JOSE Can You See...

JOSE CAN YOU SEE…‡
A technical overview of JWT and its
JOSE underpinnings, which are
poised to be the next generation
identity token, as well as a look at
using one open source
implementation.
Brian Campbell
@__b_c
IIW #18
May 2014
‡ Partial credit for the title goes to
Brad Tumy

2
JWT + JOSE Overview
• JSON Web Token (JWT)
– Compact URL-safe means of representing claims to be
transferred between two parties
– JWS and/or JWE with JSON claims as the payload
• Javascript Object Signing and Encryption (JOSE)
– JSON Web Signature (JWS)
• A way of representing content secured with a digital signature or MAC
using JSON data structures and base64url encoding
– JSON Web Encryption (JWE)
• Like JWS but for encrypting content
– JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s)
Copyright © 2014 Brian Campbell. All rights reserved.

3
JWT + JOSE in the Wild
• Not even an RFC
yet but widely used:
– OAuth
– OpenID Connect
– Mozilla Persona
(ahem)
– W3C Web
Cryptography API
– And more…
three nerds holding a blurry piece of paper
they tell me is some kind of award for
OpenID Connect

4
jose4j Overview
• Open source (free as in beer) Java implementation of the JOSE specification suite
– Get yours at https://bitbucket.org/b_c/jose4j
• Relies solely on the JCA APIs for cryptography
• 100% (Dammit Mike!) 97.5% Algorithm Support
• Reference[able] implementation
– Fact checked the cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A
• Completely free of intentional NSA backdoors
– (but I‟m open to “sponsorship” opportunities)
• Production ready: used throughout Ping Identity‟s products
• Rated the #1 JOSE implementation in the world (based on an unbiased survey of the library author‟s mother)
• Did I mention free? Easy too.
• All proceeds from sales go to a charity that provides comfort and support to dying
identity protocols living out their final days
• Take a stand against monoculture (did heartbleed teach us nothing?)

5
What‟s in a name?
https://twitter.com/metadaddy/status/454422069199900672

6
But you wouldn't name your child
„Attila the Hun‟ would you?
I didn‟t…
"Attila, Scourge of God"
http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg

7
What would JOSE do? ‡
• Call it “JW-STEAK”!
• „cause who doesn‟t like a
good steak?
•JW-
–JWS
–JWT
–JWE
–JWA
–JWK
Don Julio is a famous (to gringo tourists anyway) steakhouse
in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended
by it, in which case I‟m not at all reluctant about blaming him.

8
Okay, fine…
• Technically speaking, my vegan coworker
does not like steak
• Even if it is „good‟
• But let‟s not split hairs on this one…

9
Awkward Transition
…into some more technical details

10
The 64 Character Question
• base64url is *almost* like base64
– Both are a means of encoding binary data in a printable ASCII string format
– Each 6 bits -> 1 character (from a 64 character alphabet)
– 3 bytes -> 4 characters
• But base64url uses a URL safe alphabet rather than the nearly URL safe
alphabet of regular base64
– 62 alphanumeric characters
– “-” rather than “+”
– “_” rather than “/”
– Padding “=” is typically omitted
• A remaining unreserved URI character: “.”
– This will prove important shortly

11
A closer look at JOSE‟s bits and pieces: JWS
• JSON Web Signature (JWS)
• A way of representing content secured with a
digital signature or MAC using JSON data
structures and base64url encoding
– Encoded segment are concatenated with a “.”
• Intended for space constrained environments
such as HTTP Authorization headers and URI
query parameters
• Conceptually Simple:
– <Header>.<Payload>.<Signature>

12
JOSE‟s bits and pieces: JWS Header
• JWS Header is a bit of JSON that describes the digital signature or
MAC operation applied to create the JWS Signature value
• Reserved Header Parameters
– “alg”: Algorithm
– HMAC, RSA, RSA-PSS and ECDSA
– None (controversy!)
– Extensible
• “kid”: Key ID
• “jku”: JWK Set URL
• “jwk”: JSON Web Key
• “x5u”: X.509 URL
• “x5t”: X.509 Thumbprint
• “x5c”: X.509 Certificate Chain
• “typ”: Type
• “cty”: Content Type
Header Example:
“I signed this thing with RSA-SHA256
using key we known as „9er‟ which you
can find the corresponding public key for
at https://www.example.com/jwks”
{"alg":"RS256", "kid":”9er",
"jku”:"https://www.example.com/jwks"}

13
JOSE‟s bits and pieces: JWS Algorithms

14
JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 using “my-first-key”) -> {"alg":"ES256","kid":"my-first-key"}
base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input
->QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key”}.”USA #1!”.<SIGNATURE>

15
Producing a JWS using jose4j
More examples or using jose4j to work with JWS can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples
PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
jwk.setKeyId("my-first-key");
JsonWebSignature jws = new JsonWebSignature();
jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);
jws.setPayload("USA #1!");
jws.setKey(jwk.getPrivateKey());
jws.setKeyIdHeaderValue(jwk.getKeyId());
String compactSerialization = jws.getCompactSerialization();
System.out.println(compactSerialization);

16
Consuming a JWS using jose4j
More examples or using jose4j to work with JWS can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples
JsonWebKey jwk = JsonWebKey.Factory.newJwk("{"kty":"EC"," +
""kid":"my-first-key"," +
""x":"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ"," +
""y":"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk"," +
""crv":"P-256"}");
String compactSerialization =
"eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +
"VVNBICMxIQ." +
"QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA”;
JsonWebSignature jws = new JsonWebSignature();
jws.setCompactSerialization(compactSerialization);
jws.setKey(jwk.getKey());
String payload = jws.getPayload();
System.out.println(payload);

17
JOSE‟s bits and pieces: JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting content
• A little more complicated
– Headers
• “alg”: Algorithm (key wrap or agreement)
• “enc”: Encryption Method (Authenticated Encryption only)
• “zip”: Compression Algorithm
• Etc.
• Five Parts
<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>

18
JOSE‟s bits and pieces:
JWE Key Management Algorithms (“alg”)

19
JOSE‟s bits and pieces:
JWE Content Encryption Algorithms (“enc”)
Note that all of the encryption methods
are AEAD algorithms, which is nice

20
JWE Example
Payload/plaintext
-> I actually really like Canada
Header
-> {"alg":"PBES2-HS256+A128KW","enc":"A128CBC-HS256","p2c":8192,"p2s":"QkbLQniKLUTQVP4l"}
base64url encode header
->
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0
Encrypted Key: PBES2 used to AES Key wrap a 256 bit random key which is base64url encoded
-> g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg
IV: base64url encoded 128 bit initialization vector
-> 6h172lww9VqemjMQMaVPdg
Ciphertext: base64url encoded AES 128 CBC encrypted payload
-> YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0
Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext
-> Ie4iYLbdQCqwMWJf37rEZg
JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->
eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0.
g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg.
6h172lww9VqemjMQMaVPdg.
YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0.
Ie4iYLbdQCqwMWJf37rEZg

21
Producing a JWE using jose4j
More examples or using jose4j to work with JWE can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setPayload("I actually really like Canada");
jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));
jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW);
jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);
String compactSerialization = jwe.getCompactSerialization();
System.out.println(compactSerialization);

22
Consuming a JWE using jose4j
More examples or using jose4j to work with JWE can be found at
https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples
String compactSerialization =
"eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDR
sIn0." +
"g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg." +
"6h172lww9VqemjMQMaVPdg." +
"YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0." +
"Ie4iYLbdQCqwMWJf37rEZg";
JsonWebEncryption jwe = new JsonWebEncryption();
jwe.setCompactSerialization(compactSerialization);
jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));
String payload = jwe.getPayload();
System.out.println(payload);

23
An aside, eh.
• As I tried to Google “never trust a Canadian”…

24
JWT
• JSON Web Token
• Suggested pronunciation: "jot”
• Compact URL-safe means of representing
claims to be transferred between two parties
• JWS and/or JWE with JSON claims as the
payload
• JWT Claim
– A piece of information asserted about a subject
(or the JWT itself).
– Represented name/value pairs, consisting of a
Claim Name and a Claim Value (which can be
any JSON object).

25
Reserved JWT Claim Names
• “iss”: Issuer
• “sub”: Subject
• “aud”: Audience
• “exp”: Expiration Time
• “nbf”: Not Before
• “iat”: Issued At
• “jti”: JWT ID

26
jot or not?
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm
V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ
VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}

27
it‟s not the size of your token…
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC
5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK
4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<Issuer>https://idp.example.com</Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
</SubjectConfirmation>
</Subject>
<Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
<AudienceRestriction>
<Audience>https://sp.example.org</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
<AuthnContext>
<AuthnContextClassRef>2</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>

28
…it‟s how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization
– Because canonicalization is a four letter word (especially
when you spell it c14n)
• Improved Interoperability & (hopefully) More Secure
• Eliminates entire classes of attacks
– XSLT Transform DOS, Remote Code Execution, and Bypass
– C14N Hash Collision w/ & w/out comments
– Entity Expansion Attacks
– XPath Transform DOS and Bypass
– External Reference DOS
– Signature Wrapping Attacks†
Brad Hill, pictured here speaking at CIS, is wicked smaht and published some
of these attacks
† This poor bastard was the „victim‟ in my POC of a signature wrapping
vulnerability in SAML SSO for Google Apps
http://www.google.com/about/appsecurity/hall-of-fame/reward/

29
JSON Web Key (JWK)
• JSON data structure representing cryptographic key(s) which can be
– included in a JWS/JWE/JWT header
– saved in a file
– used in place of self signed certificates
– published at an HTTPS endpoint and referenced
JWT/JWS Header
{"kid":"5",
"alg":"ES256"}
{"keys":[
{"kty":"EC",
"kid":"4",
"x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
"y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
"crv":"P-256"},
{"kty":"EC",
"kid":"5",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"crv":"P-256"},
{"kty":"EC",
"kid":"6",
"x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
"y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
"crv":"P-256"}
]}

30
Generating JWK and JWKS using jose4j
List<JsonWebKey> jwkList = new LinkedList<>();
for (int kid = 4; kid < 7; kid++)
{
JsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);
jwk.setKeyId(String.valueOf(kid));
jwkList.add(jwk);
}
JsonWebKeySet jwks = new JsonWebKeySet(jwkList);
System.out.println(jwks.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));

31
Consuming a JWKS using jose4j
String jwksJson =
"{"keys":[n" +
" {"kty":"EC",n"kid":"4",n" +
" "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", n" +
" "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",n" +
" "crv":"P-256"},n" +
" {"kty":"EC",n"kid":"5",n" +
" "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",n" +
" "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",n" +
" "crv":"P-256"},n" +
" {"kty":"EC",n"kid":"6",n" +
" "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",n" +
" "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",n" +
" "crv":"P-256"}n" +
"]}";
JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);
JsonWebKey jwk = jwks.findJsonWebKey("5", null, null, null);
System.out.println(jwk.getKey());

32
Are we finished yet?

33
Yes, finished. See you in the circle (maybe).
https://flic.kr/p/ay3VVS

JOSE Can You See...

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to JOSE Can You See...

Similar to JOSE Can You See... (20)

More from Brian Campbell

More from Brian Campbell (14)

Recently uploaded

Recently uploaded (20)

JOSE Can You See...