Re: [jose] JOSE dependence on "Key Guessing"
Neil Madden <neil.madden@forgerock.com> Wed, 07 February 2018 10:16 UTC
Return-Path: <neil.madden@forgerock.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D0C1243F3 for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 02:16:13 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.989
X-Spam-Level:
X-Spam-Status: No, score=-1.989 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, T_SPF_PERMERROR=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=forgerock.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Nrg4BsRqIWJ8 for <jose@ietfa.amsl.com>; Wed, 7 Feb 2018 02:16:10 -0800 (PST)
Received: from mail-wr0-x244.google.com (mail-wr0-x244.google.com [IPv6:2a00:1450:400c:c0c::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62F9D120727 for <jose@ietf.org>; Wed, 7 Feb 2018 02:16:10 -0800 (PST)
Received: by mail-wr0-x244.google.com with SMTP id y3so377637wrh.3 for <jose@ietf.org>; Wed, 07 Feb 2018 02:16:10 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=forgerock.com; s=google; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=rVgRMlx40bXG1X58/y1rrC7kZOHmxv0Rcx9L2oaLD0I=; b=ZPIlA+nydleeWwcwKYWIU/OzDRtBO9cUexgsMJNiaG1QAwjLGaRKofRUgzOIc7NaJU k4/qs/yAcR7M4fbfQHyPN18whZey/nw7dPTKeUMeEs4A0bL8tmEjSQmtJrdq0oCRMbyn sosH9TggH1IVj5vWbiZ47t8SBuKRavKk/s5r8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=rVgRMlx40bXG1X58/y1rrC7kZOHmxv0Rcx9L2oaLD0I=; b=nqcJhL1VCsfkdik3o4D4Pjk7ucU3OvUfDFp0grJOcSO2LBrIIa9XtqDK8GEJ+MthfF fcB/ZCmWzTM5EmNGPou93IIam15pRQuEKdjTwTNUwa065iayhn10+KNI/3EXF89sGkc1 3/lQjqnOpIs8XAJcJwB6dgY5M5tzqVAH6T8hM8yZVfjiYBS6AdoNK3ZZ3ceNImq4et1d /dxh1rJEPUaaAWfg3af4ltAttFptQoMlHxT+BbuDrGpAp/5mVkwPOBqj8l3Ub9CF+Qx8 lKLFkWjr+oh42sgeEJFe1xlbVPrOcPeI/j7Cho8IWtKg2CJnaNFZcrSRfmF20JdIs8ZS rIJw==
X-Gm-Message-State: APf1xPB7wsurkawUet4yp2Op6Iv5+B6Mp1/X/2UhWMIIjNr0SpYbyk/s bcBMt6rgO3FB528bt3GJQfcIMg==
X-Google-Smtp-Source: AH8x227pBIS++J2Cg7siAU9DdV03nFrFbpWbaIZge1Vp5IcHbFzpWJDxJP4imXH/lNCjPs0RrwIqfA==
X-Received: by 10.223.139.93 with SMTP id v29mr4915361wra.247.1517998568833; Wed, 07 Feb 2018 02:16:08 -0800 (PST)
Received: from guest2s-mbp.home (52.33.198.146.dyn.plus.net. [146.198.33.52]) by smtp.gmail.com with ESMTPSA id h194sm4893400wma.8.2018.02.07.02.16.07 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 07 Feb 2018 02:16:08 -0800 (PST)
From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <12D5D90B-3162-4B57-8FD5-907DFCB76549@forgerock.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_528BF799-395F-48C8-B0CA-191F98477D42"
Mime-Version: 1.0 (Mac OS X Mail 11.2 \(3445.5.20\))
Date: Wed, 07 Feb 2018 10:16:07 +0000
In-Reply-To: <bb45b889-9fab-4e62-b00a-b131f64bfafd@gmail.com>
Cc: "jose@ietf.org" <jose@ietf.org>
To: Anders Rundgren <anders.rundgren.net@gmail.com>
References: <6b3f854d-f370-8f94-12ca-0f8ae0051362@gmail.com> <SN6PR2101MB09437284FC84E3154BC8C64EF5FC0@SN6PR2101MB0943.namprd21.prod.outlook.com> <e3c7e41b-ad42-828f-86d4-ef77c2c26292@gmail.com> <C1F11BB2-F135-483C-B8CB-E8724DD7737C@forgerock.com> <bb45b889-9fab-4e62-b00a-b131f64bfafd@gmail.com>
X-Mailer: Apple Mail (2.3445.5.20)
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/y-fMK6EW_R3XqkOChnngDjPGAa0>
Subject: Re: [jose] JOSE dependence on "Key Guessing"
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Feb 2018 10:16:14 -0000
> On 7 Feb 2018, at 09:44, Anders Rundgren <anders.rundgren.net@gmail.com> wrote: > > On 2018-02-07 09:06, Neil Madden wrote: >> On 7 Feb 2018, at 07:18, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote: >>> On 2018-02-07 07:22, Mike Jones wrote: >>>> Anders, you misunderstand the feature and its purpose. The ability to reference a set of keys is essential to performing key roll-over - a critical security function. The "kid" (key ID) value is typically used to indicate which member of the key set was employed. There is no "key guessing". >>>> For an example of how JWK sets are used for key roll-over in a production system, see http://openid.net/specs/openid-connect-core-1_0.html#Signing. >>> >>> "If there are multiple keys in the referenced JWK Set document, >>> a kid value MUST be provided in the JOSE Header" >>> >>> This is what I was referring to. JKU as a standalone property is useless unless the set of keys is restricted to 1. >> Can you clarify why? You can just try each applicable key. > > This is what the posting referred to as "Key Guessing" which I consider an invalid concept. That the OpenID folks do not utilize this either indirectly supports this stance. But why do you consider it invalid? > >>> This is not mentioned in the JOSE specifications but fundamental for interoperabiity and testing. >>> The OpenID scheme does not only presume that there's an additional "kid" in the header, but that the referred key set also contains matching "kid"s. >>> >>> Maybe the "right" solution is providing an interoperability section with a reference to JKU as well? >>> >>> My (strong) wish is getting away from any kind of key guessing as a part of a test suite and reference implementation. Yes, the are indeed JOSE implementations that support key guessing. >> Remember that the “kid” parameter is only integrity protected by the same signature that you are verifying so it should only be a hint. If an attacker can forge a signature for any key in the set then they can almost certainly also forge a kid value to go with it. > > If an attacker has access to the genuine user's private keys it is usually game over. Indeed. My point is that adding a “kid” hint does nothing either way. There is no added security from trusting the sender to tell you which key they used before you can actually verify that the message really was from that sender. > >> A bigger problem with “jku” would be the potential for SSRF (https://cwe.mitre.org/data/definitions/918.html <https://cwe.mitre.org/data/definitions/918.html>) and similar attacks based on getting the server to access arbitrary URLs before it has validated the signature. > > My reference implementation barfs at URLs that: > - Do not use the "https://" scheme > - Do not return HTTP 200 > - Do not point to trusted servers > - Do not return properly formatted JWK key sets And now an attacker can probe your internal network by seeing what kind of error response they get to different jku URLs, and can potentially cause unwanted side-effects on trusted servers. Unless your trusted server list is strongly unguessable (and you compare against that list in constant time), then this is a huge risk. — Neil
- [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Mike Jones
- Re: [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Neil Madden
- Re: [jose] JOSE dependence on "Key Guessing" Anders Rundgren
- Re: [jose] JOSE dependence on "Key Guessing" Neil Madden
- Re: [jose] JOSE dependence on "Key Guessing" Manger, James