Security of Online Social Networks Interfaces
Lehrstuhl IT-Sicherheitsmanagment
Universität Siegen
May 3, 2012
Lehrstuhl IT-Sicherheitsmanagment 1/38
Recapitulation
- Graph Model: formal data representation
- Login Procedures: Authentication
  - WebID
  - OpenID
  - TLS
Overview Lesson 04
- OAuth
- Concluding Authentication
- Open Graph
- Open Social
OAuth vs. OpenID
[Figure: OpenID vs. pseudo-authentication using OAuth; source: http://en.wikipedia.org/wiki/file:openidvs.pseudo-authenticationusingoauth.svg]
OAuth
OAuth Overview
Parties: resource owner (User), client (Consumer), server (Service Provider)
Credentials: client credentials, temporary credentials, token credentials
Objectives:
- Redirection-Based Authentication
- partial authorisation to a (web) resource
- no password disclosure to the client
OAuth State 2012
- OAuth 1.0: RFC 5849 [1]; Session Fixation Attack
- OAuth 2.0: Facebook deployed; Microsoft, Google experimental
(source: http://hueniverse.com/oauth/)
OAuth Phases
Preliminaries:
0. Client Credentials
Server Communication Endpoints:
1. Temporary Credential Request
2. Resource Owner Authorisation
3. Token Request
OAuth 1.0: Temporary Credential Request
Participants: Owner, Client, Server
  Owner  -> Client: GET (use resource)
  Client -> Server: consumer key, callback, ...
  Server -> Client: token, token secret, ...
  Client -> Owner:  3xx redirect to server auth?token, callback
OAuth 1.0: Resource Owner Authorisation
  Client -> Owner:  3xx redirect to server auth?token
  Owner  -> Server: auth?token
  Server: Authenticate(owner), Authorise(client)
    Server -> Owner: Login/Auth-Form
    Owner  -> Server: Password
  Server -> Owner:  3xx redirect to callback?token,token verifier
  Owner  -> Client: callback?token&token verifier
OAuth 1.0: Token Request
  Owner  -> Client: callback?token&token verifier
  Client -> Server: token?token verifier
  Server -> Client: token, token secret
Using Resource:
  Client -> Server: resource?token
  Server -> Client: resource! OK
OAuth 1.0: Session Fixation
1. Attacker uses (honest) client to get temporary credential
2. Attacker does not follow the authorisation redirect
3. Attacker tricks resource owner into clicking the redirect
4. Owner authorises honest client at server
5. Attacker uses saved temporary credential to request token
6. Attacker uses token to access resource
(source: http://oauth.net/advisories/2009-1/)
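As an added example that is not part of the slides, a minimal in-memory model of the server side of the three OAuth 1.0 phases above. It shows the oauth_verifier check that RFC 5849 added in response to advisory 2009-1: the verifier only reaches the client through the owner's callback redirect, so a saved temporary credential alone (step 5 above) is refused. Class, method and sample names are constructed for this illustration.

```python
import hmac
import secrets

class OAuth10Server:
    # Server side of the three OAuth 1.0 phases on the slides; names are constructed.
    def __init__(self, clients):
        self.clients = clients  # consumer key -> consumer secret (phase 0, client credentials)
        self.temp = {}          # temporary token -> state (phases 1 and 2)
        self.tokens = {}        # access token -> (consumer key, owner) (phase 3, token credentials)

    # Phase 1: client sends consumer key and callback, gets temporary credentials.
    def temporary_credential_request(self, consumer_key, callback):
        if consumer_key not in self.clients:
            raise PermissionError("unknown client")
        token, secret = secrets.token_hex(8), secrets.token_hex(16)
        self.temp[token] = {"secret": secret, "client": consumer_key,
                            "callback": callback, "owner": None, "verifier": None}
        return token, secret

    # Phase 2: owner authenticates at the server and authorises the client. The verifier
    # reaches the client only through the owner's browser via the callback redirect
    # (the RFC 5849 fix for advisory 2009-1).
    def authorise(self, token, owner):
        state = self.temp[token]
        state["owner"], state["verifier"] = owner, secrets.token_hex(8)
        return f'{state["callback"]}?oauth_token={token}&oauth_verifier={state["verifier"]}'

    # Phase 3: temporary credentials plus verifier are exchanged for token credentials.
    # A saved temporary token without the verifier is refused (step 5 on this slide).
    def token_request(self, consumer_key, token, verifier):
        state = self.temp.get(token)
        if state is None or state["client"] != consumer_key or state["owner"] is None:
            raise PermissionError("temporary credential not authorised for this client")
        if verifier is None or not hmac.compare_digest(verifier, state["verifier"]):
            raise PermissionError("missing or wrong verifier")
        del self.temp[token]  # temporary credentials are single use
        access, access_secret = secrets.token_hex(8), secrets.token_hex(16)
        self.tokens[access] = (consumer_key, state["owner"])
        return access, access_secret

    def resource(self, access_token):  # using the resource with token credentials
        consumer_key, owner = self.tokens[access_token]
        return f"profile of {owner} for {consumer_key}"

def try_token_request(server, consumer_key, token, verifier):
    # True if the server accepts the exchange, False if it refuses it.
    try:
        server.token_request(consumer_key, token, verifier)
        return True
    except PermissionError:
        return False
```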
OAuth 2.0
Why update?
- OAuth 1.0 too complex
- Scalability issues
- Incompatible with existing authentication schemes
State: almost stable IETF draft v2.22
(source: http://hueniverse.com/2010/05/introducing-oauth-2-0/)
(see http://tools.ietf.org/html/draft-ietf-oauth-v2-22)
OAuth 2.0: Delta
- Role Separation: Authorization Server
- 6 Different Protocol Flows: User-Agent, Web-Server, Device, Username-Password, Client Credentials, Assertion (e.g. SAML)
- Bearer Tokens
- Short-Lived Tokens / Long-Lived Authorizations
(source: http://hueniverse.com/2010/05/introducing-oauth-2-0/)
OAuth 2.0: Flow
[Figure: protocol flow; source: OAuth v2.22 (draft)]
Concluding Authentication
WebID vs. OpenID vs. OAuth
                 WebID       OpenID            OAuth
  ID Provider    self        self/3rd party    3rd party
  Authentication local key   passwd/assertion  various
  Channel        TLS         assertion         token
Open Graph
facebook social graph representation
https://developers.facebook.com/docs/opengraph/
http://ogp.me/
OG mechanics
[Figure]
Open Social
Overview
- set of APIs
- Community product, no owner (OpenSocial Foundation)
- Contribution Licensing Agreement
- Non-Assert Agreement
- Standardisation process: consensus and running code
- Gadgets, Container, Social Server
- current version 2.0.1
- Gadget: web-based software component
- Container: context of a gadget (e.g. web page)
- User: viewer of gadget at runtime
[Figure: Social API Server, OpenSocial Container]
OpenSocial Specification Dependencies
[Figure: Core Container Spec, Core API Server, Social API Server, Core Gadget Container, Social Gadget Container, Open Social Container, OpenSocial Specification]
Core API Server Spec
- Protocols: REST or RPC
- Security: OAuth (Access Tokens)
- Content Upload
- Common Parameters: Request-ID, Auth-Token, Content-Type, Return-Object, Invalidation-Key-List, HTTP-Status-Code
- Request Parameters: Updated-Since, Encoding Format
- Discovery Services
- Concurrency Control: HTTP/AtomPub (MAY)
REST Protocol
Request:
  GET /api/people/@me/@self?fields=name HTTP/1.1
  Host: api.example.org
  Authorization: hh5s93j4hdidpola
  Content-Type: application/json
Response:
  HTTP/1.x HTTP-Status-Code
  [ "Content-Type: " Content-Type ]
  [ REST-Response-Payload ]
Social API Server Spec
OpenSocial Social API Server Specification 2.0.1 [2]
People, Groups, Activity Streams, AppData, Albums, MediaItems, Messages
REST Create Relationship
  REST-HTTP-Method       = "POST"
  REST-URI-Fragment      = "/people/" User-Id "/" Group-Id
  REST-Query-Parameters  = null
  REST-Request-Payload   = Person
Example:
  POST /rest/people/@self/@friends HTTP/1.1
  Host: api.example.org
  Authorization: hh5s93j4hdidpola
  Content-Type: application/xml

  <entry xmlns="http://ns.opensocial.org/2008/opensocial">
    <id>example.org:34kjdcskjn2hhf0dw20394</id>
  </entry>
Reflective Create Relationship (WebID+REST)
(diagram columns: A, Bob's, Alice's)
(1) Bob's Page (for Alice)
(2) click "know him!"
(3) POST /alice/rest/people/@alice#me/@knows HTTP/1.1
    Host: alice.info
    Authorization: alice.info/alice#me
    Content-Type: application/xml
    [...]
    <foaf:Person>
      <foaf:homepage rdf:resource="http://bob.org/bob#me"/>
      <foaf:mbox_sha1sum>8a75535cfeb076f13del68aa113e91abaeb7340</foaf:mbox_sha1sum>
    </foaf:Person>
(4) append knows Person bob
(5) Redirect back to Bob's; Return-Object: Person Bob
(6) Request Bob's Page
OpenSocial with WebID
- Authorisation?
- Identities in URLs?
RPC create friendship (WebID)
  POST /bob/rpc HTTP/1.1
  Host: bob.org
  Authorization: <auth token>
  Content-Type: application/json

  {
    "method": "people.create",
    "id": "createfriend",
    "params": {
      "userid": "@alice.info/alice#me",
      "groupid": "@knows",
      "person": { "id": "@bob.org/bob#me" }
    }
  }
Sending a message
  REST-HTTP-Method       = "POST"
  REST-URI-Fragment      = "/messages/" User-Id "/@self/@outbox"
  REST-Query-Parameters  = null
  REST-Request-Payload   = Message
HTTP Status Codes
  400 BAD REQUEST            invalid syntax
  401 UNAUTHORIZED           missing OAuth credentials / no access
  403 FORBIDDEN              insufficient context rights
  404 NOT FOUND              resource missing
  405 METHOD NOT ALLOWED     response with Allow header
  409 CONFLICT               response with details
  500 INTERNAL SERVER ERROR  generic
  501 NOT IMPLEMENTED        optional feature missing
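As an added example that is neither from the slides nor from the OpenSocial specification, a small handler for the REST Create Relationship request shown earlier (POST /rest/people/@self/@friends with the <entry> payload) that maps each failure onto the status codes on this slide. The token store, the friends store, the check order and the 200 success code are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = "http://ns.opensocial.org/2008/opensocial"  # namespace of the <entry> on the slide

# Constructed sample state: valid access tokens and each user's existing @friends group.
TOKENS = {"hh5s93j4hdidpola": "example.org:alice"}
FRIENDS = {"example.org:alice": {"example.org:carol"}}

def handle_create_relationship(method, path, headers, body):
    """Serve POST /rest/people/{User-Id}/{Group-Id} and map each failure onto the
    status codes from the slide. Returns (status, response headers, payload)."""
    parts = path.strip("/").split("/")
    if len(parts) != 4 or parts[:2] != ["rest", "people"]:
        return 404, {}, {"error": "resource missing"}
    if method != "POST":
        return 405, {"Allow": "POST"}, {"error": "method not allowed"}
    token = headers.get("Authorization")
    if token not in TOKENS:
        return 401, {}, {"error": "missing or invalid OAuth credentials"}
    user_id, group_id = parts[2], parts[3]
    if user_id == "@self":
        user_id = TOKENS[token]
    if user_id != TOKENS[token]:  # the token owner may only edit their own groups
        return 403, {}, {"error": "insufficient rights in this context"}
    if user_id not in FRIENDS or group_id != "@friends":
        return 404, {}, {"error": "resource missing"}
    try:
        entry = ET.fromstring(body)
        person_id = entry.find(f"{{{NS}}}id")
        if entry.tag != f"{{{NS}}}entry" or person_id is None or not person_id.text:
            raise ValueError("entry without person id")
    except (ET.ParseError, ValueError):
        return 400, {}, {"error": "invalid syntax"}
    if person_id.text in FRIENDS[user_id]:
        return 409, {}, {"error": "relationship already exists", "id": person_id.text}
    FRIENDS[user_id].add(person_id.text)
    # Success: echo the created Person as the Return-Object (200 assumed here).
    return 200, {"Content-Type": "application/json"}, {"id": person_id.text}
```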
Conclusion
- Protocols
- Authentication: towards Identity Provider, towards 3rd Party
- Data Exchange Formats
- WebID needs additional API
References I
[1] The OAuth 1.0 Protocol, IETF Informational RFC 5849, April 2010.
[2] OpenSocial Social API Server Specification 2.0.1, OpenSocial Foundation Std., Rev. 2.0.1. [Online]. Available: http://opensocial-resources.googlecode.com/svn/spec/2.0.1/Social-API-Server.xml