IETF Logo Mail Archive

Re: [jose] JWS Unencoded Payload Option spec addressing shepherd comments

Mike Jones <Michael.Jones@microsoft.com> Thu, 19 November 2015 05:02 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 527DC1A87A8 for <jose@ietfa.amsl.com>; Wed, 18 Nov 2015 21:02:05 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JFt9f7J0gWRT for <jose@ietfa.amsl.com>; Wed, 18 Nov 2015 21:01:59 -0800 (PST)
Received: from na01-bl2-obe.outbound.protection.outlook.com (mail-bl2on0129.outbound.protection.outlook.com [65.55.169.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F4231A87A4 for <jose@ietf.org>; Wed, 18 Nov 2015 21:01:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=wYxsDGVHCpLq+ZcrZ8z0udSkuITTNlksP/sUBGJ+lN4=; b=EYw/DPNBycmkbPK2Uqp0T2f8PfFQZrK+Y1ZZ2Re/kCDU+GElukM/L1aJmQyuWMsODzWm6mlHupOOu3tl6d3YkXWILbjyX8CLa4FHlhcGLaRxGyOqlr1HyHmy3fPJN/7tHuhwv90VZPug1CPIvS8evYr9/yNfs5hLGmM7yVtd3oQ=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB443.namprd03.prod.outlook.com (10.141.141.152) with Microsoft SMTP Server (TLS) id 15.1.325.17; Thu, 19 Nov 2015 05:01:55 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0325.019; Thu, 19 Nov 2015 05:01:55 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: Jim Schaad <ietf@augustcellars.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] JWS Unencoded Payload Option spec addressing shepherd comments
Thread-Index: AdEc3/UJsudnK/vcQjS75uKgE1sFMAAuO+sAAAbXIRABNL7eYA==
Date: Thu, 19 Nov 2015 05:01:55 +0000
Message-ID: <BY2PR03MB442B469373BE8014B88045FF51B0@BY2PR03MB442.namprd03.prod.outlook.com>
References: <255B9BB34FB7D647A506DC292726F6E13BB1CDF231@WSMSG3153V.srv.dir.telstra.com> <00d001d11d98$e53a4210$afaec630$@augustcellars.com> <BY2PR03MB442B3196D61036BF11286DEF5110@BY2PR03MB442.namprd03.prod.outlook.com>
In-Reply-To: <BY2PR03MB442B3196D61036BF11286DEF5110@BY2PR03MB442.namprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.85.157]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB443; 5:9NgUmLzy21BMnUN6sEr0phsSNjGFplUT1QlWj1tz9yfwQD1XDdCudJXXAjLZRy82in7/oTrp3bU5cOCrusaHLgFzCdB8iu/8FDbMBW6HIKx9mK1mXPl5OTkDGfeAU+o+VQWMxjntbXtGc2ktsSS4+Q==; 24:mnkbI71SRfLC9jAor0Pg0zC06HjpuG376OJDQ9w+l2Yfz/GOYgZFjStOMxtKpZeXzixnqxHGJejms80klM6aBHZEJO5DaUHzC0YAHMNkTQo=; 20:MIwCuL6pTNA3eklkroRG2FykOtGuyTpgcQidbACHlBogQyhMddn/jP/2u2cmBkikINUtPTFuooy5kYMSbhOwGA==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB443;
x-microsoft-antispam-prvs: <BY2PR03MB443ED431926E7C35D0AA0B6F51B0@BY2PR03MB443.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(189930954265078)(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(520078)(5005006)(8121501046)(10201501046)(3002001)(61426024)(61427024); SRVR:BY2PR03MB443; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB443;
x-forefront-prvs: 07658B8EA3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(209900001)(189002)(55674003)(199003)(52604005)(377454003)(122556002)(2501003)(5005710100001)(19609705001)(92566002)(586003)(10290500002)(10400500002)(5008740100001)(8990500004)(76576001)(10090500001)(50986999)(33656002)(101416001)(15975445007)(16236675004)(5003600100002)(76176999)(19625215002)(2950100001)(87936001)(77096005)(2900100001)(106356001)(105586002)(99286002)(81156007)(189998001)(5002640100001)(74316001)(54356999)(19300405004)(5004730100002)(66066001)(19617315012)(86362001)(5001960100002)(5007970100001)(19580395003)(40100003)(11100500001)(97736004)(5001770100001)(3846002)(790700001)(86612001)(107886002)(102836003)(6116002)(19580405001)(5001920100001)(6606295002); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB443; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB442B469373BE8014B88045FF51B0BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Nov 2015 05:01:55.1912 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB443
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/__EHU-T-_x1qNYlCS2UDn0XjTts>
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing shepherd comments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Nov 2015 05:02:05 -0000

The security considerations have been reworked in the manner that you suggested, using an example supplied by James.  Thanks to both of you for your diligence.

                                                            -- Mike

From: Mike Jones
Sent: Thursday, November 12, 2015 5:50 PM
To: 'Jim Schaad'; jose@ietf.org
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing shepherd comments

OK, I can take a stab at rewriting it that way.

It's not that I think there isn't ever a problem but I do think that there are lots of real cases in which there's only a problem if the producer is intentionally creating a JWS designed to confuse - in which case the producer is an attacker.  Do see any other cases in which there is a problem to address other than when the producer is intentionally emitting "b64":true but signing as if "b64" was false?

The current security considerations text was intended to do a case analysis of when there is and isn't a problem, breaking things down by who implements the extension and who doesn't.  In my analysis, if the recipient rejects a signature that it doesn't understand, I didn't consider that a security problem.  Do you agree with that?

While, yes, in retrospect I wish we'd talked about in person too, in fairness, I did write to the list in my November 2nd note that "I will add the thoughts above to the Security Considerations section", and that's what I did, keeping the factual content, but attempting to change the tone from e-mail conversational to factual.

But I'll try it your way instead, while also keeping the case analysis where appropriate.  In the meantime, please let me know your thoughts on the two questions I asked above.

                                                            -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Thursday, November 12, 2015 2:24 PM
To: Mike Jones; jose@ietf.org
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing shepherd comments

Mike,

I wish that we had talked about this last week at the F2F meeting.

This does not read like a security consideration, it read like an email that is sent to the list saying that there is nothing to talk about here and it can be completely ignored.  If that is the way that you feel about this, you need to get census that there is no problem and kill the text.

How I would approach writing this consideration is as follows:


1.       Describe what the problem is.  While both James and I provided one scenario that was easy to understand, it should not be thought of as the only case that there is a problem.  The basic description of the problem is that there are now two different strings that will generate the same signature value, without there being a weakness in the hash algorithm.

2.      Describe the set of things that can be done to address this problem.

a.      Use the "crit" parameter

b.      Use a profile of the application that states there is only one possible value

c.      Make sure that all implementations support the b64 parameter

Jim





From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Manger, James
Sent: Wednesday, November 11, 2015 4:21 PM
To: Mike Jones <Michael.Jones@microsoft.com<mailto:Michael.Jones@microsoft.com>>; jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing shepherd comments

Mike, thanks for trying to explain with a page of Security Considerations the ambiguity arising since existing (OLD) JWS implementations will silently ignore the "b64":false signal.

It is still wrong. The extra text starts by saying "there is no security problem... since the signature will fail" when "b64":false is ignored, but then ends by saying "crit":["b64"] is necessary when "b64":false is ignored. It cannot be both!

   There is no security problem if a JWS correctly created using "b64"
   with a "false" value is received by an implementation not supporting
   the "b64" Header Parameter, since the signature will fail to verify
   and the JWS will therefore be rejected.
  ...
   Only if the application dynamically switches between "false" and
   "true" values for "b64" (something NOT RECOMMENDED in Section 6),
   would it be necessary for the application to require the use of
   "crit" with a value of "["b64"]" in such application contexts.


The signature can, in fact, still verify when "b64":false is ignored - giving the verifier the wrong content.
We could have chosen a different signing input to avoid all ambiguity, but decided against that (as it was aesthetically nice to keep a lower-layer invariant somewhere inside JWS implementations of signing-up-to-the-2nd-dot).
We could have required "crit":["b64"], but would prefer to avoid the extra handful of bytes (and probably aren't that confident that everyone implements "crit" properly anyway).
We could leave it to users to avoid the ambiguity at higher layers by having totally separate contexts that do & don't use "b64":false, trying to help them get it right with advice about "application profiles", "application context", a "NOT RECOMMENDED", and 5 extra Security Considerations paragraphs (though what "application" means here is not that clear).

To me, this is a design failure.



The extra text about trust is dangerous.

   If the trust established by
   verifying the signer's key does not actually establish that the
   creator is a trusted party, then this case in which JWS libraries
   supporting and not supporting the extension may respectively
   interpret the attacker's payload as being encoded or unencoded is the
   least of the application's worries.

CAs issuing certificates to millions of HTTPS web sites (used to verify the signer's key) absolutely DO NOT establish that the creator (web site) is a trusted party, merely what the creator's name is. Misinterpreting what a signer means is bad regardless of trust.

--
James Manger


From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Mike Jones
Sent: Thursday, 12 November 2015 2:37 AM
To: jose@ietf.org<mailto:jose@ietf.org>
Subject: [jose] JWS Unencoded Payload Option spec addressing shepherd comments

Draft -04 of the JWS Unencoded Payload Option specification addresses the shepherd comments.  Thanks to Jim Schaad for his careful review.  The primary change was adding additional security considerations text, including describing when "crit" should be used.

The specification is available at:

*         https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-04

An HTML formatted version is also available at:

*         http://self-issued.info/docs/draft-ietf-jose-jws-signing-input-options-04.html

                                                                -- Mike

P.S.  This note was also published at http://self-issued.info/?p=1474 and as @selfissued<https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2ftwitter.com%2fselfissued&data=01%7c01%7cmichael.jones%40microsoft.com%7c3a69db7b8b6c4d47da0f08d2937a3d82%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=ggurSMkRVW%2bR8Nv93Mnbsf16CmVGqfjB9lW8SV5gAKM%3d>.

v2.23.0 | Report a Bug | By Email