Friday, May 12 • 16:15 - 17:00
On the (in-)security of JavaScript Object Signing and Encryption

JavaScript Object Signing and Encryption (JOSE) has been standardized as a lightweight alternative to XML Signature and Encryption. It was integrated early into authentication and authorization protocols like OpenID Connect and OAuth. In addition, it has been adopted in Web services.
In our research, we provide the first study of JSON security, adapting and extending known attack techniques. We provide an evaluation of four different libraries, revealing critical cryptographic attacks ranging from attacks bypassing JSON Signature (Signature Exclusion, Key Confusion, and Timing Attack on HMAC) to attacks on JSON Encryption (Bleichenbacher Million Message Attack).
To facilitate the analysis, we developed JOSEPH, the first open-source automated tool for evaluating JSON security. The extensible design of JOSEPH allows one to implement further cryptographic attacks, for example, padding oracle or invalid curve attacks.

Speakers
Dennis Detering

IT Security Consultant, CSPi GmbH
Dennis Detering has a Master's degree in IT security from the Ruhr University Bochum and works as a penetration tester at CSPi GmbH in Cologne.

Trainers
Christian Mainka

Security Consultant, Hackmanit GmbH
Christian Mainka is a Security Researcher at the Ruhr University Bochum, Chair for Network and Data Security. Since 2009, he has focused on XML and Web Services technologies, develops his penetration testing tool WS-Attacker, and has published several papers in the field of XML sec...
Vladislav Mladenov

Ruhr University Bochum
Vladislav Mladenov is a PhD Student at the Ruhr University Bochum, Chair for Network and Data Security. He is interested in the security of XML-based services. Additionally, he investigates different Single Sign-On protocols like OAuth, OpenID, OpenID Connect and SAML. Other topi...



Friday May 12, 2017 16:15 - 17:00
Waterfront Center: Hall 1A