Re: [jose] Secdir review of draft-ietf-jose-json-web-signature-31

Richard Barnes <rlb@ipv.sx> Fri, 12 September 2014 21:51 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80D2F1A00F8 for <jose@ietfa.amsl.com>; Fri, 12 Sep 2014 14:51:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePL_SicEUh_m for <jose@ietfa.amsl.com>; Fri, 12 Sep 2014 14:51:21 -0700 (PDT)
Received: from mail-la0-f41.google.com (mail-la0-f41.google.com [209.85.215.41]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA45E1A0035 for <jose@ietf.org>; Fri, 12 Sep 2014 14:51:20 -0700 (PDT)
Received: by mail-la0-f41.google.com with SMTP id s18so1780868lam.28 for <jose@ietf.org>; Fri, 12 Sep 2014 14:51:19 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=grfJkGKJsHYDbQ9yihBjigcFrGpHwerdbWSq2PjzV3Q=; b=iEjMABwWiad2AcChZJ3TD7gOzVd4p8oNceZXk7CN7mnMYG2iG54BpUZfPYWgoGJhzr vyCcvbsQ/msImSlEWjWyWH83RF6dYbPS3zUM5y1Bg2QhltfdLA+W7KbNAdezPY7Usvv7 dDRPNvmgLTeVGQXvnUsyMVy5JC23ctm7Tr3G9Ll1ChgHf41ZJMGH3r+t15qn/pSG8WFa yimaJ27KOlshTLQHnX5AbXpsOsKqxdF0oRvf8HXbJjpz7WmptIukwdG4ybDt/6PI3oib TMESzj1BfNua3foJr56IjqAuBJCReuToTi206l0bPmQEmOWrK3zimNHcGHcfOH2XA597 e6uQ==
X-Gm-Message-State: ALoCoQlBhIiZVpVxNCVbeEY4X3Mw3dWpfz8pezKMoDrZA3ZEc7dkfYR8oKbH5ogHZ9OyrrKVdBoe
MIME-Version: 1.0
X-Received: by 10.112.53.199 with SMTP id d7mr6356580lbp.106.1410558679025; Fri, 12 Sep 2014 14:51:19 -0700 (PDT)
Received: by 10.25.159.84 with HTTP; Fri, 12 Sep 2014 14:51:18 -0700 (PDT)
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439AE9DD47@TK5EX14MBXC292.redmond.corp.microsoft.com>
References: <21512.21725.209461.976375@fireball.kivinen.iki.fi> <4E1F6AAD24975D4BA5B16804296739439AE9DD47@TK5EX14MBXC292.redmond.corp.microsoft.com>
Date: Fri, 12 Sep 2014 17:51:18 -0400
Message-ID: <CAL02cgSsi603XL2o4S89pAw64yLv0JRZaDg823uiyuTkm02AHA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a1133d09eff9f140502e548e3"
Archived-At: http://mailarchive.ietf.org/arch/msg/jose/Zp6A4ZN-IxJKU49KtT4hF0nQR4I
Cc: "ietf@ietf.org" <ietf@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, Tero Kivinen <kivinen@iki.fi>, "iesg@ietf.org" <iesg@ietf.org>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature.all@tools.ietf.org" <draft-ietf-jose-json-web-signature.all@tools.ietf.org>
Subject: Re: [jose] Secdir review of draft-ietf-jose-json-web-signature-31
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Sep 2014 21:51:25 -0000

On Fri, Sep 5, 2014 at 8:56 PM, Mike Jones <Michael.Jones@microsoft.com>
wrote:

>  Thanks for the useful review, Tero.  I’ve cc’ed the working group to
> make them aware of the contents of your review.  Also, Richard Barnes,
> please see a request for a reply from you on one issue below.  Replies are
> inline below…
>
>
>
> -----Original Message-----
> From: Tero Kivinen [mailto:kivinen@iki.fi]
> Sent: Thursday, September 04, 2014 5:03 AM
> To: iesg@ietf.org; secdir@ietf.org; ietf@ietf.org;
> draft-ietf-jose-json-web-signature.all@tools.ietf.org
> Subject: Secdir review of draft-ietf-jose-json-web-signature-31
>
>
>
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.
> These comments were written primarily for the benefit of the security area
> directors.  Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
>
>
> Summary: This document has issues.
>
>
>
> This document is part of the jose-json document set, and describres the
> JSON Web Signatures.
>
>
>
> The security considerations section includes text which says:
>
>
>
>    The entire list of security considerations is beyond the scope of
>
>    this document, but some significant considerations are listed here.
>
>
>
>
>
> but also lists quite a lot of security considerations. I think the
> security considerations covering this document should be in scope with the
> document. Of course there are generic security considerations which might
> be outside the scope of this document, but I do not think we need to
> explictly mention those.
>
>
>
> Several reviewers have objected to this sentence.  Its removal is planned.
>
>
>
> Also, additional security considerations will be described in the process
> of resolving Russ Housley’s gen-art review comments.
>
>
>
> I have following issues about the draft:
>
>
>
>    1) "alg" and Protected Header
>
>
>
>    2) Hash inside "alg" and inside the signature
>
>
>
>    3) There is no explict warning about the "alg" "none".
>
>
>
>    4) Thumbprint formats
>
>
>
> There is also following nit:
>
>
>
>    5) Terminology ordering.
>
>
>
> ----------------------------------------------------------------------
>
>
>
> 1) "alg" and Protected Header
>
>
>
> Question: Shouldn't the "alg" header parameter be protected by the
> signature, i.e. wouldn't it make sense to say MUST be in the "Protected
> Header"?
>
>
>
> If it is part of the "Unprotected Header" and is not protected by the
> signature, that would allow all kind of attacks, i.e. changing the "alg" to
> be "none" or changing the hash algorithm of the signature.
>
>
>
> If it should be part of the "Protected Header" then that would mean that
> "Proteced Header" cannot be empty, as "alg" is mandatory header parameter,
> and MUST be present.
>
>
>
> There are several cases where the text indicates that "Protected Header"
> could be empty, which would mean that "alg" could be part of the
> "Unprotected Header". (Section 5.1, 4. bullet; section 7.2, "protected"
> element and other places in same section). In all examples the "alg" is
> always in the "Proteced Header".
>
>
>
> I think the draft needs text saying something about the situation where
> "alg" is not in "Protected Header" in the security sections section. I.e.
> either say, that it has been analyzed that there is no problem even when
> the "alg" is not protected, and reference to such analysis, or otherwise
> add text/warning that it MUST/SHOULD be in the "Protected Header". I do not
> know enough about the proposed signature algorithms to know which one is
> true, especially as there might be new algorithms in the future.
>
>
>
> Richard Barnes, do you want to answer this one?  You were the primary
> advocate for allowing the algorithm to be unprotected in the JSON
> Serialization.
>
>
>
> As I recall, the motivation had to do with the fact that, by default, CMS
> does not protect the algorithm (although it was later extended to enable it
> to be protected).  Some others in the working group thought that having
> unprotected algorithms was a bad idea, in line with your comment above.
>
The only need for protection of the "alg" value is to prevent algorithm
substitution attacks, as discussed in RFC 6211.
https://tools.ietf.org/html/rfc6211

These attacks are fairly limited in their applicability, since they require
that:
 * The attacker is able to compute an input that is valid for the signature
using a different, weaker algorithm
 * The attacker's input is valid according to whatever application rules
are being applied
 * A relying party will accept the weaker algorithm

Given all those criteria, it seems reasonable that some signers might
regard algorithm substitution attacks as an acceptable risk.  For example,
in an application that set explicit minimum algorithm requirements (e.g.,
SHA-3 only!), there may be no risk of a relying party accepting the weaker
algorithm.  Or the application payload might have low enough entropy that
it's impossible to find a valid forged input.

And if an application is concerned about algorithm substitution attacks, it
can protect itself by including the algorithm in the payload, as X.509 does.

I would be happy to have some advisory text in the security considerations,
but I don't think this rises to the level of SHOULD/MUST.

--Richard



>
>
> --
>
>
>
> 2) Hash inside "alg" and inside the signature
>
>
>
> Also in some cases the signature itself has the hash function stored
> internally, i.e. RSASSA-PKCS1-V1_5 contains the hash function oid inside
> the signature, so what should the implementation do if the "alg" parameter
> outside the signature does not match the oid inside the signature? I.e the
> signature using "alg" of "RS256", but inside the signature the oid is using
> the "SHA1". Most crypto libraries will just take the oid from the
> signature, and use that to verify the message. Adding some description what
> to do in such situation would be needed.
>
>
>
> I think there’s some confusion here, since the JWS spec does not use any
> OIDs or ASN.1 for signatures.  Rather, the cryptographic operations to be
> performed are fully specified by the “alg” value and the signatures are
> represented as base64url encoded octet sequences representing the signature
> values produced by the signature algorithms.
>
>
>
> --
>
>
>
> 3) There is no explict warning about the "alg" "none".
>
>
>
> In the section 5.2 it says that "at least one signature ... MUST
> successfully validate", but that does not limit alg "none" out from it.
> I.e. if the application policy is to "one signature needs to validate", and
> it gets JWS that has "none" as one of the algorithms, then it will accept
> it.
>
>
>
> I think there should be warning here or in the security considerations
> section about the "none" algorithm, especially as the algorithm itself is
> defined in the different draft (perhaps just reference to the section 8.5
> of the [JWA] draft).
>
>
>
> This warning is present in the spec where the algorithm is defined –
> specifically
> http://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-31#section-8.5.
> (Note that the working group decided to define algorithms in a separate
> spec than the ones in which they are used.)
>
>
>
> Also note that it is up to applications which algorithms are acceptable in
> a given context – not just “none” but also other algorithms that might be
> deprecated or inappropriate for some other reason.  Unless the signature
> algorithm used is acceptable to the application, it should not accept the
> JWT.
>
>
>
> --
>
>
>
> 4) Thumbprint formats
>
>
>
> Section 4.1.7 and 4.1.8 defines a x5t and x5t#S256 thumbprints, but those
> are over the whole certificate.
>
>
>
> With the thumbprints, it has been noted lately, that quite often it is
> more useful to use the hash of the SubjectPublicKeyInfo object of the
>
> X.509 certificate, than the full X.509 certificate. This method has been
> used in the raw public key methods (draft-ietf-tls-oob-pubkey,
> draft-kivinen-ipsecme-oob-pubkey), and also in the DANE (it has two options
> one for the full certificate and another for the SubjectPublicKeyInfo
> object of the certificate).
>
>
>
> Using hash of the SubjectPublicKeyInfo object allows changing the
> certificate without invalidiating the certificates, i.e. when changing CAs,
> or switching from SHA1 to SHA2 in certificates, or just renewing the
> certificate. It also allows using raw public keys which do not have defined
> X.509 certificate format, but which can be converted to the
> SubjectPublicKeyInfo object when calculating the thumbprints. This is very
> important in the Internet of Things type of things, which might not be
> using the full X.509 certificates.
>
>
>
> This thumbprint definition matches existing practice in commonly used
> software packages.  For instance, both openssl and Windows use certificate
> thumbprints of this kind.
>
>
>
> That being said, there’s nothing preventing another specification from
> defining a different thumbprint calculation over the SPKI information and a
> header parameter used to represent it.  The header parameters are
> extensible via a registry.
>
>
>
> --
>
>
>
> 5) Terminology ordering.
>
>
>
> Terminology is not in any order. It would be useful to have it either in
> logical order (i.e. define terms before they are used), or in alphabetical
> order.
>
>
>
> Now for example the "JWS Protected Header" is used before it is defined in
> the "JWS Signature", and "Header Paramater" is between "JWS Signature" and
> "JWS Protected Header", also "JWS Signature" uses both "JWS Payload" and
> "JWS Protected Header", and one of those is defined before and one after
> the "JWS Signature".
>
>
>
> The terms are listed in top-down order, with related terms grouped
> together.  Thus “JSON Web Signature” is first, the members that make up a
> JWS object are listed together in the order that they appear in a JWS,
> etc.  That being said, I’ll plan to review the orderings and make sure that
> they consistently follow those ordering rules.
>
>
>
> --
>
> kivinen@iki.fi
>
>
>
>                                                                 Thanks
> again,
>
>                                                                 -- Mike
>
>
>