SlideShare ist ein Scribd-Unternehmen logo

Clef security architecture

J
jessepollak

A quick deck on how Clef's security architecture works.

Technologie
1 von 30
Downloaden Sie, um offline zu lesen
CLEF SECURITY ARCHITECTURE GETCLEF.COM/SECURE
OVERVIEW Logging in with Clef 1. Unique id sent to browser and displayed as wave 2. Phone’s camera used to scan wave and transfer id 3. Private key on phone used to generate signature with id and timestamp- sent to Clef Server 4. Signature verified and OAuth Code sent to browser 5. Redirect in browser sends OAuth Code to Site Server 6. OAuth Handshake between Clef Server and Site Server 7. User info sent to Site Server 8. User is logged in to site
SETUP
Registration on the Phone • User downloads app • Email address confirmed, PIN set up • 2048-bit RSA key pair generated on phone • Public key sent to server and stored • Private key encrypted on device • for iOS—KeychainServices for hardware encryption • for Android—PIN-based encryption (PKCS#5)
Registering a New Site • Developer creates account at developer.getclef.com • Developer receives App ID and App Secret • <script> tag with App ID embedded in login form • Standard code to handle OAuth 2.0 Handshake
LOGGING IN
Generating the Clef Wave • <script> creates “Log in with Clef” button • On user click, loads iframe from Clef Server • iframe requests unique id (Session Key) • Session Key is stored as a signed cookie • displayed as animated barcode, the Clef Wave
Scanning the Clef Wave • User opens Clef App on their smartphone • Enters PIN to unlock the app • On-screen guide instructs user to sync Clef Wave • Phone’s camera reads Session Key from Clef Wave
Verifying the Signature • Signature is generated with Session Key, user id, and current timestamp • Signature is sent to Clef Server over TLS/SSL • Clef Server verifies signature using stored public key • Timestamp is checked for recency to prevent replay attacks
OAuth 2.0 Handshake ! • Clef server generates OAuth code and pushes to browser using WebSockets • Browser redirects to site’s specified redirect URL with OAuth code to initiate OAuth 2.0 handshake • Site Server sends OAuth code, App ID, App Secret to Clef Server for verification • Clef Server returns OAuth token • Site Server exchanges OAuth token for user information
Finishing the Login • Site receives user information from Clef Server, including site-specific identifier (clef_id) • Site looks up user in database with clef_id • Site sets a cookie to manage user’s session • User is redirected to logged-in page
LOGGING OUT
Single Sign Off • Site specifies a logout webhook URL on developer.getclef.com • User taps “log out” on phone (or logout timer expires), signed logout request sent to Clef Server • Clef server notifies each site of the logout via their webhook URL
Database Logout • Site stores login timestamp as part of session • When webhook is triggered, site stores time of logout in database • On page request, site compares both timestamps to determine whether user has logged out
LOST DEVICE
Deactivating a Lost Device • A phone can be reported lost or stolen on getclef.com/lost • Notifications are sent through available channels alerting user of attempted deactivation • 24 hour wait period before deactivation, can be skipped by verifying through email • Public key is wiped from Clef Server after wait period or verification
After Deactivation • Temporary passcode is granted after deactivation • Passcode can be used to log in at getclef.com • Because of single sign on, allows access to all connected services
Reactivation • User reconfirms email address and PIN • RSA key pair is generated on new device • New public key is associated with old account
REQUIREMENTS
Smartphone Requirements • Android or iOS device with camera • Android minimum SDK version: 2.3 • iOS minimum SDK version: 5.0 • Device must be networked
Verification Server Requirements • Able to run Python code, SQL database server • Network-accessible from smartphones and consoles
Console Requirements • Visual display for Clef Wave • Networked with access to Verification Server • Ability to look up users and store timestamps (for logout)
USING CLEF ON AN INTRANET
Replacing OAuth 2.0 • If within a completely trusted environment, no need to do any handshake • Otherwise, can replace OAuth 2.0 with asymmetric cryptography between Verification Server and Consoles
Networking Devices • Both phone and console must be able to communicate with Verification Server • No dependency on Internet
White-labeled App • Clef functionality wrapped in client app • Configured to work only within intranet • BYOD compatible • Available for iOS and Android devices
OTHER POSSIBLE FEATURES
Device Fingerprinting • Prevents device spoofing • Hardware IDs • Geolocation • OS-level IDs • Hardware clock-skew • Device type and configuration
Geofencing • Logins will be happening within a small geofence • Using device location can prevent external attacks • Force logout when user leaves fence
Automatic Logouts • As users move from console to console, they must log out each time • Use geolocation, Bluetooth, or NFC to make this automatic • Reduce vulnerability through carelessness

Empfohlen

CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
Secure your api from basics to beyond
Secure your api from basics to beyondSecure your api from basics to beyond
Secure your api from basics to beyondAlexandre Faria
 
Secure your api - from basics to beyond
Secure your api - from basics to beyondSecure your api - from basics to beyond
Secure your api - from basics to beyondAlexandre Faria
 
Gestión de identidad en aplicaciones corporativas web y móvil
Gestión de identidad en aplicaciones corporativas web y móvilGestión de identidad en aplicaciones corporativas web y móvil
Gestión de identidad en aplicaciones corporativas web y móvilIbon Landa
 
Wso2 is integration with .net core
Wso2 is integration with .net coreWso2 is integration with .net core
Wso2 is integration with .net coreIsmaeel Enjreny
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET CoreVladimir Bychkov
 
WSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedWSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedIsmaeel Enjreny
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connectDerek Binkley
 

Empfohlen

CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCloudIDSummit
 
Secure your api from basics to beyond
Secure your api from basics to beyondSecure your api from basics to beyond
Secure your api from basics to beyondAlexandre Faria
 
Secure your api - from basics to beyond
Secure your api - from basics to beyondSecure your api - from basics to beyond
Secure your api - from basics to beyondAlexandre Faria
 
Gestión de identidad en aplicaciones corporativas web y móvil
Gestión de identidad en aplicaciones corporativas web y móvilGestión de identidad en aplicaciones corporativas web y móvil
Gestión de identidad en aplicaciones corporativas web y móvilIbon Landa
 
Wso2 is integration with .net core
Wso2 is integration with .net coreWso2 is integration with .net core
Wso2 is integration with .net coreIsmaeel Enjreny
 
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET Core
2019 - Nova Code Camp - AuthZ fundamentals with ASP.NET CoreVladimir Bychkov
 
WSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedWSO2 Identity Server - Getting Started
WSO2 Identity Server - Getting StartedIsmaeel Enjreny
 
Creating a Sign On with Open id connect
Creating a Sign On with Open id connectCreating a Sign On with Open id connect
Creating a Sign On with Open id connectDerek Binkley
 
Troshichev i os mitm attack
Troshichev i os mitm attackTroshichev i os mitm attack
Troshichev i os mitm attackDefconRussia
 
Building Apps with MySpace SDKs
Building Apps with MySpace SDKsBuilding Apps with MySpace SDKs
Building Apps with MySpace SDKsMySpaceDevTeam
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Social Single Sign-On with OpenID Connect
Social Single Sign-On with OpenID ConnectSocial Single Sign-On with OpenID Connect
Social Single Sign-On with OpenID ConnectJames Melville
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)Emad Alashi
 
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE
 
OAuth
OAuthOAuth
OAuthVijay Naik
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontOry Segal
 
2011 Annual Release - Open Mobile Alliance
2011 Annual Release - Open Mobile Alliance2011 Annual Release - Open Mobile Alliance
2011 Annual Release - Open Mobile AllianceMusa Unmehopa
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
 
CIS14: PingAccess in Action
CIS14: PingAccess in ActionCIS14: PingAccess in Action
CIS14: PingAccess in ActionCloudIDSummit
 
Box connector
Box connectorBox connector
Box connectorThang Loi
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Open Id, O Auth And Webservices
Open Id, O Auth And WebservicesOpen Id, O Auth And Webservices
Open Id, O Auth And WebservicesMyles Eftos
 
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Álvaro Alonso González
 
safedrop secure communications
safedrop secure communicationssafedrop secure communications
safedrop secure communicationsAngus Bradley
 
Securing APIs with oAuth2
Securing APIs with oAuth2Securing APIs with oAuth2
Securing APIs with oAuth2Michae Blakeney
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenIDSouth Tyrol Free Software Conference
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 
Duo presentation
Duo presentationDuo presentation
Duo presentationRobbie Small
 
Duo security (1)
Duo security (1)Duo security (1)
Duo security (1)Alishah Chator
 

Weitere ähnliche Inhalte

Was ist angesagt?

Troshichev i os mitm attack
Troshichev i os mitm attackTroshichev i os mitm attack
Troshichev i os mitm attackDefconRussia
 
Building Apps with MySpace SDKs
Building Apps with MySpace SDKsBuilding Apps with MySpace SDKs
Building Apps with MySpace SDKsMySpaceDevTeam
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authenticationjeremysbrown
 
Social Single Sign-On with OpenID Connect
Social Single Sign-On with OpenID ConnectSocial Single Sign-On with OpenID Connect
Social Single Sign-On with OpenID ConnectJames Melville
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)Emad Alashi
 
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontOry Segal
 
2011 Annual Release - Open Mobile Alliance
2011 Annual Release - Open Mobile Alliance2011 Annual Release - Open Mobile Alliance
2011 Annual Release - Open Mobile AllianceMusa Unmehopa
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCloudIDSummit
 
CIS14: PingAccess in Action
CIS14: PingAccess in ActionCIS14: PingAccess in Action
CIS14: PingAccess in ActionCloudIDSummit
 
Box connector
Box connectorBox connector
Box connectorThang Loi
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2Sang Shin
 
Open Id, O Auth And Webservices
Open Id, O Auth And WebservicesOpen Id, O Auth And Webservices
Open Id, O Auth And WebservicesMyles Eftos
 
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Álvaro Alonso González
 
safedrop secure communications
safedrop secure communicationssafedrop secure communications
safedrop secure communicationsAngus Bradley
 
Securing APIs with oAuth2
Securing APIs with oAuth2Securing APIs with oAuth2
Securing APIs with oAuth2Michae Blakeney
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2axykim00
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API SecurityTaiseer Joudeh
 

Was ist angesagt? (20)

Troshichev i os mitm attack
Troshichev i os mitm attackTroshichev i os mitm attack
Troshichev i os mitm attack
 
Building Apps with MySpace SDKs
Building Apps with MySpace SDKsBuilding Apps with MySpace SDKs
Building Apps with MySpace SDKs
 
Web API 2 Token Based Authentication
Web API 2 Token Based AuthenticationWeb API 2 Token Based Authentication
Web API 2 Token Based Authentication
 
Social Single Sign-On with OpenID Connect
Social Single Sign-On with OpenID ConnectSocial Single Sign-On with OpenID Connect
Social Single Sign-On with OpenID Connect
 
OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)OAuth in the new .NET world (OWIN)
OAuth in the new .NET world (OWIN)
 
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
FIWARE Tech Summit - Complete Framework for Identity, Access Control and API ...
 
OAuth
OAuthOAuth
OAuth
 
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber BattlefrontVices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
Vices & Devices - How IoT & Insecure APIs Became the New Cyber Battlefront
 
2011 Annual Release - Open Mobile Alliance
2011 Annual Release - Open Mobile Alliance2011 Annual Release - Open Mobile Alliance
2011 Annual Release - Open Mobile Alliance
 
CIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David ChaseCIS 2015 OpenID Connect and Mobile Applications - David Chase
CIS 2015 OpenID Connect and Mobile Applications - David Chase
 
CIS14: PingAccess in Action
CIS14: PingAccess in ActionCIS14: PingAccess in Action
CIS14: PingAccess in Action
 
Box connector
Box connectorBox connector
Box connector
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
Open Id, O Auth And Webservices
Open Id, O Auth And WebservicesOpen Id, O Auth And Webservices
Open Id, O Auth And Webservices
 
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
Keyrock - Lesson 3. Applications. How to create OAuth2 tokens.
 
safedrop secure communications
safedrop secure communicationssafedrop secure communications
safedrop secure communications
 
Securing APIs with oAuth2
Securing APIs with oAuth2Securing APIs with oAuth2
Securing APIs with oAuth2
 
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
SFScon 2020 - Alex Lanz Martin Malfertheiner - OAuth2 OpenID
 
Spring4 security oauth2
Spring4 security oauth2Spring4 security oauth2
Spring4 security oauth2
 
HTTP Services & REST API Security
HTTP Services & REST API SecurityHTTP Services & REST API Security
HTTP Services & REST API Security
 

Andere mochten auch

Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016
Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016
Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016Business of Software Conference
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongDuo Security
 
Plex Systems EECS 441 Company Presentation
Plex Systems EECS 441 Company PresentationPlex Systems EECS 441 Company Presentation
Plex Systems EECS 441 Company Presentationjohntyu
 

Andere mochten auch (6)

Duo presentation
Duo presentationDuo presentation
Duo presentation
 
Duo security (1)
Duo security (1)Duo security (1)
Duo security (1)
 
Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016
Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016
Zack Urlocker, Scaling to a Billion and Beyond, BoS USA 2016
 
Thesis_Furlan
Thesis_FurlanThesis_Furlan
Thesis_Furlan
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication WrongForrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
 
Plex Systems EECS 441 Company Presentation
Plex Systems EECS 441 Company PresentationPlex Systems EECS 441 Company Presentation
Plex Systems EECS 441 Company Presentation
 

Ähnlich wie Clef security architecture

OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootGeert Pante
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsPieter Ennes
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsNETUserGroupBern
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2Pratik Khasnabis
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Aaron Ralls
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthKashif Imran
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET CoreNETUserGroupBern
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonDavid Johansson
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleMayank Sharma
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2Rodrigo Cândido da Silva
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...Vladimir Bychkov
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobilityFabrizio Volpe
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular jsBixlabs
 
Mobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureMobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureForgeRock Identity Tech Talks
 
The WiKID Strong Authentication Systems Overview
The WiKID Strong Authentication Systems OverviewThe WiKID Strong Authentication Systems Overview
The WiKID Strong Authentication Systems OverviewNick Owen
 
Verviam Identity Management as a Service
Verviam Identity Management as a Service Verviam Identity Management as a Service
Verviam Identity Management as a Service Nya
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Kai Hofstetter
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWTJennifer Estrada
 

Ähnlich wie Clef security architecture (20)

OAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring BootOAuth2 and OpenID with Spring Boot
OAuth2 and OpenID with Spring Boot
 
Mobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patternsMobile Authentication - Onboarding, best practices & anti-patterns
Mobile Authentication - Onboarding, best practices & anti-patterns
 
Securing .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applicationsSecuring .NET Core, ASP.NET Core applications
Securing .NET Core, ASP.NET Core applications
 
DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2DDD Melbourne 2014 security in ASP.Net Web API 2
DDD Melbourne 2014 security in ASP.Net Web API 2
 
Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4Authorization and Authentication using IdentityServer4
Authorization and Authentication using IdentityServer4
 
Securing SharePoint Apps with OAuth
Securing SharePoint Apps with OAuthSecuring SharePoint Apps with OAuth
Securing SharePoint Apps with OAuth
 
Application Security in ASP.NET Core
Application Security in ASP.NET CoreApplication Security in ASP.NET Core
Application Security in ASP.NET Core
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
 
GSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 ModuleGSoC Mideterm-OAuth2 Module
GSoC Mideterm-OAuth2 Module
 
ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2ConFoo 2015 - Securing RESTful resources with OAuth2
ConFoo 2015 - Securing RESTful resources with OAuth2
 
Api security
Api security Api security
Api security
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
Skype for business mobility
Skype for business mobilitySkype for business mobility
Skype for business mobility
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Mobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless FutureMobile Authentication - Moving Towards a Passwordless Future
Mobile Authentication - Moving Towards a Passwordless Future
 
The WiKID Strong Authentication Systems Overview
The WiKID Strong Authentication Systems OverviewThe WiKID Strong Authentication Systems Overview
The WiKID Strong Authentication Systems Overview
 
Verviam Identity Management as a Service
Verviam Identity Management as a Service Verviam Identity Management as a Service
Verviam Identity Management as a Service
 
Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0Securing APIs with OAuth 2.0
Securing APIs with OAuth 2.0
 
Two-factor Authentication
Two-factor AuthenticationTwo-factor Authentication
Two-factor Authentication
 
Authenticating Angular Apps with JWT
Authenticating Angular Apps with JWTAuthenticating Angular Apps with JWT
Authenticating Angular Apps with JWT
 

Mehr von jessepollak

Building Trust on the Blockchain: The Importance of Mental Models
Building Trust on the Blockchain: The Importance of Mental ModelsBuilding Trust on the Blockchain: The Importance of Mental Models
Building Trust on the Blockchain: The Importance of Mental Modelsjessepollak
 
Passwords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityPasswords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityjessepollak
 
Passwords the weakest link in word press security
Passwords the weakest link in word press securityPasswords the weakest link in word press security
Passwords the weakest link in word press securityjessepollak
 
Passwords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityPasswords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityjessepollak
 
WordPress Security Update: How we're building the web's most secure platform ...
WordPress Security Update: How we're building the web's most secure platform ...WordPress Security Update: How we're building the web's most secure platform ...
WordPress Security Update: How we're building the web's most secure platform ...jessepollak
 
Cryptography 101 (with math)
Cryptography 101 (with math)Cryptography 101 (with math)
Cryptography 101 (with math)jessepollak
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101jessepollak
 
Passwords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityPasswords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityjessepollak
 
Passwords and Botnets and Zombies (oh my!)
Passwords and Botnets and Zombies (oh my!)Passwords and Botnets and Zombies (oh my!)
Passwords and Botnets and Zombies (oh my!)jessepollak
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hackjessepollak
 

Mehr von jessepollak (10)

Building Trust on the Blockchain: The Importance of Mental Models
Building Trust on the Blockchain: The Importance of Mental ModelsBuilding Trust on the Blockchain: The Importance of Mental Models
Building Trust on the Blockchain: The Importance of Mental Models
 
Passwords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityPasswords: the weakest link in WordPress security
Passwords: the weakest link in WordPress security
 
Passwords the weakest link in word press security
Passwords the weakest link in word press securityPasswords the weakest link in word press security
Passwords the weakest link in word press security
 
Passwords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityPasswords: the weakest link in WordPress security
Passwords: the weakest link in WordPress security
 
WordPress Security Update: How we're building the web's most secure platform ...
WordPress Security Update: How we're building the web's most secure platform ...WordPress Security Update: How we're building the web's most secure platform ...
WordPress Security Update: How we're building the web's most secure platform ...
 
Cryptography 101 (with math)
Cryptography 101 (with math)Cryptography 101 (with math)
Cryptography 101 (with math)
 
Cryptography 101
Cryptography 101Cryptography 101
Cryptography 101
 
Passwords: the weakest link in WordPress security
Passwords: the weakest link in WordPress securityPasswords: the weakest link in WordPress security
Passwords: the weakest link in WordPress security
 
Passwords and Botnets and Zombies (oh my!)
Passwords and Botnets and Zombies (oh my!)Passwords and Botnets and Zombies (oh my!)
Passwords and Botnets and Zombies (oh my!)
 
Anatomy of a WordPress Hack
Anatomy of a WordPress HackAnatomy of a WordPress Hack
Anatomy of a WordPress Hack
 

Kürzlich hochgeladen

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...gurkirankumar98700
 

Kürzlich hochgeladen (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
Kalyanpur ) Call Girls in Lucknow Finest Escorts Service 🍸 8923113531 🎰 Avail...
 

Clef security architecture

  • 2. OVERVIEW Logging in with Clef 1. Unique id sent to browser and displayed as wave 2. Phone’s camera used to scan wave and transfer id 3. Private key on phone used to generate signature with id and timestamp- sent to Clef Server 4. Signature verified and OAuth Code sent to browser 5. Redirect in browser sends OAuth Code to Site Server 6. OAuth Handshake between Clef Server and Site Server 7. User info sent to Site Server 8. User is logged in to site
  • 4. Registration on the Phone • User downloads app • Email address confirmed, PIN set up • 2048-bit RSA key pair generated on phone • Public key sent to server and stored • Private key encrypted on device • for iOS—KeychainServices for hardware encryption • for Android—PIN-based encryption (PKCS#5)
  • 5. Registering a New Site • Developer creates account at developer.getclef.com • Developer receives App ID and App Secret • <script> tag with App ID embedded in login form • Standard code to handle OAuth 2.0 Handshake
  • 7. Generating the Clef Wave • <script> creates “Log in with Clef” button • On user click, loads iframe from Clef Server • iframe requests unique id (Session Key) • Session Key is stored as a signed cookie • displayed as animated barcode, the Clef Wave
  • 8. Scanning the Clef Wave • User opens Clef App on their smartphone • Enters PIN to unlock the app • On-screen guide instructs user to sync Clef Wave • Phone’s camera reads Session Key from Clef Wave
  • 9. Verifying the Signature • Signature is generated with Session Key, user id, and current timestamp • Signature is sent to Clef Server over TLS/SSL • Clef Server verifies signature using stored public key • Timestamp is checked for recency to prevent replay attacks
  • 10. OAuth 2.0 Handshake ! • Clef server generates OAuth code and pushes to browser using WebSockets • Browser redirects to site’s specified redirect URL with OAuth code to initiate OAuth 2.0 handshake • Site Server sends OAuth code, App ID, App Secret to Clef Server for verification • Clef Server returns OAuth token • Site Server exchanges OAuth token for user information
  • 11. Finishing the Login • Site receives user information from Clef Server, including site-specific identifier (clef_id) • Site looks up user in database with clef_id • Site sets a cookie to manage user’s session • User is redirected to logged-in page
  • 13. Single Sign Off • Site specifies a logout webhook URL on developer.getclef.com • User taps “log out” on phone (or logout timer expires), signed logout request sent to Clef Server • Clef server notifies each site of the logout via their webhook URL
  • 14. Database Logout • Site stores login timestamp as part of session • When webhook is triggered, site stores time of logout in database • On page request, site compares both timestamps to determine whether user has logged out
  • 16. Deactivating a Lost Device • A phone can be reported lost or stolen on getclef.com/lost • Notifications are sent through available channels alerting user of attempted deactivation • 24 hour wait period before deactivation, can be skipped by verifying through email • Public key is wiped from Clef Server after wait period or verification
  • 17. After Deactivation • Temporary passcode is granted after deactivation • Passcode can be used to log in at getclef.com • Because of single sign on, allows access to all connected services
  • 18. Reactivation • User reconfirms email address and PIN • RSA key pair is generated on new device • New public key is associated with old account
  • 20. Smartphone Requirements • Android or iOS device with camera • Android minimum SDK version: 2.3 • iOS minimum SDK version: 5.0 • Device must be networked
  • 21. Verification Server Requirements • Able to run Python code, SQL database server • Network-accessible from smartphones and consoles
  • 22. Console Requirements • Visual display for Clef Wave • Networked with access to Verification Server • Ability to look up users and store timestamps (for logout)
  • 23. USING CLEF ON AN INTRANET
  • 24. Replacing OAuth 2.0 • If within a completely trusted environment, no need to do any handshake • Otherwise, can replace OAuth 2.0 with asymmetric cryptography between Verification Server and Consoles
  • 25. Networking Devices • Both phone and console must be able to communicate with Verification Server • No dependency on Internet
  • 26. White-labeled App • Clef functionality wrapped in client app • Configured to work only within intranet • BYOD compatible • Available for iOS and Android devices
  • 28. Device Fingerprinting • Prevents device spoofing • Hardware IDs • Geolocation • OS-level IDs • Hardware clock-skew • Device type and configuration
  • 29. Geofencing • Logins will be happening within a small geofence • Using device location can prevent external attacks • Force logout when user leaves fence
  • 30. Automatic Logouts • As users move from console to console, they must log out each time • Use geolocation, Bluetooth, or NFC to make this automatic • Reduce vulnerability through carelessness