JOSE Can You See...

JOSE CAN YOU SEE…‡
A technical overview of JWT and its
JOSE underpinnings, which are
poised to be the next generation
identity token, as well as a look at
using one open source
implementation.
Brian Campbell
@__b_c
IIW #18
May 2014
‡ Partial credit for the title goes to
Brad Tumy

2
JWT + JOSE Overview
• JSON Web Token (JWT)
– Compact URL-safe means of representing claims to be
transferred between two parties
– JWS and/or JWE with JSON claims as the payload
• Javascript Object Signing and Encryption (JOSE)
– JSON Web Signature (JWS)
• A way of representing content secured with a digital signature or MAC
using JSON data structures and base64url encoding
– JSON Web Encryption (JWE)
• Like JWS but for encrypting content
– JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s)
Copyright © 2014 Brian Campbell. All rights reserved.

3
JWT + JOSE in the Wild
• Not even an RFC
yet but widely used:
– OAuth
– OpenID Connect
– Mozilla Persona
(ahem)
– W3C Web
Cryptography API
– And more…
three nerds holding a blurry piece of paper
they tell me is some kind of award for
OpenID Connect

4
jose4j Overview
• Open source (free as in beer) Java implementation of the JOSE specification suite
– Get yours at https://bitbucket.org/b_c/jose4j
• Relies solely on the JCA APIs for cryptography
• 100% (Dammit Mike!) 97.5% Algorithm Support
• Reference[able] implementation
– Fact checked the cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
• Completely free of intentional NSA backdoors
– (but I‟m open to “sponsorship” opportunities)
• Production ready: used throughout Ping Identity‟s products
• Rated the #1 JOSE implementation in the world (based on an unbiased survey of the library author‟s mother)
• Did I mention free? Easy too.
• All proceeds from sales go to a charity that provides comfort and support to dying
identity protocols living out their final days
• Take a stand against monoculture (did heartbleed teach us nothing?)

5
What‟s in a name?
https://twitter.com/metadaddy/status/454422069199900672

6
But you wouldn't name your child
„Attila the Hun‟ would you?
I didn‟t…
"Attila, Scourge of God"
http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg

7
What would JOSE do? ‡
• Call it “JW-STEAK”!
• „cause who doesn‟t like a
good steak?
•JW-
–JWS
–JWT
–JWE
–JWA
–JWK
Don Julio is a famous (to gringo tourists anyway) steakhouse
in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended
by it, in which case I‟m not at all reluctant about blaming him.

8
Okay, fine…
• Technically speaking, my vegan coworker
does not like steak
• Even if it is „good‟
• But let‟s not split hairs on this one…

9
Awkward Transition
…into some more technical details

10
The 64 Character Question
• base64url is *almost* like base64
– Both are a means of encoding binary data in a printable ASCII string format
– Each 6 bits -> 1 character (from a 64 character alphabet)
– 3 bytes -> 4 characters
• But base64url uses a URL safe alphabet rather than the nearly URL safe
alphabet of regular base64
– 62 alphanumeric characters
– “-” rather than “+”
– “_” rather than “/”
– Padding “=” is typically omitted
• A remaining unreserved URI character: “.”
– This will prove important shortly

11
A closer look at JOSE‟s bits and pieces: JWS
• JSON Web Signature (JWS)
• A way of representing content secured with a
digital signature or MAC using JSON data
structures and base64url encoding
– Encoded segment are concatenated with a “.”
• Intended for space constrained environments
such as HTTP Authorization headers and URI
query parameters
• Conceptually Simple:
– <Header>.<Payload>.<Signature>

12
JOSE‟s bits and pieces: JWS Header
• JWS Header is a bit of JSON that describes the digital signature or
MAC operation applied to create the JWS Signature value
• Reserved Header Parameters
– “alg”: Algorithm
– HMAC, RSA, RSA-PSS and ECDSA
– None (controversy!)
– Extensible
• “kid”: Key ID
• “jku”: JWK Set URL
• “jwk”: JSON Web Key
• “x5u”: X.509 URL
• “x5t”: X.509 Thumbprint
• “x5c”: X.509 Certificate Chain
• “typ”: Type
• “cty”: Content Type
Header Example:
“I signed this thing with RSA-SHA256
using key we known as „9er‟ which you
can find the corresponding public key for
at https://www.example.com/jwks”
{"alg":"RS256", "kid":”9er",
"jku”:"https://www.example.com/jwks"}

13
JOSE‟s bits and pieces: JWS Algorithms

14
JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 using “my-first-key”) -> {"alg":"ES256","kid":"my-first-key"}
base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input
->QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key”}.”USA #1!”.<SIGNATURE>

15
Producing a JWS using jose4j
More examples or using jose4j to work with JWS can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples
PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
jwk.setKeyId("my-first-key");
JsonWebSignature jws = new JsonWebSignature();
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
jws.setPayload("USA #1!");
jws.setKey(jwk.getPrivateKey());
jws.setKeyIdHeaderValue(jwk.getKeyId());
String compactSerialization = jws.getCompactSerialization();
System.out.println(compactSerialization);

16
Consuming a JWS using jose4j
More examples or using jose4j to work with JWS can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples
JsonWebKey jwk = JsonWebKey.Factory.newJwk("{"kty":"EC"," +
""kid":"my-first-key"," +
""x":"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ"," +
""y":"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk"," +
""crv":"P-256"}");
String compactSerialization =
"eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
"VVNBICMxIQ." +
"QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA”;
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(compactSerialization);
jws.setKey(jwk.getKey());
String payload = jws.getPayload();
System.out.println(payload);

17
JOSE‟s bits and pieces: JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting content
• A little more complicated
– Headers
• “alg”: Algorithm (key wrap or agreement)
• “enc”: Encryption Method (Authenticated Encryption only)
• “zip”: Compression Algorithm
• Etc.
• Five Parts
<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>

18
JOSE‟s bits and pieces:
JWE Key Management Algorithms (“alg”)

19
JOSE‟s bits and pieces:
JWE Content Encryption Algorithms (“enc”)
Note that all of the encryption methods
are AEAD algorithms, which is nice

20
JWE Example
Payload/plaintext
-> I actually really like Canada
Header
-> {"alg":"PBES2-HS256+A128KW","enc":"A128CBC-HS256","p2c":8192,"p2s":"QkbLQniKLUTQVP4l"}
base64url encode header
->
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0
Encrypted Key: PBES2 used to AES Key wrap a 256 bit random key which is base64url encoded
-> g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg
IV: base64url encoded 128 bit initialization vector
-> 6h172lww9VqemjMQMaVPdg
Ciphertext: base64url encoded AES 128 CBC encrypted payload
-> YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0
Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext
-> Ie4iYLbdQCqwMWJf37rEZg
JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0.
g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg.
6h172lww9VqemjMQMaVPdg.
YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0.
Ie4iYLbdQCqwMWJf37rEZg

21
Producing a JWE using jose4j
More examples or using jose4j to work with JWE can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setPayload("I actually really like Canada");
jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW);
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
String compactSerialization = jwe.getCompactSerialization();
System.out.println(compactSerialization);

22
Consuming a JWE using jose4j
More examples or using jose4j to work with JWE can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples
String compactSerialization =
"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDR
sIn0." +
"g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg." +
"6h172lww9VqemjMQMaVPdg." +
"YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0." +
"Ie4iYLbdQCqwMWJf37rEZg";
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setCompactSerialization(compactSerialization);
jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));
String payload = jwe.getPayload();
System.out.println(payload);

23
An aside, eh.
• As I tried to Google “never trust a Canadian”…

24
JWT
• JSON Web Token
• Suggested pronunciation: "jot”
• Compact URL-safe means of representing
claims to be transferred between two parties
• JWS and/or JWE with JSON claims as the
payload
• JWT Claim
– A piece of information asserted about a subject
(or the JWT itself).
– Represented name/value pairs, consisting of a
Claim Name and a Claim Value (which can be
any JSON object).

25
Reserved JWT Claim Names
• “iss”: Issuer
• “sub”: Subject
• “aud”: Audience
• “exp”: Expiration Time
• “nbf”: Not Before
• “iat”: Issued At
• “jti”: JWT ID

26
jot or not?
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm
V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ
VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}

27
it‟s not the size of your token…
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC
5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK
4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<Issuer>https://idp.example.com</Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
</SubjectConfirmation>
</Subject>
<Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
<AudienceRestriction>
<Audience>https://sp.example.org</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
<AuthnContext>
<AuthnContextClassRef>2</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>

28
…it‟s how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization
– Because canonicalization is a four letter word (especially
when you spell it c14n)
• Improved Interoperability & (hopefully) More Secure
• Eliminates entire classes of attacks
– XSLT Transform DOS, Remote Code Execution, and Bypass
– C14N Hash Collision w/ & w/out comments
– Entity Expansion Attacks
– XPath Transform DOS and Bypass
– External Reference DOS
– Signature Wrapping Attacks†
Brad Hill, pictured here speaking at CIS, is wicked smaht and published some
of these attacks
† This poor bastard was the „victim‟ in my POC of a signature wrapping
vulnerability in SAML SSO for Google Apps
http://www.google.com/about/appsecurity/hall-of-fame/reward/

29
JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s) which can be
– included in a JWS/JWE/JWT header
– saved in a file
– used in place of self signed certificates
– published at an HTTPS endpoint and referenced
JWT/JWS Header
{"kid":"5",
"alg":"ES256"}
{"keys":[
{"kty":"EC",
"kid":"4",
"x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
"y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
"crv":"P-256"},
{"kty":"EC",
"kid":"5",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"crv":"P-256"},
{"kty":"EC",
"kid":"6",
"x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
"y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
"crv":"P-256"}
]}

30
Generating JWK and JWKS using jose4j
List<JsonWebKey> jwkList = new LinkedList<>();
for (int kid = 4; kid < 7; kid++)
{
JsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
jwk.setKeyId(String.valueOf(kid));
jwkList.add(jwk);
}
JsonWebKeySet jwks = new JsonWebKeySet(jwkList);
System.out.println(jwks.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));

31
Consuming a JWKS using jose4j
String jwksJson =
"{"keys":[n" +
" {"kty":"EC",n"kid":"4",n" +
" "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", n" +
" "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",n" +
" "crv":"P-256"},n" +
" {"kty":"EC",n"kid":"5",n" +
" "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",n" +
" "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",n" +
" "crv":"P-256"},n" +
" {"kty":"EC",n"kid":"6",n" +
" "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",n" +
" "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",n" +
" "crv":"P-256"}n" +
"]}";
JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);
JsonWebKey jwk = jwks.findJsonWebKey("5", null, null, null);
System.out.println(jwk.getKey());

32
Are we finished yet?

33
Yes, finished. See you in the circle (maybe).
https://flic.kr/p/ay3VVS

JOSE Can You See...

More Related Content

What's hot

Similar to JOSE Can You See...

More from Brian Campbell

Recently uploaded

JOSE Can You See...