6/24 Securing your API beyond basic OAuth by Sender Constrained Tokens... | Identiverse 2018
Full title: Securing your API beyond basic OAuth by Sender Constrained Tokens and JWT Authorization Request
Presenter: Nat Sakimura, Research Fellow at Nomura Research Institute, Ltd.
In the mobile-first world we live in, OAuth 2.0 as defined in RFC 6749 and RFC 6750 is the de facto method for protecting your APIs. It is very simple to use, and as far as security properties are concerned it is a vast improvement over API keys or a shared-password approach. However, it has given up some security properties as well. This session explains where the weaknesses of basic OAuth lie by considering source, destination, and message authentication, and by considering the recommendations derived from the formal security analysis of the ISO/IEC 9798 standard for entity authentication by Basin, Cremers, and Meier. It then explains how these weaknesses can be addressed using JWT Authorization Request and Sender Constrained Tokens based on the Financial API security profile developed by the OpenID Foundation's FAPI WG and deployed in UK banks and other financial institutions elsewhere in the world. Such a profile should be very useful not only for financial transactions but for other higher-risk APIs as well.
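As an added illustration of the sender-constrained tokens the abstract refers to (this is example code, not material from the talk or from the FAPI specification): the resource-server check that an access token carrying a certificate thumbprint in its `cnf` claim, the certificate-bound token form of RFC 8705 that the FAPI profile builds on, is being presented over mTLS by the holder of that certificate rather than replayed as a plain bearer token. The certificate bytes are constructed placeholders, and signature, issuer, audience and expiry validation are assumed to have happened before this check.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple


def cert_thumbprint(cert_der: bytes) -> str:
    """x5t#S256 as in RFC 8705: base64url(SHA-256(DER certificate)), no padding."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def issue_bound_token(claims: dict, client_cert_der: bytes) -> dict:
    """Authorization-server side: bind the token to the client's mTLS certificate
    via a cnf (confirmation) claim. JWT signing is assumed to happen afterwards."""
    bound = dict(claims)
    bound["cnf"] = {"x5t#S256": cert_thumbprint(client_cert_der)}
    return bound


def verify_sender_constraint(token_claims: dict,
                             presented_cert_der: Optional[bytes]) -> Tuple[bool, str]:
    """Resource-server side, run after signature, issuer, audience and expiry checks.
    A token without cnf is rejected: under a FAPI-style profile every access token
    must be sender-constrained, so a leaked token is useless to a client that does
    not hold the private key of the bound certificate."""
    cnf = token_claims.get("cnf") or {}
    expected = cnf.get("x5t#S256")
    if not expected:
        return False, "token is not sender-constrained (no cnf.x5t#S256)"
    if presented_cert_der is None:
        return False, "no mTLS client certificate presented with the request"
    actual = cert_thumbprint(presented_cert_der)
    if not hmac.compare_digest(expected, actual):
        return False, "presented certificate does not match the token binding"
    return True, "ok"


# Constructed stand-ins for DER-encoded X.509 client certificates taken from the
# TLS handshake; any byte string exercises the thumbprint logic shown here.
LEGIT_CLIENT_CERT = b"constructed-der-bytes-for-the-legitimate-client"
OTHER_CLIENT_CERT = b"constructed-der-bytes-for-a-different-client"

ACCESS_TOKEN = issue_bound_token(
    {"iss": "https://as.example", "sub": "user-42", "scope": "accounts"},
    LEGIT_CLIENT_CERT,
)

if __name__ == "__main__":
    print(verify_sender_constraint(ACCESS_TOKEN, LEGIT_CLIENT_CERT))  # (True, 'ok')
    print(verify_sender_constraint(ACCESS_TOKEN, OTHER_CLIENT_CERT))  # replay from another client: rejected
    print(verify_sender_constraint({"sub": "user-42"}, LEGIT_CLIENT_CERT))  # plain bearer token: rejected
```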
Save the date: Join us June 25-28, 2019 in Washington, D.C.!