IETF Logo Mail Archive

Re: [jose] Deprecation of legacy algorithms

Ilari Liusvaara <ilariliusvaara@welho.com> Tue, 05 March 2024 16:39 UTC

Return-Path: <ilariliusvaara@welho.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BDD1C15199A for <jose@ietfa.amsl.com>; Tue, 5 Mar 2024 08:39:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IFfySdmMqeP2 for <jose@ietfa.amsl.com>; Tue, 5 Mar 2024 08:39:03 -0800 (PST)
Received: from welho-filter4.welho.com (welho-filter4b.welho.com [83.102.41.30]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F649C151989 for <jose@ietf.org>; Tue, 5 Mar 2024 08:39:02 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by welho-filter4.welho.com (Postfix) with ESMTP id ED06E67E1A for <jose@ietf.org>; Tue, 5 Mar 2024 18:38:59 +0200 (EET)
X-Virus-Scanned: Debian amavisd-new at pp.htv.fi
Received: from welho-smtp1.welho.com ([IPv6:::ffff:83.102.41.84]) by localhost (welho-filter4.welho.com [::ffff:83.102.41.26]) (amavisd-new, port 10024) with ESMTP id UUvqHd84tpyS for <jose@ietf.org>; Tue, 5 Mar 2024 18:38:59 +0200 (EET)
Received: from LK-Perkele-VII2 (78-27-96-203.bb.dnainternet.fi [78.27.96.203]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by welho-smtp1.welho.com (Postfix) with ESMTPSA id ABDD17A for <jose@ietf.org>; Tue, 5 Mar 2024 18:38:58 +0200 (EET)
Date: Tue, 05 Mar 2024 18:38:58 +0200
From: Ilari Liusvaara <ilariliusvaara@welho.com>
To: JOSE WG <jose@ietf.org>
Message-ID: <ZedKooBoibvm3V8m@LK-Perkele-VII2.locald>
References: <30D0C208-4543-48C0-952D-59B57633C1EA@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
In-Reply-To: <30D0C208-4543-48C0-952D-59B57633C1EA@gmail.com>
Sender: ilariliusvaara@welho.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/xIePB5dAQWYeVWI6LcWw02T6t_Q>
Subject: Re: [jose] Deprecation of legacy algorithms
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Mar 2024 16:39:07 -0000

On Tue, Mar 05, 2024 at 03:56:30PM +0000, Neil Madden wrote:
> 
> Leaving aside all the exciting work on shiny new algorithms to *add*
> to JOSE, I would like to raise the prospect of deprecating some
> existing algorithms that have passed their best. Before I start work
> on writing the drafts for these, I'd like to gauge if there is some
> support or this is likely to be wasted effort. The algorithms I think
> that should be deprecated are:
> 
> RSA1_5 - currently marked as Recommended- in the IANA registry.
> PKCS#1 v1.5 padding for encryption has been a source of repeated
> vulnerabilities over the years, and they keep cropping up. I believe
> the main reason this exists at all was to allow continued use of
> legacy hardware, in particular where FIPS approval was required.
> However, PKCS#1 v1.5 padding has been forbidden by FIPS (for
> encryption) since the end of this 2023 [1]. 

That algorithm is marked as recommended???

It is essentially impossible to safely decrypt RSA PKCS#1 v1.5 online
(as part of any realtime protocol). The only reason TLS 1.2 could get
away with it is very TLS-specific hacks (which make the problem much
easier). Still, there are very few if any implementations that have not
had vulnerability here.

 
> none - I know this one is more controversial in some quarters, but
> alg=none has been responsible for a steady stream of serious security
> vulnerabilities, and even spawned its own website: https://www.howmanydayssinceajwtalgnonevuln.com.
> I'm not sure there has actually been a year where this algorithm
> *hasn't* caused a vulnerability. I've yet to see a genuine use-case
> for it in the wild. The pain:gain ratio on this algorithm is extremely
> high.

Trying to verify alg=none signature MUST unconditionally fail.

Library doing anything else is a critical vulnerability. 


> I would also like to write a draft (either combined with the above or
> separate) that establishes some baseline security properties for
> future algorithm registrations:
> 
> * All signature algorithms MUST achieve unforgeability under chosen
>    message attack (EUF-CMA).
> * All encryption algorithms MUST achieve at least IND-CCA2.

Add all encryption algorithms in COSE MUST be authenticated (JOSE
already has stronger requirement of being AEAD).

And then change algorithms that are not (IIRC, there are six) to
"MUST NOT implement".




-Ilari

v2.23.0 | Report a Bug | By Email