Json web tokens

•Download as PPTX, PDF•

0 likes•156 views

ThirupathiReddy Vajjala

JSON Web Token helps to secure your REST API by encrypting PII information while sharing between two parties.

Technology

JSON Web Tokens
Data Obfuscation and Authorization
EMAIL: TVAJJALA@GMAIL.COM

What is JWT
JSON Web Token (JWT) is an open
standard (RFC 7519) that defines a
compact and self-contained way for
securely transmitting information
between parties as a JSON object.

JWT
Implementations
JWT specification comes
with two different
implementations
1. JSON Web Signature
2. JSON Web Encryption

JavaScript Object Signing and
Encryption (JOSE)
JWT defines the token format and uses complementary specifications to
handle signing and encryption, this collection of specifications is known as
JOSE (JavaScript Object Signing & Encryption) and consists of the
following components
1. JWS - Defines the process to digitally signing JWT
2. JWE - Defines the process to encrypt a JWT
3. JWA - Defines list of algorithms for signing and encryption
4. JWK - Defines how a cryptographic keys to be represented

JWT Claims
JWT defines seven pre-defined(optional) claims to represent the token
iss Issuer of the token
sub Subject that the JWT is representing
aud Audience for the JWT
exp Time the JWT is set to expire
nbf Time the JWT is valid from (not-before)
iat Time when JWT issued
jti JWT ID (unique ID)

Authorization Tokens
JWT Token contains three parts separated by period (.) and starts with Bearer
Bearer eyJhbGciOiJIUzI1NiIsInR5IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImlh6MTUxNjIzOTAyMn0.sVt6cyu3HKd89LZVMNbqT0DTl3FvG9oYbj8hBDqU
NOTE: The Bearer scheme is used by many APIs for its simplicity. The name Bearer implies that the application
making the request is the bearer of the following pre-agreed token. In summary: you need to put Bearer up front to
tell the server that what follows is an API token, and not something else.

Data Obfuscation
Data masking or data obfuscation is the process of hiding original data
with modified content The main reason for applying masking to a data
field is to protect data that is classified as personally identifiable
information(PII) , sensitive personal data, or commercially sensitive data.

Data Obfuscation Using JWT
1. Create a class that contains sensitive information.
2. Add @Obfuscate annotation to the sensitive data attributes
3. Extend that class to WebToken.
4. Pass the object to WebTokenUtil.generateToken(T ) method to generate JWT Token.
Method signature:
public static <T extends WebToken> String generateToken(final T clazz);

CustomerInfo customerInfo = new CustomerInfo();
customerInfo.setAccountId(939939939);
customerInfo.setCard("4123773773838838");
customerInfo.setSocial(”999-99-9999”);
transactionKey.setPhone(”999-999-9999”);

public class CustomerInfo extends WebToken {
@Obfuscate(strategy = Strategy.CARD)
@JsonProperty(”card")
private String card;
@JsonProperty("ssn")
@Obfuscate(strategy = Strategy.SSN)
private String social;
@JsonProperty("phn")
@Obfuscate(strategy = Strategy.PHONE)
private String phone;
}

The Uniface Lectures are an ongoing series of free monthly technical webinars that cover a wide range of useful topics. In this edition of the Lectures webinar on Application & Infrastructure Security - JSON Web Tokens we cover the following main topics: • The JWT standard • Applying JWT to Uniface • Uniface technology to support JWT • Sample application of JWT • And more… Session video recording is on: youtube.com/unifacesme Webinar video recording archive: go.uniface.com/Lectures-page

Knockout js

hhassann

Understanding JWT Exploitation

AkshaeyBhosale

Pentesting jwt

Jaya Kumar Kondapalli

Jwt Security

Seid Yassin

Json web token

Mayank Patel

MongoDB World 2019: Using Client Side Encryption in MongoDB 4.2 Link

MongoDB

Encryption is not a new concept to MongoDB. Encryption may occur in-transit (with TLS) and at-rest (with the encrypted storage engine). But MongoDB 4.2 introduces support for Client Side Encryption, ensuring the most sensitive data is encrypted before ever leaving the client application. Even full access to your MongoDB servers is not enough to decrypt this data. And better yet, client side encryption can be enabled at the "flick of a switch". This session covers using client side encryption in your applications. This includes the necessary setup, how to encrypt data without sacrificing queryability, and what trade-offs to expect.

Learn how to build real world nTier applications with the new Entity Framework and related services. Make sure to attend Part 1. This second part to the series will focus on using the Entity Framework in an nTier/ SOA world by separating out the different layers using T4 templates and using the new WCF Data Services to easily expose entity models via REST and to Silverlight clients. Lots of code!

JSON WEB TOKEN

Knoldus Inc.

WebRTC Identity in SAML Federations

Mihály Mészáros

"SL-SKE (Signature Less-Secret Key Encryption) For DataSharing in Clouds"

iosrjce

Cloud cоmрutіոg іs tyріcаlly defіոed as а type of cоmрutіոg that relies оո shаrіոg cоmрutіոg resources. The Іոfrаstructure as а Service іո cloud offers the dаtа-ceոter servіces to stоre аոd mаոаge іոfоrmаtіоո, the рrіvаte іոfоrmаtіоո cаո be shared аmоոg the busіոess-cоmраոy employees or the member’s of а cоmmuոіty. Рreservіոg data рrіvаcy requires it to be encrypted before uрlоаdіոg іոtо the cloud server. The аuthоrіzed users’ are оոly іոteոded to dоwոlоаd аոd decrypt usіոg а secret-key. The рreseոtly exіstіոg cryрtоgrарhіc models use key mаոаgemeոt рrоtоcоls tо address key revоcаtіоո рrоblems аոd some other uses relіаble security cоոtrоller for іssuіոg the sіgոаtures аոd аttаch secret-keys tо the users. This leads to а lot of оverheаd. Іո our рrороsed model, we іոtrоduce а ոоvel secure data shаrіոg аlgоrіthm SL-SKE (Sіgոаture Less-Secret Key Eոcryрtіоո) does ոоt require а dіgіtаl-sіgոаture аոd also ոо аddіtіоаl relіаble security cоոtrоller іs required. The complete аlgоrіthm runs аmоոg the cloud server, data owner аոd the trusted-users. The newly generated keys are fully based оո the user’s рrоfіle. It will be іոtіmаted to the user through аո emаіl. Fіոаlly the results shows that it mіոіmіzes the оverheаds аոd the аddіtіоոаl requirements like а trusted third раrty.

D017623439

IOSR Journals

ANDROID BASED WS SECURITY AND MVC BASED UI REPRESENTATION OF DATA

IJCSEIT Journal

Google’s Android is open source; Programmable software framework is subject to typical Smartphone attacks. Such attacks can make the phone partially or fully unusable, cause unwanted changes. While accessing data over web services there should be security mechanisms like encryption of data on server side and decryption using key on client side so that attacks can cause minimal damage to device and data integrity In the second part we have tried to implement here is that representation of data in UI in MVC architecture so that data can be separated from the representation details and user can view data in a manner whichever gives him/her comfort in analyzing the data.

Unit8 javamrecedu

Building nTier Applications with Entity Framework Services (Part 2)

David McCarter

Jwt

Frank Linehan

Jwt with flask slide deck - alan swenson

Jeffrey Clark

Securing RESTful API

Muhammad Zbeedat

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

Presented by Vladimir Iglovikov: - https://www.linkedin.com/in/iglovikov/ - https://x.com/viglovikov - https://www.instagram.com/ternaus/ This presentation delves into the journey of Albumentations.ai, a highly successful open-source library for data augmentation. Created out of a necessity for superior performance in Kaggle competitions, Albumentations has grown to become a widely used tool among data scientists and machine learning practitioners. This case study covers various aspects, including: People: The contributors and community that have supported Albumentations. Metrics: The success indicators such as downloads, daily active users, GitHub stars, and financial contributions. Challenges: The hurdles in monetizing open-source projects and measuring user engagement. Development Practices: Best practices for creating, maintaining, and scaling open-source libraries, including code hygiene, CI/CD, and fast iteration. Community Building: Strategies for making adoption easy, iterating quickly, and fostering a vibrant, engaged community. Marketing: Both online and offline marketing tactics, focusing on real, impactful interactions and collaborations. Mental Health: Maintaining balance and not feeling pressured by user demands. Key insights include the importance of automation, making the adoption process seamless, and leveraging offline interactions for marketing. The presentation also emphasizes the need for continuous small improvements and building a friendly, inclusive community that contributes to the project's growth. Vladimir Iglovikov brings his extensive experience as a Kaggle Grandmaster, ex-Staff ML Engineer at Lyft, sharing valuable lessons and practical advice for anyone looking to enhance the adoption of their open-source projects. Explore more about Albumentations and join the community at: GitHub: https://github.com/albumentations-team/albumentations Website: https://albumentations.ai/ LinkedIn: https://www.linkedin.com/company/100504475 Twitter: https://x.com/albumentations

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

Do you want to learn how to model and simulate an electrical network from scratch in under an hour? Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)! During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook. PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides: - A fully editable and extendable library for grid component modelling; - Visualization tools to display your network; - Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses; The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well. What you will learn during the webinar: - For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills; - For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.

Similar to Json web tokens

5 easy steps to understanding json web tokens (jwt)

Amit Gupta

Landscape

Amit Gupta

Landscape

Amit Gupta

Using JSON Web Tokens for REST Authentication

Mediacurrent

Jwt the complete guide to json web tokens

remayssat

Microservices Security Patterns & Protocols with Spring & PCF

VMware Tanzu

JWTs and JOSE in a flash

Evan J Johnson (Not a CISSP)

Introduction to JWT and How to integrate with Spring Security

Bruno Henrique Rother

[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager

WSO2

Building nTier Applications with Entity Framework Services (Part 2)

David McCarter

JSON WEB TOKEN

Knoldus Inc.

WebRTC Identity in SAML Federations

Mihály Mészáros

"SL-SKE (Signature Less-Secret Key Encryption) For DataSharing in Clouds"

iosrjce

D017623439

IOSR Journals

ANDROID BASED WS SECURITY AND MVC BASED UI REPRESENTATION OF DATA

IJCSEIT Journal

Unit8 javamrecedu

Building nTier Applications with Entity Framework Services (Part 2)

David McCarter

Jwt

Frank Linehan

Jwt with flask slide deck - alan swenson

Jeffrey Clark

Securing RESTful API

Muhammad Zbeedat

Similar to Json web tokens (20)

5 easy steps to understanding json web tokens (jwt)

Landscape

Using JSON Web Tokens for REST Authentication

Jwt the complete guide to json web tokens

Microservices Security Patterns & Protocols with Spring & PCF

JWTs and JOSE in a flash

Introduction to JWT and How to integrate with Spring Security

[WSO2 API Manager Community Call] Mastering JWTs with WSO2 API Manager

Building nTier Applications with Entity Framework Services (Part 2)

JSON WEB TOKEN

WebRTC Identity in SAML Federations

"SL-SKE (Signature Less-Secret Key Encryption) For DataSharing in Clouds"

D017623439

ANDROID BASED WS SECURITY AND MVC BASED UI REPRESENTATION OF DATA

Unit8 java

Building nTier Applications with Entity Framework Services (Part 2)

Jwt

Jwt with flask slide deck - alan swenson

Securing RESTful API

Recently uploaded

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

Vladimir Iglovikov, Ph.D.

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

DanBrown980551

How to Get CNIC Information System with Paksim Ga.pptx

danishmna97

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

SOFTTECHHUB

As the digital landscape continually evolves, operating systems play a critical role in shaping user experiences and productivity. The launch of Nitrux Linux 3.5.0 marks a significant milestone, offering a robust alternative to traditional systems such as Windows 11. This article delves into the essence of Nitrux Linux 3.5.0, exploring its unique features, advantages, and how it stands as a compelling choice for both casual users and tech enthusiasts.

A tale of scale & speed: How the US Navy is enabling software delivery from l...

sonjaschweigert1

Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved: - Reduction in onboarding time from 5 weeks to 1 day - Improved developer experience and productivity through actionable findings and reduction of false positives - Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO) Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production. We will cover: - How to remove silos in DevSecOps - How to build efficient development pipeline roles and component templates - How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence) - How to streamline operations with automated policy checks on container images

National Security Agency - NSA mobile device best practices

Quotidiano Piemontese

20240609 QFM020 Irresponsible AI Reading List May 2024

Matthew Sinclair

PCI PIN Basics Webinar from the Controlcase Team

ControlCase

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Uni Systems S.M.S.A.

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

Paige Cruz

Monitoring and observability aren’t traditionally found in software curriculums and many of us cobble this knowledge together from whatever vendor or ecosystem we were first introduced to and whatever is a part of your current company’s observability stack. While the dev and ops silo continues to crumble….many organizations still relegate monitoring & observability as the purview of ops, infra and SRE teams. This is a mistake - achieving a highly observable system requires collaboration up and down the stack. I, a former op, would like to extend an invitation to all application developers to join the observability party will share these foundational concepts to build on:

みなさんこんにちはこれ何文字まで入るの？40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの？えこ...

名前です男

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Neo4j

Microsoft - Power Platform_G.Aspiotis.pdf

Uni Systems S.M.S.A.

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Neo4j

Sudheer Mechineni, Head of Application Frameworks, Standard Chartered Bank Discover how Standard Chartered Bank harnessed the power of Neo4j to transform complex data access challenges into a dynamic, scalable graph database solution. This keynote will cover their journey from initial adoption to deploying a fully automated, enterprise-grade causal cluster, highlighting key strategies for modelling organisational changes and ensuring robust disaster recovery. Learn how these innovations have not only enhanced Standard Chartered Bank’s data infrastructure but also positioned them as pioneers in the banking sector’s adoption of graph technology.

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Zilliz

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Nexer Digital

Mind map of terminologies used in context of Generative AI

Kumud Singh

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Aggregage

Removing Uninteresting Bytes in Software Fuzzing

Aftab Hussain

Imagine a world where software fuzzing, the process of mutating bytes in test seeds to uncover hidden and erroneous program behaviors, becomes faster and more effective. A lot depends on the initial seeds, which can significantly dictate the trajectory of a fuzzing campaign, particularly in terms of how long it takes to uncover interesting behaviour in your code. We introduce DIAR, a technique designed to speedup fuzzing campaigns by pinpointing and eliminating those uninteresting bytes in the seeds. Picture this: instead of wasting valuable resources on meaningless mutations in large, bloated seeds, DIAR removes the unnecessary bytes, streamlining the entire process. In this work, we equipped AFL, a popular fuzzer, with DIAR and examined two critical Linux libraries -- Libxml's xmllint, a tool for parsing xml documents, and Binutil's readelf, an essential debugging and security analysis command-line tool used to display detailed information about ELF (Executable and Linkable Format). Our preliminary results show that AFL+DIAR does not only discover new paths more quickly but also achieves higher coverage overall. This work thus showcases how starting with lean and optimized seeds can lead to faster, more comprehensive fuzzing campaigns -- and DIAR helps you find such seeds. - These are slides of the talk given at IEEE International Conference on Software Testing Verification and Validation Workshop, ICSTW 2022.

Pushing the limits of ePRTC: 100ns holdover for 100 days

Adtran

Recently uploaded (20)

Enchancing adoption of Open Source Libraries. A case study on Albumentations.AI

LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...

How to Get CNIC Information System with Paksim Ga.pptx

Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!

A tale of scale & speed: How the US Navy is enabling software delivery from l...

National Security Agency - NSA mobile device best practices

20240609 QFM020 Irresponsible AI Reading List May 2024

PCI PIN Basics Webinar from the Controlcase Team

Uni Systems Copilot event_05062024_C.Vlachos.pdf

Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf

GraphSummit Singapore | Neo4j Product Vision & Roadmap - Q2 2024

Microsoft - Power Platform_G.Aspiotis.pdf

GraphSummit Singapore | Graphing Success: Revolutionising Organisational Stru...

Building RAG with self-deployed Milvus vector database and Snowpark Container...

Elizabeth Buie - Older adults: Are we really designing for our future selves?

Mind map of terminologies used in context of Generative AI

Generative AI Deep Dive: Advancing from Proof of Concept to Production

Removing Uninteresting Bytes in Software Fuzzing

Pushing the limits of ePRTC: 100ns holdover for 100 days

Json web tokens

1. JSON Web Tokens Data Obfuscation and Authorization EMAIL: TVAJJALA@GMAIL.COM

2. What is JWT JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

3. JWT Implementations JWT specification comes with two different implementations 1. JSON Web Signature 2. JSON Web Encryption

4. JavaScript Object Signing and Encryption (JOSE) JWT defines the token format and uses complementary specifications to handle signing and encryption, this collection of specifications is known as JOSE (JavaScript Object Signing & Encryption) and consists of the following components 1. JWS - Defines the process to digitally signing JWT 2. JWE - Defines the process to encrypt a JWT 3. JWA - Defines list of algorithms for signing and encryption 4. JWK - Defines how a cryptographic keys to be represented

5. JWT Claims JWT defines seven pre-defined(optional) claims to represent the token iss Issuer of the token sub Subject that the JWT is representing aud Audience for the JWT exp Time the JWT is set to expire nbf Time the JWT is valid from (not-before) iat Time when JWT issued jti JWT ID (unique ID)

6. Authorization Tokens JWT Token contains three parts separated by period (.) and starts with Bearer Bearer eyJhbGciOiJIUzI1NiIsInR5IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsImlh6MTUxNjIzOTAyMn0.sVt6cyu3HKd89LZVMNbqT0DTl3FvG9oYbj8hBDqU NOTE: The Bearer scheme is used by many APIs for its simplicity. The name Bearer implies that the application making the request is the bearer of the following pre-agreed token. In summary: you need to put Bearer up front to tell the server that what follows is an API token, and not something else.

8. Data Obfuscation Data masking or data obfuscation is the process of hiding original data with modified content The main reason for applying masking to a data field is to protect data that is classified as personally identifiable information(PII) , sensitive personal data, or commercially sensitive data.

9. Data Obfuscation Using JWT 1. Create a class that contains sensitive information. 2. Add @Obfuscate annotation to the sensitive data attributes 3. Extend that class to WebToken. 4. Pass the object to WebTokenUtil.generateToken(T ) method to generate JWT Token. Method signature: public static <T extends WebToken> String generateToken(final T clazz);

10. CustomerInfo customerInfo = new CustomerInfo(); customerInfo.setAccountId(939939939); customerInfo.setCard("4123773773838838"); customerInfo.setSocial(”999-99-9999”); transactionKey.setPhone(”999-999-9999”);

11. public class CustomerInfo extends WebToken { @Obfuscate(strategy = Strategy.CARD) @JsonProperty(”card") private String card; @JsonProperty("ssn") @Obfuscate(strategy = Strategy.SSN) private String social; @JsonProperty("phn") @Obfuscate(strategy = Strategy.PHONE) private String phone; }

Json web tokens

Recommended

Recommended

More Related Content

Similar to Json web tokens

Similar to Json web tokens (20)

Recently uploaded

Recently uploaded (20)

Json web tokens