Wang Jiajun
Apr 22nd, 2014
Almost everyone is familiar with passwords.
We use passwords for:
Assume:
An n-character password over [a-zA-Z0-9]
62^n possible combinations
Some papers also focus on passwords, e.g.
The Quest to Replace Passwords
Some other mechanisms:
Android lock pattern
Multiple accounts/passwords within one site.
For example, in SJTU
{electsys,mail,jdcw,mypower}.sjtu.edu.cn
We have Jaccount!
OpenID
An open standard
A decentralized SSO system
Allows users to be authenticated to a site by a third-party service.
Site: "Who are you?"
Me: "I am chris.vertonghen.org"
Site: "Prove it!"
(some magic happens)
Site: "OK. You are in."
Avoid redundant registering
No leaking of your password
Better User Experience
Decentralized: Not owned by any one company
Website must support it
Phishing attack
Single point of failure
OpenID gives us a way to log in quickly
But we also need to fill in our profiles
Avatars, Nicknames, Email addresses, etc.
You have multiple photos on Google+
Need to edit the photos, but on another site
Download the photos and upload to the site
Give your Google account & password to this site
You have to fully TRUST the third party applications!
Can we let the site access only my photos, without it knowing my password?
OAuth
Application: "I wanna know your name and get access to your photos on Google+."
Me: "Alright."
(Application opens a website)
Google: "Do you really want to give it the access?"
Me: "Yes!"
(Google gives an access token to the application)
Google: "You can use the access token to do what you want (with the photos and the name)."
Application: "Cooooool!"
Configuring an email client, you need to provide:
username
password
{imap,pop3} server
smtp server
Google allows developers to use the OAuth API to control your accounts
Scope
Revoke
Refresh
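The exchange in the Application/Google dialogue above, together with scope, revoke and refresh, as an added toy model (constructed for this page, not Google's real API or the author's code): the application never sees the password, only a token bound to the scope the user approved.

```python
import secrets
import time
# Toy model (constructed for this example, not Google's real API) of the exchange
# on the slide: the user consents once, the application receives a token limited
# to a scope, and the token can be refreshed or revoked; the password is checked
# only by the authorization server and never reaches the application.
class AuthServer:
    def __init__(self, users):
        self.users = users    # username -> password, held only here
        self.codes = {}       # one-time authorization code -> (user, scope)
        self.tokens = {}      # access token -> (user, scope, expiry, refresh token)
        self.refresh = {}     # refresh token -> (user, scope)
    def authorize(self, user, password, scope):
        # "Google: Do you really want to give it the access?"  "Me: Yes!"
        if self.users.get(user) != password:
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(8)
        self.codes[code] = (user, frozenset(scope))
        return code           # sent back to the application via redirect
    def exchange(self, code, ttl=3600):
        # "(Google gives an access token to the application)"
        user, scope = self.codes.pop(code)   # code is single-use
        tok, ref = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
        self.tokens[tok] = (user, scope, time.time() + ttl, ref)
        self.refresh[ref] = (user, scope)
        return tok, ref
    def refresh_token(self, ref, ttl=3600):
        user, scope = self.refresh[ref]      # KeyError once revoked
        tok = secrets.token_urlsafe(16)
        self.tokens[tok] = (user, scope, time.time() + ttl, ref)
        return tok
    def revoke(self, ref):
        # Consent withdrawn: the refresh token and every access token it issued die
        del self.refresh[ref]
        self.tokens = {t: v for t, v in self.tokens.items() if v[3] != ref}
    def check(self, tok, needed):
        # Resource server: token known, unexpired, and granted scope covers `needed`?
        entry = self.tokens.get(tok)
        return entry is not None and entry[2] > time.time() and needed in entry[1]

def demo():
    srv = AuthServer({"me": "hunter2"})        # constructed sample account
    code = srv.authorize("me", "hunter2", ["photos", "name"])
    tok, ref = srv.exchange(code)
    in_scope, out_of_scope = srv.check(tok, "photos"), srv.check(tok, "mail")
    tok2 = srv.refresh_token(ref)              # new token, same scope
    srv.revoke(ref)                            # user revokes the application
    return in_scope, out_of_scope, srv.check(tok2, "photos")  # (True, False, False)
```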
Has its own accounts system
Integrated with OpenID (always OAuth)
Binding its own user with the user's OpenID
Looks good, but there are always some programming mistakes :(
Representational state transfer
Introduced and defined by Roy Fielding in 2000
Doctoral dissertation: Architectural Styles and the Design of Network-based Software Architectures
A RESTful application
Authentication: who is this user?
Authorization: can this user do that?
Involves 3 parties
Open protocols
HTTP based (RESTful)
Not mutually exclusive
Sharing: Identity vs Resources
Decentralized vs Centralized