An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)

An Introduction to the
Emerging JSON-Based
Identity and Security
Protocols
OWASP Vancouver
1

Brian Campbell
@__b_c
November 2013
Slides: http://goo.gl/cQIQSf
Copyright ©2013 Ping Identity Corporation. All rights reserved.

Agenda

• Introductions
• Backstory
• Technical Overview of a few of the new(ish)
JSON-Based Protocols

2


Brian Campbell
Brian Campbell

As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect
actually does for a living. In the meantime, he's tried to make himself useful with little things like
designing and building much of PingFederate, the product that put Ping Identity on the map. When not
making himself useful, he contributes to various identity and security standards including a two-year stint
as co-chair of the OASIS Security Services Technical Committee (SAML) and is currently contributing to
OAuth and JOSE in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in
Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he
has to look up how to spell "Massachusetts" every time he writes it.
3


4


That Sam-I-am!

• Security Assertion Markup Language
– SAML sounded better than SCML

• XML-based framework that allows identity and
security information to be shared across security
domains
• Primarily used for cross domain Web browser single
sign-on
• Assertion is a (usually signed, sometimes encrypted)
security token
– XML Digital Signatures
– XML Encryption

• Enterprisy Reputation
• Paying my bills for nearly a decade
5


http://flic.kr/s/aHsjAP3nKo

6


SAML
is DEAD!
SAML

7

* http://www.linkedin.com/in/burtonian


WTF “SAML is dead”?
I‟ve got a mortgage to
pay…

But I just
started
this job!

@ian13550
@paulmadsen

*Disclaimer: I work with these guys at Ping
8


it was the age of wisdom…

* @dak3

meanwhile I‟ve got 29 years of mortgage payments remaining and kids
in private school so I thought maybe I should figure out what *is* the
future…

9

** Burton actually said it but Kearns quotes him in
http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/
Copyright ©2013 wanted to use “Crusty Curmudgeon”
and I really Ping Identity Corporation. All rights reserved.

on your deathbed, you will receive total
consciousness
*I did actually
receive permission
to use this photo

Sometimes reinventing
the wheel gets you
something a little more
round
–
–
–
–

JSON Web Token
JSON Web Signature
JSON Web Encryption
JSON Web Key

JW* or JW[STEAK]
10


base64 vs. base64url

• base64url is *almost* like base64
– Both are a means of encoding binary data in a printable ASCII
string format
– Each 6 bits -> 1 character (from a 64 character alphabet)
– 3 bytes -> 4 characters

• But base64url uses a URL safe alphabet rather than the
nearly URL safe alphabet of regular base64
–
–
–
–

62 alphanumeric characters
“-” rather than “+”
“_” rather than “/”
Padding “=” is typically omitted

• A remaining unreserved URI character: “.”
– This will prove important shortly

11


JWS

• JSON Web Signature
• A way of representing content secured with a
digital signature or MAC using JSON data
structures and base64url encoding
– Encoded segment are concatenated with a “.”

• Intended for space constrained environments
such as HTTP Authorization headers and URI
query parameters
• Conceptually Simple:
– Header.Payload.Signature

12


JWS Header
•

JWS Header
–

•

A bit of JSON that describes the digital signature or MAC operation applied to
create the JWS Signature value

Reserved Header Parameter Names
– “alg”: Algorithm
•
•
•

–
–
–
–
–
–
–
–

•

HMAC, RSA and ECDSA
None (controversy!)
Extensible

“kid”: Key ID
“jku”: JWK Set URL
“jwk”: JSON Web Key
“x5u”: X.509 URL
“x5t”: X.509 Certificate Thumbprint
“x5c”: X.509 Certificate Chain
“typ”: Type
“cty”: Content Type

Header Example
“I signed this thing with RSA-SHA256 using key ID of „9er‟ and you can find the
corresponding public key at https://www.example.com/jwk”

{"alg":"RS256", "kid":”9er", "jwk”:"https://www.example.com/jwk"}
13


JWS Algorithms

http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html

14


JWS Example

Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256) -> {"alg":"ES256"}
base64url encoded header -> eyJhbGciOiJFUzI1NiJ9
Secured Input -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input
-> Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw
JWS Compact Serialization ->
eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw

Which you can think of sort of like:
{"alg":"ES256"}.USA #1!.<SIGNATURE>

15


JWE

• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting
content
• A little more complicated
– Headers
•
•
•
•

“alg”: Algorithm (key wrap or agreement)
“enc”: Encryption Method (Authenticated Encryption only)
“zip”: Compression Algorithm
Etc.

• Five Parts
Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag

16


JWE Key Management Algorithms (“alg”)

17



JWE Content Encryption Algorithms (“enc”)


• Note that all of the encryption methods are AEAD
algorithms

18


Payload/plaintext -> I actually really like Canada

JWE Example

Header -> {"alg":"ECDH-ES+A128KW","enc":"A128CBCHS256","epk":{"kty":"EC","x":"Y9YfiejQGZW4o47zj4q7THlRRwhSpJPvtf5oF0sOMVA","y":"DnYzBhlR
57cW4Y8_Ae2s9WRm1Ju0Pi81aLY0VkA2Gnk","crv":"P-256"}}
base64url encode header ->
eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4
IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0
WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0
Encrypted Key: ECDH-ES key agreement used to AES Key wrap a 256 bit random key which is
base64url encoded -> DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg
IV: base64url encoded 128 bit initialization vector -> wAnQy_IfyJd5cW3ZKYzzIg
Ciphertext: AES 128 CBC plaintext is base64url encoded -> teyZQzpSBgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8
Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV
and ciphertext -> Mlc19AsGhJBUA1J3-vojD
Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4
IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0
WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0.
DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg.
wAnQy_IfyJd5cW3ZKYzzIg.
teyZQzpS-BgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8.
19
Mlc19AsGhJBUA1J3-vojD

JWT
• JSON Web Token
• Suggested pronunciation: "jot”
• Compact URL-safe means of representing claims to
be transferred between two parties
• JWS and/or JWE with JSON claims as the payload
• JWT Claim
– A piece of information asserted about a subject (or the JWT
itself).
– Represented name/value pairs, consisting of a Claim Name
and a Claim Value (which can be any JSON object).
– Reserved Claim Names

20

•
•
•
•
•
•
•

“iss”: Issuer
“sub”: Subject
“aud”: Audience
“exp”: Expiration Time
“nbf”: Not Before
“iat”: Issued At
“jti”: JWT ID


jot or not?

The Header
{"kid":"5","alg":"ES256"}

The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}

The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm
V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ
VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0
SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

The Signature
[computery junk]
21


it‟s not the size of your token…
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOl wvXC9zcC
5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK
4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg

<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<Issuer>https://idp.example.com</Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
</SubjectConfirmation>
</Subject>
<Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
<AudienceRestriction>
<Audience>https://sp.example.org</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
<AuthnContext>
<AuthnContextClassRef>2</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
22


…it‟s how you use it

• Simpler = Better
• Web safe encoding w/ no canonicalization
– Because canonicalization is a four letter word
(especially when you spell it c14n)

• Improved Interoperability & (hopefully) More
Secure
• Eliminates entire classes of attacks
–
–
–
–
–
–

XSLT Transform DOS, Remote Code Execution, and Bypass
C14N Hash Collision w/ & w/out comments
Entity Expansion Attacks
XPath Transform DOS and Bypass
External Reference DOS
Signature Wrapping Attacks*

* This poor bastard was the „victim‟ in my POC of a signature
wrapping vulnerability in SAML SSO for Google Apps
http://www.google.com/about/appsecurity/hall-of-fame/reward/

23

Copyright wicked smaht and Corporation. All rights reserved.
Brad Hill is ©2013 Ping Identitypublished some of the attacks listed here

JSON Web Key (JWK)
• JSON data structure that represents cryptographic
key(s) which can be
–
–
–
–

included in a JWS/JWE/JWT header
saved in a file
used in place of self signed certificates
published at an HTTPS endpoint and referenced

JWT/JWS Header
{"kid":"5",
"alg":"ES256"}

24

{"keys":[
{"kty":"EC",
"kid":"4",
"x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
"y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
"crv":"P-256"},
{"kty":"EC",
"kid":"5",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"crv":"P-256"},
{"kty":"EC",
"kid":"6",
"x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
"y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
"crv":"P-256"}
]}

JW[STEAK] in Action
• Compossible, reusable and being used
–
–
–
–
–

OAuth
OpenID Connect
Mozilla Persona
W3C Web Cryptography API
And more…

• *Approaching* finalization as RFCs
–
–
–
–
–
25

three nerds holding a blurry piece of
paper they tell me is some kind of
award for OpenID Connect

http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12
http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17
http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-17
http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-17
http://tools.ietf.org/html/draft-ietf-jose-json-web-key-17

JW[STEAK] Implementations

•

Java
–

•

Ruby
–

•

• Note that
inclusion here
does not imply
endorsement of
any kind (except
for jose4j) and is
informational in
nature and
intended only to
show that there is
widespread
support for the
emerging new
standards

https://github.com/ritou/php-Akita_JOSE

.NET
–

26

https://pypi.python.org/pypi/jws/0.1.0
https://github.com/rohe/pyjwkest

PHP
–

•

https://metacpan.org/module/JSON::WebToken
https://github.com/kjur/jwsverify.pl
https://github.com/xaicron/p5-JSON-WebToken

Python
–
–

•

http://kjur.github.com/jsjws/
https://npmjs.org/package/jwt
https://npmjs.org/package/green-jwt
https://npmjs.org/package/jsjws

Perl
–
–
–

•

https://github.com/nov/json-jwt

JavaScript
–
–
–
–

•

https://bitbucket.org/b_c/jose4j

https://github.com/johnsheehan/jwt

JW[STEAK] implies a simple programming interface
• Which is nice
• The JWS and JWE examples in this presentation
were created using jose4j and just a few lines of code

https://bitbucket.org/b_c/jose4j in case you missed the URL on the last slide

27


You’ve been Introduced to some
JSON-Based Identity and Security
Protocols
Any Questions?

SAML

And thanks for putting up with me for the last hour.

28

Brian Campbell
@__b_c
November 2013
http://goo.gl/cQIQSf

An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)

Semelhante a An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition) (20)

Mais de Brian Campbell

Mais de Brian Campbell (14)

Último

Último (20)

An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)