Re: [OAUTH-WG] JWT: Algorithm choice as an attack vector
Vladimir Dzhuvinov <vladimir@connect2id.com> Thu, 06 October 2016 05:11 UTC
Return-Path: <vladimir@connect2id.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D27DA1293F5 for <oauth@ietfa.amsl.com>; Wed, 5 Oct 2016 22:11:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hTOoQi_L1n4 for <oauth@ietfa.amsl.com>; Wed, 5 Oct 2016 22:11:46 -0700 (PDT)
Received: from p3plsmtpa11-04.prod.phx3.secureserver.net (p3plsmtpa11-04.prod.phx3.secureserver.net [68.178.252.105]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AED3128874 for <oauth@ietf.org>; Wed, 5 Oct 2016 22:11:46 -0700 (PDT)
Received: from [192.168.1.10] ([79.100.136.247]) by :SMTPAUTH: with SMTP id s0xdbFfCt01SHs0xebPsh1; Wed, 05 Oct 2016 22:11:15 -0700
To: oauth@ietf.org
References: <CAObXGQzoRXC2TSA3Dk8fRF=hB=fuzRamZOPvHDzp7cQcjHR8Yg@mail.gmail.com>
From: Vladimir Dzhuvinov <vladimir@connect2id.com>
Organization: Connect2id Ltd.
Message-ID: <d959b93a-d7a7-94c2-f4fb-29e49b58ce5c@connect2id.com>
Date: Thu, 06 Oct 2016 08:11:12 +0300
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.3.0
MIME-Version: 1.0
In-Reply-To: <CAObXGQzoRXC2TSA3Dk8fRF=hB=fuzRamZOPvHDzp7cQcjHR8Yg@mail.gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha-256"; boundary="------------ms060407080107060201080408"
X-CMAE-Envelope: MS4wfOgB36ak8iOh6wwL1Rw9mWOxVlaEbPzH1gk+mQj/ceuQTYSV8WeK7JWSuXwVih8ar1sxu6+y+RUzobsh8J78i+0CaoLfrTi4yXWKkbP//PC3jdQcq7cU wQAgeycWVKuRZQyq+lONI//tfbj6gXok4iRAs70OmI239gx+6qYjpZmX
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/xnPwkHnMcDuuHPyMH42IDp9sM4w>
Subject: Re: [OAUTH-WG] JWT: Algorithm choice as an attack vector
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 05:11:48 -0000
Hi Maciej, Apps must not accept arbitrary JWTs, neither let the JWT header alone drive the JWT validation process. A good app contract will specify which algs and header parameters are accepted, and discard all JWTs that don't match these rules, before passing the JWTs for validation to the library. On 03/10/16 18:46, Maciej Kwidzinski wrote: > Hi, > > Tim McLean describes an attack vector on JWT-protected services in his > blog post: https://auth0.com/blog/critical-vulnerabilities-in-json-web-token-libraries/ > > The culprit is relying on the algorithm in the JWT header. The > workaround/recommendation is to ignore the algorithm from the header > and use a predefined one. > > The current RFC 7519 does not address this vulnerability. > Will this problem be addressed in the standard? > > Best regards, > Maciej Kwidziński > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] JWT: Algorithm choice as an attack vec… Maciej Kwidzinski
- Re: [OAUTH-WG] JWT: Algorithm choice as an attack… Vladimir Dzhuvinov
- Re: [OAUTH-WG] JWT: Algorithm choice as an attack… Jim Manico