IETF Logo Mail Archive

Re: [jose] #27: member names MUST be unique needs additional text

Richard Barnes <rlb@ipv.sx> Thu, 27 June 2013 22:56 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E75811E8115 for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 15:56:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.309
X-Spam-Level:
X-Spam-Status: No, score=-3.309 tagged_above=-999 required=5 tests=[AWL=-0.333, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2KsKSEvzOGrr for <jose@ietfa.amsl.com>; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
Received: from mail-ob0-f174.google.com (mail-ob0-f174.google.com [209.85.214.174]) by ietfa.amsl.com (Postfix) with ESMTP id 8560A11E8108 for <jose@ietf.org>; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
Received: by mail-ob0-f174.google.com with SMTP id wd20so1318845obb.5 for <jose@ietf.org>; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=tI8KHhPRap8NwdGF0BVLCt9EiKg5vezOjYFXg7dZv2E=; b=Pwv3srsmpg1tWeWsmyouKauJeNMDy7M8NE3zniEmb+Ckqb935EdmVYPYQC+ABWgJqp i5Xkh4ydpmdn+IlSJFoYYys3Cu0GZibBpIdIfihDK/CziP+wBi79AnKK/I1bnIqbbXcY smebFdtSnQmzHpQ5zGWxagTw/QMDEd9BbUA079pwhGgwv8FYA1U62sYzBj2vOULgiQuk Fvh8QwfqjuH3KbaJM62UwWm6HTzzunDTKQgs3fP00geBnnm1WzLrOjRpGYXIN+yZ/hD6 BdLr59IjiWaDgZpqZTWRQTOnmDsHbhVMbYr3gt4aOMrtPXHqudn7HrnplD20fn/AlI3c yM/w==
MIME-Version: 1.0
X-Received: by 10.182.142.104 with SMTP id rv8mr5255123obb.3.1372373757052; Thu, 27 Jun 2013 15:55:57 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Thu, 27 Jun 2013 15:55:56 -0700 (PDT)
X-Originating-IP: [192.1.51.93]
In-Reply-To: <4E1F6AAD24975D4BA5B1680429673943678A1B91@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <061.bb7bbe0b618ec6b74904f48bdb9bb312@trac.tools.ietf.org> <076.a597050ecb4fb25084cec65f7174dc7e@trac.tools.ietf.org> <033b01ce729b$26ff5c90$74fe15b0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789B4CC@TK5EX14MBXC283.redmond.corp.microsoft.com> <03b401ce72e5$002c65f0$008531d0$@augustcellars.com> <4E1F6AAD24975D4BA5B16804296739436789D4EA@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAHBU6ivNow2xhDvRj7gG2gmHQ+C-ejEHCQubK=LwUtrXxdW6MA@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151BE45737@WSMSG3153V.srv.dir.telstra.com> <CAHBU6itHZ4NvGLyRqfDFaC9gkWD1_6dxhY=uVmwpyL+5Ay+j2w@mail.gmail.com> <255B9BB34FB7D647A506DC292726F6E1151BEDDD3C@WSMSG3153V.srv.dir.telstra.com> <CAHBU6iss5JbmHAue_2-AFDYSMVjAEnMLeLcESei3xTGTWP8_jQ@mail.gmail.com> <16F5858A-B77F-498B-9296-A42F84D5244D@ve7jtb.com> <4E1F6AAD24975D4BA5B1680429673943678A009C@TK5EX14MBXC283.redmond.corp.microsoft.com> <CAL02cgT4y4_zMC67ZKD5b=8JQHLVzuZSDP9ThiBF2Y_HYzMi5A@mail.gmail.com> <4E1F6AAD24975D4BA5B1680429673943678A1B91@TK5EX14MBXC283.redmond.corp.microsoft.com>
Date: Thu, 27 Jun 2013 18:55:56 -0400
Message-ID: <CAL02cgS3Hq2EGH9=+UH9wssfnsB9=Ns43jbTjhzqX9cMrhwtvw@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Mike Jones <Michael.Jones@microsoft.com>
Content-Type: multipart/alternative; boundary="001a11c2eaae49ce5e04e02aaae9"
X-Gm-Message-State: ALoCoQmqr9qxYYS305ZO/70E2PlZZjqXrgcqMRwWUd/rw0Typb3k9vo1ALQSA+yl4olNUul6QC/Z
Cc: Jim Schaad <ietf@augustcellars.com>, Tim Bray <tbray@textuality.com>, "jose@ietf.org" <jose@ietf.org>, John Bradley <ve7jtb@ve7jtb.com>, "Manger, James H" <James.H.Manger@team.telstra.com>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] #27: member names MUST be unique needs additional text
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 22:56:02 -0000

In a JSON-formatted JWS, the top-level JSON fields are not covered by the
signature (only the protected header).  See the examples in my previous
mail and in John's.
--Richard


On Thu, Jun 27, 2013 at 6:51 PM, Mike Jones <Michael.Jones@microsoft.com>wrote:

>  If an intermediary reorders the fields the signature validation will
> fail, so I’m not worried about that.****
>
> ** **
>
>                                                                 -- Mike***
> *
>
> ** **
>
> *From:* Richard Barnes [mailto:rlb@ipv.sx]
> *Sent:* Thursday, June 27, 2013 3:48 PM
> *To:* Mike Jones
> *Cc:* John Bradley; Tim Bray; Jim Schaad; Manger, James H; jose@ietf.org;
> draft-ietf-jose-json-web-signature@tools.ietf.org
>
> *Subject:* Re: [jose] #27: member names MUST be unique needs additional
> text****
>
> ** **
>
> On Thu, Jun 27, 2013 at 12:42 PM, Mike Jones <Michael.Jones@microsoft.com>
> wrote:****
>
>  I’ve come to believe that James’ proposed language does a good job of
> making security-appropriate restrictions while allowing the use of existing
> parsers.  It was:****
>
>  ****
>
> A creator of a JOSE message MUST NOT put duplicate names in any JSON
> object in a JOSE header.  To prevent attacks where a JOSE message is
> interpreted as different valid messages by different recipients, each
> recipient MUST either reject messages with duplicate names or accept only
> the last name.****
>
>  ****
>
> I might change “or accept only the last name” to “or use a parser that
> always uses the lexically last name for any duplicate member names, per
> [ECMAScript]” for clarity, but the intent is the same.****
>
>  ****
>
> Would that work for people?****
>
>  ****
>
>                                                             -- Mike****
>
>  ** **
>
> ** **
>
> That's close.  I don't think we can allow the "lexically last" because
> elements in a JSON dictionary can be re-ordered.  Suppose there a helpful
> intermediary that sorts a JSON dictionary in descending alphabetical order
> of values. ****
>
> When it gets: { "payload": "bad stuff",  "payload": "good stuff", ... }***
> *
>
> It emits: { "payload": "good stuff",  "payload": "bad stuff", ... }****
>
> ** **
>
> The only way to avoid the ambiguity is to reject objects with duplicate
> keys.****
>
> ** **
>
>
> I realize that this renders most JSON parsers incompatible.  Implementors
> will need to add a secondary check.  I feel your pain.  But hopefully this
> pain will be temporary; the ambiguity will be fixed by the JSON WG and
> ECMA, and parsers will be updated.  Even in the short run, it doesn't seem
> like it would be that hard to mod existing parsers to have a "strict" flag.
> ****
>
> ** **
>
> """****
>
> A creator of a JOSE message MUST NOT put duplicate names in any JSON
> object in a JOSE header.  To prevent attacks where a JOSE message is
> interpreted as different valid messages by different recipients, each
> recipient MUST reject messages.  Implementations MUST NOT select the
> lexically last name, as required by [ECMAScript], since this could lead
> them to select the incorrect value if an intermediary re-orders the fields
> in a dictionary.  If an implementation uses a JSON parser that does not
> reject objects with duplicate fields, then it MUST verify that there are no
> dictionaries with duplicate fields in the JSON object.****
>
> """****
>
> ** **
>
> --Richard ****
>
> ** **
>
> ** **
>
> ** **
>
> ** **
>
>  ****
>
>   ****
>
> *From:* John Bradley [mailto:ve7jtb@ve7jtb.com]
> *Sent:* Thursday, June 27, 2013 8:49 AM
> *To:* Tim Bray
> *Cc:* Manger, James H; Mike Jones; Jim Schaad; jose@ietf.org;
> draft-ietf-jose-json-web-signature@tools.ietf.org****
>
>
> *Subject:* Re: [jose] #27: member names MUST be unique needs additional
> text****
>
>  ****
>
> The problem is not wanting to leave a hole for malicious signers to create
> JWT that may be misinterpreted by the receiver.  Accidental interop
> problems from bad signers are not a big concern for me and are covered by
> MUST NOT emit dups.****
>
>  ****
>
> Accepting malformed JSON as the envelope may lead to real security issues.
> ****
>
>  ****
>
> This may be more of an issue for the JSON encoding than the compact as
> there you need to be careful the body you process for the signature is the
> body that the application uses.****
>
>  ****
>
> What happens if you receive.****
>
>  ****
>
> {"protected":<integrity-protected shared header contents>",****
>
>       "unprotected":<non-integrity-protected shared header contents>",****
>
>       "payload":"<original payload contents>",****
>
>       "payload":"<bad payload contents inserted by attacker>"****
>
>       "signatures":[****
>
>        {"header":"<per-signature unprotected header 1 contents>",****
>
>         "signature":"<signature 1 contents>"},****
>
>        ...****
>
>        {"header":"<per-signature unprotected header N contents>",****
>
>         "signature":"<signature N contents>"}],****
>
>      }****
>
>   ****
>
> If the JOSE library validates on the first version of "payload" and the
> application using a different JSON parser only sees the second "payload" we
> have a wrapping attack similar to xmldsig.****
>
>  ****
>
> I can't off the top of my head think of what you could do in the compact
> serialization that would lead to a successful attack given that the
> signature is over the base64url encoded segments, that prevents attackers
> from modifying the JSON while maintaining integrity.****
>
>  ****
>
> It is a real issue for the JSON serialization though.****
>
>  ****
>
> John B.****
>
>  ****
>
> On 2013-06-27, at 11:20 AM, Tim Bray <tbray@textuality.com> wrote:****
>
> ** **
>
> The approach just seems wrong.  If we require that conforming
> implementations MUST NOT emit dupes, then authors of receiving software can
> just pick the best-performing parser with the nicest API, because they
> *all* perform correctly when there are no dupes.
>
> Who’s going to own the responsibility for making the authoritative finding
> that of the many JSON parsers in the Java ecosystem, these ones, but not
> those ones, are usable in JOSE applications?  And suppose one that has been
> previously OK is quietly optimized on GitHub to run 30% faster and as a
> side-effect silently ignores dupes?  ****
>
> The benefit of using JSON is that there is widely deployed software to
> handle it.  It is a known problem that sloppy spec drafting has allowed
> various kinds of problems to occur when dupe keys are received. “Doctor, it
> hurts when I do this.” “So... don’t do that.”****
>
> Are we also going to specify the behavior of receiving software when the
> JSON has a misplaced quotation mark?  A missing trailing “}”?****
>
>  -T****
>
>  ****
>
>  ****
>
> On Wed, Jun 26, 2013 at 11:29 PM, Manger, James H <
> James.H.Manger@team.telstra.com> wrote:****
>
> Most JSON libraries that silently accept [sob] dupe keys at least
> consistently use the last key. Allowing just that behaviour (or rejecting
> dupes), while forbidding acceptance of a non-last dupe (eg first key), is
> safe and allows most JSON libraries to be used. Since this accepts most
> libraries I think it is practical.****
>
>  ****
>
> Hence I suggest:****
>
>  ****
>
> >   A creator of a JOSE message MUST NOT put duplicate names in any JSON**
> **
>
> > object in a JOSE header.****
>
> >   To prevent attacks where a JOSE message is interpreted as different***
> *
>
> > valid messages by different recipients, each recipient MUST either****
>
> > reject messages with duplicate names or accept only the last name.****
>
>  ****
>
> This isn’t “truly predictable” as a message with dupes might be accepted
> or rejected. The crucial point is that if a message is accepted it is
> predictable.****
>
>  ****
>
> --****
>
> James Manger****
>
>  ****
>
> *From:* Tim Bray [mailto:tbray@textuality.com]
> *Sent:* Thursday, 27 June 2013 4:16 PM
> *To:* Manger, James H
> *Cc:* Mike Jones; Jim Schaad; jose@ietf.org;
> draft-ietf-jose-json-web-signature@tools.ietf.org****
>
>
> *Subject:* Re: [jose] #27: member names MUST be unique needs additional
> text****
>
>  ****
>
>  ****
>
> Well, you have a practical problem in that most implementers will want to
> use a standard JSON library, which is good practice because it will be
> well-debugged, and most libraries [sob] silently take care of dupe keys and
> don’t have a way to tell the client software what happened. So if you want
> truly predictable behavior, you’re forcing the use of hand-constructed JSON
> parsers. And that sucks, because getting good performance in JSON parsing
> is surprisingly hard, with dramatic performance differences between
> implementations. So you’re forcing receiving software which wants to be
> conformant to use a hand-rolled parser which will probably have lousy
> performance and have other bugs which in fact may compromise security more
> than dupe-key tricks could.  -T****
>
>  ****
>
> On Wed, Jun 26, 2013 at 10:39 PM, Manger, James H <
> James.H.Manger@team.telstra.com> wrote:****
>
> > I think it’s a nice clean minimal solution to say that producers MUST
> > NOT generate dupes, end of story.  I don’t think saying anything beyond
> > that adds value. -T****
>
> Clean and minimal that may be, but it ignores the security issue. We don't
> want a malicious producer (who is so malicious they ignore a MUST) to
> create JOSE messages that a JOSE-compliant security layer accepts as
> "benign interpretation #1" so it passes the message on to the
> JOSE-compliant backend app that acts on "nasty interpretation #2".
>
> --
> James Manger****
>
>  ****
>
>  ****
>
>  ****
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose****
>
>  ** **
>

v2.23.0 | Report a Bug | By Email