• JOSE CAN YOU SEE…‡ A technical overview of JWT and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation. Brian Campbell @__b_c IIW #18 May 2014 ‡ Partial credit for the title goes to Brad Tumy
  • 2 JWT + JOSE Overview
      • JSON Web Token (JWT)
          – Compact URL-safe means of representing claims to be transferred between two parties
          – JWS and/or JWE with JSON claims as the payload
      • Javascript Object Signing and Encryption (JOSE)
          – JSON Web Signature (JWS)
              • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
          – JSON Web Encryption (JWE)
              • Like JWS but for encrypting content
          – JSON Web Key (JWK)
              • JSON data structure representing cryptographic key(s)
      Copyright © 2014 Brian Campbell. All rights reserved.
  • 3 JWT + JOSE in the Wild
      • Not even an RFC yet but widely used:
          – OAuth
          – OpenID Connect
          – Mozilla Persona (ahem)
          – W3C Web Cryptography API
          – And more…
      [Image caption: three nerds holding a blurry piece of paper they tell me is some kind of award for OpenID Connect]
  • 4 jose4j Overview
      • Open source (free as in beer) Java implementation of the JOSE specification suite
          – Get yours at https://bitbucket.org/b_c/jose4j
      • Relies solely on the JCA APIs for cryptography
      • 100% (Dammit Mike!) 97.5% Algorithm Support
      • Reference[able] implementation
          – Fact checked the cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
      • Completely free of intentional NSA backdoors
          – (but I'm open to “sponsorship” opportunities)
      • Production ready: used throughout Ping Identity's products
      • Rated the #1 JOSE implementation in the world (based on an unbiased survey of the library author's mother)
      • Did I mention free? Easy too.
      • All proceeds from sales go to a charity that provides comfort and support to dying identity protocols living out their final days
      • Take a stand against monoculture (did Heartbleed teach us nothing?)
  • 5 What's in a name? https://twitter.com/metadaddy/status/454422069199900672
  • 6 But you wouldn't name your child 'Attila the Hun' would you? I didn't… "Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
  • 7 What would JOSE do? ‡
      • Call it “JW-STEAK”!
      • 'cause who doesn't like a good steak?
      • JW-
          – JWS
          – JWT
          – JWE
          – JWA
          – JWK
      Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
      ‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I'm not at all reluctant about blaming him.
  • 8 Okay, fine…
      • Technically speaking, my vegan coworker does not like steak
      • Even if it is 'good'
      • But let's not split hairs on this one…
  • 9 Awkward Transition …into some more technical details
  • 10 The 64 Character Question
      • base64url is *almost* like base64
          – Both are a means of encoding binary data in a printable ASCII string format
          – Each 6 bits -> 1 character (from a 64 character alphabet)
          – 3 bytes -> 4 characters
      • But base64url uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64
          – 62 alphanumeric characters
          – “-” rather than “+”
          – “_” rather than “/”
          – Padding “=” is typically omitted
      • A remaining unreserved URI character: “.”
          – This will prove important shortly
  • 11 A closer look at JOSE's bits and pieces: JWS
      • JSON Web Signature (JWS)
      • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
          – Encoded segments are concatenated with a “.”
      • Intended for space constrained environments such as HTTP Authorization headers and URI query parameters
      • Conceptually Simple:
          – <Header>.<Payload>.<Signature>
  • 12 JOSE's bits and pieces: JWS Header
      • JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
      • Reserved Header Parameters
          – “alg”: Algorithm
              • HMAC, RSA, RSA-PSS and ECDSA
              • None (controversy!)
              • Extensible
          – “kid”: Key ID
          – “jku”: JWK Set URL
          – “jwk”: JSON Web Key
          – “x5u”: X.509 URL
          – “x5t”: X.509 Thumbprint
          – “x5c”: X.509 Certificate Chain
          – “typ”: Type
          – “cty”: Content Type
      Header Example: “I signed this thing with RSA-SHA256 using the key we know as '9er', which you can find the corresponding public key for at https://www.example.com/jwks”
      {"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}
  • 13 JOSE's bits and pieces: JWS Algorithms
  • 14 JWS Example
      Payload -> USA #1!
      base64url encoded payload -> VVNBICMxIQ
      Header (going to sign with ECDSA P-256 SHA-256 using “my-first-key”) -> {"alg":"ES256","kid":"my-first-key"}
      base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
      Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
      base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
      JWS Compact Serialization (line breaks after dots added for readability) ->
      eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
      VVNBICMxIQ.
      QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
      Which you can think of sort of like: {"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
  • 15 Producing a JWS using jose4j
      More examples of using jose4j to work with JWS can be found at https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples

      import org.jose4j.jwk.EcJwkGenerator;
      import org.jose4j.jwk.PublicJsonWebKey;
      import org.jose4j.jws.AlgorithmIdentifiers;
      import org.jose4j.jws.JsonWebSignature;
      import org.jose4j.keys.EllipticCurves;

      // Generate a P-256 key pair and give it the key ID used in the header
      PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
      jwk.setKeyId("my-first-key");
      JsonWebSignature jws = new JsonWebSignature();
      jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
      jws.setPayload("USA #1!");
      // Sign with the private key; "kid" tells the consumer which public key to use
      jws.setKey(jwk.getPrivateKey());
      jws.setKeyIdHeaderValue(jwk.getKeyId());
      String compactSerialization = jws.getCompactSerialization();
      System.out.println(compactSerialization);
  • 16 Consuming a JWS using jose4j
      More examples of using jose4j to work with JWS can be found at https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples

      import org.jose4j.jwk.JsonWebKey;
      import org.jose4j.jws.JsonWebSignature;

      // Public key of the signer, as a JWK
      JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," +
          "\"kid\":\"my-first-key\"," +
          "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," +
          "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," +
          "\"crv\":\"P-256\"}");
      String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
          "VVNBICMxIQ." +
          "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA";
      JsonWebSignature jws = new JsonWebSignature();
      jws.setCompactSerialization(compactSerialization);
      // Set the verification key before asking for the payload
      jws.setKey(jwk.getKey());
      String payload = jws.getPayload();
      System.out.println(payload);
  • 17 JOSE's bits and pieces: JWE
      • JSON Web Encryption
      • Similar in motivation and design to JWS but for encrypting content
      • A little more complicated
          – Headers
              • “alg”: Algorithm (key wrap or agreement)
              • “enc”: Encryption Method (Authenticated Encryption only)
              • “zip”: Compression Algorithm
              • Etc.
      • Five Parts
          <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>
  • 18 JOSE's bits and pieces: JWE Key Management Algorithms (“alg”)
  • 19 JOSE's bits and pieces: JWE Content Encryption Algorithms (“enc”)
      Note that all of the encryption methods are AEAD algorithms, which is nice
  • 20 JWE Example
      Payload/plaintext -> I actually really like Canada
      Header -> {"alg":"PBES2-HS256+A128KW","enc":"A128CBC-HS256","p2c":8192,"p2s":"QkbLQniKLUTQVP4l"}
      base64url encoded header -> eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0
      Encrypted Key: PBES2 used to AES Key wrap a 256 bit random key which is base64url encoded -> g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg
      IV: base64url encoded 128 bit initialization vector -> 6h172lww9VqemjMQMaVPdg
      Ciphertext: base64url encoded AES 128 CBC encrypted payload -> YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0
      Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> Ie4iYLbdQCqwMWJf37rEZg
      JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->
      eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0.
      g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg.
      6h172lww9VqemjMQMaVPdg.
      YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0.
      Ie4iYLbdQCqwMWJf37rEZg
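The base64url rules from slide 10 and the dot-separated layouts from slides 14 and 20 can be checked mechanically. The following is an added example, not code from the deck or from jose4j: a strict parser for both compact serializations, run against the two tokens shown on the slides. The names `b64url_decode`, `parse_compact` and `CompactObject` are made up for this illustration, and no signature check or decryption is performed.

```python
import base64
import json
import re
from dataclasses import dataclass

# Token values copied from slide 14 (JWS) and slide 20 (JWE) of this deck.
JWS_SLIDE_14 = (
    "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9."
    "VVNBICMxIQ."
    "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA"
)
JWE_SLIDE_20 = (
    "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2Iiwi"
    "cDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0."
    "g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg."
    "6h172lww9VqemjMQMaVPdg."
    "YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0."
    "Ie4iYLbdQCqwMWJf37rEZg"
)

# Segment count decides the object type: 3 parts is a JWS, 5 parts is a JWE.
SEGMENT_NAMES = {
    3: ("JWS", ("header", "payload", "signature")),
    5: ("JWE", ("header", "encrypted_key", "iv", "ciphertext", "tag")),
}
B64URL_ALPHABET = re.compile(r"[A-Za-z0-9_-]*")


def b64url_encode(data: bytes) -> str:
    """base64 with '-' and '_' instead of '+' and '/', padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Strict decode: rejects '+', '/', '=', whitespace and impossible lengths."""
    if not B64URL_ALPHABET.fullmatch(segment):
        raise ValueError("segment contains characters outside the base64url alphabet")
    if len(segment) % 4 == 1:
        raise ValueError("segment length cannot be produced by base64url")
    # Restore the omitted '=' padding before handing over to the stdlib decoder.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


@dataclass
class CompactObject:
    kind: str            # "JWS" or "JWE"
    header: dict         # decoded JSON header
    parts: dict          # remaining segments, name -> raw bytes
    secured_input: str   # JWS: "<header>.<payload>"; JWE: the encoded header


def parse_compact(token: str) -> CompactObject:
    segments = token.split(".")
    if len(segments) not in SEGMENT_NAMES:
        raise ValueError("expected 3 (JWS) or 5 (JWE) segments, got %d" % len(segments))
    kind, names = SEGMENT_NAMES[len(segments)]
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("header must be a JSON object")
    parts = {name: b64url_decode(seg) for name, seg in zip(names[1:], segments[1:])}
    # The integrity check covers the encoded text, not the decoded JSON,
    # which is why no canonicalization step is needed.
    secured_input = ".".join(segments[:2]) if kind == "JWS" else segments[0]
    return CompactObject(kind, header, parts, secured_input)


if __name__ == "__main__":
    for token in (JWS_SLIDE_14, JWE_SLIDE_20):
        obj = parse_compact(token)
        sizes = {name: len(raw) for name, raw in obj.parts.items()}
        print(obj.kind, obj.header, sizes)
```

The byte lengths it reports line up with the slides: a 64-byte ES256 signature, and for the JWE a 40-byte wrapped key, 16-byte IV, 32-byte ciphertext and 16-byte tag.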
  • 21 Producing a JWE using jose4j
      More examples of using jose4j to work with JWE can be found at https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples

      import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
      import org.jose4j.jwe.JsonWebEncryption;
      import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
      import org.jose4j.keys.PbkdfKey;

      JsonWebEncryption jwe = new JsonWebEncryption();
      jwe.setPayload("I actually really like Canada");
      // Password-based key: PBES2 derives the key-wrapping key from this password
      jwe.setKey(new PbkdfKey("[email protected]|pam!"));
      jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW);
      jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
      String compactSerialization = jwe.getCompactSerialization();
      System.out.println(compactSerialization);
  • 22 Consuming a JWE using jose4j
      More examples of using jose4j to work with JWE can be found at https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples

      import org.jose4j.jwe.JsonWebEncryption;
      import org.jose4j.keys.PbkdfKey;

      String compactSerialization =
          "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0." +
          "g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg." +
          "6h172lww9VqemjMQMaVPdg." +
          "YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0." +
          "Ie4iYLbdQCqwMWJf37rEZg";
      JsonWebEncryption jwe = new JsonWebEncryption();
      jwe.setCompactSerialization(compactSerialization);
      // Same password as the producer used
      jwe.setKey(new PbkdfKey("[email protected]|pam!"));
      String payload = jwe.getPayload();
      System.out.println(payload);
  • 23 An aside, eh.
      • As I tried to Google “never trust a Canadian”…
  • 24 JWT
      • JSON Web Token
      • Suggested pronunciation: "jot"
      • Compact URL-safe means of representing claims to be transferred between two parties
      • JWS and/or JWE with JSON claims as the payload
      • JWT Claim
          – A piece of information asserted about a subject (or the JWT itself).
          – Represented as name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object).
  • 25 Reserved JWT Claim Names
      • “iss”: Issuer
      • “sub”: Subject
      • “aud”: Audience
      • “exp”: Expiration Time
      • “nbf”: Not Before
      • “iat”: Issued At
      • “jti”: JWT ID
  • 26 jot or not?
      The JWT
      eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm
      V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ
      VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
      The Header
      {"kid":"5","alg":"ES256"}
      The Payload
      {"iss":"https://idp.example.com",
       "exp":1357255788,
       "aud":"https://sp.example.org",
       "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
       "acr":"2",
       "sub":"Brian"}
  • 27 it's not the size of your token…
      eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC
      5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK
      4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

      <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z"
                 ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
                 xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                 xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <Issuer>https://idp.example.com</Issuer>
        <ds:Signature>
          <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
            <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
              <ds:Transforms>
                <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
              </ds:Transforms>
              <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
              <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
            </ds:Reference>
          </ds:SignedInfo>
          <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
        </ds:Signature>
        <Subject>
          <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
          <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
          </SubjectConfirmation>
        </Subject>
        <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
          <AudienceRestriction>
            <Audience>https://sp.example.org</Audience>
          </AudienceRestriction>
        </Conditions>
        <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
          <AuthnContext>
            <AuthnContextClassRef>2</AuthnContextClassRef>
          </AuthnContext>
        </AuthnStatement>
      </Assertion>
  • 28 …it's how you use it
      • Simpler = Better
      • Web safe encoding w/ no canonicalization
          – Because canonicalization is a four letter word (especially when you spell it c14n)
      • Improved Interoperability & (hopefully) More Secure
      • Eliminates entire classes of attacks
          – XSLT Transform DOS, Remote Code Execution, and Bypass
          – C14N Hash Collision w/ & w/out comments
          – Entity Expansion Attacks
          – XPath Transform DOS and Bypass
          – External Reference DOS
          – Signature Wrapping Attacks†
      Brad Hill, pictured here speaking at CIS, is wicked smaht and published some of these attacks
      † This poor bastard was the 'victim' in my POC of a signature wrapping vulnerability in SAML SSO for Google Apps http://www.google.com/about/appsecurity/hall-of-fame/reward/
  • 29 JSON Web Key (JWK)
      • JSON data structure representing cryptographic key(s) which can be
          – included in a JWS/JWE/JWT header
          – saved in a file
          – used in place of self signed certificates
          – published at an HTTPS endpoint and referenced
      JWT/JWS Header
      {"kid":"5", "alg":"ES256"}
      {"keys":[
        {"kty":"EC", "kid":"4",
         "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
         "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
         "crv":"P-256"},
        {"kty":"EC", "kid":"5",
         "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
         "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
         "crv":"P-256"},
        {"kty":"EC", "kid":"6",
         "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
         "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
         "crv":"P-256"}
      ]}
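  • 30 Generating JWK and JWKS using jose4j

      import java.util.LinkedList;
      import java.util.List;
      import org.jose4j.jwk.EcJwkGenerator;
      import org.jose4j.jwk.JsonWebKey;
      import org.jose4j.jwk.JsonWebKeySet;
      import org.jose4j.keys.EllipticCurves;

      List<JsonWebKey> jwkList = new LinkedList<>();
      for (int kid = 4; kid < 7; kid++) {
          JsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
          jwk.setKeyId(String.valueOf(kid));
          jwkList.add(jwk);
      }
      JsonWebKeySet jwks = new JsonWebKeySet(jwkList);
      // PUBLIC_ONLY keeps the private key parameters out of the published JSON
      System.out.println(jwks.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));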
  • 31 Consuming a JWKS using jose4j

      import org.jose4j.jwk.JsonWebKey;
      import org.jose4j.jwk.JsonWebKeySet;

      String jwksJson = "{\"keys\":[\n" +
          " {\"kty\":\"EC\",\n\"kid\":\"4\",\n" +
          " \"x\":\"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo\",\n" +
          " \"y\":\"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A\",\n" +
          " \"crv\":\"P-256\"},\n" +
          " {\"kty\":\"EC\",\n\"kid\":\"5\",\n" +
          " \"x\":\"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU\",\n" +
          " \"y\":\"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0\",\n" +
          " \"crv\":\"P-256\"},\n" +
          " {\"kty\":\"EC\",\n\"kid\":\"6\",\n" +
          " \"x\":\"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00\",\n" +
          " \"y\":\"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU\",\n" +
          " \"crv\":\"P-256\"}\n" +
          "]}";
      JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);
      // Look up the key whose "kid" matches the JWT/JWS header from slide 29
      JsonWebKey jwk = jwks.findJsonWebKey("5", null, null, null);
      System.out.println(jwk.getKey());
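Slide 12 lists header parameters that the sender controls ("alg" including "none", "jku", "jwk", "kid"), slide 25 lists the reserved claims, and slides 29 and 31 resolve a "kid" against a key set. The following added example, which is not part of the deck or of jose4j, shows the checks a consumer would typically wrap around that lookup, using the header, claims and key set from slides 26 and 29. `select_key`, `check_claims`, `TokenRejected`, `pinned_jku` and the policy choices (refusing an embedded "jwk", a 60 second clock skew) are assumptions of this sketch; the signature verification itself is left to the JOSE library and belongs between the two steps.

```python
# Header and claims from slide 26, key set from slide 29 of this deck.
HEADER_SLIDE_26 = {"kid": "5", "alg": "ES256"}
CLAIMS_SLIDE_26 = {
    "iss": "https://idp.example.com",
    "exp": 1357255788,
    "aud": "https://sp.example.org",
    "jti": "tmYvYVU2x8LvN72B5Q_EacH._5A",
    "acr": "2",
    "sub": "Brian",
}
JWKS_SLIDE_29 = {"keys": [
    {"kty": "EC", "kid": "4", "crv": "P-256",
     "x": "LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
     "y": "dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A"},
    {"kty": "EC", "kid": "5", "crv": "P-256",
     "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
     "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"},
    {"kty": "EC", "kid": "6", "crv": "P-256",
     "x": "J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
     "y": "5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU"},
]}

# Key shape each accepted algorithm requires (only the deck's ES256 case here).
ALG_KEY_SHAPE = {"ES256": ("EC", "P-256")}


class TokenRejected(Exception):
    """Raised when a header or claim set fails the consumer's policy."""


def select_key(header, jwks, allowed_algs, pinned_jku=None):
    """Pick the verification key for a header without trusting the header."""
    alg = header.get("alg")
    # The consumer, not the token, decides which algorithms are acceptable;
    # "none" is never acceptable for a token that must be signed.
    if alg == "none" or alg not in allowed_algs or alg not in ALG_KEY_SHAPE:
        raise TokenRejected("algorithm %r is not accepted" % (alg,))
    # Key material or key locations inside an unverified header are only hints.
    if "jwk" in header:
        raise TokenRejected("embedded 'jwk' is not accepted by this policy")
    if "jku" in header and header["jku"] != pinned_jku:
        raise TokenRejected("'jku' does not match the configured key set URL")
    matches = [k for k in jwks.get("keys", []) if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise TokenRejected("expected exactly one key for kid %r" % (header.get("kid"),))
    key = matches[0]
    if (key.get("kty"), key.get("crv")) != ALG_KEY_SHAPE[alg]:
        raise TokenRejected("key type does not fit algorithm %s" % alg)
    return key


def check_claims(claims, issuer, audience, now, skew=60):
    """Validate iss, aud, exp and nbf; call only after the signature verified."""
    if claims.get("iss") != issuer:
        raise TokenRejected("unexpected issuer")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else list(aud or [])
    if audience not in audiences:
        raise TokenRejected("token is not intended for this audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp + skew:
        raise TokenRejected("token is expired or has no usable 'exp'")
    nbf = claims.get("nbf")
    if nbf is not None and now + skew < nbf:
        raise TokenRejected("token is not valid yet")
    return claims.get("sub")


if __name__ == "__main__":
    key = select_key(HEADER_SLIDE_26, JWKS_SLIDE_29, allowed_algs={"ES256"})
    print("verify with kid", key["kid"])
    # ... signature verification with the selected key goes here ...
    print("subject:", check_claims(CLAIMS_SLIDE_26, "https://idp.example.com",
                                   "https://sp.example.org", now=1357255700))
```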
  • 32 Are we finished yet?
  • 33 Yes, finished. See you in the circle (maybe). https://flic.kr/p/ay3VVS
Description


A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).

Also some (bad) jokes.