Re: [jose] Towards a More Secure JOSE Standard
Paragon Initiative Enterprises Security Team <security@paragonie.com> Wed, 29 March 2017 18:36 UTC
Return-Path: <scott@paragonie.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E113412946F for <jose@ietfa.amsl.com>; Wed, 29 Mar 2017 11:36:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=paragonie-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QIg6tmXQkNtb for <jose@ietfa.amsl.com>; Wed, 29 Mar 2017 11:36:12 -0700 (PDT)
Received: from mail-ot0-x229.google.com (mail-ot0-x229.google.com [IPv6:2607:f8b0:4003:c0f::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4DA71120046 for <jose@ietf.org>; Wed, 29 Mar 2017 11:36:12 -0700 (PDT)
Received: by mail-ot0-x229.google.com with SMTP id a5so16374171oth.1 for <jose@ietf.org>; Wed, 29 Mar 2017 11:36:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=paragonie-com.20150623.gappssmtp.com; s=20150623; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=wlMwCtOh5L0Kqmw9sQMQkf7CWMvXbsfL+ZP01XZRlcI=; b=qMgeevG33HFahGte39xQ8TFo2Cm1SSs5O0D5nw9TmcuU6sK7v8hpG2KIrFac90jYaV mfv1WtAagFQ9DBIADfrP9Rb+L2AhaPifbOZB2gaTwvEeb77VZrjSZJu/bVJaqtwwctsl rqyGIaNV1NmiY9YP/8Gp+fNdubSy3z+pRdiQSJiLFs/TOU4qnFQ04khKdPzoJnhSl7Ha rV1bQCZ0q5L2B7KHNHs3BqyDh7OzWnvwagzyv30lh+N5OgErSKMvziPJuoRKZiNBXQmN ZTlfZqSX7XIoOZZ5PeTt236L4GliqjqJtipDzpnZ2X7AuCyp4pAnbwAU6PTZZiIr9AkH dWiQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=wlMwCtOh5L0Kqmw9sQMQkf7CWMvXbsfL+ZP01XZRlcI=; b=VSVQm6KENsXKjDjqjI5EU0IbIHO1w55v59ndFjwOp7C3BjY745FsQZc2z5rtwzbzEv POLOQMOvaX486I1Pd1YKQoX4VD90l6/Osq3iGMUjl86lCxTY6yq9eMFZ3oS13KvBU5gQ b9/Wm4ldIGUaDP7ebj1NxF90ZVlH15anXVPTN52wmY78u/1gQoHSZ0OvUiC95ysxnJBC A/gt031oJG90YXJqZFfsuY9wi5lW1MI3o5LyVAXhUSqAezMUB/FsI1/r15UVmRZDtmeT MiSRzNZgjhFuBAM22jLQIq9uRuKSqzkpvSsuE/CmMTKXQt8a7c+QkHRyzMKc9+7JqsGQ +/sw==
X-Gm-Message-State: AFeK/H0wI49w4yggKRACPYgYXB/2xVMKnxceVekQqGuR+zqEkt3R5habAoMRcliMCOeP7r0Rgf2+yoyUQtDSPA==
X-Received: by 10.157.28.142 with SMTP id l14mr945547ota.199.1490812571465; Wed, 29 Mar 2017 11:36:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.157.46.198 with HTTP; Wed, 29 Mar 2017 11:36:11 -0700 (PDT)
In-Reply-To: <FCF428D5-9FF5-460D-8C54-D148177A38F9@mit.edu>
References: <CAKws9z0UxAFynhW1jf34VARyV82VHVEwhg4E4rcyMMtSGeHj4w@mail.gmail.com> <FCF428D5-9FF5-460D-8C54-D148177A38F9@mit.edu>
From: Paragon Initiative Enterprises Security Team <security@paragonie.com>
Date: Wed, 29 Mar 2017 14:36:11 -0400
Message-ID: <CAKws9z1jhYfE4fJBSn9Yp+ETKRgsiH6ZsW5J76AfytWSAY-85w@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: jose@ietf.org
Content-Type: multipart/alternative; boundary="f40304354d84bff663054be2d9af"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/u4vxoRzY9xcQeoDzLEA-bf6F8Bk>
Subject: Re: [jose] Towards a More Secure JOSE Standard
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Mar 2017 18:36:16 -0000
On Wed, Mar 29, 2017 at 2:22 PM, Justin Richer <jricher@mit.edu> wrote: > If the problem is substituting “alg: RS256” with “alg: HS256” or the like, > how is that any different from substituting “mode: ps” with “mode: sa”? > > > There have been some reasonable arguments for removing the algorithm > selection from the JOSE package, but this proposal doesn’t do that. > Instead, it simply defines *new* headers for algorithm selection. Ergo, > unless I’m missing a key point here, this is just kicking things down the > road a little bit. > > — Justin > > On Mar 29, 2017, at 11:19 AM, Paragon Initiative Enterprises Security Team > <security@paragonie.com> wrote: > > Hello, > > We've outlined some suggestions to make a JOSE replacement/upgrade more > secure. Our suggestions are outlined at https://gist.github.com/ > paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03, but I have mirrored > them below. > > Changes to JOSE that will prevent insecurity > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#deletions> > Deletions > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#jws-and-jwe>JWS > and JWE > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#drop-the-alg-header>Drop > the alg header > > Neither JOSE users nor JOSE library designers should be required to > understand cryptography primitives. At a lower level, this can lead to badly > implemented primitives > <http://www.cryptofails.com/post/70059600123/saltstack-rsa-e-d-1>. On a > higher level, this can lead to reasoning by lego > <http://www.cryptofails.com/post/121201011592/reasoning-by-lego-the-wrong-way-to-think-about> > . > > For all the reasons outlined here > <https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid> > and here > <https://storify.com/jcuid/thomas-h-ptacek-don-t-use-json-web-tokens>, > the alg header (and algorithm agility in its entirety) should be > considered harmful. > > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#jwe> > JWE > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#drop-the-enc-header>Drop > the enc header > > For the same reason we're dropping the alg header, we should drop the enc > header. > > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#consider-dropping-the-zip-header>Consider > dropping the zip header > > As we've seen with CRIME <https://en.wikipedia.org/wiki/CRIME> and BREACH > <http://breachattack.com/>, as well as this error oracle attack against > iMessage > <https://blog.cryptographyengineering.com/2016/03/21/attack-of-week-apple-imessage/>, > compression can introduce side-channels that totally undermine > confidentiality. > > This one is less of a hard-and-fast requirement to make JOSE secure, but I > still strongly recommend it. > > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#additions> > Additions > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#jws-and-jwe-1>JWS > and JWE > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#new-header-ver-version>New > header: ver (version) > > Instead of letting library developers and users mix-and-match cryptography > algorithms, the only choice they should be given is, "Which version are we > using?" Versions can look like this: > > - Version 1: > - HMAC-SHA256 for shared-key authentication > - AES-128-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for shared-key > encryption > - RSA-OAEP with MGF1-SHA256 and e=65537 + AES-128-CBC in KEM+DEM > for public-key encryption, min. key size: 2048-bit > - RSASSA-PSS with MGF1-SHA256 and e=65537 for public-key digital > signatures, min. key size: 2048-bit > - Version 2: > - HMAC-SHA256 for shared-key authentication > - AES-256-GCM for shared-key encryption > - ECDH over secp256r1 (NIST P-256) + AES-256-GCM for public-key > encryption > - Libraries must verify that the point is on the curve > - ECDSA over secp256r1 (NIST P-256), adhering to RFC 6979 > (deterministic ECDSA), for public-key digital signatures > - Version 3: > - HMAC-SHA512-256 for shared-key authentication > - As per NaCl, this is HMAC-SHA-512 truncated to 256 bits, not > HMAC-SHA-512/256. > - Xsalsa20poly1305 for shared-key encryption > - X25519 + Xsalsa20poly1305 for public-key encryption > - Ed25519 for public-key digital signatures > > Libraries that support version 3 SHOULD NOT support version 1. > > <https://gist.github.com/paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03#new-header-mode>New > header: mode > > Only four options (case-insensitive): > > - se = Shared-key Encryption > - sa = Shared-key Authentication > - pe = Public-key Encryption > - ps = Public-key digital Signatures > > > Kind regards, > > Security Team > Paragon Initiative Enterprises <https://paragonie.com/security> > _______________________________________________ > jose mailing list > jose@ietf.org > https://www.ietf.org/mailman/listinfo/jose > > > Hi, > If the problem is substituting “alg: RS256” with “alg: HS256” or the like, > how is that any different from substituting “mode: ps” with “mode: sa”? > > There are more problems than the RS256/HS256 critical vulnerability from 2015, but nonetheless, you raise a good point: The mode should be decided out-of-band, not supplied by the attacker. Therefore, the mode header must be made optional (i.e. it's purely informational) and implementations should be encouraged to only operate in one mode at a time (i.e. not decided by the message they receive). > > There have been some reasonable arguments for removing the algorithm > selection from the JOSE package, but this proposal doesn’t do that. > Instead, it simply defines *new* headers for algorithm selection. Ergo, > unless I’m missing a key point here, this is just kicking things down the > road a little bit. The previous standard allowed people to choose which hash function, which of the NIST P-curves, etc. to use. The new proposal only allows for one cipher/algorithm per use-case. These algorithm decisions should be made by experts and given as non-tweakable, hard-coded configuration options. There is no "a little of column A, a little of column B", you either use version 2 or version 3. Security Team Paragon Initiative Enterprises <https://paragonie.com/security>
- [jose] Towards a More Secure JOSE Standard Paragon Initiative Enterprises Security Team
- Re: [jose] Towards a More Secure JOSE Standard Justin Richer
- Re: [jose] Towards a More Secure JOSE Standard Paragon Initiative Enterprises Security Team
- Re: [jose] Towards a More Secure JOSE Standard Nathaniel McCallum
- Re: [jose] Towards a More Secure JOSE Standard Paragon Initiative Enterprises Security Team
- Re: [jose] Towards a More Secure JOSE Standard Nathaniel McCallum
- Re: [jose] Towards a More Secure JOSE Standard Paragon Initiative Enterprises Security Team
- Re: [jose] Towards a More Secure JOSE Standard Nathaniel McCallum