Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

Mike Jones <> Mon, 23 April 2018 17:53 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 001DD126BFD for <>; Mon, 23 Apr 2018 10:53:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.011
X-Spam-Status: No, score=-2.011 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id XjHdxYA3hwP8 for <>; Mon, 23 Apr 2018 10:53:28 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D8470124F57 for <>; Mon, 23 Apr 2018 10:53:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=xUfgvYPcX448z9IR7uNS4LTcsusaI/6fQGLWFxPcytk=; b=Gjg9S4wUWkpsbgrx+U+XgEOqgLbqmsymNeeckPvmdWgK8rXGL3KIAPvVLwldQ/jCTF0z2/TPSFIjMlCfuJOg9juGAGraYICo4QldTqBZszkS9YLpU+kDfSXVxCR8NGzw+wJFpaMUvA3OIFp2ZJVUxtBb7BR9BcR+yK3xychkot0=
Received: from (2603:10b6:4:9e::37) by (2603:10b6:4:9f::26) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.745.0; Mon, 23 Apr 2018 17:53:25 +0000
Received: from ([fe80::e0eb:d2f7:29c5:1a1b]) by ([fe80::e0eb:d2f7:29c5:1a1b%2]) with mapi id 15.20.0747.000; Mon, 23 Apr 2018 17:53:25 +0000
From: Mike Jones <>
To: Jim Schaad <>, 'Neil Madden' <>, 'David Adrian' <>
CC: "" <>
Thread-Topic: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
Thread-Index: AQHT2yI+vfumLsHVbkCu3qp7vd4JgaQOmQSAgAAGOlA=
Date: Mon, 23 Apr 2018 17:53:25 +0000
Message-ID: <>
References: <> <> <> <> <> <> <> <> <011201d3db27$a6275780$f2760680$>
In-Reply-To: <011201d3db27$a6275780$f2760680$>
Accept-Language: en-US
Content-Language: en-US
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2018-04-23T17:53:24.1317512Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic; Sensitivity=General
x-originating-ip: [2001:4898:80e8:6::36]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR00MB0312; 7:e9lLnLHtQiRcw7Ts2bQRbaY+prwaS5yvKrSM8a/f4yR10GA4e57zmro0in3etC1n3TZY8HHEPtXBabfBsqdIrdPCXv1s7zN1NECfV1EtHTylsSZxUYh6eUdecRHPunzpU1uJO3eHqTqmGhmP+8nOeY1d8lDuNPyPCwJhoUc2rLjpUIetouCunvoyXAYyB4tNxjTdCMBUnQryhyzHP7Ss5Zdww1KAqyAo9nhWdzEvy/KIxtH00jje+yULmk99j9lf; 20:Hr3TJ7tH/LfFszlI5LgCu7aIq7mCDQbKHqLDHJfaNflSylL1hgfUlaLwKwH6trsodb+k14cVV3PCmWPBed5dO+JFSLtZzDr9LHqMD94zn2rPnUO+rwW1YrQxZ/HEsYgnbTj7e8Wgb8V4xYz59TTNywrvbSfrUMyFv3kKs1kWwoM=
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7193020); SRVR:DM5PR00MB0312;
x-ms-traffictypediagnostic: DM5PR00MB0312:
authentication-results: spf=none (sender IP is );
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(158342451672863)(278428928389397)(166708455590820)(192374486261705)(85827821059158)(177329092695168);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(2017102700009)(2017102701064)(6040522)(2401047)(8121501046)(5005006)(2017102702064)(20171027021009)(20171027022009)(20171027023009)(20171027024009)(20171027025009)(20171027026009)(2017102703076)(3231232)(944501410)(52105095)(93006095)(93001095)(10201501046)(3002001)(6055026)(6041310)(20161123562045)(20161123564045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:DM5PR00MB0312; BCL:0; PCL:0; RULEID:; SRVR:DM5PR00MB0312;
x-forefront-prvs: 06515DA04B
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39380400002)(396003)(39860400002)(366004)(346002)(376002)(13464003)(99286004)(93886005)(55016002)(6246003)(22452003)(74316002)(59450400001)(305945005)(110136005)(52396003)(5660300001)(9686003)(8656006)(6506007)(7696005)(53546011)(76176011)(446003)(53936002)(2171002)(39060400002)(476003)(11346002)(4326008)(86362001)(6436002)(2900100001)(229853002)(316002)(102836004)(5250100002)(46003)(186003)(10090500001)(72206003)(3660700001)(966005)(8990500004)(25786009)(15650500001)(10290500003)(6116002)(81166006)(14454004)(6306002)(7736002)(478600001)(16799955002)(3280700002)(8676002)(8936002)(86612001)(33656002)(2906002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR00MB0312;; FPR:; SPF:None; LANG:en; MLV:ovrnspm; PTR:InfoNoRecords;
received-spf: None ( does not designate permitted sender hosts)
x-microsoft-antispam-message-info: MaWmglS5XkwuPEI7V4HT6ls31thxCObRTTdqX3PstPkoq0S7APgi3jMFhY/Dc4bYcuJ/pdSu6U8qvYt3AdWLwPqQj2wEc7O2gZyuMtzRbWf5AYDNa2lFBs9RI9MRgLkaDRHAanxT911Tx0eXcafclB3WZjbx6pC4B3+Ypkx2CfCRScp6FV8cU7m/sVGMuJeI
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 82ead046-c98b-4bca-1baa-08d5a9431d00
X-MS-Exchange-CrossTenant-Network-Message-Id: 82ead046-c98b-4bca-1baa-08d5a9431d00
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Apr 2018 17:53:25.5971 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR00MB0312
Archived-At: <>
Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 23 Apr 2018 17:53:31 -0000

As you know from being JOSE chair, Jim, there are numerous use cases for "alg":"none", and its inclusion in JOSE had widespread support.  Several people tried to kill it during standardization and the working group stood up for retaining it each time.  I can dig up the issuer tracker references if there is any doubt about this.

The last paragraph of JWS Section 5.2 Message Signature or MAC Validation says:
   Finally, note that it is an application decision which algorithms may
   be used in a given context.  Even if a JWS can be successfully
   validated, unless the algorithm(s) used in the JWS are acceptable to
   the application, it SHOULD consider the JWS to be invalid.

This isn't there just because of "none".  It's a general statement that applications need to ensure that acceptable algorithms are used.  Rejecting obsolete algorithms and/or algorithms not used by the application is just as important as rejecting "none" when used in an inappropriate context.  One could even argue that having "none" make it obvious to application writers that the algorithm MUST be checked, thereby increasing security.  Note that this point is also covered in the JWT BCP at

				-- Mike

-----Original Message-----
From: jose <> On Behalf Of Jim Schaad
Sent: Monday, April 23, 2018 10:22 AM
To: 'Neil Madden' <>om>; 'David Adrian' <>
Cc: 'Mike Jones' <>rg>;
Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

It would make sense for JOSE to add the same tests that are in COSE where the key type is required to be checked before the key value is used.  However, if one is only checking for trust based on the public key value, then one has more of a problem than this.  One should also be checking that the key type and exponent are also correct. 

I would be more than happy to shepherd through a draft which deprecates the signature value of none if somebody wants to write it.

> -----Original Message-----
> From: jose <> On Behalf Of Neil Madden
> Sent: Monday, April 23, 2018 9:43 AM
> To: David Adrian <>
> Cc: Carsten Bormann <>rg>;; Mike Jones 
> <>rg>;
> Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic 
> SEcurity TOkens
> > On 23 Apr 2018, at 14:44, David Adrian <> wrote:
> >
> > > If we have to invent a new standard each time an existing standard 
> > > is
> implemented with a security flaw, we have a lot of work to do.
> >
> > You fundamentally cannot fix a standard with unusable to the point 
> > of
> broken negotiation by extending the negotiation. If you don't want 
> PASETO to be a new standard, call it JOSEv3.
> I don’t believe that PASETO is actually fundamentally different from 
> JOSE in this respect. Is there a meaningful distinction between 
> v1.local.<token> and {“alg”:”v1.local”}.<token> ?
> One of the critical vulnerabilities historically in JOSE 
> implementations was [1], whereby if an implementation was using RSA 
> signed JWTs an attacker could get the server’s public key and use it 
> as if it was a HMAC key to produce a forged JWT with {“alg”:”HS256”} 
> in the header. If the JWT library just provided a verify(String jwt, 
> Key key) function then it might be tricked into using the attacker’s 
> choice of algorithm (HS256) with the server’s RSA public key and the JWT would validate. Oops!
> This flaw has been rightly criticised, including by the authors of 
> PASETO. Don’t let the attacker chose the algorithm!
> But wait, aren’t PASETO implementations potentially vulnerable to 
> *exactly the same vulnerability*?! If my server is set up to use 
> v2.public (Ed25519) signed PASETO tokens, what is to stop an attacker 
> grabbing my Ed25519 public key (which is a 32 byte value) and using it 
> to create a PASETO token using v2.local? Recall that v2.local takes a 
> 32 byte symmetric key. If the PASETO library just has a function 
> verify(String paseto, Key key) and looks at the header to decide how 
> to process the token, then it will have exactly the same vulnerability 
> that those JOSE libraries had. So how does PASETO the spec make this vulnerability less likely?
> Looking at the reference implementation [2], it seems that if the 
> library user didn’t set an allowed purpose then the only thing 
> stopping this is a type check on the public key class. In other words, 
> the implementor took extra safe-guards beyond those documented in the specification. Phew!
> Am I missing something here? As far as I can tell, the PASETO docs and 
> draft RFC don’t even mention this as a consideration. How is this better than JOSE?
> [1]
> libraries/
> [2] 
> Neil
> _______________________________________________
> jose mailing list

jose mailing list