Re: [jose] backwards compatibility attack on JWT impls (was: I-D Action: draft-ietf-jose-json-web-algorithms-02.txt)
"Juraj Somorovsky" <juraj.somorovsky@rub.de> Thu, 14 March 2013 17:02 UTC
Return-Path: <juraj.somorovsky@rub.de>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE20111E8138 for <jose@ietfa.amsl.com>; Thu, 14 Mar 2013 10:02:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.949
X-Spam-Level:
X-Spam-Status: No, score=-5.949 tagged_above=-999 required=5 tests=[AWL=-0.300, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_31=0.6, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QbSxwt+2G2g1 for <jose@ietfa.amsl.com>; Thu, 14 Mar 2013 10:02:34 -0700 (PDT)
Received: from mx6.rz.ruhr-uni-bochum.de (mi.ruhr-uni-bochum.de [134.147.64.30]) by ietfa.amsl.com (Postfix) with SMTP id E5A4F11E8110 for <jose@ietf.org>; Thu, 14 Mar 2013 10:02:24 -0700 (PDT)
X-Queued: (qmail 7355 invoked by alias); 14 Mar 2013 17:02:23 -0000
X-Queued: (qmail 7325 invoked from network); 14 Mar 2013 17:02:23 -0000
Received: from c2-3-4.rz.ruhr-uni-bochum.de (134.147.64.5) by mx6.rz.ruhr-uni-bochum.de with SMTP; 14 Mar 2013 17:02:23 -0000
X-Queued: (qmail 30622 invoked by uid 281); 14 Mar 2013 17:02:23 -0000
X-Qmailscanner: from 134.147.40.78 (7Cil8M2CiUz3vk0eT+Su4Q==@134.147.40.78) by c2-3-4.rz.ruhr-uni-bochum.de (envelope-from <juraj.somorovsky@rub.de>, uid 80) with qmail-scanner-2.01 (sophie: 3.05/3.37/4.83. Clear:RC:1(134.147.40.78):. Processed in 0.077996 secs); 14 Mar 2013 17:02:23 -0000
Received: from jontop.nds.ruhr-uni-bochum.de (HELO ?134.147.40.78?) (7Cil8M2CiUz3vk0eT+Su4Q==@134.147.40.78) by c2-3-4.rz.ruhr-uni-bochum.de with (DHE-RSA-CAMELLIA256-SHA encrypted) SMTP; 14 Mar 2013 17:02:23 -0000
Date: Thu, 14 Mar 2013 18:02:21 +0100
Message-ID: <5142029D.7090302@rub.de>
From: Juraj Somorovsky <juraj.somorovsky@rub.de>
To: Brian Campbell <bcampbell@pingidentity.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3
MIME-Version: 1.0
References: <5141E9D6.6030003@KingsMountain.com> <4E1F6AAD24975D4BA5B16804296739436750F9CB@TK5EX14MBXC283.redmond.corp.microsoft.com> <CA+k3eCRdrOhVMrDQK5Za=Q+T-9_SCMRfd4acrZE+W-zWiaNr1Q@mail.gmail.com>
In-Reply-To: <CA+k3eCRdrOhVMrDQK5Za=Q+T-9_SCMRfd4acrZE+W-zWiaNr1Q@mail.gmail.com>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Fri, 15 Mar 2013 11:25:48 -0700
Cc: Mike Jones <Michael.Jones@microsoft.com>, IETF JOSE WG <jose@ietf.org>, =JeffH <Jeff.Hodges@kingsmountain.com>
Subject: Re: [jose] backwards compatibility attack on JWT impls (was: I-D Action: draft-ietf-jose-json-web-algorithms-02.txt)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Mar 2013 17:02:38 -0000
I assume this also depends on the scenario. If you use public key signatures, you can sign whatever you want with your key, even the the RSA1_5 / RSA_OAEP ciphertexts and their algorithms (again, I am not familiar with the json scenarios, but in XML Encryption applications, the RSA ciphertexts are typically *not* signed) If you use HMACs, you need to transport somehow your HMAC key. You would do this probably with RSA-OAEP. In this case, the scenario described by Brian applies. Juraj On 03/14/2013 05:38 PM, Brian Campbell wrote: > But the integrity protected encryption happens using the key that's been > wrapped/encrypted using "RSA-OAEP" or "RSA1_5". That key needs to be > unwrapped/decrypted before any of the integrity checks even come into play, > which is where the attack takes place. So I don't see how the AEAD (or > composite AEAD like) algorithms help for preventing Bleichenbacher attacks > on RSA1_5 or BC attacks on RSA-OAEP to RSA1_5? > > (the general disclaimer correcting me, if I'm wrong, applies) > > > On Thu, Mar 14, 2013 at 11:48 AM, Mike Jones <Michael.Jones@microsoft.com>wrote: > >> I believe that these attacks are only possible on encryption without >> integrity, which in turn was only possible, because Nimbus-JWT continued to >> implement encryption algorithms without integrity protection. Someone >> should please correct me if I'm misunderstanding the situation. >> >> As most of you know, JWE now only allows authenticated encryption >> algorithms to be used, for reasons exactly such as these. >> >> -- Mike >> >> -----Original Message----- >> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of >> =JeffH >> Sent: Thursday, March 14, 2013 8:17 AM >> To: IETF JOSE WG >> Cc: Juraj Somorovsky >> Subject: [jose] backwards compatibility attack on JWT impls (was: I-D >> Action: draft-ietf-jose-json-web-algorithms-02.txt) >> >> back on Fri, 6 Jul 2012 Mike Jones said: >> > >> > Looking at this again, it seems to me that because JWE provides >> integrity > protection for the algorithm, it should be impossible for you >> to replace > "RSA-OAEP" with "RSA1_5" in the header because then the >> integrity check will > fail. Thus, the attack that you describe below is >> prevented by the integrity > protection of the header. >> > >> > Hence, correct JWE implementations do no provide the OAEP decryption >> oracle > that you describe. However if I'm missing something, please >> point it out to > me, since if there's an issue, I'd like to understand it >> and how to mitigate > it. >> >> just fyi/fwiw...apologies if this has already been followed up on, but I >> didn't find further discussion of this after the above-quoted msg... >> >> Juraj Somorovsky et al's NDSS-2013 "Backwards Compatibility (BC) attacks" >> paper [1] is now out, and it may help answer the above questions. There's >> also Kenny Patterson's talk [2] from the recent Workshop on Real-World >> Cryptography. >> >> It seems, from an admittedly cursory glance at both >> draft-ietf-jose-json-web-algorithms (-08) and the above paper/slides, that >> perhaps there should be more implementation advice and security >> considerations in (at least) the -json-web-algorithms spec. >> >> Here's some excerpts from the paper for context... >> ... >> In the public-key setting, we show how the well-known attack of >> Bleichenbacher [13] gives rise to a BC [Backwards Compatibility] attack >> that allows an attacker to decrypt ciphertexts of PKCS#1 v2.0 encryption in >> both XML Encryption [27] and JSON Web Encryption [42], and to forge >> signatures for arbitrary messages in XML Signature [30] and JSON Web >> Signature [41]. The attack principle is described in Section 4. We >> furthermore report on our experimental results, executed against the Java >> implementation of JSON Web Encryption and JSON Web Signature Nimbus-JWT >> [53], in Section 5.3. >> ... >> >> Platform for Experimental Analysis: We investigate the practicality and >> performance of our attacks on JWE and JWS by applying them to the >> Nimbus-JWT library [53]. Nimbus-JWT is a Java implementation of JSON Web >> Encryption (JWE) and JSON Web Signature (JWS), developed by NimbusDS to >> support their Cloud Identity management portfolio. >> >> Even though Nimbus-JWT claims to implement version 02 of the JWE standard >> draft, it still supports usage of AESCBC (without MAC), which was available >> in version 01, but not in version 02 or any subsequent versions. >> ... >> >> 5.2.3 Evaluation >> >> We evaluated performance of our attacks against both WSS4J and Nimbus-JWT. >> We first used the libraries to generate valid messages containing AES-GCM >> ciphertexts. Then we modified the algorithm parameters in the messages, >> forcing the receiver to process the ciphertexts using AES-CBC, and executed >> the attack described in Algorithm 1. The required ciphertext validity >> oracles were based on error messages generated by the libraries. >> ... >> >> Experimental Results. In order to assess the practicability and >> performance of the attack, we implemented Bleichenbacher’s attack on XML >> Encryption [13, 38] and applied it to the Nimbus-JWT library. The PKCS#1 >> v1.5 validity oracle was provided by exceptions thrown by this library.11 >> ... >> >> 11 In practice one would instead use the more elaborate attack techniques >> of [38] to determine whether a given ciphertext is PKCS#1 v1.5 valid. >> ... >> >> [13] D. Bleichenbacher. Chosen ciphertext attacks against protocols based >> on the RSA encryption standard PKCS#1. In H. Krawczyk, editor, Advances in >> Cryptology – CRYPTO’98, volume 1462 of Lecture Notes in Computer Science, >> pages 1–12. >> Springer, Aug. 1998. >> >> [38] T. Jager, S. Schinzel, and J. Somorovsky. Bleichenbacher’s attack >> strikes >> again: breaking PKCS#1 v1.5 in XML Encryption. In S. Foresti and M. Yung, >> editors, Computer Security - ESORICS 2012 - 17th European Symposium on >> Research in Computer Security, Pisa, Italy, September 10-14, 2012. >> Proceedings, LNCS. >> Springer, 2012. >> >> [53] Nimbus Directory Services. Nimbus JSON Web Token, May 2012. >> https://bitbucket.org/nimbusds/nimbus-jwt. >> >> ### >> >> [1] One Bad Apple: Backwards Compatibility Attacks on >> State-of-the-Art Cryptography >> >> http://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2013/03/08/BackwardsCompatibilityAttacks.pdf >> >> [2] Key Reuse: Theory and Practice >> http://crypto.stanford.edu/RealWorldCrypto/slides/kenny.pdf >> >> >> HTH, >> >> =JeffH >> >> >> >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose >> _______________________________________________ >> jose mailing list >> jose@ietf.org >> https://www.ietf.org/mailman/listinfo/jose >> >
- [jose] backwards compatibility attack on JWT impl… =JeffH
- Re: [jose] backwards compatibility attack on JWT … Mike Jones
- Re: [jose] backwards compatibility attack on JWT … Brian Campbell
- Re: [jose] backwards compatibility attack on JWT … Mike Jones
- Re: [jose] backwards compatibility attack on JWT … Justin Richer
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Brian Campbell
- Re: [jose] backwards compatibility attack on JWT … Richard Barnes
- Re: [jose] backwards compatibility attack on JWT … Richard Barnes
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Vladimir Dzhuvinov / NimbusDS
- Re: [jose] backwards compatibility attack on JWT … Peck, Michael A
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Richard Barnes
- Re: [jose] backwards compatibility attack on JWT … Manger, James H
- Re: [jose] backwards compatibility attack on JWT … Manger, James H
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky
- Re: [jose] backwards compatibility attack on JWT … Vladimir Dzhuvinov / NimbusDS
- Re: [jose] backwards compatibility attack on JWT … Manger, James H
- Re: [jose] backwards compatibility attack on JWT … Juraj Somorovsky