Slide 1

Livestream Chat WebSocket Authentication on VIDIO.COM

Slide 2

Roadmap

Slide 3

Phase 1 - WebSocket on Web Clients

Slide 4

Phase 2 - Infrastructure Segregation

Slide 5

Phase X - Web Client Performance, Android, iOS, etc.

Slide 6

WebSocket Authentication

Slide 7

WebSocket Authentication

Slide 8

The Options: JSON Web Token vs Shared Cookie

JWT over URL: signed user payload; no need to decrypt; needs a client-side request; long request URL (1-2k)

JWT over Cookie: signed user payload; no need to decrypt; needs a client-side request; long cookie length (1-2k)

Shared ID Cookie: encrypted user ID; light payload; CHAT must decrypt Rails' cookie; needs a server-side request

Shared User Cookie: encrypted user payload; no additional request; CHAT must decrypt Rails' cookie; huge payload

A balance needs to be made, and we decided to use JSON Web Token over URL. Productivity is preferred over the request efficiency of a shared cookie. The decision can still change if we find a better solution.

Slide 9

JSON Web Token: Quick Intro

JSON Web Token is defined in RFC 7519. It is a mechanism for presenting claims between two parties; the claims are signed using an algorithm, and only the two parties know the secret key. It consists of three parts, { header }.{ payload }.{ signature }, each encoded in base64. The derivatives of JSON Web Token are JSON Web Signature and JSON Web Encryption. We are using the former, because we have no need for encryption. A typical JWT token looks as follows:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOiIxMjM0NTY3OCJ9.ArJHWXBfkzeugVpshDEcHqsOIaqeR7CNH-SJCMZfZiw

Slide 10

The Problem: Bad Requests, Logged In User, Data Authenticity, Non Logged In User, Mobile API, Security Risks, Performance Issue, Data Privacy

Slide 11

Non Logged In User

The CHAT server relies on VIDIO.COM authentication. We need to allow only authorized clients, therefore the payload is intentionally left blank for a non logged in user.

Slide 12

Bad Requests

Bad client requests are simply dropped, with no attempt to reconnect.

Slide 13

Logged In User

The only difference between a non logged in user and a logged in user is the payload.

Slide 14

JSON Web Token Header and Signature: Data Authenticity

The payload is signed by the VIDIO server using the algorithm defined in the header, and the CHAT server verifies it against the shared secret. No data tampering is possible, therefore the payload is guaranteed to be authentic. The only liability is in the library being used. There are known issues in JWT libraries with symmetric keys, and we are not using those libraries.

This is some of the header and signature of the JWT:

{ "typ": "jwt", "alg": "HS512" } . { ... } . { signature }

Slide 15

JSON Web Token Payload: Data Privacy

We ensure that no data privacy issue occurs in the authentication process. Only publicly available information is put in the payload. Possible retention of tokens in proxies and logs is also not a problem, because no sensitive information is put in the payload.

This is some of the payload content of the JWT:

{ ... "user": { "id": 30132773, "username": "hendrauzia", "name": "Hendra Uzia", "avatar": "...", "verified": false } }

Slide 16

Mobile API

Additional headers are required for mobile authentication, and different endpoints need to be introduced, following the web version.

Slide 17

Security Risks

Distributed Denial of Service, Cross Origin Resource Sharing, Denial of Service, Reflected Cross Site Scripting, SSL Stripping, Stored Cross Site Scripting, Session Sidejacking, HTTP Replay Attack, Cross Site Request Forgery, Timing Attack, SSL Inspection, Cookie Replay Attack

The red boxes relate directly to the authentication process; the grey boxes are risks that are out of the scope of this slide.

Slide 18

Replay Attack and Session Sidejacking: WebSocket over TLS

✔ Cookie Replay Attack
✔ Session Sidejacking
✔ HTTP Replay Attack

Slide 19

Cross Origin Request: Check Origin

RFC 6455 (the WebSocket Protocol) states that the Origin header is used to protect against unauthorized cross-origin use of a WebSocket server.

✔ Cross Origin Resource Sharing
✔ Cross Site Request Forgery
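An Origin check as it would run on the CHAT server during the WebSocket handshake, added here as an example (this is not VIDIO's code). The allow-list, the handshake text and the header names beyond Origin are constructed for the example; the point it makes beyond the slide is that the check must compare the normalised origin exactly, so that hostnames that merely contain "vidio.com" (as a prefix, a subdomain, or userinfo) do not pass.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origins allowed to open a chat WebSocket. Constructed example allow-list;
# a real deployment would list its own web origins here.
ALLOWED_ORIGINS = {"https://www.vidio.com", "https://vidio.com"}

# Constructed sample handshake (RFC 6455 style request), used as demo input.
SAMPLE_HANDSHAKE = (
    "GET /chat HTTP/1.1\r\n"
    "Host: chat.example\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Origin: https://www.vidio.com\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
    "\r\n"
)


def parse_handshake_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.1 upgrade request into a dict (keys lower-cased)."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # empty line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def normalize_origin(origin: str) -> Optional[str]:
    """Return the origin as scheme://host[:port] in canonical form, or None if it is not a web origin.

    Scheme and host are lower-cased, a default port is dropped, and anything with a path,
    userinfo-only host, or unknown scheme is rejected rather than guessed at.
    """
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    default_port = 443 if parts.scheme == "https" else 80
    host = parts.hostname.lower()
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Decide whether a browser handshake may proceed, based solely on its Origin header."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        # Browsers always send Origin on a WebSocket handshake. A request without one is
        # not a browser; non-browser clients (the mobile API) are authenticated separately.
        return False
    normalized = normalize_origin(origin)
    return normalized is not None and normalized in ALLOWED_ORIGINS


if __name__ == "__main__":
    print("sample handshake allowed:", origin_allowed(parse_handshake_headers(SAMPLE_HANDSHAKE)))
    for candidate in ("https://www.vidio.com:443", "https://www.vidio.com.evil.example",
                      "https://www.vidio.com@evil.example", "http://www.vidio.com", "null"):
        print(f"{candidate!r:45} ->", origin_allowed({"Origin": candidate}))
```

The check is exact-match on the normalised origin rather than a substring or prefix test; `urlsplit` is used so that userinfo, explicit default ports and upper-case hostnames are handled once, in one place. The allow-list stays a set of full origins, so adding a staging host is a one-line change with no pattern logic to get wrong.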

Slide 20

SSL Inspection: Token Expiry

SSL inspection is a mechanism that decrypts and re-encrypts SSL traffic on the fly. Tokens stored (if any) in SSL inspection logs should therefore expire after a given time.
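The token flow of slides 9, 14, 15 and 20 end to end, as an added example that is not VIDIO's code: the VIDIO side issues an HS512 token over a public-only user payload with an expiry, and the CHAT side verifies it against the shared secret. The shared secret, the TTL and the clock values are constructed; the sample token decoded at the top is the one printed on slide 9 and is used only to show the three parts, since its header says HS256 and its `exp` is a string (RFC 7519 defines `exp` as a numeric date), so the verifier below rejects it by design. The two checks the slides imply but do not spell out are shown explicitly: the algorithm is pinned to HS512 instead of being taken from the token, and the signature is compared in constant time.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample secret for this example; in practice the secret is shared only
# by the VIDIO (issuer) and CHAT (verifier) servers and never reaches a client.
SHARED_SECRET = b"example-shared-secret-do-not-use"

# Sample token exactly as printed on slide 9 (HS256 header, {"exp": "12345678"} payload).
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJleHAiOiIxMjM0NTY3OCJ9."
    "ArJHWXBfkzeugVpshDEcHqsOIaqeR7CNH-SJCMZfZiw"
)


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, as JWT uses it."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that JWT strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def split_token(token: str) -> Tuple[dict, dict, bytes]:
    """Split header.payload.signature and decode the two JSON parts (slide 9)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            b64url_decode(sig_b64))


def issue_token(user: dict, secret: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """VIDIO side: sign a public-only user payload with HS512 (slides 14 and 15) and an expiry (slide 20)."""
    now = int(time.time()) if now is None else now
    header = {"typ": "JWT", "alg": "HS512"}
    payload = {"exp": now + ttl_seconds, "user": user}  # only public profile fields belong here
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """CHAT side: return the payload if the signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON all end here
        return None
    # Pin the algorithm: the token's own "alg" is only accepted if it is the one we expect,
    # which rules out "none" and algorithm-confusion tokens.
    if not isinstance(header, dict) or header.get("alg") != "HS512":
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha512).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    try:
        payload = json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = payload.get("exp") if isinstance(payload, dict) else None
    if not isinstance(exp, int) or exp <= now:  # expired or malformed expiry (slide 20)
        return None
    return payload


if __name__ == "__main__":
    print("slide 9 sample token parts:", split_token(SAMPLE_TOKEN)[:2])
    user = {"id": 30132773, "username": "hendrauzia", "name": "Hendra Uzia", "avatar": "...", "verified": False}
    token = issue_token(user, SHARED_SECRET, ttl_seconds=300)
    print("fresh token verifies:", verify_token(token, SHARED_SECRET) is not None)
    print("wrong secret verifies:", verify_token(token, b"other-secret") is not None)
```

Every failure path returns None rather than a reason, so the CHAT server can simply drop the connection as slide 12 describes; the expiry is checked only after the signature, so an unsigned token never influences which branch is taken.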

Slide 21

SSL Stripping: HTTP Strict Transport Security

SSL stripping was first publicly introduced by Moxie Marlinspike in 2009. In 2012 the HSTS spec was published. Visit https://hstspreload.org/ for more information.

Slide 22

Performance Issue: Self Signed Token

Requesting a token on every WebSocket reconnect would become a performance issue on VIDIO, therefore a self-signed token is only required once the connection is authenticated.

Slide 23

Q&A