Re: [OAUTH-WG] JWT BCP on Compression in JWE

Yaron Sheffer <yaronf.ietf@gmail.com> Sat, 29 July 2017 05:57 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OnpC4zgjFUU_ocBaBH8GFsMCGvA>

Hi Brian,

These two attacks on TLS are only examples of the breakage that can 
occur when the adversary can control the plaintext to some degree (even 
a small piece of the plaintext, e.g. a malleable HTTP cookie can result 
in decryption of the whole message). Similar attacks were demonstrated 
in IPsec. Can you please add details on why typical use of JWT would not 
be susceptible to these attacks?

Thanks,
     Yaron

> One critique of JWT I've seen a few times can be paraphrased as "JWT
> supports compressed plaintext so, because of CRIME and BREACH, it is
> dangerous and stupid."  It's very possible that I am stupid (many on this
> list will likely attest to it) but I don't see the applicability of those
> kinds of chosen plaintext attacks aimed at recovering sensitive data to how
> JWT/JWE are typically used.
>
> I think it would be useful, if during the development of the JWT BCP, the
> authors or chairs or WG could somehow engage some experts (CFRG?) to
> understand if there's any real practical advice that can be given about
> using compression with JWE and the risks involved.
>
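
The concern raised in this message, as an added example that is not part of the original thread: when a JWE plaintext is compressed with `"zip": "DEF"` and mixes a secret claim with a field another party can influence, the ciphertext length depends on whether that field matches the secret. The claim names, sample values and helper functions are constructed for illustration, and the AEAD is assumed to preserve input length, as AES-GCM does.

```python
import json
import zlib

# Constructed sample values; none come from the thread.
SECRET = "Xk29qLmZ7pR4vT8w"          # claim the token issuer wants kept confidential
WRONG_GUESS = "Qa01zNbY3cH6uJ5e"     # same length, shares no characters with SECRET


def deflate_raw(data: bytes) -> bytes:
    """Raw DEFLATE (RFC 1951), the format JWE's "zip": "DEF" header selects."""
    comp = zlib.compressobj(level=9, wbits=-15)
    return comp.compress(data) + comp.flush()


def jwe_plaintext(secret: str, attacker_value: str) -> bytes:
    """Claims set mixing a secret with a field the other party can influence."""
    claims = {"session": secret, "note": attacker_value}
    return json.dumps(claims, separators=(",", ":")).encode()


def observable_length(secret: str, attacker_value: str, compress: bool) -> int:
    """Length an observer sees, assuming an AEAD such as AES-GCM whose
    ciphertext is as long as its input (plus a constant tag, ignored here)."""
    pt = jwe_plaintext(secret, attacker_value)
    return len(deflate_raw(pt)) if compress else len(pt)


def length_depends_on_guess(compress: bool) -> bool:
    """True if the observable length differs between a matching and a
    non-matching value in the influenced field."""
    right = observable_length(SECRET, SECRET, compress)
    wrong = observable_length(SECRET, WRONG_GUESS, compress)
    return right != wrong


if __name__ == "__main__":
    for mode in (True, False):
        print("zip=DEF" if mode else "no zip ",
              observable_length(SECRET, SECRET, mode),
              observable_length(SECRET, WRONG_GUESS, mode),
              "length varies" if length_depends_on_guess(mode) else "length constant")
```

Whether a given JWT deployment is exposed therefore turns on the question asked above: does any party other than the issuer get to choose part of a compressed plaintext that also carries a secret.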