OpenID Foundation FAPI WG: June 2017 Update
-
Upload
nat-sakimura -
Category
Internet
-
view
8.908 -
download
0
Transcript of OpenID Foundation FAPI WG: June 2017 Update
Nomura Research Institute
Nat Sakimura Chairman of the Board, OpenID Foundation Research Fellow, Nomura Research Institute
Foundation Financial API WG
• OpenID® is a registered trademark of OpenID Foundation. • *Unless otherwise noted, all the photos and vector images are licensed by GraphicStocks.
June 2017
Anoop Saxena FAPI WG co-chair, OpenID Foundation Architect, Intuit
http://openid.net/wg/fapi/
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 2 ?Do you use Personal Finance Software?
What are the current problems?
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 3
When NRI started screen scraping in 2001, we thought it will be a temporally solution.
3
“There was OFX, and SAML was coming. SOAP was gaining momentum. We should be able to get out of scraping business in a few years time!”
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 5
After 15 years, we are still screen scraping.
5
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 6
The situation is changing though.
6
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 7
Fintech is gaining a lot of interest lately
(SOURCE)Google Trends
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 8
API is known to be one of the three main component of FinTech
8
Use cases for Identity Federation API in Financial sector
1. Account Opening (incl. KYC) 2. Personal Asset Managment 3. Payment, Sending Money 4. Loan Application 5. AI assisted portfolio management
(Source) Nikkei BP: Fintech Revolution P.4
(Source)Nikkei BP: FinTech Yearbook
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 9
I
n JSON , XML + OAuth 2.0
INDUSTRY PUSH > US: FS-ISAC Durable Data API
9
(Source) FS-ISAC FSDDA WG
OpenID Financial API
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 10
REGULATORY PUSH> EU Payment Service Directive 2 mandates API availability by the end of 2017.
10(SOURCE) ODI OBWG: The Open Banking Standard (2016)
JSON REST OAuth
OpenID Connect
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 11
“LEGO Model” provided by APIs creates a new customer segment “B-to-D”
11
Laurens Hamerlinck Innovation Manager ABN AMRO Bank @lhamerlinck
• Open Banking APIs are drawing fintech companies to UK. • API creates Lego model. You do not need to build everything yourself. • OEaS:=Our Expertise as a Service • Financial sector becomes more Open. Not only in EU. Also in US and elsewhere.
• iOS app platforms did not have any developers in the beginning but see what happened by opening up the ecosystem.
• What happened to a company who did not open it? • B-to-D: API = New Customer Segment.
『Bank as a Platform: Exploring a new Role in the Age of Technology』 (European Identity Summit 2017 講演より)
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 12
Automation through API makes it possible for financial institutions to provide services to hitherto unreachable segment.
n Operational loan provided to small business. l Banks providing operational loans to a
small business through automated credit clearance based on the ledger data using Artificial Intelligence.
n Transaction insurance offered to SME. l Transaction insurance has only been
offered to large enterprises due to the low insurance rate compared to the cost of the evaluation of the deals.
l With APIs, the cost is significantly driven down and now it can be offered to SMEs.
12
42.5 57.5
Gross Value Add
Large SME
1
99
Number
Large SME
Reaching the hitherto inaccessible (due to benefit/cost) market
(source) Eurostat: Number of enterprises, persons employed and gross value added (GVA) and the share of SMEs, 2012.
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 13
Saying “use #oauth” does not solve the problem.
13
-- Mark O’Neill, Gartner
(SOURCE) Photo taken by Nat Sakimura @APIDays on 13th Dec. 2016
@APIDays Paris 2016
In the era of “Mobile First”, OAuth is an obvious choice for API protection but …
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 14
Because OAuth 2.0 is a framework as the name indicates
14
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 15
and needs to be profiled to suit the circumstances and use case.
15
Valu
e at
sta
ke
Environmental Control LevelHigh Low
High
Low
Social sharing
Closed circuit Factory
application
Financial API – Read & Write
For example:
Basic OAuth is good enough
Bearer token Not OK
Stock RFC6749 and 6750 is not
enough.
Not all security requirements need to be fulfilled by OAuth.
Need to be careful in the case of higher value at stake in a low environmental control scenario, such as an internet banking.
Financial API – Read only
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 16
RFC6749 state of the source, destination, and message authentication
16
Sender Authentication
Receiver Authentication
Message Authentication
Authorization Request
Indirect None None
Authorization Response
None None None
Token Request
Weak Good Good
Token Response
Good Good Good
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 17
OAuth 2.0 related options and the security levels
Security Level
Authorization types
Description
JWS Authz Req w/Hybrid Flow
Authz Request protected
Hybrid Flow*1
(confidential client) Authz Response protected (ID Token acts as the detatched signature for the response.)
Code Flow (confidential client)
Client authentication
Implicit Flow No client authentication
Plain OAuth Anonymous
*1) state injection taken care of by including ‘s_hash’
Authorization Request/Response types and the security levels
Token Types and the security levelsSecurity Level
Token Type Description
Sender Constrained Token
Only the named Party with a correct Key can use the token
Bearer Token Anyone can use The token
17
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 18
e.g., tighten up the source, destination, and message authentication
18
Sender Authentication
Receiver Authentication
Message Authentication
Authorization Request
Request Object Request Object Request object
Authorization Response
Hybrid Flow Hybrid Flow Hybrid Flow
Token Request
Good Good Good
Token Response
Good Good Good
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 19
To create an appropriate OAuth profile for financial API use, we need to consider multiple
factors:
19
These are not taken into account too often resulting in too many unsafe OAuth 2.0 implementations.
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 20
Example of factors:
20
n 1 Server/client assumptionn Message authenticationn Source authenticationn Desitination authenticationn User authenticationn Message confidentialityn Token Phishing/Replay
Financial API Profile needs to Solve them all.
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 21
OAuth’s primary security assumption is that there is only 1 Authz Server per client:
n In case of a Personal Finance Management Software/Client, it will necessarily have multiple Authz Servers. l Make sure to have virtual separation, i.e., having different redirect endpoints
for each server to avoid Authz server mix-up attack etc.
v.s.
C1O
C1R
UA
A1Z
C2R
C2O
A2Z
1 Authz Server / client Model
C2R
C1O
C1R UA
A1Z
C2OA2Z
n Authz Server / client Model
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 22
Message Authentication Problems
n Communication through UA are not authenticated and thus can be tainted, but often used without taint check.
n Neither ‘code’ nor ‘state’ can be taken at its face value, but we do...
C1O
C1R
UA A1Z
TLS terminates here. Not authenticated (response_type, client_id, redirect_uri, scope, state)
Not authenticated (code, state)
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 23
Message Source Authentication Problems
n Since the authorization request and response goes through the browser, the receiving ends cannot be sure of who is the real sender.
C1O
C1R
UA A1Z
TLS terminates here. A1Z cannot verify that the Authz request is from C1O
C1R cannot verify that the Authz response is from C1O
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 24
Message Destination Authentication Problems
n We are in a mobile app world, right? n “Code phishing” on public clients a.k.a. mobile apps n Custom scheme etc. can be hijacked by malware on the device.
l It has been exploited against popular apps. l RFC7636 OAuth PKCE exists for the mitigation of this problem.
24
Good App
Bad App
UA A1Z
Redirect uri = goodapp://
I am goodapp!
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 25
Identity and authentication problems
25
n OAuth has no notion of user identity. n User authentication is “out of scope”.
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 26 26Created by @nishantk
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 27
Message confidentiality problems
n Authorization request is not encrypted in the application layer thus can be seen by the Man-in-the-browser etc.
n And we know that malware abounds. l The most popular Online Banking attack in Japan since 2014 is man-in-the-browser.
C1O
C1R
UA A1Z
TLS terminates here.
Malware can see the payload
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 28
Token Phishing / Token Replay
n Clients sends token requests and resource requests to forged/compromised servers. Then, these servers can act as a hostile client to replay the request. l E.g.,
▪ Sending a fake email to developer that the endpoints has been changed. (We know that about 1 in 20 trained engineer gets phished.)
▪ Combination of TLS certs mis-issuances and DNS spoofing, etc. ß there seems to be real examples for the attacks against banks.
28
Client XYZ
Attacker
ABC Bank
Hi I am ABC Bank
API
Hi I am Client XYZ
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 29
To solve these problems, OpenID Foundation Financial API (FAPI) WG was formed.
n Scope l The goal of FAPI is to provide JSON data
schemas, REST APIs, and security & privacy recommendations and protocols to: ▪ applications to utilize the data stored in the
financial account, ▪ applications to interact with the financial
account, and ▪ users to control the security and privacy
settings. n Both commercial and investment banking account
as well as insurance, and credit card accounts are to be considered.
29
(Source) OpenID Foundation Financial API WG draft charter
JSON REST OAuth
OpenID Connect
(SOURCE) ODI OBWG: The Open Banking Standard (2016)
For details, see: https://openid.net/wg/fapi/
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 30
Why OpenID Foundation?
• Authors of OAuth, JWT, JWS, OpenID Connect are all here.
Right People
• Royalty Free, Mutual Non-Assert, so that everyone can use it freely. Right IPR
• Free to join WGs. (Sponsors welcome) • WTO TBT Compliant Process.
Right Structure
30
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 31
In a IPR safe and Completely Open Environment
n IPR regime l Mutually assured patent non-assert l Trademark (OpenID®) control against false claim of
the spec support l Certification support to reinforce the interoperability
n Completely Open Environment l Free of charge to join the WG as long as you file the
IPR agreement l Bitbucket (git) to track the changes ▪ File an issue and send a pull request!
n Made possible by these sponsors!
31
Sustaining corporate members (board members)
Corporate members
Non-profit members
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 32
WG works through the weekly conference calls (alternating times for the Atlantic and the Pacific time zones), the mailing list, and the project repository (https://bitbucket.org/openid/fapi/ )
32
Issue Tracking
Meeting Notes etc.
Commit History
Pull Request
Draft Text
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 33
Working Together
33
OpenID FAPI
(Chair)(Co-Chair)(Co-Chair)
(UK OBIE Liaison)
Liaison Organizations
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 34
Current Specs. n Financial Services – Financial API –
l Part 1: Read Only API Security Profile http://openid.net/specs/openid-financial-api-part-1.html ▪ Implementer’s Draft (I-D) ~Implementations going on
l Part 2: Read and Write API Security Profile http://openid.net/specs/openid-financial-api-part-2.html ▪ Under Public Review
l Part 3: Open Data API ▪ Waiting for the UK OBIE Contribution
l Part 4: Protected Data API and Schema - Read only ▪ Bank Account – Based on the US FS-ISAC Contribution
l Part 5: Protected Data API and Schema - Read and Write ▪ Waiting for UK OBIE Contribution
▪ Using Claims Request to obtain granular consent
34
Swagger files are going to be provided
Probably need to be registry entries rather than “Parts”
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 35
Financial Services – Financial API -- Part 1: Read Only API Security Profile
n Note: ISO Keywords, “shall”, “should”, “may”, “can” are used.
n Lots of “shall”s. Need to fulfill them all for an adequate security level.
35(出所)Financial Services – Financial API -- Part 1: Read Only API Security Profile Implementer’s Draft
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 36
Adoption among the industry is great!
36
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 37
Japanese Banker’s Association Recommendation (16 March 2017)
37
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 38
Open Banking Implementation Entity Announcement (17 May 2017)
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 39 ?How do you know that it has been
implemented correctly?
39
© 2017 by Nat Sakimura. CC-BY-SA.
Copyright © 2016 Nat Sakimura. All Rights Reserved. 40
A certification test suite is being planned to be provided online
40
For more details, see http://openid.net/certification/
Passing publicly available test suit
Self declaration and public listing
We currently only have a generic test for Basic OpenID Connect capabilities. We need to add tests for FAPI. Directed funding is being sought now.