You wanna crypto in AEM
•
3 likes•3,087 views
This document introduces cryptography concepts like encryption, integrity protection, and digital signatures. It discusses how Adobe Experience Manager (AEM) implements cryptography to encrypt tokens and protect against CSRF attacks. Specifically, AEM uses JSON Web Tokens (JWTs) to encapsulate tokens, signs them with an HMAC key for integrity, and includes the token in non-GET requests to prevent CSRF without requiring changes to application code or dependencies on server-side sessions. Developers do not need to handle the CSRF token explicitly in their JavaScript code.
Report
Share
More Related Content
What's hot
What's hot (19)
Similar to You wanna crypto in AEM
Similar to You wanna crypto in AEM (20)
Recently uploaded
Recently uploaded (20)
You wanna crypto in AEM
- 1. So, you wanna crypto (in AEM) Damien Antipa (@visiongeist) Antonio Sanso (@asanso) Adobe Research Switzerland
- 2. Who are these guys BTW Damien Antipa Senior UX Engineer Adobe Research Switzerland
- 3. Who are these guys BTW Antonio Sanso Software Engineer Adobe Research Switzerland Committer and PMC Member for Apache Sling VP (Chair) for Apache Oltu (OAuth Protocol Implementation in Java) Internet Bug Bounty, Google Security Hall of Fame, Facebook Security Whitehat, GitHub Security Bug Bounty, Microsoft Honor Roll
- 4. What is Cryptography? DISCLAIMER – I am not a cryptographer Cryptography is the art of protecting information
- 5. Confidentiality vs Integrity Encryption Sign/Validate Integrity Protection
- 9. Why not DIY #1? I need to encrypt
- 10. Why not DIY #2? Plaintext: hello Ciphertext: ΠΞιιΘ AES ECB ! AES ECB
- 11. Encryption is NOT Authentication ★
- 12. Encrypt Than MAC
- 13. AEM Use Case: Encapsulate Token
- 15. JSON Web Token eyJhbGciOiJIUzI1NiIs InR5cCI6IkpXVCJ9. eyJpc3MiOiJhZW0iLC JzdWIiOiJhc2Fuc28iL CJleHAiOjE0MzUwNj g3MTEsImlhdCI6MT QzNTA2NTExMX0. MaGUiPg07ezuP9yA OaVLETQH6HMOpfo Gwg_c0-PDw {"alg":"HS256","typ":"JWT"}Header Claims {"iss":"aem","sub":"asanso","exp": 1435068711,"iat":1435065111} Signature HMAC ★
- 17. AEM Use Case: CSRF Protection
- 18. Problem - CSRF CSRF = Cross site request forgery OWASP TOP 10
- 19. CSRF – How does the attack work? POST http://bank.com/transfer.do HTTP/1.1 acct=BOB&amount=100 The Attack (Mallory Page) <form action="http://bank.com/transfer.do" method="POST"> <input type="hidden" name="acct" value=”ANTONIO"/> <input type="hidden" name=amount" value="100000"/> <input type="submit" value=”Show pictures"/> </form> Browsers make requests (with cookies) to any other origin
- 20. CSRF – AEM <= 6.0 Protection Apache Sling Referrer Filter White list of allowed referrer for POST/PUT/DELETE operations Q. IS IT SAFE ? A. YES
- 21. CSRF – AEM <= 6.0 Protection HTTP HTTP Referer HTTPS HTTPS Referer HTTP HTTPS Referer HTTPS HTTP <html> <script> function load() { var postdata = '<form id=dynForm method=POST action='http://bank.com/transfer.do'>' + '<input type=hidden name=acct value=ANTONIO />' + '<input type=hidden name=amount value=100000 />' + '</form>'; top.frames[0].document.body.innerHTML=postdata; top.frames[0].document.getElementById('dynForm').submit(); } </script> <body onload="load()"> <iframe src="about:blank" id="noreferer"></iframe> </body> </html>
- 22. CSRF – Token (Classic solution) - Include a hidden form field <form action="http://bank.com/transfer.do" method="POST"> ... <input type="hidden" name="csrfToken" value=“ewqakjdsa��/> </form> - Store the token server side in a database - Check if the token match - Not cachable ! - Not scalable !
- 23. Goals of the CSRF implementation ★ - Easy to use - Transparent to application code - No dependencies - Auto refresh - Available on author and publish - No leakage to other domain - Browser support - IE8+ - Scalable and Cacheable - No sticky sessions - No HTTP Sessions
- 24. How to use it in a project If you are building an admin UI based on Granite, you need to do: NOTHING - we include it for you If you are building an independent or public facing login, you to: you need to add granite.csrf.standalone client library In both scenarios your Javascript code does NOT need to do anything or be aware of the CSRF token.
- 25. Ensure Integrity and Caching - Use JSON Web Token - Sign using system HMAC key - Validate the token using standard JWT validation - Short expiration time - Asynchronous update http://localhost:4502/libs/granite/csrf/token.json
- 26. Covered Communication - HTML forms. Make sure the synchronous POST includes the TOKEN - Make sure all non-GET AJAX calls include the token - “Asynchronous” file upload for legacy IE. Make sure that form submissions to dynamically created iFrames include the TOKEN.
- 28. XMLHttpRequest.prototype.send = function(method) { this.setRequestHeader('CSRF-Token', globalToken); send.apply(this, arguments); };
- 29. function handleForm(ev) { var form = ev.target; if (form.nodeName.toLowerCase() === 'form') { input = document.createElement('input'); input.setAttribute('type', 'hidden'); input.setAttribute('name', 'CSRF-Token'); input.setAttribute('value', globalToken); form.appendChild(input); } } document.addEventListener( 'submit', handleForm, true /* capture phase */);
- 30. https://docs.adobe.com/docs/en/aem/6-0/develop/ref/javadoc/com/ adobe/granite/crypto/CryptoSupport.html https://docs.adobe.com/docs/en/aem/6-0/develop/ref/javadoc/com/ adobe/granite/oauth/jwt/package-summary.html Documentation Questions? Damien Antipa, Senior UX Engineer Twitter: @visiongeist Antonio Sanso, Software Engineer Twitter: @asanso