IETF Logo Mail Archive

Re: [jose] High risk vulnerability in RFC 7515

Jim Schaad <ietf@augustcellars.com> Wed, 14 September 2016 17:47 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 69B5F12B387 for <jose@ietfa.amsl.com>; Wed, 14 Sep 2016 10:47:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.409
X-Spam-Level:
X-Spam-Status: No, score=-3.409 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BvXeKmgCFt5w for <jose@ietfa.amsl.com>; Wed, 14 Sep 2016 10:47:51 -0700 (PDT)
Received: from mail2.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A14312B373 for <jose@ietf.org>; Wed, 14 Sep 2016 10:47:51 -0700 (PDT)
Received: from hebrews (192.168.1.152) by mail2.augustcellars.com (192.168.1.201) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 14 Sep 2016 11:01:02 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'Nathaniel McCallum' <npmccallum@redhat.com>, 'Quan Nguyen' <quannguyen@google.com>, 'Michael Jones' <mbj@microsoft.com>, 'John Bradley' <ve7jtb@ve7jtb.com>, '崎村夏彦' <n-sakimura@nri.co.jp>, 'Thai Duong' <thaidn@google.com>, jose@ietf.org
References: <CAKkgqz3GdMG2Q=5jcuLnccWTs4jOjjR_8DzBdoiRE2uEkTLr1g@mail.gmail.com> <CAKkgqz2s8GKSYQ4_LGgupahrkyhmb0e9jWYenLR3X7bMePFy5w@mail.gmail.com> <1473871534.10979.12.camel@redhat.com>
In-Reply-To: <1473871534.10979.12.camel@redhat.com>
Date: Wed, 14 Sep 2016 10:47:36 -0700
Message-ID: <009201d20eb0$16c11030$44433090$@augustcellars.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQJrFRz97mT1CUIRddnkgdqF/2P8gALypMnKAmu0Q0KfHELYkA==
Content-Language: en-us
X-Originating-IP: [192.168.1.152]
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/nlspsqFY8K1Dx71jWbS9wzOltHs>
Subject: Re: [jose] High risk vulnerability in RFC 7515
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 Sep 2016 17:47:53 -0000

The jwk parameter is required when doing ephermal-static ECDH as that is the only way to carry the ephemeral key from the sender to the recipient.

One always needs to validate the key no matter how it is obtained so I would have a hard time not saying that this is a library user problem.

Jim


> -----Original Message-----
> From: jose [mailto:jose-bounces@ietf.org] On Behalf Of Nathaniel McCallum
> Sent: Wednesday, September 14, 2016 9:46 AM
> To: Quan Nguyen <quannguyen@google.com>; Michael Jones
> <mbj@microsoft.com>; John Bradley <ve7jtb@ve7jtb.com>; 崎村夏彦 <n-
> sakimura@nri.co.jp>; Thai Duong <thaidn@google.com>; jose@ietf.org
> Subject: Re: [jose] High risk vulnerability in RFC 7515
> 
> OTOH, removing the 'jwk' parameter means that all attributes of keys need to be
> duplicated in the header namespace.
> 
> I concur that nobody should trust the contents of the jwk parameter without
> additional verification. And I would support language of this type in an errata.
> But I think the 'jwk' parameter does have real value.
> 
> On Wed, 2016-09-14 at 08:34 -0700, Quan Nguyen wrote:
> >
> >
> On Tue, Sep 13, 2016 at 8:43 PM, Quan Nguyen <quannguyen@google.com>
> > wrote:
> Hi,
> 
> I'm Quan Nguyen, a Google Information Security Engineer.
> 
> RFC 7515, https://tools.ietf.org/html/rfc7515#section-4.1.3  "jwk"
> > (JSON Web Key) Header Parameter allows the signature to include the
> > public key that corresponds to the key used to digitally sign the JWS.
> > This is a really dangerous option [1]
> 
> This option allows any attacker to just generate private key /public
> > key pair, send the public key together with the signature and and
> > signature will be valid. It means that the signature is meaningless
> > and easily bypassed. Note that even if it's OPTIONAL, the attacker or
> > MITM can always include that field.
> 
> I'm aware that you have a section 6 and Appendix D talking about key
> > trust decision. However:
>      1.  There is no reason to trust this key
>      2.  There is no way to verify public key's truthfulness to make
> > trust decision, unless the receiver already knows the public key in
> > advance (in that case, "kid" is enough).
> 
> I've seen library making this mistake, but they just followed the
> > RFC, so it's hard to convince them to fix the issue. In the end of the
> > day, users are vulnerable. Furthermore, I believe this is RFC's
> > vulnerability, not the library.
> 
> Regards,
> 
> -Quan
> 
> [1] I'm aware that there may be a rare use-case that needs to send
> > the public key, e.g., certificate signing request, but even in that
> > case, the user can send the public key, e.g, in opaque field in JWT.
> 
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.
> 
> _______________________________________________
> jose mailing list
> jose@ietf.org
> https://www.ietf.org/mailman/listinfo/jose

v2.23.0 | Report a Bug | By Email