Re: [jose] JWS Signing of HTTP attachments
Sergey Beryozkin <sberyozkin@gmail.com> Fri, 12 May 2017 19:19 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E553129C43 for <jose@ietfa.amsl.com>; Fri, 12 May 2017 12:19:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V-ztuum8Vwfe for <jose@ietfa.amsl.com>; Fri, 12 May 2017 12:19:42 -0700 (PDT)
Received: from mail-wr0-x242.google.com (mail-wr0-x242.google.com [IPv6:2a00:1450:400c:c0c::242]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCB4C129B2E for <jose@ietf.org>; Fri, 12 May 2017 12:15:13 -0700 (PDT)
Received: by mail-wr0-x242.google.com with SMTP id w50so8477623wrc.0 for <jose@ietf.org>; Fri, 12 May 2017 12:15:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:references:cc:from:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=uQrXR1+hGb46ggV433NHjTyOEBTCScGAnTOOuUGyBYk=; b=l7OlqJRVAG27c6QY7sx8N8DStVKoha+NEEbAhem1zwfb2JVOIVxfIXU1ZyMLJFnLbz 4da5RM7UKwOGoWIxkYgsqiBvD8MyEUP7gStcgrISY+/5V/1gDp3YnIMxxs19vIGg9vDk oK5yMX9B4DqVuV+W5bPRPvVT4yxoRcxS8261t+5vj/X6Tqs5j+gmfzjb9pcJRjYTa9KQ B0opBC008hwoaAR8zQUbQTbkgTyhRLfLPADkRT4niqfs9/01tfBrzWpT8w0//QD91kmG xGz40j50ka1E3WdVBn1VoeXZQadi2hIRs+e6Q7Gg/DZ3a4dFL5+1iZ2sBF1RwmxbwhYR 8otg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:cc:from:message-id:date :user-agent:mime-version:in-reply-to:content-transfer-encoding; bh=uQrXR1+hGb46ggV433NHjTyOEBTCScGAnTOOuUGyBYk=; b=dnUS4wOK7qN3KDPom/gzd1ndzurQnVE5kWQ3Jf3vcjWNG6ZViWOH7AyO+2r/xRkvQN P37YK99zWS3mwQLl8JfCyCP7IM8qLzt6WTpxsHntPvP+h4fBsB4wAde9nPU5bwIekLBo nC8lSZH5x5cIDMStMMxZULYwzLCTkh4glr0xHV/S4nmCaUiAmoFX+EWEgjfgeDvM7Dwz XASWFDnl/0AuKGSSP7ZqW492k+rcjxE0ljm9JJOvbT0aSGhC3nqiOR3UjmF6r/Ogo2kE nVAitWXewJ1s3p2RoJvP0qoiADIGOiUU/c6BjBRvZNwjNMrbxczeUVqAre6BvNk+/bYK t66A==
X-Gm-Message-State: AODbwcDdnpD9XV19qGgD7ApJi0Q95y+xh04OHnSs6RExjIHlOxDcN5v5 aoTFrgFD4vF8+g==
X-Received: by 10.223.165.94 with SMTP id j30mr4472655wrb.111.1494616512229; Fri, 12 May 2017 12:15:12 -0700 (PDT)
Received: from [192.168.2.5] ([46.7.75.128]) by smtp.googlemail.com with ESMTPSA id l7sm4885976wrc.52.2017.05.12.12.15.11 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 12 May 2017 12:15:11 -0700 (PDT)
To: Jim Schaad <ietf@augustcellars.com>, 'Ilari Liusvaara' <ilariliusvaara@welho.com>
References: <33ea6034-2e07-59dc-0561-58b45dfeefe7@gmail.com> <20170512155248.GA30318@LK-Perkele-V2.elisa-laajakaista.fi> <ee972cc0-3ada-1304-d62e-2e92f84629e4@gmail.com> <014001d2cb3f$3bbbfe80$b333fb80$@augustcellars.com>
Cc: jose@ietf.org
From: Sergey Beryozkin <sberyozkin@gmail.com>
Message-ID: <d7559110-28d5-74c1-065c-c1d2b60e173b@gmail.com>
Date: Fri, 12 May 2017 20:14:56 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <014001d2cb3f$3bbbfe80$b333fb80$@augustcellars.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/hL78264ZTdX8_7TIY_I4ad0ckXI>
Subject: Re: [jose] JWS Signing of HTTP attachments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 May 2017 19:19:44 -0000
Hi, On 12/05/17 17:45, Jim Schaad wrote: > > > -----Original Message----- > From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Sergey Beryozkin > Sent: Friday, May 12, 2017 9:04 AM > To: Ilari Liusvaara <ilariliusvaara@welho.com> > Cc: jose@ietf.org > Subject: Re: [jose] JWS Signing of HTTP attachments > > Thanks for the initial feedback. I'm not following at the moment how any of > these attacks can affect it. Perhaps I'll need to work on making it more > obvious how it is all implemented. > > It is simply a concrete implementation of JWS with Detached Content. > The content is written out and by the time it's finished the JWS payload > will be finished and will accompany this content. > > On the receiving end the verification provider will be instantiated (with > the proper care, example, the server will not support the dynamic > verification provider selection process - i.e - will be expected to process > only RSA or HMAC etc signatures). Once this provider is available it will > then get all the data which is being read passing through the verification > process and finally compare the signatures > > [JLS] To be clear here, the question that is being asked is - are we going > to show content to the user, and perhaps start executing script, before we > have finished verifying the signature. This is normal for browsers as they > do incremental display as things are processed. And then, what happens to > the display if the signature fails to verify. Right, I understand what the concern is, thanks. I believe this is a general security issue to be considered for JWS With Detached Content - the secured data and their signature have reached the destinations via the different channels, where the data has already been obtained (possibly read completely), and now is passed to the JOSE library to verify the data are still OK. I guess it should be noted that JWS With Detached Content should be used with care when it is expected that the data will be made available to the user's display or similar. Perhaps I'll send another email to keep the issue tracked ? For my project I think I'll introduce an optional (possibly enabled by default) buffering of the attachments on the receiving end - so it will be 50% (sender-only) streaming friendly in this case :-). FYI my primary goal has been to ensure the client application, Java based or browser-based, can post the secured attachments to the HTTP service - say a service will need to copy InputStream to the disk - in this case, even though the code will access the stream immediately, the copy process will fail to complete, etc. I suspect it could be acceptable in some cases especially if the task is to protect 1MB.etc attachments. However I do understand that if such data are started immediately acted upon before the read process is even complete, either on the server, or especially on the UI-aware client side then there could be the side-effects and as I noted I'll optionally support the caching of the attachment parts before they are submitted to the service code. Thanks very much, Sergey > > > > Cheers, Sergey > > On 12/05/17 16:52, Ilari Liusvaara wrote: >> On Fri, May 12, 2017 at 01:59:21PM +0100, Sergey Beryozkin wrote: >>> Hi All, >>> >>> I've experimented in our project with having HTTP attachment parts >>> protected using JWS with Detached Content and Unencoded Payload options > [1]. >>> >>> This approach appears to be quite effective to me. It also appears to >>> me that the data as shown in the example at [1], can, in principle, >>> be produced and processed by any HTTP stack that can work with >>> multiparts, assuming a JOSE library supporting the detached and >>> unencoded content is also available. >>> >>> I'd appreciate if the experts could comment on 1) do you see some >>> weaknesses in the proposed approach and 2) can someone see a point in >>> drafting some text around it (I can contribute if it is of interest) ? >> >> It look from the text that the implementation can produce output >> before the entiere signature (or tag in case of encryption) has been > verified. >> This is very dangerous if so. >> >> >> Then there are the standard attacks against JOSE (the JOSE library >> must not be vulernable to these): >> >> - The JWS HMAC versus signature confusion >> - The JWE ECDH-ES invalid curve attack. >> >> >> -Ilari >> > > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose >
- [jose] JWS Signing of HTTP attachments Sergey Beryozkin
- Re: [jose] JWS Signing of HTTP attachments Ilari Liusvaara
- Re: [jose] JWS Signing of HTTP attachments Sergey Beryozkin
- Re: [jose] JWS Signing of HTTP attachments Ilari Liusvaara
- Re: [jose] JWS Signing of HTTP attachments Sergey Beryozkin
- Re: [jose] JWS Signing of HTTP attachments Jim Schaad
- Re: [jose] JWS Signing of HTTP attachments Sergey Beryozkin
- Re: [jose] JWS Signing of HTTP attachments Sergey Beryozkin