SlideShare a Scribd company logo

I Left My JWT in San JOSE

Download as PPTX, PDF
Brian Campbell, profile picture
Brian Campbell

The document provides a technical overview of JSON Web Token (JWT) and JavaScript Object Signing and Encryption (JOSE), detailing their structures, functions, and use cases in secure data exchange. It explains components such as JSON Web Signature (JWS), JSON Web Encryption (JWE), and various algorithms used for authentication and encryption. Overall, the content emphasizes JWT's role as a compact and URL-safe means of representing claims transferred between parties.

Internet
1 of 39
Downloaded 120 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
`` Brian Campbell @__b_c Cloud Identity Summit 2014 http://www.slideshare.net/briandavidcampbell A technical overview of JSON Web Token (JWT) and JavaScript Object Signing and Encryption (JOSE)
Introductions http://blog.talkingidentity.com/2013/08/thanking-the-iam-venn-erables-in-my-own-way.html Me
More Introductions… Copyright © 2014 Ping Identity Corp. All rights reserved. 3https://twitter.com/itickr/status/354999490928857088 https://flic.kr/p/f6PKjB
• JavaScript Object Signing and Encryption (JOSE) – JSON Web Signature (JWS) • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding – JSON Web Encryption (JWE) • Like JWS but for encrypting content – JSON Web Key (JWK) • JSON data structures representing cryptographic keys – JSON Web Algorithms • Defines the use cryptographic algorithms and identifiers for JWS, JWE and JWK • JSON Web Token (JWT) – A compact URL-safe means of representing claims/attributes to be transferred between two parties – A JWT is a JWS and/or a JWE with JSON claims as the payload Copyright © 2014 Ping Identity Corp. All rights reserved. 4 JWT + JOSE Overview JWS JWE JWT JWK JSON
• Not even official RFCs yet but – Well regarded – And widely used: • OAuth • OpenID Connect • Mozilla Persona (ahem) • W3C Web Cryptography API • + more… Three nerds holding a blurry piece of paper they tell me is some kind of award for the JOSE & JWT work. http://www.kuppingercole.com/article/award2014 5 JWT + JOSE in the Wild
What’s in a Name? https://twitter.com/metadaddy/status/454422069199900672 JW*
Copyright © 2014 Ping Identity Corp. All rights reserved. 7 But you wouldn't name your child ‘Attila the Hun’ would you? "Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg I didn’t…
What would JOSE do? ‡ Call it JW-STEAK ‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I’m not at all reluctant about blaming him. JW- JWS JWT JWE JWA JWK
Because who doesn’t like a good steak? Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
Okay, fine… • Technically speaking, my vegan coworker does not like steak • Even if it is ‘good’ • But let’s not split hairs on this one… Copyright © 2014 Ping Identity Corp. All rights reserved. 10
Awkward Transition… into some of the more technical details 11 Few things are more awkward than Paul Madsen eating a Slim Jim while wearing a sailor's outfit and bowtie
All The Cool Kids Are Doing It Copyright © 2014 Ping Identity Corp. All rights reserved. 12 {"JSON" : "a lightweight & human-readable data-interchange format"}
The 64 Character Question • base64 – A means of encoding binary data in a printable ASCII string format – Each 6 bits -> 1 character • From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/" • Also padding "=" – 3 bytes -> 4 characters • base64url – uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64 – "-" rather than "+" – "_" rather than "/" – Padding "=" is typically omitted • A remaining unreserved URI character: "." – This will prove important shortly Copyright © 2014 Ping Identity Corp. All rights reserved. 13 Example: 32 random bytes encoded base64: qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU= base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU URL Encoded: qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3D qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
A closer look at JOSE’s bits and pieces: JWS • JSON Web Signature (JWS) • A way of representing content secured with a digital signature or MAC – Using a JSON data structure and base64url encoding – Encoded segments are concatenated with a "." – Intended for space constrained environments such as HTTP Authorization headers and URI query parameters • Conceptually Simple: – <Header>.<Payload>.<Signature> Copyright © 2014 Ping Identity Corp. All rights reserved. 14
JOSE’s bits and pieces: The JWS Header • JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value • Reserved Header Parameters – "alg": Algorithm – HMAC, RSA, RSA-PSS and ECDSA – Unsigned/none (controversy!) – Extensible • "kid": Key ID • "jku": JWK Set URL • "jwk": JSON Web Key • "x5u": X.509 URL • "x5t": X.509 Thumbprint • "x5c": X.509 Certificate Chain • "typ": Type • "cty": Content Type Copyright © 2014 Ping Identity Corp. All rights reserved. 15 Header Example: "I signed this thing with RSA-SHA256 using key we known as ‘9er’ which you can find the corresponding public key for at https://www.example.com/jwks" {"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}
JOSE’s bits and pieces: JWS Algorithms Copyright © 2014 Ping Identity Corp. All rights reserved. 16 Digital Signature or Message Authentication Code Algorithm JWS "alg" Parameter Values HMAC using SHA2 HS256, HS384 and HS512 RSASSA-PKCS1-V1_5 Digital Signatures with with SHA2 RS256, RS384 and RS512 Elliptic Curve Digital Signatures (ECDSA) with SHA2 ES256, ES384 and ES512 RSASSA-PSS Digital Signatures with SHA2 PS256, PS384 and PS512 Unsigned Plaintext none
USA & Canada vs. a little context…
Jingoistic JWS Example Payload -> USA #1! base64url encoded payload -> VVNBICMxIQ Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") -> {"alg":"ES256","kid":"my-first-key"} base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9 Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA- TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA JWS Compact Serialization (line breaks after dots added for readability) -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9. VVNBICMxIQ. QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA- TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA Which you can think of sort of like: {"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
JOSE’s bits and pieces: JWE • JSON Web Encryption • Similar in motivation and design to JWS but for encrypting content • A little more complicated – Headers • "alg": Algorithm (key wrap or agreement) • "enc": Encryption Method (Authenticated Encryption only) • "zip": Compression Algorithm – "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one • "kid”, “jku”, “jwk”, "x5u”, "x5t”, "x5c”, etc.. • Five Parts <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag> Copyright © 2014 Ping Identity Corp. All rights reserved. 19
JOSE’s bits and pieces: JWE Content Encryption Algorithms ("enc") Copyright © 2014 Ping Identity Corp. All rights reserved. 20 Content Encryption Algorithm JWE "enc" Parameter Values Authenticated encryption with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) A128GCM, A192GCM and A256GCM Authenticated encryption with an AES-CBC and HMAC-SHA2 composite A128CBC-HS256, A192CBC- HS384 and A256CBC-HS512
JOSE’s bits and pieces: JWE Key Management Algorithms ("alg") Copyright © 2014 Ping Identity Corp. All rights reserved. 21 Key Management Algorithm JWE "alg" Parameter Values Direct encryption with a shared symmetric key dir RSAES-PKCS1-V1_5 key encryption RSA1_5 RSAES using OAEP key encryption RSA-OAEP and RSA-OAEP-256 AES key wrap A128KW, A192KW and A256KW AES GCM key encryption A128GCMKW, A192GCMKW and A256GCMKW Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF ECDH-ES Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap ECDH-ES+A128KW, ECDH- ES+A192KW and ECDH-ES+A256KW PBES2 with HMAC SHA-2 and AES key wrapping PBES2-HS256+A128KW, PBES2-
Payload/plaintext -> I actually really like Canada Header -> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"} base64url encode header -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFU CIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg Encrypted Key: RSA OAEP used wrap a 256 bit random key which is base64url encoded -> knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3 uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ- SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ Ciphertext: base64url encoded AES 128 CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> rCjFpLbuWKQMJLzQEP4aSw JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ. knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3 uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ- SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ. OMRMiwPvh13089vcWAw_mg. G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw. rCjFpLbuWKQMJLzQEP4aSw Confessional JWE Example
An aside, eh. Looking for material, I started to Google "never trust a Canadian"… Brian Campbell @__b_c CIS 2014
JWT • JSON Web Token • Suggested pronunciation: "jot" • Compact URL-safe means of representing claims to be transferred between two parties • JWS and/or JWE with JSON claims as the payload • JWT Claim – A piece of information asserted about a subject (or the JWT itself) – Represented name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object) Copyright © 2014 Ping Identity Corp. All rights reserved. 24
• "iss": Issuer – Who issued it • "sub": Subject – Who’s it about • "aud": Audience – Who’s it for • "exp": Expiration Time – When it expires • "nbf": Not Before – When it starts being value • "iat": Issued At – When it was issued • "jti": JWT ID – A unique identifier for it Copyright © 2014 Ping Identity Corp. All rights reserved. 25 (some) Reserved JWT Claim Names
jot or not? Copyright © 2014 Ping Identity Corp. All rights reserved. 26 The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9. The Header {"kid":"5","alg":"ES256"} The Payload {"iss":"https://idp.example.com", "exp":1357255788, "aud":"https://sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}
it’s not the size of your token… Copyright © 2014 Ping Identity Corp. All rights reserved. 27 eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcG xlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUG wikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature><ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference></ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext> </AuthnStatement> </Assertion>
…it’s how you use it • Simpler = Better • Web safe encoding w/ no canonicalization (Because canonicalization is a four letter word*) • Improved Interoperability & (hopefully) More Secure • Eliminates entire classes of attacks – XSLT Transform DOS, Remote Code Execution, and Bypass – C14N Hash Collision w/ & w/out comments – Entity Expansion Attacks – XPath Transform DOS and Bypass – External Reference DOS – Signature Wrapping Attacks Copyright © 2014 Ping Identity Corp. All rights reserved. 28 Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and published some of these attacks * especially when you spell it c14n
JSON Web Key (JWK) Copyright © 2014 Ping Identity Corp. All rights reserved. 29 • JSON data structure representing cryptographic key(s) – Public/private keys: RSA & Elliptic Curve – Symmetric keys (octet sequence) • Can can be – included in a JWS/JWE/JWT header – published at an HTTPS endpoint and referenced – used in place of self signed certificates – saved in a file – sent in an email – and more
JWK & JWT Working Together Copyright © 2014 Ping Identity Corp. All rights reserved. 30 JWT/JWS Header { "kid":"5", "alg":"ES256" } JWK Set {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} ]}
Simple Is As Simple Does • The relative simplicity of JW[STEAK] implies a simple programming interface • Numerous implementations already exist for a wide variety of languages/platforms • Going to make you take quick look at one of them… Copyright © 2014 Ping Identity Corp. All rights reserved. 31
Introducing jose4j • Open source Java implementation of the JOSE specification suite – https://bitbucket.org/b_c/jose4j • Relies solely on the JCA APIs for cryptography • 100% Algorithm Support • Production ready – Used throughout Ping Identity’s products • Reference[able] implementation – Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A • Completely free of NSA backdoors – (but I’m open to "sponsorship" opportunities) Copyright © 2014 Ping Identity Corp. All rights reserved. 32
Producing the aforementioned JWS Copyright © 2014 Ping Identity Corp. All rights reserved. 33 PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256); jwk.setKeyId("my-first-key"); JsonWebSignature jws = new JsonWebSignature(); jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256); jws.setPayload("USA #1!"); jws.setKey(jwk.getPrivateKey()); jws.setKeyIdHeaderValue(jwk.getKeyId()); String compactSerialization = jws.getCompactSerialization(); System.out.println(compactSerialization);
Consuming that JWS Copyright © 2014 Ping Identity Corp. All rights reserved. 34 JsonWebKey jwk = JsonWebKey.Factory.newJwk("{"kty":"EC"," + ""kid":"my-first-key"," + ""x":"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ"," + ""y":"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk"," + ""crv":"P-256"}"); String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." + "VVNBICMxIQ." + "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" + "REzF1FF25BbrgyohbKdGE1cB-hrA"; JsonWebSignature jws = new JsonWebSignature(); jws.setCompactSerialization(compactSerialization); jws.setKey(jwk.getKey()); String payload = jws.getPayload(); System.out.println(payload);
Producing the aforementioned JWE Copyright © 2014 Ping Identity Corp. All rights reserved. 35 String jwkJson = "{"kty":"RSA"," + ""kid":"use this one eh"," + ""n":"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X"+ "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" + "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" + "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"," + ""e":"AQAB"}"; JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson); JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setPayload("I actually really like Canada"); jwe.setKey(jwk.getKey()); jwe.setKeyIdHeaderValue(jwk.getKeyId()); jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256); String compactSerialization = jwe.getCompactSerialization(); System.out.println(compactSerialization);
Consuming that JWE (1 of 2) Copyright © 2014 Ping Identity Corp. All rights reserved. 36 String jwkJson = "{"kty":"RSA"," + ""kid":"use this one eh"," + ""n":"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" + "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" + "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" + "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"," + ""e":"AQAB"," + ""d":"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" + "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" + "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" + "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ","p":"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" + "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" + "7PtqHJjrcF3i952oKAGU","q":"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" + "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM"," + ""dp":"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" + "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U"," + ""dq":"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" + "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck"," + ""qi":"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" + "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4"}";
Consuming that JWE (2 of 2) Copyright © 2014 Ping Identity Corp. All rights reserved. 37 String jwecs = "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." + "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" + "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" + "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" + "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." + "OMRMiwPvh13089vcWAw_mg." + "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." + "rCjFpLbuWKQMJLzQEP4aSw"; PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson); JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setCompactSerialization(jwecs); jwe.setKey(jwk.getPrivateKey()); String payload = jwe.getPayload(); System.out.println(payload);
Are we finished yet? 38
Yes, finished. See you at Boot Camp (maybe). Thank you! Brian Campbell @__b_c CIS 2014 https://flic.kr/p/f7zK1V

More Related Content

PDF
Using Postman to Test OAuth/OIDC
Postman
 
PPTX
JOSE Can You See...
Brian Campbell
 
PDF
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
PDF
OpenID Connect Explained
Vladimir Dzhuvinov
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
PPTX
Pentesting ReST API
Nutan Kumar Panda
 
PDF
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
PDF
Swagger UI
Walaa Hamdy Assy
 
Using Postman to Test OAuth/OIDC
Postman
 
JOSE Can You See...
Brian Campbell
 
Token, token... From SAML to OIDC
Shiu-Fun Poon
 
OpenID Connect Explained
Vladimir Dzhuvinov
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
Matt Tesauro
 
Pentesting ReST API
Nutan Kumar Panda
 
Security for oauth 2.0 - @topavankumarj
Pavan Kumar J
 
Swagger UI
Walaa Hamdy Assy
 

What's hot (20)

PPT
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
PDF
Introduction to OpenID Connect
Nat Sakimura
 
ODP
OAuth2 - Introduction
Knoldus Inc.
 
PDF
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
PPTX
An introduction to OAuth 2
Sanjoy Kumar Roy
 
ODP
Introduction to Swagger
Knoldus Inc.
 
ODP
Accelerate Quality with Postman - Basics
Knoldus Inc.
 
PDF
OWASP API Security Top 10 - API World
42Crunch
 
PPTX
OpenID Connect: An Overview
Pat Patterson
 
PPTX
REST Service Authetication with TLS & JWTs
Jon Todd
 
PPTX
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
PPTX
Troubleshooting Kerberos in Hadoop: Taming the Beast
DataWorks Summit
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
PPTX
Introducing Swagger
Tony Tam
 
PDF
Offzone | Another waf bypass
Дмитрий Бумов
 
PPTX
Distributed tracing 101
Itiel Shwartz
 
PDF
WEBINAR: OWASP API Security Top 10
42Crunch
 
PPTX
Intro to OAuth2 and OpenID Connect
LiamWadman
 
PDF
Designing APIs with OpenAPI Spec
Adam Paxton
 
PPTX
REST API Design & Development
Ashok Pundit
 
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Introduction to OpenID Connect
Nat Sakimura
 
OAuth2 - Introduction
Knoldus Inc.
 
OAuth & OpenID Connect Deep Dive
Nordic APIs
 
An introduction to OAuth 2
Sanjoy Kumar Roy
 
Introduction to Swagger
Knoldus Inc.
 
Accelerate Quality with Postman - Basics
Knoldus Inc.
 
OWASP API Security Top 10 - API World
42Crunch
 
OpenID Connect: An Overview
Pat Patterson
 
REST Service Authetication with TLS & JWTs
Jon Todd
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
Troubleshooting Kerberos in Hadoop: Taming the Beast
DataWorks Summit
 
Peeling the Onion: Making Sense of the Layers of API Security
Matt Tesauro
 
Introducing Swagger
Tony Tam
 
Offzone | Another waf bypass
Дмитрий Бумов
 
Distributed tracing 101
Itiel Shwartz
 
WEBINAR: OWASP API Security Top 10
42Crunch
 
Intro to OAuth2 and OpenID Connect
LiamWadman
 
Designing APIs with OpenAPI Spec
Adam Paxton
 
REST API Design & Development
Ashok Pundit
 
Ad

Viewers also liked (7)

PDF
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
PDF
Javascript Object Signing & Encryption
Aaron Zauner
 
PDF
Aplicando controles de segurança em API’s, por Erick Tedeschi
iMasters
 
PPTX
OpenID ConnectとSCIMによるエンタープライズでのID連携活用に向けて
Takashi Yahata
 
PDF
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
PDF
第4回web技術勉強会 暗号技術編その2
tzm_freedom
 
PDF
JSON Web Tokens
Ivan Rosolen
 
Authentication: Cookies vs JWTs and why you’re doing it wrong
Derek Perkins
 
Javascript Object Signing & Encryption
Aaron Zauner
 
Aplicando controles de segurança em API’s, por Erick Tedeschi
iMasters
 
OpenID ConnectとSCIMによるエンタープライズでのID連携活用に向けて
Takashi Yahata
 
JSON Web Tokens (JWT)
Vladimir Dzhuvinov
 
第4回web技術勉強会 暗号技術編その2
tzm_freedom
 
JSON Web Tokens
Ivan Rosolen
 
Ad

Similar to I Left My JWT in San JOSE (20)

PDF
CIS14: I Left My JWT in San JOSE
CloudIDSummit
 
PPTX
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
Brian Campbell
 
PPTX
Introduction to the Emerging JSON-Based Identity and Security Protocols
Brian Campbell
 
PPTX
State of Authenticating RESTful APIs
robwinch
 
PDF
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
 
PDF
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Adam Englander
 
PDF
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
PDF
"Crypto wallets security. For developers", Julia Potapenko
Fwdays
 
PDF
Dodging WebCrypto API Landmines
Ernie Turner
 
PDF
Rails security: above and beyond the defaults
Matias Korhonen
 
PPTX
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Akana
 
PDF
Hadoop Security Now and Future
tcloudcomputing-tw
 
ODP
Introduction To Encryption in Lasso 8.5
bilcorry
 
PDF
Improving password-based authentication
Frank Denis
 
PDF
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB
 
PDF
Hardening cassandra for compliance or paranoia
zznate
 
PDF
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
DataStax Academy
 
PPTX
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov
 
PDF
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Jonathan Katz
 
PDF
7.3. iCloud keychain-2
defconmoscow
 
CIS14: I Left My JWT in San JOSE
CloudIDSummit
 
An Introduction to the Emerging JSON-Based Identity and Security Protocols (O...
Brian Campbell
 
Introduction to the Emerging JSON-Based Identity and Security Protocols
Brian Campbell
 
State of Authenticating RESTful APIs
robwinch
 
Con Foo 2017 - Don't Loose Sleep - Secure Your REST
Adam Englander
 
Don't Loose Sleep - Secure Your Rest - php[tek] 2017
Adam Englander
 
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz
 
"Crypto wallets security. For developers", Julia Potapenko
Fwdays
 
Dodging WebCrypto API Landmines
Ernie Turner
 
Rails security: above and beyond the defaults
Matias Korhonen
 
Securing Your APIs against the Recent Vulnerabilities in SSLv2/SSLv3
Akana
 
Hadoop Security Now and Future
tcloudcomputing-tw
 
Introduction To Encryption in Lasso 8.5
bilcorry
 
Improving password-based authentication
Frank Denis
 
MongoDB .local Bengaluru 2019: New Encryption Capabilities in MongoDB 4.2: A ...
MongoDB
 
Hardening cassandra for compliance or paranoia
zznate
 
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
DataStax Academy
 
Cryptography for Java Developers: Nakov jProfessionals (Jan 2019)
Svetlin Nakov
 
Safely Protect PostgreSQL Passwords - Tell Others to SCRAM
Jonathan Katz
 
7.3. iCloud keychain-2
defconmoscow
 

More from Brian Campbell (14)

PPTX
The Burden of Proof
Brian Campbell
 
PPTX
Token Binding Identiverse 2018
Brian Campbell
 
PPTX
IAM Overview Identiverse 2018
Brian Campbell
 
PPTX
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Brian Campbell
 
PPTX
Identity and Access Management - RSA 2017 Security Foundations Seminar
Brian Campbell
 
PDF
OAuth 2.0 Token Exchange: An STS for the REST of Us
Brian Campbell
 
PPTX
Denver Startup Week '15: Mobile SSO
Brian Campbell
 
PPTX
Mobile SSO: are we there yet?
Brian Campbell
 
PPTX
Mobile Single Sign-On (Gluecon '15)
Brian Campbell
 
PPTX
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
PPTX
Hope or Hype: A Look at the Next Generation of Identity Standards
Brian Campbell
 
PPTX
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
PPTX
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
PDF
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
Brian Campbell
 
The Burden of Proof
Brian Campbell
 
Token Binding Identiverse 2018
Brian Campbell
 
IAM Overview Identiverse 2018
Brian Campbell
 
Beyond Bearer: Token Binding as the Foundation for a More Secure Web
Brian Campbell
 
Identity and Access Management - RSA 2017 Security Foundations Seminar
Brian Campbell
 
OAuth 2.0 Token Exchange: An STS for the REST of Us
Brian Campbell
 
Denver Startup Week '15: Mobile SSO
Brian Campbell
 
Mobile SSO: are we there yet?
Brian Campbell
 
Mobile Single Sign-On (Gluecon '15)
Brian Campbell
 
OpenID Connect - a simple[sic] single sign-on & identity layer on top of OAut...
Brian Campbell
 
Hope or Hype: A Look at the Next Generation of Identity Standards
Brian Campbell
 
OAuth 101 & Secure APIs 2012 Cloud Identity Summit
Brian Campbell
 
OAuth 2.0 and Mobile Devices: Is that a token in your phone in your pocket or...
Brian Campbell
 
OAuth 101 & Secure API's - Paul Madsen and Brian Campbell, Ping Identity
Brian Campbell
 

Recently uploaded (20)

PDF
LB# 820-1889_051-7370_C000.schematic.pdf
matheusalbuquerqueco3
 
PDF
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
PPTX
The Latest Scam Shocking the USA in 2025.pptx
onlinescamreport4
 
PPTX
Unlocking Hope : How Crypto Recovery Services Can Reclaim Your Lost Funds
lionsgate network
 
PDF
Latest Scam Shocking the USA in 2025.pdf
onlinescamreport4
 
PPTX
Black Yellow Modern Minimalist Elegant Presentation.pptx
nothisispatrickduhh
 
PPTX
Perkembangan Perangkat jaringan komputer dan telekomunikasi 3.pptx
Prayudha3
 
PDF
Slides: PDF Eco Economic Epochs for World Game (s) pdf
Steven McGee
 
PPTX
B2B_Ecommerce_Internship_Simranpreet.pptx
LipakshiJindal
 
PPTX
The Internet of Things (IoT) refers to a vast network of interconnected devic...
chethana8182
 
PDF
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
PPTX
Google SGE SEO: 5 Critical Changes That Could Wreck Your Rankings in 2025
Reversed Out Creative
 
PPTX
Artificial-Intelligence-in-Daily-Life (2).pptx
nidhigoswami335
 
PPTX
Parallel & Concurrent ...
yashpavasiya892
 
PDF
The Internet of Things (IoT) refers to a vast network of interconnected devic...
chethana8182
 
PPT
1965 INDO PAK WAR which Pak will never forget.ppt
sanjaychief112
 
PPTX
谢尔丹学院毕业证购买|Sheridan文凭不见了怎么办谢尔丹学院成绩单
mookxk3
 
PPT
Introduction to dns domain name syst.ppt
MUHAMMADKAVISHSHABAN
 
PPTX
Blue and Dark Blue Modern Technology Presentation.pptx
ap177979
 
PDF
PDF document: World Game (s) Great Redesign.pdf
Steven McGee
 
LB# 820-1889_051-7370_C000.schematic.pdf
matheusalbuquerqueco3
 
APNIC Update, presented at PHNOG 2025 by Shane Hermoso
APNIC
 
The Latest Scam Shocking the USA in 2025.pptx
onlinescamreport4
 
Unlocking Hope : How Crypto Recovery Services Can Reclaim Your Lost Funds
lionsgate network
 
Latest Scam Shocking the USA in 2025.pdf
onlinescamreport4
 
Black Yellow Modern Minimalist Elegant Presentation.pptx
nothisispatrickduhh
 
Perkembangan Perangkat jaringan komputer dan telekomunikasi 3.pptx
Prayudha3
 
Slides: PDF Eco Economic Epochs for World Game (s) pdf
Steven McGee
 
B2B_Ecommerce_Internship_Simranpreet.pptx
LipakshiJindal
 
The Internet of Things (IoT) refers to a vast network of interconnected devic...
chethana8182
 
BGP Security Best Practices that Matter, presented at PHNOG 2025
APNIC
 
Google SGE SEO: 5 Critical Changes That Could Wreck Your Rankings in 2025
Reversed Out Creative
 
Artificial-Intelligence-in-Daily-Life (2).pptx
nidhigoswami335
 
Parallel & Concurrent ...
yashpavasiya892
 
The Internet of Things (IoT) refers to a vast network of interconnected devic...
chethana8182
 
1965 INDO PAK WAR which Pak will never forget.ppt
sanjaychief112
 
谢尔丹学院毕业证购买|Sheridan文凭不见了怎么办谢尔丹学院成绩单
mookxk3
 
Introduction to dns domain name syst.ppt
MUHAMMADKAVISHSHABAN
 
Blue and Dark Blue Modern Technology Presentation.pptx
ap177979
 
PDF document: World Game (s) Great Redesign.pdf
Steven McGee
 

I Left My JWT in San JOSE

  • 1. `` Brian Campbell @__b_c Cloud Identity Summit 2014 http://www.slideshare.net/briandavidcampbell A technical overview of JSON Web Token (JWT) and JavaScript Object Signing and Encryption (JOSE)
  • 3. More Introductions… Copyright © 2014 Ping Identity Corp. All rights reserved. 3https://twitter.com/itickr/status/354999490928857088 https://flic.kr/p/f6PKjB
  • 4. • JavaScript Object Signing and Encryption (JOSE) – JSON Web Signature (JWS) • A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding – JSON Web Encryption (JWE) • Like JWS but for encrypting content – JSON Web Key (JWK) • JSON data structures representing cryptographic keys – JSON Web Algorithms • Defines the use cryptographic algorithms and identifiers for JWS, JWE and JWK • JSON Web Token (JWT) – A compact URL-safe means of representing claims/attributes to be transferred between two parties – A JWT is a JWS and/or a JWE with JSON claims as the payload Copyright © 2014 Ping Identity Corp. All rights reserved. 4 JWT + JOSE Overview JWS JWE JWT JWK JSON
  • 5. • Not even official RFCs yet but – Well regarded – And widely used: • OAuth • OpenID Connect • Mozilla Persona (ahem) • W3C Web Cryptography API • + more… Three nerds holding a blurry piece of paper they tell me is some kind of award for the JOSE & JWT work. http://www.kuppingercole.com/article/award2014 5 JWT + JOSE in the Wild
  • 6. What’s in a Name? https://twitter.com/metadaddy/status/454422069199900672 JW*
  • 7. Copyright © 2014 Ping Identity Corp. All rights reserved. 7 But you wouldn't name your child ‘Attila the Hun’ would you? "Attila, Scourge of God" http://en.wikipedia.org/wiki/File:Atilla_fl%C3%A9au_de_dieu.jpg I didn’t…
  • 8. What would JOSE do? ‡ Call it JW-STEAK ‡ I reluctantly credit Paul Madsen with WWJD. Unless you are offended by it, in which case I’m not at all reluctant about blaming him. JW- JWS JWT JWE JWA JWK
  • 9. Because who doesn’t like a good steak? Don Julio is a famous (to gringo tourists anyway) steakhouse in Buenos Aires, Argentina - https://flic.kr/p/ezE99U
  • 10. Okay, fine… • Technically speaking, my vegan coworker does not like steak • Even if it is ‘good’ • But let’s not split hairs on this one… Copyright © 2014 Ping Identity Corp. All rights reserved. 10
  • 11. Awkward Transition… into some of the more technical details 11 Few things are more awkward than Paul Madsen eating a Slim Jim while wearing a sailor's outfit and bowtie
  • 12. All The Cool Kids Are Doing It Copyright © 2014 Ping Identity Corp. All rights reserved. 12 {"JSON" : "a lightweight & human-readable data-interchange format"}
  • 13. The 64 Character Question • base64 – A means of encoding binary data in a printable ASCII string format – Each 6 bits -> 1 character • From a 64 character alphabet comprised of 62 alphanumeric characters and "+" and "/" • Also padding "=" – 3 bytes -> 4 characters • base64url – uses a URL safe alphabet rather than the nearly URL safe alphabet of regular base64 – "-" rather than "+" – "_" rather than "/" – Padding "=" is typically omitted • A remaining unreserved URI character: "." – This will prove important shortly Copyright © 2014 Ping Identity Corp. All rights reserved. 13 Example: 32 random bytes encoded base64: qOo+pY+LPDB7sA2nuMp4TzmCThieol/J+bAXqcB8pAU= base64url: qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU URL Encoded: qOo%2BpY%2BLPDB7sA2nuMp4TzmCThieol%2FJ%2BbAXqcB8pAU%3D qOo-pY-LPDB7sA2nuMp4TzmCThieol_J-bAXqcB8pAU
  • 14. A closer look at JOSE’s bits and pieces: JWS • JSON Web Signature (JWS) • A way of representing content secured with a digital signature or MAC – Using a JSON data structure and base64url encoding – Encoded segments are concatenated with a "." – Intended for space constrained environments such as HTTP Authorization headers and URI query parameters • Conceptually Simple: – <Header>.<Payload>.<Signature> Copyright © 2014 Ping Identity Corp. All rights reserved. 14
  • 15. JOSE’s bits and pieces: The JWS Header • JWS Header is a bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value • Reserved Header Parameters – "alg": Algorithm – HMAC, RSA, RSA-PSS and ECDSA – Unsigned/none (controversy!) – Extensible • "kid": Key ID • "jku": JWK Set URL • "jwk": JSON Web Key • "x5u": X.509 URL • "x5t": X.509 Thumbprint • "x5c": X.509 Certificate Chain • "typ": Type • "cty": Content Type Copyright © 2014 Ping Identity Corp. All rights reserved. 15 Header Example: "I signed this thing with RSA-SHA256 using key we known as ‘9er’ which you can find the corresponding public key for at https://www.example.com/jwks" {"alg":"RS256", "kid":"9er", "jku":"https://www.example.com/jwks"}
  • 16. JOSE’s bits and pieces: JWS Algorithms Copyright © 2014 Ping Identity Corp. All rights reserved. 16 Digital Signature or Message Authentication Code Algorithm JWS "alg" Parameter Values HMAC using SHA2 HS256, HS384 and HS512 RSASSA-PKCS1-V1_5 Digital Signatures with with SHA2 RS256, RS384 and RS512 Elliptic Curve Digital Signatures (ECDSA) with SHA2 ES256, ES384 and ES512 RSASSA-PSS Digital Signatures with SHA2 PS256, PS384 and PS512 Unsigned Plaintext none
  • 18. Jingoistic JWS Example Payload -> USA #1! base64url encoded payload -> VVNBICMxIQ Header (going to sign with ECDSA P-256 SHA-256 via "my-first-key") -> {"alg":"ES256","kid":"my-first-key"} base64url encoded header -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9 Secured Input -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9.VVNBICMxIQ base64url encoded signature over the Secured Input -> QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA- TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA JWS Compact Serialization (line breaks after dots added for readability) -> eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9. VVNBICMxIQ. QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA- TDQEbNdTm2Wnj2sUSrBKZJAUREzF1FF25BbrgyohbKdGE1cB-hrA Which you can think of sort of like: {"alg":"ES256","kid":"my-first-key"}."USA #1!".<SIGNATURE>
  • 19. JOSE’s bits and pieces: JWE • JSON Web Encryption • Similar in motivation and design to JWS but for encrypting content • A little more complicated – Headers • "alg": Algorithm (key wrap or agreement) • "enc": Encryption Method (Authenticated Encryption only) • "zip": Compression Algorithm – "DEF" for the DEFLATE Compressed Data Format from RFC 1951 is currently the only one • "kid”, “jku”, “jwk”, "x5u”, "x5t”, "x5c”, etc.. • Five Parts <Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag> Copyright © 2014 Ping Identity Corp. All rights reserved. 19
  • 20. JOSE’s bits and pieces: JWE Content Encryption Algorithms ("enc") Copyright © 2014 Ping Identity Corp. All rights reserved. 20 Content Encryption Algorithm JWE "enc" Parameter Values Authenticated encryption with Advanced Encryption Standard (AES) in Galois/Counter Mode (GCM) A128GCM, A192GCM and A256GCM Authenticated encryption with an AES-CBC and HMAC-SHA2 composite A128CBC-HS256, A192CBC- HS384 and A256CBC-HS512
  • 21. JOSE’s bits and pieces: JWE Key Management Algorithms ("alg") Copyright © 2014 Ping Identity Corp. All rights reserved. 21 Key Management Algorithm JWE "alg" Parameter Values Direct encryption with a shared symmetric key dir RSAES-PKCS1-V1_5 key encryption RSA1_5 RSAES using OAEP key encryption RSA-OAEP and RSA-OAEP-256 AES key wrap A128KW, A192KW and A256KW AES GCM key encryption A128GCMKW, A192GCMKW and A256GCMKW Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF ECDH-ES Elliptic Curve Diffie-Hellman Ephemeral Static key agreement using Concat KDF with AES key wrap ECDH-ES+A128KW, ECDH- ES+A192KW and ECDH-ES+A256KW PBES2 with HMAC SHA-2 and AES key wrapping PBES2-HS256+A128KW, PBES2-
  • 22. Payload/plaintext -> I actually really like Canada Header -> {"kid":"use this one eh","alg":"RSA-OAEP","enc":"A128CBC-HS256"} base64url encode header -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFU CIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ IV: base64url encoded 128 bit initialization vector -> OMRMiwPvh13089vcWAw_mg Encrypted Key: RSA OAEP used wrap a 256 bit random key which is base64url encoded -> knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3 uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ- SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ Ciphertext: base64url encoded AES 128 CBC encrypted payload -> G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw Authentication Tag: base64url encoded left truncated SHA-256 HMAC of encoded header, IV and ciphertext -> rCjFpLbuWKQMJLzQEP4aSw JWE Compact Serialization (<Header>.<EncryptedKey>.<InitializationVector>.<Ciphertext>.<AuthenticationTag>) -> eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ. knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0MlmFwU6h5pSALNFH7guQpRZmW3h3 uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ- SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhYV-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ. OMRMiwPvh13089vcWAw_mg. G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw. rCjFpLbuWKQMJLzQEP4aSw Confessional JWE Example
  • 23. An aside, eh. Looking for material, I started to Google "never trust a Canadian"… Brian Campbell @__b_c CIS 2014
  • 24. JWT • JSON Web Token • Suggested pronunciation: "jot" • Compact URL-safe means of representing claims to be transferred between two parties • JWS and/or JWE with JSON claims as the payload • JWT Claim – A piece of information asserted about a subject (or the JWT itself) – Represented name/value pairs, consisting of a Claim Name and a Claim Value (which can be any JSON object) Copyright © 2014 Ping Identity Corp. All rights reserved. 24
  • 25. • "iss": Issuer – Who issued it • "sub": Subject – Who’s it about • "aud": Audience – Who’s it for • "exp": Expiration Time – When it expires • "nbf": Not Before – When it starts being value • "iat": Issued At – When it was issued • "jti": JWT ID – A unique identifier for it Copyright © 2014 Ping Identity Corp. All rights reserved. 25 (some) Reserved JWT Claim Names
  • 26. jot or not? Copyright © 2014 Ping Identity Corp. All rights reserved. 26 The JWT eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKIm V4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcGxlLm9yZyIsCiJqdGkiOiJ0bVl2WVZ VMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9. The Header {"kid":"5","alg":"ES256"} The Payload {"iss":"https://idp.example.com", "exp":1357255788, "aud":"https://sp.example.org", "jti":"tmYvYVU2x8LvN72B5Q_EacH._5A", "acr":"2", "sub":"Brian"}
  • 27. it’s not the size of your token… Copyright © 2014 Ping Identity Corp. All rights reserved. 27 eyJraWQiOiI1IiwiYWxnIjoiRVMyNTYifQ.eyJpc3MiOiJodHRwczpcL1wvaWRwLmV4YW1wbGUuY29tIiwKImV4cCI6MTM1NzI1NTc4OCwKImF1ZCI6Imh0dHBzOlwvXC9zcC5leGFtcG xlLm9yZyIsCiJqdGkiOiJ0bVl2WVZVMng4THZONzJCNVFfRWFjSC5fNUEiLAoiYWNyIjoiMiIsCiJzdWIiOiJCcmlhbiJ9.SbPJIx_JSRM1wluioY0SvfykKWK_yK4LO0BKBiESHu0GUG wikgC8iPrv8qnVkIK1aljVMXcbgYnZixZJ5UOArg <Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="oPm.DxOqT3ZZi83IwuVr3x83xlr" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <Issuer>https://idp.example.com</Issuer> <ds:Signature><ds:SignedInfo> <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/> <ds:Reference URI="#oPm.DxOqT3ZZi83IwuVr3x83xlr"> <ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms> <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/> <ds:DigestValue>8JT03jjlsqBgXhStxmDhs2zlCPsgMkMTC1lIK9g7e0o=</ds:DigestValue> </ds:Reference></ds:SignedInfo> <ds:SignatureValue>SAXf8eCmTjuhV742blyvLvVumZJ+TqiG3eMsRDUQU8RnNSspZzNJ8MOUwffkT6kvAR3BXeVzob5p08jsb99UJQ==</ds:SignatureValue> </ds:Signature> <Subject> <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID> <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/> </SubjectConfirmation> </Subject> <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z"> <AudienceRestriction><Audience>https://sp.example.org</Audience></AudienceRestriction> </Conditions> <AuthnStatement AuthnInstant="2013-01-03T23:34:38.483Z" SessionIndex="oPm.DxOqT3ZZi83IwuVr3x83xlr"> <AuthnContext><AuthnContextClassRef>2</AuthnContextClassRef></AuthnContext> </AuthnStatement> </Assertion>
  • 28. …it’s how you use it • Simpler = Better • Web safe encoding w/ no canonicalization (Because canonicalization is a four letter word*) • Improved Interoperability & (hopefully) More Secure • Eliminates entire classes of attacks – XSLT Transform DOS, Remote Code Execution, and Bypass – C14N Hash Collision w/ & w/out comments – Entity Expansion Attacks – XPath Transform DOS and Bypass – External Reference DOS – Signature Wrapping Attacks Copyright © 2014 Ping Identity Corp. All rights reserved. 28 Brad Hill, pictured here speaking at CIS in 2011, is wicked smaht and published some of these attacks * especially when you spell it c14n
  • 29. JSON Web Key (JWK) Copyright © 2014 Ping Identity Corp. All rights reserved. 29 • JSON data structure representing cryptographic key(s) – Public/private keys: RSA & Elliptic Curve – Symmetric keys (octet sequence) • Can can be – included in a JWS/JWE/JWT header – published at an HTTPS endpoint and referenced – used in place of self signed certificates – saved in a file – sent in an email – and more
  • 30. JWK & JWT Working Together Copyright © 2014 Ping Identity Corp. All rights reserved. 30 JWT/JWS Header { "kid":"5", "alg":"ES256" } JWK Set {"keys":[ {"kty":"EC", "kid":"4", "x":"LX-7aQn7RAx3jDDTioNssbODUfED_6XvZP8NsGzMlRo", "y":"dJbHEoeWzezPYuz6qjKJoRVLks7X8-BJXbewfyoJQ-A", "crv":"P-256"}, {"kty":"EC", "kid":"5", "x":"f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU", "y":"x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0", "crv":"P-256"}, {"kty":"EC", "kid":"6", "x":"J8z237wci2YJAzArSdWIj4OgrOCCfuZ18WI77jsiS00", "y":"5tTxvax8aRMMJ4unKdKsV0wcf3pOI3OG771gOa45wBU", "crv":"P-256"} ]}
  • 31. Simple Is As Simple Does • The relative simplicity of JW[STEAK] implies a simple programming interface • Numerous implementations already exist for a wide variety of languages/platforms • Going to make you take quick look at one of them… Copyright © 2014 Ping Identity Corp. All rights reserved. 31
  • 32. Introducing jose4j • Open source Java implementation of the JOSE specification suite – https://bitbucket.org/b_c/jose4j • Relies solely on the JCA APIs for cryptography • 100% Algorithm Support • Production ready – Used throughout Ping Identity’s products • Reference[able] implementation – Fact checked the JOSE cookbook: http://tools.ietf.org/html/draft-ietf-jose-cookbook-02#appendix-A • Completely free of NSA backdoors – (but I’m open to "sponsorship" opportunities) Copyright © 2014 Ping Identity Corp. All rights reserved. 32
  • 33. Producing the aforementioned JWS Copyright © 2014 Ping Identity Corp. All rights reserved. 33 PublicJsonWebKey jwk = EcJwkGenerator.generateJwk(EllipticCurves.P256); jwk.setKeyId("my-first-key"); JsonWebSignature jws = new JsonWebSignature(); jws.setAlgorithmHeaderValue(AlgorithmIdentifiers.ECDSA_USING_P256_CURVE_AND_SHA256); jws.setPayload("USA #1!"); jws.setKey(jwk.getPrivateKey()); jws.setKeyIdHeaderValue(jwk.getKeyId()); String compactSerialization = jws.getCompactSerialization(); System.out.println(compactSerialization);
  • 34. Consuming that JWS Copyright © 2014 Ping Identity Corp. All rights reserved. 34 JsonWebKey jwk = JsonWebKey.Factory.newJwk("{"kty":"EC"," + ""kid":"my-first-key"," + ""x":"xlKTWTx76fl9OZou4LHpDc3oHLC_vm-db7mdsFvO1JQ"," + ""y":"3jXBG649Uqf7pf8RHO_jcJ8Jrhy23hjD933i6QEVNkk"," + ""crv":"P-256"}"); String compactSerialization = "eyJhbGciOiJFUzI1NiIsImtpZCI6Im15LWZpcnN0LWtleSJ9." + "VVNBICMxIQ." + "QJGB_sHj-w3yCBunJs2wxKgvZgG2Hq9PA-TDQEbNdTm2Wnj2sUSrBKZJAU" + "REzF1FF25BbrgyohbKdGE1cB-hrA"; JsonWebSignature jws = new JsonWebSignature(); jws.setCompactSerialization(compactSerialization); jws.setKey(jwk.getKey()); String payload = jws.getPayload(); System.out.println(payload);
  • 35. Producing the aforementioned JWE Copyright © 2014 Ping Identity Corp. All rights reserved. 35 String jwkJson = "{"kty":"RSA"," + ""kid":"use this one eh"," + ""n":"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5X"+ "vT8bQO39k34s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtr" + "GJdXxQEgDE7Wg1YYi0yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZV" + "C5b61R37akzTB3abdAIBf4-UBLrvNgl0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"," + ""e":"AQAB"}"; JsonWebKey jwk = JsonWebKey.Factory.newJwk(jwkJson); JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setPayload("I actually really like Canada"); jwe.setKey(jwk.getKey()); jwe.setKeyIdHeaderValue(jwk.getKeyId()); jwe.setAlgorithmHeaderValue(KeyManagementAlgorithmIdentifiers.RSA_OAEP); jwe.setEncryptionMethodHeaderParameter(ContentEncryptionAlgorithmIdentifiers.AES_128_CBC_HMAC_SHA_256); String compactSerialization = jwe.getCompactSerialization(); System.out.println(compactSerialization);
  • 36. Consuming that JWE (1 of 2) Copyright © 2014 Ping Identity Corp. All rights reserved. 36 String jwkJson = "{"kty":"RSA"," + ""kid":"use this one eh"," + ""n":"y2wxwth07jctadDYgWr1gagmtGvi0iImK-aXYq7Z_rvQ0WsmMyb7JIZJg5Q6lbzL-FZUebxmAEBkT1q5QTR5XvT8bQO39k3" + "4s-kXywnWtEBwnI6Z1rmyzFdQMF5oD-6IWSHlQS0yntNHIZSTD75HAn8Ar5RAlkSRvnsxUyqrbAfKBKXxtrGJdXxQEgDE7Wg1YYi0" + "yrKsiO-Dua_uPkvks7vqhfvaOjymJES-zBs36VGP6BFsVAPwft9Si3PejTIOR-OvKRSwZVC5b61R37akzTB3abdAIBf4-UBLrvNgl" + "0AXiwH4pYPz0mQUt0UYykALp-pswr5hS4S-rigRnfl7Dw"," + ""e":"AQAB"," + ""d":"p1umPOWUnf-rTylRVnhG75sF7N3tyG_r86ZM2hV8qAShMgnzbZYefNg2Vxh2cobXUMLF0TncuUxAusCrNSgUyrjHjHDIws03" + "VdzphFPd3oI9o6_2hSBWJ6OWB5VEDAd1Cc_HKy4iPWUZWlk__G3RQg524_0Wfgp_1bTIyeGLEt6GGAasCRoi4crZ_cKLkzB3ZmwoIF" + "X4Z-jU6AKp_rCarj45tqdgpzIHKYuA2HjgGJwevknhTVEjY6stAiTXWJ4M8YxIwqQ-tCj1GM5pfvJNIzaW2KoZ234ll_DFnUDnAE1R" + "O22oBfW-iYsHcrNtslHxYDkGnOGFkJAOnbF8ihaQcQ","p":"6JVJlrObtg02Sr0ZqERiOZMxf3lE8TK8j5cU5VBYYvfebtjI2" + "_wW_uT_N_wIETodgWJgkPlejrQM4B-inB8VfUPBe8RCRGmXf5jqyKf7r5XwGabda3UjaTwoAUxYSgb2HH4IU4KNMJ-rFuG2Nzz0t2W" + "7PtqHJjrcF3i952oKAGU","q":"3-dPMaO1JerkElaP4FMV1Fio-ZFJwf5xCLMFdJZstLkKY7H63bxOb77iQ5xEOSWY4yScfXZ" + "hp2S1v0Plub-qTeuGHXt-T2rugGAmIKlPzkQU6aiGFXqwCK2TrETQkV5Pf__PRHhaJ1rTbGVyAvqL2vAoI46XwSMmLINncDy2xGM"," + ""dp":"T9bXYQ0cuZzFc1iAkzuOQFdf2XNmkCmrgtsJCELRZH_T8lcmdCWQO0WeurggiNFbSYvcvEduByyVcuZJKrCc7tgwde0EFn" + "ns0JdMmT7Y7ghZWGTogze9xSUqUm_Dqv3CxDsbXpdlIjjdQUiQBVw-YSph4YygciYoYUJIZkUHU-U"," + ""dq":"wklQ6t4HPlPIfDEov5rZAl28onJz8iX7p3TQcw5kXZ2DambyLJ5N4aFdbRWYDY6WT-Ng921V5474NnOQT9IE0YBh7AtQ21E" + "Ki9LiwsyoN2_URby6PMEtJxqXXZCI-ts_WO58yAk3EZc6hoCwoe0Olnh2HASLokgBw_ZyN243mck"," + ""qi":"4n-fctilEl81ig_NIa0GFHjV1wiMR5E9RuwJIrSnG6kDBZp2wxjRd8HY96xAC_mwKZzRLxHZnukLaSi4f43-wRuURQaIj8z" + "P8UFgH73C4sOp9rgRhsUlceniIasGE-3FKW0_2ofNMCNimYuSSIXfIyNvMdtptlg3BJv4gizH_l4"}";
  • 37. Consuming that JWE (2 of 2) Copyright © 2014 Ping Identity Corp. All rights reserved. 37 String jwecs = "eyJraWQiOiJ1c2UgdGhpcyBvbmUgZWgiLCJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkExMjhDQkMtSFMyNTYifQ." + "knTL6DMyEDMIUmE7rmTYPoWAwFmVOTy4ZtbVLToaMG4Q87csv1dg4iTutr8RCVG5gMctMf2aq5fq1O078ndkBRN0M" + "lmFwU6h5pSALNFH7guQpRZmW3h3uZ8FxbL_YbnNQndm12-LzXcXg42FF1i-j7dC6FFk79muv5hyTegp8XO7ss09CgWe0OVH4" + "wWQ0a_pq-thzrMtNxjy4SH8xTeFOfW1zpI_Tlpwk18zubyhqtDraAQ-SULQpDshOYT_PQ8lSYQIq3yDsRQXkr0A3fwQQhY" + "V-FEmanDFA4TvdMaUb6AJ8JZhennuowWqV_jCxpXgbUWyS61MASUg8g0MftuMMQ." + "OMRMiwPvh13089vcWAw_mg." + "G3UoJsj2jgPTBlmBpDo456jYUTTHnfWIYmpedDgn6Zw." + "rCjFpLbuWKQMJLzQEP4aSw"; PublicJsonWebKey jwk = PublicJsonWebKey.Factory.newPublicJwk(jwkJson); JsonWebEncryption jwe = new JsonWebEncryption(); jwe.setCompactSerialization(jwecs); jwe.setKey(jwk.getPrivateKey()); String payload = jwe.getPayload(); System.out.println(payload);
  • 38. Are we finished yet? 38
  • 39. Yes, finished. See you at Boot Camp (maybe). Thank you! Brian Campbell @__b_c CIS 2014 https://flic.kr/p/f7zK1V