Re: [jose] High risk vulnerability in RFC 7515

Quan Nguyen <quannguyen@google.com> Wed, 14 September 2016 15:55 UTC

Return-Path: <quannguyen@google.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD76012B3CF for <jose@ietfa.amsl.com>; Wed, 14 Sep 2016 08:55:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.208
X-Spam-Level:
X-Spam-Status: No, score=-4.208 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5wjocXmSkxNM for <jose@ietfa.amsl.com>; Wed, 14 Sep 2016 08:55:51 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 267B112B9E4 for <jose@ietf.org>; Wed, 14 Sep 2016 08:35:14 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id q188so27086230oia.3 for <jose@ietf.org>; Wed, 14 Sep 2016 08:35:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to; bh=dnASvlS4kSueOFwvH7wuaWAuCwqfz647/VprHAfUBtg=; b=XU8d3q7M3V/7ZliGNAKTrKOikWuaH1KbXO99fA30CjHM7kB2vHk2M37NONdJz1gueq A9S2gfpLviEBdQbuFGn5P+wmOCE3Lyri8cxBF1LzbNlYHeOy+SxVjUBZ1WQp6T61G9Kd IqxW+QTRESrToql9HdV41wE4CYcwyV1TYDh8A5NZ/rihNAWUnED8sSG/BIfoq/heuYXY VqWh8Ii/bGAp5SqQvnlJVLlz5gb7ZZyA5ZLkeOOa3vWG3zABW5fwfXk0XcA2GUMKTPP6 m4/ej6bnV0aVpiyqr71wTT3zcRHviv8xfDM1dil1YnzKsYT5Bgq2W0Cu6JDPtBTjkCba xdOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to; bh=dnASvlS4kSueOFwvH7wuaWAuCwqfz647/VprHAfUBtg=; b=OQWFVEUvPhfvi1OZGNPxygeYjeuwFvw+Z6wBOHNFdkkRRydbY6qVk5IUQ07aAD7FVo m4M24icVV4uwQ8hEEv0NgtzEoH4+BHHLPOshkYDkM/DShtdoUeCtyuqO/1IWJCLnkXXb n+M7hE4Y03sZVRyvDr2XVhr7NygNdSqEVw6R4qACi+OnTq1PCBMXSUkd7Ba7PHI9Z4wD FT1KjUmaWYCnfDnZAl2MnjX6T5RlAYgbD3jMKZXbpOIDY+Ghy0TbANxt4BOZM7YW1ypU 3f3oTXWjhuXr/7AAxiJNURp59N4fNLvuiBbaVrTam6ZQPCCVG4kAw1HHY/mEGZg0Vaq+ gp0g==
X-Gm-Message-State: AE9vXwMyT9/Rrb6ijLnIMGRSPmPYF1oRi3aaesw+PYeZ8hQewS/vUG9eNCdrWxYHl1VxVPdfb0USAY+hdC0AieE0
X-Received: by 10.157.40.86 with SMTP id h22mr2854610otd.66.1473867313100; Wed, 14 Sep 2016 08:35:13 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.202.52.11 with HTTP; Wed, 14 Sep 2016 08:34:52 -0700 (PDT)
In-Reply-To: <CAKkgqz3GdMG2Q=5jcuLnccWTs4jOjjR_8DzBdoiRE2uEkTLr1g@mail.gmail.com>
References: <CAKkgqz3GdMG2Q=5jcuLnccWTs4jOjjR_8DzBdoiRE2uEkTLr1g@mail.gmail.com>
From: Quan Nguyen <quannguyen@google.com>
Date: Wed, 14 Sep 2016 08:34:52 -0700
Message-ID: <CAKkgqz2s8GKSYQ4_LGgupahrkyhmb0e9jWYenLR3X7bMePFy5w@mail.gmail.com>
To: Michael Jones <mbj@microsoft.com>, John Bradley <ve7jtb@ve7jtb.com>, =?UTF-8?B?5bSO5p2R5aSP5b2m?= <n-sakimura@nri.co.jp>, Thai Duong <thaidn@google.com>, jose@ietf.org
Content-Type: multipart/alternative; boundary=001a11392fbea50555053c7979b7
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/gQU_C_QURVuwmy-Q2qyVwPLQlcg>
Subject: Re: [jose] High risk vulnerability in RFC 7515
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2016 15:55:54 -0000

On Tue, Sep 13, 2016 at 8:43 PM, Quan Nguyen <quannguyen@google.com>; wrote:

> Hi,
>
> I'm Quan Nguyen, a Google Information Security Engineer.
>
> RFC 7515, https://tools.ietf.org/html/rfc7515#section-4.1.3  "jwk" (JSON
> Web Key) Header Parameter allows the signature to include the public key
> that corresponds to the key used to digitally sign the JWS. This is a
> really dangerous option [1]
>
> This option allows any attacker to just generate private key /public key
> pair, send the public key together with the signature and and signature
> will be valid. It means that the signature is meaningless and easily
> bypassed. Note that even if it's OPTIONAL, the attacker or MITM can always
> include that field.
>
> I'm aware that you have a section 6 and Appendix D talking about key trust
> decision. However:
>      1.  There is no reason to trust this key
>      2.  There is no way to verify public key's truthfulness to make trust
> decision, unless the receiver already knows the public key in advance (in
> that case, "kid" is enough).
>
> I've seen library making this mistake, but they just followed the RFC, so
> it's hard to convince them to fix the issue. In the end of the day, users
> are vulnerable. Furthermore, I believe this is RFC's vulnerability, not the
> library.
>
> Regards,
>
> -Quan
>
> [1] I'm aware that there may be a rare use-case that needs to send the
> public key, e.g., certificate signing request, but even in that case, the
> user can send the public key, e.g, in opaque field in JWT.
>