IETF Logo Mail Archive

[jose] Deprecation of legacy algorithms

Neil Madden <neil.e.madden@gmail.com> Tue, 05 March 2024 15:56 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 88DF2C14F6B2 for <jose@ietfa.amsl.com>; Tue, 5 Mar 2024 07:56:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VFbS62xj9uWk for <jose@ietfa.amsl.com>; Tue, 5 Mar 2024 07:56:38 -0800 (PST)
Received: from mail-wm1-x32f.google.com (mail-wm1-x32f.google.com [IPv6:2a00:1450:4864:20::32f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 904A8C14F61F for <jose@ietf.org>; Tue, 5 Mar 2024 07:56:33 -0800 (PST)
Received: by mail-wm1-x32f.google.com with SMTP id 5b1f17b1804b1-412db7067d6so1304425e9.1 for <jose@ietf.org>; Tue, 05 Mar 2024 07:56:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1709654191; x=1710258991; darn=ietf.org; h=to:date:message-id:subject:mime-version:from:from:to:cc:subject :date:message-id:reply-to; bh=3W01rQwYbDVQgTmwtz0hCtNWzAN4kmzCv3yOtgYQFsU=; b=nMtc/WpNRMR8l96k4RtEhRvRmMhp1ctjNDZBV/DRVazuYslcgIKnqmmCoYbQqWESjX ac56xUUpzX6zVufooNKaV7PsxYNpwbT3WzbsHrUdCBfwbbTE6zTiMoBbPaE2E4y6d4GD V4t8OoElGsCcqDGBPWHTLt5Pu2XJF3+HwspFWWDlEWNpVFaJ3cbXKldn7YhDFyxmRZ54 Hch6YDgDVsk4T5ja561CG85Id0aRZLC7t2vosh+gusKZtCg9wJDb5GCcjrkbDshFTri5 7LqAr2r8YfY10cq6KA2BwNaDr9Lz4u93FDPh5gFzmEx7NsvQoQs8sRiMW5SAjR+iRfSe 608Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1709654191; x=1710258991; h=to:date:message-id:subject:mime-version:from:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=3W01rQwYbDVQgTmwtz0hCtNWzAN4kmzCv3yOtgYQFsU=; b=d8QX2Xmiyx5ULNkAOmW1aQrLEw64BPlpwFnlC3xfB0A0nH64FGLeQfTBADZUzaMFd4 XoNXD5hxydKTHeMmfNcRap4pH3XyKX56QGvMEStCAkSGcbdx42alsZP911B9MpnBgmV2 tdEUmjqCS1UPSlp/TU5Ok4ngTgKFlgFdYVwGlDhbRRsiYisKjd7LLeA6ewHW94LiakXv x9THVuc3kZ9i3DNo3G0e9FfeCDtZL5Ov8DU//nPtuJ0jjce5wBNcDX2gc+2oK6FQC52M E8CpZnF1zOAt73Prwewh+E5g1ifQMjCe1EezPDH1vxGoogH53/pMgLy1tQiSho4B0AUJ qC7g==
X-Gm-Message-State: AOJu0YwMeazw43t9hXxk3M6LL81HDo+UVzgFxMReYvJgDzTj7Y3rojtp B9uB1Wo9qwzOXUwu8zOgczV/Fhk+jR0UJJNdtwMtwDM4GzeZuJd5xji7ycbxoRw=
X-Google-Smtp-Source: AGHT+IExJDV3FKDz5LPnIBRhZ4n9xmQxRH+eKkF+fQdT05VpzPEZuasSquOBz/r2jFO95mPoM5QE5g==
X-Received: by 2002:a05:600c:1c9b:b0:412:eee0:a5e4 with SMTP id k27-20020a05600c1c9b00b00412eee0a5e4mr580566wms.1.1709654191368; Tue, 05 Mar 2024 07:56:31 -0800 (PST)
Received: from smtpclient.apple (232.211.93.209.dyn.plus.net. [209.93.211.232]) by smtp.gmail.com with ESMTPSA id q11-20020a05600c46cb00b00412b4dca795sm18517346wmo.7.2024.03.05.07.56.30 for <jose@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 05 Mar 2024 07:56:30 -0800 (PST)
From: Neil Madden <neil.e.madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_EF6F8056-9989-4B86-9A30-B32385149110"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.120.41.1.4\))
Message-Id: <30D0C208-4543-48C0-952D-59B57633C1EA@gmail.com>
Date: Tue, 05 Mar 2024 15:56:30 +0000
To: JOSE WG <jose@ietf.org>
X-Mailer: Apple Mail (2.3696.120.41.1.4)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/9btXucyZmHEuEk9lY0okBQviEz8>
Subject: [jose] Deprecation of legacy algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 15:56:42 -0000

Hi all,

Leaving aside all the exciting work on shiny new algorithms to *add* to JOSE, I would like to raise the prospect of deprecating some existing algorithms that have passed their best. Before I start work on writing the drafts for these, I'd like to gauge if there is some support or this is likely to be wasted effort. The algorithms I think that should be deprecated are:

RSA1_5 - currently marked as Recommended- in the IANA registry. PKCS#1 v1.5 padding for encryption has been a source of repeated vulnerabilities over the years, and they keep cropping up. I believe the main reason this exists at all was to allow continued use of legacy hardware, in particular where FIPS approval was required. However, PKCS#1 v1.5 padding has been forbidden by FIPS (for encryption) since the end of this 2023 [1]. If someone is really stuck with a hardware device that only supports this encryption mode then they can use it to encrypt local files containing keys for other algorithms rather than using it directly.

none - I know this one is more controversial in some quarters, but alg=none has been responsible for a steady stream of serious security vulnerabilities, and even spawned its own website: https://www.howmanydayssinceajwtalgnonevuln.com <https://www.howmanydayssinceajwtalgnonevuln.com/>. I'm not sure there has actually been a year where this algorithm *hasn't* caused a vulnerability. I've yet to see a genuine use-case for it in the wild. The pain:gain ratio on this algorithm is extremely high.

I would also like to write a draft (either combined with the above or separate) that establishes some baseline security properties for future algorithm registrations:

* All signature algorithms MUST achieve unforgeability under chosen message attack (EUF-CMA).
* All encryption algorithms MUST achieve at least IND-CCA2.

[1]: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf <https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf> (see table 5 on page 15)

Thoughts?

-- Neil

v2.23.0 | Report a Bug | By Email