Re: [jose] JOSE dependence on "Key Guessing"
Anders Rundgren <anders.rundgren.net@gmail.com> Wed, 07 February 2018 10:07 UTC
Return-Path: <anders.rundgren.net@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA432129515 for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 02:07:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nAlbTomk3eQI for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 02:07:26 -0800 (PST)
Received: from mail-lf0-x242.google.com (mail-lf0-x242.google.com [IPv6:2a00:1450:4010:c07::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 080C6127601 for <jose@ietf.org>; Wed, 7 Feb 2018 02:07:26 -0800 (PST)
Received: by mail-lf0-x242.google.com with SMTP id g72so510707lfg.5 for <jose@ietf.org>; Wed, 07 Feb 2018 02:07:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=baCkrf55rPHWVcPrAo5AEVjIDiTGoBFhOQbuUcsyWjY=; b=Iv5CPCs0RnCmucfaHcSI/zaSKeYzwXXByB2q6kBGT5x9BYlmKV90kU9rv3wM6YgzWL TAZ5X8fFntMdMZtmH++Mih0XKUKYOeCPGdL5KmQIiWaXeWt7cna0JCOdglJakjaBV1BT JjMhhkdpQ8H/8UulvjESBN9PkV186xZ24gOAg7fimRcBHm6dLIYghFasgtVaxuuQQwjk rIFHiUKyYQfkhrGZvUD78ToQBfjMIPbzD2dGtV+sCoSYVD3mXyJTKXgKv3ADM00byEps 22Px9+GHGYKXIHbWsa18AwcAspxu9xKzHcIeEu7OqB3q8GBqzP1zdyYLYC4WNf5R/otp tbrg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=baCkrf55rPHWVcPrAo5AEVjIDiTGoBFhOQbuUcsyWjY=; b=CCq61MyoLf9LqnI86U4u0Leyk51RxSvkbiokgkqlCfXmKJCmmaonoOuuvIrjDmzQ33 1htEmwLgT5va286V1yZ/1OH3TI0wUH7W7+mmTAUIWkaEQ4sygPVJFYP1S9eEGL3vDoeM luXovrZDp1mOVSZFHQ7m9OsECbSUba0CLm+sATrfI+mbH2NU8xEAwRM87GBh/Iz0EHiC 8yhxqFUs1E4NkNPtjOZNVB3fp0bC9eyDUTw0RrUDemUOQ29tds0hoZSMh1caWY39HGuE ys/oqb2THKAwVZaYG5Dx+U+Hrq423piouHJiqPy9yFpi9Hj2tFt+K6dgvn2CiucXzzU4 UWCA==
X-Gm-Message-State: APf1xPBrvT3Q6uar3q94rWuzr+8USdJmozxFKYFlwU0Q5ELSsbLnu3YN dcrxOeK6pNTq67Lhuq3AbrB5Ww==
X-Google-Smtp-Source: AH8x22769QHTgITcngk6VFGBcaasqJqrGXUYqUMOn0bxRlWfqXKZSl7+6l3Lk+QYMcK1yOLidnCxJg==
X-Received: by 10.46.36.21 with SMTP id k21mr3641322ljk.14.1517996654788; Wed, 07 Feb 2018 01:44:14 -0800 (PST)
Received: from [192.168.1.79] (25.131.146.77.rev.sfr.net. [77.146.131.25]) by smtp.googlemail.com with ESMTPSA id t23sm204226ljd.67.2018.02.07.01.44.13 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Feb 2018 01:44:13 -0800 (PST)
To: Neil Madden <neil.madden@forgerock.com>
Cc: "jose@ietf.org" <jose@ietf.org>
References: <6b3f854d-f370-8f94-12ca-0f8ae0051362@gmail.com> <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com> <e3c7e41b-ad42-828f-86d4-ef77c2c26292@gmail.com> <C1F11BB2-F135-483C-B8CB-E8724DD7737C@forgerock.com>
From: Anders Rundgren <anders.rundgren.net@gmail.com>
Message-ID: <bb45b889-9fab-4e62-b00a-b131f64bfafd@gmail.com>
Date: Wed, 07 Feb 2018 10:44:11 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.6.0
MIME-Version: 1.0
In-Reply-To: <C1F11BB2-F135-483C-B8CB-E8724DD7737C@forgerock.com>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/4m81VveQ5hb6iuxbHppU7l9U1LU>
Subject: Re: [jose] JOSE dependence on "Key Guessing"
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 10:07:29 -0000
On 2018-02-07 09:06, Neil Madden wrote: > > On 7 Feb 2018, at 07:18, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: > >> On 2018-02-07 07:22, Mike Jones wrote: >>> Anders, you misunderstand the feature and its purpose. The ability to reference a set of keys is essential to performing key roll-over - a critical security function. The "kid" (key ID) value is typically used to indicate which member of the key set was employed. There is no "key guessing". >>> For an example of how JWK sets are used for key roll-over in a production system, see http://openid.net/specs/openid-connect-core-1_0.html#Signing. >> >> "If there are multiple keys in the referenced JWK Set document, >> a kid value MUST be provided in the JOSE Header" >> >> This is what I was referring to. JKU as a standalone property is useless unless the set of keys is restricted to 1. > > Can you clarify why? You can just try each applicable key. This is what the posting referred to as "Key Guessing" which I consider an invalid concept. That the OpenID folks do not utilize this either indirectly supports this stance. >> This is not mentioned in the JOSE specifications but fundamental for interoperabiity and testing. >> The OpenID scheme does not only presume that there's an additional "kid" in the header, but that the referred key set also contains matching "kid"s. >> >> Maybe the "right" solution is providing an interoperability section with a reference to JKU as well? >> >> My (strong) wish is getting away from any kind of key guessing as a part of a test suite and reference implementation. Yes, the are indeed JOSE implementations that support key guessing. > > Remember that the “kid” parameter is only integrity protected by the same signature that you are verifying so it should only be a hint. If an attacker can forge a signature for any key in the set then they can almost certainly also forge a kid value to go with it. If an attacker has access to the genuine user's private keys it is usually game over. > A bigger problem with “jku” would be the potential for SSRF (https://cwe.mitre.org/data/definitions/918.html) and similar attacks based on getting the server to access arbitrary URLs before it has validated the signature. My reference implementation barfs at URLs that: - Do not use the "https://" scheme - Do not return HTTP 200 - Do not point to trusted servers - Do not return properly formatted JWK key sets thanx, Anders > > — Neil
- [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Mike Jones
- Re: [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Neil Madden
- Re: [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Neil Madden
- Re: [jose] JOSE dependence on "Key Guessing" Manger, James