IETF Logo Mail Archive

Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption

John Bradley <ve7jtb@ve7jtb.com> Sun, 12 February 2012 19:58 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B39521F8636 for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 11:58:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.599
X-Spam-Level:
X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D1ql9XbfNXdF for <jose@ietfa.amsl.com>; Sun, 12 Feb 2012 11:58:38 -0800 (PST)
Received: from mail-gx0-f172.google.com (mail-gx0-f172.google.com [209.85.161.172]) by ietfa.amsl.com (Postfix) with ESMTP id 3152721F8617 for <jose@ietf.org>; Sun, 12 Feb 2012 11:58:38 -0800 (PST)
Received: by ggnq2 with SMTP id q2so2419275ggn.31 for <jose@ietf.org>; Sun, 12 Feb 2012 11:58:37 -0800 (PST)
Received: by 10.236.124.2 with SMTP id w2mr16856170yhh.83.1329076717728; Sun, 12 Feb 2012 11:58:37 -0800 (PST)
Received: from [192.168.1.213] (186-107-148-253.baf.movistar.cl. [186.107.148.253]) by mx.google.com with ESMTPS id a38sm16613848ana.17.2012.02.12.11.58.34 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 12 Feb 2012 11:58:35 -0800 (PST)
Mime-Version: 1.0 (Apple Message framework v1257)
Content-Type: multipart/signed; boundary="Apple-Mail=_3596B670-D134-432A-A8B7-B30C473FFF56"; protocol="application/pkcs7-signature"; micalg="sha1"
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <193BB50D-89DF-43DD-93A1-9483217BC5A1@gmail.com>
Date: Sun, 12 Feb 2012 16:58:28 -0300
Message-Id: <0BBBE883-7C70-4A7D-979C-A11418ED91F5@ve7jtb.com>
References: <193BB50D-89DF-43DD-93A1-9483217BC5A1@gmail.com>
To: Matthew Green <matthewdgreen@gmail.com>
X-Mailer: Apple Mail (2.1257)
X-Gm-Message-State: ALoCoQkDuvPx2dShAk8zbmHZ9M2HvcYRMqyZYwNdbBUyuUIegqzO6rwa/MznTqxlatXX8MS/+I0N
Cc: jose@ietf.org
Subject: Re: [jose] comments on draft-jones-json-web-signature and draft-jones-json-web-encryption
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 12 Feb 2012 19:58:39 -0000

While it would be nice to have GWC on all platforms it is not currently.   openssl is a prime culprit at the moment.  

So totally removing AES-CBC is not practical.  

We have discussed adding MAC integrity to CBC in the next draft.   

The question is should CBC be allowed without integrity.   Personally I would be on the no side of that question.

I don't yet have a sense of the WG on that question.  I do think there is consensus on adding a integrity check to CBC as a preferred option.

John B.


On 2012-02-12, at 4:23 PM, Matthew Green wrote:

> I'm apologize for stepping into this conversation so late. I recently came across the draft-jones-json-web-encryption spec, and I was surprised to see that it doesn't explicitly mandate the use of authenticated encryption. This seems extremely dangerous to me, and I was hoping I could convince this group to reconsider.
> 
> Many of my concerns were already raised by David McGrew in a post he wrote back in November.* David cites most of the academic literature on padding oracle attacks, which are an efficient class of attacks that can be leveraged against unauthenticated encryption modes used in online systems. I wanted to add that this problem is hardly academic. Padding oracle attacks are easy to implement (I've had undergrads code them as an assignment), and there are toolkits available to help people run them on most systems. Moreover, they're almost impossible to defend on without some sort of authentication. This authentication would be provided via an AEAD mode like GCM, or through use of a MAC.
> 
> Probably the most relevant example is Jager and Somorovsky's recent attack against the 2002 W3C XML Encryption standard (as implemented in JBoss and Axis2), which serves almost the same purpose as json-web-encryption. Given all the press that attack received, I think would be particularly unfortunate to have this brand new standard fall to same sort of attack.
> 
> I understand that the standard gives the /option/ to use authenticated encryption (GCM mode) or unauthenticated CBC-mode. What's missing, I think is the appropriate warning to non-expert implementers. I would phrase it along these lines:
> 
> * If you choose to implement this specification using unauthenticated encryption (CBC mode), your ciphertexts will be vulnerable to simple attacks that lead to complete plaintext recovery. Therefore, we do not recommend the use of CBC mode in any application where message confidentiality is critical to system security.
> 
> On the other hand, why should you ever have to write something like that into an encryption standard? It seems like the proper solution would be to simply remove the CBC option altogether.
> 
> Regards,
> 
> Matt Green
> 
> * http://www.ietf.org/mail-archive/web/jose/current/msg00304.html
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email