gluecon2013 intro json based security campbell 130522072315 phpapp01

7/25/2019 Gluecon2013 Intro Json Based Security Campbell 130522072315 Phpapp01

1/48

An Introduction to the Emerging JSON-BasedIdentity and Security Protocols

As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a

Portfolio Architect actually does for a living. In the meantime, he tries to make himself

useful by building software systems such as Pings flagship product Pingederate.

!hen not making himself useful, he contributes to various identity and security

standards including a two"year stint as co"chair of the #A$I$ $ecurity $ervices

%echnical Committee &$A'() and a current focus on #Auth *.+, #$- and #penI

Connect. /e holds a B.A., magna cum laude, in Computer $cience from Amherst

College in 'assachusetts. espite spending four years in the state, he has to look up

how to spell 0'assachusetts0 every time he writes it.

Brian Campbell

1wee2n3uiet'indpresents

Glue Conference 2!"slides4 http455is.gd563o'78


2/48

9 Backstory

: !ith a ;uick $A'( Intro5


3/48

9 Security Assertion #arkup $anguage

9 7'("based framework that allows identity and

security information to be shared across

security domains9 Primarily used for cross domain !eb browser

single sign"on

9 Assertion is a &usually signed, sometimes

encrypted) security token

9 -nterprisy


4/48

?

one of the leading visionaries and analysts in the

computer industry declared thatD

SA#$is

%EA%&

Craig Burton

LastJuly

at

the


5/48

E

!% $A'( is deadFIve got a mortgage to

payD

Beer is still

alive

thoughD

Mean

while

atthe

Gisclaimer4 I work with these guys


6/48

>

'he Ne(s 'ra)eled *ast Beyond the Conference +alls

SAML


7/48

H

%eath isn,t So Badon your death.ed/ you (ill recei)e total

consciousness0

http455blogs.kuppingercole.com5kearns5*+6*5+H565the"death"

and"life"of"a"protocol5

Some 1ualification Clarification (as Offered

Burton said4 $A'( is the !indows 7P of Identity.

=o funding. =o innovation. People still use it. But it

has no future. And added, %here is no future for

$A'(. =o one is putting money into $A'(

development. =# #=- is writing new $A'( code.

$A'( is dead.

And then he reiterated for the hard of

understanding4 $A'( is dead does not mean

$A'( is bad. $A'( is dead does not mean $A'(

isnt useful. $A'( is dead means $A'( is not thefuture.

and Ive got *J K years of mortgage

payments left and kids in private school so

maybe I should find out what GisG the futureD
http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/


8/48

L

'he *uture

-uropean Identity and Cloud Conference4

MBest Innovation5=ew $tandard in Information $ecurity went to #penI Connect forProviding the ConsumeriNation of $A'(. riving the adoption of federation and making

this much simpler.

M#penI Connect is a simple $#=5


9/48

J

!ebinger


10/48

base>?url

9 Its like regular base>? but betterO: Both are a means of encoding binary data in an A$CII

string format

: -ach > bits " 6 character

: bytes " ? characters9 2ses a 2


11/48

9 Javascript Object Signing and Encryption

9 IETF Working Group

: JWS

: JWE: JWK

: JWA

#$-


12/48

9 J$#= +eb Signature

9 A way of representing content secured with a digital

signature or 'AC using $#= data structures and

base>?url encoding

: -ncoded segment are concatenated with a .

9 Intended for space constrained environments such

as /%%P AuthoriNation headers and 2


13/48

9 !$ /eader

: A bit of $#= that describes the digital signature or 'AC operation applied to create the !$

$ignature value

9


14/48

!$ -Tample

Payload -> USA # 1!base64url encoded payload -> VVNBICM I

"eader $o%n$ &o s%$n ' %&( )C*SA P-+,6 S"A-+,6 -> ./al$/0/)S+,6/base64url encoded (eader -> ey2(b3c% %25UI1N%27

$ecured Input " ey2(b3c% %25UI1N%278VVNBICM I

base64url encoded s%$na&ure o9er &(e Secured Inpu&-> :; ' +)77as9:9< AB-r;=%$IC6?$u@4BVrP%%c 4l:D;b=$,u" @r6b%1U@D$4e5' PAelrM M

2 S Co< pac& Ser%al%a&%on ->ey2(b3c%%25U I1N%278VVNBICM I8:;' +)77as9:9< AB-r;=%$IC6?$u@4BVrP%%c 4l:D;b=$,u" @r6b%1U@D$4e5' PAelrM M '

(%c( you can &(%n oE sor& oE l%e0

./al$/0/)S+,6/8USA # 1!8F SI3NADUG)>

E3am4le


15/48

9 $imple W


16/48

9 J$#= +eb Encryption

9 $imilar in motivation and design to !$ but for encrypting

content

: /eader.-ncryptedey.InitialiNationYector.CipherteTt.Authentication%ag

9 'ore complicated: 'ore headers

9 alg4 Algorithm &key wrap or agreement)

9 enc4 -ncryption 'ethod &Authenticated -ncryption only)

9 Nip4 Compression Algorithm

9 And more: 'ore options and variations

: 'ore parts

!-


17/48

9 J$#= +eb 'oken

9 $uggested pronunciation4 0@ot

9 Compact 2


18/48

9 A piece of information asserted about a sub@ect &or the !% itself).

/ere, Claims are represented name5value pairs, consisting of a

Claim =ame and a Claim Yalue &which can be any $#= ob@ect).

9


19/48

!% -Tample

D(e 2S N cla%< s oE a 2 D say%n$ &(a& &(e subHec& %s Br%an &(e 2 D ' as %ssued by(&&ps0JJ%dp8ea< ple8co< ep%res a& suc( and suc( a &%< e and %s %n&ended Eorconsu< p&%on by(&&ps0JJsp8ea< ple8or$K a Ee' o&(er &(%n$s ' ould loo l%e &(%s0

./%ss/0/(&&ps0LJLJ%dp8ea< ple8co< //ep/01;,=+,,=/aud/0/(&&ps0LJLJsp8ea< ple8or$//H&%/0/&< :9:VU+9N=+B, )ac"8,AO/acr/0/+/

/sub/0/Br%anO

(%c( beco< es &(e 2 S payload8

2 S "eader say%n$ %&s s%$ned ' %&( )C*SA P-+,6 S"A-+,6 -> ./al$/0/)S+,6/

And &(e ' (ole 2 D->ey2(b3c%%25UI1N %278ey2pc;M % %2od"G' cpc1' 9a G' < V4: 1' b3 Uu:+7&I%' %Q(' IHoM U;M HU1N$4C2(d % %2od"G' cpc1' 9c;AuQ((bQBsS,9c< c%C2Rd3%%2@bVl+ VVM n$4D" N2CNV5EG 5HSC,ENU)%C2(:;I% %IyI%' %c;V%IHo% n2p:4%E 8+(&2"bu+p UnE' crER&?u(:92P?U4 7p5B%ea4E9pU" ?6M y H=4)%B"ruaar*3np' a5r &dbN@6A

E3am4le
https://idp.example.com/https://idp.example.com/https://sp.example.org/https://sp.example.org/https://sp.example.org/https://sp.example.org/https://idp.example.com/https://idp.example.com/


20/48

!% alongside a comparable $A'( Assertion

ey2(b3c%%25U I1N%278ey2pc;M %%2od"G' cpc1' 9a G' < V4: 1' b3Uu:+7&I%' %Q(' IHoMU;M HU1N$4C2(d % %2od"G' cpc1' 9c;AuQ((bQBsS,9c< c%C2Rd3 % %2@bVl+ VVM n$4D" N2CNV5EG 5HSC,ENU)%C2(:;I%%IyI%' %c;V%IHo%n2p: 4%E8+(&2 "bu+p UnE' crER&?u(:92P?U4 7p5B%ea4E9pU " ?6M yH=4)%B" ruaar*3np' a5r&dbN @6A

F Asser&%on Vers%on /+8@/ IssueIns&an& /+@1;-@1-@;D+;0;40;8,46O I* /oP< 8* RD;%;I' uVr;;lr/< lns /urn0oas%s0na< es0&c0SAM 0+8@0asser&%onO < lns0ds /(&&p0JJ' ' '8' ;8or$J+@@@J@7J< lds%$# />F Issuer> (&&ps0JJ%dp8ea< ple8co< F JIssuer>F ds0S%$na&ure> F ds0S%$nedInEo> F ds0Canon%cal%a&%onM e&(od Al$or%&(< /(&&p0JJ' ' '8' ;8or$J+@@1J1@J< l-ec-c14n# /J> F ds0S%$na&ureM e&(od Al$or%&(< /(&&p0JJ' ' '8' ;8or$J+@@1J@4J< lds%$-< ore# ecdsa-s(a+,6/J> F ds0GeEerence UGI /# oP< 8*RD;%;I' uVr;;lr/> F ds0DransEor< s> F ds0DransEor< Al$or%&(< /(&&p0JJ' ' '8' ;8or$J+@@@J@7J< lds%$# en9eloped-s%$na&ure/J> F ds0DransEor< Al$or%&(< /(&&p0JJ' ' '8' ;8or$J+@@1J1@J< l-ec-c14n# /J>

F Jds0DransEor< s> F ds0*%$es&M e&(od Al$or%&(< /(&&p0JJ' ' '8' ;8or$J+@@1J@4J< lenc# s(a+,6/J> F ds0*%$es&Value> 2D@;HHlsRB$Q(S&< *(s+lCPs$M M DC1lI?7$=e@o F Jds0*%$es&Value> F Jds0GeEerence> F Jds0S%$nedInEo> F ds0S%$na&ureValue> SAQEeC< DHu(V=4+bly99Vu< 2K DR%3;eM sG* U UGnNSspN2M U' EED69AG;BQeVob,p@Hsb77U 2 F Jds0S%$na&ureValue>F Jds0S%$na&ure>F SubHec&> F Na< eI* 5or< a& /urn0oas%s0na< es0&c0SAM 01810na< e%d-Eor< a&0unspec%E%ed/>Br%anF JNa< eI*> F SubHec&ConE%r< a&%on M e&(od /urn0oas%s0na< es0&c0SAM 0+8@0c< 0bearer/> F SubHec&ConE%r< a&%on*a&a No& n rAE&er/+@1;-@1-@;D+;0;70;8,,+/ Gec%p%en& /(&&ps0JJsp8ea< ple8or$/J> F JSubHec&ConE%r< a&%on>F JSubHec&>F Cond%&%ons No&n rAE&er /+@1;-@1-@;D+;0;70;8,,+/ No&BeEore /+@1;-@1-@;D+;0+70;8,,+/> F Aud%enceGes&r%c&%on> F Aud%ence> (&&ps0JJsp8ea< ple8or$F JAud%ence> F JAud%enceGes&r%c&%on>FJCond%&%ons>F Au&(nS&a&e< en& Au&(nIns&an& /+@1;-@1-@;D+;0;40;84;/ Sess%onInde /oP< 8*RD;%;I' uVr;;lr/> F Au&(nCon&e&> F Au&(nCon&e&ClassGeE> +F JAu&(nCon&e&ClassGeE> F JAu&(nCon&e&>

F JAu&(nS&a&e< en&>F JAsser&%on>

!%

$A'(

E3am4les


21/48

9 J$#= +eb 6ey

9 $#= representation of public keys with

some metadata

:


22/48

! Parameters and -Tample

U0keys04

W

U0kty040-C0,

0crv040P"*E>0,

0T040'BC%=Ic2$ii66y$sE*>i[LAi%oH%u>PA3vH?0, 0y040?-tl>$

0kid04Jer0V,

U0kty040?t[R*!"Es8\?/cEnJyB7ArwlJl3tHRCf+h?;y;Ev">E\8@;L;;'icAta$3NsL[gn\bJcHd+NgdA[/Nu>3';v


23/48

$ide by $ide ! Z 7E+J Cer&%E%ca&e0 *a&a0 Vers%on0 ; @+ Ser%al Nu< ber0 @10;c0@,0Ee0,104b S%$na&ure Al$or%&(< 0 s(a1 %&(GSA)ncryp&%on Issuer0 C AU Sull and Bones CN Br%anTs ?ey Val%d%&y

No& BeEore0 2an 4 140;60, +@1; 3M D No& AE&er 0 2an 6 140;60, +@1; 3M D SubHec&0 C AU Sull and Bones CN Br%anTs ?ey SubHec& Publ%c ?ey InEo0 Publ%c ?ey Al$or%&(< 0 rsa)ncryp&%on GSA Publ%c ?ey0 +@4 b%& M odulus +@4 b%&0 @@0;0aa0470640=+0a10@d0a607;0ee0e06a0;a0740 +606e0;d01d0a0;a0,E0+e0;10b0=0=604E0,06d0 7+04a0a10e@04@01E0ce0d,0c0b=01b07;0@;0c,06,0 =707070410c,0+e0=;0e40b0101E0d60ae0=40@e0 +70@E0@40E70@04,0+;0e70;0bE0b60=70c,0;e0cd0 ,;0E0,70e=0+0b0cb04E0=;0@e06d0401;0b;06=0

e@0E@0740d607,0eE0E@0;d0ec0cc0+10+0a+0640cc0 e0d70;=0b60e70ac01@0+a0eE0d@0,+0e+0,E0c406=0 E10Eb00;,07d0;70ae0,d04,0+=0d10+107E0;;010 E;0a,06E01;0+@0b40b70,0dd0e07;0+07c0+06a0 6,0a@0a40460@a0=+0,e0e,07;0@e0+10,@0a04e01b0 c+01,0e60b=0==0+;0de07a0b06;0a+0,;0;e0a;0e,0 6E06a0dd0E40,=0c40c40d0d;040e=0;E0440E;0660 ,c0660,70@e0dE0bE00d60;d0ba0a,0dd06e0c=0+70 cb0ac0740b@0c707E0=e0410E40d;0ea0cE0bd0a01;0 c+0a,0ad06=07607e06@0;c0a10170eb0+7014010a60 cc0e607b0E0E+0470c10bb0ab0bb0d+0a@0d10760ad0 7+0+E )ponen&0 6,,;= @1@@@1 S%$na&ure Al$or%&(< 0 s(a1 %&(GSA )ncryp&%on +40,@0,@0de0c;0740E@0e0;+00a406c0;60c;0E;0b@0,70dc0 ,60;70dd0;60@d060+b0;E04d04c0de0eE0E40EE0+;0ba0a70a;0 ;c0c0+70410+10@e0d;074070a0de0c0E+01E01@04e0,=0160 ,c0=a0;60+c0,c0dE0+e0EE0cE0=e07e01e06b0+60=b0ee0b+0a0 60+70cb0=a0b1060a0a0ba0740b406d0ab0=70,+06e040;70 1E0+0;,0b70ee0ec0,10=d0++0;;0+0e=06c0a07c04,0e0a=0 ab07;0=70;707E0;06+0c107a01d0640bc0b;0;70c70,@0e40=0 b;0c0c40ea0d,0d;0d=0410c;06106@0,,04e0+@0a,0E+0,60;@0 6c0E@0b,0,04,00c10=70;10E40ed0ab0+d01e0;e0+10c,0+E0 a;0;b0c0,b0;0@40d0a=0@+04c0@70b;0101c0a;0470,@0,a0 760a0+40;0@0ee0c@0=0;c0c406701d01@0cb0;+0b606107b0 a10=;01a0E+0,;0E0+70e10=a04+0140,=0==01c0,70;=0Eb0770 E70c60c600c@06=0,70c=0eb0ac0e@0+c0bd0=0=c0+=0a60E,0

4@0b;0e10760==04@0ec0+e0ca0ed0+b0,40Eb0710@c060@=0160 @107607e0Ea

-----B)3 IN C)GDI5ICAD)-----M IICK *C CAeC$A' IBA$I3AD'5Jl5M A@3 CSR3 SIb;* )BB UAM *@CA2B$NVBA:DA5VM G$'5$:*V ?)' 7Da;VsbCB(b< $ < 7uQM5*ASB$NVBAM DC@2ya 5u2;M $S+V,M B4Q* D)M *)' N* )@M :15oQ*D)M *)' NH)@M :15o' PD)MA3

A1U)B(MC VU3 *A B$NVBAoD* 1Nrd sI35uCBC b+,lc)UM BI3A 1U)AM n2p:4ncyBQ' $$)%M A@3 CSR3 SIb;* )BA UAA4IB* ' A' $$)?AoIBA C* RlcR)NppPu63o6lCuPG+? luM b(4d7:b2?oeBA" =VHcb' P5Q< :%U" 5nPuI)E1R,@* %PBP< AGSPpK+ecUK VP eeCuM&Pc' ,&(BK *' lNaV=JA7=M ' ($R2HN =bprBAR=7BS4lJ)J"=%* d a,dGSEGI3PlbM $&l:;:6D$p' oa< $p):?cl=l'4(U?( 3IV,rd;I76au3 %U6H, 7R;EGQM SN@4DnP@Dl< =E94HPbRl; ="?cusl*2n;,B7NPR=+?)?lr e n< AoGnr?G :ps< < 4JySc3=R=9SoN3

rI9A$M BAA )' *:2?oI(9cNA )5BA *$$)B ACG UN =*lP*oM o%b*b* =B;5:,;D:NaCsJDUe=JDJI=RpoI?U)(*& U%aHeyPIE)),Q5l6N %c;y=J;6e" < s

gluecon2013 intro json based security campbell 130522072315 phpapp01

Documents