A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).
Also some (bad) jokes.
JOSE Can You See...
1. JOSE CAN YOU SEE…‡
A technical overview of JWT and its
JOSE underpinnings, which are
poised to be the next generation
identity token, as well as a look at
using one open source
implementation.
Brian Campbell
@__b_c
IIW #18
May 2014
‡ Partial credit for the title goes to
Brad Tumy
5. What's in a name?
https://twitter.com/metadaddy/status/454422069199900672
6. But you wouldn't name your child 'Attila the Hun' would you?
I didn't…
"Attila, Scourge of God"
http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
14. JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 using “my-first-key”) -> {"alg":"ES256","kid":"my-first-key"}
base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
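The three-part structure above, as an added example that is not code from the deck or from jose4j: it builds the Secured Input exactly as the slide does, then signs and verifies a token with HS256 from the Python standard library (which has no ECDSA, so HMAC stands in for the ES256 the slide uses); the key, kid and payload are made up here. The verifier pins the algorithm it expects instead of trusting whatever `alg` the token header claims.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """base64url with the '=' padding stripped, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding JOSE strips, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def signing_input(header: dict, payload: bytes) -> str:
    """The 'Secured Input': base64url(header JSON) '.' base64url(payload)."""
    header_json = json.dumps(header, separators=(",", ":"))
    return b64url_encode(header_json.encode("utf-8")) + "." + b64url_encode(payload)


def sign_hs256(payload: bytes, key: bytes, kid: str) -> str:
    """JWS Compact Serialization: header.payload.signature (HMAC-SHA256 stand-in)."""
    inp = signing_input({"alg": "HS256", "kid": kid}, payload)
    sig = hmac.new(key, inp.encode("ascii"), hashlib.sha256).digest()
    return inp + "." + b64url_encode(sig)


def verify_hs256(jws: str, key: bytes) -> Optional[bytes]:
    """Return the payload if the token verifies under HS256 with `key`, else None."""
    parts = jws.split(".")
    if len(parts) != 3:
        return None
    h64, p64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the expected algorithm: the token must not choose how it is verified.
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        return None
    return b64url_decode(p64)
```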
28. …it's how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization
– Because canonicalization is a four letter word (especially when you spell it c14n)
• Improved Interoperability & (hopefully) More Secure
• Eliminates entire classes of attacks
– XSLT Transform DOS, Remote Code Execution, and Bypass
– C14N Hash Collision w/ & w/out comments
– Entity Expansion Attacks
– XPath Transform DOS and Bypass
– External Reference DOS
– Signature Wrapping Attacks†
Brad Hill, pictured here speaking at CIS, is wicked smaht and published some of these attacks.
† This poor bastard was the 'victim' in my POC of a signature wrapping vulnerability in SAML SSO for Google Apps
http://www.google.com/about/appsecurity/hall-of-fame/reward/