Scaling Backend Authentication at Facebook Kevin Lewi , Callen Rain , - PowerPoint PPT Presentation


 Scaling Backend Authentication at Facebook Kevin Lewi , Callen Rain , Stephen Weis, Yueting Lee, Haozhi Xiong, Benjamin Yang 
 Facebook

Infrastructure Security Network Perimeter Trusted Services

Building from a Root of Trust ] " Walled Garden " Less trust More trust More machines Fewer machines

How can we scale authentication while minimizing our root of trust?

Trusted Components Key Server Root CA (Holds Master Keys) (Signs Certificates) Login Server Authorization Server (Signs Sessions) (Signs ACLs)

Authentication and Authorization Identities Access Control Lists (ACLs) User: "Callen Rain" Resource: 
 "Who can access table X in database Y?" - Identity1 
 Machine: server123.fb.com - Identity2 
 ... Service: Image Uploading

Service Authentication with TLS Identity Distribution Authorization Root CA ACL Check Request Cert Permission Auth Server Check Deploy Cert Permission TLS Client ACL Server

Service Authentication with TLS Check ALLOW I am "Client" Permission ACL: 
 Client Server “Client is ok”

Service Authentication with TLS Client 1 Check ALLOW ? Permission ACL: 
 Client 2 Server “Client is ok” Client 3

Intermediate Proxies Check REJECT I am "Client" I am "Proxy" Permission ACL: 
 Client Proxy Server “Client is ok”

Intermediate Proxies Check ALLOW ALLOW ACL: 
 I am "Client" I am "Proxy" Permission "Client is ok" 
 Client Proxy Server "Proxy is ok" Check Permission ACL: 
 "Client is ok" 
 "Proxy is ok"

Intermediate Proxies Check ACL: 
 Permission Server 1 Proxy Client 1 "Client 1 is ok" ACL: 
 Client 2 Server 2 Proxy "Client 2 is ok" ACL: 
 Client 3 Proxy Server 3 "Client 3 is ok" Check Permission ?

Tokens $ Check ALLOW Permission ACL: 
 Client Proxy Server “Client is ok” TLS TLS

Tokens 1. Certificate-Based Tokens 2. Crypto Auth Tokens (CATs)

Certificate-Based Tokens $ Client Proxy Server build( ) verify( ) CA Cert Key Cert

Certificate-Based Token Creation - client certificate - proxies Cert - metadata - resource - signature - actions serialize 1d229271928d3f9e2bb0375bdf572d 396fae9206628714fb2ce00f72e94f2 258f6ce5857596baa7e917bc7 ff f34f b8730b48d248969ecc2d86151b63c 214b0eba55fb8730b48d248969ecc2 d86151b63c214b0eba55bda19e0b1 5fde576ce41679aa47656b256a11df signature( private key, metadata ) Key 5e110124750ba169fdbfb8730b48d2 48969ecc2d86151b63c214b0eba55 db6c6d348d9

Certificate-Based Token Verification Certificate-Based Token Signature Token Data Certificate Proxy Resource Actions

Caching Certificate-Based Tokens $ Client Proxy Server hash(metadata) hash( ) metadata $ $ LRU Creation Cache LRU Validation Cache

Tradeo ff s with Cert-Based Tokens Pros Cons Reliable Large Simple Public-Key Generic x509

A Symmetric-Key Variant (analogous to Kerberos) MAC $ Proxy Client Server session key "service name" service key Key Server All direct communications are encrypted / authenticated with TLS

"Crypto Auth Tokens" (CATs) = MAC(session key, request) || client + "info" $ Login Server Proxy Client Server session key "service name" service key Key Server service key = PRF(master key, "service" + info) session key = PRF(service key, "client" + info) All direct communications are encrypted / authenticated with TLS

Summary 1. We build from a small root of trust 
 2. TLS by itself isn't enough 
 3. Tokens Public-Key • Symmetric-Key •

Acknowledgments