Re: [jose] JOSE dependence on "Key Guessing"
Neil Madden <neil.madden@forgerock.com> Wed, 07 February 2018 08:07 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6851B12421A for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 00:07:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6D5Gg2qsXe7i for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 00:07:03 -0800 (PST)
Received: from mail-wm0-x242.google.com (mail-wm0-x242.google.com [IPv6:2a00:1450:400c:c09::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35CCF120726 for <jose@ietf.org>; Wed, 7 Feb 2018 00:07:03 -0800 (PST)
Received: by mail-wm0-x242.google.com with SMTP id f71so1368215wmf.0 for <jose@ietf.org>; Wed, 07 Feb 2018 00:07:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=blYjH5x+/M3hjjsRMPB97Sxx/8W+v/RnBr8rFtGAy6A=; b=akrAxmElr/jTmVFRHVs4yFUKbLxfTAI6EN7uz2JxLTFmKHNxqJ6okawPpVzWE68z6o T8NjPBdHR+Zvr0HeYz9QhiKBEiBpO33BlC+fOhBGW2xNAHqhLSTYbyIdQszpZ7QxcLnD PimDUHJ+69AFb+c4aLovou6HHog0jqiMJ6YAc=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=blYjH5x+/M3hjjsRMPB97Sxx/8W+v/RnBr8rFtGAy6A=; b=p8fZ/ojDqeGguVUdDoqlVMJ3po0IuAAhIDkIdGNQAMbhZlbZKBTQAYw2t+9Z3CYFEP mANYuEPu7CebzON/KfwdhAHY5ZJpGdrWeb9tjhGggAPAb7dPPojCdDRB7WQtz5Eb/Kcd LLD7+UFvExCnHqjmuNNPLYCRXMtbciWe0cJhxYOuTfSA23WQkalW0lln7xBRObF/sC5k SsgIlR28qnqTkHkt/2SbODjijtuFzTVfKG/lIs7YmOjLHBuhfB5f3NizULQrXXauwdzh 4V4dTYkyCA+HmEd683V1bztbC83SIy7P6N9yPBaLTRgZib9RufPauXHgaoR8oSGpL+7i yEow==
X-Gm-Message-State: APf1xPAvJsYxC1u8d/qyZ4t74MGHMJsWN8UM/MtURrkexKx+LD1IXy3j 7MGU0MSDY2f9jDsuTl8IJeYYdk/4cmytpEqEjDQmO0OpQqMudf/QFYKO70o8DZcU447LKQOd0x+ K94FOBYqfI7egexV8DFKxDnpX19FKw5FC5V5O5qaBue2Bb2GF3W7HsQ/3yVAokQ==
X-Google-Smtp-Source: AH8x2264ZYcZ9oXRLRX133E1Jt10nHPM9IRHnRCCqdD1crf1XXaCWLch0+xS6WPCe71d8SLLlMarFg==
X-Received: by 10.80.204.133 with SMTP id q5mr7250871edi.112.1517990821433; Wed, 07 Feb 2018 00:07:01 -0800 (PST)
Received: from [192.168.1.81] (52.33.198.146.dyn.plus.net. [146.198.33.52]) by smtp.gmail.com with ESMTPSA id z2sm812569edc.50.2018.02.07.00.07.00 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Feb 2018 00:07:00 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail-D8D9C37D-D664-4177-8632-440A7A9201DA"
Mime-Version: 1.0 (1.0)
From: Neil Madden <neil.madden@forgerock.com>
X-Mailer: iPhone Mail (15D60)
In-Reply-To: <e3c7e41b-ad42-828f-86d4-ef77c2c26292@gmail.com>
Date: Wed, 07 Feb 2018 08:06:59 +0000
Cc: Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <C1F11BB2-F135-483C-B8CB-E8724DD7737C@forgerock.com>
References: <6b3f854d-f370-8f94-12ca-0f8ae0051362@gmail.com> <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com> <e3c7e41b-ad42-828f-86d4-ef77c2c26292@gmail.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/-A7uKrl6QYj_bPozaqvaheysfxI>
Subject: Re: [jose] JOSE dependence on "Key Guessing"
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 08:07:06 -0000
>> On 7 Feb 2018, at 07:18, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: >> >> On 2018-02-07 07:22, Mike Jones wrote: >> Anders, you misunderstand the feature and its purpose. The ability to reference a set of keys is essential to performing key roll-over - a critical security function. The "kid" (key ID) value is typically used to indicate which member of the key set was employed. There is no "key guessing". >> For an example of how JWK sets are used for key roll-over in a production system, see http://openid.net/specs/openid-connect-core-1_0.html#Signing. > > "If there are multiple keys in the referenced JWK Set document, > a kid value MUST be provided in the JOSE Header" > > This is what I was referring to. JKU as a standalone property is useless unless the set of keys is restricted to 1. Can you clarify why? You can just try each applicable key. > > This is not mentioned in the JOSE specifications but fundamental for interoperabiity and testing. > The OpenID scheme does not only presume that there's an additional "kid" in the header, but that the referred key set also contains matching "kid"s. > > Maybe the "right" solution is providing an interoperability section with a reference to JKU as well? > > My (strong) wish is getting away from any kind of key guessing as a part of a test suite and reference implementation. Yes, the are indeed JOSE implementations that support key guessing. Remember that the “kid” parameter is only integrity protected by the same signature that you are verifying so it should only be a hint. If an attacker can forge a signature for any key in the set then they can almost certainly also forge a kid value to go with it. A bigger problem with “jku” would be the potential for SSRF (https://cwe.mitre.org/data/definitions/918.html) and similar attacks based on getting the server to access arbitrary URLs before it has validated the signature. — Neil
- [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Mike Jones
- Re: [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Neil Madden
- Re: [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Neil Madden
- Re: [jose] JOSE dependence on "Key Guessing" Manger, James