IETF Logo Mail Archive

Re: [jose] #26: Allow for signature payload to not be base64 encoded

Richard Barnes <rlb@ipv.sx> Wed, 03 July 2013 16:04 UTC

Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 73CAD21F9C8E for <jose@ietfa.amsl.com>; Wed, 3 Jul 2013 09:04:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.973
X-Spam-Level:
X-Spam-Status: No, score=-0.973 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1, TRACKER_ID=2.003]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pWp01oHoeYcW for <jose@ietfa.amsl.com>; Wed, 3 Jul 2013 09:04:44 -0700 (PDT)
Received: from mail-oa0-f47.google.com (mail-oa0-f47.google.com [209.85.219.47]) by ietfa.amsl.com (Postfix) with ESMTP id E568921F99D5 for <jose@ietf.org>; Wed, 3 Jul 2013 09:04:43 -0700 (PDT)
Received: by mail-oa0-f47.google.com with SMTP id m1so410343oag.20 for <jose@ietf.org>; Wed, 03 Jul 2013 09:04:43 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:cc:content-type:x-gm-message-state; bh=9bSyDMIgqZvMgyQKbHBhLVHGh4JLIourykAfphk3wxo=; b=jCqNiQPskYMPmqilLCEfNNCVTEr5Kfb31tu90pfpv1IAUv098HGMFJpFA9ae9yEC71 kUAlmq3SzjRgaKc3mgIOOU8Z+Y3vWv4Dy9q32OSEm6PA89Tay5O6CVKQhdJqLGQTaj+0 V+4mm3gRmIbFVdwuLW5EqtkbR+bcOqwvKQPa5ZQy4VHqtNt+t9XstUaJC1G45F5Y6qOe qrBiX2/j+CjcH0bGuU5ligE36U9I7N6cQes5UGL5QAWB+z5365AtaZxeeKRUySRbwACl z+em/3oK4U58TX9w3HmfmE8b2T440sMdlMxO6HuoCCUqL05EvgoOrAAwVyeOqr4uMipc pgvA==
MIME-Version: 1.0
X-Received: by 10.60.124.228 with SMTP id ml4mr1398127oeb.47.1372867483402; Wed, 03 Jul 2013 09:04:43 -0700 (PDT)
Received: by 10.60.26.135 with HTTP; Wed, 3 Jul 2013 09:04:43 -0700 (PDT)
X-Originating-IP: [108.18.40.68]
In-Reply-To: <DED9A23D-E0C9-4498-B894-D2A461EA67C1@gmail.com>
References: <061.c2fcfec0a75d48eb8b194991ce56157e@trac.tools.ietf.org> <076.3f5d1244c042cd87bfb07814924fcbc9@trac.tools.ietf.org> <033a01ce729b$26bc3910$7434ab30$@augustcellars.com> <51CBA981.4050006@nri.co.jp> <048f01ce7355$19f05bc0$4dd11340$@augustcellars.com> <4E1F6AAD24975D4BA5B1680429673943678A0114@TK5EX14MBXC283.redmond.corp.microsoft.com> <04bf01ce7359$5ab862c0$10292840$@augustcellars.com> <CAL02cgTkUrQptGqOfQyhCembS1e3Qxw3peRFnO5QjswUW=XR-w@mail.gmail.com> <CAD9ie-sZ+w_HADMTnnkTC8XRJmjZvwYOmA+AhvJGTNPhhK=Z4g@mail.gmail.com> <CAL02cgQbAQ8zhumdR_uvXjhbZM0iXpfPnmgcJrMUuh4+bj11NA@mail.gmail.com> <CAD9ie-sBGnv5QbjFeQiXiMJ0Git06LPsAkoNeN7KZxRNqukv3w@mail.gmail.com> <CAL02cgSFjiBUECdUoVbArdszRCPgsfLX_Yr11zDUjrrX3RTPaw@mail.gmail.com> <DED9A23D-E0C9-4498-B894-D2A461EA67C1@gmail.com>
Date: Wed, 03 Jul 2013 12:04:43 -0400
Message-ID: <CAL02cgQ2kiYJb2ucQLLHbYrQNg7_1nvuBoqyZKqWZiZoEmcjZA@mail.gmail.com>
From: Richard Barnes <rlb@ipv.sx>
To: Dick Hardt <dick.hardt@gmail.com>
Content-Type: multipart/alternative; boundary="047d7b3a9286ac12e604e09d9e81"
X-Gm-Message-State: ALoCoQmHs/13mqQ2Zu0Rn5eU+Fez+NN8WMl1qzwjkL/Ezexl7hzIkBNEHo15jgyua35cb+/+SfmS
Cc: Jim Schaad <ietf@augustcellars.com>, n-sakimura <n-sakimura@nri.co.jp>, Mike Jones <Michael.Jones@microsoft.com>, "jose@ietf.org" <jose@ietf.org>, "draft-ietf-jose-json-web-signature@tools.ietf.org" <draft-ietf-jose-json-web-signature@tools.ietf.org>
Subject: Re: [jose] #26: Allow for signature payload to not be base64 encoded
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/jose>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2013 16:04:48 -0000

On Tue, Jul 2, 2013 at 8:14 PM, Dick Hardt <dick.hardt@gmail.com> wrote:

> Hi Richard, thanks for the example, some comments and questions:
>
> To clarify, in the JSON (non-compact) version, the payload is restricted
> to being a string? ie. it cannot be a JSON object? If so, that seems really
> limiting.
>

The payload can be anything that can be expressed as a JSON string.  The
payload needs to be serialized, not as a JSON entity (object, array,
number), because it's going to be input to a signature verification
operation (so it needs to be canonical).  Every JSON string has a unique
representation in UTF-8, so we can use that for anything that can be put
into a string.


> I don't understand why "cenc" needs to be added to the compact
> serialization. The recipient will need to know if it is in the compact
> format or in JSON before parsing.
>

You're correct: "cenc" isn't expressed in the compact serialization, it's
part of the definition that the payload is always base64-encoded.  I just
included it in Case 2 to show the equivalent JSON form (since it's *not*
fixed in JSON).


> My gut tells me that signing the header is useful and will thwart some
> attacks -- but I am not an expert in that area. Is there some research that
> says it makes no difference? I think it would help catch implementation
> errors.
>

We had a thread on CFRG on this a while back [1].  The upshot is that you
can't prevent an attacker from making someone execute the wrong algorithm,
because he has to execute the algorithm in order to realize that the header
is bad.  The one real attack we have is that RSA-PSS does not protect the
hash value, so if an attacker can, say, find a SHA-1 collision that
produces the same signature as the "RS256" output, then he can change the
algorithm to exploit that attack.  So we need to have the ability to
protect the "alg" header for that case (cf. as RFC 6211 does for CMS [2]);
everything else is warm fuzzies.

--Richard

[1] <http://www.ietf.org/mail-archive/web/cfrg/current/msg03381.html>
[2] <https://tools.ietf.org/html/rfc6211>




>
> -- Dick
>
> On Jul 2, 2013, at 3:20 PM, Richard Barnes <rlb@ipv.sx> wrote:
>
> Glad that helped.  Detailed examples below.
>
> Couple of high-level points to help the examples make sense:
> 1. Define a "cenc" header parameter, for "Content ENCoding", with one
> value, "b64u".  When present in the JSON serialization, the "payload" field
> is base64url encoded; when it is absent, the "payload" field represents the
> payload directly (as a UTF-8 string).
> 2. For the compact serialization, "cenc" is always "b64u".
> 3. When protected a header are present (always for the compact
> serialization), the JWS Signing Input is base64(protected).base64(payload),
> as it is in -11.  When no protected header is present, the JWS Signing
> Input is simply the octets of the payload.
>
> With that in mind, let's look at a few test cases.  We'll use the
> following inputs:
>
> Header: {"alg":"HS256","kid":"2"}
> == 7b22616c67223a224853323536222c226b6964223a2232227d (hex UTF-8)
> == eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ (base64 UTF-8)
>
> Key (kid=2): 0x0001020304050607 (8 octets)
>
> Payload: "café"
> == 636166c3a9 (hex UTF-8)
> == Y2Fmw6k (hex UTF-8)
>
> With those inputs, let's consider 4 cases that show the possibilities
> discussed above.
>
> ### CASE 1: Compact / protected / b64u
>
> eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ
> .Y2Fmw6k
> .QUoMVpjxLXjH1ZAX9tw4QEPnL6G_Hvd4EjD-JsHilyk
>
> No change here.  The compact case just represents the special case where
> the payload is base64-encoded and all the headers are protected.  Thus, we
> use the base64.base64 form for the JSON Signing Input.
> JWS Signing Input: eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ.Y2Fmw6k (as a UTF-8
> string)
> == 65794a68624763694f694a49557a49314e694973496d74705a434936496a496966512e5932466d77366b
> (hex)
>
> ### CASE 2: JSON / protected / b64u
>
> {
>   "unprotected":{"cenc":"b64u"},
>   "protected":"eyJhbGciOiJIUzI1NiIsImtpZCI6IjIifQ",
>   "payload":"Y2Fmw6k",
>   "signature":"QUoMVpjxLXjH1ZAX9tw4QEPnL6G_Hvd4EjD-JsHilyk"
> }
>
> This is just the JSON equivalent to Case 1.
>
> ### CASE 3: JSON / unprotected / b64u
>
> {
>   "unprotected":{"alg":"HS256","kid":"2","cenc":"b64u"},
>   "payload":"Y2Fmw6k",
>   "signature":"X-GwEVfz9WEi0UhrmK1muKXecqxMipngSL_ZenXw5Lo"
> }
>
> Here we've removed the integrity protection from the headers (because who
> needs it? ;) ).  So the signature is different, because JWS Signing Input
> here is just the payload.
> JWS Signing Input: café (as a UTF-8 string)
> == 636166c3a9 (hex)
>
> ### CASE 4: JSON / unprotected / plain
>
> {
>   "unprotected":{"alg":"HS256","kid":"2"},
>   "payload":"café",
>   "signature":"X-GwEVfz9WEi0UhrmK1muKXecqxMipngSL_ZenXw5Lo"
> }
>
> This object is equivalent to Case 3, but with the payload expressed
> directly as a JSON string instead of base64-encoded.  And, if you ask me,
> the prettiest and most human-readable of the whole menagerie here :)
>
> I've written a script to generate these test cases, in case you want to
> play with this some more:
> <http://test.polycrypt.net/temp/hello-jose.html>
>
> Hope this helps,
> --Richard
>
>
> On Fri, Jun 28, 2013 at 7:04 PM, Dick Hardt <dick.hardt@gmail.com> wrote:
>
>> Hi Richard, that helps.
>>
>> Our you looking at a way of effectively signing a JSON payload? A
>> complete, real world example would help alot.
>>
>>
>> On Fri, Jun 28, 2013 at 3:57 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>
>>> Hey Dick,
>>>
>>> I guess I should have been clearer that I was only talking about the
>>> JSON serialization.  My proposed change would have no impact on the compact
>>> serialization.  Hopefully that answers your questions about separators,
>>> etc.; they payload would just be a normal JSON string.
>>>
>>> --Richard
>>>
>>>
>>> On Thu, Jun 27, 2013 at 7:56 PM, Dick Hardt <dick.hardt@gmail.com>wrote:
>>>
>>>>
>>>>
>>>>
>>>> On Thu, Jun 27, 2013 at 3:24 PM, Richard Barnes <rlb@ipv.sx> wrote:
>>>>
>>>>> I think there are two separable issues here, both of which Mike and I
>>>>> probably have divergent opinions on :)
>>>>> 1. Syntax: Should it be possible for the "payload" field JWS to be a
>>>>> JSON string (instead of base64) when the payload is simply a UTF-8 string?
>>>>>
>>>>
>>>> One of the goals of the token was that it not require encoding for it
>>>> to be transported in a request. IE that it be safe and SIMPLE to include in
>>>> an HTTP header or in a URL
>>>>
>>>>
>>>>> 2. Crypto: Must the JWS Signing Input be base64url encoded.
>>>>>
>>>>> The current answers to these questions are:
>>>>> 1. It is not possible.  Payload is always base64url encoded.
>>>>> 2. It is always base64url encoded.
>>>>>
>>>>> The answers should be:
>>>>> 1. The payload should not be base64url encoded unless it cannot be
>>>>> represented as a JSON string.
>>>>>
>>>>
>>>> How does an implementation determine which parts are separated? Are '.'
>>>> escaped? Does the implementation need to parse the JSON to determine a
>>>> valid separator? How does it know the end of the JSON? That sounds really
>>>> hard to implement, or I am misunderstanding what you are proposing.
>>>>
>>>>
>>>>
>>>>> 2. The JWS Signing Input should not be base64url encoded unless there
>>>>> is a JWS Protected Header
>>>>>
>>>>> Neither of these are complicated changes:
>>>>> 1. Add a "b64" header parameter that indicates that the payload is
>>>>> base64url-encoded binary, as opposed to a UTF-8 string.  Specify that this
>>>>> parameter is on by default in compact-formatted JWS objects.
>>>>>
>>>>
>>>> And how is the header separated from the payload?
>>>>
>>>>
>>>>>  2. Modify the signing/verification instructions to switch based on
>>>>> the presence of a JWS Protected Header: "If the JWS Protected Header is
>>>>> absent or empty, then the JWS Signing Input is simply the JWS Payload (not
>>>>> encoded).  If the JWS Protected Header has a non-empty value, then the the
>>>>> JWS Signing Input is the concatenation of the Encoded JWS Header, a period
>>>>> ('.') character, and the Encoded JWS Payload"
>>>>>
>>>>> There are two reasons for these, both of which are important to make
>>>>> sure that this spec is applicable to a broad variety of use cases:
>>>>> 1. Compactness.  As Jim notes, quoted strings are shorter than
>>>>> base64url-encoded strings
>>>>>
>>>>
>>>> The tokens are already compact enough.
>>>>
>>>>
>>>>>  2. Crypto-compatibility: Avoiding base64-encoding means that there's
>>>>> nothing JWS-specific about the signature value.  So for example, you could
>>>>> translate a JWS with no protected attributes to a CMS SignedData object
>>>>> with no protected attributes.
>>>>>
>>>>
>>>> Not a useful feature from my point of view.
>>>>
>>>> -- Dick
>>>>
>>>
>>>
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>>
>>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
>

v2.36.0 | Report a Bug | By Email | System Status