IETF Logo Mail Archive

Re: [OAUTH-WG] Cryptographic hygiene and the limits of jwks_uri

Mike Jones <Michael.Jones@microsoft.com> Thu, 09 January 2020 19:33 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 884EC120144 for <oauth@ietfa.amsl.com>; Thu, 9 Jan 2020 11:33:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iiCwFe5OvAgs for <oauth@ietfa.amsl.com>; Thu, 9 Jan 2020 11:33:24 -0800 (PST)
Received: from NAM06-DM3-obe.outbound.protection.outlook.com (mail-eopbgr640118.outbound.protection.outlook.com [40.107.64.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 710D2120123 for <oauth@ietf.org>; Thu, 9 Jan 2020 11:33:24 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=ShYg4MY/UBs1gdS6B1VuPSzkZDO3s058W8JCuin5yL5DZI2qkfiHZhUOlNXcMHVmYI5GQHtmMn+Et3vy43ujxTgXdrZf5YdRIS9EQiyIiwTUlmZDZlfyXt40aV/rpy2VuWVTPixGpKDF/pC03c6E8iona3lZj12PgwV7+gKYCJ/xketuQooLOibTjIUhX2Vn+XAVhJIFRrIKdboMysGfCxxSayH9GR24/Qpn4lJ2CRYz6TE2uoljk1DK7KSHpQ9Ke7rGo3vSu5VJeWCJALx9k5qMpSbLG+QI09YzdETvXuOHGh/u6tc381xy1+gcs7nno5cdPlyKuUsupj9uAk9zKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EXGhuiMFFwJIDCnk+eN/VqcaZ1VCG/5WqsspjTV7yzQ=; b=STLvaisXNxt0aakXTl5y6pgo8+s//HivqhgXUEDHFUveQ/tzD03WmEbCHsZFFm8wUgrFyPhqS7Pv07BOjgW4cjnHDCaCGmLJ/avRggTa0t2bteigYKUotqDSNjy6FNvhHB2Yr0w66H4XmJeIyW9JUO8nsu1142Fw0kYVg/TSRKB7+KMEEMqcwhWnCEN2n1zGRFVhI8firZDmsWpHXUUuT9os0FodapOcPm/GmRHdSRDkbay8kUup3mHKkQBjXYHfn3+FZZtTt0+bKPOaJ+dwR3oZgmsypkMpJbQllmRuDfA1nhUB2Be8s3y+tWvJlNGisF15o97ShFWVoOlHxtsovA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=EXGhuiMFFwJIDCnk+eN/VqcaZ1VCG/5WqsspjTV7yzQ=; b=iHYyiOyL+O2R7iauan02+NRLNVu3QpPmpJoY4l4hfMIh3bxpGd3VI+oH+GM7XgnNMKVNNE1xs5V0rsFGUPXyhn54uA3dwZA3Y4Hqcvs6wCpHe0kREBtBISk0sxj1n/kIXobjHeKdKeIdU9g/lxksm7FQfc//MFTNJMLPkDoUX+s=
Received: from DM6PR00MB0847.namprd00.prod.outlook.com (20.179.227.78) by DM6PR00MB0474.namprd00.prod.outlook.com (20.178.29.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2660.0; Thu, 9 Jan 2020 19:33:22 +0000
Received: from DM6PR00MB0847.namprd00.prod.outlook.com ([fe80::2d56:644f:3f3e:8c62]) by DM6PR00MB0847.namprd00.prod.outlook.com ([fe80::2d56:644f:3f3e:8c62%4]) with mapi id 15.20.2665.000; Thu, 9 Jan 2020 19:33:22 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: "Richard Backman, Annabelle" <richanna=40amazon.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Topic: Cryptographic hygiene and the limits of jwks_uri
Thread-Index: AQHVxn32ZMKwQrnvkUO4GZSyw84VLqfit3ng
Date: Thu, 09 Jan 2020 19:33:22 +0000
Message-ID: <DM6PR00MB0847C099541F89C9A476B4D6F5390@DM6PR00MB0847.namprd00.prod.outlook.com>
References: <A936D8D0-D8D7-4B58-AFF0-AE16E4C7A660@amazon.com>
In-Reply-To: <A936D8D0-D8D7-4B58-AFF0-AE16E4C7A660@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=b5b9fcc8-7583-4a6f-ba7a-0000b35e6f1a; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2020-01-09T19:23:11Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47;
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Michael.Jones@microsoft.com;
x-originating-ip: [50.47.92.57]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 49d34014-529a-48e6-46ae-08d7953ac9ee
x-ms-traffictypediagnostic: DM6PR00MB0474:
x-microsoft-antispam-prvs: <DM6PR00MB0474CB6700FDF81644F638C7F5390@DM6PR00MB0474.namprd00.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02778BF158
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(376002)(346002)(366004)(136003)(396003)(189003)(199004)(52314003)(33656002)(76116006)(86362001)(7696005)(6506007)(478600001)(53546011)(8990500004)(8676002)(2906002)(26005)(316002)(81166006)(81156014)(5660300002)(186003)(66946007)(52536014)(8936002)(10290500003)(66574012)(110136005)(66556008)(64756008)(71200400001)(66446008)(55016002)(9686003)(66476007); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR00MB0474; H:DM6PR00MB0847.namprd00.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: DtG1z1oks31hxRZjmHgS5Mh6VsP+QlkPZbz1oTaDirpqgfekly7cUl0nPe0IQRpgezHF6HCcNki0+E6qGdNBelrZgSjKzZg92id3sYZ82tUyE8Df1lU5h4N0Eju4WcofSuxXp0gBFAgiidp9RXpDeJgT8trPvNzvDdeDY4rMJNsvTJZcKFg2I2b+GqGuFwyV4eG08s2vOTozHvifSxu2Kolgz9ePGroVqi/jRqi/SeHp++4cHsdNZkjtY2fDxubAzCQWPe77afOAGgMpqqQRAxiClItvUU+rc7gPB/0sBkD6RNtlAWo9cIDQ6MXh/QOK90AG6Dy6CJl0ui4PmFV7thxj+1F/LEIMBQltK1qEW77x2AmL32x4gKc487hhIcX9VlCGJ5mty0mATMrC5Wmx1VEL+8E13VR1RwEkzteG4BwWW0MefHOjIkfCfRzJBpsTHwbTpjCRgT1bUKoH3nDXfYS9ssz2nNHkLxZUk68eRI2qnBfwqkeRLRkIfnxKOEQpB/d/HA+dmmha5Vth5NEk97LB9HrRgrUlJe230R+PDtxI87IceVmRPkIzzXwS35oi
x-ms-exchange-antispam-messagedata: /mM7oMoDMPOv5YH20suJZ44jygdR6f0qVREHCLnE5Nyc9BI/yTtvzGCxsyzHvNmvSZqAYw05rwQnZm84zydlLGvEJx9EheEJ4BujyoQyFQBpAdNTTMvYaQK6GgimW4tluetWyO4l1iDIP8Nx+zvOhA==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_DM6PR00MB0847C099541F89C9A476B4D6F5390DM6PR00MB0847namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 49d34014-529a-48e6-46ae-08d7953ac9ee
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jan 2020 19:33:22.3656 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: UuNDwx6mvJlB/hjCesWM6ic0D+LArGjiodK8YVHnpsZmvjqVTSD0fL1KGUfgjuNtc64/bNwAXM6yTkz1jTbY9Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR00MB0474
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/iHGoiEUQU4ztO7-4JFZhptwFaLs>
Subject: Re: [OAUTH-WG] Cryptographic hygiene and the limits of jwks_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2020 19:33:26 -0000

This a good thing to think about.  Thanks for bringing this up, Annabelle.

One thing that partially mitigates this is that the “use” and/or “key_ops” attributes can be provided.  This can allow signing keys to be differentiated from encryption keys, for instance.

I’m not as worried about encryption keys as signing keys.  If multiple kinds of applications encrypt content to a party using the same public per-party key, and the encryption is being used only to ensure confidentiality of the messages, the confidentiality is still achieved.

One mitigation for signing keys is use of the “typ” field, as described in the JWT BCP.  Even if the same key was used and you receive an unexpected JWT type, you will still reject it.

I believe there’s also cases where it’s fine to use the same signing key for related operations.  For instance, signing a Pushed Authorization Request and a Request Object with the same key seems both logical and safe to me.  (If others can think of an attack that this enables, however, please do point it out.)

Which I believe leaves us with this case to worry about – shared signing keys by unrelated applications when “typ” is not used.  One way to mitigate this would be to use per-application key sets.  For instance, using values other than “jwks_uri” to reference key sets for particular applications.

Anyway, for PAR, I believe that it’s fine to use the same keys as used for Request Objects, so no new fields are needed for it.

I look forward to further discussion on the topic.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Richard Backman, Annabelle
Sent: Wednesday, January 8, 2020 3:47 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Cryptographic hygiene and the limits of jwks_uri

I originally brought up this issue in the context of the PAR draft, but since it broadly applies to the OAuth space I’m starting a new thread…

Section 3.12 of the JWT BCP<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-jwt-bcp-07%23section-3.12&data=02%7C01%7CMichael.Jones%40microsoft.com%7C73d547c7681f4ea59a4808d7949529e6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637141240697295445&sdata=AeQLxCao2ZT661ZK2fE4a6QKyh8IzO%2Bq%2Fqzbt7Vld0s%3D&reserved=0> says: “Use different keys for different kinds of JWTs.” Section 4 of the JWT Profile for OAuth 2.0 Access Tokens<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-access-token-jwt-03%23section-4&data=02%7C01%7CMichael.Jones%40microsoft.com%7C73d547c7681f4ea59a4808d7949529e6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637141240697305402&sdata=ISszTxlHTbALInjK%2FKggH9seZdW8kGXTDHZEWCyfAzc%3D&reserved=0> says: “An authorization server MAY elect to use different keys to sign id_tokens and JWT access tokens.” These statements are consistent with good cryptographic hygiene. And we’ve made it difficult to impossible for an AS to follow them.

The AS has a single metadata document containing a single URI referencing a single JWK Set. But the AS has no way of indicating to clients which keys to use for which purposes. For example, an AS cannot say that *only these* keys are to be used to encrypt id_token_hint JWTs, and *only these* keys are to be used to encrypt JAR request object JWTs. For encryption, the AS could enforce that logic internally, but there is no way for the client to discover this. And while the AS may be built to only use certain keys for signing ID Tokens and other keys for signing JWT access tokens, it has no way to indicate this to the client. So even if ID Token generation and access token generation are isolated in different microservices within the AS, each microservice is capable of forging the other’s tokens, because consumers can’t be told to distinguish between different keys for the AS.

This seems like a ticking time bomb to me, as it’s a non-obvious side effect of combining various OAuth 2.0 extensions, and it can undermine a lot of sophisticated effort to follow security best practices. I can see a couple of ways to address this (e.g., more sophisticated AS key metadata, tagging or similar use case indication on JWKs), but before trying to propose something I’d like to get people’s opinions on the problem. Is this already mitigated in other ways? Has the ship sailed on this for OAuth, and now we have to live with it? Should this be left to the deployments that care to solve with non-interoperable solutions? Are there other clever ways we could approach this? Are there other angles that we need to consider?

–
Annabelle Richard Backman
AWS Identity

v2.23.0 | Report a Bug | By Email