Re: [OAUTH-WG] [jose] Security research on JWT implementations

John Bradley <ve7jtb@ve7jtb.com> Thu, 02 April 2015 20:39 UTC

Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/EJ-524vVuf5G66zqbQLcoIEel9E>

Sec 10.6 and 10.7 of JWS also touch on algorithm substitution.

Allowing keys to be used with multiple algorithms is a general problem, and almost always turns out unhappily.

I think that using an RSA key for HMAC is the most extreme case of that principle.

I do think that outside of the JOSE and JWT specs we need more implementer guidance encouraging the use of "alg" and "use" in JWK 
as well as propagating that information into local key stores so that the wrong key is not selected.

The problem applications in question simply took the "iss" and/or the "kid" and returned a key without looking at the "alg".

A given issuer may be allowed to sign using both ECDSA and RSA PKCS 1.5 and that would not be a problem until one of them is deprecated.  
Having libraries assume that there can only be one alg per issuer would not lead to useful crypto agility in my experience.

John B.

> On Apr 2, 2015, at 3:42 PM, Mike Jones <Michael.Jones@microsoft.com> wrote:
> 
> This warning is already in place in https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32#section-7.2.  It says:
> 
>   Finally, note that it is an application decision which algorithms may
>   be used in a given context.  Even if a JWT can be successfully
>   validated, unless the algorithm(s) used in the JWT are acceptable to
>   the application, it SHOULD reject the JWT.
> 
> 				-- Mike
> 
> -----Original Message-----
> From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of Hannes Tschofenig
> Sent: Thursday, April 02, 2015 11:28 AM
> To: Tim McLean
> Cc: oauth@ietf.org; jose@ietf.org
> Subject: Re: [OAUTH-WG] [jose] Security research on JWT implementations
> 
> [[adding oauth@ietf.org]]
> 
> On 04/02/2015 08:01 PM, Tim McLean wrote:
>> However, I do think one way of gauging the success of JWS/JOSE is to 
>> measure how many implementers actually get the security details right.
> 
> I agree with you.
> 
> If several people got this wrong then it is a good idea to write about it. Of course, it was a bit difficult to foresee this issue at the time of writing the specification.
> 
> At a minimum we should put a version of your article at oauth.net.
> 
> Since the JWT spec (which you reference in your article) is still in
> Auth48 state we can still add a warning remark to Section 7.2 of https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-32.
> 
> Ciao
> Hannes
> 
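
The key-selection behaviour discussed in this message, as an added example that is not code from the thread or from any JOSE library: a local key store that keeps the JWK "alg" and "use" with each key and refuses to return a key for a different algorithm, while still letting one issuer hold keys for several algorithms. The class and function names, the issuer URL and the "kid" values are hypothetical, and signature verification itself is out of scope.

```python
import base64
import json

class KeySelectionError(Exception):
    """Raised when no stored key may be used for the presented token."""

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def jws_header(token: str) -> dict:
    seg = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

class KeyStore:
    def __init__(self, allowed_algs):
        self.allowed_algs = frozenset(allowed_algs)  # application policy
        self._keys = {}  # (iss, kid) -> JWK, with "alg" and "use" retained

    def import_jwk(self, iss: str, jwk: dict) -> None:
        # Keep "alg" and "use" with the key instead of storing bare key bytes.
        if not all(m in jwk for m in ("kid", "alg", "use")):
            raise KeySelectionError("JWK must carry kid, alg and use")
        self._keys[(iss, jwk["kid"])] = dict(jwk)

    def select(self, iss: str, token: str) -> dict:
        header = jws_header(token)
        alg, kid = header.get("alg"), header.get("kid")
        if not isinstance(alg, str) or not isinstance(kid, str):
            raise KeySelectionError("header must carry string alg and kid")
        if alg not in self.allowed_algs:
            raise KeySelectionError(f"alg {alg!r} not acceptable to this application")
        jwk = self._keys.get((iss, kid))
        if jwk is None:
            raise KeySelectionError("no key for this iss/kid")
        if jwk["use"] != "sig" or jwk["alg"] != alg:
            raise KeySelectionError(f"key {kid!r} is bound to {jwk['alg']}, not {alg}")
        return jwk

def sample_token(alg: str, kid: str) -> str:
    # Constructed token: real header, empty payload, dummy signature bytes.
    header = json.dumps({"alg": alg, "kid": kid}).encode()
    return ".".join([b64url(header), b64url(b"{}"), b64url(b"sig")])

# Constructed sample: one issuer with two signing keys of different algorithms.
ISS = "https://issuer.example"
STORE = KeyStore(allowed_algs={"RS256", "ES256"})
STORE.import_jwk(ISS, {"kid": "rsa-1", "kty": "RSA", "alg": "RS256", "use": "sig"})
STORE.import_jwk(ISS, {"kid": "ec-1", "kty": "EC", "alg": "ES256", "use": "sig"})
```

The key-level "alg" check still rejects a mismatched header when the application's allow-list includes both algorithms, which is the case where a lookup by "iss" and "kid" alone would hand back the wrong key.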