Re: [jose] High risk vulnerability in RFC 7515
Nathaniel McCallum <npmccallum@redhat.com> Wed, 14 September 2016 16:45 UTC
Return-Path: <npmccallum@redhat.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ABFF012B24E for <jose@ietfa.amsl.com>; Wed, 14 Sep 2016 09:45:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.411
X-Spam-Level:
X-Spam-Status: No, score=-7.411 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_FROM=0.998, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.508, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G79pXLTIxmFe for <jose@ietfa.amsl.com>; Wed, 14 Sep 2016 09:45:36 -0700 (PDT)
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4371912B213 for <jose@ietf.org>; Wed, 14 Sep 2016 09:45:36 -0700 (PDT)
Received: from int-mx14.intmail.prod.int.phx2.redhat.com (int-mx14.intmail.prod.int.phx2.redhat.com [10.5.11.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id A773561981; Wed, 14 Sep 2016 16:45:35 +0000 (UTC)
Received: from dhcp137-207.rdu.redhat.com (dhcp137-207.rdu.redhat.com [10.13.137.207]) by int-mx14.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u8EGjYjk004806 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 14 Sep 2016 12:45:34 -0400
Message-ID: <1473871534.10979.12.camel@redhat.com>
From: Nathaniel McCallum <npmccallum@redhat.com>
To: Quan Nguyen <quannguyen@google.com>, Michael Jones <mbj@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>, 崎村夏彦 <n-sakimura@nri.co.jp>, Thai Duong <thaidn@google.com>, jose@ietf.org
Date: Wed, 14 Sep 2016 12:45:34 -0400
In-Reply-To: <CAKkgqz2s8GKSYQ4_LGgupahrkyhmb0e9jWYenLR3X7bMePFy5w@mail.gmail.com>
References: <CAKkgqz3GdMG2Q=5jcuLnccWTs4jOjjR_8DzBdoiRE2uEkTLr1g@mail.gmail.com> <CAKkgqz2s8GKSYQ4_LGgupahrkyhmb0e9jWYenLR3X7bMePFy5w@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Mime-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.27
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.38]); Wed, 14 Sep 2016 16:45:35 +0000 (UTC)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/eZ4BD5198FGAONK_ZMznFMfn4jU>
Subject: Re: [jose] High risk vulnerability in RFC 7515
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2016 16:45:39 -0000
OTOH, removing the 'jwk' parameter means that all attributes of keys need to be duplicated in the header namespace. I concur that nobody should trust the contents of the jwk parameter without additional verification. And I would support language of this type in an errata. But I think the 'jwk' parameter does have real value. On Wed, 2016-09-14 at 08:34 -0700, Quan Nguyen wrote: > > On Tue, Sep 13, 2016 at 8:43 PM, Quan Nguyen <quannguyen@google.com> > wrote: Hi, I'm Quan Nguyen, a Google Information Security Engineer. RFC 7515, https://tools.ietf.org/html/rfc7515#section-4.1.3 "jwk" > (JSON Web Key) Header Parameter allows the signature to include the > public key that corresponds to the key used to digitally sign the > JWS. This is a really dangerous option [1] This option allows any attacker to just generate private key /public > key pair, send the public key together with the signature and and > signature will be valid. It means that the signature is meaningless > and easily bypassed. Note that even if it's OPTIONAL, the attacker or > MITM can always include that field. I'm aware that you have a section 6 and Appendix D talking about key > trust decision. However: 1. There is no reason to trust this key 2. There is no way to verify public key's truthfulness to make > trust decision, unless the receiver already knows the public key in > advance (in that case, "kid" is enough). I've seen library making this mistake, but they just followed the > RFC, so it's hard to convince them to fix the issue. In the end of > the day, users are vulnerable. Furthermore, I believe this is RFC's > vulnerability, not the library. Regards, -Quan [1] I'm aware that there may be a rare use-case that needs to send > the public key, e.g., certificate signing request, but even in that > case, the user can send the public key, e.g, in opaque field in JWT. _______________________________________________ jose mailing list jose@ietf.org https://www.
- Re: [jose] High risk vulnerability in RFC 7515 Quan Nguyen
- Re: [jose] High risk vulnerability in RFC 7515 Nathaniel McCallum
- Re: [jose] High risk vulnerability in RFC 7515 Jim Schaad
- Re: [jose] High risk vulnerability in RFC 7515 Thai Duong
- Re: [jose] High risk vulnerability in RFC 7515 Thai Duong
- Re: [jose] High risk vulnerability in RFC 7515 Thai Duong
- Re: [jose] High risk vulnerability in RFC 7515 Quan Nguyen