Re: [jose] JWS Signing of HTTP attachments

Sergey Beryozkin <sberyozkin@gmail.com> Fri, 12 May 2017 16:46 UTC

To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <33ea6034-2e07-59dc-0561-58b45dfeefe7@gmail.com> <20170512155248.GA30318@LK-Perkele-V2.elisa-laajakaista.fi> <ee972cc0-3ada-1304-d62e-2e92f84629e4@gmail.com> <20170512162400.GB30318@LK-Perkele-V2.elisa-laajakaista.fi>
Cc: "jose@ietf.org" <jose@ietf.org>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <e4e76975-65fb-8369-f539-368ab6609e88@gmail.com>
Date: Fri, 12 May 2017 17:41:10 +0100
In-Reply-To: <20170512162400.GB30318@LK-Perkele-V2.elisa-laajakaista.fi>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/34n_BHt-uLf90Y17uAXWiI0Advg>
Subject: Re: [jose] JWS Signing of HTTP attachments

Right, the reference to the incoming signed data (the protected payload) 
is indeed available, but the read process will fail to complete if the 
verification process fails.

I'll need to make it more obvious in the docs.

Thanks, Sergey

On 12/05/17 17:24, Ilari Liusvaara wrote:
> On Fri, May 12, 2017 at 05:03:51PM +0100, Sergey Beryozkin wrote:
>> Thanks for the initial feedback. I'm not following at the moment how any of
>> these attacks can affect it. Perhaps I'll need to work on making it more
>> obvious how it is all implemented.
>
> Well, from the description I gathered that (partial) output is passed
> to application before the signature is verified. This is bad. But
> perhaps the description is just a bit misleading, and all input is
> buffered until signature is verified, and only then is the signed
> content sent to the application.
>
> JWS has an issue where signatures and MACs can be confused, leading to
> signature forgery if JWS implementation is not careful.
>
> JWE when used with ECDH-ES with NIST curves has an issue that
> compromises the private decryption key if JWE implementation is not
> careful.
>
>
> -Ilari
>
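The two points raised in this exchange, releasing payload bytes to the application before the signature is checked, and letting the JWS header rather than the verifier choose the algorithm (the signature/MAC confusion), as an added example that is not part of the thread and not the code of CXF or any other project discussed here. It assumes an HS256 shared key, a constructed attachment body, and a detached JWS with an unencoded payload (RFC 7515 Appendix F plus RFC 7797 "b64": false), which is one plausible way to sign an HTTP attachment without base64-inflating it; whether the proposal under discussion uses that form is not stated on the page. The unsafe reader hands each chunk to the caller as it arrives and only discovers the bad signature at the end; the safe reader buffers, verifies, and only then returns the body.

```python
import base64
import hashlib
import hmac
import json

# Constructed shared HMAC key for this example only (not from the thread).
KEY = b"example-shared-secret-32-bytes-long!!"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _header_segment() -> str:
    # RFC 7797: "b64": false must also be listed in "crit", so a verifier that
    # does not understand unencoded payloads rejects the JWS instead of
    # verifying the wrong signing input.
    header = {"alg": "HS256", "b64": False, "crit": ["b64"]}
    return b64url(json.dumps(header, separators=(",", ":")).encode("ascii"))


def sign_detached(key: bytes, payload: bytes) -> str:
    """Compact JWS with a detached, unencoded payload.
    Signing input is BASE64URL(header) || '.' || payload (raw bytes)."""
    h = _header_segment()
    sig = hmac.new(key, h.encode("ascii") + b"." + payload, hashlib.sha256).digest()
    return f"{h}..{b64url(sig)}"  # empty middle segment: payload travels separately


def _check_header(h: str, expected_alg: str) -> None:
    header = json.loads(b64url_decode(h))
    # The verifier, not the token, decides the algorithm. A key provisioned for
    # one alg is never used with another, which is what stops an attacker from
    # re-labelling a token as HS* and using a known public key as the MAC secret.
    if header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    if header.get("b64") is not False or "b64" not in header.get("crit", []):
        raise ValueError("expected unencoded payload with b64 in crit")


def read_attachment_unsafe(key: bytes, jws: str, chunks, expected_alg="HS256"):
    """Streams chunks to the caller as they arrive; verifies only at the end.
    Returns (bytes the application already consumed, error message or None)."""
    h, _detached, s = jws.split(".")
    _check_header(h, expected_alg)
    mac = hmac.new(key, h.encode("ascii") + b".", hashlib.sha256)
    consumed = bytearray()
    for chunk in chunks:
        mac.update(chunk)
        consumed += chunk  # the application is already acting on unverified data
    if not hmac.compare_digest(mac.digest(), b64url_decode(s)):
        return bytes(consumed), "signature invalid (but data already released)"
    return bytes(consumed), None


def read_attachment_safe(key: bytes, jws: str, chunks, expected_alg="HS256") -> bytes:
    """Buffers the whole payload, verifies, and only then returns it."""
    h, detached, s = jws.split(".")
    if detached != "":
        raise ValueError("payload segment must be empty for a detached JWS")
    _check_header(h, expected_alg)
    body = b"".join(chunks)
    mac = hmac.new(key, h.encode("ascii") + b"." + body, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("signature invalid; nothing released")
    return body


def demo() -> dict:
    # Constructed attachment body, split into the chunks an HTTP reader would see.
    original = b"invoice-2017-05.pdf contents: pay 100 EUR to account A"
    jws = sign_detached(KEY, original)
    tampered = [b"invoice-2017-05.pdf contents: pay 100 EUR to ", b"account B"]
    unsafe_saw, unsafe_err = read_attachment_unsafe(KEY, jws, tampered)
    try:
        read_attachment_safe(KEY, jws, tampered)
        safe_released = True
    except ValueError:
        safe_released = False
    # Forgery attempt: header alg rewritten to "none" with an empty signature.
    forged_h = b64url(b'{"alg":"none","b64":false,"crit":["b64"]}')
    try:
        read_attachment_safe(KEY, f"{forged_h}..", [original])
        alg_none_accepted = True
    except ValueError:
        alg_none_accepted = False
    valid_ok = read_attachment_safe(KEY, jws, [original[:10], original[10:]]) == original
    return {"unsafe_saw": unsafe_saw, "unsafe_error": unsafe_err,
            "safe_released": safe_released, "alg_none_accepted": alg_none_accepted,
            "valid_ok": valid_ok}
```

Running `demo()` shows the difference Ilari is asking about: the streaming reader returns the tampered bytes together with an error that arrives too late, while the buffering reader raises before any byte reaches the caller. For large attachments the buffering can be to disk rather than memory; what matters is that the application's read call does not complete until the MAC or signature over the full payload has been checked.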