Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No Way JOSE: Lessons for authors and implementers of open standards

Fraser Tweedale
July 03, 2018
Programming
1
67

No Way JOSE: Lessons for authors and implementers of open standards

Protocol and data format specifications can be ambiguous, insecure or have other problems. Programmers and users bear the brunt of these issues. Using JOSE as a case study, I’ll discuss mistakes for standards authors to avoid, and demonstrate programming techniques for mitigating some kinds of problems.

JOSE (JSON Object Signing and Encryption) is a set of IETF standards for JSON-based cryptographic objects. You might know it as JWT or JWS. It is used in OpenID Connect, ACME, and other protocols. JOSE emerged a few years ago and has been causing headaches for the presenter ever since.

Using JOSE as a case study, this presentation looks at mistakes to avoid when specifying a data format or cryptographic protocol. We’ll also explore programming techniques for mitigating some kinds of problems in specifications. In particular, we will cover:

- the flawed rationale for the JOSE working group
- why JSON is a poor wire format for cryptographic objects
- cryptography issues in the JOSE specifications
- ambiguities and interoperability problems in the specifications
- common vulnerabilities in JOSE libraries
- how library authors can encourage or enforce safe use
- advice for standards authors or working groups

Each topic will culminate in one simple, actionable takeaway.

Programming principles and techniques will be demonstrated using Haskell and its jose library, which is maintained by the presenter.

Fraser Tweedale

July 03, 2018
Tweet

More Decks by Fraser Tweedale

See All by Fraser Tweedale
A tax combinator library could be useful for Rules-as-Code [lightning talk]
frasertweedale
0
23
Kerberos PKINIT: what, why, and how (to break it) [Everything Open 2023]
frasertweedale
0
18
Kerberos PKINIT: what, why, and how (to break it) [FOSDEM 2023]
frasertweedale
0
49
Send in the chown()s - systemd containers in user namespaces
frasertweedale
0
22
systemd containers on OpenShift
frasertweedale
0
150
Clevis and Tang: Securing your Secrets at Rest
frasertweedale
0
880
Lazy lists in the Brick TUI library
frasertweedale
1
160
Defect to Doctrine: Security Bug Case Studies
frasertweedale
0
110
Taming the C Monster: Haskell FFI Techniques
frasertweedale
2
670

Other Decks in Programming

See All in Programming
How does the Relay connect Android app development and Design?
horie1024
1
310
SwiftSyntaxが面白い
ryu_hu03
1
380
フロントエンドエンジニアの友人と“型”で話がすれ違った原因 YUMEMI.grow合同LT会in横浜 @Kaito-Dogi
doggy
1
360
読みやすいコードの書き方 第 1 回 / Code readability: Session 1 (ver. 2, Ja)
munetoshi
1
590
The Resurrection of 
the Fast Parallel Test Runner
koic
1
3.2k
Code readability: Session 1 (ver. 2, En)
munetoshi
0
150
Github CopilotとChatGPTを使って感じた使い分けの糸口 / JavaDo #22
gishi_yama
0
170
NotionのURLをWorkersで綺麗にしよう!
totto2727
0
210
サイト信頼性を高める前に開発チームからの信頼性を高めよう
syossan27
8
2.1k
Implementing "++" operator, stepping into parse.y
coe401_
3
6k
これだけは知っておきたいクラス設計の基礎知識
masuda220
PRO
12
8k
sync.Mutexの仕組みを理解する
ffjlabo
1
470

Featured

See All Featured
It's Worth the Effort
3n
179
26k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
A Tale of Four Properties
chriscoyier
149
21k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
226
16k
Six Lessons from altMBA
skipperchong
16
2.5k
Happy Clients
brianwarren
90
6k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
7
1k
Visualization
eitanlees
130
12k
How To Stay Up To Date on Web Technology
chriscoyier
779
250k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
110
17k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
39
3.7k

Transcript

  1. No way, JOSE!
    Lessons for authors and implementers of open standards
    Fraser Tweedale
    @hackuador
    July 3, 2018

    View Slide

  2. View Slide

  3. A journey. . .

    View Slide

  4. JOSE
    JSON Object Signing and Encryption
    IETF WG formed 2011, RFCs 2015
    used in OpenID Connect, ACME

    View Slide

  5. JOSE & me
    I wrote a JOSE library for Haskell
    I participated in IETF discussions
    JOSE has lots of problems (sorry. . . )

    View Slide

  6. What is a standard?

    View Slide

  7. Do you need a new standard?

    View Slide

  8. CC BY-NC 2.5 https://xkcd.com/927/

    View Slide

  9. JOSE—rationale
    With the increased usage of JSON in
    protocols in the IETF and elsewhere, there is
    now a desire to offer security services, which
    use encryption, digital signatures, message
    authentication codes (MACs) algorithms,
    that carry their data in JSON format.1
    1https://tools.ietf.org/wg/jose/charters

    View Slide

  10. JOSE—rationale
    Many current applications thus have
    much more robust support for processing
    objects in these text-based formats than
    ASN.1 objects; indeed, many lack the
    ability to process ASN.1 objects at all.
    To simplify the addition of object-based
    security features to these applications, the
    working group has been chartered to develop
    a secure object format based on JSON.2
    2https://tools.ietf.org/html/rfc7165

    View Slide

  11. JOSE—assumptions
    ASN.1 libraries don’t exist
    It’s better to define new standard than write a library
    JSON is suitable for security/cryptographic objects
    ASN.1 is bad

    View Slide

  12. JOSE—irony
    4.7. "x5c" (X.509 Certificate Chain) Parameter
    The "x5c" (X.509 certificate chain) parameter
    contains a chain of one or more PKIX certificates
    [RFC5280]. The certificate chain is represented
    as a JSON array of certificate value strings.
    Each string in the array is a base64-encoded
    (Section 4 of [RFC4648] -- not base64url-encoded)
    DER [ITU.X690.1994] PKIX certificate value.

    View Slide

  13. Takeaway: write libraries, not
    standards

    View Slide

  14. Is JSON the right choice?

    View Slide

  15. Falsehoods programmers believe
    about JSON. . .

    View Slide

  16. JSON support is universal.

    View Slide

  17. C
    Rust
    C++
    Scala
    Haskell
    . . .

    View Slide

  18. JSON is human readable.

    View Slide

  19. {" signature ":" M3oVLXrbeFRT9Ef9d3WzR -D7dGtI
    eYoPBYmiCdtYqus "," protected ":" eyJhbGciOiJI
    UzI1NiIsImtpZCI6ImthcmF0ZSJ9 "," payload ":"e
    yJzdWJqZWN0IjoiZnJhc2VAZnJhc2UuaWQuYXUiLCJ
    pc3MiOiJocy1qb3NlIiwiYXVkIjpbImFsaWNlIiwiY
    m9iIl19Cg "}

    View Slide

  20. JSON is unambiguously specified.

    View Slide

  21. JSON—ambiguities
    invalid code points
    data size limits

    View Slide

  22. JSON objects are maps.

    View Slide

  23. JSON—objects
    names within an object SHOULD be unique—RFC 8259
    Is a JSON object a map?
    What kind of map?
    How should duplicate keys be treated?

    View Slide

  24. JSON will be parsed the same way by
    different parsers.

    View Slide

  25. http://seriot.ch/parsing_json.php

    View Slide

  26. CVE-2017-12635

    View Slide

  27. {
    "type": "user",
    "name": "alice",
    "roles": ["_admin"],
    "roles": []
    }

    View Slide

  28. JSON—other problems
    Numbers
    Binary data?
    No canonical serialisation

    View Slide

  29. {"signature":"M3oVLXrbeFRT9Ef9d3WzR-D7dGtI
    eYoPBYmiCdtYqus","protected":"eyJhbGciOiJI
    UzI1NiIsImtpZCI6ImthcmF0ZSJ9","payload":"e
    yJzdWJqZWN0IjoiZnJhc2VAZnJhc2UuaWQuYXUiLCJ
    pc3MiOiJocy1qb3NlIiwiYXVkIjpbImFsaWNlIiwiY
    m9iIl19Cg"}

    View Slide

  30. {"subject":"[email protected]",
    "iss":"hs-jose",
    "aud":["alice","bob"]}

    View Slide

  31. View Slide

  32. JSON—alternatives
    ASN.1
    CBOR

    View Slide

  33. Takeaway: don’t automatically reach
    for JSON

    View Slide

  34. Cryptography in JOSE

    View Slide

  35. JOSE cryptography—issues
    PKCS #1 v1.5 padding
    Weierstrass curves
    "none" signature algorithm
    AES Key Wrap

    View Slide

  36. Algorithmic agility
    more complex protocol
    more ways to mess up
    end up using insecure crypto anyway

    View Slide

  37. JOSE cryptography—common vulnerabilities
    "none" downgrade attack
    invalid curve attack
    algorithm substitution attack

    View Slide

  38. Takeaway: don’t cut corners with
    crypto

    View Slide

  39. Ambiguities and Interoperability

    View Slide

  40. {
    "payload":"",
    "signatures":[
    {"protected":"",
    "header":,
    "signature":""},
    ...
    {"protected":"",
    "header":,
    "signature":""}]
    }

    View Slide

  41. {
    "payload":"",
    "protected":"",
    "header":,
    "signature":""
    }

    View Slide

  42. http://github.com/frasertweedale/hs-jose/issues/26

    View Slide

  43. JOSE flattened serialisation—drawbacks
    more work for library authors
    incompatible libraries and programs
    more work for downstream standard authors

    View Slide

  44. JOSE flattened serialisation—benefits
    saved a few bytes

    View Slide

  45. Takeaway: use case “optimisations”
    belong in libraries, not standards.

    View Slide

  46. hs-jose—dealing with ambiguity
    data List a = Nil
    | a : (List a)
    data Identity a = Identity a

    View Slide

  47. hs-jose—dealing with ambiguity
    data JWS t = JWS ByteString (t Signature)
    type GeneralJWS = JWS List Protection
    type FlattenedJWS = JWS Identity Protection

    View Slide

  48. Dealing with ambiguity—abstraction
    abstract over ambiguities
    let the user decide what they want
    provide simple API for the common use cases

    View Slide

  49. Takeaway: use abstraction to deal
    with ambiguities in standards

    View Slide

  50. Writing safe APIs

    View Slide

  51. verifyJWSWithPayload
    :: ( MonadError Error m
    , VerificationKeyStore m payload k
    , Foldable t
    )
    => ValidationSettings
    -> (ByteString -> m payload) -- ^ decoder
    -> k -- ^ key store
    -> JWS t
    -> m payload

    View Slide

  52. Static type systems—benefits
    abstraction
    avoid type confusion attacks
    readability & maintainability
    enable advanced techniques for security3,4,5
    3Two Can Keep a Secret, If One of Them Uses Haskell
    4FaCT: A Flexible, Constant-Time Programming Language
    5HOWTO: Static access control using phantom types

    View Slide

  53. Takeaway: static type systems enable safe,
    ergonomic APIs

    View Slide

  54. So you’re going to write a new standard. . .

    View Slide

  55. Advice for standards authors
    avoid ambiguity & special cases
    exclude esoteric use cases
    get cryptographers to review
    write multiple implementations

    View Slide

  56. Recap
    write libraries, not standards
    don’t automatically reach for JSON
    don’t cut corners with crypto
    special cases belong in libraries
    abstract over ambiguities
    use statically typed languages
    write multiple implementations

    View Slide

  57. Questions?
    Except where otherwise noted this work is licensed under
    http://creativecommons.org/licenses/by/4.0/
    https://speakerdeck.com/frasertweedale
    @hackuador
    hackage.haskell.org/package/jose

    View Slide