Beyond Bearer: Token Binding as the Foundation for a More Secure Web

Presented at LocoMocoSec 2018, April 6, 2018, 9:50 a.m. (40 minutes)

The overwhelming majority of security tokens used today on the web are bearer tokens (e.g. HTTP cookies, OpenID Connect ID tokens, SAML assertions, OAuth tokens). Any party in possession of a bearer token can use it to gain access to the associated protected resources, which makes such tokens a highly attractive target for attackers. Although there have been many efforts to provide better-than-bearer security, none has achieved widespread deployment. Token Binding is a new IETF protocol that enables strong cryptographic defenses against the use of stolen security tokens and, with a novel approach and the backing of some very significant industry players, has the potential to find the success that has eluded previous attempts. This session will provide an overview of how Token Binding works and its application to higher-level protocols like OpenID Connect and OAuth. Some bad jokes and gratuitous photography will be included to take the edge off the otherwise very nerdy content.


Presenters:

  • Brian Campbell - Ping Identity
    As a Distinguished Engineer for Ping Identity, Brian Campbell aspires to one day know what a Distinguished Engineer actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of PingFederate, the product that put Ping Identity on the map, and creating the popular open source JWT library jose4j. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and ongoing contributions to OAuth, JOSE and Token Binding in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts.
