This document discusses cryptography and security in Adobe Experience Manager (AEM). It introduces the presenters Damien Antipa and Antonio Sanso and defines cryptography. It then discusses encryption, integrity protection, and different cryptographic techniques like AES, RSA, HMAC, and JSON Web Tokens. The document also covers use cases for AEM like encapsulating tokens and preventing CSRF attacks. It explains how CSRF protection works transparently in AEM using JSON Web Tokens signed with an HMAC key to ensure integrity and allow caching.
So, you wanna crypto (in AEM) - Cryptography and security in AEM
1. So, you wanna crypto (in AEM)
Damien Antipa (@visiongeist)
Antonio Sanso (@asanso)
Adobe Research Switzerland
2. Who are these guys BTW
Damien Antipa
Senior UX Engineer Adobe Research Switzerland
3. Who are these guys BTW
Antonio Sanso
Software Engineer Adobe Research Switzerland
Committer and PMC Member for Apache Sling
VP (Chair) for Apache Oltu (OAuth Protocol Implementation in Java)
Internet Bug Bounty, Google Security Hall of Fame, Facebook Security
Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll
19. CSRF – How does the attack work?
POST http://bank.com/transfer.do HTTP/1.1
acct=BOB&amount=100
The Attack (Mallory's page)
<form action="http://bank.com/transfer.do" method="POST">
<input type="hidden" name="acct" value="ANTONIO"/>
<input type="hidden" name="amount" value="100000"/>
<input type="submit" value="Show pictures"/>
</form>
Browsers attach the user's cookies to requests made to any other origin, so the bank sees an authenticated transfer
20. CSRF – AEM <= 6.0 Protection
Apache Sling Referrer Filter
Whitelist of allowed Referer values for POST/PUT/DELETE operations
Q. IS IT SAFE ? A. YES
22. CSRF – Token (Classic solution)
- Include a hidden form field
<form action="http://bank.com/transfer.do" method="POST">
...
<input type="hidden" name="csrfToken" value="ewqakjdsa"/>
</form>
- Store the token server side in a database
- Check that the submitted token matches the stored one
- Not cacheable! (every page carries a per-session token)
- Not scalable! (server-side state per session)
23. Goals of the CSRF implementation
- Easy to use
- Transparent to application code
- No dependencies
- Auto refresh
- Available on author and publish
- No leakage to other domain
- Browser support: IE8+
- Scalable and Cacheable
- No sticky sessions
- No HTTP Sessions
24. How to use it in a project
If you are building an admin UI based on Granite, you need to do:
NOTHING - we include it for you
If you are building an independent or public-facing login, you need to:
add the granite.csrf.standalone client library
In both scenarios your JavaScript code does NOT need to do
anything or be aware of the CSRF token.
25. Ensure Integrity and Caching
- Use JSON Web Token
- Sign using system HMAC key
- Validate the token using standard JWT validation
- Short expiration time
- Asynchronous update
http://localhost:4502/libs/granite/csrf/token.json
26. Covered Communication
- HTML forms. Make sure the synchronous POST includes the TOKEN
- Make sure all non-GET AJAX calls include the token
- “Asynchronous” file upload for legacy IE.
Make sure that form submissions to dynamically created
iFrames include the TOKEN.
I do not want to bore you with the details, but in case you are wondering…
for instance, for the AJAX calls we patched the XMLHttpRequest prototype and added an HTTP request header.
As an app dev you can simply ignore this, you can keep using jQuery etc.
(this is simplified code; globalToken holds the token)