
Keystone JWS Tokens: Past, Present, and Future

Keystone has had multiple Token formats in the past. With JSON Web Signatures (JWS) we introduce yet another one.

It turns out that there are several reasons, including lessons learned from previous token formats like PKI and Fernet. In this talk, we discuss what tokens mean for distributed computing. We will focus on how the different token formats provide trade-offs in performance and scalability. Then we will discuss the JWS format, how it works, and what benefits it provides. We'll close with a look at the future and the features we can build on top of JWS.

Published in: Technology

  1. JWS tokens: Past, Present, and Future. Adam Young (ayoung), Lance Bragstad (lbragstad)
  2. IMAGINE IF we had a token compatible with OpenStack and everything else
  3. JWS tokens (agenda): What is a token? Understanding historical context behind token formats; What is a JWT/S? Comparing Fernet and JWS; Configuring JWS; Notes about key rotation and distribution; What's next for JWS? Q&A
  4. JWS tokens (agenda slide, repeated)
  5. What is a token?
     GET /v2/b5a951/servers HTTP/1.1
     Host: servers.api.openstack.org
     Accept: application/json
     X-Auth-Token: $TOKEN
  6. JWS tokens (agenda slide, repeated)
  7. Why not use UUID tokens? They must be persisted. Example: 779810523fb24886b67a23f4f823b685
  8. Why not use PKI tokens? They are huge.
  9. Why not use PKIZ tokens? They are still huge.
  10. Why not use Fernet tokens? They require symmetric encryption and signing. Example: gAAAAABU7roWGiCuOvgFcckec-0ytpGnMZDBLG9hA7Hr9qfvdZDHjsak39YN98HXxoYLIqVm19Egku5YR3wyI7heVrOmPNEtmr-fIM1rtahudEdEAPM4HCiMrBmiA1Lw6SU8jc2rPLC7FK7nBCia_BGhG17NVHuQu0S7waA306jyKNhHwUnpsBQ=
  11. JWS tokens (agenda slide, repeated)
  12. What is a JSON Web Token? An open standard for sharing authorization data.
  13. What is a JSON Web Token? Detailed in RFC 7519. Defines a set of public claims. Allows implementations to supply private claims. Supports signed and encrypted payloads. Supports asymmetric cryptography.
  14. JSON Web Token (RFC 7519): relatively small, non-persistent, asymmetric, setup, online validation.
      eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJvcGVuc3RhY2tfcHJvamVjdF9pZCI6IjMzMzNhMDQ0ZWMyYzQxMzNhMWQ0NGI1ZmRhYjBjMjg2Iiwic3ViIjoiM2ZlMTUxMTNjZjc5NGU4ZjljNWRhZDlmMTA3M2IwODkiLCJleHAiOjE1NTQxMzMzMzEsIm9wZW5zdGFja19hdWRpdF9pZHMiOlsiZW1BUVRCZWVSVmFidzI4QW9FRURqdyJdLCJpYXQiOjE1NTQxMjk3MzEsIm9wZW5zdGFja19tZXRob2RzIjpbInBhc3N3b3JkIl19.tHcVIaW43RwREduckh2itJ_RrZ5Dc-tFElox1SsORO3Q7DsDLlWDQbuhCRuRd6_QgB0Brm1x_q7aB2lZcHy_fw=
  15. JWT header (the first dot-separated segment of the token above)
  16. {"alg": "ES256", "typ": "JWT"}
  17. JWT payload (the second segment)
  18. {
        "openstack_project_id": "3333a044ec2c4133a1d44b5fdab0c286",
        "sub": "3fe15113cf794e8f9c5dad9f1073b089",
        "exp": 1554133331,
        "openstack_audit_ids": ["emAQTBeeRVabw28AoEEDjw"],
        "iat": 1554129731,
        "openstack_methods": ["password"]
      }
  19. JWT signature (the third segment)
  20. ECDSASHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), publicKey, privateKey) (slides 21 to 23 repeat this formula)
  24. Public claims: principal of the JWT; expiration time; issued-at time
  25. Public claims: "sub": "3fe15113cf794e8f9c5dad9f1073b089"; "exp": 1554133331; "iat": 1554129731
  26. Private claims: token scope; auditing information; authentication methods
  27. Private claims: "openstack_project_id": "3333a044ec2c4133a1d44b5fdab0c286"; "openstack_audit_ids": ["emAQTBeeRVabw28AoEEDjw"]; "openstack_methods": ["password"]
  28. JWS tokens (agenda slide, repeated)
  29. Comparing Fernet and JWS: non-persistence and online validation*; opacity; symmetric versus asymmetric; key rotation and distribution
  30. Encryption and signing details: Fernet uses a 128-bit AES-CBC encryption key + 128-bit SHA256 HMAC signing key
  31. Encryption and signing details: JWS uses the ES256 JWA, signing with ECDSA using the P-256 curve and the SHA256 HMAC
  32. JWS tokens (agenda slide, repeated)
  33. Configuring JWS: keystone.conf
      [token]
      provider = jws
      [jwt_tokens]
      jws_public_key_repository
      jws_private_key_repository
  34. Configuring JWS: keystone.conf
      [token]
      provider = jws
      [jwt_tokens]
      jws_public_key_repository = /etc/keystone/jws-keys/public
      jws_private_key_repository = /etc/keystone/jws-keys/private
  35. JWS tokens (agenda slide, repeated)
  36. How do we create key pairs? keystone-manage create_jws_keypair: ECDSA key pair using a secp256r1 (NIST P-256) curve
  37. JWS key rotation and distribution: on-disk key repositories; each API server needs a public-private key pair; keystone-manage doesn't handle rotation
  38. JWS key-pair management across node1, node2 and node3, built up over slides 38 to 45. For each node in turn: create a key pair (pri1.pem and pub1.pem on node1, then pri2.pem and pub2.pem on node2, then pri3.pem and pub3.pem on node3), distribute the public key to all three nodes, and configure the private key on the node that generated it. In the final state (slide 45) every node holds pub1.pem, pub2.pem and pub3.pem, and each node holds only its own private key (pri1.pem on node1, pri2.pem on node2, pri3.pem on node3).
  46. JWS tokens (agenda slide, repeated)
  47. What's next for JWS? Beyond OpenStack operations; nested JWTs; offline validation; per-domain token signing; additional JWA algorithms
  48. Beyond OpenStack operations: test with OpenID Connect; interoperability with Kubernetes; identify other JWS consumers; identify other private claims
  49. Nested JWTs: encrypt then sign; privacy; drop-in replacement for Fernet
  50. Offline validation: make use of PKI; token contains all information for validation; caching role information and token catalog at the service; short token lifespan is required to avoid revocation; Keystone-to-Keystone (K2K) federation use cases
  51. Per-domain token signing: split massive deployments into regions; multiple domains per region; consolidate assignments; independent upgradeability across clusters
  52. Additional JWA algorithms: currently only support ES256; better crypto-agility
