[HN Gopher] Tokenized Tokens
___________________________________________________________________
Tokenized Tokens
Author : darthShadow
Score : 64 points
Date : 2023-07-12 18:21 UTC (4 hours ago)
(HTM) web link (fly.io)
(TXT) w3m dump (fly.io)
| js2 wrote:
| TL;DR: fly.io wrote two new programs ("some little security
| thingies") to reduce the attack surface of their codebase. First
| is Tokenizer:
|
| > Tokenizer is an HTTP proxy that injects third party
| authentication credentials into requests. Clients encrypt third
| party secrets using the proxy's public key. When the client wants
| to send a request to the third party service, it does so via the
| proxy, sending along the encrypted secret in the Proxy-Tokenizer
| header. The proxy decrypts the secret and injects it into the
| client's request. To ensure that encrypted secrets can only be
| used by authorized clients, the encrypted data also includes
| instructions on authenticating the client.
|
| https://github.com/superfly/tokenizer
|
| Second is Ssokenizer:
|
| > Ssokenizer provides a layer of abstraction for applications
| wanting to authenticate users and access 3rd party APIs via
| OAuth, but not wanting to directly handle users' API tokens.
| Ssokenizer is responsible for performing the OAuth dance,
| obtaining the user's OAuth access token. The token is then
| encrypted for use with the tokenizer HTTP proxy. By delegating
| OAuth authentication to ssokenizer and access token usage to
| tokenizer, applications limit the risk of tokens being lost,
| stolen, or misused.
|
| https://github.com/superfly/ssokenizer/
|
| If these sound interesting to you, click the submitted link for
| the "big long essay about how the thingies came to be."
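The Tokenizer flow quoted above, as an added worked example that is not part of the thread or of fly.io's code: the client seals a third-party bearer token, together with a rule naming the client credential that may use it, to the proxy's public key; it then sends the sealed blob in the Proxy-Tokenizer header and its own credential in Proxy-Authorization, and the proxy either refuses the request or strips the proxy headers and injects the real token before forwarding. The encryption scheme (X25519 ephemeral ECDH, SHA-256 key derivation, AES-256-GCM), the JSON field names, the base64 header encoding and the client-auth rule are assumptions chosen for this demo, not tokenizer's real wire format. The SealSecret step is also what ssokenizer would do with a token it obtained through the OAuth dance. Standard library only; crypto/ecdh needs Go 1.20 or later.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Secret: the third-party credential plus who may use it (field names are assumptions, not tokenizer's format).
type Secret struct {
	BearerToken string `json:"bearer_token"` // sent upstream as "Authorization: Bearer ..."
	ClientAuth  string `json:"client_auth"`  // value the caller must present in Proxy-Authorization
}

// gcmFor derives the AES-256-GCM key as SHA-256(shared || ephemeral pub || proxy pub).
func gcmFor(shared, ephPub, proxyPub []byte) cipher.AEAD {
	key := sha256.Sum256(append(append(append([]byte{}, shared...), ephPub...), proxyPub...))
	block, _ := aes.NewCipher(key[:]) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Seal encrypts plaintext to the proxy's X25519 public key with an ephemeral ECDH key.
// Layout: ephemeralPub(32) || nonce(12) || ciphertext+tag.
func Seal(proxyPub *ecdh.PublicKey, plaintext []byte) ([]byte, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	shared, err := eph.ECDH(proxyPub)
	if err != nil { return nil, err }
	aead := gcmFor(shared, eph.PublicKey().Bytes(), proxyPub.Bytes())
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return aead.Seal(append(eph.PublicKey().Bytes(), nonce...), nonce, plaintext, nil), nil
}

// Open is the proxy side of Seal; tampering or a blob sealed to another key fails.
func Open(proxyPriv *ecdh.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 32+12+16 { return nil, fmt.Errorf("sealed blob too short") }
	ephPub, err := ecdh.X25519().NewPublicKey(blob[:32])
	if err != nil { return nil, err }
	shared, err := proxyPriv.ECDH(ephPub)
	if err != nil { return nil, err }
	return gcmFor(shared, blob[:32], proxyPriv.PublicKey().Bytes()).Open(nil, blob[32:44], blob[44:], nil)
}

// Proxy holds the only key that can open sealed secrets; clients never see it.
type Proxy struct{ Priv *ecdh.PrivateKey }

// SealSecret is the client step (or ssokenizer's, after the OAuth dance): turn a
// third-party token into a Proxy-Tokenizer header value.
func SealSecret(p *Proxy, s Secret) (string, error) {
	raw, _ := json.Marshal(s)
	blob, err := Seal(p.Priv.PublicKey(), raw)
	return base64.StdEncoding.EncodeToString(blob), err
}

// Forward opens the Proxy-Tokenizer header, checks the caller against the rule sealed
// inside it, strips the proxy headers, injects the real credential and sends the request on.
func (p *Proxy) Forward(req *http.Request) (*http.Response, error) {
	blob, err := base64.StdEncoding.DecodeString(req.Header.Get("Proxy-Tokenizer"))
	if err != nil || len(blob) == 0 { return nil, fmt.Errorf("missing or malformed Proxy-Tokenizer header") }
	plain, err := Open(p.Priv, blob)
	if err != nil { return nil, fmt.Errorf("cannot open sealed secret: %w", err) }
	var s Secret
	if err := json.Unmarshal(plain, &s); err != nil { return nil, err }
	// The rule travels inside the ciphertext, so a stolen blob is useless without
	// the client credential it names; compare in constant time.
	if subtle.ConstantTimeCompare([]byte(req.Header.Get("Proxy-Authorization")), []byte(s.ClientAuth)) != 1 {
		return nil, fmt.Errorf("caller is not authorized to use this secret")
	}
	out := req.Clone(req.Context())
	out.RequestURI = "" // a request received by a server cannot be resent with this set
	out.Header.Del("Proxy-Tokenizer")
	out.Header.Del("Proxy-Authorization")
	out.Header.Set("Authorization", "Bearer "+s.BearerToken)
	return http.DefaultClient.Do(out)
}

func main() {
	priv, _ := ecdh.X25519().GenerateKey(rand.Reader)
	p := &Proxy{Priv: priv}
	sealed, _ := SealSecret(p, Secret{BearerToken: "sk_test_constructed", ClientAuth: "app-cred-1"})
	// Local stand-in for the third-party API: it only reports which headers reached it.
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Println("upstream saw:", r.Header.Get("Authorization"), "| Proxy-Tokenizer:", r.Header.Get("Proxy-Tokenizer"))
	}))
	for _, cred := range []string{"app-cred-1", "wrong-cred"} {
		req, _ := http.NewRequest(http.MethodGet, upstream.URL+"/v1/me", nil)
		req.Header.Set("Proxy-Tokenizer", sealed)
		req.Header.Set("Proxy-Authorization", cred)
		if resp, err := p.Forward(req); err != nil { fmt.Println("proxy refused:", err) } else { resp.Body.Close() }
	}
}
```

Running it shows the upstream receiving "Bearer sk_test_constructed" with no Proxy-Tokenizer header for the right client credential, and the proxy refusing the second request before anything reaches the upstream. In a real deployment the proxy is a forward proxy that clients reach through their HTTP proxy settings; here Forward is called directly on a request already addressed to the upstream, which keeps the example to one process.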
| ShaneCurran wrote:
| Shameless plug, but we have a product at Evervault[0] called
| Outbound Relay[1] that's basically a hosted, managed version of
| this flow. Secrets can be encrypted anywhere you collect them
| (either from third-party APIs or directly from the user in their
| browser) and then used any time you send a request to a
| downstream API provider.
|
| [0]: https://evervault.com
|
| [1]: https://docs.evervault.com/products/outbound-relay
| evisdrenova wrote:
| This is pretty cool and I think the right direction. Would like
| to see more companies do this. I've built out systems like this
| in the past that essentially only handle tokens instead of
| sensitive data whether it's secrets, PII, etc.
|
| You can also take this a step further and do mathematical
| operations on encrypted data using homomorphic encryption without
| ever having to decrypt the data.
|
| Just one small nitpick (mainly because I worked in this space for
| a few years) is that tokens and encrypted values are different.
| Tokens aren't encrypted but are instead randomly generated using a
| KV-pair lookup table, so that an attacker could never reverse-
| engineer them. Whereas encrypted values obviously use a key
| (whether symmetric or asymmetric) and could theoretically
| (although pretty much never practically if you're using something
| like AES256) be hacked if someone got the key.
| salgorithm wrote:
| I could imagine developers using something like this to get
| credentials off laptops.
| tptacek wrote:
| Psyched to get this out (I mean, I didn't do any of the work, but
| I'm still psyched it's getting out). I'm also a little bit
| surprised Vault doesn't already have a feature like this as a
| Secrets Engine.
| JoachimSchipper wrote:
| Yes, this is cool - thanks to fly.io for documenting and
| open-sourcing it!
___________________________________________________________________
(page generated 2023-07-12 23:00 UTC)