Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens

Neil Madden <> Fri, 20 April 2018 10:49 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 82FAB129C6E; Fri, 20 Apr 2018 03:49:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id JwBoQUOiqLgK; Fri, 20 Apr 2018 03:49:08 -0700 (PDT)
Received: from ( [IPv6:2a00:1450:400c:c0c::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 38F6D12E8D4; Fri, 20 Apr 2018 03:49:07 -0700 (PDT)
Received: by with SMTP id o15-v6so21766804wro.11; Fri, 20 Apr 2018 03:49:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=QzFbOcRLSuO8SmN/OdKRhH4ffSnHIq8/fGzJ2jjK4E8=; b=Uk4gtVxSrk2ILhDOaEEsW2cOrFvQ4rUKoi77qccwX5KD5uZ2lZOc1GS3Ha7+L7vIOV Hj6JkfFruDbK9eaxyfqcMCoj/+bMekN8lS9AH/+hLakKI5rEB8dal6RuqYe7eIrqh4yc SD9HQOLcEzG5CoPrsXxjdUVBVvp1wkh3qd4L/Q3GXM4u3twp/IIYG7reyhLvSKYvxHUS eRGddwWwHpjerzHuZG5AErjLEWtpZ4g/ffPZzh2RCHAPGK1OarCuwV0ufFEXfwlW+nZi IIQ1ObEQHGQkIhpsVnaRDClPOwsj/1QLeDp3X6Vz7ivSbP9IR5w2gDX1ovEWkj3yWz6h Cprg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=QzFbOcRLSuO8SmN/OdKRhH4ffSnHIq8/fGzJ2jjK4E8=; b=oej4VI0+l/mlofQeY0pYN3Bj2kJ6MgaHM9oLSsP8p2IRGmvWfpKj8mSEIFK59Pss9+ zkEss+Kvj6Enina+oskrgK9ZBlitDhNraZDoRI0wYO1DNgmXjYTPmeHuUhJk6zo9gumc aPLCtYT20mcK3/UYQEEZoh1phVIzwX0TLzNrKa2O+doNO3PVvfcgBxFXlIzo1RVrw3AC 3ZvVuJ5tkT4WGbKuZ6oAyLx8W5vFy/SJhxAa2z4rp/+Y3XStfRNNG32/oCCnI65oZDnn h0JzS9bKFqb5r4jEKDuYQ57IJd8PDwsNUPgjVioNgeiZANjvGuxuTlwvLU6paV9wbp+x V+cg==
X-Gm-Message-State: ALQs6tDGnyXCtwjecoVRMv+NRea7XhzqpC7hnCiaHL3e/5EHYKruyOhr eN55cNCFSqfwroF0ZQv4B9U=
X-Google-Smtp-Source: AIpwx4+JhVWDRZg5geDneXQa8ZghGtcFdDtqL8ia6keiSlRDJei7HRuowcxJvGqAPFIrIdOvQnherQ==
X-Received: by with SMTP id w143mr1681482wmw.88.1524221345633; Fri, 20 Apr 2018 03:49:05 -0700 (PDT)
Received: from guest2s-mbp.home ( []) by with ESMTPSA id u8sm653842wmf.3.2018. (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 20 Apr 2018 03:49:04 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 11.3 \(3445.6.18\))
From: Neil Madden <>
In-Reply-To: <>
Date: Fri, 20 Apr 2018 11:49:02 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <> <>
To: Scott Arciszewski <>
X-Mailer: Apple Mail (2.3445.6.18)
Archived-At: <>
Subject: Re: [jose] [Cfrg] RFC Draft: PASETO - Platform-Agnotic SEcurity TOkens
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 20 Apr 2018 10:49:11 -0000

Comments inline below.

> On 20 Apr 2018, at 03:33, Scott Arciszewski <> wrote:
> Hi Neil,
> > Firstly, your blog post states that ECDH in JOSE is only defined for NIST curves. Actually, RFC 8037 [1] defined X25519/X448 for ECDH in JWE and EdDSA for JWS.
> That's great. This was not known to me when I wrote the blog post in March 2017.
> I'm curious: Which libraries implement RFC 8037 and eschew the foot-gun public key cryptography protocols?
> If RFC 8037 adoption has reached 100% of libraries and protocols that implement JOSE standards, and none of them speak RSA-PKCS1v1.5 or non-deterministic ECDSA with a NIST curve anymore, I'll need to reevaluate my position on JOSE at the ecosystem level. Otherwise, JOSE's legacy of being an error-prone cryptographic standard is still rather damning at the ecosystem level, and the only effective means of fixing that is to replace the entire standard with something not-broken.

I think you are overestimating the effectiveness of this strategy. Unfortunately, insecure implementations of old standards don’t go away because you introduce a new standard.

> >​ ​- The basic encryption construction [3] appears (to me at least) to be a novel design based on three passes over the message: once to generate a pseudorandom nonce in an SIV-like construction (but not actually authenticating the message), a second time to encrypt, and then a third time to authenticate the cipher text. Is this a well-studied design? What security goal is it designed to meet?
> The v1 construction is literally CTR+HMAC. It uses HKDF for key splitting (which is what HKDF was meant for). It uses SHA384 so only one hash function needs to be implemented. (SHA384 was chosen due to it being the best of the SHA2 variants available in e.g. PHP 7.0 that's immune to length-extension attacks.) Furthermore, v1 uses PSS instead of PKCS1v1.5 because PKCS1v1.5 is a terrible idea.
> What you're calling an SIV-like construction is just part of the nonce/HKDF-salt generation scheme for v1. Its purpose is to add a safeguard in case someone implements it against an insecure RNG such as OpenSSL's RAND_bytes() (which is not fork-safe and might repeat outputs, which would be catastrophic for CTR mode). If an implementation eschewed that and just did /dev/urandom here, it wouldn't affect much since the nonce provided in the actual token is what's used to decrypt. As long as HMAC-SHA384 is collision-resistant, it will serve its purpose of avoiding nonce-reuse conditions and otherwise isn't that important.

Don’t get me wrong, I think this is a nice idea, but it’s also sufficiently novel that I don’t feel comfortable saying that PASETO v1.local is “just” CTR+HMAC with a few minor tweaks. The HMAC key for the GetNonce() function is coming from the PRNG that you do not trust because it may be biased, poorly designed, etc. If you look at the design of HKDF, it puts potentially biased source key material in the (non-key) input to HMAC and uses either a fixed/empty constant or an (unbiased) random salt as the key. Part of the rationale is given on page 19 of [1]:

“[…] PRFs are specifically designed to remain secure even when the inputs (except for the key) are fully known and correlated, or even adversarially chosen.”

So what can we conclude about the pseudorandom collision resistance of the output of HMAC when the *key* comes from a potentially biased/untrusted source? I’m not a cryptographer, so maybe that is still fine, but I don’t know if you could prove it without making non-standard assumptions about HMAC.


> AES-CTR then HMAC-SHA2 is a pretty simple and well-studied construction, although AES-CBC is more common than AES-CTR. We find it simpler to implement CTR mode safely in real world systems that only give you ECB mode out of the box, without introducing e.g. padding-related bugs.
> ​> Why not just use SIV mode?
> Open up the crypto interfaces exposed in any three of the most used programming languages on the Internet today. You can be biased and pick your favorites, as long as they power >= 1% of the Internet and aren't something totally obscure. Then tell me which among them offer SIV mode.

From a quick survey:

 - OpenSSL is adding support for AES-SIV [2], apparently because it is planned to be mandatory to implement for NTP security [3].
 - BoringSSL supports AES-GCM-SIV [4] (admittedly this is not quite a straightforward application of SIV mode).
 - Google Tink supports AES-SIV [5] on Java (& Android) with Go, C++, Objective-C in development/planned (I believe), and Javascript and C# ports “in the works".


> Protocol v1 literally only exists for systems that use e.g. OpenSSL and cannot, for political or technical reasons, use something like NaCl, libsodium, HaCl, etc.

AES-SIV itself is a relatively straight-forward composition of AES-CMAC (or another MAC) and AES-CTR, which are widely available building blocks.

> > - PASETO still relies on the message to tell it the type of crypto algorithms in use: “v1.local” vs “v1.public” vs “v2.local” etc. Isn’t this “alg” again, but with a more restricted (and higher-level) set of algorithms? I don’t think this is necessary at all - see below for an alternative. ​
> There is one advantage to what we're doing here (v1.local vs v2.local) over what JOSE does: Instead of library designers or users being able to mix-and-match cryptography protocols, they choose their version and purpose and the rest of the details are decided for them.
> No knobs, no levers, no corner cases where someone accidentally deploys e=d=1 RSA [1]. Instead, they get one simple, misuse-resistant standard that solves their needs without any surprises.

Right, but you could write an RFC that proposes 4 new JOSE algorithms: “v1.local”, “v1.public”, “v2.local”, “v2.public” and marks all others (and associated headers) as prohibited. Wouldn’t that be pretty similar to the core of PASETO? The fundamental problem with “alg” in JOSE is that it requires you to trust the message to tell you what algorithm to use to validate that message. PASETO makes exactly the same mistake, it just has a much better (and much smaller) algorithm selection. 


I think the work you are doing on PASETO is valuable and has a lot of nice ideas. I would also say that is already better than JOSE as it currently is, but I’m not sure it is the best replacement.

Kind regards,