I just committed some new code to the xmldap code repository. WebToken.java signs and encrypts JSON Web Tokens and WebTokenTest.java contains the JUNIT tests. These tests also show how WebToken.java is used.
Today I added Password Based Encryption (PBE) and AES encryption.
PBE uses PBEWithMD5AndDES with DESede.
AES is used in CBC mode.
PBE and RSA encryption yield in a three segment token:
jwtHeaderSegment.jwtKeySegment.jwtCryptoSegment
where
- the header segment describes the algorithm and key used,
- the key segment contains the encrypted key that is actually used to encrypt the payload
- the crypto segment contains the encrypted content.
As always each segment is base64 url encoded.
AES encryption yields in a two segment token:
jwtHeaderSegment.jwtCryptoSegment
The jwtKeySegment is not needed because AES uses a shared secret to encrypt the payload. It makes no sense to put this secret key into the token.
PBE and RSA encryption generate the encryption key and therefore this key is encrypted and send as the jwtKeySegment. JSON WebToken encryption with RSA was explained in yesterdays blog post.
Here are some example tokens (without lengthy explanation):
PBE jwtHeaderSegment: {"alg":"EPBE",
"kid":"iauxBG<9"}
PBE password: password
PBE jwtHeaderSegment base64: eyJhbGciOiJFUEJFIiwNCiAia2lkIjoiaWF1eEJHPDkifQ
PBE jwtKeySegment: {"slt":"PS023Hz4xuI","wrp":"o50kyveiYHrqg6sIPldlU4Fbi4QEnGY99FhpU_G1-zk"}
PBE jwtKeySegment base64: eyJzbHQiOiJQUzAyM0h6NHh1SSIsIndycCI6Im81MGt5dmVpWUhycWc2c0lQbGRsVTRGYmk0UUVuR1k5OUZocFVfRzEtemsifQ
PBE jwtCryptoSegment base64: CZCiieIHmirOHW17xXECoPmvIaT1de8DF5Czw0Uv1ktJ7uDAEaPj7fHM3__vnqtNLD86u2HeR7yV-UnhHn-3wF0tppv1_EJ7
fixed AES192 keybytes
[126, -34, -48, -34, 61, 72, -63, -36, 14, 53, -27, -7, -35, -57, 59, -89, 51, 84, 115, -119, -1, -125, -115, 108]
AES192 jwtCryptoSegment base64: K2xsdGRCb0tzcVdEMk1NNWdmeFlLYzdkY0V3Ry95cU5PclZZYkE0V25XMFZocW5sMVhjeDFzQWhIN2kvMVZGYms2emdHNFVrQXVSNmJjVzNaWmNBbUxtZ08xcEFybnpwYkdSWldJRlpleTRxMGI2KzVQV1hiV2JIUGh2d1kxeEM
The payload is the same as in Mike Jones' draft:
{"iss":"joe",
"exp":1300819380,
"http://example.com/is_root":true}
Enjoy.
OpenID Federation Session at April 2024 IIW
4 days ago
No comments:
Post a Comment