Tuesday, May 31, 2016

Practical Cryptography with Apache CXF JOSE

It has been a year since I had a chance to talk about Practical JOSE in Apache CXF at Apache Con NA 2015.

We have significantly improved CXF JOSE implementation  since then, with Colm helping a lot with the code, tests, documentation. The code has become more thoroughly tested, the configuration - better, with the documentation being updated recently. 

Production quality CXF STS service can now issue JOSE-protected JWT assertions and Fediz OpenId Connect project directly depends on JOSE in order to secure OIDC IdTokens.

But it is important to realize that doing JOSE does not mean you need to do OAuth2 in general or OpenId Connect in particular, though it is definitely true that understanding JOSE will help when you decide to work with OAuth2/OIDC.
As such, a web service developer can experiment with JOSE in a number of ways.

One approach is to use JWS Signature or JWE Encryption helpers to sign and/or encrypt the arbitrary data.

For example, have your service receiving a confidential String over 2-way HTTPS, then JWE-encrypt and save it to the database to ensure the data is safe or JWS-sign only and forward further, being assured the data won't be modified, and choose between JWS Compact or JSON representations.

Have you already heard JOSE sequences have the data Base64 URL encoded ? Try JWS JSON with an unencoded payload option.

Another approach is let CXF do JOSE for you. Use CXF JOSE filters and make service data secured by typing few lines of text in the configuration properties.
These filters will do the best effort at streaming the outbound data while preparing JOSE sequences.

Would you like to link client JWT assertions obtained with the progressive services such as CXF STS to the data being protected ? Add a couple of filters

I honestly think that JOSE is the best technology which can help many of us  understand better what cryptography is.

Start with selecting a signature algorithm. You most likely have a Java JKS key store somewhere around, so go for 'RS256'. Get the private key out and sign, then get a public key and validate as shown here.
Next try to encrypt, select RSA-OEPA to make it real fast given that you have this JKS store. Use a public key to secure a content encryption key generated by CXF for you and then do A128GCM content encryption. Finish with decrypting the content with a private key.

Works ? Interested in trying different key sizes or combinations of JOSE algorithms ? No problems, try them fast. Learn more about these algorithms next. See how it all works when the CXF JOSE filters do the work.

We've thought a lot on how to help developers start experimenting with JOSE as fast and easy as possible and I hope those of you who will start working with CXF JOSE code will help us make it even better.

Would like to use some other quality JOSE libraries such as these ones ?  No problems, use them inside your custom JAX-RS filters or directly in the service code.

You may say, I'm not really seeing others use JOSE in regular HTTP services work. Let me finish with this advice: please do not worry about it, be a pioneer, experiment and find new interesting ways to secure your services and prepare them to work in the world of JOSE-protected tokens and data flowing everywhere.

Do JOSE today, convince your boss your team needs it :-), become a cryptography expert. Enjoy !

Tuesday, May 24, 2016

Observations about Apache Con NA 2016

This year Apache Con NA was held in Vancouver BC.

As usual, being at Apache Con gives a chance to talk to your fellow Open Source developers and this year it was as great as ever - meeting my old and new Talend colleagues, talking to those I already have met before and getting to know other people attending the conference was nice. 
The conference hotel was few hundred meters away from the waterfront where one could walk or run to a green Stanley Park:

Now let me talk about the actual conference. Big Data and Core conference are no longer run at the same time, with a single day intersection only. I guess I was preferring a more compact 'mix-in' format as I could attend to either BigData or Core presentations in a fewer number of days. But organizing a successful conference is very difficult - in the end of the day whatever format works best for Apache Con is the winning format.

I did like and learn something new from all the keynotes I listened to but I particularly enjoyed an Open Source is a Positive Sum Game by Sam Ramji. Have you ever  looked at the schedule, not sure what to expect from the listed talks, and then someone starts speaking and you realize you are listening to a visionary ?  This is what I felt when listening to Sam.

A number of other talks were interesting. My colleague JB's presentations were both interesting and entertaining, and I was also happy to see Hadrian and Jamie, both my former colleagues :-), co-presenting

I think Colm and myself had a good audience during our presentation. It must've been difficult for those who attended to listen to a lot of security related information presented on Friday after lunch :-) and we are grateful to all who were there. I did overrun by 1 minute though and we had no chance to talk to the audience afterwards but we did convey a lot of information during our talk.

And then finally we had the last few presentations to choose from and we made it to a Shawn McKinney's presentation. Now imagine it is 16.00, late Friday afternoon, and you are about to listen to yet another security related talk :-). I think Shawn did remarkably well. Shawn's down to earth, likeable presentation style made the real difference. And while I did learn few things about Role Based Access Control (such as the temporal restrictions), what really did get to me were Shawn's advices to "test and re-use".  You may say it is all quite obvious but sometimes one can get lax on either of those fundamentals, myself including. I'd like to talk about some of the thoughts I've had about the 're-use vs implement yourself' later on.

It was great to be there :-)