Re: [jose] #27: member names MUST be unique needs additional text
Richard Barnes <rlb@ipv.sx> Thu, 27 June 2013 22:56 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E75811E8115 for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 15:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.309
X-Spam-Level:
X-Spam-Status: No, score=-3.309 tagged_above=-999 required=5 tests=[AWL=-0.333, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2KsKSEvzOGrr for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
Received: from mail-ob0-f174.google.com (mail-ob0-f174.google.com [209.85.214.174]) by ietfa.amsl.com (Postfix) with ESMTP id 8560A11E8108 for <jose@ietf.org>; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
Received: by mail-ob0-f174.google.com with SMTP id wd20so1318845obb.5 for <jose@ietf.org>; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=tI8KHhPRap8NwdGF0BVLCt9EiKg5vezOjYFXg7dZv2E=; b=Pwv3srsmpg1tWeWsmyouKauJeNMDy7M8NE3zniEmb+Ckqb935EdmVYPYQC+ABWgJqp i5Xkh4ydpmdn+IlSJFoYYys3Cu0GZibBpIdIfihDK/CziP+wBi79AnKK/I1bnIqbbXcY smebFdtSnQmzHpQ5zGWxagTw/QMDEd9BbUA079pwhGgwv8FYA1U62sYzBj2vOULgiQuk Fvh8QwfqjuH3KbaJM62UwWm6HTzzunDTKQgs3fP00geBnnm1WzLrOjRpGYXIN+yZ/hD6 BdLr59IjiWaDgZpqZTWRQTOnmDsHbhVMbYr3gt4aOMrtPXHqudn7HrnplD20fn/AlI3c yM/w==
MIME-Version: 1.0
X-Received: by 10.182.142.104 with SMTP id rv8mr5255123obb.3.1372373757052; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Thu, 27 Jun 2013 15:55:56 -0700 (PDT)
X-Originating-IP: [192.1.51.93]
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943678A1B91@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <061.bb7bbe0b618ec6b74904f48bdb9bb312@trac.tools.ietf.org> <076.a597050ecb4fb25084cec65f7174dc7e@trac.tools.ietf.org> <033b01ce729b$26ff5c90$74fe15b0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789B4CC@TK5EX14MBXC283.redmond.corp.microsoft.com> <03b401ce72e5$002c65f0$008531d0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789D4EA@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAHBU6ivNow2xhDvRj7gG2gmHQ+C-ejEHCQubK=LwUtrXxdW6MA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151BE45737@WSMSG3153V.srv.dir.telstra.com> <CAHBU6itHZ4NvGLyRqfDFaC9gkWD1_6dxhY=uVmwpyL+5Ay+j2w@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151BEDDD3C@WSMSG3153V.srv.dir.telstra.com> <CAHBU6iss5JbmHAue_2-AFDYSMVjAEnMLeLcESei3xTGTWP8_jQ@mail.gmail.com> <16F5858A-B77F-498B-9296-A42F84D5244D@ve7jtb.com> <4E1F6AAD24975D4BA5B1680429673943678A009C@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgT4y4_zMC67ZKD5b=8JQHLVzuZSDP9ThiBF2Y_HYzMi5A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678A1B91@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 27 Jun 2013 18:55:56 -0400
Message-ID: <CAL02cgS3Hq2EGH9=+UH9wssfnsB9=Ns43jbTjhzqX9cMrhwtvw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c2eaae49ce5e04e02aaae9"
X-Gm-Message-State: ALoCoQmqr9qxYYS305ZO/70E2PlZZjqXrgcqMRwWUd/rw0Typb3k9vo1ALQSA+yl4olNUul6QC/Z
Cc: Jim Schaad <ietf@augustcellars.com>, Tim Bray <tbray@textuality.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] #27: member names MUST be unique needs additional text
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 22:56:02 -0000
In a JSON-formatted JWS, the top-level JSON fields are not covered by the signature (only the protected header). See the examples in my previous mail and in John's. --Richard On Thu, Jun 27, 2013 at 6:51 PM, Mike Jones <Michael.Jones@microsoft.com>wrote: > If an intermediary reorders the fields the signature validation will > fail, so I’m not worried about that.**** > > ** ** > > -- Mike*** > * > > ** ** > > *From:* Richard Barnes [mailto:rlb@ipv.sx] > *Sent:* Thursday, June 27, 2013 3:48 PM > *To:* Mike Jones > *Cc:* John Bradley; Tim Bray; Jim Schaad; Manger, James H; jose@ietf.org; > draft-ietf-jose-json-web-signature@tools.ietf.org > > *Subject:* Re: [jose] #27: member names MUST be unique needs additional > text**** > > ** ** > > On Thu, Jun 27, 2013 at 12:42 PM, Mike Jones <Michael.Jones@microsoft.com> > wrote:**** > > I’ve come to believe that James’ proposed language does a good job of > making security-appropriate restrictions while allowing the use of existing > parsers. It was:**** > > **** > > A creator of a JOSE message MUST NOT put duplicate names in any JSON > object in a JOSE header. To prevent attacks where a JOSE message is > interpreted as different valid messages by different recipients, each > recipient MUST either reject messages with duplicate names or accept only > the last name.**** > > **** > > I might change “or accept only the last name” to “or use a parser that > always uses the lexically last name for any duplicate member names, per > [ECMAScript]” for clarity, but the intent is the same.**** > > **** > > Would that work for people?**** > > **** > > -- Mike**** > > ** ** > > ** ** > > That's close. I don't think we can allow the "lexically last" because > elements in a JSON dictionary can be re-ordered. Suppose there a helpful > intermediary that sorts a JSON dictionary in descending alphabetical order > of values. **** > > When it gets: { "payload": "bad stuff", "payload": "good stuff", ... }*** > * > > It emits: { "payload": "good stuff", "payload": "bad stuff", ... }**** > > ** ** > > The only way to avoid the ambiguity is to reject objects with duplicate > keys.**** > > ** ** > > > I realize that this renders most JSON parsers incompatible. Implementors > will need to add a secondary check. I feel your pain. But hopefully this > pain will be temporary; the ambiguity will be fixed by the JSON WG and > ECMA, and parsers will be updated. Even in the short run, it doesn't seem > like it would be that hard to mod existing parsers to have a "strict" flag. > **** > > ** ** > > """**** > > A creator of a JOSE message MUST NOT put duplicate names in any JSON > object in a JOSE header. To prevent attacks where a JOSE message is > interpreted as different valid messages by different recipients, each > recipient MUST reject messages. Implementations MUST NOT select the > lexically last name, as required by [ECMAScript], since this could lead > them to select the incorrect value if an intermediary re-orders the fields > in a dictionary. If an implementation uses a JSON parser that does not > reject objects with duplicate fields, then it MUST verify that there are no > dictionaries with duplicate fields in the JSON object.**** > > """**** > > ** ** > > --Richard **** > > ** ** > > ** ** > > ** ** > > ** ** > > **** > > **** > > *From:* John Bradley [mailto:ve7jtb@ve7jtb.com] > *Sent:* Thursday, June 27, 2013 8:49 AM > *To:* Tim Bray > *Cc:* Manger, James H; Mike Jones; Jim Schaad; jose@ietf.org; > draft-ietf-jose-json-web-signature@tools.ietf.org**** > > > *Subject:* Re: [jose] #27: member names MUST be unique needs additional > text**** > > **** > > The problem is not wanting to leave a hole for malicious signers to create > JWT that may be misinterpreted by the receiver. Accidental interop > problems from bad signers are not a big concern for me and are covered by > MUST NOT emit dups.**** > > **** > > Accepting malformed JSON as the envelope may lead to real security issues. > **** > > **** > > This may be more of an issue for the JSON encoding than the compact as > there you need to be careful the body you process for the signature is the > body that the application uses.**** > > **** > > What happens if you receive.**** > > **** > > {"protected":<integrity-protected shared header contents>",**** > > "unprotected":<non-integrity-protected shared header contents>",**** > > "payload":"<original payload contents>",**** > > "payload":"<bad payload contents inserted by attacker>"**** > > "signatures":[**** > > {"header":"<per-signature unprotected header 1 contents>",**** > > "signature":"<signature 1 contents>"},**** > > ...**** > > {"header":"<per-signature unprotected header N contents>",**** > > "signature":"<signature N contents>"}],**** > > }**** > > **** > > If the JOSE library validates on the first version of "payload" and the > application using a different JSON parser only sees the second "payload" we > have a wrapping attack similar to xmldsig.**** > > **** > > I can't off the top of my head think of what you could do in the compact > serialization that would lead to a successful attack given that the > signature is over the base64url encoded segments, that prevents attackers > from modifying the JSON while maintaining integrity.**** > > **** > > It is a real issue for the JSON serialization though.**** > > **** > > John B.**** > > **** > > On 2013-06-27, at 11:20 AM, Tim Bray <tbray@textuality.com> wrote:**** > > ** ** > > The approach just seems wrong. If we require that conforming > implementations MUST NOT emit dupes, then authors of receiving software can > just pick the best-performing parser with the nicest API, because they > *all* perform correctly when there are no dupes. > > Who’s going to own the responsibility for making the authoritative finding > that of the many JSON parsers in the Java ecosystem, these ones, but not > those ones, are usable in JOSE applications? And suppose one that has been > previously OK is quietly optimized on GitHub to run 30% faster and as a > side-effect silently ignores dupes? **** > > The benefit of using JSON is that there is widely deployed software to > handle it. It is a known problem that sloppy spec drafting has allowed > various kinds of problems to occur when dupe keys are received. “Doctor, it > hurts when I do this.” “So... don’t do that.”**** > > Are we also going to specify the behavior of receiving software when the > JSON has a misplaced quotation mark? A missing trailing “}”?**** > > -T**** > > **** > > **** > > On Wed, Jun 26, 2013 at 11:29 PM, Manger, James H < > James.H.Manger@team.telstra.com> wrote:**** > > Most JSON libraries that silently accept [sob] dupe keys at least > consistently use the last key. Allowing just that behaviour (or rejecting > dupes), while forbidding acceptance of a non-last dupe (eg first key), is > safe and allows most JSON libraries to be used. Since this accepts most > libraries I think it is practical.**** > > **** > > Hence I suggest:**** > > **** > > > A creator of a JOSE message MUST NOT put duplicate names in any JSON** > ** > > > object in a JOSE header.**** > > > To prevent attacks where a JOSE message is interpreted as different*** > * > > > valid messages by different recipients, each recipient MUST either**** > > > reject messages with duplicate names or accept only the last name.**** > > **** > > This isn’t “truly predictable” as a message with dupes might be accepted > or rejected. The crucial point is that if a message is accepted it is > predictable.**** > > **** > > --**** > > James Manger**** > > **** > > *From:* Tim Bray [mailto:tbray@textuality.com] > *Sent:* Thursday, 27 June 2013 4:16 PM > *To:* Manger, James H > *Cc:* Mike Jones; Jim Schaad; jose@ietf.org; > draft-ietf-jose-json-web-signature@tools.ietf.org**** > > > *Subject:* Re: [jose] #27: member names MUST be unique needs additional > text**** > > **** > > **** > > Well, you have a practical problem in that most implementers will want to > use a standard JSON library, which is good practice because it will be > well-debugged, and most libraries [sob] silently take care of dupe keys and > don’t have a way to tell the client software what happened. So if you want > truly predictable behavior, you’re forcing the use of hand-constructed JSON > parsers. And that sucks, because getting good performance in JSON parsing > is surprisingly hard, with dramatic performance differences between > implementations. So you’re forcing receiving software which wants to be > conformant to use a hand-rolled parser which will probably have lousy > performance and have other bugs which in fact may compromise security more > than dupe-key tricks could. -T**** > > **** > > On Wed, Jun 26, 2013 at 10:39 PM, Manger, James H < > James.H.Manger@team.telstra.com> wrote:**** > > > I think it’s a nice clean minimal solution to say that producers MUST > > NOT generate dupes, end of story. I don’t think saying anything beyond > > that adds value. -T**** > > Clean and minimal that may be, but it ignores the security issue. We don't > want a malicious producer (who is so malicious they ignore a MUST) to > create JOSE messages that a JOSE-compliant security layer accepts as > "benign interpretation #1" so it passes the message on to the > JOSE-compliant backend app that acts on "nasty interpretation #2". > > -- > James Manger**** > > **** > > **** > > **** > > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose**** > > ** ** >
- [jose] #27: member names MUST be unique needs add… jose issue tracker
- Re: [jose] #27: member names MUST be unique needs… jose issue tracker
- Re: [jose] #27: member names MUST be unique needs… Jim Schaad
- Re: [jose] #27: member names MUST be unique needs… Mike Jones
- Re: [jose] #27: member names MUST be unique needs… Jim Schaad
- Re: [jose] #27: member names MUST be unique needs… Mike Jones
- Re: [jose] #27: member names MUST be unique needs… Tim Bray
- Re: [jose] #27: member names MUST be unique needs… Manger, James H
- Re: [jose] #27: member names MUST be unique needs… Manger, James H
- Re: [jose] #27: member names MUST be unique needs… Tim Bray
- Re: [jose] #27: member names MUST be unique needs… Manger, James H
- Re: [jose] #27: member names MUST be unique needs… Carsten Bormann
- Re: [jose] #27: member names MUST be unique needs… Manger, James H
- Re: [jose] #27: member names MUST be unique needs… Tim Bray
- Re: [jose] #27: member names MUST be unique needs… John Bradley
- Re: [jose] #27: member names MUST be unique needs… Mike Jones
- Re: [jose] #27: member names MUST be unique needs… Jim Schaad
- Re: [jose] #27: member names MUST be unique needs… Jim Schaad
- Re: [jose] #27: member names MUST be unique needs… Jim Schaad
- Re: [jose] #27: member names MUST be unique needs… Richard Barnes
- Re: [jose] #27: member names MUST be unique needs… Richard Barnes
- Re: [jose] #27: member names MUST be unique needs… Mike Jones
- Re: [jose] #27: member names MUST be unique needs… Mike Jones
- Re: [jose] #27: member names MUST be unique needs… Richard Barnes
- Re: [jose] #27: member names MUST be unique needs… Mike Jones
- Re: [jose] #27: member names MUST be unique needs… jose issue tracker