[secdir] Re: Secdir last call review of draft-ietf-jose-fully-specified-algorithms-08
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Mon, 31 March 2025 18:56 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: secdir@mail2.ietf.org
Delivered-To: secdir@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id B51C4155C276; Mon, 31 Mar 2025 11:56:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gv90DH1rfQJj; Mon, 31 Mar 2025 11:56:41 -0700 (PDT)
Received: from mail-qv1-xf31.google.com (mail-qv1-xf31.google.com [IPv6:2607:f8b0:4864:20::f31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by mail2.ietf.org (Postfix) with ESMTPS id 4B94E155C271; Mon, 31 Mar 2025 11:56:41 -0700 (PDT)
Received: by mail-qv1-xf31.google.com with SMTP id 6a1803df08f44-6ecfbf8fa76so54619496d6.0; Mon, 31 Mar 2025 11:56:41 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1743447399; x=1744052199; darn=ietf.org; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:from:to:cc:subject:date:message-id :reply-to; bh=Q5q0KAtBj+c2qGyiQ7bX4PVqXkONxKB2LK8i+ZdpO50=; b=SZD+c9JPg6LqKEsOowieWyo2yF0t2B0CD59+OJhxdjEQec+RkOmK5ZUTfylqgBqLGy ds+ZMc9LH+e6js8Aedzy7FD5ZaGeH4OqACwGzsW1TQGGv1sMNxweuR/g5a3J9ElOAPEN MAdrpshcZYqTb5Cm8R7HgQ73zIZxVdEYOPxzh4ss8kuIkJTWkwMgRIUlPsLvAaKn9rCS tt/Vc8Dvdc6GqiZj50aY366aBb9ZRL781OGer4784mHuoLelMNFlTvZAXDE/CWvNZAGN 0ypku7k6IBNtUK+S3SwO8tS61EEzu85ZDFrekO1gYnRKz43sApp3gpfhp+yTA+tOV5/l wU2Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1743447399; x=1744052199; h=to:in-reply-to:cc:references:message-id:date:subject:mime-version :content-transfer-encoding:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=Q5q0KAtBj+c2qGyiQ7bX4PVqXkONxKB2LK8i+ZdpO50=; b=nHlOusc/vCPmD4qYnZD7MENb+C7C6k+GSjNiYA4tvDYmR0Iy/ww/KqA9Iln5QAq3A8 sbFQ59exeHS0tscQDcoHMFs9Lo4CDeSZvr79Lsb9RuiKtJZZUILh3qOZGSLSETol8Hde QryF295/z21Ie35Ox5/Vy8I0Ih2JnLLjYxq6lfdEipMeyiz51Mhn1TwZFEKURv9tq7xy MJ0g4shPT07mirT+XvcVayut96EL69C4n9VbCz23Ndsk+ch7Cpw6Dw+BXFlcY+e7diOB FPW9jWEK/yUj5SCIHHhR/AwhdoM5oKoDCqETT+IC+u8n8nLwdBEsb6H12RC69H2W7iPu t1UQ==
X-Forwarded-Encrypted: i=1; AJvYcCU1REeIajyTsWilGuyuEtzSsUK77P1635ooS4phtLLboUEgDnEcOm5KkSlZ0cDk/hHC7ZMntSJUmiBhA4ypRbKF60SwvV+PR8XgBndx2WYnZqZYLbC/jLL50tXZKUY/@ietf.org, AJvYcCX+hpefM3t9MI4g14QyLIT1BpEPtdt2jA5jZucistZMJjdUlpqjV8cog6S28f0vE6jHCN4YCg==@ietf.org, AJvYcCXx5foJQaBARIbQGY1I7NX2oorCOUpwCrrN4IBsqpBOe8omDFplqGPJH56cmEUaFvXYzgVkgJ1Cm0Wh@ietf.org
X-Gm-Message-State: AOJu0YwPVjQEqtS4F/o1GK89evH8Iyn7Qdhc+RnByZf09nIPkRkHr335 BL4O1OiOcSNCoRModm7BxvxJ5ViMKNtg7vcytVDK/4Z+A/W6xpsVDTZW01P5
X-Gm-Gg: ASbGnctX+lA+fQ4BMCb/Dv/uOw7mYoBMs9liDsWqHjQ9o7nxuszRJsQChpaS5p3qjlu HfdQ5A7fOci1GBWjZ1EaX4pY7YtBkBoNtz45sUdB8ISDXL3Jupx21CBHcgNxm2weoSQ7SmMq/bz +VGRWBH4vVaq1L1faCay7h5+WP1+oo2JBdID+z+Z+SbEdu0kxyLBY2niSugynvpRghDUkV+86WL j3mZWkhj7Pfoz/u8P/+f1U0I6M/ZxTtlaldAIQ6QgsKuMBMSD1k/9hSIVNA0PFz9Y7tMiSJWlP/ 9ZLR5IEgG1+No7Ef0BcV5xT0uMFSO8GlfYe9enTYZ2UTE3KpD3QtmXHpn3X8J1lfZucySmxHmp+ DuB9gLdH8fHY5AnQz+fr0nN/IbNWr4Xo8DzYMOYjXVZN+oYuG8KaiAdB44rHlgQQLRQaUTrj6jI Rl15YC3GNHSHQIofV0qgk=
X-Google-Smtp-Source: AGHT+IERnP8XnOu0muoVfYheIt2KFeDt+iJ6gIktjkJ72aoQelD73xxzKPnVQf/01ThSAPiRydKKxA==
X-Received: by 2002:a05:6214:1bc9:b0:6e8:f133:3795 with SMTP id 6a1803df08f44-6eed627194bmr194891486d6.32.1743447399068; Mon, 31 Mar 2025 11:56:39 -0700 (PDT)
Received: from smtpclient.apple (146-115-101-80.s7246.c3-0.arl-cbr1.sbo-arl.ma.cable.rcncustomer.com. [146.115.101.80]) by smtp.gmail.com with ESMTPSA id af79cd13be357-7c5f76a6ee8sm530244085a.50.2025.03.31.11.56.37 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 31 Mar 2025 11:56:38 -0700 (PDT)
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Google-Original-From: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (1.0)
Date: Mon, 31 Mar 2025 14:56:26 -0400
Message-Id: <6B3198D7-2D08-4341-A1AA-A8BE759E1A91@gmail.com>
References: <PH7PR02MB92923B44693DC2AFB6DB632CB7AD2@PH7PR02MB9292.namprd02.prod.outlook.com>
In-Reply-To: <PH7PR02MB92923B44693DC2AFB6DB632CB7AD2@PH7PR02MB9292.namprd02.prod.outlook.com>
To: Michael Jones <michael_b_jones@hotmail.com>
X-Mailer: iPhone Mail (22D82)
Message-ID-Hash: MODMJ5T4ME4TF7ZUDUKTY5EM4P3RMROU
X-Message-ID-Hash: MODMJ5T4ME4TF7ZUDUKTY5EM4P3RMROU
X-MailFrom: kathleen.moriarty.ietf@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-jose-fully-specified-algorithms.all@ietf.org, jose@ietf.org, last-call@ietf.org
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [secdir] Re: Secdir last call review of draft-ietf-jose-fully-specified-algorithms-08
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/GNlJg2Evp9e4xbJgWcsJnm_oLMw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>
Hello Mike! Sent from my mobile device > On Mar 31, 2025, at 1:15 PM, Michael Jones <michael_b_jones@hotmail.com> wrote: > > Any thoughts, Kathleen? We'd like to update the draft to incorporate your feedback before the telechat. > > Thanks, > -- Mike > > -----Original Message----- > From: Michael Jones <michael_b_jones@hotmail.com> > Sent: Wednesday, March 26, 2025 5:46 PM > To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>; secdir@ietf.org > Cc: draft-ietf-jose-fully-specified-algorithms.all@ietf.org; jose@ietf.org; last-call@ietf.org > Subject: RE: Secdir last call review of draft-ietf-jose-fully-specified-algorithms-08 > > Hi Kathleen, > > Thanks for your review. We have a mitigation for your first issue. But before we add it to the draft, I wanted to better understand your second issue. Thank you for your considerations on the comments. I’ll respond in line to shed a bit more light. > > Are you saying that an attacker could vary the algorithms used when signing content? That's of course true, but the attack scenario is not clear to me. Are you saying that an attacker might be identifiable from the algorithm it chooses to use and that by changing algorithms, they could somewhat obscure their identity? Can you describe an example of a scenario where this could occur in practice, so I can better understand it? Yes, this attack would apply to any polymorphic changeable set of algorithms. I’m only stating that you should acknowledge it in the security considerations, but I don’t think that there’s a way that you can fully address it. This is more to raise awareness and then someone like OWASP can help more. If the signature on the content sent changes any signature based detection methods would fail. One suggestion to put in the security considerations would be to suggest a focused on allow listing as opposed to deny listing where you might highlight any indicators of compromise that have been seen before in other attacks. In using an allow list if an organization we’re going to screen on content, they would be permitting what they expect to see. It’s usually a much shorter list and more effective. I’m not asking for a lot here just a couple of statements really to highlight a potential concern. Does that make sense and help? Thank you, Kathleen > > Also, as you wrote, this consideration applies whether the algorithms are fully-specified or polymorphic. So it seems like it may have broader application than the specific algorithms defined in this document and this documents advice to avoid polymorphic algorithms. Does it, for instance, apply to all of JOSE and all of COSE and all of X.509? Without understanding the attack better, I can't tell. > > Thanks, > -- Mike > > -----Original Message----- > From: Kathleen Moriarty via Datatracker <noreply@ietf.org> > Sent: Tuesday, March 25, 2025 5:33 AM > To: secdir@ietf.org > Cc: draft-ietf-jose-fully-specified-algorithms.all@ietf.org; jose@ietf.org; last-call@ietf.org > Subject: Secdir last call review of draft-ietf-jose-fully-specified-algorithms-08 > > Reviewer: Kathleen Moriarty > Review result: Has Issues > > Greetings! > > Sorry for my late review. In reviewing the draft, there are 2 easily resolvable findings. The first is that the term "cross mode" is used and never defined. > Tracing back to the reference provided, the closest I could find to "cross mode" was the following text in RFC 9459: > "To avoid cross-protocol concerns, implementations MUST NOT use the > same keying material with more than one mode. For example, the same > keying material must not be used with AES-CTR and AES-CBC." > Matching the language or proving a definition would help to resolve this concern. > > Second, as I was reading the draft, anther security consideration became clear and should be added. An attacker can easily avoid fingerprinting detection or signature detection by rotating the ciphersuite whether it be defined or polymorphic. If programmed to rotate, then the results will look different. > Awareness of flexibility in protocols to conduct attacks should be explicitly stated so that OWASP can write up mitigations sooner rather than later when attacks become prevalent. > > Thank you for addressing the concerns! I did check the has issues, but do think these are very easily addressed. > > Best regards, > Kathleen > > >
- [secdir] Secdir last call review of draft-ietf-jo… Kathleen Moriarty via Datatracker
- [secdir] Re: Secdir last call review of draft-iet… Michael Jones
- [secdir] Re: Secdir last call review of draft-iet… Michael Jones
- [secdir] Re: Secdir last call review of draft-iet… Kathleen Moriarty
- [secdir] Re: [jose] Re: Secdir last call review o… Orie