CIS14: I Left My JWT in San JOSE

`` Brian Campbell!

@__b_c!Cloud Identity Summit 2014!

http://www.slideshare.net/briandavidcampbell! !

A technical overview of JSON Web Token (JWT) and JavaScript Object

Signing and Encryption (JOSE)!

Introductions!

http://blog.talkingidentity.com/2013/08/thanking-the-iam-venn-erables-in-my-own-way.html!

Me!

More Introductions…!

Copyright © 2014 Ping Identity Corp. All rights reserved. 3 https://twitter.com/itickr/status/354999490928857088!

https://flic.kr/p/f6PKjB!

•  JavaScript Object Signing and Encryption (JOSE)

–  JSON Web Signature (JWS)

•  A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding

–  JSON Web Encryption (JWE)

•  Like JWS but for encrypting content

–  JSON Web Key (JWK)

•  JSON data structures representing cryptographic keys

–  JSON Web Algorithms

•  Defines the use cryptographic algorithms and identifiers for JWS, JWE and JWK !

•  JSON Web Token (JWT)

–  A compact URL-safe means of representing claims/attributes to be transferred between two parties

–  A JWT is a JWS and/or a JWE with JSON claims as the payload Copyright © 2014 Ping Identity Corp. All rights reserved. 4

JWT + JOSE Overview!

JWS JWE

JWT

JWK

JSON

•  Not even official RFCs yet but –  Well regarded

–  And widely used: •  OAuth

•  OpenID Connect

•  Mozilla Persona (ahem)

•  W3C Web Cryptography API

•  + more… Three nerds holding a blurry piece of paper they tell me is

some kind of award for the JOSE & JWT work.

http://www.kuppingercole.com/article/award2014 !

5

JWT + JOSE in the Wild!

What’s in a Name?!

https://twitter.com/metadaddy/status/454422069199900672

JW*!

Copyright © 2014 Ping Identity Corp. All rights reserved. 7

But you wouldn't name your child ‘Attila the Hun’ would you?!

"Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg

I didn’t…

What would JOSE do? ‡ !

Call it

JW-STEAK

‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I’m not at all reluctant about blaming him. JW-

JWS JWT JWE JWA JWK

Because who doesn’t like a good steak? !

Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U

Okay, fine…!

• Technically speaking, my vegan coworker does not like steak

• Even if it is ‘good’ • But let’s not split hairs on this

one…


Awkward Transition… into some of the more technical details!

11

Few things are more awkward than Paul Madsen

eating a Slim Jim while wearing a sailor's outfit and

bowtie

All The Cool Kids Are Doing It!


{"JSON" : "a lightweight & human-readable data-interchange format"}!

The 64 Character Question!•  base64

–  A means of encoding binary data in a printable ASCII string format

–  Each 6 bits -> 1 character

•  From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/"

•  Also padding "="

–  3 bytes -> 4 characters

•  base64url

–  uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64

–  "-" rather than "+" and "_" rather than "/"

–  Padding "=" is typically omitted

•  A remaining unreserved URI character: "."

–  This will prove important shortly


Example: 32 random bytes encoded

base64: qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU=base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAUURL Encoded:qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3DqOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU

A closer look at JOSE’s bits and pieces: JWS!

•  JSON Web Signature (JWS) •  A way of representing content secured with a digital signature

or MAC –  Using a JSON data structure and base64url encoding –  Encoded segments are concatenated with a "." –  Intended for space constrained environments such as HTTP

Authorization headers and URI query parameters

•  Conceptually Simple: –  <Header>.<Payload>.<Signature>


JOSE’s bits and pieces: The JWS Header!•  JWS Header is a bit of JSON that describes the digital signature or MAC operation applied

to create the JWS Signature value

•  Reserved Header Parameters –  "alg": Algorithm

–  HMAC, RSA, RSA-PSS and ECDSA

–  Unsigned/none (controversy!)

–  Extensible

•  "kid": Key ID

•  "jku": JWK Set URL

•  "jwk": JSON Web Key

•  "x5u": X.509 URL

•  "x5t": X.509 Thumbprint

•  "x5c": X.509 Certificate Chain

•  "typ": Type

•  "cty": Content Type Copyright © 2014 Ping Identity Corp. All rights reserved. 15

Header Example:

"I signed this thing with RSA-SHA256 using key we known as ‘9er’ which you

can find the corresponding public key for at https://www.example.com/jwks"

{"alg":"RS256", "kid":"9er",

"jku":"https://www.example.com/jwks"}

JOSE’s bits and pieces: JWS Algorithms!


Digital Signature or Message Authentication Code Algorithm!

JWS "alg" Parameter Values!

HMAC using SHA2! HS256, HS384 and HS512!

RSASSA-PKCS1-V1_5 Digital Signatures with with SHA2!

RS256, RS384 and RS512!

Elliptic Curve Digital Signatures (ECDSA) with SHA2! ES256, ES384 and ES512!!

RSASSA-PSS Digital Signatures with SHA2! PS256, PS384 and PS512!!

Unsigned Plaintext! none!

USA!&!

Canada

vs.

a little context…

Jingoistic JWS Example!Payload -> USA #1! base64url encoded payload -> VVNBICMxIQ Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") ->

{"alg":"ES256","kid":"my-first-key"} base64url encoded header ->

eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9 Secured Input ->

eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ base64url encoded signature over the Secured Input ->

QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA- TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

JWS Compact Serialization (line breaks after dots added for readability) ->

eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9. VVNBICMxIQ. QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA- TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

Which you can think of sort of like:

{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>

JOSE’s bits and pieces: JWE!

•  JSON Web Encryption

•  Similar in motivation and design to JWS but for encrypting content

•  A little more complicated

–  Headers

•  "alg": Algorithm (key wrap or agreement)

•  "enc": Encryption Method (Authenticated Encryption only)

•  "zip": Compression Algorithm

–  "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one

•  "kid”, “jku”, “jwk”, "x5u”, "x5t”, "x5c”, etc..

•  Five Parts

<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>


JOSE’s bits and pieces: !JWE Content Encryption Algorithms ("enc")!


Content Encryption Algorithm! JWE "enc" Parameter Values!Authenticated encryption with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)!

A128GCM, A192GCM and A256GCM!

Authenticated encryption with an AES-CBC and HMAC-SHA2 composite !

A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512!

JOSE’s bits and pieces: !JWE Key Management Algorithms ("alg")!


Key Management Algorithm! JWE "alg" Parameter Values!Direct encryption with a shared symmetric key! dir!

RSAES-PKCS1-V1_5 key encryption! RSA1_5!

RSAES using OAEP key encryption! RSA-OAEP and RSA-OAEP-256!

AES key wrap! A128KW, A192KW and A256KW!

AES GCM key encryption! A128GCMKW, A192GCMKW and A256GCMKW!

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF!

ECDH-ES!

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap!

ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW!

PBES2 with HMAC SHA-2 and AES key wrapping! PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW!

Payload/plaintext -> I actually really like Canada Header -> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"} base64url encode header -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFU CIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg Encrypted Key: RSA OAEP used wrap a 256 bit random key which is base64url encoded -> knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ Ciphertext: base64url encoded AES 128 CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> rCjFpLbuWKQMJLzQEP4aSw JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ. knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ. OMRMiwPvh13089vcWAw_mg. G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw. rCjFpLbuWKQMJLzQEP4aSw

Confessional JWE Example!

An aside, eh. !Looking for material, I started to Google "never trust a Canadian"…

Brian Campbell!@__b_c!

CIS 2014

JWT!

•  JSON Web Token •  Suggested pronunciation: "jot" •  Compact URL-safe means of representing claims to be

transferred between two parties •  JWS and/or JWE with JSON claims as the payload •  JWT Claim

–  A piece of information asserted about a subject (or the JWT itself)

–  Represented name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object)


•  "iss": Issuer –  Who issued it

•  "sub": Subject –  Who’s it about

•  "aud": Audience –  Who’s it for

•  "exp": Expiration Time –  When it expires

•  "nbf": Not Before –  When it starts being value

•  "iat": Issued At –  When it was issued

•  "jti": JWT ID –  A unique identifier for it


(some) Reserved JWT Claim Names!

jot or not?!


The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.

The Header {"kid":"5","alg":"ES256"}

The Payload {"iss":"https:\/\/idp.example.com", "exp":1357255788, "aud":"https:\/\/sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}

it’s not the size of your token…!


eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg <Assertion Version="2.0" IssueInstant="2013-‐01-‐03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature><ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-‐exc-‐c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-‐more#ecdsa-‐sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-‐signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-‐exc-‐c14n#"/></ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference></ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-‐format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-‐01-‐03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-‐01-‐03T23:39:38.552Z" NotBefore="2013-‐01-‐03T23:29:38.552Z"> <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-‐01-‐03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext> </AuthnStatement> </Assertion>

…it’s how you use it!

•  Simpler = Better •  Web safe encoding w/ no canonicalization

(Because canonicalization is a four letter word*)

•  Improved Interoperability & (hopefully) More Secure

•  Eliminates entire classes of attacks –  XSLT Transform DOS, Remote Code Execution, and Bypass

–  C14N Hash Collision w/ & w/out comments

–  Entity Expansion Attacks

–  XPath Transform DOS and Bypass

–  External Reference DOS

–  Signature Wrapping Attacks


Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and published some of these attacks

* especially when you spell it c14n

JSON Web Key (JWK)!


•  JSON data structure representing cryptographic key(s) –  Public/private keys: RSA & Elliptic Curve

–  Symmetric keys (octet sequence)

•  Can can be –  included in a JWS/JWE/JWT header

–  published at an HTTPS endpoint and referenced

–  used in place of self signed certificates

–  saved in a file

–  sent in an email

–  and more

JWK & JWT Working Together!


JWT/JWS Header { "kid":"5", "alg":"ES256" }

JWK Set {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} ]}

Simple Is As Simple Does!

• The relative simplicity of JW[STEAK] implies a simple programming interface!

• Numerous implementations already exist for a wide variety of languages/platforms !

• Going to make you take quick look at one of them… !


Introducing jose4j!

•  Open source Java implementation of the JOSE specification suite –  https://bitbucket.org/b_c/jose4j

•  Relies solely on the JCA APIs for cryptography •  100% Algorithm Support

•  Production ready –  Used throughout Ping Identity’s products

•  Reference[able] implementation –  Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A

•  Completely free of NSA backdoors –  (but I’m open to "sponsorship" opportunities)


Producing the aforementioned JWS !


PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);!jwk.setKeyId("my-first-key");!!JsonWebSignature jws = new JsonWebSignature();!jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);!jws.setPayload("USA #1!");!jws.setKey(jwk.getPrivateKey());!jws.setKeyIdHeaderValue(jwk.getKeyId());!String compactSerialization = jws.getCompactSerialization();!!System.out.println(compactSerialization);!!

Consuming that JWS!


JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," +! "\"kid\":\"my-first-key\"," +! "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," +! "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," +! "\"crv\":\"P-256\"}");!!String compactSerialization = ! "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." +! "VVNBICMxIQ." +! "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" + ! "REzF1FF25BbrgyohbKdGE1cB-hrA";!!JsonWebSignature jws = new JsonWebSignature();!jws.setCompactSerialization(compactSerialization);!jws.setKey(jwk.getKey());!String payload = jws.getPayload();!!System.out.println(payload);!!

Producing the aforementioned JWE !


String jwkJson =! "{\"kty\":\"RSA\"," +! "\"kid\":\"use this one eh\"," +! "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X"+! "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" +! "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" +! "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +! "\"e\":\"AQAB\"}";!!JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);!!JsonWebEncryption jwe = new JsonWebEncryption();!jwe.setPayload("I actually really like Canada");!jwe.setKey(jwk.getKey());!jwe.setKeyIdHeaderValue(jwk.getKeyId());!jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP);! jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);!String compactSerialization = jwe.getCompactSerialization();!!System.out.println(compactSerialization); !!

Consuming that JWE (1 of 2) !


String jwkJson =! "{\"kty\":\"RSA\"," +! "\"kid\":\"use this one eh\"," +! "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" +! "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" +! "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" +! "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," +! "\"e\":\"AQAB\"," +! "\"d\":\"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" +! "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" +! "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" +! "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ\",\"p\":\"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" +! "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" +! "7PtqHJjrcF3i952oKAGU\",\"q\":\"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" +! "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM\"," +! "\"dp\":\"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" +! "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U\"," +! "\"dq\":\"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" +! "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck\"," +! "\"qi\":\"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" +! "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4\"}";!

Consuming that JWE (2 of 2) !


String jwecs = ! "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." + ! "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" + ! "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" +! "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" + ! "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." +! "OMRMiwPvh13089vcWAw_mg." +! "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." +! "rCjFpLbuWKQMJLzQEP4aSw";!!PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson);!!JsonWebEncryption jwe = new JsonWebEncryption();!jwe.setCompactSerialization(jwecs);!jwe.setKey(jwk.getPrivateKey());!String payload = jwe.getPayload();!!System.out.println(payload);!!

Are we finished yet?!

38

Yes, finished. See you at Boot Camp (maybe).!

Thank you!!!!!!!!!!!

Brian Campbell!@__b_c!

CIS 2014 !

https://flic.kr/p/f7zK1V!

CIS14: I Left My JWT in San JOSE

Technology

jws jwe jwt jwk json

jws header

ping identity corp

jws algorithms

json claims

json web encryption

json web key x5u

jws andor