oauth design team call

Post on 19-Jan-2016

35 Views

Category:

Documents

1 Downloads

Preview:

Click to see full reader

DESCRIPTION

OAuth Design Team Call. 11 th February 2013. Security Design Requirements. Focus on symmetric key cryptography Use MAC Token spec as a starting point Lifetime of session key = Lifetime of access token Unless the sequence number space wraps Replay protection: Timestamp + [sequence number] - PowerPoint PPT Presentation

TRANSCRIPT

OAuth Design Team Call

11th February 2013

Security Design Requirements

• Focus on symmetric key cryptography• Use MAC Token spec as a starting point• Lifetime of session key = Lifetime of access token

– Unless the sequence number space wraps

• Replay protection: Timestamp + [sequence number]• Support for TLS channel bindings• Integrity protection for data exchange between the client

and the resource server, and vice versa.• “Flexibility” regarding keyed message digest computation• Crypto-Agility: Algorithm indication from Authorization

Server to the Client.

Remaining Decisions

• Key distribution:– Three mechanisms presented. Which one

should focus on?

• Key naming: New key identifier (kid) parameter?

• Allow Client to indicate to which RS is wants to talk to?

DKIM Signature Recap

• body-hash: is the output from hashing the body, using hash-alg.

• data-hash: is the output from using the hash-alg algorithm, to hash the header including the DKIM-Signature header, and the body hash.

• h-headers: is the list of headers to be signed, as specified in the "h" parameter.

• h= Signed header fields • Example: h=Received : From : To : Subject :

Date : Message-ID;• Alternative: IANA registration for example

Key Distribution

• Three techniques:– Key Transport– “Key Retrieval” – Key Agreement

• Key point: What is MTI?

How RS obtains the Session Key?Option#1: Key Transport

User Agent &

Resource Owner

Client (C)

Authorization Server (AS)

Resource Server (RS)

Access Token

Keys & Meta Data

AS-C

AS-RS

Access Token

AS-RS

Keyed Message

Digest

C-RS

TLS

How RS obtains the Session Key?Option#2: “Key Retrieval”

Keyed Message

Digest

User Agent &

Resource Owner

Client (C)

Authorization Server (AS)

Resource Server (RS)

Access Token

Keys & Meta Data

AS-C

AS-RS

Access Token

AS-RS

C-RS

TLS

Key Request

How RS obtains the Session Key?Option#3: Key Agreement

Keyed Message

Digest

User Agent &

Resource Owner

Client (C)

Authorization Server (AS)

Resource Server (RS)

Access Token

Keys & Meta Data

AS-C

AS-RS

Access Token

AS-RS

C-RS

TLS

Key Request

top related