170724 JP/UK Open Banking Summit English Translation
- 1. Copyright© Nomura Research Institute, Ltd. All rights reserved.
FAPI and beyond
From the standpoint of a specification author
Nat Sakimura, Research Fellow, NRI
Chairman, OpenID Foundation
@_nat_en
🌏 https://nat.sakimura.org/
linkedin.com/in/natsakimura
- 3.
Nat Sakimura (崎村夏彦)
• Author of:
– OpenID Connect Core 1.0
– JSON Web Token [RFC7519]
– JSON Web Signature [RFC7515]
– OAuth PKCE [RFC7636]
– OAuth JAR [IETF Last Call]
– Etc.
• Editor of:
– ISO/IEC 29184 Guidelines for online notice and consent
– ISO/IEC 29100 AMD: Privacy Framework – Amendment 1
– ISO/IEC 27551 Requirements for attribute based unlinkable entity authentication
– Etc.
• Chairman, OpenID Foundation
• Chair, Financial API WG
• Chair, Japan national subcommittee for ISO/IEC JTC 1/SC 27/WG5
• WG5 liaison to OECD/SPDE
• Research Fellow, Nomura Research Institute
• https://www.sakimura.org
• https://nat.sakimura.org
• @_nat_en (English)
• @_nat (Japanese)
• https://www.linkedin.com/in/natsakimura
• https://ja.wikipedia.org/wiki/崎村夏彦
- 6.
“Combining the correct components is the important thing. Just saying ‘use OAuth’ is not a solution”
-- Mark O’Neill, Gartner
(SOURCE) Photo taken by Nat Sakimura @APIDays Paris 2016 on 13th Dec. 2016
In the mobile-first era, using OAuth 2.0 is the way to go, but…
Because…
- 7.
OAuth is a Framework
“This framework was designed with the clear expectation that future work will define prescriptive profiles and extensions necessary to achieve full web-scale interoperability.” (RFC 6749, Section 1.8)
- 9.
Which options should we choose to achieve high enough security for financial usage?
[Chart: value of the resource (High/Low) against environment control level (High/Low). Quadrants: social sharing; closed-network application; financial API – read only; financial API – read & write. Annotations: “e.g., basic choices OK”, “Bearer token not OK”, “Basic choices NOT OK”.]
- 11.
Financial-Grade API (FAPI) Security Profile
[Chart: value of the resource (High/Low) against environment control level (High/Low). Quadrants: social sharing; closed-circuit factory application. Annotation: “e.g., basic choices OK”.]
No need to satisfy all the security requirements by OAuth.
- 12.
There are multiple consideration points when we think about it. These are often not observed in implementations; a financial profile needs to address all of them.
• Assumption of one client, one server
• Message authentication
• Sender authentication
• Receiver authentication
• User authentication
• Message confidentiality
• Token phishing / replay
- 13.
Paraphrased BCM*1 Principles
4 Criteria
(a) Unique source identifier
(b) Protocol + version + message identifier
(c) List of all actors/roles
(d) Detection of message integrity loss
*1 Basin, D., Cremers, C., Meier, S.: Provably Repairing the ISO/IEC 9798 Standard for Entity Authentication. Journal of Computer Security (Security and Trust Principles), Volume 21, Issue 6, 817-846 (2013)
- 14.
RFC6749 OAuth – code grant protocol messages
• Authorization Request
• Authorization Response
• Token Request
• Token Response
• Assume:
– a network attacker (e.g. browser malware)
– the crypto & TLS are not broken
– pure RFC6749 – three parties, static OAuth 2.0
[Diagram: UA, Client, AS]
- 15.
RFC 6749 Situation
Message parameters, assessed against (a) unique source identifier, (b) protocol + version identifier, (c) full list of actors/roles, (d) message authentication:
• Authorization Request: response_type, client_id, redirect_uri, scope, state
• Authorization Response: code, state, other extension parameters
• Token Request: grant_type, code, redirect_uri, client credential / client_id
• Token Response: access_token, token_type, expires_in, refresh_token, others
(Legend on the slide: required, optional and recommended parameters are distinguished by colour.)
The parameter combination in each message is different, so (b) = Good!
But that’s the end of the happy land.
- 16.
RFC 6749 – mostly RED
• Authorization Request (response_type, client_id, redirect_uri, scope, state)
– (a) Client ID is not globally unique; tampering possible. (b) OK, but it is not integrity protected. (c) No. (d) No.
• Authorization Response (code, state, other extension parameters)
– (a) No source identifier. (b) OK, but it is not integrity protected. (c) No. (d) No.
• Token Request (grant_type, code, redirect_uri, client credential / client_id)
– (a) Client ID is not globally unique. (b) OK (as long as there is no OAuth 3.0). (c) No. (d) OK.
• Token Response (access_token, token_type, expires_in, refresh_token, others)
– (a) No source identifier. (b) As above. (c) No. (d) OK.
- 17.
Sender, Receiver, Message authentication in RFC6749
Sender AuthN Receiver AuthN Msg AuthN
AuthZ Req Indirect None None
AuthZ Res None None None
Token Req Weak Good Good
Token Res Good Good Good
- 19.
OAuth 2.0 options and the security levels
Authorization Req/Res and the security levels (listed from the highest security level down):
• JWS Authz Req w/ Hybrid Flow: protection of the authorization request
• Hybrid Flow*1 (confidential client): protection of the authorization response
• Code Flow (confidential client) + PKCE + MTLS: countermeasure against code injection; elimination of long-lived Bearer Tokens
• Code Flow (confidential client): client authentication
• Implicit Flow: no client authentication
• Plain OAuth: anonymous
*1) Includes ‘s_hash’ to avoid state injection.
Token types and security level:
• Sender Constrained Token (a “registered” token): only the party it was issued to can use the token
• Bearer Token: a stolen token can still be used
(Labels on the slide: Part 1, Part 2)
- 20.
Can be strengthened
• Authorization Request (response_type, client_id, redirect_uri, scope, state)
– (a) Unique redirect URI + client ID. (b) OK (unique parameter list). (c) (a) + state as the UA identifier / TBID as UA identifier. (d) Request signing by JAR.
• Authorization Response (code, state, other extension parameters)
– (a) Unique redirect URI. (b) OK (unique parameter list). (c) (a) + client_id + state as the UA identifier / TBID as UA identifier. (d) Response signing by ID Token + s_hash.
• Token Request (grant_type, code, redirect_uri, client credential / client_id)
– (a) Unique redirect URI + client ID. (b) OK (unique parameter list). (c) (a) + state as the UA identifier / TBID as UA identifier. (d) TLS protected.
• Token Response (access_token, token_type, expires_in, refresh_token, others)
– (a) Unique redirect URI. (b) OK (unique parameter list). (c) (a) + client_id + state as the UA identifier / TBID as UA identifier. (d) TLS protected.
- 21.
FAPI RW Security Profile
Sender AuthN Receiver AuthN Msg AuthN
AuthZ Req Request Object Request Object Request object
AuthZ Res Hybrid Flow Hybrid Flow Hybrid Flow
Token Req Good Good Good
Token Res Good Good Good
- 22.
FAPI Security Profile = PKCE [RFC7636] + JAR [RFCxxxx] + Hybrid Flow [OIDC] + Sender Constrained Tokens (MTLS / Token Binding)
- 23.
PKCE: RFC7636
• A mechanism for binding the authorization request, the authorization response and the token request together.
• A one-time key is generated when the authorization request is sent, and its hash is attached to the authorization request.
• The authorization server binds this hash to the code.
• By sending the generated key with the token request, the whole sequence of messages can be tied together.
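The binding described above, as an added example (not code from the slides or from any FAPI implementation): the client derives the S256 challenge from a one-time verifier, the authorization server stores the challenge against the code it issues, and the token endpoint accepts the code only when the presented verifier hashes back to the stored challenge. The AuthorizationServer class and run_flow helper are assumed names for illustration.

```python
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: the one-time key (43 unreserved characters)."""
    return b64url(secrets.token_bytes(32))


def make_code_challenge(code_verifier: str) -> str:
    """Client side: S256 hash of the key, sent in the authorization request."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Minimal AS state: the challenge bound to each issued code (constructed)."""

    def __init__(self) -> None:
        self._codes: dict[str, str] = {}

    def authorize(self, code_challenge: str) -> str:
        """Authorization response: issue a code bound to the challenge."""
        code = b64url(secrets.token_bytes(16))
        self._codes[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> bool:
        """Token request: accept only if the presented key hashes to the
        stored challenge. The code is consumed on every attempt, so a
        stolen code cannot be retried with guessed verifiers."""
        stored = self._codes.pop(code, None)
        if stored is None:
            return False
        return hmac.compare_digest(make_code_challenge(code_verifier), stored)


def run_flow(tampered: bool = False) -> bool:
    """End-to-end flow; `tampered` presents a different key at the token step."""
    server = AuthorizationServer()
    verifier = make_code_verifier()
    code = server.authorize(make_code_challenge(verifier))  # authz req/res
    presented = make_code_verifier() if tampered else verifier
    return server.token(code, presented)  # token req/res
```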
- 24.
JAR (JWS Authorization Request)
• Tampering is detected by attaching a signature to the authorization request.
• Using a public-key signature improves evidentiary value and makes repudiation harder.
- 25.
Hybrid Flow
• A method of signing the authorization response (detached signature).
• An ID Token is returned inside the authorization response.
– Note that this ID Token is a detached signature and is not meant to identify an individual.
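The detached-signature check described above, as an added example (not code from the slides or from any FAPI implementation): the ID Token returned next to the code carries c_hash and s_hash, and the client checks that the code and state it actually received are the ones the signer hashed. Assumptions: the ID Token's JWS signature has already been verified by a JOSE library, the alg uses SHA-256, and all sample values are constructed.

```python
import base64
import hashlib
import hmac

HASH = hashlib.sha256  # hash implied by the ID Token alg; RS256/ES256 assumed


def left_half_hash(value: str) -> str:
    """base64url of the left half of the hash of the ASCII value: the rule
    OpenID Connect Core gives for c_hash and FAPI Part 2 gives for s_hash."""
    digest = HASH(value.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def issue_id_token_claims(code: str, state: str, nonce: str) -> dict:
    """AS side: claims of the detached-signature ID Token returned next to
    the code. No end-user identity is needed; it only binds the response."""
    return {"c_hash": left_half_hash(code), "s_hash": left_half_hash(state),
            "nonce": nonce}


def verify_authz_response(response: dict, expected_state: str,
                          expected_nonce: str, claims: dict) -> bool:
    """Client side, after a JOSE library has verified the ID Token's JWS
    signature (assumed done). The code and state actually delivered must
    be the ones the signer hashed, so a foreign code or state is detected."""
    return all([
        hmac.compare_digest(claims.get("c_hash", ""), left_half_hash(response["code"])),
        hmac.compare_digest(claims.get("s_hash", ""), left_half_hash(response["state"])),
        hmac.compare_digest(claims.get("nonce", ""), expected_nonce),
        hmac.compare_digest(response["state"], expected_state),
    ])


# Constructed sample values for the response the AS sends to the client.
SAMPLE_CODE, SAMPLE_STATE, SAMPLE_NONCE = "SplxlOBeZQQYbYS6WxSbIA", "st-7c1f", "n-0a9d"
SAMPLE_CLAIMS = issue_id_token_claims(SAMPLE_CODE, SAMPLE_STATE, SAMPLE_NONCE)


def genuine_response() -> bool:
    return verify_authz_response({"code": SAMPLE_CODE, "state": SAMPLE_STATE},
                                 SAMPLE_STATE, SAMPLE_NONCE, SAMPLE_CLAIMS)


def injected_code_response() -> bool:
    """A substituted code delivered with the legitimate ID Token must fail."""
    return verify_authz_response({"code": "some-other-code", "state": SAMPLE_STATE},
                                 SAMPLE_STATE, SAMPLE_NONCE, SAMPLE_CLAIMS)
```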
- 26.
Sender Constrained Token
• Whereas a Bearer Token can be used by anyone who holds it, a Sender Constrained Token is a type of token that cannot be used without the corresponding key.
– MTLS https://datatracker.ietf.org/doc/draft-ietf-oauth-mtls/
– Token Binding https://tools.ietf.org/html/draft-ietf-oauth-token-binding-07
- 28.
(Source) Chris Mitchel, “Banking is now more open”, Identify 2017
(Source) @UKOpenBanking https://twitter.com/UKOpenBanking/status/1017675263243702272
- 29.
(source) https://www.zenginkyo.or.jp/fileadmin/res/news/news290713_1.pdf
- 33.
• Two Implementer’s Drafts have been produced (an update is planned shortly).
[Chart: value of the resource (High/Low) against environment control level (High/Low). Quadrants: social sharing; closed-circuit factory application; financial API – read & write; financial API – read only. Annotation: “e.g., basic choices OK”.]
- 34.
These adopt the redirect approach:
• Part 1: Read Only Security Profile
• Part 2: Read and Write Security Profile
[Diagram: Redirect Approach / Decoupled Approach / Embedded Approach]
- 35.
All requirements are numbered in a checklist format, so checking conformance is easy.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
- 36.
Because the cryptographic requirements are also narrowed down, it can be operated securely and with high interoperability.
(source) https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
- 37.
The Decoupled approach is also under consideration
• CIBA (client initiated backchannel authentication) profile.
[Diagram: Redirect Approach / Decoupled Approach / Embedded Approach]
https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_CIBA.md
- 38.
Embedded Approach…
• Giving one’s bearer token to a third party is a bad idea.
• What about giving an application password (aka access token) by hand?
[Diagram: Redirect Approach / Decoupled Approach / Embedded Approach]
- 39.
In addition…
• E.g. The OpenBanking OpenID Dynamic Client Registration Specification
- 40.
• Intent registration endpoint
[Sequence diagram: the Client pushes the intent (e.g., to send $1,000 to Bob’s account) to the Server’s Intent Registration EP and receives an Intent ID; the Client then sends the AuthZ Req with the Intent ID to the Authorization EP; the AuthZ Response comes back to the Client’s Redirect URI; the Token EP is also shown on the Server.]
- 42.
(Source) https://twitter.com/IdentityMonk/status/1011960862272294912
- 44.
@_nat_en (English)
@_nat (Japanese)
🌏 https://nat.sakimura.org/
https://linkedin.com/in/natsakimura
https://nat.sakimura.org/youtube.php
Subscribe!