JOSE Can You See...

A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).

Also some (bad) jokes.

Published in: Software, Technology, Education

  1. JOSE CAN YOU SEE…‡
     A technical overview of JWT and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation.
     Brian Campbell @__b_c
     IIW #18, May 2014
     ‡ Partial credit for the title goes to Brad Tumy
  2. JWT + JOSE Overview
     • JSON Web Token (JWT)
       – Compact URL-safe means of representing claims to be transferred between two parties
       – JWS and/or JWE with JSON claims as the payload
     • Javascript Object Signing and Encryption (JOSE)
       – JSON Web Signature (JWS)
         • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
       – JSON Web Encryption (JWE)
         • Like JWS but for encrypting content
       – JSON Web Key (JWK)
         • JSON data structure representing cryptographic key(s)
     Copyright © 2014 Brian Campbell. All rights reserved.
  3. JWT + JOSE in the Wild
     • Not even an RFC yet but widely used:
       – OAuth
       – OpenID Connect
       – Mozilla Persona (ahem)
       – W3C Web Cryptography API
       – And more…
     (Photo: three nerds holding a blurry piece of paper they tell me is some kind of award for OpenID Connect)
  4. jose4j Overview
     • Open source (free as in beer) Java implementation of the JOSE specification suite
       – Get yours at https://bitbucket.org/b_c/jose4j
     • Relies solely on the JCA APIs for cryptography
     • 100% (Dammit Mike!) 97.5% Algorithm Support
     • Reference[able] implementation
       – Fact checked the cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
     • Completely free of intentional NSA backdoors
       – (but I'm open to "sponsorship" opportunities)
     • Production ready: used throughout Ping Identity's products
     • Rated the #1 JOSE implementation in the world (based on an unbiased survey of the library author's mother)
     • Did I mention free? Easy too.
     • All proceeds from sales go to a charity that provides comfort and support to dying identity protocols living out their final days
     • Take a stand against monoculture (did heartbleed teach us nothing?)
  5. What's in a name?
     https://twitter.com/metadaddy/status/454422069199900672
  6. But you wouldn't name your child 'Attila the Hun' would you? I didn't…
     "Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
  7. What would JOSE do? ‡
     • Call it "JW-STEAK"!
     • 'cause who doesn't like a good steak?
     • JW-
       – JWS
       – JWT
       – JWE
       – JWA
       – JWK
     Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
     ‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I'm not at all reluctant about blaming him.
  8. Okay, fine…
     • Technically speaking, my vegan coworker does not like steak
     • Even if it is 'good'
     • But let's not split hairs on this one…
  9. Awkward Transition
     …into some more technical details
  10. The 64 Character Question
      • base64url is *almost* like base64
        – Both are a means of encoding binary data in a printable ASCII string format
        – Each 6 bits -> 1 character (from a 64 character alphabet)
        – 3 bytes -> 4 characters
      • But base64url uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64
        – 62 alphanumeric characters
        – "-" rather than "+"
        – "_" rather than "/"
        – Padding "=" is typically omitted
      • A remaining unreserved URI character: "."
        – This will prove important shortly
  11. A closer look at JOSE's bits and pieces: JWS
      • JSON Web Signature (JWS)
      • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
        – Encoded segments are concatenated with a "."
      • Intended for space constrained environments such as HTTP Authorization headers and URI query parameters
      • Conceptually Simple:
        – <Header>.<Payload>.<Signature>
  12. JOSE's bits and pieces: JWS Header
      • JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
      • Reserved Header Parameters
        – "alg": Algorithm
          • HMAC, RSA, RSA-PSS and ECDSA
          • None (controversy!)
          • Extensible
        – "kid": Key ID
        – "jku": JWK Set URL
        – "jwk": JSON Web Key
        – "x5u": X.509 URL
        – "x5t": X.509 Thumbprint
        – "x5c": X.509 Certificate Chain
        – "typ": Type
        – "cty": Content Type
      Header Example: "I signed this thing with RSA-SHA256 using the key we know as '9er', which you can find the corresponding public key for at https://www.example.com/jwks"

          {"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}
  13. JOSE's bits and pieces: JWS Algorithms
  14. JWS Example
      Payload -> USA #1!
      base64url encoded payload -> VVNBICMxIQ
      Header (going to sign with ECDSA P-256 SHA-256 using "my-first-key") -> {"alg":"ES256","kid":"my-first-key"}
      base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
      Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
      base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
      JWS Compact Serialization (line breaks after dots added for readability) ->

          eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
          VVNBICMxIQ.
          QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

      Which you can think of sort of like: {"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
  15. Producing a JWS using jose4j
      More examples of using jose4j to work with JWS can be found at https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples

          import org.jose4j.jwk.EcJwkGenerator;
          import org.jose4j.jwk.PublicJsonWebKey;
          import org.jose4j.jws.AlgorithmIdentifiers;
          import org.jose4j.jws.JsonWebSignature;
          import org.jose4j.keys.EllipticCurves;

          // Generate a P-256 key pair and give it a key ID
          PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
          jwk.setKeyId("my-first-key");

          // Sign the payload with ES256 and name the key in the "kid" header
          JsonWebSignature jws = new JsonWebSignature();
          jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
          jws.setPayload("USA #1!");
          jws.setKey(jwk.getPrivateKey());
          jws.setKeyIdHeaderValue(jwk.getKeyId());
          String compactSerialization = jws.getCompactSerialization();
          System.out.println(compactSerialization);
  16. Consuming a JWS using jose4j
      More examples of using jose4j to work with JWS can be found at https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples

          import org.jose4j.jwk.JsonWebKey;
          import org.jose4j.jws.JsonWebSignature;

          // Public key of the signer, as a JWK
          JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," +
              "\"kid\":\"my-first-key\"," +
              "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," +
              "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," +
              "\"crv\":\"P-256\"}");

          String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
              "VVNBICMxIQ." +
              "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA";

          JsonWebSignature jws = new JsonWebSignature();
          jws.setCompactSerialization(compactSerialization);
          jws.setKey(jwk.getKey());
          // jws.verifySignature() reports whether the signature checks out against this key
          String payload = jws.getPayload();
          System.out.println(payload);
  17. JOSE's bits and pieces: JWE
      • JSON Web Encryption
      • Similar in motivation and design to JWS but for encrypting content
      • A little more complicated
        – Headers
          • "alg": Algorithm (key wrap or agreement)
          • "enc": Encryption Method (Authenticated Encryption only)
          • "zip": Compression Algorithm
          • Etc.
      • Five Parts
        – <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>
  18. JOSE's bits and pieces: JWE Key Management Algorithms ("alg")
  19. JOSE's bits and pieces: JWE Content Encryption Algorithms ("enc")
      Note that all of the encryption methods are AEAD algorithms, which is nice
  20. JWE Example
      Payload/plaintext -> I actually really like Canada
      Header -> {"alg":"PBES2-HS256+A128KW","enc":"A128CBC-HS256","p2c":8192,"p2s":"QkbLQniKLUTQVP4l"}
      base64url encoded header -> eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0
      Encrypted Key: PBES2 used to AES Key wrap a 256 bit random key which is base64url encoded -> g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg
      IV: base64url encoded 128 bit initialization vector -> 6h172lww9VqemjMQMaVPdg
      Ciphertext: base64url encoded AES 128 CBC encrypted payload -> YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0
      Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> Ie4iYLbdQCqwMWJf37rEZg
      JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->

          eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0.
          g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg.
          6h172lww9VqemjMQMaVPdg.
          YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0.
          Ie4iYLbdQCqwMWJf37rEZg
  21. Producing a JWE using jose4j
      More examples of using jose4j to work with JWE can be found at https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples

          import org.jose4j.jwe.ContentEncryptionAlgorithmIdentifiers;
          import org.jose4j.jwe.JsonWebEncryption;
          import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
          import org.jose4j.keys.PbkdfKey;

          // Password-based key wrap (PBES2) around an AES-CBC + HMAC content encryption
          JsonWebEncryption jwe = new JsonWebEncryption();
          jwe.setPayload("I actually really like Canada");
          jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));
          jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW);
          jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
          String compactSerialization = jwe.getCompactSerialization();
          System.out.println(compactSerialization);
  22. Consuming a JWE using jose4j
      More examples of using jose4j to work with JWE can be found at https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples

          import org.jose4j.jwe.JsonWebEncryption;
          import org.jose4j.keys.PbkdfKey;

          String compactSerialization =
              "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0." +
              "g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg." +
              "6h172lww9VqemjMQMaVPdg." +
              "YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0." +
              "Ie4iYLbdQCqwMWJf37rEZg";

          // Decrypt with the same password that was used to produce the JWE
          JsonWebEncryption jwe = new JsonWebEncryption();
          jwe.setCompactSerialization(compactSerialization);
          jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));
          String payload = jwe.getPayload();
          System.out.println(payload);
  23. An aside, eh.
      • As I tried to Google "never trust a Canadian"…
  24. JWT
      • JSON Web Token
      • Suggested pronunciation: "jot"
      • Compact URL-safe means of representing claims to be transferred between two parties
      • JWS and/or JWE with JSON claims as the payload
      • JWT Claim
        – A piece of information asserted about a subject (or the JWT itself).
        – Represented as name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object).
  25. Reserved JWT Claim Names
      • "iss": Issuer
      • "sub": Subject
      • "aud": Audience
      • "exp": Expiration Time
      • "nbf": Not Before
      • "iat": Issued At
      • "jti": JWT ID
  26. jot or not?
      The JWT

          eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.

      The Header

          {"kid":"5","alg":"ES256"}

      The Payload

          {"iss":"https://idp.example.com",
           "exp":1357255788,
           "aud":"https://sp.example.org",
           "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
           "acr":"2",
           "sub":"Brian"}
  27. it's not the size of your token…

          eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

          <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z"
              ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
              xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
              xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
            <Issuer>https://idp.example.com</Issuer>
            <ds:Signature>
              <ds:SignedInfo>
                <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
                <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
                  <ds:Transforms>
                    <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
                    <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
                  </ds:Transforms>
                  <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
                  <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
                </ds:Reference>
              </ds:SignedInfo>
              <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
            </ds:Signature>
            <Subject>
              <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
              <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
                <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
              </SubjectConfirmation>
            </Subject>
            <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
              <AudienceRestriction>
                <Audience>https://sp.example.org</Audience>
              </AudienceRestriction>
            </Conditions>
            <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
              <AuthnContext>
                <AuthnContextClassRef>2</AuthnContextClassRef>
              </AuthnContext>
            </AuthnStatement>
          </Assertion>
  28. …it's how you use it
      • Simpler = Better
      • Web safe encoding w/ no canonicalization
        – Because canonicalization is a four letter word (especially when you spell it c14n)
      • Improved Interoperability & (hopefully) More Secure
      • Eliminates entire classes of attacks
        – XSLT Transform DOS, Remote Code Execution, and Bypass
        – C14N Hash Collision w/ & w/out comments
        – Entity Expansion Attacks
        – XPath Transform DOS and Bypass
        – External Reference DOS
        – Signature Wrapping Attacks†
      Brad Hill, pictured here speaking at CIS, is wicked smaht and published some of these attacks
      † This poor bastard was the 'victim' in my POC of a signature wrapping vulnerability in SAML SSO for Google Apps http://www.google.com/about/appsecurity/hall-of-fame/reward/
  29. JSON Web Key (JWK)
      • JSON data structure representing cryptographic key(s) which can be
        – included in a JWS/JWE/JWT header
        – saved in a file
        – used in place of self signed certificates
        – published at an HTTPS endpoint and referenced
      JWT/JWS Header

          {"kid":"5", "alg":"ES256"}

          {"keys":[
            {"kty":"EC",
             "kid":"4",
             "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
             "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
             "crv":"P-256"},
            {"kty":"EC",
             "kid":"5",
             "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
             "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
             "crv":"P-256"},
            {"kty":"EC",
             "kid":"6",
             "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
             "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
             "crv":"P-256"}
          ]}
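  30. Generating JWK and JWKS using jose4j

          import java.util.LinkedList;
          import java.util.List;
          import org.jose4j.jwk.EcJwkGenerator;
          import org.jose4j.jwk.JsonWebKey;
          import org.jose4j.jwk.JsonWebKeySet;
          import org.jose4j.keys.EllipticCurves;

          // Generate three P-256 keys with key IDs "4", "5" and "6"
          List<JsonWebKey> jwkList = new LinkedList<>();
          for (int kid = 4; kid < 7; kid++) {
              JsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
              jwk.setKeyId(String.valueOf(kid));
              jwkList.add(jwk);
          }
          // Serialize only the public parts of the keys
          JsonWebKeySet jwks = new JsonWebKeySet(jwkList);
          System.out.println(jwks.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));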
  31. Consuming a JWKS using jose4j

          import org.jose4j.jwk.JsonWebKey;
          import org.jose4j.jwk.JsonWebKeySet;

          String jwksJson = "{\"keys\":[\n" +
              " {\"kty\":\"EC\",\n\"kid\":\"4\",\n" +
              " \"x\":\"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo\",\n" +
              " \"y\":\"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A\",\n" +
              " \"crv\":\"P-256\"},\n" +
              " {\"kty\":\"EC\",\n\"kid\":\"5\",\n" +
              " \"x\":\"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU\",\n" +
              " \"y\":\"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0\",\n" +
              " \"crv\":\"P-256\"},\n" +
              " {\"kty\":\"EC\",\n\"kid\":\"6\",\n" +
              " \"x\":\"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00\",\n" +
              " \"y\":\"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU\",\n" +
              " \"crv\":\"P-256\"}\n" +
              "]}";

          // Pick the key whose "kid" matches the one named in the JWS/JWT header
          JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);
          JsonWebKey jwk = jwks.findJsonWebKey("5", null, null, null);
          System.out.println(jwk.getKey());
  32. Are we finished yet?
  33. Yes, finished. See you in the circle (maybe).
      https://flic.kr/p/ay3VVS
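
Added example, not part of the slides and not jose4j code: the ES256 JWS from slide 14 checked against the public JWK from slide 16 using only JDK (JCA) classes, to show what the three segments and the signature bytes are underneath the library calls. The class and method names are hypothetical, the token and key coordinates are copied from those slides, and Java 9 or later is assumed.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.AlgorithmParameters;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.ECParameterSpec;
import java.security.spec.ECPoint;
import java.security.spec.ECPublicKeySpec;
import java.util.Base64;

// Hypothetical class name; needs Java 9+ for the P1363 signature format.
public class JwsEs256ByHand {
    // The URL-safe decoder accepts unpadded input and rejects '+' and '/'.
    static final Base64.Decoder B64URL = Base64.getUrlDecoder();

    // Build a P-256 public key from the JWK "x" and "y" members (big-endian coordinates).
    static PublicKey p256PublicKey(String x, String y) throws Exception {
        AlgorithmParameters params = AlgorithmParameters.getInstance("EC");
        params.init(new ECGenParameterSpec("secp256r1"));
        ECParameterSpec curve = params.getParameterSpec(ECParameterSpec.class);
        ECPoint point = new ECPoint(new BigInteger(1, B64URL.decode(x)),
                                    new BigInteger(1, B64URL.decode(y)));
        return KeyFactory.getInstance("EC").generatePublic(new ECPublicKeySpec(point, curve));
    }

    // ES256 is fixed by the caller's key; the token's "alg" header is never used to pick it.
    static boolean verifyEs256(String compact, PublicKey key) throws Exception {
        String[] part = compact.split("\\.", -1);
        if (part.length != 3) throw new IllegalArgumentException("expected 3 segments");
        byte[] signature = B64URL.decode(part[2]);
        if (signature.length != 64) return false; // JWS carries R || S (32 bytes each), not DER
        Signature verifier = Signature.getInstance("SHA256withECDSAinP1363Format");
        verifier.initVerify(key);
        // The signature covers the encoded text "<Header>.<Payload>", not the decoded bytes.
        verifier.update((part[0] + "." + part[1]).getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(signature);
    }

    public static void main(String[] args) throws Exception {
        String jws = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9."
                + "VVNBICMxIQ."
                + "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA";
        PublicKey key = p256PublicKey("xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ",
                                      "3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk");
        // Print the decoded header and payload segments, then the verification result.
        for (String segment : jws.substring(0, jws.lastIndexOf('.')).split("\\."))
            System.out.println(new String(B64URL.decode(segment), StandardCharsets.UTF_8));
        System.out.println("signature valid: " + verifyEs256(jws, key));
    }
}
```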
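
Added example, not part of the slides and not jose4j code: the five-part JWE from slide 20 taken apart with JCA calls only, following that slide's description of each part (PBES2 key derivation, AES key unwrap, left-truncated HMAC tag, AES-CBC). The class and method names are hypothetical; the header values `alg`, `p2s` and `p2c` are passed in by hand from the slide's header, and the password is the one used on slides 21 and 22.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class JweByHand { // hypothetical class name
    // alg, p2s and p2c come from the JWE header; a real consumer parses the header JSON
    // and caps p2c before deriving anything, since the sender controls it.
    static String decrypt(String compact, String alg, String p2s, int p2c, char[] password)
            throws Exception {
        Base64.Decoder b64 = Base64.getUrlDecoder();
        String[] part = compact.split("\\.", -1);
        if (part.length != 5) throw new IllegalArgumentException("expected 5 segments");
        byte[] aad = part[0].getBytes(StandardCharsets.US_ASCII); // encoded header is authenticated
        byte[] wrappedCek = b64.decode(part[1]), iv = b64.decode(part[2]);
        byte[] ciphertext = b64.decode(part[3]), tag = b64.decode(part[4]);

        // PBES2: salt = UTF8(alg) || 0x00 || p2s; PBKDF2-HMAC-SHA256 gives the 128-bit wrapping key.
        byte[] algBytes = alg.getBytes(StandardCharsets.UTF_8), saltInput = b64.decode(p2s);
        byte[] salt = ByteBuffer.allocate(algBytes.length + 1 + saltInput.length)
                .put(algBytes).put((byte) 0).put(saltInput).array();
        byte[] kek = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                .generateSecret(new PBEKeySpec(password, salt, p2c, 128)).getEncoded();
        // A128KW: AES key unwrap recovers the 256-bit content encryption key (CEK).
        Cipher unwrap = Cipher.getInstance("AESWrap");
        unwrap.init(Cipher.UNWRAP_MODE, new SecretKeySpec(kek, "AES"));
        byte[] cek = unwrap.unwrap(wrappedCek, "AES", Cipher.SECRET_KEY).getEncoded();

        // A128CBC-HS256: first 16 CEK bytes key the HMAC, last 16 key AES-CBC.
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(cek, 0, 16, "HmacSHA256"));
        mac.update(aad); mac.update(iv); mac.update(ciphertext);
        mac.update(ByteBuffer.allocate(8).putLong(aad.length * 8L).array()); // AAD length in bits
        byte[] expectedTag = Arrays.copyOf(mac.doFinal(), 16);               // left-truncated HMAC
        if (!MessageDigest.isEqual(expectedTag, tag))                        // constant-time compare
            throw new SecurityException("authentication tag mismatch");

        // Decrypt only after the tag has been checked.
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(cek, 16, 16, "AES"), new IvParameterSpec(iv));
        return new String(aes.doFinal(ciphertext), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String jwe = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0."
                + "g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg.6h172lww9VqemjMQMaVPdg."
                + "YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0.Ie4iYLbdQCqwMWJf37rEZg";
        System.out.println(decrypt(jwe, "PBES2-HS256+A128KW", "QkbLQniKLUTQVP4l", 8192,
                "don't-tell-p@ul|pam!".toCharArray()));
    }
}
```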
