Top Banner
I left my JWT in San JOSE `` Brian Campbell @__b_c Cloud Identity Summit 2014 http://www.slideshare.net/ briandavidcampbell A technical overview of JSON Web Token (JWT) and JavaScript Object Signing and Encryption (JOSE)
39

I Left My JWT in San JOSE

Aug 23, 2014

Download

Internet

Brian Campbell

JSON Web Token (JWT) is emerging as the goto format for security tokens in next generation identity systems. This talk will provide a technical overview of JWT and it’s underpinnings, the JavaScript Object Signing and Encryption (JOSE) suite of specifications, and equip you with the knowledge and sills needed to talk about and use JWT and JOSE effectively. All the cool kids are doing it and JWT+JOSE recently won a Special European Identity Award for Best Innovation for Security in the API Economy at the 2014 European Identity & Cloud Conference.
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: I Left My JWT in San JOSE

I left my JWT in San JOSE

``Brian Campbell

@__b_cCloud Identity Summit 2014

http://www.slideshare.net/briandavidcampbell

A technical overview of JSON Web Token (JWT) and JavaScript Object

Signing and Encryption (JOSE)

Page 2: I Left My JWT in San JOSE

Introductions

http://blog.talkingidentity.com/2013/08/thanking-the-iam-venn-erables-in-my-own-way.html

Me

Page 3: I Left My JWT in San JOSE

More Introductions…

Copyright © 2014 Ping Identity Corp. All rights reserved. 3https://twitter.com/itickr/status/354999490928857088

https://flic.kr/p/f6PKjB

Page 4: I Left My JWT in San JOSE

• JavaScript Object Signing and Encryption (JOSE)– JSON Web Signature (JWS)

• A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding

– JSON Web Encryption (JWE)• Like JWS but for encrypting content

– JSON Web Key (JWK) • JSON data structures representing cryptographic keys

– JSON Web Algorithms • Defines the use cryptographic algorithms and identifiers for

JWS, JWE and JWK

• JSON Web Token (JWT)– A compact URL-safe means of representing

claims/attributes to be transferred between two parties

– A JWT is a JWS and/or a JWE with JSON claims as the payload Copyright © 2014 Ping Identity Corp. All rights

reserved. 4

JWT + JOSE Overview

JWS JWE

JWTJWK

JSON

Page 5: I Left My JWT in San JOSE

• Not even official RFCs yet but – Well regarded

– And widely used:• OAuth

• OpenID Connect

• Mozilla Persona (ahem)

• W3C Web Cryptography API

• + more…

Three nerds holding a blurry piece of paper they tell me is some kind of award for the JOSE & JWT work.

http://www.kuppingercole.com/article/award2014

5

JWT + JOSE in the Wild

Page 6: I Left My JWT in San JOSE

What’s in a Name?

https://twitter.com/metadaddy/status/454422069199900672

JW*

Page 7: I Left My JWT in San JOSE

Copyright © 2014 Ping Identity Corp. All rights reserved. 7

But you wouldn't name your child ‘Attila the Hun’ would you?

"Attila, Scourge of God"http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg

I didn’t…

Page 8: I Left My JWT in San JOSE

What would JOSE do? ‡

Call it

JW-STEAK

‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I’m not at all reluctant about

blaming him. JW-

JWSJWTJWEJWAJWK

Page 9: I Left My JWT in San JOSE

Because who doesn’t like a good steak?

Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U

Page 10: I Left My JWT in San JOSE

Okay, fine…

• Technically speaking, my vegan coworker does not like steak

• Even if it is ‘good’• But let’s not split hairs on this

one…

Copyright © 2014 Ping Identity Corp. All rights reserved. 10

Page 11: I Left My JWT in San JOSE

Awkward Transition… into some of the more technical details

11

Few things are more awkward than Paul Madsen

eating a Slim Jim while wearing a sailor's outfit and

bowtie

Page 12: I Left My JWT in San JOSE

All The Cool Kids Are Doing It

Copyright © 2014 Ping Identity Corp. All rights reserved. 12

{"JSON" : "a lightweight & human-readable data-interchange format"}

Page 13: I Left My JWT in San JOSE

The 64 Character Question• base64

– A means of encoding binary data in a printable ASCII string format– Each 6 bits -> 1 character

• From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/"

• Also padding "="

– 3 bytes -> 4 characters

• base64url – uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64 – "-" rather than "+" – "_" rather than "/"– Padding "=" is typically omitted

• A remaining unreserved URI character: "."– This will prove important shortly

Copyright © 2014 Ping Identity Corp. All rights reserved. 13

Example: 32 random bytes encoded

base64: qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU=base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU

URL Encoded:qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3DqOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU

Page 14: I Left My JWT in San JOSE

A closer look at JOSE’s bits and pieces: JWS

• JSON Web Signature (JWS)• A way of representing content secured with a digital signature or

MAC – Using a JSON data structure and base64url encoding– Encoded segments are concatenated with a "."– Intended for space constrained environments such as HTTP

Authorization headers and URI query parameters

• Conceptually Simple:– <Header>.<Payload>.<Signature>

Copyright © 2014 Ping Identity Corp. All rights reserved. 14

Page 15: I Left My JWT in San JOSE

JOSE’s bits and pieces: The JWS Header• JWS Header is a bit of JSON that describes the digital signature or MAC

operation applied to create the JWS Signature value• Reserved Header Parameters

– "alg": Algorithm– HMAC, RSA, RSA-PSS and ECDSA

– Unsigned/none (controversy!)

– Extensible

• "kid": Key ID• "jku": JWK Set URL• "jwk": JSON Web Key• "x5u": X.509 URL• "x5t": X.509 Thumbprint• "x5c": X.509 Certificate Chain• "typ": Type• "cty": Content Type Copyright © 2014 Ping Identity Corp. All rights

reserved. 15

Header Example:

"I signed this thing with RSA-SHA256 using key we known as ‘9er’ which you

can find the corresponding public key for at https://www.example.com/jwks"

{"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}

Page 16: I Left My JWT in San JOSE

JOSE’s bits and pieces: JWS Algorithms

Copyright © 2014 Ping Identity Corp. All rights reserved. 16

Digital Signature or Message Authentication Code Algorithm

JWS "alg" Parameter Values

HMAC using SHA2 HS256, HS384 and HS512

RSASSA-PKCS1-V1_5 Digital Signatures with with SHA2

RS256, RS384 and RS512

Elliptic Curve Digital Signatures (ECDSA) with SHA2 ES256, ES384 and ES512

RSASSA-PSS Digital Signatures with SHA2 PS256, PS384 and PS512

Unsigned Plaintext none

Page 17: I Left My JWT in San JOSE

USA&

Canada

vs.

a little context…

Page 18: I Left My JWT in San JOSE

Jingoistic JWS ExamplePayload -> USA #1!

base64url encoded payload -> VVNBICMxIQ

Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") -> {"alg":"ES256","kid":"my-first-key"}

base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9

Secured Input ->

eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ

base64url encoded signature over the Secured Input ->QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-

TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

JWS Compact Serialization (line breaks after dots added for readability) ->eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ.QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-

TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

Which you can think of sort of like:{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>

Page 19: I Left My JWT in San JOSE

JOSE’s bits and pieces: JWE

• JSON Web Encryption

• Similar in motivation and design to JWS but for encrypting content

• A little more complicated

– Headers

• "alg": Algorithm (key wrap or agreement)

• "enc": Encryption Method (Authenticated Encryption only)

• "zip": Compression Algorithm

– "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one

• "kid”, “jku”, “jwk”, "x5u”, "x5t”, "x5c”, etc..

• Five Parts

<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>

Copyright © 2014 Ping Identity Corp. All rights reserved. 19

Page 20: I Left My JWT in San JOSE

JOSE’s bits and pieces: JWE Content Encryption Algorithms ("enc")

Copyright © 2014 Ping Identity Corp. All rights reserved. 20

Content Encryption Algorithm JWE "enc" Parameter ValuesAuthenticated encryption with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM)

A128GCM, A192GCM and A256GCM

Authenticated encryption with an AES-CBC and HMAC-SHA2 composite

A128CBC-HS256, A192CBC-HS384 and A256CBC-HS512

Page 21: I Left My JWT in San JOSE

JOSE’s bits and pieces: JWE Key Management Algorithms ("alg")

Copyright © 2014 Ping Identity Corp. All rights reserved. 21

Key Management Algorithm JWE "alg" Parameter ValuesDirect encryption with a shared symmetric key

dir

RSAES-PKCS1-V1_5 key encryption RSA1_5RSAES using OAEP key encryption RSA-OAEP and RSA-OAEP-256AES key wrap A128KW, A192KW and A256KWAES GCM key encryption A128GCMKW, A192GCMKW and

A256GCMKWElliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF

ECDH-ES

Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap

ECDH-ES+A128KW, ECDH-ES+A192KW and ECDH-ES+A256KW

PBES2 with HMAC SHA-2 and AES key wrapping

PBES2-HS256+A128KW, PBES2-HS384+A192KW and PBES2-HS512+A256KW

Page 22: I Left My JWT in San JOSE

Payload/plaintext -> I actually really like Canada

Header -> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"}

base64url encode header -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ

IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg

Encrypted Key: RSA OAEP used wrap a 256 bit random key which is base64url encoded -> knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ

Ciphertext: base64url encoded AES 128 CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw

Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> rCjFpLbuWKQMJLzQEP4aSw

JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->

eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ.knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ.OMRMiwPvh13089vcWAw_mg.G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw.rCjFpLbuWKQMJLzQEP4aSw

Confessional JWE Example

Page 23: I Left My JWT in San JOSE

An aside, eh.

Looking for material, I started to Google "never trust a Canadian"…

Brian Campbell@__b_c

CIS 2014

Page 24: I Left My JWT in San JOSE

JWT

• JSON Web Token• Suggested pronunciation: "jot"• Compact URL-safe means of representing claims to be

transferred between two parties• JWS and/or JWE with JSON claims as the payload• JWT Claim

– A piece of information asserted about a subject (or the JWT itself)– Represented name/value pairs, consisting of a Claim Name and a

Claim Value (which can be any JSON object)

Copyright © 2014 Ping Identity Corp. All rights reserved. 24

Page 25: I Left My JWT in San JOSE

• "iss": Issuer – Who issued it

• "sub": Subject – Who’s it about

• "aud": Audience– Who’s it for

• "exp": Expiration Time– When it expires

• "nbf": Not Before– When it starts being value

• "iat": Issued At– When it was issued

• "jti": JWT ID– A unique identifier for it

Copyright © 2014 Ping Identity Corp. All rights reserved. 25

(some) Reserved JWT Claim Names

Page 26: I Left My JWT in San JOSE

jot or not?

Copyright © 2014 Ping Identity Corp. All rights reserved. 26

The JWTeyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

The Header{"kid":"5","alg":"ES256"}

The Payload{"iss":"https:\/\/idp.example.com","exp":1357255788,"aud":"https:\/\/sp.example.org","jti":"tmYvYVU2x8LvN72B5Q_EacH._5A","acr":"2","sub":"Brian"}

The Signature[computery junk]

Page 27: I Left My JWT in San JOSE

it’s not the size of your token…

Copyright © 2014 Ping Identity Corp. All rights reserved. 27

eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature><ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference></ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext> </AuthnStatement></Assertion>

JWT

SAML ASSERTION

Page 28: I Left My JWT in San JOSE

…it’s how you use it

• Simpler = Better• Web safe encoding w/ no canonicalization

(Because canonicalization is a four letter word*)

• Improved Interoperability & (hopefully) More Secure

• Eliminates entire classes of attacks – XSLT Transform DOS, Remote Code Execution, and Bypass

– C14N Hash Collision w/ & w/out comments

– Entity Expansion Attacks

– XPath Transform DOS and Bypass

– External Reference DOS

– Signature Wrapping Attacks

Copyright © 2014 Ping Identity Corp. All rights reserved. 28

Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and published some of these attacks

* especially when you spell it c14n

Page 29: I Left My JWT in San JOSE

JSON Web Key (JWK)

Copyright © 2014 Ping Identity Corp. All rights reserved. 29

• JSON data structure representing cryptographic key(s)– Public/private keys: RSA & Elliptic Curve

– Symmetric keys (octet sequence)

• Can can be– included in a JWS/JWE/JWT header

– published at an HTTPS endpoint and referenced

– used in place of self signed certificates

– saved in a file

– sent in an email

– and more

Page 30: I Left My JWT in San JOSE

JWK & JWT Working Together

Copyright © 2014 Ping Identity Corp. All rights reserved. 30

JWT/JWS Header{ "kid":"5", "alg":"ES256"}

JWK Set

{"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}]}

Page 31: I Left My JWT in San JOSE

Simple Is As Simple Does

• The relative simplicity of JW[STEAK] implies a simple programming interface

• Numerous implementations already exist for a wide variety of languages/platforms

• Going to make you take quick look at one of them…

Copyright © 2014 Ping Identity Corp. All rights reserved. 31

Page 32: I Left My JWT in San JOSE

Introducing jose4j

• Open source Java implementation of the JOSE specification suite– https://bitbucket.org/b_c/jose4j

• Relies solely on the JCA APIs for cryptography• 100% Algorithm Support• Production ready

– Used throughout Ping Identity’s products

• Reference[able] implementation– Fact checked the JOSE cookbook:

http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A

• Completely free of NSA backdoors– (but I’m open to "sponsorship" opportunities) Copyright © 2014 Ping Identity Corp. All rights

reserved. 32

Page 33: I Left My JWT in San JOSE

Producing the aforementioned JWS

Copyright © 2014 Ping Identity Corp. All rights reserved. 33

PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);jwk.setKeyId("my-first-key");

JsonWebSignature jws = new JsonWebSignature();jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);jws.setPayload("USA #1!");jws.setKey(jwk.getPrivateKey());jws.setKeyIdHeaderValue(jwk.getKeyId());String compactSerialization = jws.getCompactSerialization();

System.out.println(compactSerialization);

Page 34: I Left My JWT in San JOSE

Consuming that JWS

Copyright © 2014 Ping Identity Corp. All rights reserved. 34

JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," + "\"kid\":\"my-first-key\"," + "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," + "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," + "\"crv\":\"P-256\"}");

String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." + "VVNBICMxIQ." + "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" + "REzF1FF25BbrgyohbKdGE1cB-hrA";

JsonWebSignature jws = new JsonWebSignature();jws.setCompactSerialization(compactSerialization);jws.setKey(jwk.getKey());String payload = jws.getPayload();

System.out.println(payload);

Page 35: I Left My JWT in San JOSE

Producing the aforementioned JWE

Copyright © 2014 Ping Identity Corp. All rights reserved. 35

String jwkJson = "{\"kty\":\"RSA\"," + "\"kid\":\"use this one eh\"," + "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X"+ "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" + "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" + "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," + "\"e\":\"AQAB\"}";

JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson);

JsonWebEncryption jwe = new JsonWebEncryption();jwe.setPayload("I actually really like Canada");jwe.setKey(jwk.getKey());jwe.setKeyIdHeaderValue(jwk.getKeyId());jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);String compactSerialization = jwe.getCompactSerialization();

System.out.println(compactSerialization);

Page 36: I Left My JWT in San JOSE

Consuming that JWE (1 of 2)

Copyright © 2014 Ping Identity Corp. All rights reserved. 36

String jwkJson = "{\"kty\":\"RSA\"," + "\"kid\":\"use this one eh\"," + "\"n\":\"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" + "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" + "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" + "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw\"," + "\"e\":\"AQAB\"," + "\"d\":\"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" + "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" + "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" + "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ\",\"p\":\"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" + "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" + "7PtqHJjrcF3i952oKAGU\",\"q\":\"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" + "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM\"," + "\"dp\":\"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" + "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U\"," + "\"dq\":\"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" + "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck\"," + "\"qi\":\"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" + "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4\"}";

Page 37: I Left My JWT in San JOSE

Consuming that JWE (2 of 2)

Copyright © 2014 Ping Identity Corp. All rights reserved. 37

String jwecs = "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." + "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" + "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" + "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" + "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." + "OMRMiwPvh13089vcWAw_mg." + "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." + "rCjFpLbuWKQMJLzQEP4aSw";

PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson);

JsonWebEncryption jwe = new JsonWebEncryption();jwe.setCompactSerialization(jwecs);jwe.setKey(jwk.getPrivateKey());String payload = jwe.getPayload();

System.out.println(payload);

Page 38: I Left My JWT in San JOSE

Are we finished yet?

38

Page 39: I Left My JWT in San JOSE

Yes, finished. See you at Boot Camp (maybe).

Thank you!

Brian Campbell@__b_c

CIS 2014

https://flic.kr/p/f7zK1V