IETF Logo Mail Archive

Re: [jose] Towards a More Secure JOSE Standard

Paragon Initiative Enterprises Security Team <security@paragonie.com> Thu, 30 March 2017 17:52 UTC

Return-Path: <scott@paragonie.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFA271299EE for <jose@ietfa.amsl.com>; Thu, 30 Mar 2017 10:52:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paragonie-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1lzL1IS4geHV for <jose@ietfa.amsl.com>; Thu, 30 Mar 2017 10:52:48 -0700 (PDT)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 12948129639 for <jose@ietf.org>; Thu, 30 Mar 2017 10:52:48 -0700 (PDT)
Received: by mail-oi0-x234.google.com with SMTP id r203so38583046oib.3 for <jose@ietf.org>; Thu, 30 Mar 2017 10:52:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=TbdPj+yF13zq6y7EPW18dS0S+TTMLTwAytFPWM1ycnE=; b=X4YTa7X7cqbH1xVO8nRL/YvpV6Yabz6o5bMKBKE7MDXaNSslz1k/P1HsKfM1/oPSWO x1MtLb5m6pDjnhfscI1Kl1WhNK8JfjXSYRNSa4ZoaTr9MieKIPhY7RGagc8Q+f2DILxD rm6SF9Yi2YIjFv8eyHx8aF7p7RkQgIF21HexeB41RJXbh06cyS7r2PdaFSY6ZAxyybnN zWuLeRzjqI+1r3Iyulo4p43IwDtvDPRCiliyZPY74/S0DFLKjo/oSHcyoHkF1cRZ/m5B I/eKWYD0l0lRG9Mx3SWqrHzo22bwTuGh0dPn+TG8zI0NHJLVdgmcI37dK8MNMWxihpQa +f0A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=TbdPj+yF13zq6y7EPW18dS0S+TTMLTwAytFPWM1ycnE=; b=iWY93rLfSWnZ0wK7+0jx0VUKRmr1D20hpPk5X3pfc3bl6bZiflwWucoKi691Etj32B TjBSGpo8sCrqVmmYUvaEA4FfD0/f+HBygwr/8PrcdE3kBIgylKR/X5LvXuFWlkbb3eAQ 0fHi33i/jKZ+9BTFGYQduEQvQAqvJ+blRv7raToNCJ6Vy9UUg53YQxcmyUkNOC0oJ8u6 sR0LaFsUO8FSZ8m+TSyVNbq5I/HbulpXPxBdzCWFab8p5BQ4nRWWbKy2avMBGupMOCsy uR0y4GhiYYkf97oHk0WqKeXs2dcGMtdqN3pUgfGyqDW6+Oz5b6AfqvNmS8vQDTHWvN8f nCRQ==
X-Gm-Message-State: AFeK/H3zp7LRs4Yx8DY357RlhTq4GCv7gbelj2ledeAUWkFdKlDTasTXMCUunVPc9lTHyPciYh92tBlcZCI+zg==
X-Received: by 10.157.38.229 with SMTP id i34mr574751otd.97.1490896367249; Thu, 30 Mar 2017 10:52:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.46.198 with HTTP; Thu, 30 Mar 2017 10:52:46 -0700 (PDT)
In-Reply-To: <CAOASepN8Q5aZEfkc6buoTpBo_Xpoavxt1e5qruX6Cg24K3Ec2g@mail.gmail.com>
References: <CAKws9z0UxAFynhW1jf34VARyV82VHVEwhg4E4rcyMMtSGeHj4w@mail.gmail.com> <FCF428D5-9FF5-460D-8C54-D148177A38F9@mit.edu> <CAKws9z1jhYfE4fJBSn9Yp+ETKRgsiH6ZsW5J76AfytWSAY-85w@mail.gmail.com> <CAOASepN8Q5aZEfkc6buoTpBo_Xpoavxt1e5qruX6Cg24K3Ec2g@mail.gmail.com>
From: Paragon Initiative Enterprises Security Team <security@paragonie.com>
Date: Thu, 30 Mar 2017 13:52:46 -0400
Message-ID: <CAKws9z1_H0+YXa-DLPEKKnTdZYQU7U4bvB9iRcDoGiLhcas+wA@mail.gmail.com>
To: Nathaniel McCallum <npmccallum@redhat.com>
Cc: Justin Richer <jricher@mit.edu>, jose@ietf.org
Content-Type: multipart/alternative; boundary="001a11393f365e006e054bf65cb0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/nc7qsxrRZLfhcBVOwQDiIBtKaEY>
Subject: Re: [jose] Towards a More Secure JOSE Standard
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Mar 2017 17:52:52 -0000

On Wed, Mar 29, 2017 at 3:29 PM, Nathaniel McCallum <npmccallum@redhat.com>
wrote:

> On Wed, Mar 29, 2017 at 2:36 PM, Paragon Initiative Enterprises
> Security Team <security@paragonie.com> wrote:
> > On Wed, Mar 29, 2017 at 2:22 PM, Justin Richer <jricher@mit.edu> wrote:
> >>
> >> If the problem is substituting “alg: RS256” with “alg: HS256” or the
> like,
> >> how is that any different from substituting “mode: ps” with “mode: sa”?
> >> There have been some reasonable arguments for removing the algorithm
> >> selection from the JOSE package, but this proposal doesn’t do that.
> Instead,
> >> it simply defines *new* headers for algorithm selection. Ergo, unless
> I’m
> >> missing a key point here, this is just kicking things down the road a
> little
> >> bit.
> >>
> >>  — Justin
> >>
> >> On Mar 29, 2017, at 11:19 AM, Paragon Initiative Enterprises Security
> Team
> >> <security@paragonie.com> wrote:
> >>
> >> Hello,
> >>
> >> We've outlined some suggestions to make a JOSE replacement/upgrade more
> >> secure. Our suggestions are outlined at
> >> https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c
> 03,
> >> but I have mirrored them below.
> >>
> >> Changes to JOSE that will prevent insecurity
> >>
> >> Deletions
> >>
> >> JWS and JWE
> >>
> >> Drop the alg header
> >>
> >> Neither JOSE users nor JOSE library designers should be required to
> >> understand cryptography primitives. At a lower level, this can lead to
> badly
> >> implemented primitives. On a higher level, this can lead to reasoning by
> >> lego.
> >>
> >> For all the reasons outlined here and here, the alg header (and
> algorithm
> >> agility in its entirety) should be considered harmful.
> >>
> >> JWE
> >>
> >> Drop the enc header
> >>
> >> For the same reason we're dropping the alg header, we should drop the
> enc
> >> header.
> >>
> >> Consider dropping the zip header
> >>
> >> As we've seen with CRIME and BREACH, as well as this error oracle attack
> >> against iMessage, compression can introduce side-channels that totally
> >> undermine confidentiality.
> >>
> >> This one is less of a hard-and-fast requirement to make JOSE secure,
> but I
> >> still strongly recommend it.
> >>
> >> Additions
> >>
> >> JWS and JWE
> >>
> >> New header: ver (version)
> >>
> >> Instead of letting library developers and users mix-and-match
> cryptography
> >> algorithms, the only choice they should be given is, "Which version are
> we
> >> using?" Versions can look like this:
> >>
> >> Version 1:
> >>
> >> HMAC-SHA256 for shared-key authentication
> >> AES-128-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for shared-key
> >> encryption
> >> RSA-OAEP with MGF1-SHA256 and e=65537 + AES-128-CBC in KEM+DEM for
> >> public-key encryption, min. key size: 2048-bit
> >> RSASSA-PSS with MGF1-SHA256 and e=65537 for public-key digital
> signatures,
> >> min. key size: 2048-bit
> >>
> >> Version 2:
> >>
> >> HMAC-SHA256 for shared-key authentication
> >> AES-256-GCM for shared-key encryption
> >> ECDH over secp256r1 (NIST P-256) + AES-256-GCM for public-key encryption
> >>
> >> Libraries must verify that the point is on the curve
> >>
> >> ECDSA over secp256r1 (NIST P-256), adhering to RFC 6979 (deterministic
> >> ECDSA), for public-key digital signatures
> >>
> >> Version 3:
> >>
> >> HMAC-SHA512-256 for shared-key authentication
> >>
> >> As per NaCl, this is HMAC-SHA-512 truncated to 256 bits, not
> >> HMAC-SHA-512/256.
> >>
> >> Xsalsa20poly1305 for shared-key encryption
> >> X25519 + Xsalsa20poly1305 for public-key encryption
> >> Ed25519 for public-key digital signatures
> >>
> >> Libraries that support version 3 SHOULD NOT support version 1.
> >>
> >> New header: mode
> >>
> >> Only four options (case-insensitive):
> >>
> >> se = Shared-key Encryption
> >> sa = Shared-key Authentication
> >> pe = Public-key Encryption
> >> ps = Public-key digital Signatures
> >>
> >>
> >> Kind regards,
> >>
> >> Security Team
> >> Paragon Initiative Enterprises
> >> _______________________________________________
> >> jose mailing list
> >> jose@ietf.org
> >> https://www.ietf.org/mailman/listinfo/jose
> >>
> >>
> >
> > Hi,
> >
> >> If the problem is substituting “alg: RS256” with “alg: HS256” or the
> like,
> >> how is that any different from substituting “mode: ps” with “mode: sa”?
> >
> >
> > There are more problems than the RS256/HS256 critical vulnerability from
> > 2015, but nonetheless, you raise a good point:
> >
> > The mode should be decided out-of-band, not supplied by the attacker.
> >
> > Therefore, the mode header must be made optional (i.e. it's purely
> > informational) and implementations should be encouraged to only operate
> in
> > one mode at a time (i.e. not decided by the message they receive).
> >
> >> There have been some reasonable arguments for removing the algorithm
> >> selection from the JOSE package, but this proposal doesn’t do that.
> Instead,
> >> it simply defines *new* headers for algorithm selection. Ergo, unless
> I’m
> >> missing a key point here, this is just kicking things down the road a
> little
> >> bit.
> >
> >
> > The previous standard allowed people to choose which hash function,
> which of
> > the NIST P-curves, etc. to use. The new proposal only allows for one
> > cipher/algorithm per use-case. These algorithm decisions should be made
> by
> > experts and given as non-tweakable, hard-coded configuration options.
> There
> > is no "a little of column A, a little of column B", you either use
> version 2
> > or version 3.
> ​​
>
> But the attacker still gets to choose what version to lie about.
> Implementers will still have to verify that the expected algorithm (as
> defined implicitly by the version) matches the inputs. Failure to
> check inputs has been the cause of all the major vulnerabilities. This
> plan adds precisely no additional security but comes with great cost
> for implementers.
>
> The bottom line is that implementers of JOSE need to know what they're
> doing. The expectation that someone can write a JOSE library without
> understanding cryptographic primitives is unrealistic.
>

​Nathaniel,

​
> ​But the attacker still gets to choose what version to lie about.

Implementers will still have to verify that the expected algorithm (as

defined implicitly by the version) matches the inputs.
> ​​
> ​​
> Failure to
> check inputs has been the cause of all the major vulnerabilities.
> ​​
> This
> plan adds precisely no additional security but comes with great cost

for implementers.​
> ​


​I'd like to unpack your claims here.

​
> ​
> ​
> ​But the attacker still gets to choose what version to lie about.

Implementers will still have to verify that the expected algorithm (as

defined implicitly by the version) matches the inputs.


​Let's look at version 3 of the original email:

   - HMAC-SHA-512-256: 32 byte signature
   - Ed25519: 64 byte signature (RFC 8032 for reference)​
   - XSalsa20Poly1305: [ciphertext] + [16 byte authentication tag]
   - X25519 + XSalsa20Poly1305: [32 byte ephemeral X25519 public key] +
   [Ciphertext] + [16 byte authentication tag]

The respective libsodium functions here would be: crypto_auth(),
crypto_sign(), crypto_secretbox(), and crypto_box_seal() if you'd like a
reference implementation.

The analogous ​attacks on RS256/HS256 confusion do not apply: If you
attempt to crypto_auth_verify(signature, message, pk) instead of
crypto_sign_verify_detached(signature, message, pk), it will fail in
constant time (i.e. the signature is not long enough).

In fact, in *all* cases the preferred underlying library will fail closed
without leaking useful timing information. Can the same be said of the JOSE
standards?

​
> Failure to check inputs has been the cause of all the major
> vulnerabilities.
>

​No, a badly-written standard that maximizes the joinery between different
cryptography protocols, encourages users to mix-and-match primitives, and
has weird key encapsulation schemes (n.b. AES-GCM does not belong in the
same category as public-key cryptography), while placing all the blame on
libraries and users, and furthermore has not been designed with the
assistance of a professional cryptographer, has been the root cause of all
the major vulnerabilities.

As an industry, we've grown past the point to where we can just blame users
for mistakes enabled by our error-prone cryptographic designs. Has the IETF
lagged behind here?

​
> ​
> This
> ​
> plan adds precisely no additional security ​


​That's an interesting claim, and easily debunked:

By getting rid of RSA PKCS1v1.5 encryption and signing, we eliminate any
chance of Daniel Bleichenbacher's 1998 or 2006 attacks against RSA +
PKCS1v1.5 padding, which increases the security of implementations by a
nonzero amount.

If anyoune would like to argue that PKCS1v1.5 is just fine (insert dog
drinking coffee in a house fire here), be sure to CC some of the TLSWG and
CFRG members; they could use a laugh.

Security Team
Paragon Initiative Enterprises <https://paragonie.com/security>​

v2.23.0 | Report a Bug | By Email