IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

Dick Hardt <dick.hardt@gmail.com> Wed, 03 July 2013 00:14 UTC

Return-Path: <dick.hardt@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6DCF111E8117 for <jose@ietfa.amsl.com>; Tue, 2 Jul 2013 17:14:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.597
X-Spam-Level:
X-Spam-Status: No, score=-1.597 tagged_above=-999 required=5 tests=[AWL=-1.002, BAYES_00=-2.599, HTML_MESSAGE=0.001, TRACKER_ID=2.003]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EqIrTWhrRiW6 for <jose@ietfa.amsl.com>; Tue, 2 Jul 2013 17:14:52 -0700 (PDT)
Received: from mail-pd0-x234.google.com (mail-pd0-x234.google.com [IPv6:2607:f8b0:400e:c02::234]) by ietfa.amsl.com (Postfix) with ESMTP id 6CAD611E810A for <jose@ietf.org>; Tue, 2 Jul 2013 17:14:52 -0700 (PDT)
Received: by mail-pd0-f180.google.com with SMTP id 10so4031265pdi.25 for <jose@ietf.org>; Tue, 02 Jul 2013 17:14:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to:x-mailer; bh=/QG6wygBqJrSY2bEyQbMOvxfP+stjQ01+zSnfNfHRng=; b=MOFTu9A72LwG2N94S9zPr5bWLNxdFPpXNraeBulPXRtUT7kJbP9K8/CLy04l9DlEmL qtFdxhFvHMuo6fjG4rq37ztV9gdGcwq9kkgpBFS4riH5L16t9MBfa+402F0o1gFKelB6 B/BadU9Fp/F5svhgFR7hXn5wa5lH8hN/87N41VlVhrOjT6UBjFS0/t7uIQwtR5SENCxq F1c7gjy6t99JUcIa4FzMz7xi3/53HwrCnSKqtr6xK/oldmVBDuVC7sTomKu3mixwaTtC Kykoxng9qI/4XFDvzpb4L4dLNHuUPiXtVauUWbgbXFNa7KyZd5O0F5JQyVMvNuAtjMkX 0NxA==
X-Received: by 10.68.251.234 with SMTP id zn10mr30991543pbc.188.1372810492092; Tue, 02 Jul 2013 17:14:52 -0700 (PDT)
Received: from [10.0.0.80] (c-98-210-193-30.hsd1.ca.comcast.net. [98.210.193.30]) by mx.google.com with ESMTPSA id kc8sm29250588pbc.18.2013.07.02.17.14.49 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Tue, 02 Jul 2013 17:14:50 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail=_24097EF4-C368-452D-8F4E-EE6E85A7CC87"
Mime-Version: 1.0 (Mac OS X Mail 6.5 \(1508\))
From: Dick Hardt <dick.hardt@gmail.com>
In-Reply-To: <CAL02cgSFjiBUECdUoVbArdszRCPgsfLX_Yr11zDUjrrX3RTPaw@mail.gmail.com>
Date: Tue, 02 Jul 2013 17:14:46 -0700
Message-Id: <DED9A23D-E0C9-4498-B894-D2A461EA67C1@gmail.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com> <51CBA981.4050006@nri.co.jp> <048f01ce7355$19f05bc0$4dd11340$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943678A0114@TK5EX14MBXC283.redmond.corp.microsoft.com> <04bf01ce7359$5ab862c0$10292840$@augustcellars.com> <CAL02cgTkUrQptGqOfQyhCembS1e3Qxw3peRFnO5QjswUW=XR-w@mail.gmail.com> <CAD9ie-sZ+w_HADMTnnkTC8XRJmjZvwYOmA+AhvJGTNPhhK=Z4g@mail.gmail.com> <CAL02cgQbAQ8zhumdR_uvXjhbZM0iXpfPnmgcJrMUuh4+bj11NA@mail.gmail.com> <CAD9ie-sBGnv5QbjFeQiXiMJ0Git06LPsAkoNeN7KZxRNqukv3w@mail.gmail.com> <CAL02cgSFjiBUECdUoVbArdszRCPgsfLX_Yr11zDUjrrX3RTPaw@mail.gmail.com>
To: Richard Barnes <rlb@ipv.sx>
X-Mailer: Apple Mail (2.1508)
Cc: Dick Hardt <dick.hardt@gmail.com>, Jim Schaad <ietf@augustcellars.com>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, n-sakimura <n-sakimura@nri.co.jp>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 00:14:54 -0000

Hi Richard, thanks for the example, some comments and questions:

To clarify, in the JSON (non-compact) version, the payload is restricted to being a string? ie. it cannot be a JSON object? If so, that seems really limiting.

I don't understand why "cenc" needs to be added to the compact serialization. The recipient will need to know if it is in the compact format or in JSON before parsing.

My gut tells me that signing the header is useful and will thwart some attacks -- but I am not an expert in that area. Is there some research that says it makes no difference? I think it would help catch implementation errors.

-- Dick

On Jul 2, 2013, at 3:20 PM, Richard Barnes <rlb@ipv.sx> wrote:

> Glad that helped.  Detailed examples below.
> 
> Couple of high-level points to help the examples make sense:
> 1. Define a "cenc" header parameter, for "Content ENCoding", with one value, "b64u".  When present in the JSON serialization, the "payload" field is base64url encoded; when it is absent, the "payload" field represents the payload directly (as a UTF-8 string).
> 2. For the compact serialization, "cenc" is always "b64u".
> 3. When protected a header are present (always for the compact serialization), the JWS Signing Input is base64(protected).base64(payload), as it is in -11.  When no protected header is present, the JWS Signing Input is simply the octets of the payload.
> 
> With that in mind, let's look at a few test cases.  We'll use the following inputs:
> 
> Header: {"alg":"HS256","kid":"2"} 
> == 7b22616c67223a224853323536222c226b6964223a2232227d (hex UTF-8)
> == eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ (base64 UTF-8)
> 
> Key (kid=2): 0x0001020304050607 (8 octets)
> 
> Payload: "café" 
> == 636166c3a9 (hex UTF-8)
> == Y2Fmw6k (hex UTF-8)
> 
> With those inputs, let's consider 4 cases that show the possibilities discussed above.
> 
> ### CASE 1: Compact / protected / b64u
> 
> eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ
> .Y2Fmw6k
> .QUoMVpjxLXjH1ZAX9tw4QEPnL6G_Hvd4EjD-JsHilyk
> 
> No change here.  The compact case just represents the special case where the payload is base64-encoded and all the headers are protected.  Thus, we use the base64.base64 form for the JSON Signing Input.
> JWS Signing Input: eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ.Y2Fmw6k (as a UTF-8 string)
> == 65794a68624763694f694a49557a49314e694973496d74705a434936496a496966512e5932466d77366b (hex)
> 
> ### CASE 2: JSON / protected / b64u
> 
> {
>   "unprotected":{"cenc":"b64u"},
>   "protected":"eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ",
>   "payload":"Y2Fmw6k",
>   "signature":"QUoMVpjxLXjH1ZAX9tw4QEPnL6G_Hvd4EjD-JsHilyk"
> }
> 
> This is just the JSON equivalent to Case 1.  
> 
> ### CASE 3: JSON / unprotected / b64u
> 
> {
>   "unprotected":{"alg":"HS256","kid":"2","cenc":"b64u"},
>   "payload":"Y2Fmw6k",
>   "signature":"X-GwEVfz9WEi0UhrmK1muKXecqxMipngSL_ZenXw5Lo"
> }
> 
> Here we've removed the integrity protection from the headers (because who needs it? ;) ).  So the signature is different, because JWS Signing Input here is just the payload.
> JWS Signing Input: café (as a UTF-8 string)
> == 636166c3a9 (hex)
> 
> ### CASE 4: JSON / unprotected / plain
> 
> {
>   "unprotected":{"alg":"HS256","kid":"2"},
>   "payload":"café",
>   "signature":"X-GwEVfz9WEi0UhrmK1muKXecqxMipngSL_ZenXw5Lo"
> }
> 
> This object is equivalent to Case 3, but with the payload expressed directly as a JSON string instead of base64-encoded.  And, if you ask me, the prettiest and most human-readable of the whole menagerie here :)
> 
> I've written a script to generate these test cases, in case you want to play with this some more:
> <http://test.polycrypt.net/temp/hello-jose.html>
> 
> Hope this helps,
> --Richard
> 
> 
> On Fri, Jun 28, 2013 at 7:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> Hi Richard, that helps. 
> 
> Our you looking at a way of effectively signing a JSON payload? A complete, real world example would help alot.
> 
> 
> On Fri, Jun 28, 2013 at 3:57 PM, Richard Barnes <rlb@ipv.sx> wrote:
> Hey Dick,
> 
> I guess I should have been clearer that I was only talking about the JSON serialization.  My proposed change would have no impact on the compact serialization.  Hopefully that answers your questions about separators, etc.; they payload would just be a normal JSON string.
> 
> --Richard
> 
> 
> On Thu, Jun 27, 2013 at 7:56 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> 
> 
> On Thu, Jun 27, 2013 at 3:24 PM, Richard Barnes <rlb@ipv.sx> wrote:
> I think there are two separable issues here, both of which Mike and I probably have divergent opinions on :)
> 1. Syntax: Should it be possible for the "payload" field JWS to be a JSON string (instead of base64) when the payload is simply a UTF-8 string?
> 
> One of the goals of the token was that it not require encoding for it to be transported in a request. IE that it be safe and SIMPLE to include in an HTTP header or in a URL
>  
> 2. Crypto: Must the JWS Signing Input be base64url encoded.
> 
> The current answers to these questions are:
> 1. It is not possible.  Payload is always base64url encoded.
> 2. It is always base64url encoded.
> 
> The answers should be:
> 1. The payload should not be base64url encoded unless it cannot be represented as a JSON string.
> 
> How does an implementation determine which parts are separated? Are '.' escaped? Does the implementation need to parse the JSON to determine a valid separator? How does it know the end of the JSON? That sounds really hard to implement, or I am misunderstanding what you are proposing.
> 
>  
> 2. The JWS Signing Input should not be base64url encoded unless there is a JWS Protected Header
> 
> Neither of these are complicated changes:
> 1. Add a "b64" header parameter that indicates that the payload is base64url-encoded binary, as opposed to a UTF-8 string.  Specify that this parameter is on by default in compact-formatted JWS objects.
> 
> And how is the header separated from the payload?
>  
> 2. Modify the signing/verification instructions to switch based on the presence of a JWS Protected Header: "If the JWS Protected Header is absent or empty, then the JWS Signing Input is simply the JWS Payload (not encoded).  If the JWS Protected Header has a non-empty value, then the the JWS Signing Input is the concatenation of the Encoded JWS Header, a period ('.') character, and the Encoded JWS Payload"
> 
> There are two reasons for these, both of which are important to make sure that this spec is applicable to a broad variety of use cases:
> 1. Compactness.  As Jim notes, quoted strings are shorter than base64url-encoded strings
> 
> The tokens are already compact enough.
>  
> 2. Crypto-compatibility: Avoiding base64-encoding means that there's nothing JWS-specific about the signature value.  So for example, you could translate a JWS with no protected attributes to a CMS SignedData object with no protected attributes.
> 
> Not a useful feature from my point of view.
> 
> -- Dick
> 
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.36.0 | Report a Bug | By Email | System Status