oauth design team call
DESCRIPTION
OAuth Design Team Call. 11 th February 2013. Security Design Requirements. Focus on symmetric key cryptography Use MAC Token spec as a starting point Lifetime of session key = Lifetime of access token Unless the sequence number space wraps Replay protection: Timestamp + [sequence number] - PowerPoint PPT PresentationTRANSCRIPT
OAuth Design Team Call
11th February 2013
Security Design Requirements
• Focus on symmetric key cryptography• Use MAC Token spec as a starting point• Lifetime of session key = Lifetime of access token
– Unless the sequence number space wraps
• Replay protection: Timestamp + [sequence number]• Support for TLS channel bindings• Integrity protection for data exchange between the client
and the resource server, and vice versa.• “Flexibility” regarding keyed message digest computation• Crypto-Agility: Algorithm indication from Authorization
Server to the Client.
Remaining Decisions
• Key distribution:– Three mechanisms presented. Which one
should focus on?
• Key naming: New key identifier (kid) parameter?
• Allow Client to indicate to which RS is wants to talk to?
DKIM Signature Recap
• body-hash: is the output from hashing the body, using hash-alg.
• data-hash: is the output from using the hash-alg algorithm, to hash the header including the DKIM-Signature header, and the body hash.
• h-headers: is the list of headers to be signed, as specified in the "h" parameter.
• h= Signed header fields • Example: h=Received : From : To : Subject :
Date : Message-ID;• Alternative: IANA registration for example
Key Distribution
• Three techniques:– Key Transport– “Key Retrieval” – Key Agreement
• Key point: What is MTI?
How RS obtains the Session Key?Option#1: Key Transport
User Agent &
Resource Owner
Client (C)
Authorization Server (AS)
Resource Server (RS)
Access Token
Keys & Meta Data
AS-C
AS-RS
Access Token
AS-RS
Keyed Message
Digest
C-RS
TLS
How RS obtains the Session Key?Option#2: “Key Retrieval”
Keyed Message
Digest
User Agent &
Resource Owner
Client (C)
Authorization Server (AS)
Resource Server (RS)
Access Token
Keys & Meta Data
AS-C
AS-RS
Access Token
AS-RS
C-RS
TLS
Key Request
How RS obtains the Session Key?Option#3: Key Agreement
Keyed Message
Digest
User Agent &
Resource Owner
Client (C)
Authorization Server (AS)
Resource Server (RS)
Access Token
Keys & Meta Data
AS-C
AS-RS
Access Token
AS-RS
C-RS
TLS
Key Request