WebSocket Authentication on VIDIO.COM

KMKLabs
July 09, 2019

WebSocket Authentication on VIDIO.COM Livestream Chat covers the technology behind the livestream chat, the authentication options available over WebSocket (including cookies and JWT, JSON Web Token), and the security concerns that arise from the chosen technology.


Transcript

  1. The Options: Shared Cookie vs JSON Web Token

     Options compared: JWT over URL, JWT over Cookie, Shared ID Cookie. Comparison points from the slide's table (the cells are flattened in this transcript): Encrypt User ID; Light Payload; Signed User Payload; No Need to Decrypt; Shared User Cookie; Encrypt User Payload; No Additional Request; Decrypt Rails' Cookie; Need Client-Side Request; Need Server-Side Request; Long Request URL (1-2k); Long Cookie Length (1-2k); Huge Payload. A balance had to be struck, and we decided to use JSON Web Token over URL. Productivity is preferred over request efficiency with a shared cookie. The decision can still change if we find a better solution.
  2. JSON Web Token: Quick Intro

     JSON Web Token is defined in RFC 7519. It is a mechanism for presenting claims between two parties: the claims are signed using an algorithm, and only the two parties know the secret key. It consists of three parts, { header }.{ payload }.{ signature }, each encoded in base64. The derivatives of JSON Web Token are JSON Web Signature and JSON Web Encryption. We are using the former, because we have no need for encryption. A typical JWT looks as follows: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxMjM0NTY3OCJ9.ArJHWXBfkzeugVpshDEcHqsOIaqeR7CNH-SJCMZfZiw
  3. The Problem

     Bad Requests, Logged In User, Data Authenticity, Non Logged In User, Mobile API, Security Risks, Performance Issue, Data Privacy.
  4. Non Logged In User

     The CHAT server relies on VIDIO.COM authentication. We need to allow only authorized clients, therefore the payload is intentionally left blank for a non-logged-in user.
  5. Logged In User

     The only difference between a non-logged-in user and a logged-in user is the payload.
  6. JSON Web Token Header and Signature: Data Authenticity

     The payload is signed by the VIDIO server using the algorithm defined in the header, and the CHAT server verifies it against the shared secret. No data tampering is possible, therefore the payload is guaranteed to be authentic. The only liability is the library being used: there are known issues in JWT libraries with symmetric keys, and we are not using those libraries. Part of the header and signature of the JWT: { "typ": "jwt", "alg": "HS512" } . { ... } . { signature }
  7. JSON Web Token Payload: Data Privacy

     We ensure no data privacy issue occurs in the authentication process. Only publicly available information is put in the payload. Retention of tokens in proxies and logs is therefore not a problem, since no sensitive information is in the payload. Part of the payload content of the JWT: { ... "user": { "id": 30132773, "username": "hendrauzia", "name": "Hendra Uzia", "avatar": "...", "verified": false } }
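The following is an added example, not code from the slides or from VIDIO, showing the two sides of the scheme described in slides 2, 6 and 7 with only the Python standard library: the issuer builds a base64url header.payload.signature token signed with HS512 over a shared secret, and the verifier pins the algorithm it will accept instead of trusting the header's "alg" (the class of library issue slide 6 alludes to), compares the HMAC in constant time, and rejects expired tokens (the expiry that the later SSL-inspection slide relies on). The secret, the 300-second lifetime, the "email" field used to show that non-public data is dropped, and the choice to give an anonymous token only an expiry claim are this example's assumptions.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for this example; VIDIO and the CHAT server would share
# a real one out of band and load it from configuration.
SHARED_SECRET = b"example-shared-secret-not-for-production"

# The verifier pins the MAC per algorithm name. The header's "alg" is only
# compared against the expected value, never used to select the verifier.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS512": hashlib.sha512}

# The user fields the payload slide shows; anything else about a user stays out.
PUBLIC_USER_FIELDS = ("id", "username", "name", "avatar", "verified")


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def chat_payload(user, now, ttl=300):
    """Build the CHAT token payload: public user fields only, plus an expiry.
    A non-logged-in user gets no "user" claim at all; giving the anonymous
    token an expiry as well is this example's assumption."""
    payload = {"exp": now + ttl}
    if user is not None:
        payload["user"] = {k: user[k] for k in PUBLIC_USER_FIELDS if k in user}
    return payload


def sign_jwt(payload, secret, alg="HS512"):
    """Issuer side (VIDIO): header.payload.signature, each part base64url."""
    header = {"typ": "JWT", "alg": alg}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                for p in (header, payload)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def verify_jwt(token, secret, expected_alg="HS512", now=None):
    """Verifier side (CHAT): return the payload, or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg in header")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, HMAC_ALGS[expected_alg]).digest()
    # Constant-time comparison so the signature check does not leak timing.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and int(payload["exp"]) <= now:
        raise ValueError("token expired")
    return payload


def is_valid(token, secret, now=None):
    """Boolean wrapper around verify_jwt for accept/reject decisions."""
    try:
        verify_jwt(token, secret, now=now)
        return True
    except (ValueError, KeyError, TypeError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed user record; "email" is here only to show it is never issued.
    user = {"id": 30132773, "username": "hendrauzia", "name": "Hendra Uzia",
            "avatar": "...", "verified": False, "email": "private@example.invalid"}
    issued_at = 1_000_000
    token = sign_jwt(chat_payload(user, now=issued_at), SHARED_SECRET)
    print(token)
    print(verify_jwt(token, SHARED_SECRET, now=issued_at))
```

Keeping the expected algorithm on the verifier, rather than reading it from the token, is what makes the "alg": "none" and HMAC-versus-public-key confusions a non-issue here; the allowlist of public fields is what makes a token found in a proxy log harmless beyond its lifetime.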
  8. Mobile API

     Additional headers are required for mobile authentication, and different endpoints need to be introduced, following the web version.
  9. Security Risks

     Distributed Denial of Service, Cross Origin Resource Sharing, Denial of Service, Reflected Cross Site Scripting, SSL Stripping, Stored Cross Site Scripting, Session Sidejacking, HTTP Replay Attack, Cross Site Request Forgery, Timing Attack, SSL Inspection, Cookie Replay Attack. The red boxes relate directly to the authentication process; the grey boxes are risks that are out of the scope of this slide.
  10. Replay Attack and Session Sidejacking: WebSocket over TLS

     ✔ Cookie Replay Attack ✔ Session Sidejacking ✔ HTTP Replay Attack
  11. Cross Origin Request: Check Origin

     RFC 6455 (the WebSocket Protocol) states that the Origin header is used to protect against unauthorized cross-origin use of a WebSocket server. ✔ Cross Origin Resource Sharing ✔ Cross Site Request Forgery
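As an added example (not code from the slides or from VIDIO's chat server), the opening-handshake check that slide 11 describes: the server normalizes the browser-supplied Origin to scheme, host and port, requires an exact match against an allowlist (no suffix or substring matching, and the opaque "null" origin is refused), and only then computes the Sec-WebSocket-Accept value that RFC 6455 defines from the client key and the fixed GUID. The allowlist entries are assumed; the decision to reject a request with no Origin header at all is also this example's assumption (the slides put non-browser mobile clients on separate endpoints, which this example does not model).

```python
import base64
import hashlib
from urllib.parse import urlsplit

# Fixed by RFC 6455 section 4.2.2; it is not a secret.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed allowlist for the CHAT server; the site's real origins may differ.
ALLOWED_ORIGINS = ("https://www.vidio.com", "https://vidio.com")


def normalize_origin(origin):
    """Return (scheme, host, port) for a serialized Origin, or None if unusable.
    "null" (opaque origin), non-http(s) schemes, userinfo tricks and garbage
    all map to None so that they can never match an allowlist entry."""
    if not origin:
        return None
    origin = origin.strip()
    if origin.lower() == "null":
        return None
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    if parts.username is not None:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Exact scheme/host/port match against the allowlist."""
    wanted = normalize_origin(origin)
    if wanted is None:
        return False
    return any(normalize_origin(entry) == wanted for entry in allowed)


def accept_key(sec_websocket_key):
    """Sec-WebSocket-Accept per RFC 6455: base64(SHA-1(key + GUID))."""
    digest = hashlib.sha1((sec_websocket_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake(request_headers, allowed=ALLOWED_ORIGINS):
    """Decide the opening-handshake response as (status, response_headers).
    The Origin check runs before any upgrade work, so a cross-site page
    gets a 403 and never reaches the authenticated chat stream."""
    h = {k.lower(): v for k, v in request_headers.items()}
    if h.get("upgrade", "").lower() != "websocket" or "sec-websocket-key" not in h:
        return 400, {}
    if not origin_allowed(h.get("origin"), allowed):
        return 403, {}
    return 101, {
        "Upgrade": "websocket",
        "Connection": "Upgrade",
        "Sec-WebSocket-Accept": accept_key(h["sec-websocket-key"]),
    }


if __name__ == "__main__":
    # Constructed request headers; the key is the sample key from RFC 6455.
    request = {"Upgrade": "websocket", "Connection": "Upgrade",
               "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
               "Origin": "https://www.vidio.com"}
    print(handshake(request))
    print(handshake({**request, "Origin": "https://other.example"}))
```

The Origin header is set by the browser and cannot be changed by page script, which is why an exact allowlist match closes the cross-site WebSocket hijacking and CSRF cases the slide lists; it gives no protection against non-browser clients, which is what the token itself is for.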
  12. SSL Inspection: Token Expiry

     SSL inspection is a mechanism that decrypts and re-encrypts SSL traffic on the fly; any tokens retained in SSL inspection logs should therefore expire after a given time.
  13. SSL Stripping: HTTP Strict Transport Security

     SSL stripping was first publicly introduced by Moxie Marlinspike in 2009. In 2012 the HSTS spec was published. Visit https://hstspreload.org/ for more information.
  14. Performance Issue: Self Signed Token

     Requesting a token on every WebSocket reconnect would become a performance issue in VIDIO, therefore a self-signed token is only required once the connection is authenticated.
  15. Q&A