Date posted: 26-Feb-2018
7/25/2019 Gluecon2013 Intro Json Based Security Campbell 130522072315 Phpapp01
1/48
An Introduction to the Emerging JSON-Based Identity and Security Protocols
As Portfolio Architect for Ping Identity, Brian Campbell aspires to one day know what a
Portfolio Architect actually does for a living. In the meantime, he tries to make himself
useful by building software systems such as Ping's flagship product PingFederate.
When not making himself useful, he contributes to various identity and security
standards including a two-year stint as co-chair of the OASIS Security Services
Technical Committee (SAML) and a current focus on OAuth 2.0, JOSE and OpenID
Connect. He holds a B.A., magna cum laude, in Computer Science from Amherst
College in Massachusetts. Despite spending four years in the state, he has to look up
how to spell "Massachusetts" every time he writes it.
Brian Campbell
1wee2n3uiet'indpresents
Glue Conference 2!"slides4 http455is.gd563o'78
• Backstory
  - With a quick SAML intro
• Security Assertion Markup Language
• XML-based framework that allows identity and security information to be shared across security domains
• Primarily used for cross domain Web browser single sign-on
• Assertion is a (usually signed, sometimes encrypted) security token
• Enterprisy
Last July at the ...
one of the leading visionaries and analysts in the computer industry declared that:
SAML is DEAD!
(Craig Burton)
WTF SAML is dead? I've got a mortgage to pay!
Beer is still alive though!
Meanwhile at the ...
Disclaimer: I work with these guys
The News Traveled Fast Beyond the Conference Walls
SAML
Death isn't So Bad: on your deathbed, you will receive total consciousness.
http://blogs.kuppingercole.com/kearns/2012/07/31/the-death-and-life-of-a-protocol/
Some Qualification/Clarification was Offered
Burton said: SAML is the Windows XP of Identity. No funding. No innovation. People still use it. But it
has no future. And added, There is no future for SAML. No one is putting money into SAML
development. NO ONE is writing new SAML code. SAML is dead.
And then he reiterated for the hard of understanding: SAML is dead does not mean SAML is bad.
SAML is dead does not mean SAML isn't useful. SAML is dead means SAML is not the future.
... and I've got 29+ years of mortgage payments left and kids in private school so
maybe I should find out what "is" the future!
The Future
European Identity and Cloud Conference: "Best Innovation/New Standard in Information Security went to OpenID Connect for
Providing the Consumerization of SAML. Driving the adoption of federation and making this much simpler."
"OpenID Connect is a simple JSON/
Webinger
base64url
• It's like regular base64 but better...
  - Both are a means of encoding binary data in an ASCII string format
  - Each 6 bits → 1 character
  - 3 bytes → 4 characters
• Uses a U
JOSE
• Javascript Object Signing and Encryption
• IETF Working Group
  - JWS
  - JWE
  - JWK
  - JWA
• JSON Web Signature
• A way of representing content secured with a digital signature or MAC using JSON data structures and base64url encoding
  - Encoded segments are concatenated with a .
• Intended for space constrained environments such as HTTP Authorization headers and U
• JWS Header
  - A bit of JSON that describes the digital signature or MAC operation applied to create the JWS Signature value
JWS Example
Payload -> USA #1!
base64url encoded payload -> VVNBICMxIQ
Header going to sign with ECDSA P-256 SHA-256 -> {"alg":"ES256"}
base64url encoded header -> eyJhbGciOiJFUzI1NiJ9
Secured Input = eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ
base64url encoded signature over the Secured Input -> <SIGNATURE>
JWS Compact Serialization -> eyJhbGciOiJFUzI1NiJ9.VVNBICMxIQ.<SIGNATURE>
which you can think of sort of like:
{"alg":"ES256"}.USA #1!.<SIGNATURE>
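As an added example (not from the slides), the walk-through above in Python: the base64url helper strips the "=" padding, which is why the encoded values on the slide carry none, and the signing step uses HS256 (HMAC-SHA256 from the standard library) in place of the slide's ES256 so it runs without a crypto library. The verifier pins the algorithm it expects instead of trusting the token's own header; the key is a constructed value.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url(data: bytes) -> str:
    """base64url as JOSE uses it: URL-safe alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url: restore the padding base64 needs, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_compact_sign(payload: bytes, key: bytes) -> str:
    """Produce header.payload.signature (JWS Compact Serialization) with HS256.
    The MAC is computed over the Secured Input, i.e. the two encoded segments."""
    header = json.dumps({"alg": "HS256"}, separators=(",", ":")).encode("utf-8")
    secured_input = b64url(header) + "." + b64url(payload)
    mac = hmac.new(key, secured_input.encode("ascii"), hashlib.sha256).digest()
    return secured_input + "." + b64url(mac)


def jws_compact_verify(token: str, key: bytes) -> Optional[bytes]:
    """Return the payload only if the header pins HS256 and the MAC matches."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        payload = b64url_decode(p)
        mac = b64url_decode(s)
    except ValueError:  # wrong segment count, bad base64url, bad JSON or non-ASCII
        return None
    # The verifier decides the algorithm; the token's alg header is only checked
    # for agreement, never used to select a primitive or key type.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    return payload
```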
• Simple W
JWE
• JSON Web Encryption
• Similar in motivation and design to JWS but for encrypting content
  - Header.EncryptedKey.InitializationVector.Ciphertext.AuthenticationTag
• More complicated
  - More headers
    • alg: Algorithm (key wrap or agreement)
    • enc: Encryption Method (Authenticated Encryption only)
    • zip: Compression Algorithm
• And more
  - More options and variations
  - More parts
• JSON Web Token
• Suggested pronunciation: "jot"
• Compact U
• A piece of information asserted about a subject (or the JWT itself).
  Here, Claims are represented as name/value pairs, consisting of a
  Claim Name and a Claim Value (which can be any JSON object).
JWT Example
The JSON claims of a JWT saying that the subject is Brian, the JWT was issued by https://idp.example.com, expires at such and such a time and is intended for consumption by https://sp.example.org, plus a few other things, would look like this:
{"iss":"https://idp.example.com",
 "exp":<expiration time>,
 "aud":"https://sp.example.org",
 "jti":"<unique token id>",
 "acr":"2",
 "sub":"Brian"}
which becomes the JWS payload.
JWS Header saying it's signed with ECDSA P-256 SHA-256 -> {"alg":"ES256"}
And the whole JWT -> eyJhbGciOiJFUzI1NiJ9.<base64url encoded claims>.<base64url encoded signature>
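As an added example (not from the slides), a relying-party check over a claims set shaped like the one above, run after the JWS signature has been verified against the issuer's key. The expected issuer and audience, the 60-second leeway and the seen_jti replay set are my assumptions, and the sample exp and jti values are constructed.

```python
import time
from typing import Optional

# Constructed claims set shaped like the slide's; exp and jti are made-up values.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "exp": 1357255788,
    "aud": "https://sp.example.org",
    "jti": "constructed-id-1",
    "acr": "2",
    "sub": "Brian",
}


def validate_jwt_claims(claims: dict, expected_iss: str, expected_aud: str,
                        seen_jti: set, now: Optional[float] = None,
                        leeway: int = 60) -> Optional[str]:
    """Return the subject if the (signature-verified) claims are acceptable for
    this relying party, otherwise None. Every check is an allow-list: a missing
    or oddly typed claim fails closed."""
    now = time.time() if now is None else now
    # iss must be the issuer whose key verified the signature.
    if claims.get("iss") != expected_iss:
        return None
    # aud may be one string or a list of strings; we must appear in it.
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, list) or expected_aud not in aud:
        return None
    # exp is a numeric date in seconds since the epoch; tolerate small skew.
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return None
    if now > exp + leeway:
        return None
    # jti identifies this token; refuse one we have already accepted (replay).
    jti = claims.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        return None
    seen_jti.add(jti)
    sub = claims.get("sub")
    return sub if isinstance(sub, str) and sub else None
```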
JWT alongside a comparable SAML Assertion
JWT:
eyJhbGciOiJFUzI1NiJ9.<base64url encoded claims>.<base64url encoded signature>
SAML:
<Assertion Version="2.0" IssueInstant="2013-01-03T23:34:38.546Z" ID="..." xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <Issuer>https://idp.example.com</Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"/>
      <ds:Reference URI="#...">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>...</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>...</ds:SignatureValue>
  </ds:Signature>
  <Subject>
    <NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">Brian</NameID>
    <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <SubjectConfirmationData NotOnOrAfter="2013-01-03T23:39:38.552Z" Recipient="https://sp.example.org"/>
    </SubjectConfirmation>
  </Subject>
  <Conditions NotOnOrAfter="2013-01-03T23:39:38.552Z" NotBefore="2013-01-03T23:29:38.552Z">
    <AudienceRestriction>
      <Audience>https://sp.example.org</Audience>
    </AudienceRestriction>
  </Conditions>
  <AuthnStatement AuthnInstant="2013-01-03T23:34:38.43Z" SessionIndex="...">
    <AuthnContext>
      <AuthnContextClassRef>2</AuthnContextClassRef>
    </AuthnContext>
  </AuthnStatement>
</Assertion>
• JSON Web Key
• JSON representation of public keys with some metadata
JWK Parameters and Example
{"keys":
  [
    {"kty":"EC",
     "crv":"P-256",
     "x":"...",
     "y":"...",
     "kid":"..."},
    {"kty":"RSA",
     "n":"...",
Side by Side JWK & X.509 Certificate
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 01:3c:05:fe:51:4b
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=AU, O=Skull and Bones, CN=Brian's Key
        Validity
            Not Before: Jan 4 ... 2013 GMT
            Not After : Jan 6 ... 2013 GMT
        Subject: C=AU, O=Skull and Bones, CN=Brian's Key
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit): ...
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha1WithRSAEncryption
        ...
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----