IETF Logo Mail Archive

Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

"Richard Backman, Annabelle" <richanna@amazon.com> Fri, 10 January 2020 00:25 UTC

Return-Path: <prvs=27136b9e3=richanna@amazon.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0843112022A for <oauth@ietfa.amsl.com>; Thu, 9 Jan 2020 16:25:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_SPF_WL=-7.5] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d6A3xV1xoIdc for <oauth@ietfa.amsl.com>; Thu, 9 Jan 2020 16:25:19 -0800 (PST)
Received: from smtp-fw-9101.amazon.com (smtp-fw-9101.amazon.com [207.171.184.25]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 888F21200B3 for <oauth@ietf.org>; Thu, 9 Jan 2020 16:25:19 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=amazon.com; i=@amazon.com; q=dns/txt; s=amazon201209; t=1578615920; x=1610151920; h=from:to:subject:date:message-id:mime-version; bh=1mYinadEay+jOEIvA6f1QvkccnIWc9es8ICRsvuOqsI=; b=ox4dtjf3kb8t/naDBJZ76wpnOxjgxLC2yMOZyz7eB2amiV5AyVItPB8N FRFz4iHfOCj/F0Lea/qezGn9NLL7M7G7/4fZzWFdsvePEKQYGGMxA8VMO 2FVgZt2p7lShUCvgNg3BGO6qhMpOyli0d+Mxkt/Bk+XH0GM/aAbrlLL3R s=;
IronPort-SDR: ucti/Tj1PjBAMmoD4anrLo/4M7khrBz0v5ll6Wv6570xHuobRM/JiuVnIeW4qLJXvs/z8j981G pdSFVvVjTkrw==
X-IronPort-AV: E=Sophos;i="5.69,414,1571702400"; d="scan'208,217";a="9459605"
Received: from sea32-co-svc-lb4-vlan3.sea.corp.amazon.com (HELO email-inbound-relay-2a-c5104f52.us-west-2.amazon.com) ([10.47.23.38]) by smtp-border-fw-out-9101.sea19.amazon.com with ESMTP; 10 Jan 2020 00:25:09 +0000
Received: from EX13MTAUWC001.ant.amazon.com (pdx4-ws-svc-p6-lb7-vlan3.pdx.amazon.com [10.170.41.166]) by email-inbound-relay-2a-c5104f52.us-west-2.amazon.com (Postfix) with ESMTPS id EFB19A1BA7; Fri, 10 Jan 2020 00:25:08 +0000 (UTC)
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13MTAUWC001.ant.amazon.com (10.43.162.135) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 10 Jan 2020 00:25:08 +0000
Received: from EX13D11UWC004.ant.amazon.com (10.43.162.101) by EX13D11UWC004.ant.amazon.com (10.43.162.101) with Microsoft SMTP Server (TLS) id 15.0.1367.3; Fri, 10 Jan 2020 00:25:08 +0000
Received: from EX13D11UWC004.ant.amazon.com ([10.43.162.101]) by EX13D11UWC004.ant.amazon.com ([10.43.162.101]) with mapi id 15.00.1367.000; Fri, 10 Jan 2020 00:25:08 +0000
From: "Richard Backman, Annabelle" <richanna@amazon.com>
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, oauth <oauth@ietf.org>
Thread-Topic: [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
Thread-Index: AQHVx0xpDyUIRyiBT0+iDXwQ2PYV6A==
Date: Fri, 10 Jan 2020 00:25:08 +0000
Message-ID: <CDAB3728-0FB0-49A5-9A6C-6F3794A6E1DB@amazon.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.43.162.252]
Content-Type: multipart/alternative; boundary="_000_CDAB37280FB049A59A6C6F3794A6E1DBamazoncom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/taYnCuPePvSArwgmLAptJCvpilw>
Subject: Re: [OAUTH-WG] [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 00:25:22 -0000

The “typ” field helps prevent misrepresentation of a legitimately issued JWT, but it doesn’t address the issue I am trying to draw attention to, which is that the current model forces broader distribution and reuse of keys than is necessary, resulting in a greater blast radius for compromised keys or systems.

For many cases, this is not a significant concern, as the AS is a monolithic system with no internal trust boundaries. However, in cases where the AS is composed of multiple microservices performing different tasks, the need to share keys between different microservices undermines efforts to create trust boundaries between them. I gave one example of this in my original email, where ID Token generation and access token generation are relegated to independent systems, each with separate private keys for signing tokens. Suppose a malicious party compromised the ID Token generator, or gained access to its private key, and issued fraudulent access tokens signed using that key. Since verifiers of both token types will look to the same metadata file and thus the same JWK set, they have no way to recognize that these access tokens are fraudulent.

Note that while “typ” would help a verifier distinguish between an ID Token and an access token, it does not help in this case because the malicious party is generating well-formed access token JWTs, signed with a key that is legitimate for the AS but not for this purpose.

The case for this being a concern on the encryption side is fuzzier, primarily because we simply don’t have many use cases where different kinds of content gets encrypted and sent to the AS in different contexts. However, I gave one example on the PAR thread<https://mailarchive.ietf.org/arch/msg/oauth/iVXk3EusmV4Bh9-r58bebgZ6888>, where a PAR endpoint that decrypts request object JWTs will also be able to decrypt id_token_hint JWTs.

–
Annabelle Richard Backman
AWS Identity


From: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>
Date: Thursday, January 9, 2020 at 11:34 AM
To: "Richard Backman, Annabelle" <richanna@amazon.com>, oauth <oauth@ietf.org>
Subject: [UNVERIFIED SENDER] RE: Cryptographic hygiene and the limits of jwks_uri

This a good thing to think about.  Thanks for bringing this up, Annabelle.

One thing that partially mitigates this is that the “use” and/or “key_ops” attributes can be provided.  This can allow signing keys to be differentiated from encryption keys, for instance.

I’m not as worried about encryption keys as signing keys.  If multiple kinds of applications encrypt content to a party using the same public per-party key, and the encryption is being used only to ensure confidentiality of the messages, the confidentiality is still achieved.

One mitigation for signing keys is use of the “typ” field, as described in the JWT BCP.  Even if the same key was used and you receive an unexpected JWT type, you will still reject it.

I believe there’s also cases where it’s fine to use the same signing key for related operations.  For instance, signing a Pushed Authorization Request and a Request Object with the same key seems both logical and safe to me.  (If others can think of an attack that this enables, however, please do point it out.)

Which I believe leaves us with this case to worry about – shared signing keys by unrelated applications when “typ” is not used.  One way to mitigate this would be to use per-application key sets.  For instance, using values other than “jwks_uri” to reference key sets for particular applications.

Anyway, for PAR, I believe that it’s fine to use the same keys as used for Request Objects, so no new fields are needed for it.

I look forward to further discussion on the topic.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Richard Backman, Annabelle
Sent: Wednesday, January 8, 2020 3:47 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Cryptographic hygiene and the limits of jwks_uri

I originally brought up this issue in the context of the PAR draft, but since it broadly applies to the OAuth space I’m starting a new thread…

Section 3.12 of the JWT BCP<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-jwt-bcp-07%23section-3.12&data=02%7C01%7CMichael.Jones%40microsoft.com%7C73d547c7681f4ea59a4808d7949529e6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637141240697295445&sdata=AeQLxCao2ZT661ZK2fE4a6QKyh8IzO%2Bq%2Fqzbt7Vld0s%3D&reserved=0> says: “Use different keys for different kinds of JWTs.” Section 4 of the JWT Profile for OAuth 2.0 Access Tokens<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftools.ietf.org%2Fhtml%2Fdraft-ietf-oauth-access-token-jwt-03%23section-4&data=02%7C01%7CMichael.Jones%40microsoft.com%7C73d547c7681f4ea59a4808d7949529e6%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637141240697305402&sdata=ISszTxlHTbALInjK%2FKggH9seZdW8kGXTDHZEWCyfAzc%3D&reserved=0> says: “An authorization server MAY elect to use different keys to sign id_tokens and JWT access tokens.” These statements are consistent with good cryptographic hygiene. And we’ve made it difficult to impossible for an AS to follow them.

The AS has a single metadata document containing a single URI referencing a single JWK Set. But the AS has no way of indicating to clients which keys to use for which purposes. For example, an AS cannot say that *only these* keys are to be used to encrypt id_token_hint JWTs, and *only these* keys are to be used to encrypt JAR request object JWTs. For encryption, the AS could enforce that logic internally, but there is no way for the client to discover this. And while the AS may be built to only use certain keys for signing ID Tokens and other keys for signing JWT access tokens, it has no way to indicate this to the client. So even if ID Token generation and access token generation are isolated in different microservices within the AS, each microservice is capable of forging the other’s tokens, because consumers can’t be told to distinguish between different keys for the AS.

This seems like a ticking time bomb to me, as it’s a non-obvious side effect of combining various OAuth 2.0 extensions, and it can undermine a lot of sophisticated effort to follow security best practices. I can see a couple of ways to address this (e.g., more sophisticated AS key metadata, tagging or similar use case indication on JWKs), but before trying to propose something I’d like to get people’s opinions on the problem. Is this already mitigated in other ways? Has the ship sailed on this for OAuth, and now we have to live with it? Should this be left to the deployments that care to solve with non-interoperable solutions? Are there other clever ways we could approach this? Are there other angles that we need to consider?

–
Annabelle Richard Backman
AWS Identity

v2.23.0 | Report a Bug | By Email