Re: [secdir] Secdir review of draft-ietf-jose-json-web-signature-31

Tero Kivinen <kivinen@iki.fi> Mon, 22 September 2014 13:59 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F3BEB1A1AD4; Mon, 22 Sep 2014 06:59:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.907
X-Spam-Level:
X-Spam-Status: No, score=-1.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.786, SPF_NEUTRAL=0.779] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3KstAjHsbE9f; Mon, 22 Sep 2014 06:59:10 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68C431A1B54; Mon, 22 Sep 2014 06:42:04 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id s8MDg2Hg014435 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 22 Sep 2014 16:42:02 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id s8MDg2Jl004278; Mon, 22 Sep 2014 16:42:02 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <21536.10026.506235.155913@fireball.kivinen.iki.fi>
Date: Mon, 22 Sep 2014 16:42:02 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Mike Jones <Michael.Jones@microsoft.com>
In-Reply-To: <4E1F6AAD24975D4BA5B16804296739439BA5A04D@TK5EX14MBXC286.redmond.corp.microsoft.com>
References: <21512.21725.209461.976375@fireball.kivinen.iki.fi> <4E1F6AAD24975D4BA5B16804296739439AEABA21@TK5EX14MBXC292.redmond.corp.microsoft.com> <21528.638.485017.482257@fireball.kivinen.iki.fi> <4E1F6AAD24975D4BA5B16804296739439BA5A04D@TK5EX14MBXC286.redmond.corp.microsoft.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 7 min
X-Total-Time: 7 min
Archived-At: http://mailarchive.ietf.org/arch/msg/secdir/ZYY8B-ugf3TVjUouI43snn_chB4
Cc: "jose@ietf.org" <jose@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-jose-json-web-signature.all@tools.ietf.org" <draft-ietf-jose-json-web-signature.all@tools.ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-jose-json-web-signature-31
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Sep 2014 13:59:13 -0000

Mike Jones writes:
> Tero - for your point "2) Hash inside "alg" and inside the
> signature", could you please write proposed security considerations
> text addressing this issue?  I'd think it should describe the need
> for implementations to ensure that signature verification is done
> for the exact algorithm specified in the "alg" header parameter, no
> matter what algorithm information may (or may not) have been encoded
> into the signature value in an algorithm-specific manner. 

Something like this:

  In case of algorithms where there is algorithm parameters specified
  also inside the actual signature, the implementations MUST verify
  that the parameters inside the signature and the parameters
  specified by the "alg" Header Parameter match. This includes for
  example the RSASSA-PKCS-v1_5 algorithms ("RS*") where the signature
  contains the hash algorithm and most libraries actually use the hash
  algorithm specified inside the signature when verifying the
  signature. This test is required as the steps in the section 5.2
  verify that algorithms specified by the "alg" Header Parameter are
  acceptable, and if those algorithms could be different the attacker
  could be able to claim to use strong hash algorithm while actually
  using weak one inside the signature. 

> For your point "3) There is no explicit warning about the "alg"
> "none"", I plan to add the additional step that you suggested.

In my text above I assumed you had already added step in section 5.2
to verify that "alg" is acceptable. 

> For your point "4) Thumbprint formats" if you or someone else wants
> to define an additional thumbprint format for use in IoT contexts
> (or any other contexts), I encourage you to write an Internet Draft
> that does so, registering the new header parameter defined in the
> JSON Web Signature and Encryption Header Parameters registry.

That can of course be done, but I would have hoped the initial version
of the specification would also be usable in the IoT context, where
the use of raw public keys will most likely arise.
-- 
kivinen@iki.fi