Re: [jose] Use of ECDH-ES in JWE

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 24 February 2017 18:56 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 957391294CA for <jose@ietfa.amsl.com>; Fri, 24 Feb 2017 10:56:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ITBqaQfZdwsi for <jose@ietfa.amsl.com>; Fri, 24 Feb 2017 10:56:43 -0800 (PST)
Received: from mail-qk0-x232.google.com (mail-qk0-x232.google.com [IPv6:2607:f8b0:400d:c09::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8CE19129486 for <jose@ietf.org>; Fri, 24 Feb 2017 10:56:43 -0800 (PST)
Received: by mail-qk0-x232.google.com with SMTP id x71so26368554qkb.3 for <jose@ietf.org>; Fri, 24 Feb 2017 10:56:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=gLuoBL4tpebxplh8P7UtHR4+LFmP0A8NEuUheDy0tfE=; b=GT9TXaz2GUrWF/5Elhdsz58j8ZOnCM09m+vJlpUg5SEfNxbKaiHXlkvE8FrLUtG5lc RqYcVSI2x5DJj3NikXU0gdamhAtL71ViIt6wQBc8wreKK+4zE+K1+cDtL2ZEQxGU4Uyo CJTjP34CiaG6+X6oHriQnMChMoV2p6+gabqFfxanYisZCLwiwHYs7o3S8gtnPGd1WBIt c9UGG1yoDCt7hLlYbjAoXW1o1v+yN8kzIrZHxmbvfAQP0Ovq/MgwG3PZWgZ8xJULNR1n +XCxCiLsLomm3CDB0TGHn3dv9KX3xiE4YsDu5Ha9S3l1E1PZxWK47fB0ttdnHTGl9cVo xg7A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=gLuoBL4tpebxplh8P7UtHR4+LFmP0A8NEuUheDy0tfE=; b=E5xnAB3OJmg5y9inXh03mphL9dLdvzph0ZKkcz5a+HPVJn5GKXRzlKJuZeIW5mRn8P ULOBsZwTLKJJMxo/aU4d+d3j2Q2eBp8HR6Nqcc/NxP+aJJVFNFmwDTi6H1P9CMbVM5qA QlgLcvwycdxQpZzg6qve8QIX/WmZL4HjeohFeb1Kvyrnb5n/WJmaoMQLf5lQORql2KI0 /TGKCPCNQ6hENEVeqrYdduBrqFRU5V63ngy+p7JXfTi4SF9Gb7KXbqJIPasjZXz/xSKy e3t3ghrF1Om8Gfg3MlUVwokI4YqQ8POIzkGd030SAkJPuw7wnWODAaEEN0nXUvAR+bVg WWiQ==
X-Gm-Message-State: AMke39knmPRIqYy6sQ6Q0aQgzrdfB/KP8uv+pW/j6IP/IB78dmNpWxP8UJS3tYGip/bQ0i3+fY8VJaQ/c8qNyQ==
X-Received: by 10.55.104.135 with SMTP id d129mr4898735qkc.114.1487962602657; Fri, 24 Feb 2017 10:56:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.170.77 with HTTP; Fri, 24 Feb 2017 10:56:42 -0800 (PST)
In-Reply-To: <B96D47CA-F0B1-4E39-9900-1EE75875FEC7@adobe.com>
References: <7465DFB4-1F4E-4C8C-9BF9-6534EEC0AB1D@adobe.com> <9f370d1c-8258-7fbe-fd46-f8a7c4786900@connect2id.com> <24F1FEB8-5416-431A-AB7B-AC5C4B1D6CD1@adobe.com> <9DD23B00-17B0-4364-A9E5-FD4AA21F3648@ve7jtb.com> <CA+k3eCRVzLHhKfrgdDBgCFs_Q9Lt4-6cKXA-eU3wMzaa4O7QBw@mail.gmail.com> <03be01d28cbc$5a8aecc0$0fa0c640$@augustcellars.com> <B96D47CA-F0B1-4E39-9900-1EE75875FEC7@adobe.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 24 Feb 2017 13:56:42 -0500
Message-ID: <CAHbuEH4fwNoFE=JkhfvnMg_rufPpSnTxbRiKvmOBgVdiiMXYKA@mail.gmail.com>
To: Antonio Sanso <asanso@adobe.com>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/emqvfT7SGbm8qUF9086W8vwr7Sc>
Cc: John Bradley <ve7jtb@ve7jtb.com>, Jim Schaad <ietf@augustcellars.com>, Brian Campbell <bcampbell@pingidentity.com>, "jose@ietf.org" <jose@ietf.org>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [jose] Use of ECDH-ES in JWE
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 18:56:45 -0000

On Fri, Feb 24, 2017 at 7:40 AM, Antonio Sanso <asanso@adobe.com> wrote:
> Thanks a lot guys for the suggestions. I will take a stub so and submit an
> errata…

Thank you.  List members - please review and I'll accept the errata
once language is agreed to.  I also think this is good for future
document updates.


>
> regards
>
> antonio
>
> On Feb 22, 2017, at 4:32 AM, Jim Schaad <ietf@augustcellars.com> wrote:
>
> I would welcome an errata even for the people that might miss it from
> reading the documents.  If nothing else, it gives us some hints about what
> things need to be dealt with in the (presumably) next revisions of the
> documents.
>
> Jim
>
>
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Brian Campbell
> Sent: Tuesday, February 21, 2017 12:23 PM
> To: John Bradley <ve7jtb@ve7jtb.com>
> Cc: Antonio Sanso <asanso@adobe.com>om>; jose@ietf.org; Vladimir Dzhuvinov
> <vladimir@connect2id.com>
> Subject: Re: [jose] Use of ECDH-ES in JWE
>
>
> This seems similar in nature to some of the security consideration advice in
> JWE https://tools.ietf.org/html/rfc7516#section-11.4 and
> https://tools.ietf.org/html/rfc7516#section-11.5 and JWA
> https://tools.ietf.org/html/rfc7518#section-8.3 and
> https://tools.ietf.org/html/rfc7518#section-8.4 that an average implementer
> (like myself) would very likely not be aware of unless some attention is
> called to it.
>
> The point about people missing the errata is totally legit. But in the
> absence of some other way to convey it, perhaps it'd be better to have it
> written down as errata than not at all? Maybe Antonio would be the one to
> submit an errata for RFC 7518 https://www.rfc-editor.org/errata.php ?
>
> Certification for JOSE/JWT libraries sounds interesting. Having an errata
> for this would serve as a reminder for at least one negative test that
> should be done in that, if/when it comes to pass.
>
> On Mon, Feb 13, 2017 at 8:34 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:
>
> An errata is possible.   There is no way to update the original RFC.
>
> The problem tends to be that most developers miss the errata when reading
> specs if they ever look at the specs at all.
>
> We probably also need a more direct way to communicate this to library
> developers as well.
>
> In the OIDF we are talking about developing a certification for JOSE/JWT
> libraries like we have for overall server implementations.
>
> John B.
>
>
>
>> On Feb 13, 2017, at 7:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
>>
>> hi Vladimir,
>>
>> thanks a lot for taking the time and verifying.
>> I really think it should be mentioned somewhere.
>> The problem is that Elliptic Curves are over the head of many
>> people/developer and it should be at least
>> some reference on the JOSE spec about defending against this attack.
>> Said that I have so far reviewed 3 implementations and all 3 were somehow
>> vulnerable. And counting….
>>
>> regards
>>
>> antonio
>>
>> On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
>> wrote:
>>
>>> Hi Antonio,
>>>
>>> Thank you for making us aware of this.
>>>
>>> I just checked the ECDH-ES section in JWA, and the curve check
>>> apparently hasn't been mentioned:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-4.6
>>>
>>> It's not in the security considerations either:
>>>
>>> https://tools.ietf.org/html/rfc7518#section-8
>>>
>>>
>>> Vladimir
>>>
>>> On 09/02/17 12:39, Antonio Sanso wrote:
>>>> hi all,
>>>>
>>>> this mail is highly inspired from a research done by Quan Nguyen [0].
>>>>
>>>> As he discovered and mention in his talk there is an high chance the
>>>> JOSE libraries implementing ECDH-ES in JWE are vulnerable to invalid curve
>>>> attack.
>>>> Now I read the JWA spec and I did not find any mention that the
>>>> ephemeral public key contained in the message should be validate in order to
>>>> be on the curve.
>>>> Did I miss this advice in the spec or is it just missing? If it is not
>>>> clear enough the outcome of the attack will be the attacker completely
>>>> recover the private static key of the receiver.
>>>> Quan already found a pretty well known JOSE library vulnerable to it. So
>>>> did I.
>>>>
>>>> WDYT?
>>>>
>>>> regards
>>>>
>>>> antonio
>>>>
>>>> [0] https://research.google.com/pubs/pub45790.html
>>>> [1] https://tools.ietf.org/html/rfc7518
>>>> _______________________________________________
>>>> jose mailing list
>>>> jose@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/jose
>>>
>>>
>>> _______________________________________________
>>> jose mailing list
>>> jose@ietf.org
>>> https://www.ietf.org/mailman/listinfo/jose
>>
>> _______________________________________________
>> jose mailing list
>> jose@ietf.org
>> https://www.ietf.org/mailman/listinfo/jose
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>
>
>
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose
>



-- 

Best regards,
Kathleen