diff --git a/content/day-2/09_e2e-authenticity.md b/content/day-2/09_e2e-authenticity.md new file mode 100644 index 0000000..43b8b79 --- /dev/null +++ b/content/day-2/09_e2e-authenticity.md 
@@ -0,0 +1,83 @@ +--- +title: End to End Message Authenticity in Cloud Native Systems +weight: 9 +tags: + - rejekts + - security +--- + + + +## Why does e2e authenticity matter? + +- Classic Setup: Micro-Services with TLS and auth via Bearer + ```mermaid + graph LR + User-->|TLS|Gateway + Gateway-->|mTLS|Server + Server-->|mTLS|Gateway + Gateway-->|TLS|User + ``` +- Intrusion: Hacked Gateway + - Can modify the request + - Could log auth tokens + - Could replay requests with different body or token + + +## Baseline OIDC +- Only IDP has private key for signing +- Anyone can fetch the private key and verify +- Usage: SSO, Trust Federation +- Problem: Symmetric Credential can be forwarded if leaked + +## Fixes + +### HTTP Message Signatures + +- Idea: + - Client can sign the content and headers with a symmstric/asynmetric key + - Server can verify the signature +- Implementation: Basicly just an additional Signature Header and a Header that tells us what is included in the signature + ``` + HTTPS POST /test + Authorization: Bearer + Signature-Input: "authorization" @body + Signature: ahsz7d9zahbsdoih + ``` +- Problem: Key distribution +- Real-World: AWS v4 Signature shares accesskey and secretkey out of band and signs header with accesskey (symmatric) +- Transitive Trust + +### OIDC Key binding + +TODO: Steal image from slides + +### Proof of Posession + +> Basicly adds a nonce that we have to sign and the idp now knows that we really posess it + +TODO: Steal image from Slides + +### OpenPubKey + +> Assigns meaning to the nonce and can reconstruct the nonce for a reverse check + +## Demo + +The demo uses GitHub as a PKI (since all public keys get exposed via github). +Pretty cool: They automated the demo via a go cli. + +TODO: Link to demo code +TODO: Steal image from Slides + +## Next steps + +- SPIFFE is the de-facto standard for distributing identities to workloads + 1. Workloads asks "Who am I" + 2. Agent attests the workload + 3. 
Agent provides OIDC or X.509 to Workloads + +* WIMSE RFC: Basicly DPoP/OpenPub + 1. Workload get's a private key + 2. Issuer binds workload identity to the public key + 3. Auth trusts SPIFFE, it can trust the key \ No newline at end of file
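Review bot: The "Baseline OIDC" bullets invert the key model and should be corrected before merge: "Anyone can fetch the private key and verify" should read "public key" (the IDP publishes its verification keys via the JWKS endpoint and keeps the signing key private), and "Symmetric Credential can be forwarded if leaked" describes a bearer credential, not a symmetric one; the point is that a bearer token is accepted from whoever presents it, which is exactly what the later sections (DPoP/proof-of-possession, OpenPubKey, WIMSE key binding) fix. In the "HTTP Message Signatures" example, `HTTPS POST /test` is not a valid request line (use `POST /test HTTP/1.1`), and `Signature-Input: "authorization" @body` does not match the RFC 9421 syntax, which labels the signature and lists covered components, e.g. `Signature-Input: sig1=("@method" "@path" "content-digest" "authorization")`; the body is covered through a `Content-Digest` header rather than an `@body` component. The AWS SigV4 bullet has the keys backwards as well: the request is signed with an HMAC key derived from the secret access key, while the access key ID is the public identifier carried in the Credential scope. Smaller points: "Proof of Posession" / "posess" should be "Possession" / "possess", "symmstric/asynmetric" and "symmatric" should be "symmetric/asymmetric", "Basicly" should be "Basically", "get's" should be "gets", WIMSE is an IETF working group rather than an RFC, SPIFFE issues JWT-SVIDs and X509-SVIDs (not "OIDC"), and the four "TODO: Steal image from slides" / "TODO: Link to demo code" placeholders should be resolved or dropped before this page is published.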