uniface lectures webinar - application & infrastructure security - json web tokens


Upload: uniface

Post on 23-Jan-2018


TRANSCRIPT

Page 1: Uniface Lectures Webinar - Application & Infrastructure Security - JSON Web Tokens
Page 2:

Application & Infrastructure Security:

JSON Web Tokens

Thomas S Shore III

Uniface SME

Page 3:

Agenda

The JWT standard

Applying JWT to Uniface

Uniface technology to support JWT

Sample application of JWT

And more...

Page 4:

What’s the problem?

Authentication

SAML2 – Think single sign on / sign out (NTLM)

Oauth – Google, Facebook etc

Open ID – 3rd party login system

Information Sharing

Trusted

Not complex

Multi-client

Page 5:

SAML 2

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="pfx41d8ef22-e612-8c50-9960-1b16f15741b3" Version="2.0" ProviderName="SP test"
    IssueInstant="2014-07-16T23:52:45Z" Destination="http://idp.example.com/SSOService.php"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="http://sp.example.com/demo1/index.php?acs">
  <saml:Issuer>http://sp.example.com/demo1/metadata.php</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#pfx41d8ef22-e612-8c50-9960-1b16f15741b3">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>yJN6cXUwQxTmMEsPesBP2NkqYFI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>g5eM9yPnKsmmE/Kh2qS7nfK8HoF6yHrAdNQxh70kh8pRI4KaNbYNOL9sF8F57Yd+jO6iNga8nnbwhbATKGXIZOJJSugXGAMRyZsj/rqngwTJk5KmujbqouR1SLFsbo7Iuwze933EgefBbAE4JRI7V2aD9YgmB3socPqAi2Qf97E=</ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate><!-- certificate value omitted --></ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorization data between security domains. (Wikipedia)

Page 6:

OAuth2

Complex

Authorization

No need to share a password

Sharing between sites if required

Allows Internet users to grant websites or applications access to their information on other websites but without giving them the passwords

Page 7:

Open ID

Federated Authentication

No sharing of data between providers/consumers

Allows users to be authenticated by co-operating sites (known as Relying Parties or RP) using a third party service.

Page 8:

Why should/do you care about this?

Web standards

Industry standard communication

Other technologies expect this!

Uniface is web aware and capable

There is no “out of the box” statement for this anywhere

Page 9:

What is JWT

JWTs represent a set of claims as a JSON object that is encoded in a JWS and/or JWE structure. https://tools.ietf.org/html/rfc7519

Page 10:

Or from its original text

JSON Web Token (JWT) is a compact claims representation format intended for space constrained environments such as HTTP Authorization headers and URI query parameters. JWTs encode claims to be transmitted as a JSON [RFC7159] object that is used as the payload of a JSON Web Signature (JWS) [JWS] structure or as the plaintext of a JSON Web Encryption (JWE) [JWE] structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. JWTs are always represented using the JWS Compact Serialization or the JWE Compact Serialization. The suggested pronunciation of JWT is the same as the English word "jot".

Original Klingon Text

Page 11:

Or English


Page 12:

What’s a Claim (from Dictionary.com)

Noun

6. a demand for something as due; an assertion of a right or an alleged right: He made unreasonable claims on the doctor's time.

7. an assertion of something as a fact: He made no claims to originality.

Page 13:

It’s like a medicine bottle

Somewhat tamper-proof

Labeled contents

Can be traced

I know who prescribed it

I can see what’s in it

I know who filled it

I know when it is expired

Page 14:

How might this work?

{
  "iss" : "CVS\/pharmacy",
  "iat" : 1505908083,
  "exp" : 1537444083,
  "aud" : "Patient Name",
  "sub" : "Happy Pills",
  "jti" : "RX# 000000",
  "quantity" : "30"
}

eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJDVlMvcGhhcm1hY3kiLCJpYXQiOjE1MDU5MDgwODMsImV4cCI6MTUzNzQ0NDA4MywiYXVkIjoiUGF0aWVudCBOYW1lIiwic3ViIjoiSGFwcHkgUGlsbHMiLCJqdGkiOiJSWCMgMDAwMDAwIiwicXVhbnRpdHkiOiIzMCJ9.ogrVq53XPuc77ffThZnej-DgDIfHEt1bgnsHh9_JZuU

Page 15:

So what does it look like?

Header.Payload.Signature

Signature = Encrypted Header.Payload

Page 16:

Here’s what we have

Page 17:

JWS – JSON Web Signature

{
  "typ": "JWT",
  "alg": "HS256"
}

It’s a JSON Web Token (typ)

It’s signed using the HMAC SHA-256 algorithm (alg)

Security Problem: alg set to none

Page 18:

Unsecured JWT

An Unsecured JWT is a JWS using the "alg" Header Parameter value "none" and with the empty string for its JWS Signature value, as defined in the JWA specification [JWA]; it is an Unsecured JWS with the JWT Claims Set as its JWS Payload.

So send me your JWT and I’ll modify the algorithm to “none” and I can change anything I want and it will be ok?

Page 19:

JWT Claims Set

Registered Claim Names

Registered with IANA (www.iana.org)

o Claim Name: "iss"

o Claim Description: Issuer

o Change Controller: IESG

o Specification Document(s): Section 4.1.1 of RFC 7519

Private Claim Names

Must be unique

Page 20:

Registered Claims

Claim Name   Description
iss          Issuer
sub          Subject
aud          Audience
exp          Expiration time (Unix epoch)
nbf          Not before time (Unix epoch)
iat          Issued at
jti          JWT ID

The jti (JWT ID) claim provides a unique identifier for the JWT. The identifier value MUST be assigned in a manner that ensures that there is a negligible probability that the same value will be accidentally assigned to a different data object. The jti claim can be used to prevent the JWT from being replayed. The jti value is case sensitive. This claim is OPTIONAL.

Page 21:

Validating a JWT

It has at least one period (‘.’)

JOSE Header is on the left

BASE64 encoded without carriage control or whitespace

Header.Payload.Signature

Signature = Encrypted Header.Payload
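The checklist above, the medicine-bottle claims from page 14 and the alg "none" problem from page 18, worked through end to end. This is an added example, not code from the webinar or from Uniface: the signing key is a constructed placeholder because the slides never publish the key behind their sample token, so only the header and payload segments reproduce that token exactly. One caveat on the wording "Signature = Encrypted Header.Payload": HS256 is a keyed hash (MAC), not encryption, so the signature proves integrity and origin while the payload stays readable by anyone who holds the token.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key: the webinar never publishes the key behind its sample token.
DEMO_KEY = b"demo-secret-not-from-the-slides"

# Claims exactly as shown on the "How might this work?" slide, in the same order.
PHARMACY_CLAIMS = {"iss": "CVS/pharmacy", "iat": 1505908083, "exp": 1537444083,
                   "aud": "Patient Name", "sub": "Happy Pills",
                   "jti": "RX# 000000", "quantity": "30"}

def b64url(data: bytes) -> str:
    # JWS base64url: no '=' padding, no line breaks, no whitespace (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def create_jwt(claims: dict, key: bytes) -> str:
    # Header.Payload are base64url of compact JSON; the third segment is the HMAC over them.
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims if the token is valid for us, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWS compact serialization needs exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    # Pin the algorithm instead of trusting the token's "alg": this is what defeats alg=none.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("aud") != expected_aud:
        raise ValueError("token not intended for this audience")
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("token not yet valid")
    return claims
```

Verifying the slide's own token today fails on the exp check alone (1537444083 is September 2018), which is the expiry behaviour the medicine-bottle analogy describes.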

Page 22:

JWT Libraries

.Net

Python

Node.js

Java

Javascript

Perl

Ruby

Elixir

Go

Haskell

Rust

Lua

Scala

D

Clojure

Objective-C

Swift

C

Kdb+/Q

Delphi

PHP

Crystal

1C

Where’s Uniface?

Page 23:

But no Uniface

We have all the technology in the product to create and consume JSON Web Tokens

1. JSON creation

2. BASE64 encoding/decoding

3. HMAC_SHA256 Encryption

4. Manipulating Web Headers

Page 24:

Basic Operation

Sequence diagram (participants: Browser, Uniface Web Application, Login Component, JWT Component):

Navigate to Web Application

Redirect to JWT Login Page

User enters valid username and password

Request JWT Creation

Security Token Returned

Application Checks Token verifying expiration etc

Session verified, Session Token added etc

Page 25:

Uniface particulars

Encode / Decode – BASE64

$encode(BASE64, source)

Encode HMAC_SHA256

$encode(HMAC_SHA256, source, security_key)

Page 26:

Sample Login

Page 27:

JWT Tester

Page 28:

Demo Time

Page 29:

Where is the stuff?

It will be placed on GitHub.com/uniface and possibly uniface.info in the community samples area.

Page 30:

Thank You & Questions