JSON Web Token

Transcript

1. JSON Web Token

2. Laura Eck @laura_nobilis / Morred

3. None

4. What?

5. JSON Web Token (JWT) • open standard (RFC 7519) •

   transmit information between parties as a JSON object • compact and self-contained • can be verified and trusted with a digital signature

6. Open Standard (RFC 7519)

7. JSON Web Token (JWT) • open standard (RFC 7519) •

   transmit information between parties as a JSON object • compact and self-contained • can be verified and trusted with a digital signature

8. JSON { "event" : { "title" : "Tokyo Rubyist Meetup",

   "date" : "2016-07-07", "location" : { "company" : "VOYAGE GROUP", "address" : "౦ژ౎ौ୩۠ਆઘொ8-16" } }

9. JSON Web Token (JWT) • open standard (RFC 7519) •

   transmit information between parties as a JSON object • compact and self-contained • can be verified and trusted with a digital signature

10. Compact & Self-contained Compact: Relatively small —> can be sent

    through an URL, POST parameter, or inside an HTTP header Self-contained: Carries necessary information within itself

11. JSON Web Token (JWT) • open standard (RFC 7519) •

    transmit information between parties as a JSON object • compact and self-contained • can be verified and trusted via digital signature

12. Verification • sign information with digital signature (JWS) • verify

    with secret signing key • can also be encrypted (JWE)

13. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e yJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJV A95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ

14. None

15. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e yJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJV A95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ

16. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e yJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJV A95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ Header Payload Signature

17. Header { "alg": "HS256", "typ": "JWT" } Base64 eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

18. Payload { "sub": "1234567890", "name": "John Doe", "admin": true }

    Base64 eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6I kpvaG4gRG9lIiwiYWRtaW4iOnRydWV9

19. Claims • Registered claims: iss, sub, exp, jti, … •

    Public claims • Private claims

20. Signature HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret ) Base64

    TJVA95OrM7E2cBab30RMHrHDcEfxjoYZg eFONFh7HgQ

21. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e yJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJV A95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ Header Payload Signature

22. Why?

23. No sessions

24. Shareable between systems

25. Relevant info in token

26. Verifiable

27. Standard based

28. How?

29. S U username, password

30. S U username, password JWT U S

31. S U username, password JWT U S

32. S U username, password JWT U S U REQUEST S

33. REQUEST S U username, password JWT U S U S

34. S U username, password JWT U S U REQUEST S

    RESPONSE

35. S U username, password JWT U S U REQUEST S

36. None

37. Some things to keep in mind… • Secure the secret

    signing key

38. Some things to keep in mind… • Secure the secret

    signing key • Always verify the signature before trusting information from the token

39. Some things to keep in mind… • Secure the secret

    signing key • Always verify the signature before trusting information from the token • Don't accept tokens with { "alg": "none" } in the header unless you have a very good reason

40. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e yJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6Ik pvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJV A95OrM7E2cBab30RMHrHDcEfxjoYZgeFO NFh7HgQ Header Payload Signature { "alg":

    "HS256", "typ": "JWT" }

41. Some things to keep in mind… • Secure the secret

    signing key • Always verify the signature before trusting information from the token • Don't accept tokens with { "alg": "none" } in the header unless you have a very good reason

42. Some things to keep in mind… • Secure the secret

    signing key • Always verify the signature before trusting information from the token • Don't accept tokens with { "alg": "none" } in the header unless you have a very good reason • Make sure your library has no security holes

43. RSA <> HMAC vulnerability in some libraries

44. None

45. Some things to keep in mind… • Secure the secret

    signing key • Always verify the signature before trusting information from the token • Don't accept tokens with { "alg": "none" } in the header unless you have a very good reason • Make sure your library has no security holes

46. • Don't contain sensitive data in a JWT Signed, not

    encrypted If you need encryption, check out JWE Some things to keep in mind…

47. • Don't contain sensitive data in a JWT Signed, not

    encrypted If you need encryption, check out JWE • Use exp claim to let the token expire, add jti claim if you're worried about replay attacks Some things to keep in mind…

48. • Don't contain sensitive data in a JWT Signed, not

    encrypted If you need encryption, check out JWE • Use exp claim to let the token expire, add jti claim if you're worried about replay attacks • The token needs to be stored client side, so make sure that's secure too! Some things to keep in mind…

49. Gems https://github.com/eigenbart/rack-jwt https://github.com/jwt/ruby-jwt https://github.com/garyf/json_web_token …

50. Resources https://jwt.io/ https://jwt.io/introduction/ https://tools.ietf.org/html/rfc7519 https://stormpath.com/blog/jwt-the-right-way https://stormpath.com/blog/build-secure-user-interfaces- using-jwts https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in- json-web-token-libraries/

51. Laura Eck @laura_nobilis / Morred