Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The Beginner's Guide to Alternative Authentication

Chris Cornutt
February 20, 2015
Technology
1
670

The Beginner's Guide to Alternative Authentication

It's pretty common for developers to go with the same kinds of authentication handling when they're creating their applications with permissions and groups. Unfortunately, as applications grow in side an interact with other systems, this kind of system sags under the weight of its own technical debt. Follow along with me as I talk about some alternatives to the typical RBAC authorization including attribute-based, multifactor, pattern-based and federated identity providers.

Chris Cornutt

February 20, 2015
Tweet

More Decks by Chris Cornutt

See All by Chris Cornutt
Securing Legacy Applications
ccornutt
0
99
Pentesting for Developers
ccornutt
0
110
Securing Legacy Applications - Longhorn PHP 2018
ccornutt
1
150
Pieces of Auth
ccornutt
0
300
Securing Legacy Applications
ccornutt
0
460
Build Security In
ccornutt
0
170
Introduction to Slim 3
ccornutt
0
150
Securing Legacy Applications
ccornutt
0
32
PHP Security, Redfined
ccornutt
0
260

Other Decks in Technology

See All in Technology
「視座」の上げ方が成人発達理論にわかりやすくまとまってた / think_ perspective_hidden_dimensions
shuzon
2
2.2k
オーティファイ会社紹介資料 / Autify Company Deck
autifyhq
9
120k
グローバル展開を見据えたサービスにおける機械翻訳プラクティス / dp-ai-translating
cyberagentdevelopers
PRO
1
150
[AWS JAPAN 生成AIハッカソン] Dialog の紹介
yoshimi0227
0
150
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
100
コンテンツを支える 若手ゲームクリエイターの アートディレクションの事例紹介 / cagamefi-game
cyberagentdevelopers
PRO
1
130
Automated Promptingを目指すその前に / Before we can aim for Automated Prompting
rkaga
0
110
よくわからんサービスについての問い合わせが来たときの強い味方 Amazon Q について
kazzpapa3
0
220
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
Java x Spring Boot Warm up
kazu_kichi_67
2
490
AWSコンテナ本出版から3年経った今、もし改めて執筆し直すなら / If I revise our container book
iselegant
15
4k
Aurora_BlueGreenDeploymentsやってみた
tsukasa_ishimaru
1
120

Featured

See All Featured
How GitHub (no longer) Works
holman
311
140k
Intergalactic Javascript Robots from Outer Space
tanoku
268
27k
Building Your Own Lightsaber
phodgson
102
6k
Git: the NoSQL Database
bkeepers
PRO
425
64k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
4
290
Performance Is Good for Brains [We Love Speed 2024]
tammyeverts
3
370
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
Fireside Chat
paigeccino
32
3k
How STYLIGHT went responsive
nonsquared
95
5.2k
KATA
mclloyd
29
13k

Transcript

  1. The Beginners Guide to Alternative Authentication Chris Cornutt : @enygma

    - ConFoo 2015

  2. Authentication Authorization

  3. Authentication Authorization

  4. Identity Management

  5. Usual Suspects Access Control? What’s that? Permissions Access Control Lists

    Role-Based Access Controls
  6. None

  7. Attribute-Based Flexible… …to a fault. XACML

  8. Resource Subject Environment Action Attribute-Based Attribute-Based

  9. Resource Subject Environment Action Decider/Enforcer Policy Attribute-Based

  10. <Policy PolicyId="SamplePolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:permit-overrides"> <!-- This Policy only applies to requests

    on the SampleServer --> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SampleServer</AttributeValue> <ResourceAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"/> </ResourceMatch> </Resources> <Actions> <AnyAction/> </Actions> </Target> <!-- Rule to see if we should allow the Subject to login --> <Rule RuleId="LoginRule" Effect="Permit"> <!-- Only use this Rule if the action is login --> <Target> <Subjects> <AnySubject/> </Subjects> <Resources> <AnyResource/> </Resources> <Actions> <ActionMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">login</AttributeValue> <ActionAttributeDesignator DataType="http://www.w3.org/2001/XMLSchema#string" AttributeId="ServerAction"/> </ActionMatch> </Actions> </Target> <!-- Only allow logins from 9am to 5pm --> <Condition FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-greater-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue> </Apply> <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-less-than-or-equal" <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"> <EnvironmentAttributeSelector DataType="http://www.w3.org/2001/XMLSchema#time" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time"/> </Apply> <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue> </Apply> </Condition> </Rule> <!-- We could include other Rules for different actions here --> <!-- A final, "fall-through" Rule that always Denies --> <Rule RuleId="FinalRule" Effect="Deny"/> </Policy>

  11. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/1

    username1 production GET

  12. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/1

    username1 production GET

  13. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/42

    username1 dev GET

  14. Resource Subject Environment Action Policy /user/view/1 username1 production GET /user/view/42

    username1 dev GET

  15. Multifactor Something you have Something you know Something you are

    Someplace

  16. Multifactor

  17. Multifactor Stolen shared secret Steal the thing Copy the thing

    Intercept/masquerade Hijack after use

  18. Federated Identity Portable, standards-based Do you need to host? Removes

    the burden

  19. Federated Identity

  20. Federated Identity IDP

  21. Federated Identity IDP Unification

  22. Federated Identity User-to-user User-to-application Application-to-application Levels of trust

  23. Federated Identity But isn’t that just Single-Sign On? One word…context.

  24. Federated Identity Credentials User attributes Access levels Provisioning Auditing Domain

  25. Single Sign On Credentials Multiple services, one login Interface requirements

    Not always username & password

  26. Single Sign On Primary Domain

  27. Single Sign On Subset of Federation Intranets Remove authentication burden

    Makes users happy…as long as it works.

  28. SAML Security Assertion Markup Langauge Cross-service Passes needed info Version

    2 XML based

  29. SAML Security Assertion Markup Langauge

  30. SAML Security Assertion Markup Langauge Assertions Statements used in IdP

    decisions Protocols How elements are packaged Bindings Mapping of protocol to standard format Profiles Combines assertions, protocols and bindings

  31. SAML Security Assertion Markup Langauge

  32. SAML Security Assertion Markup Langauge Authentication Context Schemas Intranet, MobileTwoFactor,

    PublicKey, SSL/TLS Certificate, etc. Identification information How “secret” is defined

  33. So, which to use? Level of protection needed Current systems

    and integration Defense in depth Risk (Frequency, Probability, Cost) Don’t have to pick just one…

  34. Thanks! Questions? @enygma http://securingphp.com - @securingphp http://websec.io