On the 14th and 15th of July, we had the OAuth Security Workshop 2016 at the University of Trier. Further, we had a IETF 96 side meeting on OAuth security at 18:20 in the beautiful Café am Neuen See to further discuss it. Below is the summery of what I got as the …
(Following is the transcript of my speech at the TUAC Forum at the 2016 OECD Ministerial on the Digital Economy) Q. Why is access to an open internet important? Simply put, it is because the open access to the internet is a key to achieving more productivity and equitable distribution of …
Here is the presentation file that I used for my 10 minutes OpenID Foundattion Financial API WG presentation at the Open Data in Finance Conference ( June 15, 2016). To join the Working Group, please sign the IPR Contribution agreement online by clicking here or download the PDF form and fill it, scan …
Here is the script of the Chair’s remark at the opening of the Open Data in Fianance Conference in London (June 15, 2016) 09:00 – 09:10 Chair’s Welcome Nat SakimuraSenior ResearcherNomura Research Institute Hello. Welcome to the Open Data in Finance Conference. I am really excited to be a part …
@JamieXML pinged me about the @18F breach that I completely missed. I quickly googled it and found this article. IG report:18F’s unauthorized Slack use caused breach of 100 GSA Google Drives It refers to “MANAGEMENT ALERT REPORT:GSA Data Breach” [JE16-004], which is a very strange report. It says “over 100 …
I have many bank accounts. If I wanted to use a new and shiny graphing service, I have to get authorization from each banks individually. That’s a bit of nuisance. Instead of doing that, if I can instruct each banks to delegate authorization on my accounts to my Authorization server, …
The so called ‘cut and pasted code attack’ also known as ‘Frankenstein Monster Attack’ is an attack that the adversary swaps the ‘code’ in the authorization response with the victim’s ‘code’ that the adversary has gotten hold of somehow. It can be through the Code Phishing attack, or some other attacks. …
Code phishing attack is the attack that the adversary obtains the code and client credentials from the legitimate client and uses them against the honest token endpoint to obtain tokens thereby accessing the protected resources illegitimately. Assumptions There are not much assumptions needed for this attack. The client and the server …
On Sunday 10, 2016, OAuth Security Advisory: Authorization Server Mix-Up was issued. Nov Matake wrote an excellent article about it in Japanese. To help understand the readers of the attack, I am translating the portion of his blog post explaining the attack with his permission, then expand on it. Assumptions The …
2015 was a hectic year: Bunch of the specs that I have been working on (JWS [RFC7515], JWT [RFC7519], OAuth PKCE [RFC7636], JWK Thumbprint [RFC7638])got published and the work to convert ISO/IEC 29100 Privacy Framework into Japan Industry Standard started. We had OpenID Summit Tokyo 2015 gathering around 500 audience also. (The last time was back …
![Cut and pasted code attack in OAuth 2.0 [RFC6749]](https://i1.wp.com/nat.sakimura.org/wp-content/uploads/2016/01/cut-and-pasted-code.png?resize=476%2C350&ssl=1)
![Code phishing attack on OAuth 2.0 [RFC6749]](https://i0.wp.com/nat.sakimura.org/wp-content/uploads/2016/01/code_token_phishing.png?resize=476%2C350&ssl=1)
![IdP Mix-up Attack on OAuth [RFC6749]](https://i2.wp.com/nat.sakimura.org/wp-content/uploads/2016/01/oauth-idp-mixup.png?resize=476%2C350&ssl=1)
