Presentation from October 2018 Software Peer2Peer event. Covers: JSON Web Tokens (JWTs) provide a mechanism to securely represent claims information between two parties. They can be used to support Authorization mechanisms, implement Single Sign On functionality, and securely exchange information on the internet. More about Silicon Halton's Sofware Peer2Peer: https://siliconhalton.com/silicon-halton-software-peer2peer/

1. JWTs
More than you think

2. History
• September 2011 - JOSE Working Group
founded
• April 2014 - RFC7165 - Use Cases and
Requirements for JSON Object Signing and
Encryption (JOSE)
• May 2015 - RFC7515(JWS), 7516(JWE),
7517(JWK), 7518(JWA) and 7519(JWT)

3. Terminology
• Base64URL - Base 64 encoding, making use of
only URL safe characters.
• Symmetric Encryption - Encryption that uses a
single key that is shared between the two
parties.
• Asymmetric Encryption - Encryption that uses
public private key pairs.

4. JWT or Not?
{
alg: RS256,
typ: JWT
},
{
iss: "Chris Larsen",
sub: 'JWT',
aud: 'Silicon Halton',
iat: Time.now
}
Is this a
JWT?

5. JWT or Not?
{
alg: RS256,
typ: JWT
},
{
iss: "Chris Larsen",
sub: 'JWT',
aud: 'Silicon Halton',
iat: Time.now
}
Yes and
No.
It’s a
type of
JWT
called a
JWS

6. Terminology - More
• JWS - JSON Web Signature. A JWT that includes
a signature formed by encrypting the header
and payload. These are encrypted with either
the sender’s symmetric key or private key.
• JWE - JSON Web Encryption. A JWT that
encrypts the payload for transmission. The
payload is encrypted using either a symmetric
key, or the receiver’s public key.

7. JWS vs JWE
JWS
• Transmits claims with
encrypted signature to ensure
authenticity.
• Compact serialization
contains 3 components.
• Example:
JWE
• Transmits message in
encrypted form to ensure
privacy.
• Compact serialization
contains 5 components.
• Example:

8. JWS - Process
1. Encode JWS Protected Header as BASE64URL(UTF8(JWS
Protected Header))
2. Encode JWS Payload as BASE64URL(UTF8(JWS Payload))
3. Encrypt ASCII(BASE64URL(UTF8(JWS Protected Header))
|| '.' || BASE64URL(JWS Payload)) using the algorithm
specified in the header and the key.
4. Concatenate these values in the order
Header.Payload.Signature.
5. This provides the URL safe JWS Compact Serialization

9. JWS - Summary

10. JWE - Process
1. Encode JWE Protected header as BASE64URL(UTF8(JWS Protected Header))
2. Generate a random Content Encryption Key(CEK)
3. Encrypt the CEK with the recipient's public key using the algorithm specified by “alg” in the
header
4. Base64url-encode the JWE Encrypted Key
5. Generate a random Initialization Vector, and Base64URL encode it
6. Generate the Additional Authenticated Data as a Base64URL encoding of the Protected
Header
7. Encrypt the plaintext with the algorithm specified by “enc” in the header, using the CEK as the
encryption key, the Initialization Vector, and the Additional Authenticated Data value
8. Concatenate these values in the order
ProtectedHeader.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
9. This provides the URL safe JWE Compact Serialization

11. JWE - Summary

12. Libraries
• .NET - 3
• C - 2
• C++ - 3
• Elixir - 3
• Go - 11
• Java - 6
• JavaScript - 3
• Perl - 1
• PHP - 10
• Python - 4
• Ruby - 4
• Scala - 4
• Swift - 4
According to JWT.io

13. Additional Resources
• https://tools.ietf.org/html/rfc7519
• https://tools.ietf.org/html/rfc7165
• https://datatracker.ietf.org/wg/jose/documents/

14. Website: www.christianlarsen.ca
Blog: hclarsenblog.wordpress.com
Twitter: @thechrislarsen