Securing Your HTTP API with Hawk (PHP Tour Luxembourg 2015)

Slide 1

Slide 1 text

Securing Your HTTP API with Hawk Beau Simensen @beausimensen joind.in/14270

Slide 2

Slide 2 text

Hawk

Slide 3

Slide 3 text

HTTP Authentication

Slide 4

Slide 4 text

MAC Message Authentication Code

Slide 5

Slide 5 text

Partial Cryptographic Verification

Slide 6

Slide 6 text

Problems

Slide 7

Slide 7 text

Can you trust the channel?

Slide 8

Slide 8 text

Can you trust the channel? HTTPS

Slide 9

Slide 9 text

Do you know who made the request?

Slide 10

Slide 10 text

Do you know who made the request? Cookie

Slide 11

Slide 11 text

Do you know who made the request? HTTP Header

Slide 12

Slide 12 text

Do you know who made the request? From the payload

Slide 13

Slide 13 text

Do you trust the authentication method?

Slide 14

Slide 14 text

Do you trust the authentication method? Hint: If you are using HTTP Basic Auth, the answer is "No."

Slide 15

Slide 15 text

Do you trust the authentication method? Cookie Encryption

Slide 16

Slide 16 text

Do you trust the authentication method? Digest

Slide 17

Slide 17 text

Can you trust the authentication is still valid?

Slide 18

Slide 18 text

POST /buy HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded;charset=utf-8 Authorization: SomeLegitimateAuthorizationValue item=something_reasonable&qty=1 ... seconds, minutes, days, months, years... POST /buy HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded;charset=utf-8 Authorization: SomeLegitimateAuthorizationValue item=something_reasonable&qty=1

Slide 19

Slide 19 text

Can you trust the authentication is still valid? Expiration

Slide 20

Slide 20 text

Can you trust the request itself?

Slide 21

Slide 21 text

POST /buy HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded;charset=utf-8 Authorization: SomeLegitimateAuthorizationValue item=something_reasonable&qty=1 ... versus ... POST /buy HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded;charset=utf-8 Authorization: SomeLegitimateAuthorizationValue item=something_expensive&qty=3

Slide 22

Slide 22 text

Can you trust the request itself? Nonce

Slide 23

Slide 23 text

Can you trust the request itself? Message signing

Slide 24

Slide 24 text

Can you trust the served response?

Slide 25

Slide 25 text

POST /validate HTTP/1.1 Host: id.example.com Referer: http://id.example.com/login Content-Type: application/x-www-form-urlencoded;charset=utf-8 user=admin&password=pa55word Compare this response... HTTP 302 Location: http://app.example.com ... to this response... HTTP 302 Location: http://id.examp1e.com/login

Slide 26

Slide 26 text

Can you trust the served response? Message signing

Slide 27

Slide 27 text

Solutions

Slide 28

Slide 28 text

AWS Amazon Web Services

Slide 29

Slide 29 text

Custom

Slide 30

Slide 30 text

Query Auth Jeremy Kendall • @JeremyKendall

Slide 31

Slide 31 text

Query Auth is Based on AWS Signature V2

Slide 32

Slide 32 text

Hawk

Slide 33

Slide 33 text

Eran Hammer @eranhammer

Slide 34

Slide 34 text

HTTP Authentication: MAC Access Authentication 1 draft-hammer-oauth-v2-mac-token-05 proposal

Slide 35

Slide 35 text

OAuth 2.0 Former lead author and editor

Slide 36

Slide 36 text

They say the road to hell is paved with good intentions. Well, that’s OAuth 2.0. 1 Eran Hammer, "OAuth 2.0 and the Road to Hell"

Slide 37

Slide 37 text

Does Hawk have a specification? Not so much

Slide 38

Slide 38 text

Welcome to Hawk Where the code is the specification

Slide 39

Slide 39 text

https://github.com/hueniverse/hawk

Slide 40

Slide 40 text

Tent.io

Slide 41

Slide 41 text

Language Support PHP • .NET • Java • JavaScript • Python Ruby • Go • Objective-C • C • Scala

Slide 42

Slide 42 text

https://github.com/dflydev/dflydev-hawk

Slide 43

Slide 43 text

Authentication Is NOT Authorization

Slide 44

Slide 44 text

Looking for an OAuth alternative? Check out Oz https://github.com/hueniverse/oz

Slide 45

Slide 45 text

Replay Attacks

Slide 46

Slide 46 text

This request an be made over and over again. Forever. POST /buy HTTP/1.1 Host: example.com Content-Type: application/x-www-form-urlencoded;charset=utf-8 Authorization: SomeLegitimateAuthorizationValue item=something_expensive&qty=3

Slide 47

Slide 47 text

Nonce + Timestamp

Slide 48

Slide 48 text

Nonce Client generated

Slide 49

Slide 49 text

Nonce Server enforced

Slide 50

Slide 50 text

Nonce unique(identifier, timestamp)

Slide 51

Slide 51 text

Timestamp Requests after expiration time are rejected by server

Slide 52

Slide 52 text

Timestamp Server can purge nonce values once expiration time has passed

Slide 53

Slide 53 text

Timestamp Client's clock must be in sync with the server's clock

Slide 54

Slide 54 text

Timestamp Skew Default 1 minute (+/-)

Slide 55

Slide 55 text

Timestamp Skew Server includes its time in bad timestamp responses

Slide 56

Slide 56 text

Timestamp Skew Client responsible for calculating offset for future requests

Slide 57

Slide 57 text

Credentials id, key, algorithm

Slide 58

Slide 58 text

id Like a username

Slide 59

Slide 59 text

key Like a password

Slide 60

Slide 60 text

key is never transmitted

Slide 61

Slide 61 text

Protect It!

Slide 62

Slide 62 text

Protocol Example

Slide 63

Slide 63 text

Client requests protected resource GET /resource/1?b=1&a=2 HTTP/1.1 Host: example.com:8000

Slide 64

Slide 64 text

Server challenges HTTP/1.1 401 Unauthorized WWW-Authenticate: Hawk

Slide 65

Slide 65 text

Previously obtained Hawk credentials: $credentials = [ 'id' => 'dh37fgj492je', 'key' => 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn', 'algorithm' => 'sha256', ];

Slide 66

Slide 66 text

Client generates a timestamp $timestamp = 1353832234;

Slide 67

Slide 67 text

Client generates a nonce $nonce = 'j4h3g2';

Slide 68

Slide 68 text

Normalized request string hawk.1.header\n 1353832234\n j4h3g2\n GET\n /resource/1?b=1&a=2\n example.com\n 8000\n \n some-app-ext-data\n \n

Slide 69

Slide 69 text

MAC is calculated // sha256 $algorithm = $credentials['algorithm']; // werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn $key = $credentials['key']; $hmac = hash_hmac($algorithm, $string, $key, true); $mac = base64_encode($hmac); Resulting MAC: 6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE=

Slide 70

Slide 70 text

Client includes authoriztaion header GET /resource/1?b=1&a=2 HTTP/1.1 Host: example.com:8000 Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2",... Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="

Slide 71

Slide 71 text

Payload Validation Optional

Slide 72

Slide 72 text

Calculate hash hawk.1.payload application/json {prop:"Some Value"} Resulting hash: oULrzWdcgjMiuZ93IiKevos00WXKdXsv70Q9YSy6OfY=

Slide 73

Slide 73 text

Normalized request string hawk.1.header\n 1353832234\n j4h3g2\n GET\n /resource/1?b=1&a=2\n example.com\n 8000\n oULrzWdcgjMiuZ93IiKevos00WXKdXsv70Q9YSy6OfY=\n some-app-ext-data\n \n

Slide 74

Slide 74 text

Slide 75

Slide 75 text

GET /resource/1?b=1&a=2 HTTP/1.1 Host: example.com:8000 Content-type: application/json Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2",... {prop: "Some Value"} Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", hash="IJlWMFoE1I4hM5N7nFHpp3n84yU3qM4BTdd6i+Mxo3U=", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="

Slide 76

Slide 76 text

Response Validation Optional

Slide 77

Slide 77 text

Server-Authorization uses the same credentials and other artifacts provided by the client ext & hash may be changed

Slide 78

Slide 78 text

Response includes Server-Authorization header HTTP 200 OK Server-Authorization: Hawk mac="XIJRsMl/4oL+nn+vK..." Hawk mac="XIJRsMl/4oL+nn+vKoeVZPdCHXB4yJkNnBbTbHFZUYE=", hash="f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=" ext="response-specific"

Slide 79

Slide 79 text

Bewit Single URI Authorization

Slide 80

Slide 80 text

Only supports GET & HEAD

Slide 81

Slide 81 text

Generate a Bewit $uri_to_be_shared = 'https://example.com/resource/1?b=1&a=2'; $bewit = $client->createBewit( $credentials, $uri_to_be_shared, 300, // ttl in seconds ['ext' => 'some-app-ext-data'] );

Slide 82

Slide 82 text

Normalized request string hawk.1.bewit\n 1431390129\n // ( now + ttl ) = expiration time! \n // no nonce GET\n /resource/1?b=1&a=2\n example.com\n 8000\n \n some-app-ext-data\n \n

Slide 83

Slide 83 text

MAC built the usual way We've seen this twice already...

Slide 84

Slide 84 text

Encode Bewit $id = 'id1234'; $exp = '1431390129'; $mac = '1VLyBgXcUovTDKwCiYJo+EuYaTZq8LIgICS7jxkGSIw='; $ext = 'some-app-ext-data'; // id1234\1431390129\1VLyBgXcUovTDKwCiYJo+E...jxkGSIw=\some-app-ext-data $bewit = implode('\\', [$id, $exp, $mac, $ext]); // aWQxMj...0LWRhdGE= $encoded = base64_encode($bewit); // aWQxMj...0LWRhdGE $stripped = str_replace( ['+', '/', '=', "\n"], ['-', '_', '', ''], $encoded );

Slide 85

Slide 85 text

Append Bewit to URI to be shared // https://example.com/resource/1?b=1&a=2&bewit=aWQxMj...0LWRhdGE $uri = $uri_to_be_shared . '&bewit='.$bewit;

Slide 86

Slide 86 text

No content

Slide 87

Slide 87 text

Gotchas

Slide 88

Slide 88 text

Plaintext Credentials

Slide 89

Slide 89 text

Keys Transmission

Slide 90

Slide 90 text

Host Header

Slide 91

Slide 91 text

Only Host & Content-Type Headers are covered by the MAC

Slide 92

Slide 92 text

Bewit cannot be revoked

Slide 93

Slide 93 text

No spec

Slide 94

Slide 94 text

No content

Slide 95

Slide 95 text

HTTP Authentication

Slide 96

Slide 96 text

MAC Message Authentication Code

Slide 97

Slide 97 text

Partial Cryptographic Verification

Slide 98

Slide 98 text

Increases trust in the request and the response

Slide 99

Slide 99 text

Language Support PHP • .NET • Java • JavaScript • Python Ruby • Go • Objective-C • C • Scala

Slide 100

Slide 100 text

joind.in/14270 questions? @beausimensen • @dflydev • @thatpodcast beau.io/talks • thatpodcast.io

Slide 101

Slide 101 text

Image Credits source • source • source • source • source • source • source • source • source