
Securing Your HTTP API with Hawk (PHP Tour Luxembourg 2015)

Spending too much time working on a custom authentication scheme for your API? Concerned about how secure your one-off implementation actually is? Learn more about the Hawk HTTP authentication scheme. It provides partial cryptographic verification for both requests and responses and it is supported by multiple languages. With Hawk securing your HTTP API you can rest easy knowing that your server and clients can trust the data they share so that you can focus on building your application's killer features.

Beau Simensen

May 12, 2015


Transcript

  1. Do you trust the authentication method? Hint: If you are using HTTP Basic Auth, the answer is "No."
  2. POST /buy HTTP/1.1
     Host: example.com
     Content-Type: application/x-www-form-urlencoded;charset=utf-8
     Authorization: SomeLegitimateAuthorizationValue

     item=something_reasonable&qty=1

     ... seconds, minutes, days, months, years...

     POST /buy HTTP/1.1
     Host: example.com
     Content-Type: application/x-www-form-urlencoded;charset=utf-8
     Authorization: SomeLegitimateAuthorizationValue

     item=something_reasonable&qty=1
  3. POST /buy HTTP/1.1
     Host: example.com
     Content-Type: application/x-www-form-urlencoded;charset=utf-8
     Authorization: SomeLegitimateAuthorizationValue

     item=something_reasonable&qty=1

     ... versus ...

     POST /buy HTTP/1.1
     Host: example.com
     Content-Type: application/x-www-form-urlencoded;charset=utf-8
     Authorization: SomeLegitimateAuthorizationValue

     item=something_expensive&qty=3
  4. POST /validate HTTP/1.1
     Host: id.example.com
     Referer: http://id.example.com/login
     Content-Type: application/x-www-form-urlencoded;charset=utf-8

     user=admin&password=pa55word

     Compare this response...

     HTTP 302
     Location: http://app.example.com

     ... to this response...

     HTTP 302
     Location: http://id.examp1e.com/login
  5. They say the road to hell is paved with good intentions. Well, that's OAuth 2.0.[1]

     [1] Eran Hammer, "OAuth 2.0 and the Road to Hell"
  6. Language Support: PHP • .NET • Java • JavaScript • Python • Ruby • Go • Objective-C • C • Scala
  7. This request can be made over and over again. Forever.

     POST /buy HTTP/1.1
     Host: example.com
     Content-Type: application/x-www-form-urlencoded;charset=utf-8
     Authorization: SomeLegitimateAuthorizationValue

     item=something_expensive&qty=3
  8. Previously obtained Hawk credentials:

     $credentials = [
         'id' => 'dh37fgj492je',
         'key' => 'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',
         'algorithm' => 'sha256',
     ];
  9. MAC is calculated

     // sha256
     $algorithm = $credentials['algorithm'];
     // werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn
     $key = $credentials['key'];
     // $string holds the normalized string for this request
     $hmac = hash_hmac($algorithm, $string, $key, true);
     $mac = base64_encode($hmac);

     Resulting MAC: 6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE=
  10. Client includes authorization header

      GET /resource/1?b=1&a=2 HTTP/1.1
      Host: example.com:8000
      Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2",...

      Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="
  11. MAC is calculated

      // sha256
      $algorithm = $credentials['algorithm'];
      // werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn
      $key = $credentials['key'];
      // $string holds the normalized string for this request
      $hmac = hash_hmac($algorithm, $string, $key, true);
      $mac = base64_encode($hmac);

      Resulting MAC: IJlWMFoE1I4hM5N7nFHpp3n84yU3qM4BTdd6i+Mxo3U=
  12. GET /resource/1?b=1&a=2 HTTP/1.1
      Host: example.com:8000
      Content-type: application/json
      Authorization: Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2",...

      {prop: "Some Value"}

      Hawk id="dh37fgj492je", ts="1353832234", nonce="j4h3g2", hash="IJlWMFoE1I4hM5N7nFHpp3n84yU3qM4BTdd6i+Mxo3U=", ext="some-app-ext-data", mac="6R4rV5iE+NPoym+WwjeHzjAGXUtLNIxmo1vpMofpLAE="
  13. Response includes Server-Authorization header

      HTTP 200 OK
      Server-Authorization: Hawk mac="XIJRsMl/4oL+nn+vK..."

      Hawk mac="XIJRsMl/4oL+nn+vKoeVZPdCHXB4yJkNnBbTbHFZUYE=", hash="f9cDF/TDm7TkYRLnGwRMfeDzT6LixQVLvrIKhh0vgmM=", ext="response-specific"
  14. Normalized request string

      hawk.1.bewit\n
      1431390129\n          // (now + ttl) = expiration time!
      \n                    // no nonce
      GET\n
      /resource/1?b=1&a=2\n
      example.com\n
      8000\n
      \n
      some-app-ext-data\n
      \n
  15. Encode Bewit

      $id = 'id1234';
      $exp = '1431390129';
      $mac = '1VLyBgXcUovTDKwCiYJo+EuYaTZq8LIgICS7jxkGSIw=';
      $ext = 'some-app-ext-data';

      // id1234\1431390129\1VLyBgXcUovTDKwCiYJo+E...jxkGSIw=\some-app-ext-data
      $bewit = implode('\\', [$id, $exp, $mac, $ext]);

      // aWQxMj...0LWRhdGE=
      $encoded = base64_encode($bewit);

      // aWQxMj...0LWRhdGE
      $stripped = str_replace(
          ['+', '/', '=', "\n"],
          ['-', '_', '', ''],
          $encoded
      );
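The Hawk pieces the slides walk through, rendered end to end in Python: the normalized string and MAC (slides 9 and 14), the payload hash (slides 11 and 12), the bewit encoding (slide 15), and the server-side timestamp and nonce checks that stop the replayed POST /buy of slides 2 and 7. This is an added example, not code from the talk or from the Hawk project; it reuses the credentials and request from slides 8 to 10 as a known check value, while the `Verifier` class, its 60-second skew window and its in-memory nonce set are assumptions for illustration.

```python
import base64, hashlib, hmac

# Credentials from slide 8 (the Hawk README example vector).
CREDENTIALS = {"id": "dh37fgj492je",
               "key": b"werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn",
               "algorithm": "sha256"}

def normalized(kind, ts, nonce, method, resource, host, port, phash="", ext=""):
    """Hawk 1 normalized string; kind is 'header', 'response' or 'bewit' (slide 14)."""
    ext = ext.replace("\\", "\\\\").replace("\n", "\\n")
    parts = ["hawk.1." + kind, str(ts), nonce, method.upper(), resource,
             host.lower(), str(port), phash, ext]
    return "\n".join(parts) + "\n"

def mac(creds, string):
    """Slide 9: base64(HMAC-<algorithm>(key, normalized string))."""
    digest = hmac.new(creds["key"], string.encode(), creds["algorithm"]).digest()
    return base64.b64encode(digest).decode()

def payload_hash(content_type, body):
    """Slides 11-12: SHA-256 over 'hawk.1.payload', the bare media type and the body."""
    media_type = content_type.split(";")[0].strip().lower()
    data = "hawk.1.payload\n" + media_type + "\n" + body + "\n"
    return base64.b64encode(hashlib.sha256(data.encode()).digest()).decode()

def encode_bewit(cred_id, exp, mac_value, ext=""):
    """Slide 15: base64url of id\\exp\\mac\\ext with '=' padding dropped."""
    raw = "\\".join([cred_id, str(exp), mac_value, ext]).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

class Verifier:
    """Server side (assumed design): recompute the MAC, then refuse stale or
    replayed requests such as the re-sent POST /buy on slides 2 and 7."""
    def __init__(self, creds, skew_sec=60):
        self.creds, self.skew, self.seen = creds, skew_sec, set()  # seen: (ts, nonce)

    def verify(self, attrs, method, resource, host, port, now):
        string = normalized("header", attrs["ts"], attrs["nonce"], method, resource,
                            host, port, attrs.get("hash", ""), attrs.get("ext", ""))
        if not hmac.compare_digest(mac(self.creds, string), attrs["mac"]):
            return "bad mac"                   # tampered request, or wrong key
        if abs(now - int(attrs["ts"])) > self.skew:
            return "stale"                     # outside the clock-skew window
        if (attrs["ts"], attrs["nonce"]) in self.seen:
            return "replay"                    # same ts+nonce accepted before
        self.seen.add((attrs["ts"], attrs["nonce"]))
        return "ok"
```

A production server would key the nonce set per credential id and expire entries once they fall outside the skew window, so the set stays bounded.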
  16. Language Support: PHP • .NET • Java • JavaScript • Python • Ruby • Go • Objective-C • C • Scala