SlideShare a Scribd company logo

An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)

Brian Campbell
Brian Campbell

A short technical introduction, presented at an OWASP Vancouver chapter meeting, to some aspects of JOSE (JWS, JWE, and JWK) as well as JSON Web Token (JWT).

TechnologyEducation
1 of 28
Download to read offline
An Introduction to the Emerging JSON-Based Identity and Security Protocols OWASP Vancouver 1 Brian Campbell @__b_c November 2013 Slides: http://goo.gl/cQIQSf Copyright ©2013 Ping Identity Corporation. All rights reserved.
Agenda • Introductions • Backstory • Technical Overview of a few of the new(ish) JSON-Based Protocols 2 Copyright ©2013 Ping Identity Corporation. All rights reserved.
Brian Campbell Brian Campbell As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of PingFederate, the product that put Ping Identity on the map. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and is currently contributing to OAuth and JOSE in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it. 3 Copyright ©2013 Ping Identity Corporation. All rights reserved.
4 Copyright ©2013 Ping Identity Corporation. All rights reserved.
That Sam-I-am! • Security Assertion Markup Language – SAML sounded better than SCML • XML-based framework that allows identity and security information to be shared across security domains • Primarily used for cross domain Web browser single sign-on • Assertion is a (usually signed, sometimes encrypted) security token – XML Digital Signatures – XML Encryption • Enterprisy Reputation • Paying my bills for nearly a decade 5 Copyright ©2013 Ping Identity Corporation. All rights reserved.
http://flic.kr/s/aHsjAP3nKo 6 Copyright ©2013 Ping Identity Corporation. All rights reserved.
SAML is DEAD! SAML 7 * http://www.linkedin.com/in/burtonian Copyright ©2013 Ping Identity Corporation. All rights reserved.
WTF “SAML is dead”? I‟ve got a mortgage to pay… But I just started this job! @ian13550 @paulmadsen *Disclaimer: I work with these guys at Ping 8 Copyright ©2013 Ping Identity Corporation. All rights reserved.
it was the age of wisdom… * @dak3 meanwhile I‟ve got 29 years of mortgage payments remaining and kids in private school so I thought maybe I should figure out what *is* the future… 9 ** Burton actually said it but Kearns quotes him in http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/ Copyright ©2013 wanted to use “Crusty Curmudgeon” and I really Ping Identity Corporation. All rights reserved.
on your deathbed, you will receive total consciousness *I did actually receive permission to use this photo Sometimes reinventing the wheel gets you something a little more round – – – – JSON Web Token JSON Web Signature JSON Web Encryption JSON Web Key JW* or JW[STEAK] 10 Copyright ©2013 Ping Identity Corporation. All rights reserved.
base64 vs. base64url • base64url is *almost* like base64 – Both are a means of encoding binary data in a printable ASCII string format – Each 6 bits -> 1 character (from a 64 character alphabet) – 3 bytes -> 4 characters • But base64url uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64 – – – – 62 alphanumeric characters “-” rather than “+” “_” rather than “/” Padding “=” is typically omitted • A remaining unreserved URI character: “.” – This will prove important shortly 11 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JWS • JSON Web Signature • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding – Encoded segment are concatenated with a “.” • Intended for space constrained environments such as HTTP Authorization headers and URI query parameters • Conceptually Simple: – Header.Payload.Signature 12 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JWS Header • JWS Header – • A bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value Reserved Header Parameter Names – “alg”: Algorithm • • • – – – – – – – – • HMAC, RSA and ECDSA None (controversy!) Extensible “kid”: Key ID “jku”: JWK Set URL “jwk”: JSON Web Key “x5u”: X.509 URL “x5t”: X.509 Certificate Thumbprint “x5c”: X.509 Certificate Chain “typ”: Type “cty”: Content Type Header Example “I signed this thing with RSA-SHA256 using key ID of „9er‟ and you can find the corresponding public key at https://www.example.com/jwk” {"alg":"RS256", "kid":”9er", "jwk”:"https://www.example.com/jwk"} 13 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JWS Algorithms http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html 14 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JWS Example Payload -> USA #1! base64url encoded payload -> VVNBICMxIQ Header (going to sign with ECDSA P-256 SHA-256) -> {"alg":"ES256"} base64url encoded header -> eyJhbGciOiJFUzI1NiJ9 Secured Input -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ base64url encoded signature over the Secured Input -> Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw JWS Compact Serialization -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw Which you can think of sort of like: {"alg":"ES256"}.USA #1!.<SIGNATURE> 15 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JWE • JSON Web Encryption • Similar in motivation and design to JWS but for encrypting content • A little more complicated – Headers • • • • “alg”: Algorithm (key wrap or agreement) “enc”: Encryption Method (Authenticated Encryption only) “zip”: Compression Algorithm Etc. • Five Parts Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag 16 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JWE Key Management Algorithms (“alg”) 17 Copyright ©2013 Ping Identity Corporation. All rights reserved. http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html
JWE Content Encryption Algorithms (“enc”) http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html • Note that all of the encryption methods are AEAD algorithms 18 Copyright ©2013 Ping Identity Corporation. All rights reserved.
Payload/plaintext -> I actually really like Canada JWE Example Header -> {"alg":"ECDH-ES+A128KW","enc":"A128CBCHS256","epk":{"kty":"EC","x":"Y9YfiejQGZW4o47zj4q7THlRRwhSpJPvtf5oF0sOMVA","y":"DnYzBhlR 57cW4Y8_Ae2s9WRm1Ju0Pi81aLY0VkA2Gnk","crv":"P-256"}} base64url encode header -> eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4 IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0 WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0 Encrypted Key: ECDH-ES key agreement used to AES Key wrap a 256 bit random key which is base64url encoded -> DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg IV: base64url encoded 128 bit initialization vector -> wAnQy_IfyJd5cW3ZKYzzIg Ciphertext: AES 128 CBC plaintext is base64url encoded -> teyZQzpSBgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8 Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> Mlc19AsGhJBUA1J3-vojD Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4 IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0 WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0. DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg. wAnQy_IfyJd5cW3ZKYzzIg. teyZQzpS-BgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8. 19 Copyright ©2013 Ping Identity Corporation. All rights reserved. Mlc19AsGhJBUA1J3-vojD
JWT • JSON Web Token • Suggested pronunciation: "jot” • Compact URL-safe means of representing claims to be transferred between two parties • JWS and/or JWE with JSON claims as the payload • JWT Claim – A piece of information asserted about a subject (or the JWT itself). – Represented name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object). – Reserved Claim Names 20 • • • • • • • “iss”: Issuer “sub”: Subject “aud”: Audience “exp”: Expiration Time “nbf”: Not Before “iat”: Issued At “jti”: JWT ID Copyright ©2013 Ping Identity Corporation. All rights reserved.
jot or not? The Header {"kid":"5","alg":"ES256"} The Payload {"iss":"https://idp.example.com", "exp":1357255788, "aud":"https://sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"} The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0 SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg The Signature [computery junk] 21 Copyright ©2013 Ping Identity Corporation. All rights reserved.
it‟s not the size of your token… eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOl wvXC9zcC 5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK 4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction> <Audience>https://sp.example.org</Audience> </AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext> <AuthnContextClassRef>2</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion> 22 Copyright ©2013 Ping Identity Corporation. All rights reserved.
…it‟s how you use it • Simpler = Better • Web safe encoding w/ no canonicalization – Because canonicalization is a four letter word (especially when you spell it c14n) • Improved Interoperability & (hopefully) More Secure • Eliminates entire classes of attacks – – – – – – XSLT Transform DOS, Remote Code Execution, and Bypass C14N Hash Collision w/ & w/out comments Entity Expansion Attacks XPath Transform DOS and Bypass External Reference DOS Signature Wrapping Attacks* * This poor bastard was the „victim‟ in my POC of a signature wrapping vulnerability in SAML SSO for Google Apps http://www.google.com/about/appsecurity/hall-of-fame/reward/ 23 Copyright wicked smaht and Corporation. All rights reserved. Brad Hill is ©2013 Ping Identitypublished some of the attacks listed here
JSON Web Key (JWK) • JSON data structure that represents cryptographic key(s) which can be – – – – included in a JWS/JWE/JWT header saved in a file used in place of self signed certificates published at an HTTPS endpoint and referenced JWT/JWS Header {"kid":"5", "alg":"ES256"} 24 {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} Copyright ©2013 Ping Identity Corporation. All rights reserved. ]}
JW[STEAK] in Action • Compossible, reusable and being used – – – – – OAuth OpenID Connect Mozilla Persona W3C Web Cryptography API And more… • *Approaching* finalization as RFCs – – – – – 25 three nerds holding a blurry piece of paper they tell me is some kind of award for OpenID Connect http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12 http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17 http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-17 http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-17 http://tools.ietf.org/html/draft-ietf-jose-json-web-key-17 Copyright ©2013 Ping Identity Corporation. All rights reserved.
JW[STEAK] Implementations • Java – • Ruby – • • Note that inclusion here does not imply endorsement of any kind (except for jose4j) and is informational in nature and intended only to show that there is widespread support for the emerging new standards https://github.com/ritou/php-Akita_JOSE .NET – 26 https://pypi.python.org/pypi/jws/0.1.0 https://github.com/rohe/pyjwkest PHP – • https://metacpan.org/module/JSON::WebToken https://github.com/kjur/jwsverify.pl https://github.com/xaicron/p5-JSON-WebToken Python – – • http://kjur.github.com/jsjws/ https://npmjs.org/package/jwt https://npmjs.org/package/green-jwt https://npmjs.org/package/jsjws Perl – – – • https://github.com/nov/json-jwt JavaScript – – – – • https://bitbucket.org/b_c/jose4j https://github.com/johnsheehan/jwt Copyright ©2013 Ping Identity Corporation. All rights reserved.
JW[STEAK] implies a simple programming interface • Which is nice • The JWS and JWE examples in this presentation were created using jose4j and just a few lines of code https://bitbucket.org/b_c/jose4j in case you missed the URL on the last slide 27 Copyright ©2013 Ping Identity Corporation. All rights reserved.
You’ve been Introduced to some JSON-Based Identity and Security Protocols Any Questions? SAML And thanks for putting up with me for the last hour. 28 Brian Campbell @__b_c November 2013 http://goo.gl/cQIQSf Copyright ©2013 Ping Identity Corporation. All rights reserved.

Recommended

I Left My JWT in San JOSE
I Left My JWT in San JOSEI Left My JWT in San JOSE
I Left My JWT in San JOSEBrian Campbell
 
JOSE Can You See...
JOSE Can You See...JOSE Can You See...
JOSE Can You See...Brian Campbell
 
Javascript Object Signing & Encryption
Javascript Object Signing & EncryptionJavascript Object Signing & Encryption
Javascript Object Signing & EncryptionAaron Zauner
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsIntroduction to the Emerging JSON-Based Identity and Security Protocols
Introduction to the Emerging JSON-Based Identity and Security ProtocolsBrian Campbell
 
JSON Web Tokens (JWT)
JSON Web Tokens (JWT)JSON Web Tokens (JWT)
JSON Web Tokens (JWT)Vladimir Dzhuvinov
 
CIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECIS14: I Left My JWT in San JOSE
CIS14: I Left My JWT in San JOSECloudIDSummit
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...
MongoDB .local Munich 2019: New Encryption Capabilities in MongoDB 4.2: A Dee...MongoDB
 

More Related Content

What's hot

Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenIDBastian Hofmann
 
MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2
MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2
MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2MongoDB
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012DefCamp
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityBruno Henrique Rother
 
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramFIWARE
 
MongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDB
MongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDBMongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDB
MongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDBMongoDB
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carolcgvwzq
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT ExploitationAkshaeyBhosale
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJohn Anderson
 
Password Security
Password SecurityPassword Security
Password SecurityCSCJournals
 
Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use casesEnrico Zimuel
 
Using Mongoid with Ruby on Rails
Using Mongoid with Ruby on RailsUsing Mongoid with Ruby on Rails
Using Mongoid with Ruby on RailsNicholas Altobelli
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsMartin Vigo
 
Password Security
Password SecurityPassword Security
Password SecurityAlex Hyer
 
MongoDB + Java - Everything you need to know
MongoDB + Java - Everything you need to know MongoDB + Java - Everything you need to know
MongoDB + Java - Everything you need to know Norberto Leite
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationKen Belva
 

What's hot (20)

Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Distributed Identities with OpenID
Distributed Identities with OpenIDDistributed Identities with OpenID
Distributed Identities with OpenID
 
MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2
MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2
MongoDB .local Chicago 2019: Using Client Side Encryption in MongoDB 4.2
 
Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012Top Ten Web Defenses - DefCamp 2012
Top Ten Web Defenses - DefCamp 2012
 
Introduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring SecurityIntroduction to JWT and How to integrate with Spring Security
Introduction to JWT and How to integrate with Spring Security
 
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers ProgramSession 5 - NGSI-LD Advanced Operations | Train the Trainers Program
Session 5 - NGSI-LD Advanced Operations | Train the Trainers Program
 
MongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDB
MongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDBMongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDB
MongoDB .local Munich 2019: Tips and Tricks++ for Querying and Indexing MongoDB
 
A XSSmas carol
A XSSmas carolA XSSmas carol
A XSSmas carol
 
Understanding JWT Exploitation
Understanding JWT ExploitationUnderstanding JWT Exploitation
Understanding JWT Exploitation
 
Data Modeling with NGSI, NGSI-LD
Data Modeling with NGSI, NGSI-LDData Modeling with NGSI, NGSI-LD
Data Modeling with NGSI, NGSI-LD
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your Life
 
JSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your LifeJSON Web Tokens Will Improve Your Life
JSON Web Tokens Will Improve Your Life
 
Password Security
Password SecurityPassword Security
Password Security
 
ActiveRecord vs Mongoid
ActiveRecord vs MongoidActiveRecord vs Mongoid
ActiveRecord vs Mongoid
 
Cryptography in PHP: use cases
Cryptography in PHP: use casesCryptography in PHP: use cases
Cryptography in PHP: use cases
 
Using Mongoid with Ruby on Rails
Using Mongoid with Ruby on RailsUsing Mongoid with Ruby on Rails
Using Mongoid with Ruby on Rails
 
Breaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secretsBreaking vaults: Stealing Lastpass protected secrets
Breaking vaults: Stealing Lastpass protected secrets
 
Password Security
Password SecurityPassword Security
Password Security
 
MongoDB + Java - Everything you need to know
MongoDB + Java - Everything you need to know MongoDB + Java - Everything you need to know
MongoDB + Java - Everything you need to know
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 

Similar to An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)

A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...
A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...
A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...Amazon Web Services
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryPriyanka Aash
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...Cisco DevNet
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTAdam Englander
 
Client Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart CardsClient Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart CardsEd Dodds
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaultsMatias Korhonen
 
Economies of Scaling Software
Economies of Scaling SoftwareEconomies of Scaling Software
Economies of Scaling SoftwareJoshua Long
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applicationsKarthik Gaekwad
 
State of Authenticating RESTful APIs
State of Authenticating RESTful APIsState of Authenticating RESTful APIs
State of Authenticating RESTful APIsrobwinch
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror StoriesEC-Council
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsrobertjd
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud CA API Management
 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStackpiyush_harsh
 
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28Frédéric Harper
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthnFIDO Alliance
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsLewis Ardern
 
Attacking XML Security
Attacking XML SecurityAttacking XML Security
Attacking XML SecurityYusuf Motiwala
 

Similar to An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition) (20)

A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...
A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...
A story of Netflix and AB Testing in the User Interface using DynamoDB - DAT3...
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Node.js
Node.jsNode.js
Node.js
 
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
DEVNET-2002 Coding 201: Coding Skills 201: Going Further with REST and Python...
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your RESTCon Foo 2017 - Don't Loose Sleep - Secure Your REST
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
 
Client Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart CardsClient Cert Deployment Models and Hardware Tokens/Smart Cards
Client Cert Deployment Models and Hardware Tokens/Smart Cards
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Economies of Scaling Software
Economies of Scaling SoftwareEconomies of Scaling Software
Economies of Scaling Software
 
13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications13 practical tips for writing secure golang applications
13 practical tips for writing secure golang applications
 
Scim overview
Scim overviewScim overview
Scim overview
 
State of Authenticating RESTful APIs
State of Authenticating RESTful APIsState of Authenticating RESTful APIs
State of Authenticating RESTful APIs
 
Codemash-2017
Codemash-2017Codemash-2017
Codemash-2017
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 
Building Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTsBuilding Secure User Interfaces With JWTs
Building Secure User Interfaces With JWTs
 
Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud Patterns to Bring Enterprise and Social Identity to the Cloud
Patterns to Bring Enterprise and Social Identity to the Cloud
 
Interoperability and APIs in OpenStack
Interoperability and APIs in OpenStackInteroperability and APIs in OpenStack
Interoperability and APIs in OpenStack
 
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
Firefox OS, HTML5 pour le mobile - Code(love) Hackathon - 2014-05-28
 
Getting Started With WebAuthn
Getting Started With WebAuthnGetting Started With WebAuthn
Getting Started With WebAuthn
 
OWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript ApplicationsOWASP SF - Reviewing Modern JavaScript Applications
OWASP SF - Reviewing Modern JavaScript Applications
 
Attacking XML Security
Attacking XML SecurityAttacking XML Security
Attacking XML Security
 

More from Brian Campbell

Token Binding Identiverse 2018
Token Binding Identiverse 2018 Token Binding Identiverse 2018
Token Binding Identiverse 2018 Brian Campbell
 
IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018Brian Campbell
 
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBrian Campbell
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarBrian Campbell
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsBrian Campbell
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSOBrian Campbell
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Brian Campbell
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Brian Campbell
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...Brian Campbell
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsBrian Campbell
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitBrian Campbell
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...Brian Campbell
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityBrian Campbell
 

More from Brian Campbell (14)

The Burden of Proof
The Burden of ProofThe Burden of Proof
The Burden of Proof
 
Token Binding Identiverse 2018
Token Binding Identiverse 2018 Token Binding Identiverse 2018
Token Binding Identiverse 2018
 
IAM Overview Identiverse 2018
IAM Overview Identiverse 2018IAM Overview Identiverse 2018
IAM Overview Identiverse 2018
 
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure WebBeyond Bearer: Token Binding as the Foundation for a More Secure Web
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations SeminarIdentity and Access Management - RSA 2017 Security Foundations Seminar
Identity and Access Management - RSA 2017 Security Foundations Seminar
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of UsOAuth 2.0 Token Exchange: An STS for the REST of Us
OAuth 2.0 Token Exchange: An STS for the REST of Us
 
Denver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSODenver Startup Week '15: Mobile SSO
Denver Startup Week '15: Mobile SSO
 
Mobile SSO: are we there yet?
Mobile SSO: are we there yet?Mobile SSO: are we there yet?
Mobile SSO: are we there yet?
 
Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)Mobile Single Sign-On (Gluecon '15)
Mobile Single Sign-On (Gluecon '15)
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity StandardsHope or Hype: A Look at the Next Generation of Identity Standards
Hope or Hype: A Look at the Next Generation of Identity Standards
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity SummitOAuth 101 & Secure APIs 2012 Cloud Identity Summit
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping IdentityOAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
 

Recently uploaded

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Nikki Chapple
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialJoão Esperancinha
 

Recently uploaded (20)

The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
Microsoft 365 Copilot: How to boost your productivity with AI – Part one: Ado...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.How Tech Giants Cut Corners to Harvest Data for A.I.
How Tech Giants Cut Corners to Harvest Data for A.I.
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Kuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorialKuma Meshes Part I - The basics - A tutorial
Kuma Meshes Part I - The basics - A tutorial
 

An Introduction to the Emerging JSON-Based Identity and Security Protocols (OWASP Vancouver edition)

  • 1. An Introduction to the Emerging JSON-Based Identity and Security Protocols OWASP Vancouver 1 Brian Campbell @__b_c November 2013 Slides: http://goo.gl/cQIQSf Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 2. Agenda • Introductions • Backstory • Technical Overview of a few of the new(ish) JSON-Based Protocols 2 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 3. Brian Campbell Brian Campbell As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a Portfolio Architect actually does for a living. In the meantime, he's tried to make himself useful with little things like designing and building much of PingFederate, the product that put Ping Identity on the map. When not making himself useful, he contributes to various identity and security standards including a two-year stint as co-chair of the OASIS Security Services Technical Committee (SAML) and is currently contributing to OAuth and JOSE in the IETF as well as OpenID Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst College in Massachusetts. Despite spending four years in the state, he has to look up how to spell "Massachusetts" every time he writes it. 3 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 4. 4 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 5. That Sam-I-am! • Security Assertion Markup Language – SAML sounded better than SCML • XML-based framework that allows identity and security information to be shared across security domains • Primarily used for cross domain Web browser single sign-on • Assertion is a (usually signed, sometimes encrypted) security token – XML Digital Signatures – XML Encryption • Enterprisy Reputation • Paying my bills for nearly a decade 5 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 6. http://flic.kr/s/aHsjAP3nKo 6 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 7. SAML is DEAD! SAML 7 * http://www.linkedin.com/in/burtonian Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 8. WTF “SAML is dead”? I‟ve got a mortgage to pay… But I just started this job! @ian13550 @paulmadsen *Disclaimer: I work with these guys at Ping 8 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 9. it was the age of wisdom… * @dak3 meanwhile I‟ve got 29 years of mortgage payments remaining and kids in private school so I thought maybe I should figure out what *is* the future… 9 ** Burton actually said it but Kearns quotes him in http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/ Copyright ©2013 wanted to use “Crusty Curmudgeon” and I really Ping Identity Corporation. All rights reserved.
  • 10. on your deathbed, you will receive total consciousness *I did actually receive permission to use this photo Sometimes reinventing the wheel gets you something a little more round – – – – JSON Web Token JSON Web Signature JSON Web Encryption JSON Web Key JW* or JW[STEAK] 10 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 11. base64 vs. base64url • base64url is *almost* like base64 – Both are a means of encoding binary data in a printable ASCII string format – Each 6 bits -> 1 character (from a 64 character alphabet) – 3 bytes -> 4 characters • But base64url uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64 – – – – 62 alphanumeric characters “-” rather than “+” “_” rather than “/” Padding “=” is typically omitted • A remaining unreserved URI character: “.” – This will prove important shortly 11 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 12. JWS • JSON Web Signature • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding – Encoded segment are concatenated with a “.” • Intended for space constrained environments such as HTTP Authorization headers and URI query parameters • Conceptually Simple: – Header.Payload.Signature 12 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 13. JWS Header • JWS Header – • A bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value Reserved Header Parameter Names – “alg”: Algorithm • • • – – – – – – – – • HMAC, RSA and ECDSA None (controversy!) Extensible “kid”: Key ID “jku”: JWK Set URL “jwk”: JSON Web Key “x5u”: X.509 URL “x5t”: X.509 Certificate Thumbprint “x5c”: X.509 Certificate Chain “typ”: Type “cty”: Content Type Header Example “I signed this thing with RSA-SHA256 using key ID of „9er‟ and you can find the corresponding public key at https://www.example.com/jwk” {"alg":"RS256", "kid":”9er", "jwk”:"https://www.example.com/jwk"} 13 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 15. JWS Example Payload -> USA #1! base64url encoded payload -> VVNBICMxIQ Header (going to sign with ECDSA P-256 SHA-256) -> {"alg":"ES256"} base64url encoded header -> eyJhbGciOiJFUzI1NiJ9 Secured Input -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ base64url encoded signature over the Secured Input -> Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw JWS Compact Serialization -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.Zi1ZJeptOMNJ7Yb-WjlVQyz8sk4GZTy-EZh4dI_8UiZOu7nKK6xjTapsLRfe7fYoKtpCcHOYo1m8DNl6hLoISw Which you can think of sort of like: {"alg":"ES256"}.USA #1!.<SIGNATURE> 15 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 16. JWE • JSON Web Encryption • Similar in motivation and design to JWS but for encrypting content • A little more complicated – Headers • • • • “alg”: Algorithm (key wrap or agreement) “enc”: Encryption Method (Authenticated Encryption only) “zip”: Compression Algorithm Etc. • Five Parts Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag 16 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 17. JWE Key Management Algorithms (“alg”) 17 Copyright ©2013 Ping Identity Corporation. All rights reserved. http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html
  • 18. JWE Content Encryption Algorithms (“enc”) http://tools.ietf.org/id/draft-ietf-jose-json-web-algorithms-17.html • Note that all of the encryption methods are AEAD algorithms 18 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 19. Payload/plaintext -> I actually really like Canada JWE Example Header -> {"alg":"ECDH-ES+A128KW","enc":"A128CBCHS256","epk":{"kty":"EC","x":"Y9YfiejQGZW4o47zj4q7THlRRwhSpJPvtf5oF0sOMVA","y":"DnYzBhlR 57cW4Y8_Ae2s9WRm1Ju0Pi81aLY0VkA2Gnk","crv":"P-256"}} base64url encode header -> eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4 IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0 WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0 Encrypted Key: ECDH-ES key agreement used to AES Key wrap a 256 bit random key which is base64url encoded -> DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg IV: base64url encoded 128 bit initialization vector -> wAnQy_IfyJd5cW3ZKYzzIg Ciphertext: AES 128 CBC plaintext is base64url encoded -> teyZQzpSBgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8 Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> Mlc19AsGhJBUA1J3-vojD Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag eyJhbGciOiJFQ0RILUVTK0ExMjhLVyIsImVuYyI6IkExMjhDQkMtSFMyNTYiLCJlcGsiOnsia3R5IjoiRUMiLCJ4 IjoiWTlZZmllalFHWlc0bzQ3emo0cTdUSGxSUndoU3BKUHZ0ZjVvRjBzT01WQSIsInkiOiJEbll6QmhsUjU3Y1c0 WThfQWUyczlXUm0xSnUwUGk4MWFMWTBWa0EyR25rIiwiY3J2IjoiUC0yNTYifX0. DhHq778-jzaFU8I9i4BQOGAPi0gBWp4L8hqlaSvuwq1-eHpruLwlNg. wAnQy_IfyJd5cW3ZKYzzIg. teyZQzpS-BgEQtfLGduU9HlO0pZYo9ALnLHLIvPT0n8. 19 Copyright ©2013 Ping Identity Corporation. All rights reserved. Mlc19AsGhJBUA1J3-vojD
  • 20. JWT • JSON Web Token • Suggested pronunciation: "jot” • Compact URL-safe means of representing claims to be transferred between two parties • JWS and/or JWE with JSON claims as the payload • JWT Claim – A piece of information asserted about a subject (or the JWT itself). – Represented name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object). – Reserved Claim Names 20 • • • • • • • “iss”: Issuer “sub”: Subject “aud”: Audience “exp”: Expiration Time “nbf”: Not Before “iat”: Issued At “jti”: JWT ID Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 21. jot or not? The Header {"kid":"5","alg":"ES256"} The Payload {"iss":"https://idp.example.com", "exp":1357255788, "aud":"https://sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"} The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0 SvfykKWK_yK4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg The Signature [computery junk] 21 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 22. it‟s not the size of your token… eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOl wvXC9zcC 5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK 4LO0BKBiESHu0GUGwikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z” ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion” xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature> <ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms> <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> </ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference> </ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction> <Audience>https://sp.example.org</Audience> </AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext> <AuthnContextClassRef>2</AuthnContextClassRef> </AuthnContext> </AuthnStatement> </Assertion> 22 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 23. …it‟s how you use it • Simpler = Better • Web safe encoding w/ no canonicalization – Because canonicalization is a four letter word (especially when you spell it c14n) • Improved Interoperability & (hopefully) More Secure • Eliminates entire classes of attacks – – – – – – XSLT Transform DOS, Remote Code Execution, and Bypass C14N Hash Collision w/ & w/out comments Entity Expansion Attacks XPath Transform DOS and Bypass External Reference DOS Signature Wrapping Attacks* * This poor bastard was the „victim‟ in my POC of a signature wrapping vulnerability in SAML SSO for Google Apps http://www.google.com/about/appsecurity/hall-of-fame/reward/ 23 Copyright wicked smaht and Corporation. All rights reserved. Brad Hill is ©2013 Ping Identitypublished some of the attacks listed here
  • 24. JSON Web Key (JWK) • JSON data structure that represents cryptographic key(s) which can be – – – – included in a JWS/JWE/JWT header saved in a file used in place of self signed certificates published at an HTTPS endpoint and referenced JWT/JWS Header {"kid":"5", "alg":"ES256"} 24 {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} Copyright ©2013 Ping Identity Corporation. All rights reserved. ]}
  • 25. JW[STEAK] in Action • Compossible, reusable and being used – – – – – OAuth OpenID Connect Mozilla Persona W3C Web Cryptography API And more… • *Approaching* finalization as RFCs – – – – – 25 three nerds holding a blurry piece of paper they tell me is some kind of award for OpenID Connect http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12 http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-17 http://tools.ietf.org/html/draft-ietf-jose-json-web-encryption-17 http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-17 http://tools.ietf.org/html/draft-ietf-jose-json-web-key-17 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 26. JW[STEAK] Implementations • Java – • Ruby – • • Note that inclusion here does not imply endorsement of any kind (except for jose4j) and is informational in nature and intended only to show that there is widespread support for the emerging new standards https://github.com/ritou/php-Akita_JOSE .NET – 26 https://pypi.python.org/pypi/jws/0.1.0 https://github.com/rohe/pyjwkest PHP – • https://metacpan.org/module/JSON::WebToken https://github.com/kjur/jwsverify.pl https://github.com/xaicron/p5-JSON-WebToken Python – – • http://kjur.github.com/jsjws/ https://npmjs.org/package/jwt https://npmjs.org/package/green-jwt https://npmjs.org/package/jsjws Perl – – – • https://github.com/nov/json-jwt JavaScript – – – – • https://bitbucket.org/b_c/jose4j https://github.com/johnsheehan/jwt Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 27. JW[STEAK] implies a simple programming interface • Which is nice • The JWS and JWE examples in this presentation were created using jose4j and just a few lines of code https://bitbucket.org/b_c/jose4j in case you missed the URL on the last slide 27 Copyright ©2013 Ping Identity Corporation. All rights reserved.
  • 28. You’ve been Introduced to some JSON-Based Identity and Security Protocols Any Questions? SAML And thanks for putting up with me for the last hour. 28 Brian Campbell @__b_c November 2013 http://goo.gl/cQIQSf Copyright ©2013 Ping Identity Corporation. All rights reserved.