JOSE Can You See...

JOSE CAN YOU SEE…‡

A technical overview of JWT and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation.

Brian Campbell@__b_c

IIW #18May 2014

‡ Partial credit for the title goes to Brad Tumy

https://twitter.com/brad_tumy/status/3372505030

77552128

2

JWT + JOSE Overview

• JSON Web Token (JWT)– Compact URL-safe means of representing claims to be transferred

between two parties– JWS and/or JWE with JSON claims as the payload

• Javascript Object Signing and Encryption (JOSE)– JSON Web Signature (JWS)

• A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding

– JSON Web Encryption (JWE)• Like JWS but for encrypting content

– JSON Web Key (JWK) • JSON data structure representing cryptographic key(s)

Copyright © 2014 Brian Campbell. All rights reserved.

3

JWT + JOSE in the Wild

• Not even an RFC yet but widely used:

– OAuth– OpenID Connect– Mozilla Persona

(ahem)– W3C Web

Cryptography API– And more…


three nerds holding a blurry piece of paper they tell me is some kind of award for

OpenID Connect

4

jose4j Overview

• Open source (free as in beer) Java implementation of the JOSE specification suite

– Get yours at https://bitbucket.org/b_c/jose4j

• Relies solely on the JCA APIs for cryptography• 100% (Dammit Mike!) 97.5% Algorithm Support• Reference[able] implementation

– Fact checked the cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A

• Completely free of intentional NSA backdoors– (but I’m open to “sponsorship” opportunities)

• Production ready: used throughout Ping Identity’s products• Rated the #1 JOSE implementation in the world (based on an unbiased survey of the library

author’s mother)

• Did I mention free? Easy too.• All proceeds from sales go to a charity that provides comfort and support

to dying identity protocols living out their final days• Take a stand against monoculture (did heartbleed teach us nothing?)


https://bitbucket.org/b_c/jose4j

https://bitbucket.org/b_c/jose4j

http://tools.ietf.org/html/draft-ietf-jose-cookbook-02%23appendix-A

http://tools.ietf.org/html/draft-ietf-jose-cookbook-02%23appendix-A

5

What’s in a name?

https://twitter.com/metadaddy/status/454422069199900672

6

But you wouldn't name your child ‘Attila the Hun’ would you?

I didn’t…"Attila, Scourge of God"http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg

7

What would JOSE do? ‡

• Call it “JW-STEAK”!• ‘cause who doesn’t like a

good steak?


•JW-–JWS–JWT–JWE–JWA–JWK

Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U

‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I’m not at all reluctant about blaming him.

8

Okay, fine…

• Technically speaking, my vegan coworker does not like steak

• Even if it is ‘good’• But let’s not split hairs on this one…


9

Awkward Transition


…into some more technical details

10

The 64 Character Question

• base64url is *almost* like base64 – Both are a means of encoding binary data in a printable ASCII string format– Each 6 bits -> 1 character (from a 64 character alphabet)– 3 bytes -> 4 characters

• But base64url uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64

– 62 alphanumeric characters– “-” rather than “+”– “_” rather than “/”– Padding “=” is typically omitted

• A remaining unreserved URI character: “.”– This will prove important shortly


11

A closer look at JOSE’s bits and pieces: JWS

• JSON Web Signature (JWS)• A way of representing content secured with a digital

signature or MAC using JSON data structures and base64url encoding

– Encoded segment are concatenated with a “.”

• Intended for space constrained environments such as HTTP Authorization headers and URI query parameters

• Conceptually Simple:– <Header>.<Payload>.<Signature>


12

JOSE’s bits and pieces: JWS Header

• JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value

• Reserved Header Parameters – “alg”: Algorithm

– HMAC, RSA, RSA-PSS and ECDSA

– None (controversy!)

– Extensible

• “kid”: Key ID• “jku”: JWK Set URL• “jwk”: JSON Web Key• “x5u”: X.509 URL• “x5t”: X.509 Thumbprint• “x5c”: X.509 Certificate Chain• “typ”: Type• “cty”: Content Type


Header Example:

“I signed this thing with RSA-SHA256 using key we known as ‘9er’ which you can find the corresponding public key for at https://www.example.com/jwks”

{"alg":"RS256", "kid":”9er", "jku”:"https://www.example.com/jwks"}

13

JOSE’s bits and pieces: JWS Algorithms

14

JWS Example

Payload -> USA #1!base64url encoded payload -> VVNBICMxIQ

Header (going to sign with ECDSA P-256 SHA-256 using “my-first-key”) -> {"alg":"ES256","kid":"my-first-key"}base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9

Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ

base64url encoded signature over the Secured Input ->QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

JWS Compact Serialization (line breaks after dots added for readability) ->eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ.QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA

Which you can think of sort of like:{"alg":"ES256","kid":"my-first-key”}.”USA #1!”.<SIGNATURE>

15

Producing a JWS using jose4j

More examples or using jose4j to work with JWS can be found at https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples


PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256);jwk.setKeyId("my-first-key");

JsonWebSignature jws = new JsonWebSignature();jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256);jws.setPayload("USA #1!");jws.setKey(jwk.getPrivateKey());jws.setKeyIdHeaderValue(jwk.getKeyId());String compactSerialization = jws.getCompactSerialization();

System.out.println(compactSerialization);

16

Consuming a JWS using jose4j


More examples or using jose4j to work with JWS can be found at https://bitbucket.org/b_c/jose4j/wiki/JWS%20Examples

JsonWebKey jwk = JsonWebKey.Factory.newJwk("{\"kty\":\"EC\"," + "\"kid\":\"my-first-key\"," + "\"x\":\"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ\"," + "\"y\":\"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk\"," + "\"crv\":\"P-256\"}");

String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." + "VVNBICMxIQ." + "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA”;

JsonWebSignature jws = new JsonWebSignature();jws.setCompactSerialization(compactSerialization);jws.setKey(jwk.getKey());String payload = jws.getPayload();

System.out.println(payload);

17

JOSE’s bits and pieces: JWE

• JSON Web Encryption

• Similar in motivation and design to JWS but for encrypting content

• A little more complicated

– Headers

• “alg”: Algorithm (key wrap or agreement)

• “enc”: Encryption Method (Authenticated Encryption only)

• “zip”: Compression Algorithm

• Etc.

• Five Parts

<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>


18

JOSE’s bits and pieces: JWE Key Management Algorithms (“alg”)


19

JOSE’s bits and pieces: JWE Content Encryption Algorithms (“enc”)


Note that all of the encryption methods are AEAD algorithms, which is nice

20

JWE Example


Payload/plaintext -> I actually really like Canada

Header -> {"alg":"PBES2-HS256+A128KW","enc":"A128CBC-HS256","p2c":8192,"p2s":"QkbLQniKLUTQVP4l"}

base64url encode header ->

eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0

Encrypted Key: PBES2 used to AES Key wrap a 256 bit random key which is base64url encoded -> g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg

IV: base64url encoded 128 bit initialization vector -> 6h172lww9VqemjMQMaVPdg

Ciphertext: base64url encoded AES 128 CBC encrypted payload -> YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0

Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> Ie4iYLbdQCqwMWJf37rEZg

JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) ->

eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0.g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg.6h172lww9VqemjMQMaVPdg.YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0.Ie4iYLbdQCqwMWJf37rEZg

21

Producing a JWE using jose4j

More examples or using jose4j to work with JWE can be found at https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples


JsonWebEncryption jwe = new JsonWebEncryption();jwe.setPayload("I actually really like Canada");jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.PBES2_HS256_A128KW);jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256);String compactSerialization = jwe.getCompactSerialization();

System.out.println(compactSerialization);

22

Consuming a JWE using jose4j

More examples or using jose4j to work with JWE can be found at https://bitbucket.org/b_c/jose4j/wiki/JWE%20Examples


String compactSerialization = "eyJhbGciOiJQQkVTMi1IUzI1NitBMTI4S1ciLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwicDJjIjo4MTkyLCJwMnMiOiJRa2JMUW5pS0xVVFFWUDRsIn0." + "g7s-MxHFn5WHCfO33hgWYiAtH1lB83TnufWoaFIEujEYb14pqeH9Mg." + "6h172lww9VqemjMQMaVPdg." + "YMg_F8aoT3ZByou3CURhKzaGX1nc5QJDo3cWyUSyow0." + "Ie4iYLbdQCqwMWJf37rEZg";

JsonWebEncryption jwe = new JsonWebEncryption();jwe.setCompactSerialization(compactSerialization);jwe.setKey(new PbkdfKey("don't-tell-p@ul|pam!"));String payload = jwe.getPayload();

System.out.println(payload);

23

An aside, eh.

• As I tried to Google “never trust a Canadian”…


24

JWT

• JSON Web Token• Suggested pronunciation: "jot”• Compact URL-safe means of representing claims

to be transferred between two parties• JWS and/or JWE with JSON claims as the

payload• JWT Claim

– A piece of information asserted about a subject (or the JWT itself).

– Represented name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object).


25

Reserved JWT Claim Names

• “iss”: Issuer • “sub”: Subject • “aud”: Audience• “exp”: Expiration Time • “nbf”: Not Before • “iat”: Issued At• “jti”: JWT ID


26

jot or not?

The JWTeyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

The Header{"kid":"5","alg":"ES256"}

The Payload{"iss":"https:\/\/idp.example.com","exp":1357255788,"aud":"https:\/\/sp.example.org","jti":"tmYvYVU2x8LvN72B5Q_EacH._5A","acr":"2","sub":"Brian"}

The Signature[computery junk]

27

it’s not the size of your token…eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction> <Audience>https://sp.example.org</Audience> </AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext> <AuthnContextClassRef>2</AuthnContextClassRef> </AuthnContext> </AuthnStatement></Assertion>

JWT

SAML ASSERTION

28

…it’s how you use it

• Simpler = Better• Web safe encoding w/ no canonicalization

– Because canonicalization is a four letter word (especially when you spell it c14n)

• Improved Interoperability & (hopefully) More Secure • Eliminates entire classes of attacks

– XSLT Transform DOS, Remote Code Execution, and Bypass

– C14N Hash Collision w/ & w/out comments

– Entity Expansion Attacks

– XPath Transform DOS and Bypass

– External Reference DOS

– Signature Wrapping Attacks†

Brad Hill, pictured here speaking at CIS, is wicked smaht and published some of these attacks

† This poor bastard was the ‘victim’ in my POC of a signature wrapping vulnerability in SAML SSO for Google Apps http://www.google.com/about/appsecurity/hall-of-fame/reward/

29

JSON Web Key (JWK)


• JSON data structure representing cryptographic key(s) which can be

– included in a JWS/JWE/JWT header

– saved in a file

– used in place of self signed certificates

– published at an HTTPS endpoint and referenced

JWT/JWS Header{"kid":"5","alg":"ES256"}

{"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"}]}

30

Generating JWK and JWKS using jose4j


List<JsonWebKey> jwkList = new LinkedList<>();for (int kid = 4; kid < 7; kid++){ JsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256); jwk.setKeyId(String.valueOf(kid)); jwkList.add(jwk);}JsonWebKeySet jwks = new JsonWebKeySet(jwkList);

System.out.println(jwks.toJson(JsonWebKey.OutputControlLevel.PUBLIC_ONLY));

31

Consuming a JWKS using jose4j


String jwksJson = "{\"keys\":[\n" + " {\"kty\":\"EC\",\n\"kid\":\"4\",\n" + " \"x\":\"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo\", \n" + " \"y\":\"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A\",\n" + " \"crv\":\"P-256\"},\n" + " {\"kty\":\"EC\",\n\"kid\":\"5\",\n" + " \"x\":\"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU\",\n" + " \"y\":\"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0\",\n" + " \"crv\":\"P-256\"},\n" + " {\"kty\":\"EC\",\n\"kid\":\"6\",\n" + " \"x\":\"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00\",\n" + " \"y\":\"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU\",\n" + " \"crv\":\"P-256\"}\n" + "]}";

JsonWebKeySet jwks = new JsonWebKeySet(jwksJson);JsonWebKey jwk = jwks.findJsonWebKey("5", null, null, null);System.out.println(jwk.getKey());

32

Are we finished yet?


33

Yes, finished. See you in the circle (maybe).

https://flic.kr/p/ay3VVSCopyright © 2014 Brian Campbell. All rights reserved.

JOSE Can You See...

Software

json data

representing

url safe alphabet

representing

digital signature

json claims

safe means

rights reserved