No Way JOSE: Lessons for authors and implementers of open standards

Transcript

1. No way, JOSE! Lessons for authors and implementers of open

   standards Fraser Tweedale @hackuador July 3, 2018
2. None

3. A journey. . .

4. JOSE JSON Object Signing and Encryption IETF WG formed 2011,

   RFCs 2015 used in OpenID Connect, ACME

5. JOSE & me I wrote a JOSE library for Haskell

   I participated in IETF discussions JOSE has lots of problems (sorry. . . )

6. What is a standard?

7. Do you need a new standard?

8. CC BY-NC 2.5 https://xkcd.com/927/

9. JOSE—rationale With the increased usage of JSON in protocols in

   the IETF and elsewhere, there is now a desire to offer security services, which use encryption, digital signatures, message authentication codes (MACs) algorithms, that carry their data in JSON format.1 1https://tools.ietf.org/wg/jose/charters

10. JOSE—rationale Many current applications thus have much more robust support

    for processing objects in these text-based formats than ASN.1 objects; indeed, many lack the ability to process ASN.1 objects at all. To simplify the addition of object-based security features to these applications, the working group has been chartered to develop a secure object format based on JSON.2 2https://tools.ietf.org/html/rfc7165

11. JOSE—assumptions ASN.1 libraries don’t exist It’s better to define new

    standard than write a library JSON is suitable for security/cryptographic objects ASN.1 is bad

12. JOSE—irony 4.7. "x5c" (X.509 Certificate Chain) Parameter The "x5c" (X.509

    certificate chain) parameter contains a chain of one or more PKIX certificates [RFC5280]. The certificate chain is represented as a JSON array of certificate value strings. Each string in the array is a base64-encoded (Section 4 of [RFC4648] -- not base64url-encoded) DER [ITU.X690.1994] PKIX certificate value.

13. Takeaway: write libraries, not standards

14. Is JSON the right choice?

15. Falsehoods programmers believe about JSON. . .

16. JSON support is universal.

17. C Rust C++ Scala Haskell . . .

18. JSON is human readable.

19. {" signature ":" M3oVLXrbeFRT9Ef9d3WzR -D7dGtI eYoPBYmiCdtYqus "," protected ":" eyJhbGciOiJI

    UzI1NiIsImtpZCI6ImthcmF0ZSJ9 "," payload ":"e yJzdWJqZWN0IjoiZnJhc2VAZnJhc2UuaWQuYXUiLCJ pc3MiOiJocy1qb3NlIiwiYXVkIjpbImFsaWNlIiwiY m9iIl19Cg "}

20. JSON is unambiguously specified.

21. JSON—ambiguities invalid code points data size limits

22. JSON objects are maps.

23. JSON—objects names within an object SHOULD be unique—RFC 8259 Is

    a JSON object a map? What kind of map? How should duplicate keys be treated?

24. JSON will be parsed the same way by different parsers.

25. http://seriot.ch/parsing_json.php

26. CVE-2017-12635

27. { "type": "user", "name": "alice", "roles": ["_admin"], "roles": [] }

28. JSON—other problems Numbers Binary data? No canonical serialisation

29. {"signature":"M3oVLXrbeFRT9Ef9d3WzR-D7dGtI eYoPBYmiCdtYqus","protected":"eyJhbGciOiJI UzI1NiIsImtpZCI6ImthcmF0ZSJ9","payload":"e yJzdWJqZWN0IjoiZnJhc2VAZnJhc2UuaWQuYXUiLCJ pc3MiOiJocy1qb3NlIiwiYXVkIjpbImFsaWNlIiwiY m9iIl19Cg"}

30. {"subject":"[email protected]", "iss":"hs-jose", "aud":["alice","bob"]}

31. None

32. JSON—alternatives ASN.1 CBOR

33. Takeaway: don’t automatically reach for JSON

34. Cryptography in JOSE

35. JOSE cryptography—issues PKCS #1 v1.5 padding Weierstrass curves "none" signature

    algorithm AES Key Wrap

36. Algorithmic agility more complex protocol more ways to mess up

    end up using insecure crypto anyway

37. JOSE cryptography—common vulnerabilities "none" downgrade attack invalid curve attack algorithm

    substitution attack

38. Takeaway: don’t cut corners with crypto

39. Ambiguities and Interoperability

40. { "payload":"<payload contents>", "signatures":[ {"protected":"<integrity-protected header 1 contents>", "header":<non-integrity-protected header

    1 contents>, "signature":"<signature 1 contents>"}, ... {"protected":"<integrity-protected header N contents>", "header":<non-integrity-protected header N contents>, "signature":"<signature N contents>"}] }

41. { "payload":"<payload contents>", "protected":"<integrity-protected header contents>", "header":<non-integrity-protected header contents>, "signature":"<signature

    contents>" }

42. http://github.com/frasertweedale/hs-jose/issues/26

43. JOSE flattened serialisation—drawbacks more work for library authors incompatible libraries

    and programs more work for downstream standard authors

44. JOSE flattened serialisation—benefits saved a few bytes

45. Takeaway: use case “optimisations” belong in libraries, not standards.

46. hs-jose—dealing with ambiguity data List a = Nil | a

    : (List a) data Identity a = Identity a

47. hs-jose—dealing with ambiguity data JWS t = JWS ByteString (t

    Signature) type GeneralJWS = JWS List Protection type FlattenedJWS = JWS Identity Protection

48. Dealing with ambiguity—abstraction abstract over ambiguities let the user decide

    what they want provide simple API for the common use cases

49. Takeaway: use abstraction to deal with ambiguities in standards

50. Writing safe APIs

51. verifyJWSWithPayload :: ( MonadError Error m , VerificationKeyStore m payload

    k , Foldable t ) => ValidationSettings -> (ByteString -> m payload) -- ^ decoder -> k -- ^ key store -> JWS t -> m payload

52. Static type systems—benefits abstraction avoid type confusion attacks readability &

    maintainability enable advanced techniques for security3,4,5 3Two Can Keep a Secret, If One of Them Uses Haskell 4FaCT: A Flexible, Constant-Time Programming Language 5HOWTO: Static access control using phantom types

53. Takeaway: static type systems enable safe, ergonomic APIs

54. So you’re going to write a new standard. . .

55. Advice for standards authors avoid ambiguity & special cases exclude

    esoteric use cases get cryptographers to review write multiple implementations

56. Recap write libraries, not standards don’t automatically reach for JSON

    don’t cut corners with crypto special cases belong in libraries abstract over ambiguities use statically typed languages write multiple implementations

57. Questions? Except where otherwise noted this work is licensed under

    http://creativecommons.org/licenses/by/4.0/ https://speakerdeck.com/frasertweedale @hackuador hackage.haskell.org/package/jose