Re: [OAUTH-WG] [jose] preventing confusion of one kind of JWT for another in JWT BCP

Jim Schaad <ietf@augustcellars.com> Thu, 27 July 2017 22:56 UTC

Return-Path: <ietf@augustcellars.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09D4A1321F6; Thu, 27 Jul 2017 15:56:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[AC_DIV_BONANZA=0.001, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=augustcellars.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5fCVa4EUm6Y3; Thu, 27 Jul 2017 15:56:53 -0700 (PDT)
Received: from mail4.augustcellars.com (augustcellars.com [50.45.239.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4E1CA1321F3; Thu, 27 Jul 2017 15:56:53 -0700 (PDT)
Content-Type: multipart/alternative; boundary="----=_NextPart_000_022F_01D306F0.ED22B9B0"
Content-Language: en-us
DKIM-Signature: v=1; a=rsa-sha256; d=augustcellars.com; s=winery; c=simple/simple; t=1501196183; h=from:subject:to:date:message-id; bh=PhfY0UlwMtbO14uZbH5xY1zDC3lAf3oSHjYmbwGP5Uc=; b=EaVaYdrUZUjVo+38y8NHqO2pCpPT/1GI5oPWOonlS5+40zbyWTS9XpRSffJ2hfL4NBRhsLyBgaz 9i+UQOBt7Vz5i/PJwqV3gP1pZqGYAbNV22x59fdGAf7joYkeT+yJgO6BktEMjp4JKrJO7klZKCMEC op2r6cbJtiU3p4+NBJZ7dW6FGBQfHRx8qgvGQsIieWH4xwK0pARiGFF+5+NqueE06ZYoVgVV0Z/LO oqxgV31lDE/8HVC1AFENsLEdB5cULP0AYR84qn8jPIiFHCkZEmmrzCFZk4NllNtc4uQc3STVWkL+P 7whX31V8l1c6qIYSmRc6WodGvvWNpiIZv69g==
Received: from mail2.augustcellars.com (192.168.1.201) by mail4.augustcellars.com (192.168.1.153) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 27 Jul 2017 15:56:22 -0700
Received: from Hebrews (24.21.96.37) by mail2.augustcellars.com (192.168.0.56) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Thu, 27 Jul 2017 15:56:16 -0700
From: Jim Schaad <ietf@augustcellars.com>
To: 'John Bradley' <ve7jtb@ve7jtb.com>, 'Brian Campbell' <bcampbell@pingidentity.com>
CC: 'Nathaniel McCallum' <npmccallum@redhat.com>, 'oauth' <oauth@ietf.org>, <jose@ietf.org>, 'Phil Hunt' <phil.hunt@oracle.com>
References: <CA+k3eCRT_iuLHYrLxz+tf1MT9L9XG2jV0D0anC0h5w7A_ujEdQ@mail.gmail.com> <CAOASepOjYBYoKYEVvCLMzZgsdyGhr2LOB-dNqekxsKFm_gxixg@mail.gmail.com> <CA+k3eCS-Va2AvzRhWia_ETqSDYUMBOoi=sY3jg7TbJFhhuVnZA@mail.gmail.com> <CAOASepMaeS8WrCMb+WHV0FC2_w3f0KnY5XuDsuWJhAW2ayfryQ@mail.gmail.com> <91B882A0-48A0-4F08-8ADB-B675D9F1C08F@oracle.com> <7041D358-E4C8-4D8C-BD94-0D65C238B449@ve7jtb.com> <CA+k3eCSnj=3a9OiUSy=_5D4K-Er75FKxhcmPgzV6BhjcUaLERA@mail.gmail.com> <81AD4E5B-BBC7-4E7A-8075-EB43BC3962F8@ve7jtb.com>
In-Reply-To: <81AD4E5B-BBC7-4E7A-8075-EB43BC3962F8@ve7jtb.com>
Date: Thu, 27 Jul 2017 15:56:31 -0700
Message-ID: <022e01d3072b$997eab80$cc7c0280$@augustcellars.com>
MIME-Version: 1.0
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQKHH2VI+OeMwPc+ZUkxtnVaGSt4zgKKIEysAp0kgMUCgqvlGAE7vSrFAkDebrACu261lgGhbu7joIP805A=
X-Originating-IP: [24.21.96.37]
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/C7tOuaPIj_OH0HGCX52Kcu1WU-8>
Subject: Re: [OAUTH-WG] [jose] preventing confusion of one kind of JWT for another in JWT BCP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jul 2017 22:56:58 -0000

One simple way to implement it would be to have an call which says “I will deal with the following items if they exist”.  This means that all the application needs to do is to say that it will process p and not what values are acceptable.

 

Jim

 

 

From: jose [mailto:jose-bounces@ietf.org] On Behalf Of John Bradley
Sent: Thursday, July 27, 2017 3:24 PM
To: Brian Campbell <bcampbell@pingidentity.com>
Cc: Nathaniel McCallum <npmccallum@redhat.com>om>; oauth <oauth@ietf.org>rg>; jose@ietf.org; Phil Hunt <phil.hunt@oracle.com>
Subject: Re: [jose] [OAUTH-WG] preventing confusion of one kind of JWT for another in JWT BCP

 

My only concern with a crit header is that it is potentially another layering violation.

 

It really should be the application and not JWS/JWE that determines if the content of the JWT is correct at a application layer.

 

To get your idea to work the application would need to push down to the JWT layer some value/s of p that it was willing to accept.   Without crit the application could just pass along typ or p to the application layer for matching.

 

I don’t hate the idea but it seems like it is likely to work against having generic JOSE libs separate from JWT. Perhaps that is the reality anyway.

 

How would you implement it?

 

John B.

 

On Jul 27, 2017, at 6:10 PM, Brian Campbell <bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com> > wrote:

 

I wouldn't disagree that the issue with Connect is overstated sometimes. And it's a non-issue with sec event due to the "nonce" claim (as you point out) as well as the omission of the "exp" claim. Assuming correct validation anyway. 

The BCP draft suggests explicit typing to prevent Cross-JWT Confusion more generally (not just sec events and id tokens). I was wondering if some use of "crit" might accomplish the same thing but also cover the case of existing JWT implementations being confused with new JWT profiles. 

 

On Thu, Jul 27, 2017 at 3:40 PM, John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com> > wrote:

Not that I am against the general desire for JWT not to be confused, but the attack surface for someone to take a sec event from one context and replay it as a id_token to login is very small and if the client is correctly configured would not work as it is now.

 

The only way you could replay the sec event JWT is via the implicit flow.   The other flows would require a malicious AS and at that point you have bigger problems with a compromised token endpoint.

 

If you were to create a implicit response with the sec event token that has the correct issuer and aud, connect requires that nonce value from the request be present in the id_token.   This would require that the attacker somehow get the AS to put not only the claim but the correct value from the request into the token.

 

All in all I think that it is more likely (not 100% I admit) that a client will do that rather than checking the typ or a new crit JWT header parameter.

 

I am all for a general solution for this but I think the issue with Connect is overstated sometimes.

 

John B.

 

On Jul 27, 2017, at 5:19 PM, Phil Hunt <phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> > wrote:

 

We have the use case in SECEVENTS where a logout event (e.g. OIDF backchannel logout) is extremely close to an ID_TOKEN. 

 

Older relying parties who are do not yet support logout could be tricked into accepting a logout assertion as an ID_TOKEN since they are too similar, and  because a valid ID_TOKEN parser is in theory allowed to ignore claims it does not understand (e.g. “events”) - leading to a possible erroneous acceptance of the logout event AS and ID_TOKEN.

 

Because of this the issue of distinguishing classes or types of JWTs emerged.

 

We discussed a number of differentiators like “aud”, “typ”, “crit", etc that would help.  But that really lead to the idea there there should be some best practices in the JWT BCP covering the issue(s).

 

Phil

 

Oracle Corporation, Identity Cloud Services Architect & Standards

@independentid

www.independentid.com <http://www.independentid.com/> 

phil.hunt@oracle.com <mailto:phil.hunt@oracle.com> 

 

On Jul 27, 2017, at 2:00 PM, Nathaniel McCallum <npmccallum@redhat.com <mailto:npmccallum@redhat.com> > wrote:

 

Even after reading the whole section, I still don't understand the
problem. Yes, a class of attack could exist where an attacker
substitutes a valid JWT from one security context into another
context. But isn't this resolved by audience validation?

On Thu, Jul 27, 2017 at 3:34 PM, Brian Campbell
<bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com> > wrote:



The draft describes it in
https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dsheffer-2Doauth-2Djwt-2Dbcp-2D01-23section-2D2.7 <https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dsheffer-2Doauth-2Djwt-2Dbcp-2D01-23section-2D2.7&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=02yWnzzFGNlefgVregxSncXu0b9sbh5pTrtBfQsC52A&s=9GmPCouCMXE4enC48gfq0l0yc7ZlIxvEBAnQCVja_kY&e=> &d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=02yWnzzFGNlefgVregxSncXu0b9sbh5pTrtBfQsC52A&s=9GmPCouCMXE4enC48gfq0l0yc7ZlIxvEBAnQCVja_kY&e= 

On Thu, Jul 27, 2017 at 1:30 PM, Nathaniel McCallum <npmccallum@redhat.com <mailto:npmccallum@redhat.com> >
wrote:




What class of attacks is this trying to prevent? I frankly don't see a
problem with confusing different types of JWT. But I may just be
ignorant.

On Thu, Jul 27, 2017 at 2:49 PM, Brian Campbell
<bcampbell@pingidentity.com <mailto:bcampbell@pingidentity.com> > wrote:



During the first WG meeting last week I asked if use of the JOSE "crit"
(Critical) Header Parameter had been considered as a recommendation for
preventing confusion of one kind of JWT for another. Time was running
short
in the meeting so there wasn't much discussion and it was requested that
I
take the question to the list. And so here on the list is that.

Section 3.9 of the JWT BCP draft now recommends explicit typing using
the
"typ" JWS/JWE header parameter but does concede that 'the use of
explicit
typing may not achieve disambiguation from existing kinds of JWTs, as
the
validation rules for existing kinds JWTs often do not use the "typ"
header
parameter value.'  And the recommendations for how to use the Type
Header
Parameter in JWT strongly suggest that it's not currently being used for
any
validation.

Alternatively using the JWS/JWE "crit" (Critical) Header Parameter to
signal
the type/intent/profile/application of a JWT could achieve
disambiguation
even in validation of existing kinds of JWTs. The critical header lists
other headers which must be understood and processed by the receiver and
that the JWS/JWE is invalid if those listed aren't understood. So a new
type/profile of JWT that uses the "crit" header would produce JWTs that
would be rejected even by existing applications of JWT validation (that
actually implement "crit" properly anyway).

The JWT BCP could suggest the use of "crit" in conjunction with a
profile/application/type specific header. Or it could provide a bit more
of
a framework like defining a registering a new JOSE header "p" (strawman
of p
as a very short name for profile) and create a registry for its values.
A
JWT header using that approach might look like the following where the
value
1 is registered as some cool new JWT profile/application. The consumer
of
such a JWT would have to understand and process the "p" header, which
would
mean checking that it had the value expected.

    {
     "alg":"ES256",
     "crit":["p"],
     "p":1
    }

A JOSE compliant JWT validator would reject such a JWT even for an OAuth
access token or OIDC id_token because the "p" header isn't known or
understood but is marked as critical.

To me, that seems like an approach to preventing confusion that has more
teeth than the "typ" header. Which is why I asked about it last week and
am
now bringing it to the list.










CONFIDENTIALITY NOTICE: This email may contain confidential and
privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited.  If you
have
received this communication in error, please notify the sender
immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you.
_______________________________________________
jose mailing list
jose@ietf.org <mailto:jose@ietf.org> 
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_jose <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_jose&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=02yWnzzFGNlefgVregxSncXu0b9sbh5pTrtBfQsC52A&s=eJ8QZBwe5AO-RDl_E16U1q_KpobaeSRUP4Cp2W-_jJU&e=> &d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=02yWnzzFGNlefgVregxSncXu0b9sbh5pTrtBfQsC52A&s=eJ8QZBwe5AO-RDl_E16U1q_KpobaeSRUP4Cp2W-_jJU&e= 




CONFIDENTIALITY NOTICE: This email may contain confidential and privileged
material for the sole use of the intended recipient(s). Any review, use,
distribution or disclosure by others is strictly prohibited.  If you have
received this communication in error, please notify the sender immediately
by e-mail and delete the message and any file attachments from your
computer. Thank you.


_______________________________________________
jose mailing list
jose@ietf.org <mailto:jose@ietf.org> 
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_jose <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_jose&d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=02yWnzzFGNlefgVregxSncXu0b9sbh5pTrtBfQsC52A&s=eJ8QZBwe5AO-RDl_E16U1q_KpobaeSRUP4Cp2W-_jJU&e=> &d=DwICAg&c=RoP1YumCXCgaWHvlZYR8PQcxBKCX5YTpkKY057SbK10&r=JBm5biRrKugCH0FkITSeGJxPEivzjWwlNKe4C_lLIGk&m=02yWnzzFGNlefgVregxSncXu0b9sbh5pTrtBfQsC52A&s=eJ8QZBwe5AO-RDl_E16U1q_KpobaeSRUP4Cp2W-_jJU&e= 

 

_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth

 


_______________________________________________
OAuth mailing list
OAuth@ietf.org <mailto:OAuth@ietf.org> 
https://www.ietf.org/mailman/listinfo/oauth

 


CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.