IETF Logo Mail Archive

Re: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

Mike Jones <Michael.Jones@microsoft.com> Wed, 11 November 2015 15:38 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3DAD61B2A56 for <jose@ietfa.amsl.com>; Wed, 11 Nov 2015 07:38:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VtvK0RJC98mO for <jose@ietfa.amsl.com>; Wed, 11 Nov 2015 07:37:54 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0142.outbound.protection.outlook.com [207.46.100.142]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1717F1B2A4D for <jose@ietf.org>; Wed, 11 Nov 2015 07:37:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=zSYnLiKxA+C0v60PlQ8pmNhXsRMDfMRjFobH4796qYA=; b=FLzI/+vEGOWnlWPhwphGDAN7axP+iyepKsy3yIpXwecFnmkl7OfUufUqBEXmvm88WQmWvFO3uTrSXefJcUNtvrVs8JE3abCcU3lk25DXJVdyqXRYITEvkObDYFPaI+B8Kyaa0JNcs96Di8nEIT59X8awil4pN0b2alqBLPp0c9s=
Received: from BY2PR03MB442.namprd03.prod.outlook.com (10.141.141.145) by BY2PR03MB444.namprd03.prod.outlook.com (10.141.141.154) with Microsoft SMTP Server (TLS) id 15.1.318.15; Wed, 11 Nov 2015 15:37:51 +0000
Received: from BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) by BY2PR03MB442.namprd03.prod.outlook.com ([10.141.141.145]) with mapi id 15.01.0325.003; Wed, 11 Nov 2015 15:37:51 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Manger, James" <James.H.Manger@team.telstra.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] JWS Unencoded Payload Option spec addressing WGLC comments
Thread-Index: AQHRDGEPOGzc1W/4LECnZk7v4fbxZJ6IeVSggAAzKQCAANpKQIAB54cggAubHkA=
Date: Wed, 11 Nov 2015 15:37:50 +0000
Message-ID: <BY2PR03MB4420852E0435FFCA6E42B7AF5130@BY2PR03MB442.namprd03.prod.outlook.com>
References: <BY2PR03MB4425B29243487BC32294D1AF5300@BY2PR03MB442.namprd03.prod.outlook.com> <255B9BB34FB7D647A506DC292726F6E13BB0623AFD@WSMSG3153V.srv.dir.telstra.com> <BY2PR03MB442B7AF9F413BDB8626EC06F5380@BY2PR03MB442.namprd03.prod.outlook.com> <06ac01d10c53$338a3710$9a9ea530$@augustcellars.com> <255B9BB34FB7D647A506DC292726F6E13BB0F62ECD@WSMSG3153V.srv.dir.telstra.com> <BL2PR03MB4331F00810C3B6367D7E81BF52C0@BL2PR03MB433.namprd03.prod.outlook.com> <04b901d11562$a1cfbf20$e56f3d60$@augustcellars.com> <BL2PR03MB4339801A35F0AF205E5C9AFF52B0@BL2PR03MB433.namprd03.prod.outlook.com> <255B9BB34FB7D647A506DC292726F6E13BB184B38C@WSMSG3153V.srv.dir.telstra.com>
In-Reply-To: <255B9BB34FB7D647A506DC292726F6E13BB184B38C@WSMSG3153V.srv.dir.telstra.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [12.130.119.129]
x-microsoft-exchange-diagnostics: 1; BY2PR03MB444; 5:NWO0CRCIxvUNX6gkftUdKsATq4HK+mbX6k30Fe2raVc3tEIc1nczcVVIUIt5qZGPlOJlSt4uYrKjLvReQhi/rxL7yGIYFs2b/kFQ1Ij1mV0dvrVgooLOQbiG/sdEl3VkMpTeOXD94uz69vZ+qWkTAw==; 24:FeQw/b2+9uzmv9T3lvX8PZVmZC6xKrTBoPZj0p4MLi6qN18qXqLLtrIBaePZ8pomO7yILcXK3khntK4bVXwIJiw68e74qdFUXCR4tBenjUY=; 20:g01PmTDivJher7TCOxUZw9LH3mBiUT5xa7vZrHUfFI7/1pkEPvWmH8VkS2/MuWxVdVv3wkP/Y5Ccp17TOa5FcQ==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BY2PR03MB444;
x-microsoft-antispam-prvs: <BY2PR03MB4448F7D9B9CD3346E5E014FF5130@BY2PR03MB444.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(108003899814671);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425024)(601004)(2401047)(5005006)(8121501046)(520078)(3002001)(10201501046)(61426024)(61427024); SRVR:BY2PR03MB444; BCL:0; PCL:0; RULEID:; SRVR:BY2PR03MB444;
x-forefront-prvs: 0757EEBDCA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(43784003)(377454003)(199003)(189002)(99286002)(10400500002)(54356999)(122556002)(5005710100001)(76176999)(10290500002)(2950100001)(10090500001)(106356001)(101416001)(106116001)(105586002)(107886002)(93886004)(19300405004)(76576001)(189998001)(2501003)(5001960100002)(19580405001)(50986999)(81156007)(5003600100002)(77096005)(5001770100001)(97736004)(19580395003)(92566002)(74316001)(11100500001)(102836002)(8990500004)(86362001)(66066001)(2900100001)(86612001)(87936001)(40100003)(5004730100002)(33656002)(19617315012)(5007970100001)(19625215002)(5002640100001)(15975445007)(5008740100001)(16236675004)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:BY2PR03MB444; H:BY2PR03MB442.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_BY2PR03MB4420852E0435FFCA6E42B7AF5130BY2PR03MB442namprd_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Nov 2015 15:37:50.9116 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BY2PR03MB444
Archived-At: <http://mailarchive.ietf.org/arch/msg/jose/kbLKVuf2CrQffW7kcLe-AZZJry4>
Subject: Re: [jose] JWS Unencoded Payload Option spec addressing WGLC comments
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 15:38:01 -0000

Draft -04 now contains security considerations text addressing the confusion about whether the payload is encoded or not that can be created by an attacker under some circumstances, as well as calling out cases in which there is no security problem.

Thanks again for your thoughtful reading of the draft.

                                                            -- Mike

From: Manger, James [mailto:James.H.Manger@team.telstra.com]
Sent: Wednesday, November 04, 2015 4:20 PM
To: Mike Jones; Jim Schaad; jose@ietf.org
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

Mike,

draft-ietf-jose-jws-signing-input-options section 6 "Intended Use by Applications" feels a bit silly. If "b64" is "not intended to be dynamically varied with different payloads" then why are we making it a per-message field?
If an "application context" needs to pick either JWS-without-b64 or JWS-with-b64-false, but never both, then don't let "JWS" be a name than encompasses both - because that is the name apps will use.
"Application context" is itself a dodgy concept here. The point of standardizing JWS is that it works the same regardless of context (so a common library can be used in many contexts). Of course a new feature (like unencoded payloads) can break old apps, but the new feature mustn't silently succeed with the wrong semantics.

The very least (and it isn't nearly enough) there need to be another Security Considerations paragraph:

  A JWS using these signing options can be successfully verified but give the wrong payload if it is ever consumed by a JWS implementation that does not understand these options. Consequently, these options MUST only be used when the signer can guarantee that every possible legitimate verifier has implemented this specification.

--
James Manger




From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Tuesday, 3 November 2015 11:39 AM
To: Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>; Manger, James <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>>; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

You're right Jim, that my "prohibited" language below was too strong.  The proposed language on when "crit" is needed below will handle the case where the application decides to ignore the intended usage and dynamically switch between JWS objects with both "b64":true and "b64":false.

                                                            -- Mike

From: Jim Schaad [mailto:ietf@augustcellars.com]
Sent: Monday, November 02, 2015 8:36 PM
To: Mike Jones; 'Manger, James'; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing WGLC comments



From: Mike Jones [mailto:Michael.Jones@microsoft.com]
Sent: Monday, November 02, 2015 6:23 PM
To: Manger, James <James.H.Manger@team.telstra.com<mailto:James.H.Manger@team.telstra.com>>; Jim Schaad <ietf@augustcellars.com<mailto:ietf@augustcellars.com>>; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

Thanks for your note and for thinking this through, James.  Your comments were useful and made me think, as always.  As I see it, there are several cases to consider.

If the producer implements the extension correctly, then as I wrote on the 21st, if the consumer doesn't understand it, then the signature will fail.  That's the case I was writing about earlier

So the case you're describing has to instead be one in which the producer is an attacker and intentionally not implementing the extension correctly.  In that case, example you give is possible if the receiver doesn't understand the extension.  I used to be concerned about this but now I'm not.  Here are two reasons why:

1.  The recipient is implementing an application that uses JWS - one property of which is a specification by the application of whether the extension is used or not.  If the application uses the extension, then a correctly implemented application client will implement the extension.  In that case, if the attacker uses "b64":false but signs as if "b64" were true (your described attack), then the signature verification will fail.  Whereas, if you start with the premise that the recipient incorrectly implements the application, which your attack requires, then all bets are off in the first place.

2.  The recipient is already making a trust decision dictated by the application's rules for using JWS about whether to trust the sender based on verifying its signature and therefore its identity within the application context.  If the sender is actually an attacker and yet trusted by the recipient once its signature is verified, the recipient has bigger problems than the possibility of the sender being able to generate the same signature for both encoded and unencoded values.  If the sender is an attacker trusted by the recipient, there are likely much worse ways for the sender to trick the recipient, for instance, by signing maliciously generated content, which the recipient then uses.

Only if the application dynamically switches between b64:false and b64:true (something prohibited in https://tools.ietf.org/html/draft-ietf-jose-jws-signing-input-options-03#section-6), would it be necessary for the application to require the use of "crit":["b64"].  That would cause incorrectly implemented application clients to nonetheless reject content signed with b64:false when it doesn't implement "b64".

[JLS] I would disagree that this is prohibited in the section referred to.  The text says "it is intended" this is not that say as saying you MUST only use one.

I will add the thoughts above to the Security Considerations section.

And similarly to argument 1 above, if the application specifies the use of b46:false with the compact serialization *and* the application will use non-baseurl-safe payload characters such as comma, then it already has to be prepared to accurately communicate those characters within the application context.  There is no backwards compatibility problem for existing applications - only new options for new applications, if they choose to use the option.  If the existence of the extension would break any existing applications or require any actions upon their part, then I would agree that this spec should be marked as updating RFC 7515.  But as it is, it's just a spec using the IANA registry to register a new header parameter value.  We certainly don't want to set the precedent that every new header parameter registration will also require updating RFC 7515.

Jim, I believe that the thoughts above also address the two questions in your October 18th note in the same thread.  Please let me know if you disagree.

                                                            -- Mike

From: Manger, James [mailto:James.H.Manger@team.telstra.com]
Sent: Thursday, October 22, 2015 9:32 AM
To: Jim Schaad; Mike Jones; jose@ietf.org<mailto:jose@ietf.org>
Subject: RE: [jose] JWS Unencoded Payload Option spec addressing WGLC comments

Unfortunately Mike, the signature validation will not fail. By design draft-ietf-jose-jws-signing-input-options mimics RFC7515 in using "bytes before the 2nd dot" as the bytes to sign/verify. Consider a signer choosing the b64=false option from draft-ietf-jose-jws-signing-input-options to sign the 12-byte message "IOU_5000_USD". The header is {"alg":"HS256","b64":false} giving the JWS:
  eyJhbGciOiJIUzI1NiIsImI2NCI6ZmFsc2V9.IOU_5000_USD.xxxxxxxxxxxxxxxxxxxxxxxx

A verifier that only understands RFC7515 JWS interprets this as a normal JWS with an unknown but ignorable header member. The signature is still over eyJ..USD so it still verifies. The verifier then base64url-decodes the IOU.. part to get the validly-signed 9-byte content (in hex) 20 E5 3F E7 4D 34 FD 44  83.
Ouch! One JWS can be interpreted as a signed 12-byte or 9-byte message.

One fix might be to make the b64=false signing input:
  BASE64URL(UTF8(JWS Protected Header)) || '..' || JWS Payload
The two dots ensure the bytes signed when b64=false can never look like bytes signed according to RFC7515.
draft-ietf-jose-jws-signing-input-options should probably do this in addition to setting the crit field (so you can get a meaningful error message of "unsupported variety of JWS", instead of "signature failure" that could have all sorts of causes).


>From RFC7515 JWS, it would be perfectly reasonable to store a collection of compact-serialized-JWSs as comma-separated values - since a RFC7515 compact-serialized-JWS cannot contain a comma. draft-ietf-jose-jws-signing-input-options breaks that perfectly reasonable choice as now an unencoded non-detached JWS can have any bytes and still be called a compact-serialized-JWS. Saying draft-ietf-jose-jws-signing-input-options updates RFC7515 is the minimum required to note this, though that isn't really adequate. A better solution is to not allow an unencoded non-detached message to be called a compact-serialized-JWS: either don't define this combination, or call it something else (eg JWS raw serialization).

--
James Manger

v2.23.0 | Report a Bug | By Email