Re: [OAUTH-WG] regarding nested JWTs and security
Mike Jones <Michael.Jones@microsoft.com> Wed, 17 April 2013 21:40 UTC
Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55B0621E80E0 for <oauth@ietfa.amsl.com>; Wed, 17 Apr 2013 14:40:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.516
X-Spam-Level:
X-Spam-Status: No, score=-2.516 tagged_above=-999 required=5 tests=[AWL=0.082, BAYES_00=-2.599, HTML_MESSAGE=0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uIW840pfW0rh for <oauth@ietfa.amsl.com>; Wed, 17 Apr 2013 14:40:12 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0241.outbound.protection.outlook.com [207.46.163.241]) by ietfa.amsl.com (Postfix) with ESMTP id D66B021E80A9 for <oauth@ietf.org>; Wed, 17 Apr 2013 14:40:11 -0700 (PDT)
Received: from BL2FFO11FD024.protection.gbl (10.173.161.201) by BL2FFO11HUB013.protection.gbl (10.173.160.105) with Microsoft SMTP Server (TLS) id 15.0.675.0; Wed, 17 Apr 2013 21:40:09 +0000
Received: from TK5EX14HUBC105.redmond.corp.microsoft.com (131.107.125.37) by BL2FFO11FD024.mail.protection.outlook.com (10.173.161.103) with Microsoft SMTP Server (TLS) id 15.0.675.0 via Frontend Transport; Wed, 17 Apr 2013 21:40:09 +0000
Received: from TK5EX14MBXC283.redmond.corp.microsoft.com ([169.254.2.224]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.02.0318.003; Wed, 17 Apr 2013 21:39:42 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: =JeffH <Jeff.Hodges@KingsMountain.com>, IETF oauth WG <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] regarding nested JWTs and security
Thread-Index: AQHN39AM+YNehY3ElEmhqPClRQUvSZjbp5Hw
Date: Wed, 17 Apr 2013 21:39:42 +0000
Message-ID: <4E1F6AAD24975D4BA5B16804296739436764BC54@TK5EX14MBXC283.redmond.corp.microsoft.com>
References: <50D4EBB7.6070508@KingsMountain.com>
In-Reply-To: <50D4EBB7.6070508@KingsMountain.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.75]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B16804296739436764BC54TK5EX14MBXC283r_"
MIME-Version: 1.0
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(43784002)(199002)(189002)(377454001)(51704004)(13464002)(71186001)(5343635001)(80022001)(65816001)(56816002)(66066001)(5343655001)(59766001)(77982001)(564824004)(18276755001)(18277545001)(81542001)(79102001)(51856001)(76482001)(33656001)(81342001)(69226001)(53806001)(44976003)(512954001)(15202345002)(16406001)(54356001)(55846006)(16236675002)(56776001)(74502001)(54316002)(74662001)(49866001)(46102001)(4396001)(63696002)(47976001)(47736001)(20776003)(6806003)(31966008)(50986001)(47446002); DIR:OUT; SFP:; SCL:1; SRVR:BL2FFO11HUB013; H:TK5EX14HUBC105.redmond.corp.microsoft.com; RD:InfoDomainNonexistent; A:1; MX:1; LANG:en;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-Forefront-PRVS: 081904387B
Subject: Re: [OAUTH-WG] regarding nested JWTs and security
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Apr 2013 21:40:14 -0000
Jeff - following up on one aspect of our conversation in Orlando, I'd been thinking about what additional guidance needed to be added to the JWT spec about the order of signing and encryption operations. I've come to the conclusion that this is already handled by the JOSE layer, and so is not a JWT concern, per se. Nonetheless, I've added the following text to my working draft of the JWT specification after the current Security Considerations about Nested JWTs:
Note that potential concerns about security issues related to the order of signing and encryption operations are already addressed by the underlying JWS and JWE specifications; in particular, because JWE only supports the use of authenticated encryption algorithms, cryptographic concerns about the potential need to sign after encryption that apply in many contexts do not apply to this specification.
Please let me know if you agree with that statement or if you'd like to see any changes to it or additional statements made.
Thanks again for your diligence!
-- Mike
-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of =JeffH
Sent: Friday, December 21, 2012 3:08 PM
To: IETF oauth WG
Subject: [OAUTH-WG] regarding nested JWTs and security
"nested JWTs" are only nominally defined in draft-ietf-oauth-json-web-token-05
(and the term is missing from the terminology section).
the JWT spec implies that "signing and then encrypting" and "encrypting and then signing" are equivalent. however they aren't in various ways.
Axel already raised this point in..
Re: [jose] encrypting AND signing a token
https://www.ietf.org/mail-archive/web/jose/current/msg01269.html
..and cited this paper (worth citing again)..
Defective Sign & Encrypt in S/MIME, PKCS#7, MOSS, PEM, PGP, and XML
Don Davis
http://world.std.com/~dtd/sign_encrypt/sign_encrypt7.html
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.28.7379&rep=rep1&type=pdf
One has to carefully compose signing and encryption in order to avoid various vulnerabilities detailed in the latter.
I agree with Axel that there should be one carefully designed way to craft a signed and encrypted JW*.
Note that in the JSMS draft (draft-rescorla-jsms-00; an early input into what became the JOSE WG), sign & encrypt composition is declared..
> 4.6. Composition
>
> This document does not specify a combination signed and encrypted
> mode. However, because the contents of a message can be arbitrary,
> and encryption and data origin authentication can be provided by
> recursively encapsulating multiple JSMS messages. In general,
> senders SHOULD sign the message and then encrypt the result (thus
> encrypting the signature). This prevents attacks in which the
> signature is stripped, leaving just an encrypted message, as well as
> providing privacy for the signer.
..tho that's a drafty draft and I didn't review carefully enough to determine whether it addresses the need for sign and encrypt to cross-refer (see S4.3 in the paper).
HTH,
=JeffH
_______________________________________________
OAuth mailing list
OAuth@ietf.org<mailto:OAuth@ietf.org>
https://www.ietf.org/mailman/listinfo/oauth