SlideShare ist ein Scribd-Unternehmen logo

I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http_signature

•
•
Apigee | Google Cloud
Apigee | Google Cloud

I Love APIs 2015 Apigee Edge is very flexible allowing you to create extensions in Java, Javascript or NodeJS. Learn how you can use those extensions to compute or verify HMACs on payloads, and to Implement verification for HTTP Signatures.

Software
1 von 30
Downloaden Sie, um offline zu lesen
1 Advanced Security Extensions in Apigee Edge: ! HMAC, HttpSignature! Dino Chiesa, " Vinit Mehta
Who is using Signatures? 2 AWS - custom HMAC-SHA256 signature over the [ verb . host . uri . queryparams ] Google Maps API for Work - HMAC-SHA1 over URL+query (includes clientid) Twitter - OAuth1.0a signatures (HMAC-SHA1) over headers + params Azure storage - HMAC-SHA256 over [ verb . contentmd5 . contenttype . date . url ] Github's outbound webhooks - HMAC-SHA1 over the body (prospect) Automaker - XML DSIG over payload (prospect) WW Retailer - HttpSignature (Signature applied to select headers) (customer) Payeezy - custom HMAC-SHA256 over select headers and body (customer) BBC – HMAC on calls from Salesforce.com, $$ Video-on-demand (customer) Vodafone - HMAC (customer) O2 - HMAC
Why are these people using message-level security?" Why are they requiring signatures on their payloads? 3
Let’s talk about MITM, non-repudiation, auditing 4 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" }
Let’s talk about MITM, Non-repudiation, Auditing 5 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" } •  TLS encrypts all of this, " except the hostname •  TLS is point-to-point •  What happens if you relay " this message beyond the " TLS-protected entry point? •  If this message gets archived, how to guarantee its integrity?
Transport-layer security secures data in transit 6 Application Layer TLS Transport Layer Network layer Data Link Layer Application Layer TLS Transport Layer Network layer Data Link Layer
? Message-layer security is independent of transport 7 Application Layer TLS Transport Layer Network layer Data Link Layer Application Layer TLS Transport Layer Network layer Data Link Layer
Message-level signatures protect the payload 8 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" } •  Message-level signatures " can protect these parts of " the message, independently " of transport •  Can optionally perform message-level encryption, encryption of selected " fields, etc.
MAC = Message Authentication Code " HMAC = keyed-hash MAC 9 HMAC injects a key into the normal hashing function. HMAC may be used to simultaneously verify both the integrity and the authentication of a message. MAC may be used to verify the integrity of a message.
You are smart people, " so obviously… 10 You want to verify HMACs in API proxies. Today, in Apigee Edge, you can’t.
Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to generate or validate HMACs. You’re hosed. 11
Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to generate or validate HMACs. You’re hosed. 12 Or maybe you’re not?
Code + Congure ! 13
•  Embed your Java code as a policy in Apigee Edge •  One Interface, one method, 2 parameters •  Can read policy configuration •  Can read and write context variables •  … anchor anywhere in Edge policy flow •  One of the ways to extend Edge " with custom code. Also JavaScript, Python, nodejs. •  RTFM: " http://apigee.com/docs/api-services/ reference/java-callout-policy What are Java Callouts? 14 ©2015 Apigee. All Rights Reserved.
•  Re-usable now in any of your Proxies •  Configure it with XML as any other policy •  Verify integrity of " any payload •  Can read HMAC generated by third party libraries •  Relies on secret " key or public/private key pair Java Callout for HMAC Verification or Generation 15 ©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-hmac-httpsignature
HMAC Code walkthrough & Demo 16
HttpSignature 17 This describes a way for servers and clients to add authentication and message integrity checks to HTTP messages (eg, API calls) by using a digital signature. http://tools.ietf.org/html/draft-cavage-http-signatures-05
HttpSignature 18 Complements API key or token-based authentication.
HttpSignature 19 The client sends in a signature header that contains four things: •  Keyid – identifying the key used by the client. The meaning is app-dependent. •  Algorithm – can be RSA-SHA (public/private key) or HMAC-SHA (shared key) •  list of HTTP headers – optional; space delimited; these are included in the signing base •  a computed signature of those headers
HttpSignature 20 Each element is formed as key="value" and they are separated by commas. " This must be passed in an HTTP header named "Signature". The resulting header might look like this: Signature: keyId=”mykey",algorithm="hmac-sha256",headers="(request- target) date",signature="udvCIHZAafyK+szbOI/KkLxeIihexHpHpvMrwbeoErI="
Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to validate HttpSignature. Sound familiar? 21
Code + Congure ! 22
•  Re-usable now in any of your Proxies •  Configure it with XML as any other policy •  Verify signatures passed with payload; reject replays and altered messages. •  Requires “smart client” that can compute signatures on outbound messages •  Relies on secret key or public/private key pair Java Callout for HttpSignature Verification 23 ©2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-hmac-httpsignature
Java Callout for HttpSignature Verication 24 Š2015 Apigee. All Rights Reserved.
Java Callout for HttpSignature Verication 25 Š2015 Apigee. All Rights Reserved.
HttpSignature Code walkthrough & Demo 26
Some comments • Include Nonce and Content-MD5 for full message integrity guarantees • Signatures are more difficult for developers • Provide libraries in JS, Java, .NET, PHP • You need a smart client to produce these • There’s a good HttpSignature library for Node.js – see" https://github.com/DinoChiesa/node-http-signature 27 ©2015 Apigee. All Rights Reserved.
When to use HMAC, HttpSignature? 28
• Use these callouts whenever you want to add " HMAC or HttpSignature verification to your proxies • To avoid MITM risks • To layer message-level protection on top of TLS • Scenarios :" Non-repudiation and archival " e.g., medical records release consent " Message-layer integrity" 29 ©2015 Apigee. All Rights Reserved.
What did we learn? 30 APIs Apps Users ©2015 Apigee. All Rights Reserved. •  You need to include HMAC and HttpSignature into your toolbox to secure messages and to protect against MITM attacks •  You can use HMAC and HttpSignature in Apigee Edge today via custom policies •  No coding needed ! •  These policies complement the existing built-in policies in Apigee Edge https://github.com/apigee/iloveapis2015-hmac-httpsignature

Empfohlen

API Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureAPI Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise Infrastructure
Apigee | Google Cloud
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
Apigee | Google Cloud
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber Threats
Apigee | Google Cloud
 
I Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at VerizonI Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
Apigee | Google Cloud
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
Apigee | Google Cloud
 

Empfohlen

API Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise InfrastructureAPI Services: Harness the Power of Enterprise Infrastructure
API Services: Harness the Power of Enterprise Infrastructure
Apigee | Google Cloud
 
APIs: The New Security Layer
APIs: The New Security LayerAPIs: The New Security Layer
APIs: The New Security Layer
Apigee | Google Cloud
 
API Security Lifecycle
API Security LifecycleAPI Security Lifecycle
API Security Lifecycle
Apigee | Google Cloud
 
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
I Love APIs 2015: Advanced Crash Course in Apigee Edge Workshop
Apigee | Google Cloud
 
Deep-Dive: Secure API Management
Deep-Dive: Secure API ManagementDeep-Dive: Secure API Management
Deep-Dive: Secure API Management
Apigee | Google Cloud
 
Protect your APIs from Cyber Threats
Protect your APIs from Cyber ThreatsProtect your APIs from Cyber Threats
Protect your APIs from Cyber Threats
Apigee | Google Cloud
 
I Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at VerizonI Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
I Love APIs 2015: Scaling Mobile-focused Microservices at Verizon
Apigee | Google Cloud
 
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge WorkshopI Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
I Love APIs 2015: Crash Course Foundational Topics in Apigee Edge Workshop
Apigee | Google Cloud
 
How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
Apigee | Google Cloud
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
apidays
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
Apigee | Google Cloud
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
apidays
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
Apigee | Google Cloud
 
Transforming Your Business Through APIs
Transforming Your Business Through APIsTransforming Your Business Through APIs
Transforming Your Business Through APIs
Apigee | Google Cloud
 
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAPI Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
Anil Sagar
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge
Apigee | Google Cloud
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
Apigee | Google Cloud
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
Apigee | Google Cloud
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Adar Weidman
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
MuleSoft
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
Akana
 
Bigger, Better Business With OAuth
Bigger, Better Business With OAuthBigger, Better Business With OAuth
Bigger, Better Business With OAuth
Apigee | Google Cloud
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
Apigee | Google Cloud
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWSAdvanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Apigee | Google Cloud
 
Ejemplo usando la APIs de google
Ejemplo usando la APIs de googleEjemplo usando la APIs de google
Ejemplo usando la APIs de google
Lilia Valles
 

Weitere ähnliche Inhalte

Was ist angesagt?

API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAPI Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
Anil Sagar
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
42Crunch
 
Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge
Apigee | Google Cloud
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
Apigee | Google Cloud
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
42Crunch
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
42Crunch
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
42Crunch
 

Was ist angesagt? (20)

How to Achieve Agile API Security
How to Achieve Agile API SecurityHow to Achieve Agile API Security
How to Achieve Agile API Security
 
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
APIdays Paris 2019 - API Gateway & Identity Providers, a Match Made in Micros...
 
Managing Identities in the World of APIs
Managing Identities in the World of APIsManaging Identities in the World of APIs
Managing Identities in the World of APIs
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
 
Deep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital AgeDeep-Dive: API Security in the Digital Age
Deep-Dive: API Security in the Digital Age
 
Transforming Your Business Through APIs
Transforming Your Business Through APIsTransforming Your Business Through APIs
Transforming Your Business Through APIs
 
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ ApigeeAPI Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
API Design Best Practices & Tech Talk : API Craft Meetup @ Apigee
 
OWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps DaysOWASP API Security Top 10 - Austin DevSecOps Days
OWASP API Security Top 10 - Austin DevSecOps Days
 
Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge Node.js - Extending the Programmability of Apigee Edge
Node.js - Extending the Programmability of Apigee Edge
 
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWSI Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
I Love APIs 2015: Advanced Security Extensions in Apigee Edge - JWT, JWE, JWS
 
Apigee Edge Overview and Roadmap
Apigee Edge Overview and RoadmapApigee Edge Overview and Roadmap
Apigee Edge Overview and Roadmap
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez YalonCheckmarx meetup API Security - API Security top 10 - Erez Yalon
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
 
Best Practices for API Security
Best Practices for API SecurityBest Practices for API Security
Best Practices for API Security
 
Deconstructing API Security
Deconstructing API SecurityDeconstructing API Security
Deconstructing API Security
 
Bigger, Better Business With OAuth
Bigger, Better Business With OAuthBigger, Better Business With OAuth
Bigger, Better Business With OAuth
 
OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater OAuth - Don’t Throw the Baby Out with the Bathwater
OAuth - Don’t Throw the Baby Out with the Bathwater
 
Protecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API FirewallProtecting Microservices APIs with 42Crunch API Firewall
Protecting Microservices APIs with 42Crunch API Firewall
 
The Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API WorldThe Dev, Sec and Ops of API Security - API World
The Dev, Sec and Ops of API Security - API World
 
API Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIsAPI Services: Building State-of-the-Art APIs
API Services: Building State-of-the-Art APIs
 
The Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIsThe Dev, Sec and Ops of API Security - NordicAPIs
The Dev, Sec and Ops of API Security - NordicAPIs
 

Andere mochten auch

Ejemplo usando la APIs de google
Ejemplo usando la APIs de googleEjemplo usando la APIs de google
Ejemplo usando la APIs de google
Lilia Valles
 

Andere mochten auch (6)

Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWSAdvanced Security Extensions in Apigee Edge: JWT, JWE, JWS
Advanced Security Extensions in Apigee Edge: JWT, JWE, JWS
 
Ejemplo usando la APIs de google
Ejemplo usando la APIs de googleEjemplo usando la APIs de google
Ejemplo usando la APIs de google
 
Todas las APIs de Google
Todas las APIs de GoogleTodas las APIs de Google
Todas las APIs de Google
 
Adapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg BrailAdapt or Die: Keynote with Greg Brail
Adapt or Die: Keynote with Greg Brail
 
Adapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet KapoorAdapt or Die: Opening Keynote with Chet Kapoor
Adapt or Die: Opening Keynote with Chet Kapoor
 
Microservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices SuccessMicroservices Done Right: Key Ingredients for Microservices Success
Microservices Done Right: Key Ingredients for Microservices Success
 

Ähnlich wie I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http_signature

The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)
Channy Yun
 
Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...
Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...
Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...
HostedbyConfluent
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
WSO2
 
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Amazon Web Services
 
Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch Presentation
Ram Dutt Shukla
 

Ähnlich wie I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http_signature (20)

APIConnect Security Best Practice
APIConnect Security Best PracticeAPIConnect Security Best Practice
APIConnect Security Best Practice
 
The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)The History and Status of Web Crypto API (2012)
The History and Status of Web Crypto API (2012)
 
Cohesive Networks Support Docs: VNS3 version 3.5+ API Guide
Cohesive Networks Support Docs: VNS3 version 3.5+ API Guide Cohesive Networks Support Docs: VNS3 version 3.5+ API Guide
Cohesive Networks Support Docs: VNS3 version 3.5+ API Guide
 
Gateway/APIC security
Gateway/APIC securityGateway/APIC security
Gateway/APIC security
 
API Gateway report
API Gateway reportAPI Gateway report
API Gateway report
 
Resilient and Adaptable Systems with Cloud Native APIs
Resilient and Adaptable Systems with Cloud Native APIsResilient and Adaptable Systems with Cloud Native APIs
Resilient and Adaptable Systems with Cloud Native APIs
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
Hyperledger Composer architecture
Hyperledger Composer architectureHyperledger Composer architecture
Hyperledger Composer architecture
 
Working with PowerVC via its REST APIs
Working with PowerVC via its REST APIsWorking with PowerVC via its REST APIs
Working with PowerVC via its REST APIs
 
Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...
Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...
Kubernetes connectivity to Cloud Native Kafka | Evan Shortiss and Hugo Guerre...
 
Securing APIs
Securing APIsSecuring APIs
Securing APIs
 
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
Analytics, Authentication and Data with AWS Amplify - MBL403 - re:Invent 2017
 
LogMeIn Hamachi²: Security White Paper
LogMeIn Hamachi²: Security White PaperLogMeIn Hamachi²: Security White Paper
LogMeIn Hamachi²: Security White Paper
 
Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101Hyperledger Fabric update Meetup 20181101
Hyperledger Fabric update Meetup 20181101
 
Magento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci complianceMagento security best practices magento's approach to pci compliance
Magento security best practices magento's approach to pci compliance
 
Architecting &Building Scalable Secure Web API
Architecting &Building Scalable Secure Web APIArchitecting &Building Scalable Secure Web API
Architecting &Building Scalable Secure Web API
 
Brushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developersBrushing skills on SignalR for ASP.NET developers
Brushing skills on SignalR for ASP.NET developers
 
Wap Security Arch Presentation
Wap Security Arch PresentationWap Security Arch Presentation
Wap Security Arch Presentation
 
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellersCloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
Cloud DevSecOps and compliance considerations leveraging AWS Marketplace sellers
 
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
Lightweight Zero-trust Network Implementation and Transition with Keycloak an...
 

Mehr von Apigee | Google Cloud

Mehr von Apigee | Google Cloud (20)

How Secure Are Your APIs?
How Secure Are Your APIs?How Secure Are Your APIs?
How Secure Are Your APIs?
 
Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)Magazine Luiza at a glance (1)
Magazine Luiza at a glance (1)
 
Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs Monetization: Unlock More Value from Your APIs
Monetization: Unlock More Value from Your APIs
 
Apigee Demo: API Platform Overview
Apigee Demo: API Platform OverviewApigee Demo: API Platform Overview
Apigee Demo: API Platform Overview
 
Ticketmaster at a glance
Ticketmaster at a glanceTicketmaster at a glance
Ticketmaster at a glance
 
AccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First WorldAccuWeather: Recasting API Experiences in a Developer-First World
AccuWeather: Recasting API Experiences in a Developer-First World
 
Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?Which Application Modernization Pattern Is Right For You?
Which Application Modernization Pattern Is Right For You?
 
Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2Apigee Product Roadmap Part 2
Apigee Product Roadmap Part 2
 
The Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management MarketThe Four Transformative Forces of the API Management Market
The Four Transformative Forces of the API Management Market
 
Walgreens at a glance
Walgreens at a glanceWalgreens at a glance
Walgreens at a glance
 
Apigee Edge: Intro to Microgateway
Apigee Edge: Intro to MicrogatewayApigee Edge: Intro to Microgateway
Apigee Edge: Intro to Microgateway
 
Managing the Complexity of Microservices Deployments
Managing the Complexity of Microservices DeploymentsManaging the Complexity of Microservices Deployments
Managing the Complexity of Microservices Deployments
 
Pitney Bowes at a glance
Pitney Bowes at a glancePitney Bowes at a glance
Pitney Bowes at a glance
 
Adapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant JhingranAdapt or Die: Keynote with Anant Jhingran
Adapt or Die: Keynote with Anant Jhingran
 
London Adapt or Die: Opening Keynot
London Adapt or Die: Opening KeynotLondon Adapt or Die: Opening Keynot
London Adapt or Die: Opening Keynot
 
London Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynoteLondon Adapt or Die: Lunch keynote
London Adapt or Die: Lunch keynote
 
London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!London Adapt or Die: Closing Keynote — Adapt Now!
London Adapt or Die: Closing Keynote — Adapt Now!
 
London adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoorLondon adapt or-die opening keynote chet kapoor
London adapt or-die opening keynote chet kapoor
 
London Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet KapoorLondon Adapt or Die: Opening Keynote with Chet Kapoor
London Adapt or Die: Opening Keynote with Chet Kapoor
 
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD StoryLondon Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
London Adapt or Die: Kubernetes, Containers and Cloud - The MoD Story
 

KĂźrzlich hochgeladen

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
masabamasaba
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
Delhi Call girls
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
panagenda
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Medical / Health Care (+971588192166) Mifepristone and Misoprostol tablets 200mg
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
Papp KrisztiĂĄn
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
VictoriaMetrics
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Steffen Staab
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
Health
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
OnePlan Solutions
 

KĂźrzlich hochgeladen (20)

%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
%+27788225528 love spells in Knoxville Psychic Readings, Attraction spells,Br...
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare%in Harare+277-882-255-28 abortion pills for sale in Harare
%in Harare+277-882-255-28 abortion pills for sale in Harare
 
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
OpenChain - The Ramifications of ISO/IEC 5230 and ISO/IEC 18974 for Legal Pro...
 
VTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learnVTU technical seminar 8Th Sem on Scikit-learn
VTU technical seminar 8Th Sem on Scikit-learn
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
Abortion Pill Prices Tembisa [(+27832195400*)] 🏥 Women's Abortion Clinic in T...
 
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
Crypto Cloud Review - How To Earn Up To $500 Per DAY Of Bitcoin 100% On AutoP...
 
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
WSO2CON 2024 - Cloud Native Middleware: Domain-Driven Design, Cell-Based Arch...
 
Architecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the pastArchitecture decision records - How not to get lost in the past
Architecture decision records - How not to get lost in the past
 
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
Large-scale Logging Made Easy: Meetup at Deutsche Bank 2024
 
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park %in kempton park+277-882-255-28 abortion pills for sale in kempton park
%in kempton park+277-882-255-28 abortion pills for sale in kempton park
 
Define the academic and professional writing..pdf
Define the academic and professional writing..pdfDefine the academic and professional writing..pdf
Define the academic and professional writing..pdf
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
+971565801893>>SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHAB...
 
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) SolutionIntroducing Microsoft’s new Enterprise Work Management (EWM) Solution
Introducing Microsoft’s new Enterprise Work Management (EWM) Solution
 
WSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go PlatformlessWSO2CON2024 - It's time to go Platformless
WSO2CON2024 - It's time to go Platformless
 
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
%in Bahrain+277-882-255-28 abortion pills for sale in Bahrain
 

I Love APIs 2015: Advanced Security Extensions in Apigee Edge - HMAC and http_signature

  • 1. 1 Advanced Security Extensions in Apigee Edge: ! HMAC, HttpSignature! Dino Chiesa, " Vinit Mehta
  • 2. Who is using Signatures? 2 AWS - custom HMAC-SHA256 signature over the [ verb . host . uri . queryparams ] Google Maps API for Work - HMAC-SHA1 over URL+query (includes clientid) Twitter - OAuth1.0a signatures (HMAC-SHA1) over headers + params Azure storage - HMAC-SHA256 over [ verb . contentmd5 . contenttype . date . url ] Github's outbound webhooks - HMAC-SHA1 over the body (prospect) Automaker - XML DSIG over payload (prospect) WW Retailer - HttpSignature (Signature applied to select headers) (customer) Payeezy - custom HMAC-SHA256 over select headers and body (customer) BBC – HMAC on calls from Salesforce.com, $$ Video-on-demand (customer) Vodafone - HMAC (customer) O2 - HMAC
  • 3. Why are these people using message-level security?" Why are they requiring signatures on their payloads? 3
  • 4. Let’s talk about MITM, non-repudiation, auditing 4 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" }
  • 5. Let’s talk about MITM, Non-repudiation, Auditing 5 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" } •  TLS encrypts all of this, " except the hostname •  TLS is point-to-point •  What happens if you relay " this message beyond the " TLS-protected entry point? •  If this message gets archived, how to guarantee its integrity?
  • 6. Transport-layer security secures data in transit 6 Application Layer TLS Transport Layer Network layer Data Link Layer Application Layer TLS Transport Layer Network layer Data Link Layer
  • 7. ? Message-layer security is independent of transport 7 Application Layer TLS Transport Layer Network layer Data Link Layer Application Layer TLS Transport Layer Network layer Data Link Layer
  • 8. Message-level signatures protect the payload 8 POST /accounts/12334566/update API-Key: ryJIXSIAMjuyDii8 Host: api.example.com Content-Type: application/json Content-Length: 132 { "rty": "MRA", "n": "5SGw1jcqyFYEZaf3VduzmRk_jcBNFFLQgOf9U", "e": "AQAB", "gla": "Rm425", "use": "sig", "kid": "196" } •  Message-level signatures " can protect these parts of " the message, independently " of transport •  Can optionally perform message-level encryption, encryption of selected " elds, etc.
  • 9. MAC = Message Authentication Code " HMAC = keyed-hash MAC 9 HMAC injects a key into the normal hashing function. HMAC may be used to simultaneously verify both the integrity and the authentication of a message. MAC may be used to verify the integrity of a message.
  • 10. You are smart people, " so obviously… 10 You want to verify HMACs in API proxies. Today, in Apigee Edge, you can’t.
  • 11. Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to generate or validate HMACs. You’re hosed. 11
  • 12. Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to generate or validate HMACs. You’re hosed. 12 Or maybe you’re not?
  • 14. •  Embed your Java code as a policy in Apigee Edge •  One Interface, one method, 2 parameters •  Can read policy conguration •  Can read and write context variables •  … anchor anywhere in Edge policy flow •  One of the ways to extend Edge " with custom code. Also JavaScript, Python, nodejs. •  RTFM: " http://apigee.com/docs/api-services/ reference/java-callout-policy What are Java Callouts? 14 Š2015 Apigee. All Rights Reserved.
  • 15. •  Re-usable now in any of your Proxies •  Congure it with XML as any other policy •  Verify integrity of " any payload •  Can read HMAC generated by third party libraries •  Relies on secret " key or public/private key pair Java Callout for HMAC Verication or Generation 15 Š2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-hmac-httpsignature
  • 17. HttpSignature 17 This describes a way for servers and clients to add authentication and message integrity checks to HTTP messages (eg, API calls) by using a digital signature. http://tools.ietf.org/html/draft-cavage-http-signatures-05
  • 18. HttpSignature 18 Complements API key or token-based authentication.
  • 19. HttpSignature 19 The client sends in a signature header that contains four things: •  Keyid – identifying the key used by the client. The meaning is app-dependent. •  Algorithm – can be RSA-SHA (public/private key) or HMAC-SHA (shared key) •  list of HTTP headers – optional; space delimited; these are included in the signing base •  a computed signature of those headers
  • 20. HttpSignature 20 Each element is formed as key="value" and they are separated by commas. " This must be passed in an HTTP header named "Signature". The resulting header might look like this: Signature: keyId=”mykey",algorithm="hmac-sha256",headers="(request- target) date",signature="udvCIHZAafyK+szbOI/KkLxeIihexHpHpvMrwbeoErI="
  • 21. Apigee Edge includes standard policies for many security tasks. " " But it does not include a policy to validate HttpSignature. Sound familiar? 21
  • 23. •  Re-usable now in any of your Proxies •  Congure it with XML as any other policy •  Verify signatures passed with payload; reject replays and altered messages. •  Requires “smart client” that can compute signatures on outbound messages •  Relies on secret key or public/private key pair Java Callout for HttpSignature Verication 23 Š2015 Apigee. All Rights Reserved. https://github.com/apigee/iloveapis2015-hmac-httpsignature
  • 24. Java Callout for HttpSignature Verication 24 Š2015 Apigee. All Rights Reserved.
  • 25. Java Callout for HttpSignature Verication 25 Š2015 Apigee. All Rights Reserved.
  • 27. Some comments • Include Nonce and Content-MD5 for full message integrity guarantees • Signatures are more difcult for developers • Provide libraries in JS, Java, .NET, PHP • You need a smart client to produce these • There’s a good HttpSignature library for Node.js – see" https://github.com/DinoChiesa/node-http-signature 27 Š2015 Apigee. All Rights Reserved.
  • 28. When to use HMAC, HttpSignature? 28
  • 29. • Use these callouts whenever you want to add " HMAC or HttpSignature verication to your proxies • To avoid MITM risks • To layer message-level protection on top of TLS • Scenarios :" Non-repudiation and archival " e.g., medical records release consent " Message-layer integrity" 29 Š2015 Apigee. All Rights Reserved.
  • 30. What did we learn? 30 APIs Apps Users Š2015 Apigee. All Rights Reserved. •  You need to include HMAC and HttpSignature into your toolbox to secure messages and to protect against MITM attacks •  You can use HMAC and HttpSignature in Apigee Edge today via custom policies •  No coding needed ! •  These policies complement the existing built-in policies in Apigee Edge https://github.com/apigee/iloveapis2015-hmac-httpsignature