Re: [jose] Use of ECDH-ES in JWE

Brian Campbell <bcampbell@pingidentity.com> Tue, 21 February 2017 20:23 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 21 Feb 2017 13:23:13 -0700
Message-ID: <CA+k3eCRVzLHhKfrgdDBgCFs_Q9Lt4-6cKXA-eU3wMzaa4O7QBw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/rBvoBBzw161tcSUqa6h5Q_tKm-Q>
Cc: Antonio Sanso <asanso@adobe.com>, "jose@ietf.org" <jose@ietf.org>, Vladimir Dzhuvinov <vladimir@connect2id.com>
Subject: Re: [jose] Use of ECDH-ES in JWE

This seems similar in nature to some of the security consideration advice
in JWE https://tools.ietf.org/html/rfc7516#section-11.4 and
https://tools.ietf.org/html/rfc7516#section-11.5 and JWA
https://tools.ietf.org/html/rfc7518#section-8.3 and
https://tools.ietf.org/html/rfc7518#section-8.4 that an average implementer
(like myself) would very likely not be aware of unless some attention is
called to it.

The point about people missing the errata is totally legit. But in the
absence of some other way to convey it, perhaps it'd be better to have it
written down as errata than not at all? Maybe Antonio would be the one to
submit an errata for RFC 7518 https://www.rfc-editor.org/errata.php ?

Certification for JOSE/JWT libraries sounds interesting. Having an errata
for this would serve as a reminder for at least one negative test that
should be done in that, if/when it comes to pass.

On Mon, Feb 13, 2017 at 8:34 AM, John Bradley <ve7jtb@ve7jtb.com> wrote:

> An errata is possible.   There is no way to update the original RFC.
>
> The problem tends to be that most developers miss the errata when reading
> specs if they ever look at the specs at all.
>
> We probably also need a more direct way to communicate this to library
> developers as well.
>
> In the OIDF we are talking about developing a certification for JOSE/JWT
> libraries like we have for overall server implementations.
>
> John B.
>
>
> > On Feb 13, 2017, at 7:57 AM, Antonio Sanso <asanso@adobe.com> wrote:
> >
> > hi Vladimir,
> >
> > thanks a lot for taking the time and verifying.
> > I really think it should be mentioned somewhere.
> > The problem is that Elliptic Curves are over the head of many
> > people/developers and it should be at least
> > some reference on the JOSE spec about defending against this attack.
> > Said that I have so far reviewed 3 implementations and all 3 were
> > somehow vulnerable. And counting….
> >
> > regards
> >
> > antonio
> >
> > On Feb 13, 2017, at 7:41 AM, Vladimir Dzhuvinov <vladimir@connect2id.com>
> > wrote:
> >
> >> Hi Antonio,
> >>
> >> Thank you for making us aware of this.
> >>
> >> I just checked the ECDH-ES section in JWA, and the curve check
> >> apparently hasn't been mentioned:
> >>
> >> https://tools.ietf.org/html/rfc7518#section-4.6
> >>
> >> It's not in the security considerations either:
> >>
> >> https://tools.ietf.org/html/rfc7518#section-8
> >>
> >>
> >> Vladimir
> >>
> >> On 09/02/17 12:39, Antonio Sanso wrote:
> >>> hi all,
> >>>
> >>> this mail is highly inspired from a research done by Quan Nguyen [0].
> >>>
> >>> As he discovered and mentions in his talk there is a high chance the
> >>> JOSE libraries implementing ECDH-ES in JWE are vulnerable to invalid curve
> >>> attack.
> >>> Now I read the JWA spec and I did not find any mention that the
> >>> ephemeral public key contained in the message should be validated in order
> >>> to be on the curve.
> >>> Did I miss this advice in the spec or is it just missing? If it is not
> >>> clear enough the outcome of the attack will be the attacker completely
> >>> recover the private static key of the receiver.
> >>> Quan already found a pretty well known JOSE library vulnerable to it.
> >>> So did I.
> >>>
> >>> WDYT?
> >>>
> >>> regards
> >>>
> >>> antonio
> >>>
> >>> [0] https://research.google.com/pubs/pub45790.html
> >>> [1] https://tools.ietf.org/html/rfc7518
> >>> _______________________________________________
> >>> jose mailing list
> >>> jose@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/jose
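The receiver-side check that Vladimir and Antonio note is missing from RFC 7518 section 4.6, written out as an added Python example. This is not code from the thread or from any of the JOSE libraries discussed; it assumes the JWE protected header layout of RFC 7516/7518 (an "epk" EC JWK with base64url fixed-length "x" and "y" coordinates), uses only NIST P-256 domain parameters, takes the expected curve from the recipient's static key rather than from the header, and feeds itself two constructed sample headers: one carrying the P-256 generator and one carrying the same coordinates with y nudged off the curve.

```python
import base64
import json

# NIST P-256 domain parameters (FIPS 186-4 / SEC 2). Only p, a and b are
# needed for the on-curve test; the generator G is kept so the constructed
# sample below has a known-good point. Other JWA curves (P-384, P-521) would
# be added to CURVES the same way with their own parameters.
P256 = {
    "p": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF,
    "a": 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFC,
    "b": 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B,
    "gx": 0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
    "gy": 0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5,
    "coord_len": 32,  # RFC 7518 6.2.1.2: x and y are fixed-length octet strings
}
CURVES = {"P-256": P256}


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding JWK coordinates use."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def is_on_curve(curve: dict, x: int, y: int) -> bool:
    """True iff (x, y) is an affine point on y^2 = x^3 + a*x + b over GF(p)."""
    p = curve["p"]
    if not (0 <= x < p and 0 <= y < p):  # coordinates must be reduced field elements
        return False
    return (y * y - (x * x * x + curve["a"] * x + curve["b"])) % p == 0


def validate_epk(epk: dict, expected_crv: str) -> tuple:
    """Return (x, y) for an acceptable 'epk' JWK, or raise ValueError.

    expected_crv comes from the recipient's static private key; the header
    is attacker-controlled, so its 'crv' is compared against it, not trusted.
    """
    if epk.get("kty") != "EC":
        raise ValueError("epk must be an EC key")
    if epk.get("crv") != expected_crv:
        raise ValueError("epk curve does not match the static key's curve")
    curve = CURVES[expected_crv]
    xb, yb = b64url_decode(epk["x"]), b64url_decode(epk["y"])
    if len(xb) != curve["coord_len"] or len(yb) != curve["coord_len"]:
        raise ValueError("coordinate has wrong length for the curve")
    x, y = int.from_bytes(xb, "big"), int.from_bytes(yb, "big")
    if not is_on_curve(curve, x, y):
        raise ValueError("epk is not a point on the expected curve")
    return x, y


def epk_is_acceptable(protected_header_json: str, expected_crv: str = "P-256") -> bool:
    """Gate for a JWE receiver: False means do not run ECDH with this header at all."""
    try:
        header = json.loads(protected_header_json)
        validate_epk(header["epk"], expected_crv)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def make_epk(crv: str, x: int, y: int) -> dict:
    """Build an EC JWK the way a sender would (used only for the constructed samples)."""
    n = CURVES[crv]["coord_len"]
    return {"kty": "EC", "crv": crv,
            "x": b64url_encode(x.to_bytes(n, "big")),
            "y": b64url_encode(y.to_bytes(n, "big"))}


# Constructed sample protected headers, not captured traffic.
GOOD_HEADER = json.dumps({"alg": "ECDH-ES", "enc": "A128GCM",
                          "epk": make_epk("P-256", P256["gx"], P256["gy"])})
# Same x with y+1: a well-formed JWK whose point is NOT on P-256.
OFF_CURVE_HEADER = json.dumps({"alg": "ECDH-ES", "enc": "A128GCM",
                               "epk": make_epk("P-256", P256["gx"], P256["gy"] + 1)})

if __name__ == "__main__":
    print("generator epk accepted:", epk_is_acceptable(GOOD_HEADER))        # True
    print("off-curve epk accepted:", epk_is_acceptable(OFF_CURVE_HEADER))   # False
```

The three JWA NIST curves all have cofactor 1, so the range check plus the curve equation is the whole point-validation step; a production receiver should let its crypto library perform it (and confirm that it does) rather than hand-roll field arithmetic. The OFF_CURVE_HEADER case is exactly the negative test Brian mentions above: a library that decrypts (or even attempts the ECDH) with that header fails it.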