Skip to content

Instantly share code, notes, and snippets.

@paragonie-scott

paragonie-scott/jose-security.md

Last active June 12, 2020 11:32
Show Gist options
  • Save paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03 to your computer and use it in GitHub Desktop.
Save paragonie-scott/c88290347c2589b0cd38d8bb6ac27c03 to your computer and use it in GitHub Desktop.
Download ZIP
Suggestions for a Secure JOSE Alternative (or Protocol Upgrade)
Raw
jose-security.md

Changes to JOSE that will prevent insecurity

Deletions

JWS and JWE

Drop the alg header

Neither JOSE users nor JOSE library designers should be required to understand cryptography primitives. At a lower level, this can lead to badly implemented primitives. On a higher level, this can lead to reasoning by lego.

For all the reasons outlined here and here, the alg header (and algorithm agility in its entirety) should be considered harmful.

JWE

Drop the enc header

For the same reason we're dropping the alg header, we should drop the enc header.

Consider dropping the zip header

As we've seen with CRIME and BREACH, as well as this error oracle attack against iMessage, compression can introduce side-channels that totally undermine confidentiality.

This one is less of a hard-and-fast requirement to make JOSE secure, but I still strongly recommend it.

Additions

JWS and JWE

New header: ver (version)

Instead of letting library developers and users mix-and-match cryptography algorithms, the only choice they should be given is, "Which version are we using?" Versions can look like this:

  • Version 1:
    • HMAC-SHA256 for shared-key authentication
    • AES-128-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for shared-key encryption
    • RSA-OAEP with MGF1-SHA256 and e=65537 + AES-128-CBC in KEM+DEM for public-key encryption, min. key size: 2048-bit
    • RSASSA-PSS with MGF1-SHA256 and e=65537 for public-key digital signatures, min. key size: 2048-bit
  • Version 2:
    • HMAC-SHA256 for shared-key authentication
    • AES-256-GCM for shared-key encryption
    • ECDH over secp256r1 (NIST P-256) + AES-256-GCM for public-key encryption
      • Libraries must verify that the point is on the curve
    • ECDSA over secp256r1 (NIST P-256), adhering to RFC 6979 (deterministic ECDSA), for public-key digital signatures
  • Version 3:
    • HMAC-SHA512-256 for shared-key authentication
      • As per NaCl, this is HMAC-SHA-512 truncated to 256 bits, not HMAC-SHA-512/256.
    • Xsalsa20poly1305 for shared-key encryption
    • X25519 + Xsalsa20poly1305 for public-key encryption
    • Ed25519 for public-key digital signatures

Libraries that support version 3 SHOULD NOT support version 1.

New header: mode

Only four options (case-insensitive):

  • se = Shared-key Encryption
  • sa = Shared-key Authentication
  • pe = Public-key Encryption
  • ps = Public-key digital Signatures
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment