IETF Logo Mail Archive

Re: [jose] Towards a More Secure JOSE Standard

Justin Richer <jricher@mit.edu> Wed, 29 March 2017 18:23 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E399212778D for <jose@ietfa.amsl.com>; Wed, 29 Mar 2017 11:23:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHZrq3KUyYYL for <jose@ietfa.amsl.com>; Wed, 29 Mar 2017 11:22:53 -0700 (PDT)
Received: from dmz-mailsec-scanner-8.mit.edu (dmz-mailsec-scanner-8.mit.edu [18.7.68.37]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 51E031292FD for <jose@ietf.org>; Wed, 29 Mar 2017 11:22:52 -0700 (PDT)
X-AuditID: 12074425-62bff70000001350-d2-58dbfb7b1753
Received: from mailhub-auth-2.mit.edu ( [18.7.62.36]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 92.AF.04944.B7BFBD85; Wed, 29 Mar 2017 14:22:51 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-2.mit.edu (8.13.8/8.9.2) with ESMTP id v2TIMo6P027857; Wed, 29 Mar 2017 14:22:50 -0400
Received: from [192.168.1.71] (104-182-133-163.lightspeed.cicril.sbcglobal.net [104.182.133.163]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id v2TIMljU005579 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Wed, 29 Mar 2017 14:22:49 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <FCF428D5-9FF5-460D-8C54-D148177A38F9@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_43069A7D-907E-40F7-B1A5-28974F62E1A2"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Wed, 29 Mar 2017 13:22:46 -0500
In-Reply-To: <CAKws9z0UxAFynhW1jf34VARyV82VHVEwhg4E4rcyMMtSGeHj4w@mail.gmail.com>
Cc: jose@ietf.org
To: Paragon Initiative Enterprises Security Team <security@paragonie.com>
References: <CAKws9z0UxAFynhW1jf34VARyV82VHVEwhg4E4rcyMMtSGeHj4w@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFmphleLIzCtJLcpLzFFi42IRYrdT0a3+fTvCYPdhdos1a7qZLB50rGJx YPJYsuQnk8f1Rs8Apigum5TUnMyy1CJ9uwSujMkrXzMV3CmqONf/nLmB8WhqFyMnh4SAicTD V9eYuhi5OIQE2pgkPn3rZYRwNjJKnHoyEypzj0ni17c2dpAWNgFVielrWphAbF4BK4mZUw+y gdjMAkkSR/avZYGI60vMPnMJzBYWMJdo33mcFcRmAep9sXcJWD2nQKDEpRlLmSB6BSUmPd7A CGKLCHhKnNowBywuJBAgcXvzAnaIU2Ul3v5awjyBkX8WknWzkKyDiGtLLFv4mhnC1pTY370c i7iGROe3iawLGNlWMcqm5Fbp5iZm5hSnJusWJyfm5aUW6Vro5WaW6KWmlG5iBAe2i+oOxjl/ vQ4xCnAwKvHwVqy9HSHEmlhWXJl7iFGSg0lJlPeEIVCILyk/pTIjsTgjvqg0J7X4EKMEB7OS CK/WJ6Acb0piZVVqUT5MSpqDRUmcV1yjMUJIID2xJDU7NbUgtQgmK8PBoSTBG/ALqFGwKDU9 tSItM6cEIc3EwQkynAdo+MOfIMOLCxJzizPTIfKnGBWlxHlFQJoFQBIZpXlwvaDEk7GtdfEr RnGgV4R5o0GqeIBJC677FdBgJqDB4ja3QAaXJCKkpBoYfXKuPgj78WzamsqPbsV9uUmHLzwW feVofGttr6uljs6CWeu1W3tv9E+b3/bs+bEFzilCQj+/ddu+evpJZmO5BuMBM/vuNb7O1ode 7Tk1aU/sEyE2XRbllJ9uKvZ8D4MitvXW+vQ73rVknPUjlsEx2mBiJJfXXNd1hYvTtLMq2x52 PbSokpNRYinOSDTUYi4qTgQAFZt4ThcDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/HCO1UxeJWbD4lVSF3-Da4wL2lTg>
Subject: Re: [jose] Towards a More Secure JOSE Standard
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 18:23:03 -0000

If the problem is substituting “alg: RS256” with “alg: HS256” or the like, how is that any different from substituting “mode: ps” with “mode: sa”? There have been some reasonable arguments for removing the algorithm selection from the JOSE package, but this proposal doesn’t do that. Instead, it simply defines *new* headers for algorithm selection. Ergo, unless I’m missing a key point here, this is just kicking things down the road a little bit.

 — Justin

> On Mar 29, 2017, at 11:19 AM, Paragon Initiative Enterprises Security Team <security@paragonie.com> wrote:
> 
> Hello,
> 
> We've outlined some suggestions to make a JOSE replacement/upgrade more secure. Our suggestions are outlined at https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03 <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03>, but I have mirrored them below.
> 
> Changes to JOSE that will prevent insecurity
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#deletions>Deletions
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#jws-and-jwe>JWS and JWE
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#drop-the-alg-header>Drop the alg header
> 
> Neither JOSE users nor JOSE library designers should be required to understand cryptography primitives. At a lower level, this can lead to badly implemented primitives <http://www.cryptofails.com/post/70059600123/saltstack-rsa-e-d-1>. On a higher level, this can lead to reasoning by lego <http://www.cryptofails.com/post/121201011592/reasoning-by-lego-the-wrong-way-to-think-about>.
> 
> For all the reasons outlined here <https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid> and here <https://storify.com/jcuid/thomas-h-ptacek-don-t-use-json-web-tokens>, the alg header (and algorithm agility in its entirety) should be considered harmful.
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#jwe>JWE
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#drop-the-enc-header>Drop the enc header
> 
> For the same reason we're dropping the alg header, we should drop the enc header.
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#consider-dropping-the-zip-header>Consider dropping the zip header
> 
> As we've seen with CRIME <https://en.wikipedia.org/wiki/CRIME> and BREACH <http://breachattack.com/>, as well as this error oracle attack against iMessage <https://blog.cryptographyengineering.com/2016/03/21/attack-of-week-apple-imessage/>, compression can introduce side-channels that totally undermine confidentiality.
> 
> This one is less of a hard-and-fast requirement to make JOSE secure, but I still strongly recommend it.
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#additions>Additions
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#jws-and-jwe-1>JWS and JWE
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#new-header-ver-version>New header: ver (version)
> 
> Instead of letting library developers and users mix-and-match cryptography algorithms, the only choice they should be given is, "Which version are we using?" Versions can look like this:
> 
> Version 1:
> HMAC-SHA256 for shared-key authentication
> AES-128-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for shared-key encryption
> RSA-OAEP with MGF1-SHA256 and e=65537 + AES-128-CBC in KEM+DEM for public-key encryption, min. key size: 2048-bit
> RSASSA-PSS with MGF1-SHA256 and e=65537 for public-key digital signatures, min. key size: 2048-bit
> Version 2:
> HMAC-SHA256 for shared-key authentication
> AES-256-GCM for shared-key encryption
> ECDH over secp256r1 (NIST P-256) + AES-256-GCM for public-key encryption
> Libraries must verify that the point is on the curve
> ECDSA over secp256r1 (NIST P-256), adhering to RFC 6979 (deterministic ECDSA), for public-key digital signatures
> Version 3:
> HMAC-SHA512-256 for shared-key authentication
> As per NaCl, this is HMAC-SHA-512 truncated to 256 bits, not HMAC-SHA-512/256.
> Xsalsa20poly1305 for shared-key encryption
> X25519 + Xsalsa20poly1305 for public-key encryption
> Ed25519 for public-key digital signatures
> Libraries that support version 3 SHOULD NOT support version 1.
> 
>  <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#new-header-mode>New header: mode
> 
> Only four options (case-insensitive):
> 
> se = Shared-key Encryption
> sa = Shared-key Authentication
> pe = Public-key Encryption
> ps = Public-key digital Signatures
>  
> ​Kind regards,
> 
> Security Team
> Paragon Initiative Enterprises <https://paragonie.com/security>_______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email