A technical overview of JSON Web Token (JWT) and its JOSE underpinnings, which are poised to be the next generation identity token, as well as a look at using one open source implementation (jose4j).
Also some (bad) jokes.
JOSE Can You See...
1. JOSE CAN YOU SEE…‡
A technical overview of JWT and its
JOSE underpinnings, which are
poised to be the next generation
identity token, as well as a look at
using one open source
implementation.
Brian Campbell
@__b_c
IIW #18
May 2014
‡ Partial credit for the title goes to
Brad Tumy
5.
What's in a name?
https://twitter.com/metadaddy/status/454422069199900672
6.
But you wouldn't name your child
'Attila the Hun' would you?
I didn't…
"Attila, Scourge of God"
http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg
14.
JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256 using "my-first-key") -> {"alg":"ES256","kid":"my-first-key"}
base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9
Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
JWS Compact Serialization (line breaks after dots added for readability) ->
eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.
VVNBICMxIQ.
QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA
Which you can think of sort of like:
{"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
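The slide walks through the JWS compact serialization by hand; the following Python (an added example, not code from the deck or from jose4j) reproduces the encoding steps with only the standard library, so the header and payload strings above can be checked. Because ES256 needs a third-party ECDSA library, the signing and verifying functions substitute HS256 (HMAC-SHA256, stdlib `hmac`); the key bytes and the `kid` value `"demo-hmac-key"` are constructed for the example. The verifier pins the algorithm it expects rather than trusting the token's `alg` header, checks the `kid`, and compares signatures in constant time.

```python
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode: restore padding before decoding."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def signing_input(header: dict, payload: bytes) -> str:
    """The 'Secured Input' from the slide: b64url(header) '.' b64url(payload).

    No canonicalization step: the signature covers exactly these bytes.
    json.dumps with compact separators reproduces the slide's header text.
    """
    header_json = json.dumps(header, separators=(",", ":")).encode("utf-8")
    return b64url_encode(header_json) + "." + b64url_encode(payload)


def hs256_compact_jws(payload: bytes, key: bytes, kid: str) -> str:
    """Produce header.payload.signature using HMAC-SHA256 (HS256).

    HS256 is used here in place of the slide's ES256 because ECDSA is not
    in the standard library; the structure of the token is identical.
    """
    header = {"alg": "HS256", "kid": kid}
    secured = signing_input(header, payload)
    sig = hmac.new(key, secured.encode("ascii"), hashlib.sha256).digest()
    return secured + "." + b64url_encode(sig)


def verify_hs256_compact_jws(jws: str, key: bytes, expected_kid: str) -> bytes:
    """Verify a compact JWS and return the raw payload, or raise ValueError."""
    parts = jws.split(".")
    if len(parts) != 3:
        raise ValueError("compact JWS must have exactly three dot-separated parts")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The verifier decides which algorithm is acceptable; the token's own
    # 'alg' is checked against that decision, never used to choose a verifier.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    if header.get("kid") != expected_kid:
        raise ValueError("unexpected kid: %r" % header.get("kid"))
    expected = hmac.new(key, (h + "." + p).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature does not verify")
    return b64url_decode(p)


if __name__ == "__main__":
    # Reproduce the slide's header/payload encoding (ES256 header, "USA #1!" payload).
    print(signing_input({"alg": "ES256", "kid": "my-first-key"}, b"USA #1!"))
    # Constructed demo key; an HS256 round trip shows the three-part structure.
    demo_key = b"constructed-demo-key-not-for-real-use"
    token = hs256_compact_jws(b"USA #1!", demo_key, "demo-hmac-key")
    print(token)
    print(verify_hs256_compact_jws(token, demo_key, "demo-hmac-key"))
```

Running the script prints the same Secured Input as the slide for the ES256 header, then an HS256 token with the same three-part shape. A token whose middle segment has been altered, or whose header names a different `alg` or `kid`, is rejected before any payload is returned.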
28.
…it's how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization
– Because canonicalization is a four letter word (especially
when you spell it c14n)
• Improved Interoperability & (hopefully) More Secure
• Eliminates entire classes of attacks
– XSLT Transform DOS, Remote Code Execution, and Bypass
– C14N Hash Collision w/ & w/out comments
– Entity Expansion Attacks
– XPath Transform DOS and Bypass
– External Reference DOS
– Signature Wrapping Attacks†
Brad Hill, pictured here speaking at CIS, is wicked smaht and published some
of these attacks
† This poor bastard was the 'victim' in my POC of a signature wrapping
vulnerability in SAML SSO for Google Apps
http://www.google.com/about/appsecurity/hall-of-fame/reward/