Ignite Talk: I AM a robot, how do I log in?
•Download as PPTX, PDF•
1 like•269 views
SpringOne Platform 2016 Speaker: Jayson Delancy
Recommended
Recommended
More Related Content
What's hot
Similar to Ignite Talk: I AM a robot, how do I log in?
Similar to Ignite Talk: I AM a robot, how do I log in? (20)
More from VMware Tanzu
More from VMware Tanzu (20)
Recently uploaded
Recently uploaded (20)
Ignite Talk: I AM a robot, how do I log in?
- 2. Jayson Delancey I am a robot, how do I login
- 5. UAA User Account and Authentication Server
- 6. SSO OAuth2
- 9. • Headless • Exposed • Accessible • Sensitive data • Sensitive Hardware
- 10. draft-ietf-oauth-jwt-bearer This specification defines the use of a JSON Web Token (JWT) Bearer Token as a means for requesting an OAuth 2.0 access token as well as for use as a means of client authentication.
- 12. Header { "alg":"RS256" } Payload { "iss": <clientID> "sub": <device ID> "aud": <uaa> "exp": <expiration time of this token> "tenant_id": <tenant_id> } Signature SHA256withRSA( <base64(Header)>.<base64(Payload)>, <private key> )
- 13. • Certificate-Signing Request • Certificate Authority • Signature
- 14. • Device name • Device serial no. • Shared secret
- 15. Hardware Security Module (HSM)
- 16. • MAC address • Device UUID • Tenant ID
- 18. Bearer Token Access Token
- 19. 401 Unauthorized
- 20. UAA + JWT
- 21. Sense, Plan, Act
- 22. Robots are users too. https://github.com/GESoftware-CF/uaa jwt_grant_3.4.0 branch
Editor's Notes
- If you’ve used reCAPTCHA you’ve had to check “I’m not a robot”, but what if you were a robot or other industrial machine how would you log in?
- Authentication is the effort of proving you are who you say you are. For most users this works by providing an email address and a password. It is a combination that only you should know. For robots however, this isn’t as straightforward.
- Multi-tenant identity management that is part of the Cloud Foundry multi-cloud platform
- Stop the flow of unwanted users but more importantly for oauth2, issues tokens for client applications to act on behalf of users, and authenticate using credentials, etc.
- Private Key Infrastructure -- Private key is kept secret, public key is shared with everybody
- That’s all well and good for human users, but a different story for devices Devices have data recovery which makes it hard to guess or hard to recover
- Additionally, trouble in industrial cases is that devices are headless, exposed, accessible, control sensitive data and hardware
- Implementation and Architecture Details OAuth2 JWT Bearer Tokens - This specification proposes a way to pass the certificate and identity by constructing a JWT token. It will carry the client information.
- Authorization header bearer
- It’s hard to be hardware, so what’s a good robot to do. Alg = algorithm for digital signature Iss = client issuer Subject = device key Aud = audience, in our case uaa expiration
- Certificate-based Enrollment also important as providing a signature or proof of trust by an authority
- Step 1: Adding devices… Embedded software tied to a cloud environment can use device name, serial number, and a shared secret key that is cryptographically random and of sufficient strength
- Device requirements for managing digital keys, strong authentication, cryptoprocessing, and contacting CA
- CSR; tenantID; device UUID; MAC address
- A number of things can go wrong resulting in Unauthorized access
- UAA and JWT can work together to help robots; of course, robots are stand-ins for devices
- Definition of robot I like is a goal oriented machine that can sense, plan, and act
- Thanks: Dario, Jiaqi, Sanjeev, Calvin, Sam, Owen