-
Be the first to like this
Upcoming SlideShare
Overview of JSON Object Signing and Encryption
- 1. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. February 20, 2018 Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Masaru Kurahayashi WebHack #11 Overview of JSON Object Signing and Encryption
- 2. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Profile 2 Masaru Kurahayashi (kura) Yahoo Japan Corporation CISO-Board Authentication Technology Kuro-obi OpenID Foundation Japan Evangelist @kura_lab
- 3. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Kuro-obi system 3 Kuro-obi is a title given to an individual who is a leading expert that holds outstanding expertise and skills in a certain field Kuro-obi system http://hr.yahoo.co.jp/workplace/culture.html
- 4. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Agenda 1. Overview 2. Use cases 3. JWS (JWT) & Demonstration 4. JWE 5. JWK 6. JWA 7. Conclusion 4
- 5. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. 5 JOSE
- 6. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JOSE • JOSE = JSON Object Signing and Encryption • Working Group in IETF • Integrity protection (signature and MAC) and encryption • 9 RFCs (and more) defined by the WG 6
- 7. JOSE JWA JWK JWT Reference Reference JWEJWS
- 8. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Use cases • Security Tokens • OAuth • OpenID Connect • Web Cryptography • Constrained Devices (IoT), etc. 8
- 9. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWS • JSON Web Signature (RFC 7515) • Content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based integrity protection 10
- 10. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWS Compact Serialization BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature) 11
- 11. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWT • JSON Web Token (RFC 7519) • This specification was defined by OAuth WG • The suggested pronunciation of JWT is the same as the English word "jot” • JWTs represent a set of claims as a JSON object that is encoded in a JWS and/or JWE structure 12
- 12. https://jwt.io
- 13. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWE • JSON Web Encryption (RFC 7516) • JWE Compact Serialization • JWE JSON Serialization 14
- 14. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWE Compact Serialization BASE64URL(UTF8(JWE Protected Header)) || '.' || BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE Authentication Tag) 15
- 15. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWK • JSON Web Key (RFC 7517) • JSON data structure that represents a cryptographic key • JWKs and JWK Sets are used in the JWS and JWE specifications 16
- 16. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. JWA • JSON Web Algorithms (RFC 7518) • Cryptographic algorithms and identifiers to be used with JWS, JWE, and JWK specifications • HMAC-SHA256, RSA-SHA256, ECDSA- SHA256 and RSASSA-PSS SHA256, etc. 17
- 17. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Conclusion 1. JOSE WG in IETF 2. JOSE are used with OpenID Connect and OAuth, etc. 3. Overview of 5 RFCs • JWS (JWT), JWE, JWK, JWA 18
- 18. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. 19 Letʼs see JOSE !! https://datatracker.ietf.org/wg/jose/
- 19. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved.Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved. Thank you for your kind attention!
Be the first to comment