Upload
uniface
View
191
Download
5
Embed Size (px)
Citation preview
Application & Infrastructure Security:
JSON Web Tokens
Thomas S Shore III
Uniface SME
Agenda
The JWT standard
Applying JWT to Uniface
Uniface technology to support JWT
Sample application of JWT
And more...
What’s the problem?
AuthenticationSAML2 – Think single sign on / sign out (NTLM)
Oauth – Google, Facebook etc
Open ID – 3rd party login system
Information SharingTrusted
Not complex
Multi-client
SAML 2
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test" IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
<saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
<ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
</ds:Reference></ds:SignedInfo>
<ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data>
<ds:X509Certificate>MIICajCCAdOgAwIBAgIBADANBgkqhkiG9w0BAQQFADBSMQswCQYDVQQGEwJ1czETMBEGA1UECAwKQ2FsaWZvcm5pYTEVMBMGA1UECgwMT25lbG9naW4gSW5jMRcwFQYDVQQDDA5zcC5leGFtcGxlLmNvbTAeFw0xNDA3MTcwMDI5MjdaFw0xNTA3MTcwMDI5MjdaMFIxCzAJBgNVBAYTAnVzMRMwEQYDVQQIDApDYWxpZm9ybmlhMRUwEwYDVQQKDAxPbmVsb2dpbiBJbmMxFzAVBgNVBAMMDnNwLmV4YW1wbGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC7vU/6R/OBA6BKsZH4L2bIQ2cqBO7/aMfPjUPJPSn59d/f0aRqSC58YYrPuQODydUABiCknOn9yV0fEYm4bNvfjroTEd8bDlqo5oAXAUAI8XHPppJNz7pxbhZW0u35q45PJzGM9nCv9bglDQYJLby1ZUdHsSiDIpMbGgf/ZrxqawIDAQABo1AwTjAdBgNVHQ4EFgQU3s2NEpYx7wH6bq7xJFKa46jBDf4wHwYDVR0jBBgwFoAU3s2NEpYx7wH6bq7xJFKa46jBDf4wDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQQFAAOBgQCPsNO2FG+zmk5miXEswAs30E14rBJpe/64FBpM1rPzOleexvMgZlr0/smF3P5TWb7H8Fy5kEiByxMjaQmml/nQx6qgVVzdhaTANpIE1ywEzVJlhdvw4hmRuEKYqTaFMLez0sRL79LUeDxPWw7Mj9FkpRYT+kAGiFomHop1nErV6Q==</ds:X509Certificate>
</ds:X509Data></ds:KeyInfo>
</ds:Signature><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/><samlp:RequestedAuthnContext Comparison="exact">
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
</samlp:AuthnRequest>
Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains.(WikiPedia)
OAuth2
Complex
Authorization
No need to share a password
Sharing between sites if required
Allows Internet users to grant websites or applications access to their information on other websites but without giving them the passwords
Open ID
Federated Authentication
No sharing of data between providers/consumers
Allows users to be authenticated by co-operating sites (known as Relying Parties or RP) using a third party service.
Why should/do you care about this?
Web standards
Industry standard communication
Other technologies expect this!
Uniface is web aware and capable
There is no “out of the box” statement for this anywhere
What is JWT
JWTs represent a set of claims as a JSON object that is
encoded in a JWS and/or JWE structure. https://tools.ietf.org/html/rfc7519
Or from it’s original text
JSON Web Token (JWT) is a compact claims representation format intended
for space constrained environments such as HTTP Authorization headers and URI
query parameters. JWTs encode claims to be transmitted as a JSON [RFC7159]
object that is used as the payload of a JSON Web Signature (JWS) [JWS]
structure or as the plaintext of a JSON Web Encryption (JWE) [JWE]
structure, enabling the claims to be digitally signed or integrity protected with a
Message Authentication Code (MAC) and/or encrypted. JWTs are always
represented using the JWS Compact Serialization or the JWE Compact
Serialization. The suggested pronunciation of JWT is the same as the English
word "jot".
Original Klingon Text
Or English
JSON Web Token (JWT) is a compact claims representation format intended
for space constrained environments such as HTTP Authorization headers
and URI query parameters. JWTs encode claims to be transmitted as a
JSON [RFC7159] object that is used as the payload of a JSON Web
Signature (JWS) [JWS] structure or as the plaintext of a JSON Web
Encryption (JWE) [JWE] structure, enabling the claims to be digitally signed
or integrity protected with a Message Authentication Code (MAC) and/or
encrypted. JWTs are always represented using the JWS Compact
Serialization or the JWE Compact Serialization. The suggested pronunciation
of JWT is the same as the English word "jot".
What’s a Claim (from Dictionary.com)
Noun
6. a demand for something as due; an assertion of a right
or an alleged right:He made unreasonable claims on the doctor's time.
7. an assertion of something as a fact:He made no claims to originality.
It’s like a medicine bottle
Somewhat tamper-
proof
Labeled contents
Can be traced
I know who
prescribed it
I can see what’s in it
I know who filled it
I know when it is
expired
How might this work?
{ "iss" : "CVS\\/pharmacy","iat" : 1505908083,"exp" : 1537444083,"aud" : "Patient Name","sub" : "Happy Pills","jti" : "RX# 000000","quantity" : "30"
}
eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJDVlMvcGhhcm1hY3kiLCJpYXQiOjE1MDU5MDgwODMsImV4cCI6MTUzNzQ0NDA4MywiYXVkIjoiUGF0aWVudCBOYW1lIiwic3ViIjoiSGFwcHkgUGlsbHMiLCJqdGkiOiJSWCMgMDAwMDAwIiwicXVhbnRpdHkiOiIzMCJ9.ogrVq53XPuc77ffThZnej-DgDIfHEt1bgnsHh9_JZuU
So what does it look like?
Header.Payload.Signature
Signature = Encrypted Header.Payload
Here’s what we have
JWS – JSON Web Signature{
“typ”: “JWT”
“alg”:”HS256”
}
It’s a JSON Web Token (typ)
It’s encoded using the HMAC SHA-256 algorithm
Security Problem: alg set to none
Unsecured JWT
An Unsecured
JWT is a JWS using the "alg" Header Parameter value "none" and with
the empty string for its JWS Signature value, as defined in the JWA
specification [JWA]; it is an Unsecured JWS with the JWT Claims Set
as its JWS Payload.
So send me your JWT and I’ll modify the algorithm to “none” and I can change anything I want and it will be ok?
JWT Claims Set
Registered Claim NamesRegistered with IANA (www.iana.org)
o Claim Name: "iss"
o Claim Description: Issuer
o Change Controller: IESG
o Specification Document(s): Section 4.1.1 of RFC 7519
Private Claim Names
Must be unique
Registered Claims
Claim Name Description
iss Issuer
sub Subject
aud Audience
exp Expiration Date time (Unix epoch)
nbf Not before time (Unix epoch)
Iat Issued at
jti JWT ID
The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object. The jti claim can be used to prevent the JWT from being replayed. The jti value is case sensitive. This claim is OPTIONAL.
Validating a JWT
It has at least one period (‘.’)
JOSE Header is on the left
BASE 64 Encoded without carriage control or
whitespace
Header.Payload.Signature
Signature = Encrypted Header.Payload
JWT Libraries
.Net
Python
Node.js
Java
Javascript
Perl
Ruby
Elixir
Go
Haskell
Rust
Lua
Scala
D
Clojure
Objective-C
Swift
C
Kdb+/Q
Delphi
PHP
Crystal
1C
Where’s Uniface?
But no Uniface
We have all the technology in the product to create and
consume JSON Web Tokens
1. JSON creation
2. BASE64 encoding/decoding
3. HMAC_SHA256 Encryption
4. Manipulating Web Headers
Basic Operation
Uniface Web Application
Uniface Web ApplicationBrowserBrowser
Navigate to Web Application
Redirect to JWT Login Page
User enters valid username and password
Login ComponentLogin Component
Security Token Returned
Application Checks Token verifying expiration etc
Session verified Session Token added etc
JWT ComponentJWT Component
Request JWT Creation
Uniface particulars
Encode / Decode – BASE64
$encode(BASE64, source)
Encode HMAC_SHA256
$encode(HMAC_SHA256, source, security_key)
Sample Login
JWT Tester
DemoTime
Where is the stuff?
It will be placed on GitHub.com/uniface and possibly
uniface.info in the community samples area.
Thank You
& Questions