
The full power of JWT, JWS, JSS JWS, JWA, JWK and JWE and why they are needed

Alexey Firsov (Senior Developer at SoftPro) @ Moscow Python Meetup 64
"On the subtleties, the advanced features, x.509 signature chains, and how you can set up your own signature chains. And, in general, how to arrange secure communication between your own and third-party services according to the RFC standards. And of course, how to use all of this in Python."
Video: http://www.moscowpython.ru/meetup/64/jwt-power/

Moscow Python Meetup

May 30, 2019

Transcript

  1. communication between
    microservices
    JWT
    JWS JWE
    JWA JWK


  2. about me
    something about me:
    - Alexey Firsov
    - Senior Python Developer (adv-experience)
    - aio-libs community member
    - one of the main contributors to aio-libs / aiopg
    Follow me on twitter, please @virmir49
    Email: [email protected]
    Telegram: @virmir49


  3. shortcomings of microservices
    ● Coupling


  4. Coupling
    Verification SMS - gate


  5. Coupling
    Verification SMS - gate
    Verification Email


  6. Coupling
    Verification SMS - gate
    Verification Email
    Verification Push


  7. Client logic
    Verification
    SMS - gate
    Email
    Push


  8. Client logic
    Verification
    SMS - gate
    Email
    Push
    Authenticator


  9. Client logic
    SMS - gate
    Email
    Push
    Authenticator
    backend desktop
    application
    backend mobile
    application
    Verification


  10. Client logic
    Verification SMS - gate
    Email
    Push
    Authenticator
    backend desktop
    application
    backend mobile
    application


  12. shortcomings of microservices
    ● Coupling
    ● Message format
    ● Trust messages
    ● Data security in the message


  13. JSON
    ● Coupling
    ● Message format
    ● Trust messages
    ● Data security in the message


  14. JWS - RFC 7515
    BASE64URL(UTF8(JWS Protected Header)) '.'
    BASE64URL(JWS Payload) '.'
    BASE64URL(JWS Signature)
    eyJ0eXAiOiJKV1QiLA0KICJhbGciOiJIUzI1NiJ9.
    eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkz
    ODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19
    yb290Ijp0cnVlfQ.
    dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWF
    OEjXk


  15. JWS - decode
    BASE64URL(UTF8(JWS Protected Header)) '.'
    BASE64URL(JWS Payload) '.'
    BASE64URL(JWS Signature)
    {"typ":"JWT", "alg":"HS256"}
    {"iss":"joe", "exp":1300819380,
    "http://example.com/is_root":true}.
    Binary Signature


  16. Header Parameter
    ● alg - Algorithm
    ● jku - JWK Set URL
    ● kid - Key ID
    ● cty - Content Type
    ● typ - Type
    ● crit - Critical


  17. Custom Header
    ● alg - Algorithm
    ● jku - JWK Set URL
    ● kid - Key ID
    ● cty - Content Type
    ● typ - Type
    ● crit - Critical
    ● exp - expiration time


  18. Example
    ● alg - Algorithm
    ● jku - JWK Set URL
    ● kid - Key ID
    ● cty - Content Type
    ● typ - Type
    ● crit - Critical
    ● exp - expiration time
    {
    "alg": "HS256",
    "typ": "JWS",
    "kid": "test_key",
    "cty": "application/json",
    "crit": ["exp"],
    "exp": 1558945840
    }
    {
    "first_name": "Alexey",
    "last_name": "Firsov"
    }
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyIsImtpZCI6InRlc3Rfa2V5IiwiY3R5IjoiYXBwbGljYXRpb2
    4vanNvbiIsImNyaXQiOlsiZXhwIl0sImV4cCI6MTU1ODk0NTg0MH0.eyJmaXJzdF9uYW1lIjoiQ
    WxleGV5IiwibGFzdF9uYW1lIjoiRmlyc292In0.NzbnfSEmPDTMcNpsq9brFH8WOFTSKFE_Rs
    M4e2kPOVg


  19. How to sign?
    ● alg - Algorithm
    ● jku - JWK Set URL
    ● kid - Key ID
    ● cty - Content Type
    ● typ - Type
    ● crit - Critical
    ● exp - expiration time
    eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXUyIsImtpZCI6InRlc3Rfa2V5IiwiY3R5IjoiYXBwbGljYXRpb2
    4vanNvbiIsImNyaXQiOlsiZXhwIl0sImV4cCI6MTU1ODk0NTg0MH0.eyJmaXJzdF9uYW1lIjoiQ
    WxleGV5IiwibGFzdF9uYW1lIjoiRmlyc292In0.NzbnfSEmPDTMcNpsq9brFH8WOFTSKFE_Rs
    M4e2kPOVg
    HMACSHA256(
    base64UrlEncode(header)
    + "." +
    base64UrlEncode(payload),
    secret
    )
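
The signing step above, together with the verifier-side checks that the `alg`, `kid` and `crit` header parameters call for, as an added example (not code from the talk). The key, the function names and the `UNDERSTOOD_CRIT` set are assumptions made for illustration; `exp` is treated as a custom critical header parameter, as on the slide.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_compact(header: dict, payload: bytes, key: bytes) -> str:
    """Build a JWS Compact Serialization token signed with HS256."""
    h64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    signing_input = h64 + "." + b64url(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)

UNDERSTOOD_CRIT = {"exp"}  # critical header parameters this verifier implements

def verify_compact(token: str, keys: dict, now: float) -> bytes:
    """Return the payload if the token is valid, otherwise raise ValueError."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(b64url_decode(h64))
        signature = b64url_decode(s64)
    except Exception as exc:
        raise ValueError("malformed token") from exc
    # Pin the algorithm: the token must not be able to select "none" or another alg.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    kid = header.get("kid")
    key = keys.get(kid) if isinstance(kid, str) else None
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        raise ValueError("bad signature")
    # RFC 7515: every name listed in "crit" must be understood and present.
    for name in header.get("crit", []):
        if name not in UNDERSTOOD_CRIT or name not in header:
            raise ValueError(f"unsupported critical parameter: {name}")
    if "exp" in header and now >= header["exp"]:
        raise ValueError("expired")
    return b64url_decode(p64)

# Constructed sample: header and payload as on the slide, with a made-up key.
KEYS = {"test_key": b"constructed-demo-key-not-from-the-talk"}
HEADER = {"alg": "HS256", "typ": "JWS", "kid": "test_key",
          "cty": "application/json", "crit": ["exp"], "exp": 1558945840}
PAYLOAD = b'{"first_name":"Alexey","last_name":"Firsov"}'
TOKEN = sign_compact(HEADER, PAYLOAD, KEYS["test_key"])
```

The signature is checked before `crit` and `exp` are read, so only authenticated header values influence the decision.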


  20. Want more signatures
    Verification SMS - gate
    auto
    withdrawal
    Billing
    backend desktop
    application


  21. Want more signatures
    Verification SMS - gate
    auto
    withdrawal
    Billing
    backend desktop
    application
    customer rules list:
    ● Verification signature
    ● auto withdrawal signature


  24. Want more signatures
    {
    "payload": base64UrlEncode(payload contents),
    "signatures": [
    {
    "protected": base64UrlEncode(integrity-protected header 1 contents),
    "header": "non-integrity-protected header 1 contents",
    "signature": base64UrlEncode(signature 1 contents)
    },
    {
    "protected": base64UrlEncode(integrity-protected header N contents),
    "header": "non-integrity-protected header N contents",
    "signature": base64UrlEncode(signature N contents)
    }
    ]
    }


  25. How to sign?
    {
    "payload": base64UrlEncode(payload contents),
    "signatures": [
    {
    "protected": base64UrlEncode(integrity-protected header 1 contents),
    "header": "non-integrity-protected header 1 contents",
    "signature": ALG(base64UrlEncode(protected 1) . base64UrlEncode(payload))
    },
    {
    "protected": base64UrlEncode(integrity-protected header N contents),
    "header": "non-integrity-protected header N contents",
    "signature": ALG(base64UrlEncode(protected N) . base64UrlEncode(payload))
    }
    ]
    }


  26. Example
    {
    "alg": "HS256",
    "typ": "JWS",
    "kid": "test_key",
    "cty": "application/json",
    "crit": ["exp"],
    "exp": 1558945840
    }
    {
    "first_name": "Alexey",
    "last_name": "Firsov"
    }
    {
    "payload": "eyJmaXJzdF9uYW1lIjogIkFsZXhleSIsImxhc3RfbmFtZSI6ICJGaXJzb3YifQ",
    "signatures": [
    {
    "header": { "sing1": 1},
    "protected":
    "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAi
    OjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5IiwidHlwIjoiSldTIn0",
    "signature": "HAW12TEqglCYMRd6oA371Fxr6cPYxa0CnaVpaG0cjdU"
    },
    {
    "header": {"sing2": 1},
    "protected":
    "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAi
    OjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5Iiwic2luZzEiOjEsInR5cCI6IkpXUyJ9",
    "signature": "1IHPB-Tjfx3LKsi0n_0v5QFf_naRrDoPRa2iJm8S0TM"
    }
    ]
    }
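
The "customer rules list" from the earlier slides, enforced over the general JSON serialization shown here, as an added example (not code from the talk). The service names used as `kid` values, the keys and the function names are assumptions; each signer is identified from its integrity-protected header only, never from the unprotected `header` member.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, protected64: str, payload64: str) -> bytes:
    # JWS Signing Input: BASE64URL(protected header) '.' BASE64URL(payload)
    msg = f"{protected64}.{payload64}".encode("ascii")
    return hmac.new(key, msg, hashlib.sha256).digest()

def add_signature(jws: dict, kid: str, key: bytes) -> dict:
    """Append one more signature over the same payload."""
    header = {"alg": "HS256", "kid": kid}
    protected64 = b64url(json.dumps(header, separators=(",", ":")).encode())
    jws["signatures"].append({"protected": protected64,
        "signature": b64url(_mac(key, protected64, jws["payload"]))})
    return jws

def verified_signers(jws: dict, keys: dict) -> set:
    """Return the kids whose signature over the payload verifies."""
    ok = set()
    for entry in jws.get("signatures", []):
        try:
            header = json.loads(b64url_decode(entry["protected"]))
            key = keys[header["kid"]]
            if header["alg"] != "HS256":  # alg is pinned, not taken on trust
                continue
            good = hmac.compare_digest(_mac(key, entry["protected"], jws["payload"]),
                                       b64url_decode(entry["signature"]))
        except (KeyError, TypeError, ValueError):
            continue  # malformed entry or unknown signer: ignore it
        if good:
            ok.add(header["kid"])
    return ok

def accept(jws: dict, keys: dict, required: set) -> bool:
    """Billing-side rule: every required service must have signed this payload."""
    return required <= verified_signers(jws, keys)

# Constructed keys and kids (assumptions; the talk does not give them).
KEYS = {"verification": b"constructed-key-A", "auto_withdrawal": b"constructed-key-B"}
REQUIRED = {"verification", "auto_withdrawal"}

def new_jws(payload: bytes) -> dict:
    return {"payload": b64url(payload), "signatures": []}
```

With HS256 every verifier holds the signing keys and could produce these signatures itself; where signers must be distinguishable from the verifier, the asymmetric algorithms in the JWA list (RS256, ES256, PS256) are the ones to use.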


  27. Payload Option RFC 7797
    {
    "alg": "HS256",
    "typ": "JWS",
    "kid": "test_key",
    "cty": "application/json",
    "crit": ["exp", "b64"],
    "b64": false,
    "exp": 1558945840
    }
    {
    "first_name": "Alexey",
    "last_name": "Firsov"
    }
    {
    "payload": "{\"first_name\": \"Alexey\",\"last_name\": \"Firsov\"}",
    "signatures": [
    {
    "header": { "sing1": 1},
    "protected":
    "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAi
    OjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5IiwidHlwIjoiSldTIn0",
    "signature": "HAW12TEqglCYMRd6oA371Fxr6cPYxa0CnaVpaG0cjdU"
    },
    {
    "header": {"sing2": 1},
    "protected":
    "eyJhbGciOiJIUzI1NiIsImNyaXQiOlsiZXhwIl0sImN0eSI6ImFwcGxpY2F0aW9uL2pzb24iLCJleHAi
    OjE1NTg5NDU4NDAsImtpZCI6InRlc3Rfa2V5Iiwic2luZzEiOjEsInR5cCI6IkpXUyJ9",
    "signature": "1IHPB-Tjfx3LKsi0n_0v5QFf_naRrDoPRa2iJm8S0TM"
    }
    ]
    }


  28. chain of signatures
    {
    "crit": ["exp", "b64", "chs"],
    "chs": sha256(before signature or random string)
    }


  29. JWA RFC 7518
    ● HS256 | HMAC using SHA-256
    ● HS384 | HMAC using SHA-384
    ● HS512 | HMAC using SHA-512
    ● RS256 | RSASSA-PKCS1-v1_5 using SHA-256
    ● RS384 | RSASSA-PKCS1-v1_5 using SHA-384
    ● RS512 | RSASSA-PKCS1-v1_5 using SHA-512
    ● ES256 | ECDSA using P-256 and SHA-256
    ● ES384 | ECDSA using P-384 and SHA-384
    ● ES512 | ECDSA using P-521 and SHA-512
    ● PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256
    ● PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384
    ● PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512


  30. JWK RFC 7517
    {
    "e": "AQAB",
    "kty": "RSA",
    "kid": "test_key",
    "n": "pb9pGJH8K2TskqFoMCyCJm_….et3yxfAiD78hrnQ"
    }
    public key


  31. JWK RFC 7517
    {
    "e": "AQAB",
    "kty": "RSA",
    "kid": "test_key",
    "n": "pb9pGJH8K2TskqFoMCyCJm_….et3yxfAiD78hrnQ"
    }
    {
    "d": "EjRx_ZI7kd8RMD...Iq0MVhHGcQ",
    "dp": "av43dUwfxW…..R0i61QCI7HUOE",
    "dq": "Aym9LYF9Z2K...2T2xoUEOQZV51vpbc",
    "e": "AQAB",
    "kty": "RSA",
    "kid": "test_key",
    "n": "yvD8TKYK5AdGS….IGBv8oUyX-fKaMw",
    "p": "7ldikSxaOy_lW9Q..SQbJrR9EERTMOS5g8a1Sk",
    "q": "2forZ9Fn366e8k1VE..f39fbG19uRWEFxnI_s",
    "qi": "S6eXYaypzKvsJ_R..cnPRoE5jKr5v9Shl0g"
    }
    public key
    private key ->


  32. shortcomings of microservices
    ● Coupling
    ● Message format
    ● Trust messages
    ● Data security in the message


  33. JWE RFC 7516
    BASE64URL(UTF8(JWE Protected Header)) '.'
    BASE64URL(JWE Encrypted Key) '.'
    BASE64URL(JWE Initialization Vector) '.'
    BASE64URL(JWE Ciphertext)
    '.' BASE64URL(JWE Authentication Tag)
    eyJhbGciOiJSU0EtT0FFUCIsImVuYyI6IkEyNTZHQ00i
    fQ.
    OKOawDo13gRp2ojaHV7LFpZcgV7T6DVZKTyKOMT
    YUmKoTCVJRgckCL9kiMT03JGeipsEdY3mx_etLbbW
    SrFr05kLzcSr4qKAq7YN7e9jwQRb23nfa6c9d-StnImG
    yFDbSv04uVuxIp5Zms1gNxKKK2Da14B8S4rzVRltdY
    wam_lDp5XnZAYpQdb76FdIKLaVmqgfwX7XWRxv23
    22i-vDxRfqNzo_tETKzpVLzfiwQyeyPGLBIO56YJ7eOb
    dv0je81860ppamavo35UgoRdbYaBcoh9QcfylQr66oc6
    vFWXRcZ_ZT2LawVCWTIy3brGPi6UklfCpIMfIjf7iGdX
    KHzg.
    48V1_ALb6US04U3b.
    5eym8TW_c8SuK0ltJ3rpYIzOeDQz7TALvtu6UG9oMo
    4vpzs9tX_EFShS8iB7j6jiSdiwkIr3ajwQzaBtQD_A.XFB
    oMYUZodetZdvTiFvSkQ


  34. JWE RFC 7516
    {
    "protected": "",
    "unprotected": "",
    "recipients": [
    {
    "header": "",
    "encrypted_key": ""
    },
    {
    "header": "",
    "encrypted_key": ""
    }
    ],
    "aad": "",
    "iv": "",
    "ciphertext": "",
    "tag": ""
    }


  35. shortcomings of microservices
    ● Coupling
    ● Message format
    ● Trust messages
    ● Data security in the message


  36. JWT RFC 7519
    Web Signature (JWS) structure or as the plaintext of a
    JSON Web Encryption (JWE) structure
    Registered Claim Names
    ● iss - Issuer
    ● sub - Subject
    ● aud - Audience
    ● exp - Expiration Time
    ● nbf - Not Before
    ● iat - Issued At
    ● jti - JWT ID


  37. JWT RFC 7519
    Web Signature (JWS) structure or as the plaintext of a
    JSON Web Encryption (JWE) structure
    Registered Claim Names
    ● iss - Issuer
    ● sub - Subject
    ● aud - Audience
    ● exp - Expiration Time
    ● nbf - Not Before
    ● iat - Issued At
    ● jti - JWT ID
    {
    "sub": "mobile_auth_token",
    "aud": ["mobile", "channel_news"],
    "iat": 1516239022,
    "exp": 1559204863,
    "nbf": 1559204715,
    "jti": "98e83856-e2a6-421f-8c1f-f80f75d400de"
    }


  39. useful links
    ● https://jwt.io/#libraries-io
    ● https://github.com/latchset/jwcrypto/
    ● https://tools.ietf.org/html/rfc7519 JWT
    ● https://tools.ietf.org/html/rfc7515 JWS
    ● https://tools.ietf.org/html/rfc7516 JWE
    ● https://tools.ietf.org/html/rfc7797 b64


  40. Questions
    something about me:
    - Alexey Firsov
    - Senior Python Developer (adv-experience)
    - aio-libs community member
    - one of the main contributors to aio-libs / aiopg
    Follow me on twitter, please @virmir49
    Email: [email protected]
    Telegram: @virmir49
