Upload File

oauth design team call

8
OAuth Design Team Call 11 th February 2013

Upload: yuval

Post on 19-Jan-2016

35 views

Category:

Documents


1 download

Report

DESCRIPTION

OAuth Design Team Call. 11 th February 2013. Security Design Requirements. Focus on symmetric key cryptography Use MAC Token spec as a starting point Lifetime of session key = Lifetime of access token Unless the sequence number space wraps Replay protection: Timestamp + [sequence number] - PowerPoint PPT Presentation

TRANSCRIPT

Page 1: OAuth Design Team Call

OAuth Design Team Call

11th February 2013

Page 2: OAuth Design Team Call

Security Design Requirements

• Focus on symmetric key cryptography• Use MAC Token spec as a starting point• Lifetime of session key = Lifetime of access token

– Unless the sequence number space wraps

• Replay protection: Timestamp + [sequence number]• Support for TLS channel bindings• Integrity protection for data exchange between the client

and the resource server, and vice versa.• “Flexibility” regarding keyed message digest computation• Crypto-Agility: Algorithm indication from Authorization

Server to the Client.

Page 3: OAuth Design Team Call

Remaining Decisions

• Key distribution:– Three mechanisms presented. Which one

should focus on?

• Key naming: New key identifier (kid) parameter?

• Allow Client to indicate to which RS is wants to talk to?

Page 4: OAuth Design Team Call

DKIM Signature Recap

• body-hash: is the output from hashing the body, using hash-alg.

• data-hash: is the output from using the hash-alg algorithm, to hash the header including the DKIM-Signature header, and the body hash.

• h-headers: is the list of headers to be signed, as specified in the "h" parameter.

• h= Signed header fields • Example: h=Received : From : To : Subject :

Date : Message-ID;• Alternative: IANA registration for example

Page 5: OAuth Design Team Call

Key Distribution

• Three techniques:– Key Transport– “Key Retrieval” – Key Agreement

• Key point: What is MTI?

Page 6: OAuth Design Team Call

How RS obtains the Session Key?Option#1: Key Transport

User Agent &

Resource Owner

Client (C)

Authorization Server (AS)

Resource Server (RS)

Access Token

Keys & Meta Data

AS-C

AS-RS

Access Token

AS-RS

Keyed Message

Digest

C-RS

TLS

Page 7: OAuth Design Team Call

How RS obtains the Session Key?Option#2: “Key Retrieval”

Keyed Message

Digest

User Agent &

Resource Owner

Client (C)

Authorization Server (AS)

Resource Server (RS)

Access Token

Keys & Meta Data

AS-C

AS-RS

Access Token

AS-RS

C-RS

TLS

Key Request

Page 8: OAuth Design Team Call

How RS obtains the Session Key?Option#3: Key Agreement

Keyed Message

Digest

User Agent &

Resource Owner

Client (C)

Authorization Server (AS)

Resource Server (RS)

Access Token

Keys & Meta Data

AS-C

AS-RS

Access Token

AS-RS

C-RS

TLS

Key Request


The How of OAuth OAuth Hackathon – 4/26 @ Six Apart

Team Hardcore Call Transcription September 28 Team Call ... · Team Hardcore Call Transcription September 28th - Team Call “Platinum Edge Takeaways” [Beginning of Recorded Material]

CALL presentation ELAO TEAM 3

Mastering OAuth 2 - Adobe Inc.€¦ · leveraging the OAuth 2.0 Authorization Framework Mastering OAuth 2.0 Charles Bihis Mastering OAuth 2.0 OAuth 2.0 is a powerful authorization

Twitter oauth

Implementing OAuth

The OAuth 2.0 Authorization Protocol - cleesh.com · The OAuth 2.0 Authorization Protocol draft-ietf-oauth-v2-25 Abstract The OAuth 2.0 authorization protocol enables a third-party

EBEC 2013 - Core Team Call

Oracle Access Management OAuth Service€¦ · OAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0

OAuth Hacks A gentle introduction to OAuth 2 and Apache Oltu

H. Tschofenig OAuth 2.0 Security: OAuth Open Redirector · OAuth 2.0 Security: OAuth Open Redirector draft-bradley-oauth-open-redirector-02.txt Abstract This document gives additional

PCMH Team CALL

OAuth for TeraGrid Gateways - …security.ncsa.illinois.edu/teragrid-oauth/OAuthforTGGateways...OAuth for TeraGrid Gateways Jim Basney Jeff Gaynor

Cisco OAuth Integration Guide for CSP OAuth Integration Guide for CSP COPS ‐Security Services Cisco IT GIS COPS Security Services Team (asp‐web‐[email protected])

Painless OAuth

Call for Media Team Members

OAuth protokol - sigurnost.zemris.fer.hrsigurnost.zemris.fer.hr/protokoli/2011_budiselic/OAuth protokol.pdf · OAuth protokol Ivan Budiseli c Seminarski rad za poslijediplomski predmet

Team call 11 3

The Essential OAuth Primer: Understanding OAuth for Securing Cloud

Oauth tutorial

oAuth test

SKYPE FOR BUSINESS: TEAM CALL GROUPSwaywe.work/tw3/wp-content/uploads/How-to-guide-Skype-Team-Call-Groups.pdfSKYPE FOR BUSINESS: TEAM CALL GROUPS Following the migration to Skype for

OAuth Tokens

Oracle OAuth ServiceOAuth 2.0 authorization server and also offers several compelling differentiations to enable the OAuth 2.0 Client and the OAuth 2.0 Resource Server roles. OAM OAuth

OAuth 2.0 Security IETF OAuth WG Conference Call, 14th December 2012

The OAuth 2.0 Authorization Frameworkself-issued.info/docs/draft-ietf-oauth-v2-30.pdf · 2012. 7. 15. · The OAuth 2.0 Authorization Framework draft-ietf-oauth-v2-30 Abstract The

Call to Action Steering Team Report - Amazon S3s3.amazonaws.com/.../documents/call-to-action-steering-team-repo… · Call to Action Steering Team Report ... storage or retrieval

The Essential OAuth Primer: Understanding OAuth for Securing Cloud APIs

Facebook & OAuth

The Essential OAuth Primer: Understanding OAuth …docs.media.bitpipe.com/.../item_426600/The-Essentials-of-OAuth.pdfThe Essential OAuth Primer: Understanding OAuth for Securing Cloud

Identity Workshopinnovbfa.viabloga.com/files//Cloud_Identity_Summit... · OAuth 2.0 OAuth 1 + OAuth-WRAP + IETF = OAuth 2.0 Expanded participation with other major vendors such as

Entendiendo oAuth

「金融API向けOAuth」にみるOAuthプロファイリングの実際 #secjaws #finsecjaws01 #oauth #oidc #api

Incorporating OAuth: How to integrate OAuth into your mobile app

OAuth Passport