
A Primer on JSON Web Tokens

Presentation from October 2018 Software Peer2Peer event.

Covers: JSON Web Tokens (JWTs) provide a mechanism to securely represent claims information between two parties. They can be used to support Authorization mechanisms, implement Single Sign On functionality, and securely exchange information on the internet.

More about Silicon Halton's Software Peer2Peer: https://siliconhalton.com/silicon-halton-software-peer2peer/



  1. JWTs: More than you think
  2. History
     • September 2011 - JOSE Working Group founded
     • April 2014 - RFC 7165 - Use Cases and Requirements for JSON Object Signing and Encryption (JOSE)
     • May 2015 - RFC 7515 (JWS), 7516 (JWE), 7517 (JWK), 7518 (JWA) and 7519 (JWT)
  3. Terminology
     • Base64URL - Base64 encoding that uses only URL-safe characters ('-' and '_' in place of '+' and '/') and drops the trailing '=' padding, so an encoded value can sit in a URL or header unchanged.
     • Symmetric Encryption - Encryption that uses a single key shared between the two parties.
     • Asymmetric Encryption - Encryption that uses public/private key pairs.
  4. JWT or Not?
     { alg: RS256, typ: JWT }, { iss: "Chris Larsen", sub: 'JWT', aud: 'Silicon Halton', iat: Time.now }
     Is this a JWT?
  5. JWT or Not?
     { alg: RS256, typ: JWT }, { iss: "Chris Larsen", sub: 'JWT', aud: 'Silicon Halton', iat: Time.now }
     Yes and no. A JWT is never sent as a bare header and claim set; it is always carried as either a JWS (signed) or a JWE (encrypted). With alg RS256 this one becomes a JWT of the JWS kind once the signature over the header and claims is attached.
  6. Terminology - More
     • JWS - JSON Web Signature. A JWT whose header and payload are covered by a signature: either an HMAC computed with a secret shared by sender and receiver (HS256 and friends), or a digital signature made with the sender's private key and checked with the matching public key (RS256, ES256, PS256). Nothing is encrypted; the payload is only base64url-encoded and is readable by anyone who holds the token.
     • JWE - JSON Web Encryption. A JWT whose payload is encrypted for transmission. The content is encrypted with a fresh random Content Encryption Key (CEK); the CEK itself travels inside the token, wrapped with the receiver's public key or with a symmetric key both parties share.
  7. JWS vs JWE
     JWS
     • Transmits claims together with a signature (or MAC) over them to ensure integrity and authenticity; the claims themselves stay readable.
     • Compact serialization contains 3 components: Header.Payload.Signature
     • Example: (token shown as an image on the slide; not reproduced in the transcript)
     JWE
     • Transmits the message in encrypted form to ensure confidentiality; because the content encryption is authenticated (AEAD), the header and ciphertext are integrity-protected as well.
     • Compact serialization contains 5 components: ProtectedHeader.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
     • Example: (token shown as an image on the slide; not reproduced in the transcript)
  8. JWS - Process
     1. Encode the JWS Protected Header as BASE64URL(UTF8(JWS Protected Header))
     2. Encode the JWS Payload as BASE64URL(JWS Payload)
     3. Compute the JWS Signature over ASCII(BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload)) using the algorithm named by "alg" in the header and the key: an HMAC with the shared secret for HS256, a digital signature with the private key for RS256. This is a signature or MAC computation, not encryption; the signing input is never hidden.
     4. Base64url-encode the signature and concatenate the three values in the order Header.Payload.Signature.
     5. This provides the URL-safe JWS Compact Serialization.
  9. JWS - Summary
  10. JWE - Process
     1. Encode the JWE Protected Header as BASE64URL(UTF8(JWE Protected Header))
     2. Generate a random Content Encryption Key (CEK), fresh for every message
     3. Encrypt (wrap) the CEK for the recipient using the key-management algorithm named by "alg" in the header: with the recipient's public key for RSA-OAEP, or with a shared symmetric key for a key-wrap algorithm
     4. Base64url-encode the JWE Encrypted Key
     5. Generate a random Initialization Vector and base64url-encode it
     6. Generate the Additional Authenticated Data as ASCII(BASE64URL(UTF8(JWE Protected Header)))
     7. Encrypt the plaintext with the content-encryption algorithm named by "enc" in the header, using the CEK as the encryption key, the Initialization Vector, and the Additional Authenticated Data value; this is an authenticated (AEAD) encryption and yields both the Ciphertext and an Authentication Tag
     8. Concatenate the values in the order ProtectedHeader.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
     9. This provides the URL-safe JWE Compact Serialization
  11. JWE - Summary
  12. Libraries (number listed on JWT.io, by language)
     • .NET - 3 • C - 2 • C++ - 3 • Elixir - 3 • Go - 11 • Java - 6 • JavaScript - 3 • Perl - 1 • PHP - 10 • Python - 4 • Ruby - 4 • Scala - 4 • Swift - 4
  13. Additional Resources
     • https://tools.ietf.org/html/rfc7519
     • https://tools.ietf.org/html/rfc7165
     • https://datatracker.ietf.org/wg/jose/documents/
  14. Website: www.christianlarsen.ca
     Blog: hclarsenblog.wordpress.com
     Twitter: @thechrislarsen
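The JWS process from slide 8, carried through as an added Ruby example. This is not code from the presentation; it uses only the openssl and json standard libraries, and the shared secret, the claims and the function names are constructed for the demonstration. It goes one step past the slide by showing the verifying side, which is where the two classic JWT mistakes live: trusting the token's own alg header (an attacker can then submit alg none, or relabel an RS256 token as HS256 and have the server verify it with its own public key as the HMAC secret) and treating a valid signature as sufficient without checking the claims.

```ruby
require 'openssl'
require 'json'

# Base64url (RFC 4648 section 5) with the padding removed, as JOSE requires.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0') # strict decoding: raises ArgumentError on malformed input
end

# Constant-time byte comparison for the HMAC case, so a forger cannot time
# how many leading bytes of a guessed signature were right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Steps 1-4 of the JWS process: returns the compact serialization
# header.payload.signature. HS256 is an HMAC over the signing input with a
# shared secret; RS256 is an RSASSA-PKCS1-v1_5 signature with the private key.
def jws_sign(claims, key, alg)
  encoded_header  = b64url_encode(JSON.generate({ alg: alg, typ: 'JWT' })) # step 1
  encoded_payload = b64url_encode(JSON.generate(claims))                   # step 2
  signing_input   = "#{encoded_header}.#{encoded_payload}"
  signature = case alg                                                     # step 3
              when 'HS256' then OpenSSL::HMAC.digest('SHA256', key, signing_input)
              when 'RS256' then key.sign(OpenSSL::Digest.new('SHA256'), signing_input)
              else raise ArgumentError, "unsupported alg #{alg}"
              end
  "#{signing_input}.#{b64url_encode(signature)}"                            # step 4
end

# Verify a compact JWS and return its claims, or nil on any failure.
# The verifier names the algorithm it expects and the key that goes with it;
# the token's own alg header is only compared against that expectation and
# never used to choose the algorithm or key. That closes both the alg:none
# bypass and the RS256-to-HS256 key-confusion trick.
# `now` is injectable so the expiry check can be exercised deterministically.
def jws_verify(token, key, expected_alg, now: Time.now.to_i)
  parts = token.split('.', -1)
  return nil unless parts.length == 3
  encoded_header, encoded_payload, encoded_sig = parts
  header = JSON.parse(b64url_decode(encoded_header))
  return nil unless header['alg'] == expected_alg
  signing_input = "#{encoded_header}.#{encoded_payload}"
  signature = b64url_decode(encoded_sig)
  valid = case expected_alg
          when 'HS256'
            secure_equal?(OpenSSL::HMAC.digest('SHA256', key, signing_input), signature)
          when 'RS256'
            key.verify(OpenSSL::Digest.new('SHA256'), signature, signing_input)
          else
            false
          end
  return nil unless valid
  claims = JSON.parse(b64url_decode(encoded_payload))
  # A valid signature only proves who issued the token; the consumer still has
  # to check the claims it relies on, exp being the minimum.
  return nil if claims.key?('exp') && now >= claims['exp'].to_i
  claims
rescue JSON::ParserError, ArgumentError, OpenSSL::PKey::PKeyError
  nil
end
```

Usage: jws_sign(claims, 'shared-secret', 'HS256') produces a three-part token; jws_verify(token, 'shared-secret', 'HS256') hands back the claims, and returns nil for a modified payload, a token relabelled alg none, an RS256 token offered to the HS256 verifier, or an expired token. Production code would also check iss and aud against expected values in the same place as exp.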

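The JWE process from slide 10, carried through as an added Ruby example with alg RSA-OAEP and enc A256GCM. This is not code from the presentation; it uses only the openssl, json and securerandom standard libraries, and the key pair, the plaintext and the function names are constructed for the demonstration. The decrypting side pins alg and enc instead of honouring whatever the header names, and rejects truncated tags, so a sender cannot talk the recipient into a weaker content cipher or a different key-unwrap mechanism.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Base64url without padding, as JOSE requires.
def b64url_encode(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

def b64url_decode(str)
  s = str.tr('-_', '+/')
  s += '=' * ((4 - s.length % 4) % 4)
  s.unpack1('m0')
end

JWE_ALG = 'RSA-OAEP' # key management: RSAES-OAEP (SHA-1/MGF1) wraps the CEK
JWE_ENC = 'A256GCM'  # content encryption: AES-256-GCM, an AEAD; the tag covers the header too

# Steps 1-8 of the JWE process: returns the five-part compact serialization
# header.encryptedKey.iv.ciphertext.tag for the recipient's RSA public key.
def jwe_encrypt(plaintext, recipient_public_key)
  encoded_header = b64url_encode(JSON.generate({ alg: JWE_ALG, enc: JWE_ENC })) # step 1
  cek = SecureRandom.random_bytes(32)                                           # step 2: fresh 256-bit CEK per message
  encrypted_key = recipient_public_key.public_encrypt(cek, OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING) # step 3
  iv = SecureRandom.random_bytes(12)                                            # step 5: 96-bit GCM nonce
  aad = encoded_header                                                          # step 6: ASCII(BASE64URL(UTF8(header)))
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt                           # step 7
  cipher.key = cek
  cipher.iv = iv
  cipher.auth_data = aad
  ciphertext = cipher.update(plaintext) + cipher.final
  tag = cipher.auth_tag(16)
  [encoded_header, b64url_encode(encrypted_key), b64url_encode(iv),             # steps 4 and 8
   b64url_encode(ciphertext), b64url_encode(tag)].join('.')
end

# Reverse the process. Returns the plaintext, or nil if anything fails: wrong
# private key, or a modified header, encrypted key, IV, ciphertext or tag.
def jwe_decrypt(token, recipient_private_key)
  parts = token.split('.', -1)
  return nil unless parts.length == 5
  encoded_header, enc_key, enc_iv, enc_ct, enc_tag = parts
  header = JSON.parse(b64url_decode(encoded_header))
  # Pin the algorithms; the header is untrusted input until the tag verifies.
  return nil unless header['alg'] == JWE_ALG && header['enc'] == JWE_ENC
  cek = recipient_private_key.private_decrypt(b64url_decode(enc_key), OpenSSL::PKey::RSA::PKCS1_OAEP_PADDING)
  iv  = b64url_decode(enc_iv)
  tag = b64url_decode(enc_tag)
  # Refuse a wrong-size CEK, an odd IV length or a truncated tag before touching the cipher.
  return nil unless cek.bytesize == 32 && iv.bytesize == 12 && tag.bytesize == 16
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = cek
  cipher.iv = iv
  cipher.auth_tag = tag
  cipher.auth_data = encoded_header # the header bytes exactly as transmitted
  cipher.update(b64url_decode(enc_ct)) + cipher.final # final raises if the tag does not verify
rescue OpenSSL::Cipher::CipherError, OpenSSL::PKey::PKeyError, JSON::ParserError, ArgumentError
  nil
end
```

Usage: jwe_encrypt(JSON.generate(claims), rsa.public_key) yields a five-part token that only the holder of the private key can open with jwe_decrypt. Two encryptions of the same plaintext never produce the same token, because the CEK and IV are drawn fresh each time; reusing a GCM nonce under the same key would be fatal, which is why the CEK is per-message rather than per-recipient.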