[jose] [Technical Errata Reported] RFC8037 (5329)

RFC Errata System <rfc-editor@rfc-editor.org> Tue, 17 April 2018 20:30 UTC

Return-Path: <wwwrun@rfc-editor.org>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F8BE126D05 for <jose@ietfa.amsl.com>; Tue, 17 Apr 2018 13:30:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9NC67v2jIWhz for <jose@ietfa.amsl.com>; Tue, 17 Apr 2018 13:30:52 -0700 (PDT)
Received: from rfc-editor.org (rfc-editor.org [4.31.198.49]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 83D1B120725 for <jose@ietf.org>; Tue, 17 Apr 2018 13:30:52 -0700 (PDT)
Received: by rfc-editor.org (Postfix, from userid 30) id 414FCB8358A; Tue, 17 Apr 2018 13:30:44 -0700 (PDT)
To: ilariliusvaara@welho.com, kaduk@mit.edu, ekr@rtfm.com, odonoghue@isoc.org, ietf@augustcellars.com
X-PHP-Originating-Script: 30:errata_mail_lib.php
From: RFC Errata System <rfc-editor@rfc-editor.org>
Cc: neil.madden@forgerock.com, jose@ietf.org, rfc-editor@rfc-editor.org
Content-Type: text/plain; charset=UTF-8
Message-Id: <20180417203044.414FCB8358A@rfc-editor.org>
Date: Tue, 17 Apr 2018 13:30:44 -0700 (PDT)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/wfnqQUG3JbLtO3_l-vPkOlkuIOs>
Subject: [jose] [Technical Errata Reported] RFC8037 (5329)
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2018 20:30:54 -0000

The following errata report has been submitted for RFC8037,
"CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)".

--------------------------------------
You may review the report below and at:
http://www.rfc-editor.org/errata/eid5329

--------------------------------------
Type: Technical
Reported by: Neil Madden <neil.madden@forgerock.com>

Section: 4

Original Text
-------------
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix
keys into the final shared secret.  In key exchange, such mixing
could be a bad mistake; whereas here either the receiver public key
has to be chosen maliciously or the sender has to be malicious in
order to cause problems.  In either case, all security evaporates.

Corrected Text
--------------
The JSON Web Algorithm (JWA) ECDH-ES KDF construction does not mix
keys into the final shared secret unless they are included in the 
"apu" or "apv" claims. It is recommended to include the public keys 
of both parties in the key derivation. 

Notes
-----
There are two technical errors here. 

Firstly, the JWA ECDH-ES KDF does allow for mixing keys into the final shared secret via the "apu" and "apv" claims. RFC 7518 (JWA) normatively references NIST SP.800-56A, which explicitly recommends doing this.

Secondly, it is not clear what the security issue is here, as there are known security issues in some cases from *not* mixing in public keys and other identifiers, as described in SP.800-56Ar3 Appendix B, and in the Security Considerations of RFC 7748 (another normative reference), which states:

"Thus
   using a public key as an identifier and knowledge of a shared secret
   as proof of ownership (without including the public keys in the key
   derivation) might lead to subtle vulnerabilities."

Instructions:
-------------
This erratum is currently posted as "Reported". If necessary, please
use "Reply All" to discuss whether it should be verified or
rejected. When a decision is reached, the verifying party  
can log in to change the status and edit the report, if necessary. 

--------------------------------------
RFC8037 (draft-ietf-jose-cfrg-curves-06)
--------------------------------------
Title               : CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
Publication Date    : January 2017
Author(s)           : I. Liusvaara
Category            : PROPOSED STANDARD
Source              : Javascript Object Signing and Encryption
Area                : Security
Stream              : IETF
Verifying Party     : IESG