Re: [OAUTH-WG] regarding nested JWTs and security
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 15 March 2013 17:11 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC70121F8548 for <oauth@ietfa.amsl.com>; Fri, 15 Mar 2013 10:11:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.11
X-Spam-Level:
X-Spam-Status: No, score=-103.11 tagged_above=-999 required=5 tests=[AWL=0.489, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M8HSQIq18uRf for <oauth@ietfa.amsl.com>; Fri, 15 Mar 2013 10:11:32 -0700 (PDT)
Received: from oproxy12-pub.bluehost.com (oproxy12-pub.bluehost.com [50.87.16.10]) by ietfa.amsl.com (Postfix) with SMTP id 48D6B21F874F for <oauth@ietf.org>; Fri, 15 Mar 2013 10:11:27 -0700 (PDT)
Received: (qmail 1546 invoked by uid 0); 15 Mar 2013 17:11:03 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy12.bluehost.com with SMTP; 15 Mar 2013 17:11:03 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=MCpISSoLg9qs8t8Ia/cWjLojosvlM5QwUvB0YV81FAs=; b=8H7F/Fw4XIDgW2TqmRE5zvTDRvFlAdZXF37L2/Fr0JqTKnNtZuw8ThnJx4oqnbpcgyGeK4VdTqI5kQHIs6x+s3dg0BcmE1fZIJGRBwCoxeGd3MrQr+70KNpHHlEyCZok;
Received: from [130.129.19.55] (port=43444) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.80) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1UGY9m-0006pX-76 for oauth@ietf.org; Fri, 15 Mar 2013 11:11:02 -0600
Message-ID: <51435624.40904@KingsMountain.com>
Date: Fri, 15 Mar 2013 10:11:00 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130221 Thunderbird/17.0.3
MIME-Version: 1.0
To: IETF oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.19.55 authed with jeff.hodges+kingsmountain.com}
Subject: Re: [OAUTH-WG] regarding nested JWTs and security
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Mar 2013 17:11:34 -0000
During the OAuth 2nd session at IETF-86 orlando, after I mentioned the sign-then-encrypt considerations at the mic, Brad Hill pointed out that the below paper is perhaps an even more fundamental reference for the sigh-then-encrypt composition than the Davis paper I pointed to in the below attached message back in Dec-2012.. Authenticated Encryption: Relations among notions and analysis of the generic composition paradigm (2007) Bellare & Namprempre http://eprint.iacr.org/2000/025.pdf After having talked with Mike Jones f2f earlier in the week about this stuff, during which he indicated he believed that these issues are addressed in the JWT spec, I looked at draft-ietf-oauth-json-web-token-06 and note that the last paragraph of the security considerations says.. While syntactically, the signing and encryption operations for Nested JWTs may be applied in any order, normally senders should sign the message and then encrypt the result (thus encrypting the signature). This prevents attacks in which the signature is stripped, leaving just an encrypted message, as well as providing privacy for the signer. Furthermore, signatures over encrypted text are not considered valid in many jurisdictions. ..which certainly touches upon the issue(s), but could arguably contain more rationale. Though, if you wish the spec to be terse (as above) you should probably at least reference Davis (which is resonably approachable) and Bellare & Namprempre (which is a formal proof). Also, in terms of linkages between signing and encrypting wrappers, it seems that if one includes at least an audience claim in the JWT Claims Set, in a signed & encrypted JWT (aka "Nested JWT"), and the receiver of the JWT checks the audience and does not rely on the JWT if it does not identify them, then you are arguably in ok shape. If the JWT includes both subject and audience claims, that would be best. It may be a good idea to note this, since in the JWT spec all claims are optional, and incorporation of (and reliance on) JWT claims is left to JWT profiles. I.e., there arguably should be advice to JWT profile authors regarding security properties resulting from incorporation (or not) of various JWT claims. HTH, =JeffH ------ https://www.ietf.org/mail-archive/web/oauth/current/msg10326.html [OAUTH-WG] regarding nested JWTs and security From: =JeffH <Jeff.Hodges@KingsMountain.com> Date: Fri, 21 Dec 2012 15:07:35 -0800 To: IETF oauth WG <oauth@ietf.org> "nested JWTs" are only nominally defined in draft-ietf-oauth-json-web-token-05 (and the term is missing from the terminology section). the JWT spec implies that "signing and then encrypting" and "encrypting and then signing" are equivalent. however they aren't in various ways. Axel already raised this point in.. Re: [jose] encrypting AND signing a token https://www.ietf.org/mail-archive/web/jose/current/msg01269.html ..and cited this paper (worth citing again).. Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML Don Davis http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.7379&rep=rep1&type=pdf One has to carefully compose signing and encryption in order to avoid various vulnerabilities detailed in the latter. I agree with Axel that there should be one carefully designed way to craft a signed and encrypted JW*. Note that in the JSMS draft (draft-rescorla-jsms-00; an early input into what became the JOSE WG), sign & encrypt composition is declared.. > 4.6. Composition > > This document does not specify a combination signed and encrypted > mode. However, because the contents of a message can be arbitrary, > and encryption and data origin authentication can be provided by > recursively encapsulating multiple JSMS messages. In general, > senders SHOULD sign the message and then encrypt the result (thus > encrypting the signature). This prevents attacks in which the > signature is stripped, leaving just an encrypted message, as well as > providing privacy for the signer. ..tho that's a drafty draft and I didn't review carefully enough to determine whether it addresses the need for sign and encrypt to cross-refer (see S4.3 in the paper). HTH, =JeffH