Re: [jose] backwards compatibility attack on JWT impls (was: I-D Action: draft-ietf-jose-json-web-algorithms-02.txt)

["Juraj Somorovsky" <juraj.somorovsky@rub.de>]

I assume this also depends on the scenario. If you use public key
signatures, you can sign whatever you want with your key, even the the
RSA1_5 / RSA_OAEP ciphertexts and their algorithms
(again, I am not familiar with the json scenarios, but in XML Encryption
applications, the RSA ciphertexts are typically *not* signed)

If you use HMACs, you need to transport somehow your HMAC key. You would
do this probably with RSA-OAEP. In this case, the scenario described by
Brian applies.

Juraj

On 03/14/2013 05:38 PM, Brian Campbell wrote:
> But the integrity protected encryption happens using the key that's been
> wrapped/encrypted using "RSA-OAEP" or "RSA1_5".  That key needs to be
> unwrapped/decrypted before any of the integrity checks even come into play,
> which is where the attack takes place. So I don't see how the AEAD (or
> composite AEAD like) algorithms help for preventing Bleichenbacher attacks
> on RSA1_5 or BC attacks on RSA-OAEP to RSA1_5?
> 
> (the general disclaimer correcting me, if I'm wrong, applies)
> 
> 
> On Thu, Mar 14, 2013 at 11:48 AM, Mike Jones <Michael.Jones@microsoft.com>wrote:
> 
>> I believe that these attacks are only possible on encryption without
>> integrity, which in turn was only possible, because Nimbus-JWT continued to
>> implement encryption algorithms without integrity protection.  Someone
>> should please correct me if I'm misunderstanding the situation.
>>
>> As most of you know, JWE now only allows authenticated encryption
>> algorithms to be used, for reasons exactly such as these.
>>
>>                                 -- Mike
>>
>> -----Original Message-----
>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of
>> =JeffH
>> Sent: Thursday, March 14, 2013 8:17 AM
>> To: IETF JOSE WG
>> Cc: Juraj Somorovsky
>> Subject: [jose] backwards compatibility attack on JWT impls (was: I-D
>> Action: draft-ietf-jose-json-web-algorithms-02.txt)
>>
>> back on Fri, 6 Jul 2012  Mike Jones said:
>>  >
>>  > Looking at this again, it seems to me that because JWE provides
>> integrity  > protection for the algorithm, it should be impossible for you
>> to replace  > "RSA-OAEP" with "RSA1_5" in the header because then the
>> integrity check will  > fail.  Thus, the attack that you describe below is
>> prevented by the integrity  > protection of the header.
>>  >
>>  > Hence, correct JWE implementations do no provide the OAEP decryption
>> oracle  > that you describe.  However if I'm missing something, please
>> point it out to  > me, since if there's an issue, I'd like to understand it
>> and how to mitigate  > it.
>>
>> just fyi/fwiw...apologies if this has already been followed up on, but I
>> didn't find further discussion of this after the above-quoted msg...
>>
>> Juraj Somorovsky et al's NDSS-2013 "Backwards Compatibility (BC) attacks"
>> paper [1] is now out, and it may help answer the above questions. There's
>> also Kenny Patterson's talk [2] from the recent Workshop on Real-World
>> Cryptography.
>>
>> It seems, from an admittedly cursory glance at both
>> draft-ietf-jose-json-web-algorithms (-08) and the above paper/slides, that
>> perhaps there should be more implementation advice and security
>> considerations in (at least) the -json-web-algorithms spec.
>>
>> Here's some excerpts from the paper for context...
>>                 ...
>> In the public-key setting, we show how the well-known attack of
>> Bleichenbacher [13] gives rise to a BC [Backwards Compatibility] attack
>> that allows an attacker to decrypt ciphertexts of PKCS#1 v2.0 encryption in
>> both XML Encryption [27] and JSON Web Encryption [42], and to forge
>> signatures for arbitrary messages in XML Signature [30] and JSON Web
>> Signature [41]. The attack principle is described in Section 4. We
>> furthermore report on our experimental results, executed against the Java
>> implementation of JSON Web Encryption and JSON Web Signature Nimbus-JWT
>> [53], in Section 5.3.
>>                 ...
>>
>> Platform for Experimental Analysis: We investigate the practicality and
>> performance of our attacks on JWE and JWS by applying them to the
>> Nimbus-JWT library [53]. Nimbus-JWT is a Java implementation of JSON Web
>> Encryption (JWE) and JSON Web Signature (JWS), developed by NimbusDS to
>> support their Cloud Identity management portfolio.
>>
>> Even though Nimbus-JWT claims to implement version 02 of the JWE standard
>> draft, it still supports usage of AESCBC (without MAC), which was available
>> in version 01, but not in version 02 or any subsequent versions.
>>                 ...
>>
>> 5.2.3 Evaluation
>>
>> We evaluated performance of our attacks against both WSS4J and Nimbus-JWT.
>> We first used the libraries to generate valid messages containing AES-GCM
>> ciphertexts. Then we modified the algorithm parameters in the messages,
>> forcing the receiver to process the ciphertexts using AES-CBC, and executed
>> the attack described in Algorithm 1. The required ciphertext validity
>> oracles were based on error messages generated by the libraries.
>>                 ...
>>
>> Experimental Results. In order to assess the practicability and
>> performance of the attack, we implemented Bleichenbacher’s attack on XML
>> Encryption [13, 38] and applied it to the Nimbus-JWT library. The PKCS#1
>> v1.5 validity oracle was provided by exceptions thrown by this library.11
>>                 ...
>>
>> 11 In practice one would instead use the more elaborate attack techniques
>> of [38] to determine whether a given ciphertext is PKCS#1 v1.5 valid.
>>                 ...
>>
>> [13] D. Bleichenbacher. Chosen ciphertext attacks against protocols based
>> on the RSA encryption standard PKCS#1. In H. Krawczyk, editor, Advances in
>> Cryptology – CRYPTO’98, volume 1462 of Lecture Notes in Computer Science,
>> pages 1–12.
>> Springer, Aug. 1998.
>>
>> [38] T. Jager, S. Schinzel, and J. Somorovsky. Bleichenbacher’s attack
>> strikes
>> again: breaking PKCS#1 v1.5 in XML Encryption. In S. Foresti and M. Yung,
>> editors, Computer Security - ESORICS 2012 - 17th European Symposium on
>> Research in Computer Security, Pisa, Italy, September 10-14, 2012.
>> Proceedings, LNCS.
>> Springer, 2012.
>>
>> [53] Nimbus Directory Services. Nimbus JSON Web Token, May 2012.
>> https://bitbucket.org/nimbusds/nimbus-jwt.
>>
>> ###
>>
>> [1] One Bad Apple: Backwards Compatibility Attacks on
>>   State-of-the-Art Cryptography
>>
>> http://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2013/03/08/BackwardsCompatibilityAttacks.pdf
>>
>> [2] Key Reuse: Theory and Practice
>> http://crypto.stanford.edu/RealWorldCrypto/slides/kenny.pdf
>>
>>
>> HTH,
>>
>> =JeffH
>>
>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>