IETF Logo Mail Archive

Re: [jose] backwards compatibility attack on JWT impls (was: I-D Action: draft-ietf-jose-json-web-algorithms-02.txt)

"Juraj Somorovsky" <juraj.somorovsky@rub.de> Wed, 27 March 2013 07:36 UTC

Return-Path: <juraj.somorovsky@rub.de>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3906A21F900B for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 00:36:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.249
X-Spam-Level:
X-Spam-Status: No, score=-6.249 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OkLvP5SXQ5-Z for <jose@ietfa.amsl.com>; Wed, 27 Mar 2013 00:36:50 -0700 (PDT)
Received: from mx4.rz.ruhr-uni-bochum.de (mi.ruhr-uni-bochum.de [134.147.64.53]) by ietfa.amsl.com (Postfix) with SMTP id 1CE8821F8FFB for <jose@ietf.org>; Wed, 27 Mar 2013 00:36:49 -0700 (PDT)
X-Queued: (qmail 12374 invoked by alias); 27 Mar 2013 07:36:49 -0000
X-Queued: (qmail 12359 invoked from network); 27 Mar 2013 07:36:49 -0000
Received: from c2-3-4.rz.ruhr-uni-bochum.de (134.147.64.5) by mx4.rz.ruhr-uni-bochum.de with SMTP; 27 Mar 2013 07:36:49 -0000
X-Queued: (qmail 19350 invoked by uid 281); 27 Mar 2013 07:36:48 -0000
X-Qmailscanner: from 134.147.40.78 (7Cil8M2CiUxUH/PRCe4KGA==@134.147.40.78) by c2-3-4.rz.ruhr-uni-bochum.de (envelope-from <juraj.somorovsky@rub.de>, uid 80) with qmail-scanner-2.01 (sophie: 3.05/3.37/4.83. Clear:RC:1(134.147.40.78):. Processed in 0.072953 secs); 27 Mar 2013 07:36:48 -0000
Received: from jontop.nds.ruhr-uni-bochum.de (HELO ?134.147.40.78?) (7Cil8M2CiUxUH/PRCe4KGA==@134.147.40.78) by c2-3-4.rz.ruhr-uni-bochum.de with (DHE-RSA-CAMELLIA256-SHA encrypted) SMTP; 27 Mar 2013 07:36:48 -0000
Date: Wed, 27 Mar 2013 08:36:45 +0100
Message-ID: <5152A18D.5040504@rub.de>
From: Juraj Somorovsky <juraj.somorovsky@rub.de>
To: "Manger, James H" <James.H.Manger@team.telstra.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130308 Thunderbird/17.0.4
MIME-Version: 1.0
References: <20130325070200.cc40c4f3d92d2001859047cd8cabb9ab.b714da08bb.wbe@email07.europe.secureserver.net> <51505BFA.7080100@rub.de> <255B9BB34FB7D647A506DC292726F6E1150BE3C5A5@WSMSG3153V.srv.dir.telstra.com> <5150E950.5060301@rub.de> <255B9BB34FB7D647A506DC292726F6E1150BEFF2FC@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E1150BEFF2FC@WSMSG3153V.srv.dir.telstra.com>
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Mailman-Approved-At: Thu, 28 Mar 2013 08:03:32 -0700
Cc: IETF JOSE WG <jose@ietf.org>, Vladimir Dzhuvinov / NimbusDS <vladimir@nimbusds.com>
Subject: Re: [jose] backwards compatibility attack on JWT impls (was: I-D Action: draft-ietf-jose-json-web-algorithms-02.txt)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2013 07:36:51 -0000

On 03/26/2013 02:30 AM, Manger, James H wrote:
>>>> 	SecretKey randomCMK = AES.generateAESCMK(keyLength);
>>>>
>>>> 	try {
>>>> 		cmk = RSA1_5.decryptCMK(privateKey, encryptedKey.decode(),
>>>> keyLength);
>>>> 	} catch (Exception e) {
>>>> 		// Protect against MMA attack by generating random CMK on
>> failure,
>>>> 		// see http://www.ietf.org/mail-
>>>> archive/web/jose/current/msg01832.html
>>>> 		cmk = randomCMK;
>>>> 	}
>>>> }
>>>>
> For a start the fixes need to be much lower down where the PKCS#1 padding is first handled, not way up the stack were you see an exception vs a normal return.
> 
> The Go language appears to have code with decent protections to avoid leaking crucial timing details: http://golang.org/src/pkg/crypto/rsa/pkcs1v15.go.
> 
> The Java code I found in a quick search (sun.security.rsa.RSAPadding#unpadV15) makes no effort to be constant time. I doubt there is anything (reasonable) that can be done at a higher layer (such as com.nimbusds.jose.crypto.RSA1_5) to make RSAES-PKCS1-V1_5 safe with that foundation.
> [http://grepcode.com/file/repository.grepcode.com/java/root/jdk/openjdk/7-b147/sun/security/rsa/RSAPadding.java#RSAPadding.unpadV15%28byte%5B%5D%29]
Such countermeasures are very precise, but are also very difficult to
implement. I do not think they are necessary to implement against the
state-of-the art timing attacks. I would say the countermeasure that I
presented is enough and would thwart practical Bleichenbacher timing
attacks.

Regards
Juraj

v2.23.0 | Report a Bug | By Email