Re: [jose] Use of ECDH-ES in JWE
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 24 February 2017 18:56 UTC
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 24 Feb 2017 13:56:42 -0500
Message-ID: <CAHbuEH4fwNoFE=JkhfvnMg_rufPpSnTxbRiKvmOBgVdiiMXYKA@mail.gmail.com>
To: Antonio Sanso <asanso@adobe.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/emqvfT7SGbm8qUF9086W8vwr7Sc>
Cc: John Bradley <ve7jtb@ve7jtb.com>, Jim Schaad <ietf@augustcellars.com>, Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [jose] Use of ECDH-ES in JWE
On Fri, Feb 24, 2017 at 7:40 AM, Antonio Sanso <asanso@adobe.com> wrote:
> Thanks a lot guys for the suggestions. I will take a stab and submit an
> errata…

Thank you. List members - please review and I'll accept the errata once
language is agreed to. I also think this is good for future document
updates.

> regards
>
> antonio
>
> On Feb 22, 2017, at 4:32 AM, Jim Schaad <ietf@augustcellars.com> wrote:
>
> I would welcome an errata even for the people that might miss it from
> reading the documents. If nothing else, it gives us some hints about what
> things need to be dealt with in the (presumably) next revisions of the
> documents.
>
> Jim
>
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
> Sent: Tuesday, February 21, 2017 12:23 PM
> To: John Bradley <ve7jtb@ve7jtb.com>
> Cc: Antonio Sanso <asanso@adobe.com>; jose@ietf.org; Vladimir Dzhuvinov <vladimir@connect2id.com>
> Subject: Re: [jose] Use of ECDH-ES in JWE
>
>
> This seems similar in nature to some of the security consideration advice in
> JWE https://tools.ietf.org/html/rfc7516#section-11.4 and
> https://tools.ietf.org/html/rfc7516#section-11.5 and JWA
> https://tools.ietf.org/html/rfc7518#section-8.3 and
> https://tools.ietf.org/html/rfc7518#section-8.4 that an average implementer
> (like myself) would very likely not be aware of unless some attention is
> called to it.
>
> The point about people missing the errata is totally legit. But in the
> absence of some other way to convey it, perhaps it'd be better to have it
> written down as errata than not at all? Maybe Antonio would be the one to
> submit an errata for RFC 7518 https://www.rfc-editor.org/errata.php ?
>
> Certification for JOSE/JWT libraries sounds interesting. Having an errata
> for this would serve as a reminder for at least one negative test that
> should be done in that, if/when it comes to pass.
>
> On Mon, Feb 13, 2017 at 8:34 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> An errata is possible. There is no way to update the original RFC.
>
> The problem tends to be that most developers miss the errata when reading
> specs, if they ever look at the specs at all.
>
> We probably also need a more direct way to communicate this to library
> developers as well.
>
> In the OIDF we are talking about developing a certification for JOSE/JWT
> libraries like we have for overall server implementations.
>
> John B.
>
>
>> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>>
>> hi Vladimir,
>>
>> thanks a lot for taking the time and verifying.
>> I really think it should be mentioned somewhere.
>> The problem is that Elliptic Curves are over the head of many
>> people/developers and there should be at least
>> some reference in the JOSE spec about defending against this attack.
>> That said, I have so far reviewed 3 implementations and all 3 were somehow
>> vulnerable. And counting….
>>
>> regards
>>
>> antonio
>>
>> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir@connect2id.com> wrote:
>>
>>> Hi Antonio,
>>>
>>> Thank you for making us aware of this.
>>>
>>> I just checked the ECDH-ES section in JWA, and the curve check
>>> apparently hasn't been mentioned:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-4.6
>>>
>>> It's not in the security considerations either:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-8
>>>
>>>
>>> Vladimir
>>>
>>> On 09/02/17 12:39, Antonio Sanso wrote:
>>>> hi all,
>>>>
>>>> this mail is highly inspired by research done by Quan Nguyen [0].
>>>>
>>>> As he discovered and mentions in his talk, there is a high chance that
>>>> JOSE libraries implementing ECDH-ES in JWE are vulnerable to the invalid curve
>>>> attack.
>>>> Now I read the JWA spec and I did not find any mention that the
>>>> ephemeral public key contained in the message should be validated in order to
>>>> be on the curve.
>>>> Did I miss this advice in the spec or is it just missing? If it is not
>>>> clear enough, the outcome of the attack will be that the attacker completely
>>>> recovers the private static key of the receiver.
>>>> Quan already found a pretty well known JOSE library vulnerable to it. So
>>>> did I.
>>>>
>>>> WDYT?
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> [0] https://research.google.com/pubs/pub45790.html
>>>> [1] https://tools.ietf.org/html/rfc7518
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose

-- 
Best regards,
Kathleen
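The curve check the thread says RFC 7518 does not mention, as an added example that is not code from this thread or from any of the libraries discussed: receiver-side validation of the ECDH-ES `epk` header parameter against the P-256 curve equation, to be run before any shared secret is derived. The function name, the base64url helpers and the sample keys are assumptions constructed for this example; the curve constants are the standard NIST P-256 parameters.

```python
# Validate an ECDH-ES "epk" JWK (RFC 7518 section 4.6.1.1) before using it.
# Pure Python: no third-party dependencies.
import base64

# NIST P-256 domain parameters (standard values).
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
COORD_LEN = 32  # x and y are encoded at the full field size for P-256


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_uint(v: int, length: int = COORD_LEN) -> str:
    # Helper used only to construct sample keys below (assumed, not RFC text).
    return base64.urlsafe_b64encode(v.to_bytes(length, "big")).rstrip(b"=").decode()


def validate_p256_epk(epk: dict) -> bool:
    """True only if epk is a well-formed EC JWK whose point lies on P-256.

    Multiplying the static private key by a point that is NOT on the curve is
    what leaks that key in the invalid curve attack; rejecting such points here
    is the defence the thread asks the spec to mention."""
    if epk.get("kty") != "EC" or epk.get("crv") != "P-256":
        return False
    try:
        xb, yb = b64url_decode(epk["x"]), b64url_decode(epk["y"])
    except (KeyError, TypeError, ValueError):
        return False
    if len(xb) != COORD_LEN or len(yb) != COORD_LEN:
        return False  # reject short or long coordinates instead of padding them
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False
    # Curve equation y^2 = x^3 + a*x + b (mod p): a point taken from any other
    # curve (different b) fails this test, which is exactly the case to reject.
    return (y * y - (x * x * x + P256_A * x + P256_B)) % P256_P == 0


# Constructed samples: the P-256 generator (valid) and the same x with y+1,
# which is not a point on the curve.
VALID_EPK = {"kty": "EC", "crv": "P-256",
             "x": b64url_uint(P256_GX), "y": b64url_uint(P256_GY)}
INVALID_EPK = {"kty": "EC", "crv": "P-256",
               "x": b64url_uint(P256_GX), "y": b64url_uint(P256_GY + 1)}

if __name__ == "__main__":
    print("on-curve epk accepted:", validate_p256_epk(VALID_EPK))
    print("off-curve epk rejected:", not validate_p256_epk(INVALID_EPK))
```

A library that already does this check in its EC key parser still needs a negative test like the one above, since the thread notes that three reviewed implementations were vulnerable in some way.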