Overview of JSON Object Signing and Encryption

Title:
Overview of JSON Object Signing and Encryption

Abstract:
JavaScript Object Notation (JSON) is a text format for the serialization of structured data. The JSON format is often used for serializing and transmitting structured data over a network connection.
The JSON Object Signing and Encryption (JOSE) WG in the IETF standardized mechanisms for integrity protection (signature and MAC) and encryption, as well as formats for keys and algorithm identifiers, to support interoperability of security services for protocols that use JSON.
The JOSE WG's specifications include JSON Web Key (JWK), JSON Web Signature (JWS) and JSON Web Encryption (JWE). This lightning talk will give an overview of them.

WebHack #11 Feb 20, 2018
URL: https://webhack.connpass.com/event/78719/

  1. Overview of JSON Object Signing and Encryption. Masaru Kurahayashi, WebHack #11, February 20, 2018. Copyright © 2018 Yahoo Japan Corporation. All Rights Reserved.
  2. Profile: Masaru Kurahayashi (kura); Yahoo Japan Corporation CISO-Board; Authentication Technology Kuro-obi; OpenID Foundation Japan Evangelist; @kura_lab
  3. Kuro-obi system: Kuro-obi is a title given to an individual who is a leading expert that holds outstanding expertise and skills in a certain field. Kuro-obi system: http://hr.yahoo.co.jp/workplace/culture.html
  4. Agenda
     1. Overview
     2. Use cases
     3. JWS (JWT) & Demonstration
     4. JWE
     5. JWK
     6. JWA
     7. Conclusion
  5. JOSE
  6. JOSE
     • JOSE = JSON Object Signing and Encryption
     • Working Group in IETF
     • Integrity protection (signature and MAC) and encryption
     • 9 RFCs (and more) defined by the WG
  7. [Diagram of the JOSE specifications: JWA, JWK, JWT, JWE, JWS, with two "Reference" labels]
  8. Use cases
     • Security Tokens
     • OAuth
     • OpenID Connect
     • Web Cryptography
     • Constrained Devices (IoT), etc.
  9. JWS
     • JSON Web Signature (RFC 7515)
     • Content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based integrity protection
  10. JWS Compact Serialization: BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload) || '.' || BASE64URL(JWS Signature)
  11. JWT
     • JSON Web Token (RFC 7519)
     • This specification was defined by OAuth WG
     • The suggested pronunciation of JWT is the same as the English word "jot"
     • JWTs represent a set of claims as a JSON object that is encoded in a JWS and/or JWE structure
  12. https://jwt.io
  13. JWE
     • JSON Web Encryption (RFC 7516)
     • JWE Compact Serialization
     • JWE JSON Serialization
  14. JWE Compact Serialization: BASE64URL(UTF8(JWE Protected Header)) || '.' || BASE64URL(JWE Encrypted Key) || '.' || BASE64URL(JWE Initialization Vector) || '.' || BASE64URL(JWE Ciphertext) || '.' || BASE64URL(JWE Authentication Tag)
  15. JWK
     • JSON Web Key (RFC 7517)
     • JSON data structure that represents a cryptographic key
     • JWKs and JWK Sets are used in the JWS and JWE specifications
  16. JWA
     • JSON Web Algorithms (RFC 7518)
     • Cryptographic algorithms and identifiers to be used with JWS, JWE, and JWK specifications
     • HMAC-SHA256, RSA-SHA256, ECDSA-SHA256 and RSASSA-PSS SHA256, etc.
  17. Conclusion
     1. JOSE WG in IETF
     2. JOSE is used with OpenID Connect and OAuth, etc.
     3. Overview of 5 RFCs: JWS (JWT), JWE, JWK, JWA
  18. Let's see JOSE!! https://datatracker.ietf.org/wg/jose/
  19. Thank you for your kind attention!
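
The JWS Compact Serialization from slide 10, as an added example that is not part of the original slides: Python standard-library code that builds an HMAC-SHA256 (HS256) token and verifies it with the algorithm pinned by the verifier. The key, claims and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-do-not-reuse-0123456789"   # constructed sample key
CLAIMS = b'{"iss":"https://issuer.example","sub":"kura"}'  # constructed sample payload

def b64url(data: bytes) -> str:
    # BASE64URL: URL-safe alphabet with the trailing '=' padding removed
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Restore the padding that the compact form strips before decoding
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_hs256(payload: bytes, key: bytes) -> str:
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    # BASE64URL(UTF8(JWS Protected Header)) || '.' || BASE64URL(JWS Payload)
    signing_input = b64url(header.encode("utf-8")) + "." + b64url(payload)
    # ... || '.' || BASE64URL(JWS Signature)
    return signing_input + "." + b64url(_mac(signing_input, key))

def verify_hs256(token: str, key: bytes) -> bytes:
    """Return the payload if the token verifies, otherwise raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS Compact Serialization has exactly three parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The header is untrusted input: accept only the algorithm this verifier
    # expects, never whatever algorithm the token itself names.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg in protected header")
    # The MAC covers the encoded header and payload exactly as transmitted.
    expected = _mac(header_b64 + "." + payload_b64, key)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):  # constant time
        raise ValueError("signature mismatch")
    return b64url_decode(payload_b64)

if __name__ == "__main__":
    token = sign_hs256(CLAIMS, KEY)
    print(token)
    print(verify_hs256(token, KEY).decode("utf-8"))
```
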
