No way JOSE! Lessons for authors and implementers of open standards
Protocol and data format specifications can be ambiguous, insecure or have other problems. Programmers and users bear the brunt of these issues. Using JOSE as a case study, I’ll discuss mistakes for standards authors to avoid, and demonstrate programming techniques for mitigating some kinds of problems.
JOSE (JSON Object Signing and Encryption) is a set of IETF standards for JSON-based cryptographic objects. You might know it as JWT or JWS. It is used in OpenID Connect, ACME, and other protocols. JOSE emerged a few years ago and has been causing headaches for the presenter ever since.
Using JOSE as a case study, this presentation looks at mistakes to avoid when specifying a data format or cryptographic protocol. We’ll also explore programming techniques for mitigating some kinds of problems in specifications. In particular, we will cover:
- the flawed rationale for the JOSE working group
- why JSON is a poor wire format for cryptographic objects
- cryptography issues in the JOSE specifications
- ambiguities and interoperability problems in the specifications
- common vulnerabilities in JOSE libraries
- how library authors can encourage or enforce safe use
- advice for standards authors or working groups
Each topic will culminate in one simple, actionable takeaway.
Programming principles and techniques will be demonstrated using Haskell and its jose library, which is maintained by the presenter.
Fraser Tweedale
Fraser works at Red Hat on the FreeIPA identity management system and Dogtag Certificate System. He’s interested in security, cryptography and functional programming. Jalapeño aficionado from the land Down Under.