
The full power of JWT, JWS, JSS JWS, JWA, JWK and JWE, and why they are needed

Alexey Firsov (Senior Developer at SoftPro) @ Moscow Python Meetup 64
"On the subtleties and advanced features, on x.509 signature chains, and on how you can organize your own signature chains. And, in general, how to set up secure communication between your own and third-party services according to the RFC standards. And, of course, how to use all of this in Python."
Video: http://www.moscowpython.ru/meetup/64/jwt-power/

Moscow Python Meetup

May 30, 2019

Transcript

  1. about me

    something about me:
    - Alexey Firsov
    - Senior Python Developer (adv-experience)
    - aio-libs community member
    - one of the main contributors of aio-libs / aiopg

    Follow me on twitter, please @virmir49
    Email: [email protected]
    Telegram: @virmir49
  2. Client logic

    [Diagram labels: Verification; SMS - gate; Email; Push; Authenticator; backend; desktop application; backend; mobile application]
  5. JWS - RFC 7515

    BASE64URL(UTF8(JWS Protected Header)) '.' BASE64URL(JWS Payload) '.' BASE64URL(JWS Signature)

        eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.
        eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ.
        dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
  6. JWS - decode

    BASE64URL(UTF8(JWS Protected Header)) '.' BASE64URL(JWS Payload) '.' BASE64URL(JWS Signature)

        {"typ":"JWT", "alg":"HS256"}
        .
        {"iss":"joe", "exp":1300819380, "http://example.com/is_root":true}
        .
        Binary Signature
  7. Header Parameter

    • alg - Algorithm
    • jku - JWK Set URL
    • kid - Key ID
    • cty - Content Type
    • typ - Type
    • crit - Critical
  8. Custom Header

    • alg - Algorithm
    • jku - JWK Set URL
    • kid - Key ID
    • cty - Content Type
    • typ - Type
    • crit - Critical
    • exp - expiration time
  9. Example

    • alg - Algorithm
    • jku - JWK Set URL
    • kid - Key ID
    • cty - Content Type
    • typ - Type
    • crit - Critical
    • exp - expiration time

    Header:

        {
          "alg": "HS256",
          "typ": "JWS",
          "kid": "test_key",
          "cty": "application/json",
          "crit": ["exp"],
          "exp": 1558945840
        }

    Payload:

        {
          "first_name": "Alexey",
          "last_name": "Firsov"
        }

    Result:

        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyIsImtpZCI6InRlc3Rfa2V5IiwiY3R5IjoiYXBwbGljYXRpb24vanNvbiIsImNyaXQiOlsiZXhwIl0sImV4cCI6MTU1ODk0NTg0MH0.eyJmaXJzdF9uYW1lIjoiQWxleGV5IiwibGFzdF9uYW1lIjoiRmlyc292In0.NzbnfSEmPDTMcNpsq9brFH8WOFTSKFE_RsM4e2kPOVg
  10. How to sign?

    • alg - Algorithm
    • jku - JWK Set URL
    • kid - Key ID
    • cty - Content Type
    • typ - Type
    • crit - Critical
    • exp - expiration time

        eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyIsImtpZCI6InRlc3Rfa2V5IiwiY3R5IjoiYXBwbGljYXRpb24vanNvbiIsImNyaXQiOlsiZXhwIl0sImV4cCI6MTU1ODk0NTg0MH0.eyJmaXJzdF9uYW1lIjoiQWxleGV5IiwibGFzdF9uYW1lIjoiRmlyc292In0.NzbnfSEmPDTMcNpsq9brFH8WOFTSKFE_RsM4e2kPOVg

        HMACSHA256(
          base64UrlEncode(header) + "." +
          base64UrlEncode(payload)
        )
  11. Want more signatures

    [Diagram labels: Verification; SMS - gate; auto withdrawal; Billing; backend; desktop application]

    customer rules list:
    • Verification signature
    • auto withdrawal signature
  14. Want more signatures

        {
          "payload": base64UrlEncode(payload contents),
          "signatures": [
            {
              "protected": base64UrlEncode(integrity-protected header 1 contents),
              "header": "non-integrity-protected header 1 contents",
              "signature": base64UrlEncode(signature 1 contents)
            },
            {
              "protected": base64UrlEncode(integrity-protected header N contents),
              "header": "non-integrity-protected header N contents",
              "signature": base64UrlEncode(signature N contents)
            }
          ]
        }
  15. How to sign?

        {
          "payload": base64UrlEncode(payload contents),
          "signatures": [
            {
              "protected": base64UrlEncode(integrity-protected header 1 contents),
              "header": "non-integrity-protected header 1 contents",
              "signature": ALG(base64UrlEncode(protected 1) . base64UrlEncode(payload))
            },
            {
              "protected": base64UrlEncode(integrity-protected header N contents),
              "header": "non-integrity-protected header N contents",
              "signature": ALG(base64UrlEncode(protected N) . base64UrlEncode(payload))
            }
          ]
        }
  16. Example

    Header:

        {
          "alg": "HS256",
          "typ": "JWS",
          "kid": "test_key",
          "cty": "application/json",
          "crit": ["exp"],
          "exp": 1558945840
        }

    Payload:

        {
          "first_name": "Alexey",
          "last_name": "Firsov"
        }

    Result:

        {
          "payload": "eyJmaXJzdF9uYW1lIjogIkFsZXhleSIsImxhc3RfbmFtZSI6ICJGaXJzb3YifQ",
          "signatures": [
            {
              "header": {"sing1": 1},
              "protected": "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAiOjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5IiwidHlwIjoiSldTIn0",
              "signature": "HAW12TEqglCYMRd6oA371Fxr6cPYxa0CnaVpaG0cjdU"
            },
            {
              "header": {"sing2": 1},
              "protected": "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAiOjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5Iiwic2luZzEiOjEsInR5cCI6IkpXUyJ9",
              "signature": "1IHPB-Tjfx3LKsi0n_0v5QFf_naRrDoPRa2iJm8S0TM"
            }
          ]
        }
  17. Payload Option RFC 7797

    Header:

        {
          "alg": "HS256",
          "typ": "JWS",
          "kid": "test_key",
          "cty": "application/json",
          "crit": ["exp", "b64"],
          "b64": false,
          "exp": 1558945840
        }

    Payload:

        {
          "first_name": "Alexey",
          "last_name": "Firsov"
        }

    Result:

        {
          "payload": "{\"first_name\": \"Alexey\",\"last_name\": \"Firsov\"}",
          "signatures": [
            {
              "header": {"sing1": 1},
              "protected": "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAiOjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5IiwidHlwIjoiSldTIn0",
              "signature": "HAW12TEqglCYMRd6oA371Fxr6cPYxa0CnaVpaG0cjdU"
            },
            {
              "header": {"sing2": 1},
              "protected": "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAiOjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5Iiwic2luZzEiOjEsInR5cCI6IkpXUyJ9",
              "signature": "1IHPB-Tjfx3LKsi0n_0v5QFf_naRrDoPRa2iJm8S0TM"
            }
          ]
        }
  18. JWA RFC 7518

    • HS256 | HMAC using SHA-256
    • HS384 | HMAC using SHA-384
    • HS512 | HMAC using SHA-512
    • RS256 | RSASSA-PKCS1-v1_5 using SHA-256
    • RS384 | RSASSA-PKCS1-v1_5 using SHA-384
    • RS512 | RSASSA-PKCS1-v1_5 using SHA-512
    • ES256 | ECDSA using P-256 and SHA-256
    • ES384 | ECDSA using P-384 and SHA-384
    • ES512 | ECDSA using P-521 and SHA-512
    • PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256
    • PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384
    • PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512
  19. JWK RFC 7517

    public key:

        {
          "e": "AQAB",
          "kty": "RSA",
          "kid": "test_key",
          "n": "pb9pGJH8K2TskqFoMCyCJm_….et3yxfAiD78hrnQ"
        }
  20. JWK RFC 7517

    public key:

        {
          "e": "AQAB",
          "kty": "RSA",
          "kid": "test_key",
          "n": "pb9pGJH8K2TskqFoMCyCJm_….et3yxfAiD78hrnQ"
        }

    private key:

        {
          "d": "EjRx_ZI7kd8RMD...Iq0MVhHGcQ",
          "dp": "av43dUwfxW…..R0i61QCI7HUOE",
          "dq": "Aym9LYF9Z2K...2T2xoUEOQZV51vpbc",
          "e": "AQAB",
          "kty": "RSA",
          "kid": "test_key",
          "n": "yvD8TKYK5AdGS….IGBv8oUyX-fKaMw",
          "p": "7ldikSxaOy_lW9Q..SQbJrR9EERTMOS5g8a1Sk",
          "q": "2forZ9Fn366e8k1VE..f39fbG19uRWEFxnI_s",
          "qi": "S6eXYaypzKvsJ_R..cnPRoE5jKr5v9Shl0g"
        }
  21. JWE RFC 7516

    BASE64URL(UTF8(JWE Protected Header)) '.' BASE64URL(JWE Encrypted Key) '.' BASE64URL(JWE Initialization Vector) '.' BASE64URL(JWE Ciphertext) '.' BASE64URL(JWE Authentication Tag)

    Example (line breaks within the token are for display only):

        eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00ifQ.
        OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMT
        YUmKoTCVJRgckCL9kiMT03JGeipsEdY3mx_etLbbW
        SrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImG
        yFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdY
        wam_lDp5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv23
        22i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eOb
        dv0je81860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6
        vFWXRcZ_ZT2LawVCWTIy3brGPi6UklfCpIMfIjf7iGdX
        KHzg.
        48V1_ALb6US04U3b.
        5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo
        4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A.
        XFBoMYUZodetZdvTiFvSkQ
  22. JWE RFC 7516

        {
          "protected": "<integrity-protected shared header contents>",
          "unprotected": "<non-integrity-protected shared header contents>",
          "recipients": [
            {
              "header": "<per-recipient unprotected header 1 contents>",
              "encrypted_key": "<encrypted key 1 contents>"
            },
            {
              "header": "<per-recipient unprotected header N contents>",
              "encrypted_key": "<encrypted key N contents>"
            }
          ],
          "aad": "<additional authenticated data contents>",
          "iv": "<initialization vector contents>",
          "ciphertext": "<ciphertext contents>",
          "tag": "<authentication tag contents>"
        }
  23. JWT RFC 7519

    Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure

    Registered Claim Names
    • iss - Issuer
    • sub - Subject
    • aud - Audience
    • exp - Expiration Time
    • nbf - Not Before
    • iat - Issued At
    • jti - JWT ID
  24. JWT RFC 7519

    Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure

    Registered Claim Names
    • iss - Issuer
    • sub - Subject
    • aud - Audience
    • exp - Expiration Time
    • nbf - Not Before
    • iat - Issued At
    • jti - JWT ID

        {
          "sub": "mobile_auth_token",
          "aud": ["mobile", "channel_news"],
          "iat": 1516239022,
          "exp": 1559204863,
          "nbf": 1559204715,
          "jti": "98e83856-e2a6-421f-8c1f-f80f75d400de"
        }
  26. useful links

    • https://jwt.io/#libraries-io
    • https://github.com/latchset/jwcrypto/
    • https://tools.ietf.org/html/rfc7519 JWT
    • https://tools.ietf.org/html/rfc7515 JWS
    • https://tools.ietf.org/html/rfc7516 JWE
    • https://tools.ietf.org/html/rfc7797 b64
  27. Questions

    something about me:
    - Alexey Firsov
    - Senior Python Developer (adv-experience)
    - aio-libs community member
    - one of the main contributors of aio-libs / aiopg

    Follow me on twitter, please @virmir49
    Email: [email protected]
    Telegram: @virmir49
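
The signing rule from slide 10 combined with the `crit`/`exp` header from slides 8 and 9, as an added example that is not from the talk: a standard-library HS256 signer and verifier for the compact serialization. The function names and the key used with it are assumptions, and `exp` is read from the protected header as on the slides.

```python
import base64
import hashlib
import hmac
import json
import time

UNDERSTOOD_CRIT = {"exp"}  # critical extension headers this verifier implements


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_compact(header: dict, payload: bytes, key: bytes) -> str:
    head_b64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    signing_input = head_b64 + "." + b64url(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(mac)


def verify_compact(token: str, key: bytes, now=None) -> bytes:
    """Return the payload bytes, or raise ValueError if any check fails."""
    now = time.time() if now is None else now
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed JWS") from exc
    # Pin the algorithm: never let the token choose (this also rejects "none").
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad signature")
    # RFC 7515: reject if a name listed in "crit" is not understood or not present.
    for name in header.get("crit", []):
        if name not in UNDERSTOOD_CRIT or name not in header:
            raise ValueError(f"unsupported critical header: {name}")
    exp = header.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or now >= exp):
        raise ValueError("expired or invalid exp")
    return b64url_decode(body_b64)
```

Signing the slide 9 header and payload with compact JSON separators reproduces the first two segments of the slide's token; the third differs because the talk's key is not on the page.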
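
The multi-signature layout from slides 14 to 16, as an added example that is not from the talk: each signer MACs its own protected header plus the shared payload, and the verifier releases the payload only when every required signer checks out. The `kid` values `verification` and `auto_withdrawal` (named after the rules list on slide 11), the keys and the function names are assumptions; HS256 stands in for whatever algorithm each signer would actually use.

```python
import base64
import hashlib
import hmac
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hs256_mac(key: bytes, protected_b64: str, payload_b64: str) -> bytes:
    # RFC 7515 signing input: BASE64URL(protected header) '.' BASE64URL(payload)
    return hmac.new(key, f"{protected_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()


def sign_general(payload: bytes, signers: dict) -> dict:
    """signers maps kid -> HMAC key; every signer gets its own protected header."""
    payload_b64 = b64url(payload)
    signatures = []
    for kid, key in signers.items():
        protected = b64url(json.dumps({"alg": "HS256", "kid": kid}, separators=(",", ":")).encode())
        signatures.append({"protected": protected,
                           "signature": b64url(hs256_mac(key, protected, payload_b64))})
    return {"payload": payload_b64, "signatures": signatures}


def verify_general(jws: dict, keys: dict, required_kids: set) -> bytes:
    """Return the payload only if every kid in required_kids has a valid signature."""
    verified = set()
    for entry in jws["signatures"]:
        header = json.loads(b64url_decode(entry["protected"]))
        # Trust only the integrity-protected header; the plain "header" member is unsigned.
        kid = header.get("kid") if isinstance(header, dict) else None
        key = keys.get(kid) if isinstance(kid, str) else None
        if key is None or header.get("alg") != "HS256":
            continue  # unknown signer or unexpected algorithm: counts for nothing
        expected = hs256_mac(key, entry["protected"], jws["payload"])
        if hmac.compare_digest(expected, b64url_decode(entry["signature"])):
            verified.add(kid)
    missing = set(required_kids) - verified
    if missing:
        raise ValueError(f"missing valid signatures: {sorted(missing)}")
    return b64url_decode(jws["payload"])
```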