Exploring Alternatives to JSON Web Tokens (JWT) — Talk 21st November, 2018 Wesley Hill Burrows CGI @hakobyte 1 

Agenda — Explanation of JWTs and their security implications — Compare and contrast alternatives to JWT — Which of these alternative tokens should you use 2 

eyJhbGciOiJIUzI1NiIsInR5c... <- JWT 3 

JWT — JSON Web Tokens JSON Web Tokens (JWT) is a token format (RFC 7519) to securely send information between two parties. JWT’s can be signed (RFC 7515) or encrypted (RFC 7515) and it forms part of the JavaScript Object Signing and Encryption (JOSE) standard. — A JWT is JSON data that is cryptographically signed 4 

JWT — JSON Web Tokens Algorithm Header (alg) + { "sub": "1234567890", "name": "John Doe", "admin": true } + Signature (e.g HMAC, RSA, ...) 5 

JWT usecases — For verifying data that has not been modified — Situations where they are used only once and the tokens expire very quickly — Tempoary download links — Password reset mechanism 6 

JWT pitfalls — JWT's on their own are not encrypted 7 

JWT pitfalls — JWT's on their own are not encrypted — Cannot invalidate individual JWT tokens 8 

JWT pitfalls — JWT's on their own are not encrypted — Cannot invalidate JWT tokens — Flaws in the JOSE standard 9 

JWT pitfalls — JWT's on their own are not encrypted — Cannot invalidate JWT tokens — Flaws in the JOSE standard — "Algorithm Header Agility" - Giving developer the choice of cipher algorithm to use, easy to misuse and is very error prone 10 

JWT pitfalls: Algorithm Header Agility { "alg": "none" } 11 

JWT pitfalls: Algorithm Header Agility { "alg": "none" } ??? No Way, JOSE! Javascript Object Signing and Encryption is a Bad Standard That Everyone Should Avoid - Scott Arciszewski (@CiPHPerCoder) 12 

Alternatives to JWT / JOSE PASETO Branca Macaroons 13 

PASETO — Platform Agnostic SEcurity TOkens — Versioned Protocols over 'Algorithm Agility' — Paseto has two versions (v1 (for compatability) and v2 is recommended): — Paseto has two 'purposes': — local - Symmetric Encryption — public - Asymmetric Encryption — github.com/o1egl/paseto - Go Implementation 14 

Branca — Based on Fernet tokens (Developed by Heroku) Branca is a modernised version of Fernet — Uses modern crypto algorithms. XChaCha20-Poly1305 over AES-CBC (Fernet) — Tokens are encrypted and authenticated by default (AEAD) — Payload is not specified, allows payload customisation The difference between Branca and JWT is the encryption scheme used and that the token is encrypted and also authenticated. This means modification of any part of the token it will be detected. Lastly the payload format is not specified so you can customise the payload of a branca token 15 

Branca github.com/hako/branca - Go Implementation b := branca.NewBranca("supersecretkeyyoushouldnotcommit") // Must be 32 bytes long // Encode String to Branca Token. token, err := b.EncodeToString("Hello world!") if err != nil { fmt.Println(err) } fmt.Println(token) // 87y8da.... // Decode Branca Token. message, err := b.DecodeToString(token) if err != nil { fmt.Println(err) // token is expired. return } fmt.Println(message) // Hello world! 16 

Macaroons — Macaroons are a token made by Google — Similar to signed cookies but are designed to delegate authorization data with the use of (First Party or Third Party) caveats — First Party - deals with access of resources, read write and validity restrictions — Third Party - deals with external restrictions — Macaroons can be used in situations in keeping a user authenticated in cross domain situations such as different subdomains. 17 

Macaroons — github.com/go-macaroon/macaroon - Go Implementation — Macaroons Paper1 — Macaroons 101 - Intro to Macaroons by Evan Cordell2 — macaroons.io - Macaroons Playground 2 Macaroons 101: Contextual Confinement Elegent authorization, for a more civilized age 1 Birgisson, A., et.al (2014). Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud. 18 

Comparison Matrix JWT PASETO Branca Macaroons Token Mitigates Algorithm Agility ❌ ✅ ✅ ✅ Digital Signatures (Public-Private Keys) ✅ ✅ v1 & v2 public ❌ ❌ Authenticated ✅ ✅ v1 & v2 local ✅ ✅ Encrypted ❌ not without JWE ✅ v1 & v2 local ✅ ❌ Standardised ✅ ❌ ❌ ❌ Expiration ✅ ✅ v1 & v2 local ✅ ✅ 19 

Which alternative token should I use? — Use Branca if you want a simpler version of PASETO with no digital signatures — Branca & PASETO (v2.local) are the same — Micro Technologies (makers of go-micro) uses Branca for API keys in it's enterprise offering — Use Macaroons in the usecase of delegating authorization, although an alternative to JWT, it may be overkill for a simple usecase — HyperDex uses Macaroons for authorization — Use PASETO if you want a secure and robust replacement to JWT — PASETO's versioned protocols are designed to be safer than JWT, making it unlikely for developers to use PASETO insecurely 20 

Questions? 21 

Thanks twitter: @hakobyte github: @hako 22 

Appendix: PASETO Token format: version.purpose.payload Serialised PASETO token: (e.g v2) v2.local.QAxIpVe-ECVNI1z4xQbm_qQYomy... 23 

Appendix: Branca Token format: Version (1B) | Timestamp (4B) | Nonce (24B) | Ciphertext (*B) | Tag (16B) Serialised Branca token: 87y8daMzSkn7PA7JsvrTT0JUq1OhCjw9K8w2eyY... 24 

Appendix: Macaroons Token format: location https://example.com identifier 123456789 signature 6e104669a... Serialised Macaroon token: MDAyMWxvY2F0aW9uIGh0dHBzOi8v... 25 

Appendix: Links - JWT jwt.io - JWT site Introduction to JWT - Introduction to JWT Stop using JWT for sessions - joepie91's post on JWT in the context of sessions 26 

Appendix: Links - PASETO paseto.io - PASETO site github.com/paragonie/paseto - PASETO Specification 27 

Appendix: Links - Branca branca.io - Branca site github.com/tuupola/branca-spec - Branca Specification Branca as an Alternative to JWT? - Post by the creator of Branca, Mika Tuupola 28 

Appendix: Links - Macaroons macaroons.io - Macaroons site Macaroons Paper - Macaroons: Cookies with Contextual Caveats for Decentralized Authorization in the Cloud Macaroons 101 - Lovely introduction to Macaroons by Evan Cordell 29