Demystifying JWT

Transcript

1. Demystifying JWT Pradheepa Pullanieswaran 18-DEC-2024

2. What is “Security”?

3. Boring !!!!

4. Scary !!!!

5. Complex !!!!

6. • Bore • Scare • Complicate Today’s Agenda

7. • JWT - What is it? • Vulnerabilities Today’s Agenda

8. Me

9. Me Pradheepa Pullanieswaran Security Solution Architect Mother of Twin Daughters

   www.pradheepa.com

10. JWT

11. Passwords ?

12. A Digital Identity

13. 1. Should not be Guessable 2. Numbers, Special Character, Length

    3. Do not share 4. MFA

14. Asymmetric Algorithm

15. Public Key Private Key

16. Digitally Signed with Private Key Verified the message using the

    public key

17. Signed Message - How does it ensure security? Signature

18. 1. Signer prepares the message Signer Verifier

19. 2. Signer creates the hash of the message Signer Verifier

    Hashing Function #######

20. 3. Signer encrypts the hash Signer Verifier Hashing Function #######

    K Private Encrypt

21. 4. Signer adds the signature to the message Signer Verifier

    Hashing Function ####### K Private Encrypt Signature

22. 5. Verifier hashes the message Signer Verifier Hashing Function #######

    K Private Encrypt Signature Hashing Function #######

23. 6. Verifier decrypts the signature Signer Verifier Hashing Function #######

    K Private Encrypt Signature Hashing Function ####### Decrypt ####### K Public

24. 7. Verifier matches and verifies Signer Verifier Hashing Function #######

    K Private Encrypt Signature Hashing Function ####### Decrypt ####### K Public Equals?

25. 8. Signature guarantees the message Signer Verifier Signature 1. Message

    is not tampered 2. The signer owns the private key

26. JSON WEB TOKEN

27. JWT - When did u last use this?

28. OAuth OIDC

29. Provides access to the Application

30. JWT • Widely adopted method for stateless authentication and secure

    data transmission, especially in the context of API authentication and single sign-on (SSO) systems. • Popular with the rise of RESTful APIs and the need for decentralized authentication, particularly with frameworks like OAuth 2.0 and OpenID Connect. • JWT's simplicity, flexibility, and ease of use have made it the de facto standard for token-based authentication in many modern web applications.

31. JWT Development Timeline • 2010: The idea of JWT was

    conceived by Mike Jones. The need for a compact and secure way to transmit information between parties led to the creation of JWT as an alternative to earlier standards like SAML (Security Assertion Markup Language). • 2011: The JWT format started to gain traction, and early discussions and drafts emerged, leading to the creation of libraries and tools that implemented it. • 2015: JWT was officially standardized with the publication of RFC 7519 by the IETF Security Area. This RFC defines how JWTs should be structured, signed, and validated, making it a formal and interoperable standard.

32. JWT • “JOT”/JSON WEB TOKEN • Base64 encoded • Signed

    • Encrypted <base64url-encoded-header>. <base64url-encoded-payload>. <base64url-encoded-signature>

33. Sample JWT eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9.eyJzdWIiOiAiMTIzNDU2Nzg 5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImlhdCI6IDE1MTYyMzkwMjJ9.eY0_1j sIu8FZp7Oo7Nq6fys13BcBQGR3hImy5Gh6uww

34. Header eyJhbGciOiAiSFMyNTYiLCAidHlwIjogIkpXVCJ9. { "alg": "HS256", "typ": "JWT" }

35. Payload eyJzdWIiOiAiMTIzNDU2Nzg5MCIsICJuYW1lIjogIkpvaG4gRG9lIiwgImlhdCI6 IDE1MTYyMzkwMjJ9. { "sub": "1234567890", "name": "John Doe", "iat":

    1516239022 }

36. Footer eY0_1jsIu8FZp7Oo7Nq6fys13BcBQGR3hImy5Gh6uww Encoded and Encrypted Signature

37. JWT with HS256

38. Key Generator

39. JWT with RS256

40. JWT - Vulnerabilities

41. None

42. 1. Token without Verification

43. JWT Valid Without Footer?

44. Unfortunately Yes

45. What is the significance of Footer?

46. Remember this slide ?? Signer Verifier Hashing Function ####### K

    Private Encrypt Signature Hashing Function ####### Decrypt ####### K Public Equals?

47. If you are not verifying, you are trusting

48. None

49. 2. Weak Secret

50. None

51. Prone to Brute-Force

52. Key Takeaways

53. Choose the proper signature algorithm ➔ HMACs are only useful

    internally in an application ➔ All other scenarios should rely on asymmetric signatures Follow JWT security recommendations ➔ Explicitly type your JWT ➔ Use strong signature algorithms ➔ Use reserved claims and their meaning Explicitly verify the security of the backend application ➔ Libraries should be actively supported and up to date ➔ JWTs with none signatures should be rejected case-insensitively ➔ JWTs with invalid signatures should be rejected

54. Any Questions

55. Thank You

56. References https://owasp.org/www-chapter-belgium/assets/2021/2021-02-18/JWT-Security.pdf https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ https://8gwifi.org/jwsgen.jsp