Implementing Privacy: OAuth and Token Madness

Technology

Published on July 24, 2009

Author: rabble

Source: slideshare.net

Description

Ever cringe when you're asked to enter your email address and password to a third party service? This talk will cover how to build and consume services which protect users privacy with OAuth and other techniques.

Ever cringe when you’re asked to enter your email address and password to a third party service? Even worse when we build systems which collect people’s credentials. It’s the password anti-pattern.

Privacy and security are important, but when it comes to real running apps, "it works" wins over "it's secure".
This talk has two main themes.

* How to use tokens and other tricks to protect the privacy of your users.
* While the examples will be from a Ruby on Rails application, this talk is more about general web development practices for privacy.

There is no totally secure or private system out there, especially when we build social web applications. But there are many things which can be done to improve privacy. For each application you have to look at what the threat model is for leaking personal information. Everything from how your user passwords are stored to what happens if a hacker gets a full dump of your database.

* What happens when a user’s email is compromised by a third party service?
* How to provide simple sharing with casual privacy.
* What is ‘good enough’ crypto?
* Understanding the difference between Authorization and Authentication.

This talk is based on experience designing and architecting Yahoo! Fire Eagle, a location sharing service which was the first implementation of both OAuth and Ruby on Rails at Yahoo.

Implementing Privacy OAuth & Token Madness evan@protest.net

Privacy

Perception of Privacy

The Privacy to Disappear

Extreme Privacy

Privacy and the State

Privacy and the Law

Can you say? source: http://www.crestpublishing.co.za/killthepresident.html

Kill the Cuban president? source: http://flic.kr/p/RfwD

Speech as Property

Privacy & Hackers

Email & Logins

One email per person

Email for Everything

We use email for everything!

Hackers want your email

The Twitter Files

Dear God Why?!?!

Fail

Salvation?

Delegated Token Authorization

Delegated Token Authorization FlickrAuth, Google AuthSub, Yahoo’s BBAuth, Facebook Auth, Amazon AWS, AOL OpenAuth, etc...

Tokens

Like Coins?

Symbols

The slide builds up one row, column by column:

    username     password     token      secret
    timoreilly   alphag33ks   SLx39nv4   L9vQlviq2x

Cryptographic Signatures

Cryptographic Signatures

    # Signing a request with the oauth gem (sudo gem install oauth, see the Libraries
    # slide). The slide text reads "Auth::"; the gem's classes are OAuth::Consumer,
    # OAuth::Token and OAuth::Signature.
    require 'oauth'
    require 'oauth/request_proxy/net_http'
    require 'net/http'
    require 'test/unit/assertions'
    include Test::Unit::Assertions

    # The slide leaves `request` undefined; this is the /photos request from the
    # later slides, with the oauth_* parameters carried in the Authorization header.
    request = Net::HTTP::Get.new('/photos?file=vacation.jpg&size=original')
    request['Authorization'] = 'OAuth realm="http://photos.example.net/photos", ' \
      'oauth_consumer_key="dpf43f3p2l4k3l03", oauth_token="nnch734d00sl2jdk", ' \
      'oauth_nonce="kllo9940pd9333jh", oauth_timestamp="1191242096", ' \
      'oauth_signature_method="HMAC-SHA1", oauth_version="1.0"'

    consumer = OAuth::Consumer.new('dpf43f3p2l4k3l03', 'kd94hf93k423kf44')
    token = OAuth::Token.new('nnch734d00sl2jdk', 'pfkkdhi9sl3r4s00')
    signature = OAuth::Signature.sign(request, :consumer => consumer,
                                               :token => token,
                                               :uri => 'http://photos.example.net/photos')
    assert_equal 'tR3+Ty81lMeYAr/Fid0kMTYa/WM=', signature

Cryptographic WHAT? TOKEN, HASH, KEY, SECRET; these combine into a signature, and what travels on the wire is token=vkzljxc&sig=aslkdjfalskd

    Authentication   Authorization
    OpenID           OAuth
    Users            Applications

Very Simple

Love Triangle: end user, consumer application, service provider

Three Legs: end user, consumer application, service provider

Two Legs: consumer application, service provider

Buenos Aires, Argentina San Jose, California

Token Dance (consumer and provider)

1. Consumer requests the request token.
2. Provider creates and returns a new request token.
3. Consumer redirects the user to the provider with the token in the URL.
4. User selects preferences and approves the authorization.
5. User is redirected back to the consumer with the request token.
6. Consumer wants to trade the request token for access.
7. The provisional request token is traded for an access token.
8. Consumer saves the access token for the user.

Token Dance: web applications, desktop applications, out of band applications like mobile and embedded
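The provider's side of the dance above, as an added example that is not the talk's code or the oauth-plugin's models; the class, its method names and the TTL values are assumptions, and it covers the "Expire Tokens" slide too by giving access tokens their own lifetime.

```ruby
require 'securerandom'

# Provider-side bookkeeping for the token dance (constructed example, not the
# oauth-plugin's models). Request tokens are provisional: short-lived, bound to the
# consumer that asked for them, worthless until a user approves them, and consumed by
# exactly one exchange. Access tokens carry their own expiry ("Expire Tokens").
class TokenProvider
  Token = Struct.new(:token, :secret, :consumer_key, :user, :issued_at)
  def initialize(request_ttl: 600, access_ttl: 30 * 86_400, clock: -> { Time.now.to_i })
    @request_ttl, @access_ttl, @clock = request_ttl, access_ttl, clock
    @request_tokens, @access_tokens = {}, {}
  end

  # Steps 1-2: consumer requests a request token, provider mints and returns it.
  def issue_request_token(consumer_key)
    mint(@request_tokens, consumer_key, nil)
  end

  # Step 4: the user, on the provider's own site, approves the token for their
  # account. Unknown or stale tokens cannot be approved late.
  def authorize(token, user)
    t = @request_tokens[token]
    return false if t.nil? || expired?(t, @request_ttl)
    t.user = user
    true
  end

  # Steps 6-8: trade an approved, unexpired request token, presented by the consumer it
  # was issued to, for an access token; it is then removed so a second exchange fails.
  def exchange(token, consumer_key)
    t = @request_tokens[token]
    return nil if t.nil? || expired?(t, @request_ttl) || t.user.nil? || t.consumer_key != consumer_key
    @request_tokens.delete(token)
    mint(@access_tokens, consumer_key, t.user)
  end

  # Lookup for signed API calls: unknown or expired access tokens resolve to nil.
  def user_for(access_token)
    t = @access_tokens[access_token]
    t && !expired?(t, @access_ttl) ? t.user : nil
  end

  private
  def mint(store, consumer_key, user)
    t = Token.new(SecureRandom.hex(8), SecureRandom.hex(16), consumer_key, user, @clock.call)
    store[t.token] = t
  end
  def expired?(t, ttl) = @clock.call - t.issued_at > ttl
end
```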

OAuth Params (oauth_*)

    oauth_consumer_key / oauth_consumer_secret
    oauth_consumer_key="dpf43f3p2l4k3l03"
    oauth_token="nnch734d00sl2jdk"
    oauth_nonce="kllo9940pd9333jh"
    oauth_timestamp="1191242096"
    oauth_signature_method="HMAC-SHA1"
    oauth_version="1.0"
    oauth_signature="tRMTYa%2FWM%3D"

Forms of OAuth: HTTP GET params, HTTP POST params, HTTP Headers, XMPP (Jabber)

HTTP GET params (the signature base string for the GET request, shown on the slide with line breaks)

    GET&http%3A%2F%2Fphotos.example.net%2Fphotos&file%3Dvacation.jpg%26oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0%26size%3Doriginal

HTTP HEADERS params

    GET /photos?size=original&file=vacation.jpg HTTP/1.1
    Host: photos.example.net:80
    Authorization: OAuth realm="http://photos.example.net/photos",
        oauth_consumer_key="dpf43f3p2l4k3l03",
        oauth_token="nnch734d00sl2jdk",
        oauth_nonce="kllo9940pd9333jh",
        oauth_timestamp="1191242096",
        oauth_signature_method="HMAC-SHA1",
        oauth_version="1.0",
        oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"

HTTP POST params

    POST /photos?size=original&file=vacation.jpg HTTP/1.1
    Host: photos.example.net:80

    oauth_consumer_key="dpf43f3p2l4k3l03"
    oauth_token="nnch734d00sl2jdk"
    oauth_nonce="kllo9940pd9333jh"
    oauth_timestamp="1191242096"
    oauth_signature_method="HMAC-SHA1"
    oauth_version="1.0"
    oauth_signature="tR3%2BTy81lMeYAr%2FFid0kMTYa%2FWM%3D"
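The signing sketched on the last few slides, written out with only the Ruby standard library so the base string and signature can be checked without the gem (an added example, not the talk's or the oauth gem's code; the helper names and PHOTOS_PARAMS constant are mine, the parameter and secret values are the ones on the slides):

```ruby
require 'openssl'

# Percent-encode as OAuth 1.0 requires (RFC 3986): only A-Z a-z 0-9 - . _ ~ pass
# through; every other byte becomes uppercase %XX.
def oauth_encode(value)
  value.to_s.gsub(/[^A-Za-z0-9\-._~]/) { |ch| ch.bytes.map { |b| format('%%%02X', b) }.join }
end

# Signature base string: METHOD & enc(base URL) & enc(normalized parameters), where
# the parameters (query, body and oauth_* values, never oauth_signature itself) are
# encoded, sorted by key then value, and joined as key=value&key=value.
def signature_base_string(method, base_url, params)
  normalized = params.map { |k, v| [oauth_encode(k), oauth_encode(v)] }
                     .sort
                     .map { |k, v| "#{k}=#{v}" }
                     .join('&')
  [method.upcase, oauth_encode(base_url), oauth_encode(normalized)].join('&')
end

# HMAC-SHA1 over the base string, keyed with enc(consumer secret)&enc(token secret).
# The secrets never travel; only this signature does, and it covers method, URL and
# every parameter, so a captured request cannot be re-signed for other values.
def hmac_sha1_signature(base_string, consumer_secret, token_secret)
  key = "#{oauth_encode(consumer_secret)}&#{oauth_encode(token_secret)}"
  digest = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA1'), key, base_string)
  [digest].pack('m0') # base64 without a trailing newline
end

# The Authorization: OAuth header form shown on the slides (oauth_* fields only).
def authorization_header(realm, params, signature)
  fields = params.select { |k, _| k.start_with?('oauth_') }.merge('oauth_signature' => signature)
  pairs = fields.sort.map { |k, v| %(#{oauth_encode(k)}="#{oauth_encode(v)}") }
  %(OAuth realm="#{realm}", ) + pairs.join(', ')
end

# The /photos request from the slides (the OAuth 1.0 spec's own example values).
PHOTOS_PARAMS = {
  'file' => 'vacation.jpg', 'size' => 'original',
  'oauth_consumer_key' => 'dpf43f3p2l4k3l03', 'oauth_token' => 'nnch734d00sl2jdk',
  'oauth_nonce' => 'kllo9940pd9333jh', 'oauth_timestamp' => '1191242096',
  'oauth_signature_method' => 'HMAC-SHA1', 'oauth_version' => '1.0'
}.freeze

def sign_photos_request
  base = signature_base_string('GET', 'http://photos.example.net/photos', PHOTOS_PARAMS)
  hmac_sha1_signature(base, 'kd94hf93k423kf44', 'pfkkdhi9sl3r4s00')
end
```

A provider verifies by rebuilding the same base string from the request it received and comparing the HMAC it computes with the oauth_signature it was sent.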

Ignore the details source: http://flic.kr/p/5NRADb

Libraries

Gems

    sudo gem install oauth

github.com/mojodna/oauth

Plugins

Plugins

    ./script/plugin install git://github.com/pelle/oauth-plugin.git

github.com/pelle/oauth-plugin

OAuth on Rails

    rails osconrails -m rails-base-template.text
    cd osconrails
    ./script/plugin install git://github.com/pelle/oauth-plugin.git

Add the oauth-plugin

    ./script/generate oauth-plugin
    exists  app/models/
    create  app/views/oauth
    create  app/views/oauth_clients
    create  app/models/client_application.rb
    create  app/models/oauth_token.rb
    create  app/models/request_token.rb
    create  app/models/access_token.rb
    create  app/models/oauth_nonce.rb
    create  app/controllers/oauth_controller.rb
    create  app/helpers/oauth_helper.rb
    create  app/controllers/oauth_clients_controller.rb
    create  app/helpers/oauth_clients_helper.rb
    create  spec/models/client_application_spec.rb
    create  spec/models/oauth_token_spec.rb
    create  spec/models/oauth_nonce_spec.rb
    create  spec/fixtures/client_applications.yml
    create  spec/fixtures/oauth_tokens.yml
    create  spec/fixtures/oauth_nonces.yml
    create  spec/controllers/oauth_controller_spec_helper.rb
    create  spec/controllers/oauth_controller_spec.rb
    create  spec/controllers/oauth_clients_controller_spec.rb
    create  app/views/oauth_clients/_form.html.erb
    create  app/views/oauth_clients/new.html.erb
    create  app/views/oauth_clients/index.html.erb
    create  app/views/oauth_clients/show.html.erb

Update your routes (./config/routes.rb)

    map.resources :oauth_clients
    map.authorize '/oauth/authorize', :controller => 'oauth', :action => 'authorize'
    map.request_token '/oauth/request_token', :controller => 'oauth', :action => 'request_token'
    map.access_token '/oauth/access_token', :controller => 'oauth', :action => 'access_token'
    map.test_request '/oauth/test_request', :controller => 'oauth', :action => 'test_request'

Filters for access control

    class ApiController < ApplicationController
      # Everything except the OAuth-only action accepts either a logged-in
      # session or a signed OAuth request
      before_filter :login_or_oauth_required, :except => [:oauth_only_action]
      # This action accepts signed OAuth requests only
      before_filter :oauth_required, :only => [:oauth_only_action]
    end

That’s it!

Desert

Careful: nonce & timestamp source: http://flic.kr/p/QtskX
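What the "careful" on this slide comes down to on the provider side, as an added example that is not the talk's code or the oauth-plugin's OauthNonce model; the class name, the 300-second window and the return symbols are assumptions:

```ruby
# Provider-side replay guard for the nonce/timestamp pair on every signed request
# (constructed example, not the oauth-plugin's OauthNonce model). A replayed request
# carries a perfectly valid signature, so the signature check alone cannot catch it:
# the provider must refuse timestamps outside its acceptance window and refuse a
# nonce it has already seen from that consumer with that timestamp.
class NonceGuard
  def initialize(window: 300, clock: -> { Time.now.to_i })
    @window = window
    @clock = clock
    @seen = {} # [consumer_key, nonce, timestamp] => timestamp
  end

  # Returns :ok, or the reason the request must be rejected. Call it once the
  # signature has verified, so only genuine requests occupy nonce slots.
  def check(consumer_key:, nonce:, timestamp:)
    return :bad_timestamp unless timestamp.to_s.match?(/\A\d+\z/)
    return :bad_nonce if nonce.to_s.empty?
    ts = timestamp.to_i
    now = @clock.call
    prune(now)
    return :stale_timestamp if (now - ts).abs > @window
    key = [consumer_key, nonce, ts]
    return :replayed_nonce if @seen.key?(key)
    @seen[key] = ts
    :ok
  end

  private

  # Forget a nonce only once its timestamp could no longer be accepted anyway,
  # so the store stays bounded without reopening a replay window.
  def prune(now)
    @seen.delete_if { |_, ts| now - ts > @window }
  end
end
```

In the Rails plugin this state lives in the generated oauth_nonce model and table rather than in memory, and the "Use separate DB's" slide applies to it like any other per-request store.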

Use separate DB’s source: http://flic.kr/p/6xtHZp

Signing with keys

Without Login

Privacy Wall

Privacy and the Law

Expire Tokens

CSRF & XSS - Careful!

Don’t Log Everything source: http://flic.kr/p/5VcQWT

Selective Logging source: http://flic.kr/p/5Zkwex

dev.riseup.net/privacy/ source: http://dev.riseup.net/privacy/

Except Telephony source: http://flic.kr/p/4DzMNu

Privacy is Freedom source: http://flic.kr/p/5anoq

Creative Commons Photos http://fireeagle.yahoo.net/developer/documentation/oauth_best_practice http://www.flickr.com/photos/stevenh/360015104/ http://www.flickr.com/photos/cdevers/2785041073/ http://www.flickr.com/photos/myklroventine/3355106480/ http://www.flickr.com/photos/itsallaboutmich/498340461/ http://www.flickr.com/photos/charlesfred/100392094/ http://www.flickr.com/photos/purplemattfish/3126383038/ http://www.flickr.com/photos/exlibris/1579580258/ http://www.flickr.com/photos/57231735@N00/212544472/ http://www.flickr.com/photos/maniya/541287799/ http://www.flickr.com/photos/santos/1704875109/ http://www.flickr.com/photos/alphadesigner/354044811/ http://www.flickr.com/photos/roby72/553640207/ http://www.flickr.com/photos/smb_flickr/392254853/ http://www.flickr.com/photos/eatingchips/3345052094 http://www.flickr.com/photos/koluso/2808523989/ http://www.flickr.com/photos/lwr/60496147/ http://www.flickr.com/photos/razowsky/2630970947/ http://www.flickr.com/photos/crazyneighborlady/355232758/ http://www.flickr.com/photos/mwichary/2648035941/ http://www.flickr.com/photos/zanotti/304312092/
