[HN Gopher] Tokenized Tokens
___________________________________________________________________

Tokenized Tokens

Author : darthShadow
Score  : 64 points
Date   : 2023-07-12 18:21 UTC (4 hours ago)

(HTM) web link (fly.io)
(TXT) w3m dump (fly.io)

| js2 wrote:
| TL;DR: fly.io wrote two new programs ("some little security
| thingies") to reduce the attack surface of their codebase. First
| is Tokenizer:
|
| > Tokenizer is an HTTP proxy that injects third party
| authentication credentials into requests. Clients encrypt third
| party secrets using the proxy's public key. When the client wants
| to send a request to the third party service, it does so via the
| proxy, sending along the encrypted secret in the Proxy-Tokenizer
| header. The proxy decrypts the secret and injects it into the
| client's request. To ensure that encrypted secrets can only be
| used by authorized clients, the encrypted data also includes
| instructions on authenticating the client.
|
| https://github.com/superfly/tokenizer
|
| Second is Ssokenizer:
|
| > Ssokenizer provides a layer of abstraction for applications
| wanting to authenticate users and access 3rd party APIs via
| OAuth, but not wanting to directly handle users' API tokens.
| Ssokenizer is responsible for performing the OAuth dance,
| obtaining the user's OAuth access token. The token is then
| encrypted for use with the tokenizer HTTP proxy. By delegating
| OAuth authentication to ssokenizer and access token usage to
| tokenizer, applications limit the risk of tokens being lost,
| stolen, or misused.
|
| https://github.com/superfly/ssokenizer/
|
| If these sound interesting to you, click the submitted link for
| the "big long essay about how the thingies came to be."
|
| ShaneCurran wrote:
| Shameless plug, but we have a product at Evervault[0] called
| Outbound Relay[1] that's basically a hosted, managed version of
| this flow. Secrets can be encrypted anywhere you collect them
| (either from third-party APIs or directly from the user in their
| browser) and then used any time you send a request to a
| downstream API provider.
|
| [0]: https://evervault.com
|
| [1]: https://docs.evervault.com/products/outbound-relay
|
| evisdrenova wrote:
| This is pretty cool and I think the right direction. Would like
| to see more companies do this. I've built out systems like this
| in the past that essentially only handle tokens instead of
| sensitive data, whether it's secrets, PII, etc.
|
| You can also take this a step further and do mathematical
| operations on encrypted data using homomorphic encryption without
| ever having to decrypt the data.
|
| Just one small nitpick (mainly because I worked in this space for
| a few years) is that tokens and encrypted values are different.
| Tokens aren't encrypted and instead randomly generated using a KV
| pair look-up table so that an attacker could never reverse
| engineer them. Whereas encrypted values obviously use a key
| (whether symmetric or asymmetric) and could theoretically
| (although pretty much never practically if you're using something
| like AES256) be hacked if someone got the key.
|
| salgorithm wrote:
| I could imagine developers using something like this to get
| credentials off laptops.
|
| tptacek wrote:
| Psyched to get this out (I mean, I didn't do any of the work, but
| I'm still psyched it's getting out). I'm also a little bit
| surprised Vault doesn't already have a feature like this as a
| Secrets Engine.
|
| JoachimSchipper wrote:
| Yes, this is cool - thanks to fly.io for documenting and
| open-sourcing it!
___________________________________________________________________
(page generated 2023-07-12 23:00 UTC)
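Added example, not code from the original page or from the superfly/tokenizer project, of the Tokenizer flow that js2's comment quotes: a client seals a third-party secret to the proxy's public key together with an instruction on how the proxy must authenticate whoever later presents the ciphertext; the ciphertext travels in a Proxy-Tokenizer header; the proxy decrypts it, checks the caller, and injects the real secret into the forwarded request, so the caller never holds the secret. Only the `Proxy-Tokenizer` header name comes from the quoted README. Everything else is my assumption for illustration: RSA-OAEP as the sealing primitive, `Proxy-Authorization` carrying a per-caller token whose SHA-256 is the sealed "authentication instruction", the constructed upstream, and the demo values.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Payload is what a client seals to the proxy: the third-party secret plus an instruction
// on how the proxy must authenticate the caller (assumed: SHA-256 hex of a per-caller token).
type Payload struct {
	Secret        string `json:"secret"`
	ClientAuthSHA string `json:"client_auth_sha256"`
}

// Seal encrypts p to the proxy's RSA public key with OAEP (assumed construction, not the
// project's). With a 2048-bit key and SHA-256 the payload must stay under 190 bytes.
func Seal(proxyPub *rsa.PublicKey, p Payload) (string, error) {
	plain, err := json.Marshal(p)
	if err != nil { return "", err }
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, proxyPub, plain, nil)
	if err != nil { return "", err }
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open is the proxy side of Seal; any tampering with the ciphertext makes OAEP fail.
func Open(proxyPriv *rsa.PrivateKey, b64 string) (p Payload, err error) {
	ct, err := base64.StdEncoding.DecodeString(b64)
	if err != nil { return p, err }
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, proxyPriv, ct, nil)
	if err != nil { return p, err }
	return p, json.Unmarshal(plain, &p)
}

// NewProxy: open Proxy-Tokenizer, verify the caller's token against the sealed instruction,
// then forward to upstream with the real secret injected; the caller never sees the secret.
func NewProxy(proxyPriv *rsa.PrivateKey, upstream string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		p, err := Open(proxyPriv, r.Header.Get("Proxy-Tokenizer"))
		if err != nil { http.Error(w, "bad Proxy-Tokenizer", http.StatusBadRequest); return }
		got := fmt.Sprintf("%x", sha256.Sum256([]byte(r.Header.Get("Proxy-Authorization"))))
		if subtle.ConstantTimeCompare([]byte(got), []byte(p.ClientAuthSHA)) != 1 {
			http.Error(w, "caller not authorized for this secret", http.StatusUnauthorized)
			return
		}
		req, err := http.NewRequest(r.Method, upstream+r.URL.RequestURI(), r.Body)
		if err != nil { http.Error(w, err.Error(), http.StatusBadGateway); return }
		req.Header.Set("Authorization", "Bearer "+p.Secret) // injected only here
		resp, err := http.DefaultClient.Do(req)
		if err != nil { http.Error(w, err.Error(), http.StatusBadGateway); return }
		defer resp.Body.Close()
		w.WriteHeader(resp.StatusCode)
		io.Copy(w, resp.Body)
	})
}

// Demo: a constructed upstream echoing the Authorization header it received, the proxy in
// front of it, then one request with the right caller token and one with a wrong token.
func Demo() (okStatus int, okBody string, badStatus int, err error) {
	third := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "upstream saw: "+r.Header.Get("Authorization"))
	}))
	defer third.Close()
	proxyPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	proxy := httptest.NewServer(NewProxy(proxyPriv, third.URL))
	defer proxy.Close()
	callerToken := "caller-token-demo" // constructed value
	sealed, err := Seal(&proxyPriv.PublicKey, Payload{Secret: "third-party-secret-demo", // constructed
		ClientAuthSHA: fmt.Sprintf("%x", sha256.Sum256([]byte(callerToken)))})
	if err != nil { return }
	for i, tok := range []string{callerToken, "wrong-token"} {
		req, _ := http.NewRequest("GET", proxy.URL+"/v1/things", nil)
		req.Header.Set("Proxy-Tokenizer", sealed)
		req.Header.Set("Proxy-Authorization", tok)
		resp, e := http.DefaultClient.Do(req)
		if e != nil { return 0, "", 0, e }
		body, _ := io.ReadAll(resp.Body)
		resp.Body.Close()
		if i == 0 { okStatus, okBody = resp.StatusCode, string(body) } else { badStatus = resp.StatusCode }
	}
	return
}

func main() {
	fmt.Println(Demo())
}
```

The property worth noticing is the one the README sentence about "instructions on authenticating the client" describes: the sealed blob is useless on its own, because the proxy only injects the secret when the caller also presents the token whose digest was sealed alongside it, so a leaked ciphertext is not a leaked credential. RSA-OAEP is used here only to keep the example short; a hybrid sealed-box construction (ephemeral key agreement plus an AEAD) is what you would reach for in practice, since it has no payload-size ceiling.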