[OAUTH-WG] regarding nested JWTs and security
=JeffH <Jeff.Hodges@KingsMountain.com> Fri, 21 December 2012 23:07 UTC
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9260421F857C for <oauth@ietfa.amsl.com>; Fri, 21 Dec 2012 15:07:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.605
X-Spam-Level:
X-Spam-Status: No, score=-102.605 tagged_above=-999 required=5 tests=[AWL=-0.340, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rOAZW+Y06qHm for <oauth@ietfa.amsl.com>; Fri, 21 Dec 2012 15:07:57 -0800 (PST)
Received: from oproxy5-pub.bluehost.com (oproxy5-pub.bluehost.com [67.222.38.55]) by ietfa.amsl.com (Postfix) with SMTP id BF16621F8441 for <oauth@ietf.org>; Fri, 21 Dec 2012 15:07:57 -0800 (PST)
Received: (qmail 32092 invoked by uid 0); 21 Dec 2012 23:07:34 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by cpoproxy2.bluehost.com with SMTP; 21 Dec 2012 23:07:34 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default; h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=s3TNBfs2dhphCkQuXancy4rS7oNET1I/ZQOmFsjc0vI=; b=hUv/NalhnskkSk6thczMhJC9qEUo1iYtNzJZkFdoKXt1laWDu0hotGkeIpm/nVTEV97iMeVPRLr1YoTPB7i7e8KfDy1Nt4QsrhFkxUTjc3NcmoSu+Yl6sN8/plo5n05p;
Received: from [216.113.168.128] (port=56998 helo=[10.244.137.242]) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1TmBgj-00041O-Gj for oauth@ietf.org; Fri, 21 Dec 2012 16:07:33 -0700
Message-ID: <50D4EBB7.6070508@KingsMountain.com>
Date: Fri, 21 Dec 2012 15:07:35 -0800
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/17.0 Thunderbird/17.0
MIME-Version: 1.0
To: IETF oauth WG <oauth@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 216.113.168.128 authed with jeff.hodges+kingsmountain.com}
Subject: [OAUTH-WG] regarding nested JWTs and security
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Dec 2012 23:07:59 -0000
"nested JWTs" are only nominally defined in draft-ietf-oauth-json-web-token-05 (and the term is missing from the terminology section). the JWT spec implies that "signing and then encrypting" and "encrypting and then signing" are equivalent. however they aren't in various ways. Axel already raised this point in.. Re: [jose] encrypting AND signing a token https://www.ietf.org/mail-archive/web/jose/current/msg01269.html ..and cited this paper (worth citing again).. Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML Don Davis http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.7379&rep=rep1&type=pdf One has to carefully compose signing and encryption in order to avoid various vulnerabilities detailed in the latter. I agree with Axel that there should be one carefully designed way to craft a signed and encrypted JW*. Note that in the JSMS draft (draft-rescorla-jsms-00; an early input into what became the JOSE WG), sign & encrypt composition is declared.. > 4.6. Composition > > This document does not specify a combination signed and encrypted > mode. However, because the contents of a message can be arbitrary, > and encryption and data origin authentication can be provided by > recursively encapsulating multiple JSMS messages. In general, > senders SHOULD sign the message and then encrypt the result (thus > encrypting the signature). This prevents attacks in which the > signature is stripped, leaving just an encrypted message, as well as > providing privacy for the signer. ..tho that's a drafty draft and I didn't review carefully enough to determine whether it addresses the need for sign and encrypt to cross-refer (see S4.3 in the paper). HTH, =JeffH