[jose] Re: Do you need the JWP JSON Serialization?

Neil Madden <neil.e.madden@gmail.com> Fri, 09 August 2024 07:00 UTC

Return-Path: <neil.e.madden@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85679C151525 for <jose@ietfa.amsl.com>; Fri, 9 Aug 2024 00:00:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.213
X-Spam-Level:
X-Spam-Status: No, score=-1.213 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, MIME_HTML_ONLY=0.1, MIME_HTML_ONLY_MULTI=0.001, MIME_QP_LONG_LINE=0.001, MPART_ALT_DIFF=0.79, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Bmj4cPop72Ly for <jose@ietfa.amsl.com>; Fri, 9 Aug 2024 00:00:49 -0700 (PDT)
Received: from mail-lj1-x22f.google.com (mail-lj1-x22f.google.com [IPv6:2a00:1450:4864:20::22f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BA205C14F6E8 for <jose@ietf.org>; Fri, 9 Aug 2024 00:00:49 -0700 (PDT)
Received: by mail-lj1-x22f.google.com with SMTP id 38308e7fff4ca-2eea0cbc96bso1657981fa.2 for <jose@ietf.org>; Fri, 09 Aug 2024 00:00:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1723186848; x=1723791648; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=YZl7qlKxZocX792ADapJIQuGIWHANPGdSVj3Y+e4j50=; b=ESPO4tYLgBH1JLD7KlV6jg2BPc7yy+BzuOdE9T2AYivbRZfDQro6SWNEP+XyFXs2PI EYbTMkkSOzhRUPOB5KReqOxQEsc3reoqQdKII/DhIN7zRzH/fE8NFhvf94uV4Q8CCwzr PIdgF94RioNRGS1JAuLzUlrPZWzo2ip2CgfwrWl6TXVpp7nlyPLOq0gSmofrNRjg8lOb ztO8/9DSWDEuFB8JGRq36jzPyK+6q3CktAE+thYj8DGS9hebmk9YgGHFIE7fTh+mcZ4T Y6NWMK8WnDYVWqNKFlI3sgr3ZOVZfzX8JkkeSlMPsTZLYDJmJy9vX4BtDOztRlpy2zMG qelQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1723186848; x=1723791648; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=YZl7qlKxZocX792ADapJIQuGIWHANPGdSVj3Y+e4j50=; b=O7A7JxnmIM3y1pVsg2cE6NZH8RPsa4rYENGODRSgOTBaK9WTHGZppYBg/Ds3DLgXJb i27cM0BaUkrl5z8aLkuNVvuZBzHahdyQpTeIqTXKVRPi1CRT4TtNMjKnAoXhInzGnoII Dqig5LQYXuQY+ypL9vz5YbOLr2u/WYif92iUpeDccYeNF7lRgh5KEmivkAY02Ms3Y9aO W6RM4ORDIASjjN94E7VkBd5pLsjDg+Qw0I+hSdBCulkOdabEldEH1Ad42lwQwQn982Qs 4+ddKqq2vOVDzWKq4TLoOQVPgabguaO2TmrdM5vDFt+nLlkVjsTgInMYZCm7RXEh/MCD 4VmQ==
X-Forwarded-Encrypted: i=1; AJvYcCWoIlkzSEsgsxI3449DHQ36ZBhspP+jqztzOPTr6rfrChTuZcc8b4myqF27fzAvdMjPZz40@ietf.org
X-Gm-Message-State: AOJu0Yx55N/DAayaVXHViB5b1mefwJiTvxxp8AV1E5Jfit7rt2QFPUUw 8a8LxFFVuLK7ytat4XiRLTHy/+efHon93h4loEOKKQKiYbc+EvOaas+5sQ==
X-Google-Smtp-Source: AGHT+IH4I5b1tY5zn/OqfTYasBhnpy/jKAQT6zFysumz/9UqrW6IMaEj0ZuUnotVJUpjGoUJXRTweA==
X-Received: by 2002:a05:651c:221c:b0:2ef:29fc:f950 with SMTP id 38308e7fff4ca-2f1a6cecf6dmr2799251fa.6.1723186846990; Fri, 09 Aug 2024 00:00:46 -0700 (PDT)
Received: from smtpclient.apple (250.205.115.87.dyn.plus.net. [87.115.205.250]) by smtp.gmail.com with ESMTPSA id 5b1f17b1804b1-4290c779d1csm60369115e9.34.2024.08.09.00.00.46 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Fri, 09 Aug 2024 00:00:46 -0700 (PDT)
From: Neil Madden <neil.e.madden@gmail.com>
X-Google-Original-From: Neil Madden <Neil.E.Madden@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail-1EF211A7-9D99-4466-94C2-1E181F7880B9"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (1.0)
Date: Fri, 09 Aug 2024 08:00:35 +0100
Message-Id: <D1EB7404-573A-46F2-A7D5-EC72E917F24C@gmail.com>
References: <CAN8C-_JeE=RCsw4VhMT85DOVwyxvs4PCDHWQOOh-WENVt=CbPg@mail.gmail.com>
In-Reply-To: <CAN8C-_JeE=RCsw4VhMT85DOVwyxvs4PCDHWQOOh-WENVt=CbPg@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
X-Mailer: iPhone Mail (21F90)
Message-ID-Hash: KVYD4HOAXFJVDAYTYEGH4TWMN3DICVGB
X-Message-ID-Hash: KVYD4HOAXFJVDAYTYEGH4TWMN3DICVGB
X-MailFrom: neil.e.madden@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-jose.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Brian Campbell <bcampbell@pingidentity.com>, jose@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [jose] Re: Do you need the JWP JSON Serialization?
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/_z6w4UzXgvqVp-NP_JbSXxRCafs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Owner: <mailto:jose-owner@ietf.org>
List-Post: <mailto:jose@ietf.org>
List-Subscribe: <mailto:jose-join@ietf.org>
List-Unsubscribe: <mailto:jose-leave@ietf.org>



On 8 Aug 2024, at 23:34, Orie Steele <orie@transmute.industries> wrote:

On Thu, Aug 8, 2024 at 3:26 PM Neil Madden <neil.e.madden@gmail.com> wrote:


On 8 Aug 2024, at 20:44, Orie Steele <orie@transmute.industries> wrote:


That only applies to "SD-JWT+KB"

I don’t think so, otherwise SD-JWT would not be secure. The signature covers the claims, which includes the hashes of all the disclosures. Thus the disclosures are all protected (cannot be altered/forged) and immutable. 

In SD-JWT (without +KB) the Issuer's signature covers the claims which include hashes of the disclosures, that is true.

The order of ~ separated stuff is not secured ... because that stuff is not included in the claims.

What security property do you think is being violated here?

There could also be extra stuff that appears to be disclosures, but is actually not in the issuer SD-JWT.
See: https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-5.3.1" rel="nofollow">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-5.3.1



[..]

Unless I am mistaken, there is no ordering requirement for the SD-JWT without key binding, so the disclosures are mutable, until the holder makes them immutable by applying key binding:

They are an unordered set, so this “mutability” is irrelevant. 

Exactly, they are unordered, and unsecured (they are outside of the JWT).

This is not what unsecured means. 


See https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-8.1" rel="nofollow">https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-10#section-8.1

"""
If any digest value is encountered more than once in the Issuer-signed JWT payload (directly or recursively via other Disclosures), the SD-JWT MUST be rejected.
If any Disclosure was not referenced by digest value in the Issuer-signed JWT (directly or recursively via other Disclosures), the SD-JWT MUST be rejected.
"""

This means it is possible for an adversary to cause an SD-JWT without key binding to be rejected, by dropping or adding properties... in between the issuer and the holder, before the key binding token is even possible to produce.

This is trivially possible in any signature/MAC scheme: the crypto detects modifications it doesn’t prevent them.

With apologies to Lea Kissner: cryptography is a tool for turning confidentiality and integrity threats into denial of service threats. 


The only way to know if this is the case as a holder is to perform the validation steps in 8.1 on the issuer signed SD-JWT (without KB) before considering attempting to use it.
This property is ensured by: "The Holder or the Verifier MUST perform the following (or equivalent) steps when receiving an SD-JWT..."
In case of the General JSON Serialization, there are multiple unprotected headers (one per signature). If present, disclosures and kb_jwt, MUST be included in the first unprotected header and MUST NOT be present in any following unprotected headers.
"""

In SD-JWT JSON Serialization, disclosures and kbt are transmitted in unprotected headers... You need to process them carefully as described in section 8.1, in order to be assured that they have not been tampered with.

I’m not sure what you’re arguing here. There are things you have to do to validate any signature scheme. If you don’t do them, the security properties don’t apply. (If you want to discuss more misuse-resistant APIs, we can do that). 

In SD-JWT Compact serialization, disclosures and kbt are transmitted as concatenated strings... You need to process them carefully as described in section 8.1, in order to be assured that they have not been tampered with.

The major difference between these 2 approaches is that there is no ability to include "other" unprotected material in the jwp compact serialization... this property is unique to JOSE compact serializations, because they cannot express unprotected headers.
COSE / CWP will not have this problem... assuming it follows conventions.

I think JOSE / JWP would be improved if support for unprotected headers was consistent in both compact and json.

I don’t think this follows at all from your arguments. 

— Neil