IETF Logo Mail Archive

Re: [jose] JWS Signing of HTTP attachments

Sergey Beryozkin <sberyozkin@gmail.com> Mon, 15 May 2017 12:43 UTC

Return-Path: <sberyozkin@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 11A2C129541 for <jose@ietfa.amsl.com>; Mon, 15 May 2017 05:43:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OpgmVx_W64-B for <jose@ietfa.amsl.com>; Mon, 15 May 2017 05:43:38 -0700 (PDT)
Received: from mail-wm0-x244.google.com (mail-wm0-x244.google.com [IPv6:2a00:1450:400c:c09::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5DF0129B4B for <jose@ietf.org>; Mon, 15 May 2017 05:39:28 -0700 (PDT)
Received: by mail-wm0-x244.google.com with SMTP id d127so28142949wmf.1 for <jose@ietf.org>; Mon, 15 May 2017 05:39:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=UtkE1E2LFLIm8UrGdTV7Lo4YR3xlE302dErXlZtN/Eg=; b=L0uPfAvIU0pg34dJRffbWoZq/CDJof+5PU7MF0QZczIeWid0quC2D+BM1/UGLGKVMP iq7JvzouTZ1lCrgq+YWARLpVMwIlYwOUX58SUH1rr6EZNk5vrS29a3iYFoOD9nQJCdd5 mYfG5pPJkDkZgTaV6OyJTEFqBXzu0uPPbMkwg6LZQm9Odrn+k9hXQPoeps3I96nN+AGA 0Wu/QYco3YibLjsJDeYhutginBkXCsYjeudfBJ9icBtRt8R+vn1QeRtgXEFWfolUwZVA 9EuXiw3z8TDZk1MMRHF3R/TzoSmHnRd2hqDYhP18vKGj/MYo87j7rZLpL4zSFIQt9vkI lfyw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=UtkE1E2LFLIm8UrGdTV7Lo4YR3xlE302dErXlZtN/Eg=; b=oeRXJm7Ms1aDsUaQI0jLiVt7dqxkUZrwZHto0nHFL0qTkfqt03VU1QLz7iOxKx/REm FVG/gP/Q+dFxiVUtEAoxaJSfQETcV6yVIsrMDxqw43Bhg2H6k1ua1cEn7wjXH0mQA+PA 7kILJc4RJNj6PAQhOaOjrntWI7RgdsECdA+GjE1Thhtz6sGvB3Rphgpur0xSM4sB1iQg rI1dpbGBC/046HGZoJD7eS+STFlxP7YJsqVKkuR54wg4aueOEK3QcR3MIR8BlkGKaoum jZCFskcp5K/jfHEoJIMt1jU7GnxQKXY5c49fyG61QlvyhSR0JdKTvgypio73sHLBp6pn PYGQ==
X-Gm-Message-State: AODbwcBhNM1zVDBHfIxNfO83FlY/iKHQMdO4vtXEJlKDGsgZeUHAmEOu pDrGB09FB0DYEA==
X-Received: by 10.223.173.74 with SMTP id p68mr3833494wrc.163.1494851967181; Mon, 15 May 2017 05:39:27 -0700 (PDT)
Received: from [10.36.226.98] ([80.169.137.53]) by smtp.googlemail.com with ESMTPSA id 30sm8782789wrp.6.2017.05.15.05.39.25 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 May 2017 05:39:25 -0700 (PDT)
To: Jim Schaad <ietf@augustcellars.com>, 'Ilari Liusvaara' <ilariliusvaara@welho.com>
References: <33ea6034-2e07-59dc-0561-58b45dfeefe7@gmail.com> <20170512155248.GA30318@LK-Perkele-V2.elisa-laajakaista.fi> <ee972cc0-3ada-1304-d62e-2e92f84629e4@gmail.com> <014001d2cb3f$3bbbfe80$b333fb80$@augustcellars.com> <d7559110-28d5-74c1-065c-c1d2b60e173b@gmail.com>
Cc: jose@ietf.org
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <0f7ca1ad-6f25-5191-1475-c3ccfb40f9a2@gmail.com>
Date: Mon, 15 May 2017 13:39:25 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <d7559110-28d5-74c1-065c-c1d2b60e173b@gmail.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/IwJAXA-YJQ446bt4AYBL7Cxe4D8>
Subject: Re: [jose] JWS Signing of HTTP attachments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 May 2017 12:43:41 -0000

I've implemented the optional buffering of the attachment streams on 
receiving end, and prototyped the following text, I don't have the 
experience to drive it further, nor do I expect it to make it to the 
draft stage, but I thought I'd type in some prototype.

Thanks, Sergey

Using Json Web Signature (JWS) to sign HTTP Multipart payloads

Abstract.

JSON Web Signature (JWS) represents content secured with digital
signatures or Message Authentication Codes (MACs) using JSON-based
data structures, with the content being optionally detached [RFC7515].
The content can also be secured without it being Base64URL-encoded 
[RFC7797].
HTTP Multipart payloads are HTTP messages constructed according to HTTP 
multipart
media type rules [RFC1341]. This specification describes how HTTP 
multipart payloads
can be signed using JWS With Detached and Unencoded Content mechanism.

Introduction.

HTTP Multipart data structure, in combination with JWS With Detached and 
Unencoded Content mechanism,
can provide for the end to end integrity protection of HTTP Multiparts.

The sender of such secured payloads will stream and have no need to 
buffer the data while the receiver may optionally continue
streaming the data (see Security Considerations).

Implementation.

Implementations supporting this specification will need to intercept 
HTTP Multipart write and read processes.

When request or response attachment parts are about to be submitted to 
the HTTP Multipart serialization provider, JWS Multipart Output Filter 
initializes a JWS Signature object which can dynamically build up a 
signature. Next every parts's output stream is replaced with the 
filtering output stream which updates the signature object on every 
write operation. Finally this multipart filter adds one more attachment 
part to the list of the attachments to be written - this part holds a 
reference to JWS Signature. When this last part is written, JWSSignature 
produces the signature bytes which are encoded using either JWS Compact 
or JWS JSON format, with the detached and unencoded content already 
being pushed to the output stream.

When the attachment parts are about to be read by the Multipart 
deserialization provider, their signature carried over in the last part 
will need to be verified. Just before the parts are about to be read in 
order to be made available to the application code, JWS Multipart Input 
Filter checks the last part and initializes a JWS Verification Signature 
object which can dynamically build up a signature. Next for every 
attachment but the last one it replaces the input stream with the 
filtering input stream which updates the signature verification object 
on every read operation. Once all the data have been read it compares 
the calculated signature with the received signature.

Example.

JWS-signed HTTP Multipart payload captured on the wire

Security Considerations.

Using JWS to validate Detached Content implies that the content and the 
signature have been obtained
via the different channels with the receiver starting the signature 
verification process once both the
data and the signature have been received.

In the case of this specification the references to the attachment data 
can become available to the receiving code
before the data have been validated, with the data read process failing 
to complete in case of the signature verification failure.

However, if, as part of the read process, the receiver copies the data 
to the medium which can pro-actively interpret the copied bytes,
example, the client receiver copies the data to the embedded browser 
window, then, in order to avoid the side-effects, the receiver of signed 
HTTP multipart payload MUST buffer and validate the multipart data first 
before making it available to the application code.

References.

https://tools.ietf.org/html/rfc7515
https://tools.ietf.org/html/rfc7797
http://www.w3.org/Protocols/rfc1341/7_2_Multipart.html

See also:

https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-09


On 12/05/17 20:14, Sergey Beryozkin wrote:
> Hi,
>
> On 12/05/17 17:45, Jim Schaad wrote:
>>
>>
>> -----Original Message-----
>> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Sergey Beryozkin
>> Sent: Friday, May 12, 2017 9:04 AM
>> To: Ilari Liusvaara <ilariliusvaara@welho.com>
>> Cc: jose@ietf.org
>> Subject: Re: [jose] JWS Signing of HTTP attachments
>>
>> Thanks for the initial feedback. I'm not following at the moment how
>> any of
>> these attacks can affect it. Perhaps I'll need to work on making it more
>> obvious how it is all implemented.
>>
>> It is simply a concrete implementation of JWS with Detached Content.
>> The content is written out and by the time it's finished the JWS payload
>> will be finished and will accompany this content.
>>
>> On the receiving end the verification provider will be instantiated (with
>> the proper care, example, the server will not support the dynamic
>> verification provider selection process - i.e - will be expected to
>> process
>> only RSA or HMAC etc signatures). Once this provider is available it will
>> then get all the data which is being read passing through the
>> verification
>> process and finally compare the signatures
>>
>> [JLS] To be clear here, the question that is being asked is - are we
>> going
>> to show content to the user, and perhaps start executing script,
>> before we
>> have finished verifying the signature.  This is normal for browsers as
>> they
>> do incremental display as things are processed.  And then, what
>> happens to
>> the display if the signature fails to verify.
>
> Right, I understand what the concern is, thanks.
>
> I believe this is a general security issue to be considered for JWS With
> Detached Content - the secured data and their signature have reached the
> destinations via the different channels, where the data has already been
> obtained (possibly read completely), and now is passed to the JOSE
> library to verify the data are still OK.
>
> I guess it should be noted that JWS With Detached Content should be used
> with care when it is expected that the data will be made available to
> the user's display or similar. Perhaps I'll send another email to keep
> the issue tracked ?
>
> For my project I think I'll introduce an optional (possibly enabled by
> default) buffering of the attachments on the receiving end - so it will
> be 50%  (sender-only) streaming friendly in this case :-).
>
> FYI my primary goal has been to ensure the client application, Java
> based or browser-based, can post the secured attachments to the HTTP
> service - say a service will need to copy InputStream to the disk - in
> this case, even though the code will access the stream immediately, the
> copy process will fail to complete, etc. I suspect it could be
> acceptable in some cases especially if the task is to protect 1MB.etc
> attachments.
>
> However I do understand that if such data are started immediately acted
> upon before the read process is even complete, either on the server, or
> especially on the UI-aware client side then there could be the
> side-effects and as I noted I'll optionally support the caching of the
> attachment parts before they are submitted to the service code.
>
> Thanks very much, Sergey
>>
>>
>>
>> Cheers, Sergey
>>
>> On 12/05/17 16:52, Ilari Liusvaara wrote:
>>> On Fri, May 12, 2017 at 01:59:21PM +0100, Sergey Beryozkin wrote:
>>>> Hi All,
>>>>
>>>> I've experimented in our project with having HTTP attachment parts
>>>> protected using JWS with Detached Content and Unencoded Payload options
>> [1].
>>>>
>>>> This approach appears to be quite effective to me. It also appears to
>>>> me that the data as shown in the example at [1], can, in principle,
>>>> be produced and processed by any HTTP stack that can work with
>>>> multiparts, assuming a JOSE library supporting the detached and
>>>> unencoded content is also available.
>>>>
>>>> I'd appreciate if the experts could comment on 1) do you see some
>>>> weaknesses in the proposed approach and 2) can someone see a point in
>>>> drafting some text around it (I can contribute if it is of interest) ?
>>>
>>> It look from the text that the implementation can produce output
>>> before the entiere signature (or tag in case of encryption) has been
>> verified.
>>> This is very dangerous if so.
>>>
>>>
>>> Then there are the standard attacks against JOSE (the JOSE library
>>> must not be vulernable to these):
>>>
>>> - The JWS HMAC versus signature confusion
>>> - The JWE ECDH-ES invalid curve attack.
>>>
>>>
>>> -Ilari
>>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>

v2.23.0 | Report a Bug | By Email