Re: [jose] encrypting AND signing a token
<Axel.Nennker@telekom.de> Mon, 05 November 2012 21:11 UTC
From: Axel.Nennker@telekom.de
To: dick.hardt@gmail.com
Date: Mon, 05 Nov 2012 22:10:57 +0100
Cc: jose@ietf.org
Subject: Re: [jose] encrypting AND signing a token

I am using an RP that uses an openid-url scheme to let the Android App know the openid connect object.

openid://?response_type=id_token&client_id=https://gabunomi.net/seminar/callback.html&request=header.payload.signatur&state=50982a45f0ec1&nonce=50982a45f12ab

The id_token is returned to the RP in a fragment.

https://server/callback.html#id_token=signed-then-encrypted-id_token

I did not test the size limits but it worked for an id_token with claims email, display name and picture url.
Inside is a user_jwk with a public key. The corresponding private key is used to sign the id_token. It is unique per RP.

The algs used are RSA1_5 and A256CBC+HS256.

I don't know whether I can name the RP's url here. Maybe its owner wants to do that. The RP is currently moving to another domain. I guess it is public after the move.

Axel

-----Original Message-----
From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt
Sent: Monday, November 05, 2012 8:47 PM
To: Nennker, Axel
Cc: Michael.Jones@microsoft.com; jose@ietf.org; dick.hardt@gmail.com
Subject: Re: [jose] encrypting AND signing a token

Thanks Axel. Nice to know the implementation I am working on is not the only one.

Do you know what algorithm is being used for signing and encrypting in deployments?

The implementation I am working on passes the token using a custom scheme in iOS and Android. I am concerned about the token size, but don't know the limits.

-- Dick

On Nov 5, 2012, at 6:57 AM, <Axel.Nennker@telekom.de> wrote:

> An OpenID Connect self-issued token is a signed and then encrypted id_token using JWS then JWE.
> Because the audience is part of the id_token the re-encryption issue is not valid in this case.
> The signed-and-encrypted JWT is then transported to the RP as a URL fragment.
>
> I have not hit any url length limits on Android but saving some bytes through a combined signed-and-encrypted-format would be good.
>
> -----Original Message-----
> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt
> Sent: Sunday, November 04, 2012 8:56 PM
> To: Jim Schaad
> Cc: 'Mike Jones'; jose@ietf.org; 'Dick Hardt'
> Subject: Re: [jose] encrypting AND signing a token
>
> Thanks Jim. An interesting historical reference.
>
> In my use case, who signed or who the token is for is not a secret. The payload needs to be kept a secret.
>
> Does no one sign and encrypt SAML tokens?
> Is this not a common use case?
>
> If it does need to be solved, it would seem to me that a standards body would be the place to have lots of eyes look at how to sign and encrypt a token so that people do not do naive sign and encrypt.
>
> Q: does anyone else need to sign and encrypt?
>
> -- Dick
>
> On Nov 4, 2012, at 10:24 AM, "Jim Schaad" <ietf@augustcellars.com> wrote:
>
>> <personal>
>>
>> I would note that the original PKCS#7 specifications had a mode that
>> provided a similar sign and encrypt as a single operation mode. When the
>> PKCS#7 specifications were adopted by the IETF as part of the CMS
>> work, this mode was discussed and very deliberately dropped because
>> of numerous security problems that had been found. These included
>> (but are not limited to) the fact that it was signed or who signed it
>> was sometimes a security leak. Also there were attacks where the signed
>> and encrypted mode could be converted to just an encrypted mode.
>>
>> I would think that there would be a need for a very detailed security
>> analysis that we are not prepared to do in order to support a signed
>> and encrypted mode.
>>
>> Jim
>>
>>> -----Original Message-----
>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt
>>> Sent: Friday, November 02, 2012 12:30 PM
>>> To: Mike Jones
>>> Cc: jose@ietf.org
>>> Subject: Re: [jose] encrypting AND signing a token
>>>
>>> Not only is my original token increasing in size by 4/3, I am also
>>> adding another header, payload and signature.
>>>
>>> One of the objectives of JWT was to enable compact tokens. It would
>>> seem that we should be able to support both signing and encryption
>>> of the same token.
>>>
>>> All the encryption use cases I can think of involving asymmetric keys
>>> would also require signing with the sender's private key.
>>>
>>> My suggestion is to be explicit in what the algorithm etc. is used for:
>>>
>>> Rather than "alg" and "enc", we have:
>>>
>>> "algs" - algorithm for token signing
>>> "algk" - algorithm for content management key encryption
>>> "alge" - algorithm for payload encryption
>>>
>>> Similarly,
>>>
>>> "kids" - key id for signing
>>> "kidk" - key id for content management key encryption
>>>
>>> We could probably make these three or even two letter codes if you
>>> want to save a couple bytes.
>>>
>>> -- Dick
>>>
>>> On Nov 2, 2012, at 8:46 AM, Mike Jones <Michael.Jones@microsoft.com> wrote:
>>>
>>>> The way you put it brings one straightforward solution to mind. Solve 1-3
>>>> with a JWE. Solve 4-5 by signing the JWE as a JWS payload. Done.
>>>>
>>>> I do understand that the 4/3 space blowup of double base64url encoding
>>>> the JWE motivates your earlier proposal about nested signing. (See Dick's
>>>> 10/29/12 message "[jose] signing an existing JWT".) I also understand that if
>>>> you could do integrity with the asymmetric signature then the
>>>> integrity provided by the JWE itself may be redundant. I don't have
>>>> a specific proposal on how to do that.
>>>>
>>>> -- Mike
>>>>
>>>> -----Original Message-----
>>>> From: jose-bounces@ietf.org [mailto:jose-bounces@ietf.org] On Behalf Of Dick Hardt
>>>> Sent: Friday, November 02, 2012 8:22 AM
>>>> To: jose@ietf.org
>>>> Subject: [jose] encrypting AND signing a token
>>>>
>>>> I am trying to figure out how to implement JWT/JWS/JWE to solve a real
>>>> world problem.
>>>>
>>>> 1) Bob sends a token to Charlie via Alice. (Alice gets token from
>>>> Bob and then Alice gives token to Charlie)
>>>> 2) Alice must be prevented from reading the token. (token needs to be
>>>> encrypted)
>>>> 3) Bob and Charlie can share a symmetric key.
>>>>
>>>> I can solve this with JWE.
>>>>
>>>> Now let's add another condition.
>>>>
>>>> 4) Charlie wants non-repudiation that Bob created the token.
>>>> 5) Bob has a private key and a public key
>>>>
>>>> I don't see how to do this using JWE. It seems I have to sign the same token
>>>> I had previously with JWS. This seems inefficient since I should be able to
>>>> replace the JWE integrity computation done with the symmetric key
>>>> with the private key -- but the "alg" parameter is the same in both
>>>> encrypting and signing.
>>>>
>>>> Now let's expand this to replacing the symmetric key with a public/private
>>>> key pair for encryption. Bob encrypts with Charlie's public key and signs with
>>>> Bob's private key (we also need to make sure we are not doing naive
>>>> encryption and signing here, would be really useful to specify what needs
>>>> to be done there). Now we need to have parameters for both
>>>> public/private key pairs in the header.
>>>>
>>>> Am I missing something here?
>>>>
>>>> Seems like we can do this if we change the header parameters to specify if
>>>> they ("alg", "kid", etc.) are for token signing, payload encryption or content
>>>> key encryption.
>>>>
>>>> -- Dick
>>>>
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
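
Added example, not part of the original thread or of any implementation mentioned in it: a Node.js illustration of the check behind the remark that the audience inside the signed id_token addresses the re-encryption issue. The recipient decrypts the outer JWE, verifies the inner JWS, and rejects a token whose `aud` is not its own identifier. It assumes ES256 for the inner JWS and RSA-OAEP with A256GCM for the outer JWE instead of the RSA1_5 and A256CBC+HS256 named in the thread; all keys, identifiers and claims are constructed for the demo.

```javascript
const crypto = require("node:crypto");
const b64u = (x) => Buffer.from(x).toString("base64url");
const unb64u = (s) => Buffer.from(s, "base64url");
// Inner layer: compact JWS signed with the issuer's private key (ES256).
function signJws(claims, issuerPriv) {
  const input = b64u(JSON.stringify({ alg: "ES256" })) + "." + b64u(JSON.stringify(claims));
  const sig = crypto.sign("sha256", Buffer.from(input), { key: issuerPriv, dsaEncoding: "ieee-p1363" });
  return input + "." + b64u(sig);
}
// Outer layer: compact JWE whose plaintext is the whole JWS string (sign-then-encrypt).
function encryptJwe(jws, recipientPub) {
  const hdr = b64u(JSON.stringify({ alg: "RSA-OAEP", enc: "A256GCM", cty: "JWT" }));
  const cek = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", cek, iv).setAAD(Buffer.from(hdr));
  const ct = Buffer.concat([c.update(jws, "utf8"), c.final()]);
  const ek = crypto.publicEncrypt(recipientPub, cek); // OAEP is Node's default padding
  return [hdr, b64u(ek), b64u(iv), b64u(ct), b64u(c.getAuthTag())].join(".");
}
function decryptJwe(jwe, recipientPriv) {
  const [hdr, ek, iv, ct, tag] = jwe.split(".");
  const cek = crypto.privateDecrypt(recipientPriv, unb64u(ek));
  const d = crypto.createDecipheriv("aes-256-gcm", cek, unb64u(iv)).setAAD(Buffer.from(hdr)).setAuthTag(unb64u(tag));
  return Buffer.concat([d.update(unb64u(ct)), d.final()]).toString("utf8");
}
// Recipient: decrypt, pin the signature alg, verify the issuer, then require aud === own id.
function acceptToken(jwe, myPriv, myId, issuerPub) {
  const [h, p, s] = decryptJwe(jwe, myPriv).split(".");
  if (JSON.parse(unb64u(h).toString()).alg !== "ES256") return { accepted: false, reason: "unexpected alg" };
  const key = { key: issuerPub, dsaEncoding: "ieee-p1363" };
  if (!crypto.verify("sha256", Buffer.from(h + "." + p), key, unb64u(s)))
    return { accepted: false, reason: "bad signature" };
  const claims = JSON.parse(unb64u(p).toString());
  if (claims.aud !== myId) return { accepted: false, reason: "audience mismatch" };
  return { accepted: true, claims };
}
// Constructed scenario: Bob issues for Charlie; Charlie re-encrypts Bob's JWS to Dave.
function demo() {
  const bob = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const rsa = () => crypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  const charlie = rsa(), dave = rsa();
  const jws = signJws({ iss: "bob", aud: "https://charlie.example", email: "user@example.com" }, bob.privateKey);
  const toCharlie = encryptJwe(jws, charlie.publicKey);
  // The signature still verifies after re-encryption; only the aud check stops the forward.
  const forwarded = encryptJwe(decryptJwe(toCharlie, charlie.privateKey), dave.publicKey);
  const check = (jwe, who, id) => acceptToken(jwe, who.privateKey, id, bob.publicKey);
  return { charlie: check(toCharlie, charlie, "https://charlie.example"),
           dave: check(forwarded, dave, "https://dave.example"),
           jwsLength: jws.length, jweLength: toCharlie.length };
}
```

`demo()` also returns the lengths of the inner JWS and the outer JWE, which makes the 4/3 growth from the second base64url encoding discussed in the thread visible.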