1. An Introduction to the Emerging JSON-Based Identity and Security Protocols
OWASP Vancouver
Brian Campbell
@__b_c
November 2013
Slides: http://goo.gl/cQIQSf
Copyright ©2013 Ping Identity Corporation. All rights reserved.
3. Brian Campbell
As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect
actually does for a living. In the meantime, he's tried to make himself useful with little things like
designing and building much of PingFederate, the product that put Ping Identity on the map. When not
making himself useful, he contributes to various identity and security standards including a two-year stint
as co-chair of the OASIS Security Services Technical Committee (SAML) and is currently contributing to
OAuth and JOSE in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in
Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he
has to look up how to spell "Massachusetts" every time he writes it.
5. That Sam-I-am!
• Security Assertion Markup Language
– SAML sounded better than SCML
• XML-based framework that allows identity and
security information to be shared across security
domains
• Primarily used for cross domain Web browser single
sign-on
• Assertion is a (usually signed, sometimes encrypted)
security token
– XML Digital Signatures
– XML Encryption
• Enterprisy Reputation
• Paying my bills for nearly a decade
8. WTF “SAML is dead”?
I’ve got a mortgage to pay…
But I just started this job!
@ian13550
@paulmadsen
*Disclaimer: I work with these guys at Ping
9. it was the age of wisdom…
* @dak3
meanwhile I’ve got 29 years of mortgage payments remaining and kids
in private school so I thought maybe I should figure out what *is* the
future…
** Burton actually said it but Kearns quotes him in
http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/
and I really wanted to use “Crusty Curmudgeon”
10. on your deathbed, you will receive total consciousness
*I did actually receive permission to use this photo
Sometimes reinventing the wheel gets you something a little more round
– JSON Web Token
– JSON Web Signature
– JSON Web Encryption
– JSON Web Key
JW* or JW[STEAK]
11. base64 vs. base64url
• base64url is *almost* like base64
– Both are a means of encoding binary data in a printable ASCII
string format
– Each 6 bits -> 1 character (from a 64 character alphabet)
– 3 bytes -> 4 characters
• But base64url uses a URL safe alphabet rather than the
nearly URL safe alphabet of regular base64
– 62 alphanumeric characters
– “-” rather than “+”
– “_” rather than “/”
– Padding “=” is typically omitted
• A remaining unreserved URI character: “.”
– This will prove important shortly
12. JWS
• JSON Web Signature
• A way of representing content secured with a
digital signature or MAC using JSON data
structures and base64url encoding
– Encoded segments are concatenated with a “.”
• Intended for space constrained environments
such as HTTP Authorization headers and URI
query parameters
• Conceptually Simple:
– Header.Payload.Signature
13. JWS Header
• JWS Header
– A bit of JSON that describes the digital signature or MAC operation applied to
create the JWS Signature value
• Reserved Header Parameter Names
– “alg”: Algorithm
• HMAC, RSA and ECDSA
• None (controversy!)
• Extensible
– “kid”: Key ID
– “jku”: JWK Set URL
– “jwk”: JSON Web Key
– “x5u”: X.509 URL
– “x5t”: X.509 Certificate Thumbprint
– “x5c”: X.509 Certificate Chain
– “typ”: Type
– “cty”: Content Type
• Header Example
“I signed this thing with RSA-SHA256 using key ID of ‘9er’ and you can find the
corresponding public key at https://www.example.com/jwk”
{"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwk"}
15. JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header (going to sign with ECDSA P-256 SHA-256) -> {"alg":"ES256"}
base64url encoded header -> eyJhbGciOiJFUzI1NiJ9
Secured Input -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input
-> Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw
JWS Compact Serialization ->
eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw
Which you can think of sort of like:
{"alg":"ES256"}.USA #1!.<SIGNATURE>
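The JWS slide's values can be reproduced directly. The following is an added example, not code from the original slides or from jose4j: it splits the slide's compact JWS, decodes the header and payload, and shows a verifier that pins the algorithm before checking the signature over the exact Secured Input bytes. HS256 with a constructed key stands in for ES256 because the slide does not give the public key, and all function names are illustrative.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    # base64url normally omits "=" padding, so restore it before decoding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def split_jws(compact: str):
    """Return (header dict, payload bytes, signature bytes, secured input bytes)."""
    parts = compact.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact form must have exactly three segments")
    h, p, s = parts
    return json.loads(b64url_decode(h)), b64url_decode(p), b64url_decode(s), f"{h}.{p}".encode("ascii")

def sign_hs256(payload: bytes, key: bytes) -> str:
    h = b64url_encode(b'{"alg":"HS256"}')
    p = b64url_encode(payload)
    mac = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(mac)}"

def verify_hs256(compact: str, key: bytes) -> bytes:
    """Return the payload only if the header says HS256 and the MAC matches."""
    header, payload, sig, secured = split_jws(compact)
    # The verifier, not the token, decides which algorithm is acceptable:
    # "none" or any other unexpected "alg" is rejected before any crypto runs.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    # The MAC covers the received base64url text itself; nothing is canonicalized.
    expected = hmac.new(key, secured, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("signature mismatch")
    return payload

# The ES256 example from the slide, copied from the page
SLIDE_JWS = ("eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ."
             "Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw")
KEY = b"constructed-demo-key-not-from-the-slides"  # constructed for this example

if __name__ == "__main__":
    header, payload, sig, _ = split_jws(SLIDE_JWS)
    print(header, payload, len(sig))  # a P-256 signature is R||S
    print(verify_hs256(sign_hs256(b"USA #1!", KEY), KEY))
```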
16. JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting
content
• A little more complicated
– Headers
• “alg”: Algorithm (key wrap or agreement)
• “enc”: Encryption Method (Authenticated Encryption only)
• “zip”: Compression Algorithm
• Etc.
• Five Parts
Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
17. JWE Key Management Algorithms (“alg”)
http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html
18. JWE Content Encryption Algorithms (“enc”)
http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html
• Note that all of the encryption methods are AEAD
algorithms
19. JWE Example
Payload/plaintext -> I actually really like Canada
Header -> {"alg":"ECDH-ES+A128KW","enc":"A128CBC-HS256","epk":{"kty":"EC","x":"Y9YfiejQGZW4o47zj4q7THlRRwhSpJPvtf5oF0sOMVA","y":"DnYzBhlR57cW4Y8_Ae2s9WRm1Ju0Pi81aLY0VkA2Gnk","crv":"P-256"}}
base64url encode header ->
eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0
Encrypted Key: ECDH-ES key agreement used to AES Key wrap a 256 bit random key which is
base64url encoded -> DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg
IV: base64url encoded 128 bit initialization vector -> wAnQy_IfyJd5cW3ZKYzzIg
Ciphertext: AES 128 CBC encrypted plaintext, base64url encoded -> teyZQzpS-BgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8
Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV
and ciphertext -> Mlc19AsGhJBUA1J3-vojD
Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0.
DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg.
wAnQy_IfyJd5cW3ZKYzzIg.
teyZQzpS-BgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8.
Mlc19AsGhJBUA1J3-vojD
20. JWT
• JSON Web Token
• Suggested pronunciation: “jot”
• Compact URL-safe means of representing claims to
be transferred between two parties
• JWS and/or JWE with JSON claims as the payload
• JWT Claim
– A piece of information asserted about a subject (or the JWT
itself).
– Represented as name/value pairs, consisting of a Claim Name
and a Claim Value (which can be any JSON object).
– Reserved Claim Names
• “iss”: Issuer
• “sub”: Subject
• “aud”: Audience
• “exp”: Expiration Time
• “nbf”: Not Before
• “iat”: Issued At
• “jti”: JWT ID
21. jot or not?
The Header
{"kid":"5","alg":"ES256"}
The Payload
{"iss":"https://idp.example.com",
"exp":1357255788,
"aud":"https://sp.example.org",
"jti":"tmYvYVU2x8LvN72B5Q_EacH._5A",
"acr":"2",
"sub":"Brian"}
The JWT
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
The Signature
[computery junk]
22. it’s not the size of your token…
eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr"
xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<Issuer>https://idp.example.com</Issuer>
<ds:Signature>
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
<ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
<ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue>
</ds:Signature>
<Subject>
<NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
<SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
</SubjectConfirmation>
</Subject>
<Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
<AudienceRestriction>
<Audience>https://sp.example.org</Audience>
</AudienceRestriction>
</Conditions>
<AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr">
<AuthnContext>
<AuthnContextClassRef>2</AuthnContextClassRef>
</AuthnContext>
</AuthnStatement>
</Assertion>
23. …it’s how you use it
• Simpler = Better
• Web safe encoding w/ no canonicalization
– Because canonicalization is a four letter word
(especially when you spell it c14n)
• Improved Interoperability & (hopefully) More
Secure
• Eliminates entire classes of attacks
– XSLT Transform DOS, Remote Code Execution, and Bypass
– C14N Hash Collision w/ & w/out comments
– Entity Expansion Attacks
– XPath Transform DOS and Bypass
– External Reference DOS
– Signature Wrapping Attacks*
* This poor bastard was the ‘victim’ in my POC of a signature
wrapping vulnerability in SAML SSO for Google Apps
http://www.google.com/about/appsecurity/hall-of-fame/reward/
Brad Hill is wicked smaht and published some of the attacks listed here
24. JSON Web Key (JWK)
• JSON data structure that represents cryptographic
key(s) which can be
– included in a JWS/JWE/JWT header
– saved in a file
– used in place of self signed certificates
– published at an HTTPS endpoint and referenced
JWT/JWS Header
{"kid":"5",
"alg":"ES256"}
{"keys":[
{"kty":"EC",
"kid":"4",
"x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo",
"y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A",
"crv":"P-256"},
{"kty":"EC",
"kid":"5",
"x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
"y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
"crv":"P-256"},
{"kty":"EC",
"kid":"6",
"x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00",
"y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU",
"crv":"P-256"}
]}
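As an added example (not part of the original slides or of any library listed in them), this is how a relying party might resolve the "kid" in the slide 21 JWT header against the JWK Set above and then check the reserved claims. The expected issuer and audience, the clock-skew allowance and the function names are assumptions, and the ES256 signature check itself is left to a JOSE library.

```python
import base64, json

def b64url_json(segment: str) -> dict:
    # base64url omits "=" padding; restore it, then parse the JSON
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

ACCEPTED = {"ES256": ("EC", "P-256")}  # alg -> required (kty, crv), set by the verifier

def select_key(header: dict, jwk_set: dict) -> dict:
    """Resolve the header's "kid" against a JWK Set the verifier already trusts."""
    alg = header.get("alg")
    if alg not in ACCEPTED:  # rejects "none" and anything unplanned
        raise ValueError(f"alg {alg!r} not accepted")
    matches = [k for k in jwk_set["keys"] if k.get("kid") == header.get("kid")]
    if len(matches) != 1:
        raise ValueError("kid must match exactly one key")
    if (matches[0].get("kty"), matches[0].get("crv")) != ACCEPTED[alg]:
        raise ValueError("key type does not fit alg")
    return matches[0]

def check_claims(claims: dict, issuer: str, audience: str, now: int, skew: int = 60) -> dict:
    """Check reserved claims; only meaningful once the signature has verified."""
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"] + skew:
        raise ValueError("expired")
    if "nbf" in claims and now + skew < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims

# Header and payload segments of the slide 21 JWT, and the JWK Set from slide 24
HEADER_SEG = "eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ"
PAYLOAD_SEG = ("eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm"
               "V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ"
               "VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9")
JWKS = {"keys": [
    {"kty": "EC", "kid": "4", "x": "LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y": "dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv": "P-256"},
    {"kty": "EC", "kid": "5", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv": "P-256"},
    {"kty": "EC", "kid": "6", "x": "J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y": "5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv": "P-256"},
]}

if __name__ == "__main__":
    header, claims = b64url_json(HEADER_SEG), b64url_json(PAYLOAD_SEG)
    print(select_key(header, JWKS)["kid"], claims["sub"], claims["exp"])
```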
25. JW[STEAK] in Action
• Composable, reusable and being used
– OAuth
– OpenID Connect
– Mozilla Persona
– W3C Web Cryptography API
– And more…
• *Approaching* finalization as RFCs
– http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12
– http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17
– http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-17
– http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-17
– http://tools.ietf.org/html/draft-ietf-jose-json-web-key-17
three nerds holding a blurry piece of
paper they tell me is some kind of
award for OpenID Connect
26. JW[STEAK] Implementations
• Java
– https://bitbucket.org/b_c/jose4j
• Ruby
– https://github.com/nov/json-jwt
• .NET
– https://github.com/johnsheehan/jwt
• PHP
– https://github.com/ritou/php-Akita_JOSE
• Python
– https://pypi.python.org/pypi/jws/0.1.0
– https://github.com/rohe/pyjwkest
• Perl
– https://metacpan.org/module/JSON::WebToken
– https://github.com/kjur/jwsverify.pl
– https://github.com/xaicron/p5-JSON-WebToken
• JavaScript
– http://kjur.github.com/jsjws/
– https://npmjs.org/package/jwt
– https://npmjs.org/package/green-jwt
– https://npmjs.org/package/jsjws
• Note that inclusion here does not imply endorsement of any kind (except for jose4j) and is informational in nature and intended only to show that there is widespread support for the emerging new standards
27. JW[STEAK] implies a simple programming interface
• Which is nice
• The JWS and JWE examples in this presentation
were created using jose4j and just a few lines of code
https://bitbucket.org/b_c/jose4j in case you missed the URL on the last slide
28. You’ve been Introduced to some JSON-Based Identity and Security Protocols
Any Questions?
SAML
And thanks for putting up with me for the last hour.
Brian Campbell
@__b_c
November 2013
http://goo.gl/cQIQSf