Re: [jose] JWS Signing of HTTP attachments
Sergey Beryozkin <sberyozkin@gmail.com> Fri, 12 May 2017 16:09 UTC
To: Ilari Liusvaara <ilariliusvaara@welho.com>
References: <33ea6034-2e07-59dc-0561-58b45dfeefe7@gmail.com> <20170512155248.GA30318@LK-Perkele-V2.elisa-laajakaista.fi>
Cc: "jose@ietf.org" <jose@ietf.org>
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <ee972cc0-3ada-1304-d62e-2e92f84629e4@gmail.com>
Date: Fri, 12 May 2017 17:03:51 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/6cijNoG8l3wwpnCUsWpfrY3G4Kk>

Thanks for the initial feedback.

I'm not following at the moment how any of these attacks can affect it. Perhaps I'll need to work on making it more obvious how it is all implemented.

It is simply a concrete implementation of JWS with Detached Content. The content is written out and by the time it's finished the JWS payload will be finished and will accompany this content.

On the receiving end the verification provider will be instantiated (with the proper care, for example, the server will not support the dynamic verification provider selection process, i.e. will be expected to process only RSA or HMAC etc. signatures). Once this provider is available it will then get all the data which is being read passing through the verification process and finally compare the signatures.

Cheers, Sergey

On 12/05/17 16:52, Ilari Liusvaara wrote:
> On Fri, May 12, 2017 at 01:59:21PM +0100, Sergey Beryozkin wrote:
>> Hi All,
>>
>> I've experimented in our project with having HTTP attachment parts protected
>> using JWS with Detached Content and Unencoded Payload options [1].
>>
>> This approach appears to be quite effective to me. It also appears to me
>> that the data as shown in the example at [1], can, in principle, be produced
>> and processed by any HTTP stack that can work with multiparts, assuming a
>> JOSE library supporting the detached and unencoded content is also
>> available.
>>
>> I'd appreciate if the experts could comment on 1) do you see some weaknesses
>> in the proposed approach and 2) can someone see a point in drafting some
>> text around it (I can contribute if it is of interest) ?
>
> It looks from the text that the implementation can produce output before
> the entire signature (or tag in case of encryption) has been verified.
> This is very dangerous if so.
>
>
> Then there are the standard attacks against JOSE (the JOSE library must
> not be vulnerable to these):
>
> - The JWS HMAC versus signature confusion
> - The JWE ECDH-ES invalid curve attack.
>
>
> -Ilari
>
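
The receiving-side behaviour discussed in this thread (algorithm fixed by server configuration, nothing released until the whole signature has been checked), as an added example that is not part of the original messages or of the project's code. It assumes HS256 and the RFC 7797 unencoded-payload header (`b64: false`); the function names, the 1 MiB spool size and the sample key are made up for illustration.

```python
import base64, hashlib, hmac, json, tempfile

PINNED_ALG = "HS256"  # assumption: this receiver is configured for HS256 only

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_detached(key: bytes, chunks) -> str:
    """Sender: MAC the attachment as it streams out, then emit header..signature."""
    header = b64u(json.dumps({"alg": PINNED_ALG, "b64": False, "crit": ["b64"]}).encode())
    # RFC 7797 signing input: BASE64URL(header) || "." || raw payload bytes
    mac = hmac.new(key, header.encode() + b".", hashlib.sha256)
    for chunk in chunks:
        mac.update(chunk)
    return f"{header}..{b64u(mac.digest())}"

def verify_detached(key: bytes, jws: str, chunks) -> bytes:
    """Receiver: spool chunks privately and release them only after the MAC verifies."""
    header_b64, payload, sig_b64 = jws.split(".")
    header = json.loads(b64u_dec(header_b64))
    if payload != "":
        raise ValueError("expected detached content")
    # The algorithm comes from local configuration, never from the message,
    # which is what rules out HMAC-versus-signature confusion.
    if header.get("alg") != PINNED_ALG:
        raise ValueError("unexpected alg")
    if header.get("b64") is not False or header.get("crit") != ["b64"]:
        raise ValueError("expected unencoded payload header")
    mac = hmac.new(key, header_b64.encode() + b".", hashlib.sha256)
    with tempfile.SpooledTemporaryFile(max_size=1 << 20) as spool:
        for chunk in chunks:
            mac.update(chunk)
            spool.write(chunk)  # held back: the caller sees nothing yet
        if not hmac.compare_digest(mac.digest(), b64u_dec(sig_b64)):
            raise ValueError("signature mismatch, attachment discarded")
        spool.seek(0)
        return spool.read()
```

The spool keeps small attachments in memory and rolls larger ones to a temporary file, so holding data back until verification does not require buffering everything in RAM.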