Post on 15-Jan-2015
Copyright ©2013 Ping Identity Corporation. All rights reserved. 1 Confidential
API Security
Bradford Stephens (Ping) & Tim Anglade (Apigee)
Contents
• Intros
• The “Platform Imperative”
• What does Security Mean?
• Solutions
• Wrap-Up
Bradford Intro
• Hi!
• Former CEO of VC-backed database startup Drawn to Scale. Built a distributed SQL database, Spire, from scratch.
• Does a lot of work in big data, distributed systems, and APIs.
• Now running Developer Evangelism + Platforms @ Ping!
Tim Intro
• Hi as well!
• Built financial infrastructure at NASDAQ, an eCommerce startup, Invited Expert work at W3C and now APIs & Mobile Apps
• Spent a few years focusing heavily on distributed systems and NOSQL databases — nosqltapes.com and nosqlsummer.org
• Now running Developer Programs @ Apigee!
Business Software is Changing
(Diagram: Biz Apps: CRM, Sales, Analytics, Sharepoint, Website, Transactions, Marketing)
Business Software is Changing
(Diagram: Biz Apps: Salesforce, Box, AWS, Shopify, Omniture, Google Apps)
Business Software is Changing
(Diagram: Biz Apps: Salesforce, Box, AWS, Shopify, Omniture, Google Apps, each connected through an API)
The Enterprise Must Open
Understanding the API Economy—the billionaire club
The Enterprise Must Open
API Growth Rate
• Open APIs
– We just hit the 7,000 API mark
– 8,000 by year end
– 16,000 by 2015
• Dark APIs
– Dark APIs are 5x+/- Open API growth rate
– 80,000 by 2015
The Enterprise Must Open
• Internal apps must be refactored
• Close collaboration with Partners
• Explosion of different channels and devices
• Everything is more social
What even is security?
What does security mean in this open-default world?
The never-ending battle
• Security is a never-ending battle between collaboration and secrets … to get work done
• Once we’ve chosen where we fall on the spectrum, how do you keep security around it?
Major Concepts
• Identity
• Authentication
• Authorization
• Encryption
• Accounting
Identity
• Answers “Who are you?”
• UserIDs, Digital Certificates, ATM Cards
• A public claim asserting yourself
Authentication
• Answers “How can you prove who you are?”
• Responding to a challenge
• Private shared secrets, best if known only to user (Private Key)
Authorization
• Answers “What are you allowed to do?”
• Token/Ticket Mechanism
• Certain tokens are allowed certain abilities
• Enforcing the principle of least privilege
Encryption
• Answers “How can we keep this secret?”
• Only authorized parties can understand data
• Non-symmetric algorithms ‘mask’ data – ‘impossible’ to reverse engineer
Accounting
• Answers “Who did what, when?”
• Typically use a logging mechanism (Splunk)
• “Closes the loop” between Authentication and Authorization
• Essential in identifying gaps and postmortems
So what is API Security?
• A Secure API only allows the right people the right amount of access to resources and data
• Has to balance collaboration in an open-by-default world vs. keeping important secrets
• Many, many ways to do this
Recap
Matrix with columns Identity, Authentication, Authorization, Channel Enc., Accounting; each row lists the marks the slide gives it:
• Dedicated ATM: X X
• 802.1X: X X
• LDAP: X
• ActiveDirectory: X X (partial)
• Database Table: X
• RADIUS/Diameter: X X X
• VPN / IPSec: X X
• X.509: X X
• SSL, TLS, DTS: X
• Basic/Digest Auth, Login: X X
• 2-factor: X
• Master login: X X
• API keys: X X (partial)
• OAuth 1.0
• OAuth 1.0a: X (partial)
• OAuth 2.0: X (partial)
• OpenID: X
• OpenID Connect: X
• SAML: X X (partial)
• Shiro or other framework: X X
• Splunk or other logging: X
• Roll your own
Topology
(Diagram: Database, App Layer, API; three clients call the API: App 1 used by User A, App 2 used by User B, App 3 used by User C)
API Types
• Use-cases
– Internal APIs
– Partner APIs
– Public APIs (consumer, open, mobile etc.)
• Tiers (legs)
– Server-to-Server (internal, partner) usually 2-legged authentication
– End-user (consumer, mobile, open) usually requires 3-legged authentication
Common Security Concerns
• Malicious Apps
• Well-intentioned but vulnerable App
• Well-intentioned App with Malicious Users
Remedies
• Two classes
– Human & Business
– Technologies
• Secure APIs use both!
Human & Business Remedies
1. Registration Wall
– Knowing is half the battle!
– Identify problematic apps or users
– Isolate them from other traffic
– Provide means of communicating with well-intentioned users
Human & Business Remedies
2. Proof
– Enhance registration by requiring proof the account was not automatically created (captcha) or has a legit email address (activation link)
– Phone Activation
– Driver’s license, …
Human & Business Remedies
3. Traffic Shaping
– Quotas
– Throttling
– Tiered Traffic
– Dynamic IP Filters
– Dynamic ISP Filters
– Up to & including blocking
– Processes not technologies!
Human & Business Remedies
4. Audits & Certifications
– More useful than you think
– Checks for dark corners in your organization
– PCI-DSS and ISO 2700X series
Human & Business Remedies
• Which of these should you implement?
• All of them? (Again, security vs. freedom.)
• Don’t forget to impose those human & business rules on internal users!
– 80.123456% of DDoS cases come from inside the house.
Technical Remedies!
• Identity
• Authentication
• Authorization
• Encryption (Channel Security)
• Accounting (Auditing)
Recap
Matrix with columns Identity, Authentication, Authorization, Channel Enc., Accounting; each row lists the marks the slide gives it:
• Dedicated ATM: X X
• 802.1X: X X
• LDAP: X X (definitions)
• ActiveDirectory: X X (definitions)
• Database Table: X
• RADIUS/Diameter: X X X
• VPN / IPSec: X X
• X.509: X X
• SSL, TLS, DTS: X
• Basic/Digest Auth, Login: X X
• 2-factor: X
• Master login: X X
• API keys: X X (primitives)
• OAuth 1.0
• OAuth 1.0a: X (primitives)
• OAuth 2.0: X (primitives)
• OpenID: X
• OpenID Connect: X
• SAML: X X (primitives)
• Shiro or other framework: X X
• Splunk or other logging: X
• Roll your own
Technical Remedies!
1. Dedicated ATM connection
– You laugh, but…
Technical Remedies!
2. Identity Providers
– LDAP
– ActiveDirectory (provides authorization as well)
– User table in your database…
– Third party: Google, Twitter, etc. — still usually maps to a user record in your internal tables.
– Every other combination of solutions will use one of the first three in this list!
Technical Remedies!
3. Network Channel Security
– LAN level: 802.1X
– Beyond: use VPN/IPSec
– Both provide machine authentication and point-to-point channel encryption
– Both would rely on a RADIUS or Diameter server for user authentication and authorization management
Technical Remedies!
4. Application/HTTP Channel Security
– SSL, TLS
– X.509
Technical Remedies!
4. Authentication
– Basic/Digest Auth (over SSL)
– Login form then API key
– Optional 2-factor (code generator, keyfob, etc.)
– Plugged to LDAP, or table of API keys or hardcoded master login (bad).
– All or nothing keys: like giving every app full access to your facebook account
Technical Remedies!
4. Authentication/Authorization with OAuth
– OAuth fundamentally tries to solve this problem by doing authentication while allowing authorization to be segmented per app
– “Valet Key” analogy: the App has access to the system as you, but cannot do certain things (like change your password)
– That valet key is a token that automatically expires after a certain time
– Allows for “3-legged Authentication”: not just API and App, or API and User, but API, App and User
• Use for revokes and accounting
– You still end up doing a regular authentication somewhere in the middle (Basic auth, login form, etc.)
Technical Remedies!
– OAuth 1
• Do not use OAuth 1.0: logically insecure
• OAuth 1.0a (RFC edition) fixes that, works nicely, in use at Twitter
• Signatures are hard (made so you don’t have to rely on SSL/TLS though)
• Malicious Apps can be kicked out and all their tokens revoked
• Web authentication flow can use keyfobs or other multi-factor auth systems
• Very web-centric. The ideal use-case when it was designed was “allow Twitter to access my Flickr photos”
Technical Remedies!
– OAuth 2.0
• Lead author famously walked out, not all bad though!
• Hard to implement correctly, in a secure manner
• Lots of grant types
• Not as interoperable as OAuth 1 — really a framework for security, not a protocol anymore
• Formalizes “scopes” for specific permissions (like “post to wall”, “see friends”, etc.)
• Introduces refresh tokens — stay away
• Introduces compatibility with SAML and JWT — stay away
• 2 token types: Bearer and MAC
Technical Remedies!
– OAuth 2.0 Bearer Tokens
• only ones used in practice
• as insecure as a Bearer Bond
• Heavily rely on channel being secure, which is rarely the case, even over HTTPS
• No client binding
– App B could use a token issued for App A to log in as you to App A
– Facebook wrote its own extension to deal with that
• Stay away from refresh tokens, it only serves a very narrow use-case where two-tier refreshes are necessary.
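As an added illustration of the bearer-token points above (this is example code written for this page, not code from the talk or from Ping or Apigee): a toy in-memory token store and a resource-server check that enforces expiry, per-app scopes and a client binding, so a token issued to App A but presented by App B is rejected. All names are hypothetical, and it assumes the resource server already knows which app is calling it (for instance from the app's own API key or client credential).

```python
import secrets
import time

# Constructed in-memory token store: token -> who it was issued to and what it permits.
# Stands in for the authorization server's database; not a real OAuth library.
TOKENS = {}


def issue_token(client_id, user, scopes, ttl_seconds=3600, now=None):
    """Issue a bearer token bound to the app (client_id) that requested it."""
    issued_at = now if now is not None else time.time()
    token = secrets.token_urlsafe(32)
    TOKENS[token] = {
        "client_id": client_id,            # the app the valet key was cut for
        "user": user,                      # the resource owner (3rd leg)
        "scopes": frozenset(scopes),       # least privilege per app
        "expires_at": issued_at + ttl_seconds,
    }
    return token


def check_request(token, presenting_client, required_scope, now=None, bind_client=True):
    """Resource-server check. Returns (allowed, reason).

    bind_client=False models a plain bearer token: anyone holding it is accepted,
    which is the "App B reuses App A's token" problem from the slides.
    """
    record = TOKENS.get(token)
    if record is None:
        return False, "unknown_token"      # never issued, or already revoked
    current = now if now is not None else time.time()
    if current >= record["expires_at"]:
        return False, "expired"            # the valet key times out
    if required_scope not in record["scopes"]:
        return False, "insufficient_scope"  # scope gates each ability separately
    if bind_client and record["client_id"] != presenting_client:
        return False, "client_mismatch"    # token was issued to a different app
    return True, "ok"


def revoke_client(client_id):
    """Kick a malicious app out: drop every token issued to it. Returns the count."""
    doomed = [t for t, r in TOKENS.items() if r["client_id"] == client_id]
    for t in doomed:
        del TOKENS[t]
    return len(doomed)
```

Each rejection reason is returned rather than logged so the caller can feed it into the accounting/audit trail the slides describe.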
Technical Remedies!
5. Authorization
– Shiro — a Java framework to enforce authorization rules in your apps
– SAML — full XML protocol to handle authentication and authorization
Recap (same matrix as above)
Connect 5! (same matrix as above)
API Types (again)
• Use-cases
– Internal APIs
– Partner APIs
– Public APIs (consumer, open, mobile etc.)
• Tiers (legs)
– Server-to-Server (internal, partner) usually 2-legged authentication
– End-user (consumer, mobile, open) usually requires 3-legged authentication
Recommendations
• Internal, Server-to-Server APIs
– Use OAuth 2.0 with Bearer Tokens obtained through a Client Credentials grant (only 2-legged requirement)
– Alternatives: 802.1X with RADIUS/Diameter, X.509
• Partner, Server-to-Server APIs
– Use OAuth 2.0 with Bearer Tokens obtained through a Client Credentials grant (only 2-legged requirement)
– Alternatives: VPN/IPSec with RADIUS/Diameter, X.509
• Consumer, Open or End-user Internal/Partner
– Consumer/Open APIs: use OAuth 2.0 with Bearer Tokens, using the Authorization Code or Implicit Grant flow (better support for advanced authentication options, less trust on clients)
• Mobile APIs
– Use OAuth 2.0 (3-legged requirement) with Bearer Tokens obtained through a Resource Owner grant or OS integration if available (better UX)
In conclusion…
• Security vs. Freedom
• Devil’s advocate: OAuth 1.0a isn’t all bad, and tons of people implement it for Twitter.
• How badly do you want to protect this vs. how badly do you want people to use it?
• All the way to physically securing the interface…
Thanks!
• Questions, comments: bstephens@pingidentify.com tim.a@apigee.com