-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathmacaroons.slide
212 lines (127 loc) · 6.05 KB
/
macaroons.slide
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
Distributed Web Security with Macaroons
KopDar Python Meetup
21 Jun 2014
Shirkey
@shirkeydev
* About
*Purpose*
- A little about security, authentication and authorization
- Using macaroons / libmacaroons
*Me:*
I'm @shirkeydev ...
.image img/gravatar.jpeg
* Security Aspects
*Data*
- *Confidentiality* - _access_control_lists_
- *Integrity* - _hashes,_checksums_
- *Availability* - _backups,_disaster_recovery_
*User*
- *Authentication* - _identify_users_
- *Authorization* - _credentials,_permissions_
- *Accounting* - _audit_trail,_logging_
We will be focusing almost exclusively on *Authorization* in this discussion
* But first, a word about Authentication
* Authentication Factors
*Something*you*know*
- _userid/password_
- _PIN_number_
*Something*you*have*
- _smart_card_/_certificate_/_ *bearer*tokens*
- _handphone_via_SMS/inbound_call_
*Something*you*are*
- _fingerprint_,_iris_scan_
- _CAPTCHA_
*Two-factor*authentication* = any two of these methods used in combination
* Successful Authentication => Authorization Credentials
After authentication, the user is provided *credentials* for authorization on successive requests
Common authorization credential schemes found on the web include:
- *Certificates*
- *Cookies*
- *Tokens*
* Authorization Credential Schemes
* Credentials: Public-Key Certificates
Basically something server administrators look forward to administering every year*
Pros:
- agreed upon format
- established certificate authorities
Cons:
- administration overhead -- installation and portability
- non-zero cost
- *certificate revocation every year or earlier (see Heartbleed )
.link http://digital-era.net/certificate-revocations-shoot-up-in-wake-of-openssl-heartbleed-bug/
* Credentials: HTTP Cookies
Web service creates and provides a unique session id as a cookie to the client,
session state is maintained on server until token expiration (optional)
Pros:
- simple
- lightweight
Cons:
- cookies cannot be easily validated between domains
* Credentials: Tokens
Distributed credentials in the cloud that can be shared between users and services
*Macaroons* are token credentials using HMAC signing
Pros:
- use cookies or other storage mechanism (localStorage/sessionStorage) client-side
- can be shared across clients and domains, useful for distributed authorization
Cons:
- Macaroons are not alone: multiple standards still in draft (JWT, JWS)
More Info:
.link http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-19
.link http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-26
* Macaroons
* Macaroons: Overview
Developed by Google Research team
Provides for a simple distributed bearer token with
- Delegation
- Contextual Caveats
* Macaroons: Delegation
- Support for third-party authentication methods
- Flexible authorization (constrain access at the identity, resources)
- Credentials can be further constrained outside of originating service
* Macaroons: Contextual Caveats
- Attenuation / constraint of original macaroon using caveats
- Two types of caveats: first-party and third-party
- First-party is the originating service that creates the credential
- Third-party are any trusted external services that can validate credentials
- We will only be discussing first-party
* Macaroons: Implementations
- *libmacaroons* is available today for Debian/Ubuntu
- Python and Go bindings included
.link https://github.com/rescrv/libmacaroons
* libmacaroons
* libmacaroons: Installation
.play installing.sh /START OMIT/,/END OMIT/
* libmacaroons: attributes of a basic macaroon
.play ./create_the_token.py /START 1 OMIT/,/END 1 OMIT/
* libmacaroons: instantiating our macaroon
.play ./create_the_token.py /START 2 OMIT/,/END 2 OMIT/
* libmacaroons: deserializing a macaroon
.play -edit ./deserialize_the_token.py /START 1 OMIT/,/END 1 OMIT/
* libmacaroons: validating the macaroon
.play -edit ./validate_the_token.py /START 1 OMIT/,/END 1 OMIT/
* libmacaroons: adding user-specific constraints
Our first macaroon was too general, so we need to provide our users with constrained credentials
Notice that we do not need the secret to add constraints to a macaroon
.play -edit ./add_user_constraint.py /START 1 OMIT/,/END 1 OMIT/
* libmacaroons: validate user-specific constraints
We will validate the user against a requested resource
.play -edit ./verify_user_constraint.py /START 1 OMIT/,/END 1 OMIT/ HL001
* libmacaroons: validate user-specific constraints -- gotchas
Notice that without the first-party caveat, our base macaroon can access *any* user resource
.play -edit ./verify_user_constraint.py /START 1 OMIT/,/END 1 OMIT/ HL002
* libmacaroons: user can further constrain macaroon for delegation
.play -edit ./distributed_constraint.py /START 1 OMIT/,/END 1 OMIT/
* libmacaroons: now the token can be validated in delegated use
.play -edit ./check_distributed_constraints.py /START 1 OMIT/,/END 1 OMIT/
* libmacaroons: further functionality
- *satisfy_general* -- create more complex verifications beyond string matching
- *add_third_party_caveat* -- include external verification of macaroons
- since Macaroons are based on HMAC, it is very likely we will see native Javascript implementations soon
* References
.link http://hackingdistributed.com/2014/05/16/macaroons-are-better-than-cookies/ Macaroons are Better Than Cookies! (article)
.link http://hackingdistributed.com/2014/05/21/my-first-macaroon/ My First Macaroon: A New Way to do Authorization (article)
.link http://github.com/rescrv/libmacaroons libmacaroons (source code)
.link http://theory.stanford.edu/~ataly/Papers/macaroons.pdf Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud (the original research paper)
.link http://air.mozilla.org/macaroons-cookies-with-contextual-caveats-for-decentralized-authorization-in-the-cloud/ Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud (presentation by Google Research team member)
.link http://cs.nyu.edu/web/Research/TechReports/TR2013-962/TR2013-962.pdf Cryptographic Security of Macaroon Authorization Credentials (additional research paper)