Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

Mike Jones <> Mon, 23 April 2018 17:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id EB2A5126BFD; Mon, 23 Apr 2018 10:43:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id uSSZd3RcHEOg; Mon, 23 Apr 2018 10:43:56 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9B6F81242F7; Mon, 23 Apr 2018 10:43:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=zzEqG799gIHR0EG9XZJQJQyYALPrWPmzX2iPlQucsIc=; b=W86SMo1H3R7L9L7kypGnwgVQVVf+aSxZ0VubNxIRbw9ysoPPCBs2X21uSnqhQ0mu8MNF7bUl6Lu57w1WH7yQIAR6fuHKvMz3K3VcMTdUm5Zlee1OTFZQ/g9jvVpJ5/AP57Xm3brU7gEn5YgHultSa3uVJYQC2POf4yGpqmMpVjE=
Received: from (2603:10b6:4:9e::37) by (2603:10b6:4:a0::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.746.0; Mon, 23 Apr 2018 17:43:52 +0000
Received: from ([fe80::e0eb:d2f7:29c5:1a1b]) by ([fe80::e0eb:d2f7:29c5:1a1b%2]) with mapi id 15.20.0747.000; Mon, 23 Apr 2018 17:43:52 +0000
From: Mike Jones <>
To: Neil Madden <>, David Adrian <>
CC: Carsten Bormann <>, "" <>, "" <>
Thread-Topic: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
Thread-Index: AQHT2yI+vfumLsHVbkCu3qp7vd4JgaQOmkyg
Date: Mon, 23 Apr 2018 17:43:52 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-04-23T17:43:50.3030398Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:6::36]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR00MB0390; 7:JL5aJ7odi6y0OzCET1lRwRPkCroSRL9PH7E/5M1O8kONC8Ztv3oG4Rq2s63DHn64aXsrivyuLh6uu3HBLVQlJpRYHz8JWJKmrbknf2zalMxlZgKjyCRGnBPdiQmygFc5QFQwrFH0YmMRVBidIfVrp4t9HAePXNW/887D+/xTmjWDLwQ4nwpFmwvMOG7LfhXfbKzx3NVjZZ6WiZrj5DapFCZpSQiCl1CfEJdmzp+fqscJwmCs2BNjX+KXISl81gCO; 20:KPhsCyu3Sf8k6ZWSEgVi9vFb30zcyF5gYmbmBp8QWVr3ByYTm38LSoPl+pty/rss6zW4mRphFl40WGDOgFkqqLrwcdlMqljgqNV+LawoluQ739Fp+s1FxU+d/Pf9Myvh12vgIzqGkZwnrzQ0b646TA6Xl1ykrOiyYJKDpyByFUw=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:DM5PR00MB0390;
x-ms-traffictypediagnostic: DM5PR00MB0390:
authentication-results: spf=none (sender IP is );
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820)(192374486261705)(177329092695168)(21532816269658);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(2017102700009)(2017102701064)(6040522)(2401047)(5005006)(8121501046)(2017102702064)(20171027021009)(20171027022009)(20171027023009)(20171027024009)(20171027025009)(20171027026009)(2017102703076)(3231232)(944501410)(52105095)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123558120)(20161123560045)(20161123564045)(20161123562045)(6072148)(201708071742011); SRVR:DM5PR00MB0390; BCL:0; PCL:0; RULEID:; SRVR:DM5PR00MB0390;
x-forefront-prvs: 06515DA04B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(39860400002)(366004)(39380400002)(13464003)(10290500003)(966005)(7110500001)(229853002)(72206003)(2420400007)(478600001)(3660700001)(39060400002)(3280700002)(2906002)(15650500001)(6116002)(10710500007)(8936002)(7736002)(25786009)(53936002)(81166006)(2171002)(6246003)(55016002)(8676002)(53376002)(74316002)(305945005)(6306002)(9686003)(110136005)(54906003)(6436002)(33656002)(4326008)(316002)(5660300001)(46003)(14454004)(10090500001)(476003)(11346002)(446003)(16799955002)(93886005)(5250100002)(2900100001)(53546011)(59450400001)(86612001)(99286004)(6506007)(86362001)(52396003)(7696005)(22452003)(76176011)(8656006)(8990500004)(186003)(102836004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR00MB0390;; FPR:; SPF:None; LANG:en; MLV:ovrnspm; PTR:InfoNoRecords;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Oni6KzDli/VfOyXpxcFBbsY3rMCZFsdn4FVW7oPFLuUlmBMhrE3ee0NUH1fVZn+04238HMzqrNE2DMdbMBWcxKNyZEbWi5LdvQHrG+gJPq9Bab3tLnO8YKgymExGI9b3JSjy2R1g9CR6g5aUxVzT2eWi7RKsXtvZC8ZWFV93OKl1tcdH21fH2HUrLaDtjJex
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 60677138-17e8-4cde-4c01-08d5a941c796
X-MS-Exchange-CrossTenant-Network-Message-Id: 60677138-17e8-4cde-4c01-08d5a941c796
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Apr 2018 17:43:52.7886 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR00MB0390
Archived-At: <>
Subject: Re: [Cfrg] [jose] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Crypto Forum Research Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Apr 2018 17:44:00 -0000

I realize that, as described in, some libraries did allow a RSA public key value to be used as an HMAC key.  As I see it, this is a problem with those implementations - not with the specification.  RSA public keys don't even have the same syntax as HMAC keys! (The former has "e" and "n" values and "kty":"RSA" and the latter has a "k" value and "kty":"oct".)  An implementation that would allow the two to be used interchangeably isn't even providing type safety - let alone security.  Note that this implementation problem is already also covered in

The fact that there have been implementation bugs isn't overly surprising.  That happens in all code.  This, to me, makes the case that we should have good public test suites for JWS/JWE/JWT implementations to ferret out these bugs - just like we have the OpenID Certification test suite for OpenID Connect implementations.  Whereas changing to a different standard would just result in different bugs, and would reduce interoperability.

				-- Mike

-----Original Message-----
From: jose <> On Behalf Of Neil Madden
Sent: Monday, April 23, 2018 9:43 AM
To: David Adrian <>
Cc: Carsten Bormann <>rg>;; Mike Jones <>rg>;
Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

> On 23 Apr 2018, at 14:44, David Adrian <> wrote:
> > If we have to invent a new standard each time an existing standard is implemented with a security flaw, we have a lot of work to do.
> You fundamentally cannot fix a standard with unusable to the point of broken negotiation by extending the negotiation. If you don't want PASETO to be a new standard, call it JOSEv3.

I don’t believe that PASETO is actually fundamentally different from JOSE in this respect. Is there a meaningful distinction between v1.local.<token> and {“alg”:”v1.local”}.<token> ?

One of the critical vulnerabilities historically in JOSE implementations was [1], whereby if an implementation was using RSA signed JWTs an attacker could get the server’s public key and use it as if it was a HMAC key to produce a forged JWT with {“alg”:”HS256”} in the header. If the JWT library just provided a verify(String jwt, Key key) function then it might be tricked into using the attacker’s choice of algorithm (HS256) with the server’s RSA public key and the JWT would validate. Oops!

This flaw has been rightly criticised, including by the authors of PASETO. Don’t let the attacker chose the algorithm!

But wait, aren’t PASETO implementations potentially vulnerable to *exactly the same vulnerability*?! If my server is set up to use v2.public (Ed25519) signed PASETO tokens, what is to stop an attacker grabbing my Ed25519 public key (which is a 32 byte value) and using it to create a PASETO token using v2.local? Recall that v2.local takes a 32 byte symmetric key. If the PASETO library just has a function verify(String paseto, Key key) and looks at the header to decide how to process the token, then it will have exactly the same vulnerability that those JOSE libraries had. So how does PASETO the spec make this vulnerability less likely?

Looking at the reference implementation [2], it seems that if the library user didn’t set an allowed purpose then the only thing stopping this is a type check on the public key class. In other words, the implementor took extra safe-guards beyond those documented in the specification. Phew!

Am I missing something here? As far as I can tell, the PASETO docs and draft RFC don’t even mention this as a consideration. How is this better than JOSE?


jose mailing list