Re: Why You Don't Want Javascript Object Signing and Encryption

On 2018-01-21 14:45, Manu Sporny wrote:
> Thanks to Melvin for spotting this article, which underscores the
> decision we made long ago to avoid some of the hairier bits of JOSE.
> 
> Summary:
> 
> * Don't use JWT for session management

I agree with the article.  Unfortunately a recent customer of mine claimed that using cookies for session state management indicated that I wasn't up to date on standards for building Web applications where you use JWTs on the client side.  Yeah!  Right on :-)


> * The JWS standard is completely broken, and total RFC compliance
>    renders your applications vulnerable

This is greatly exaggerated; real (deployed) systems typically support a single algorithm like RS256, and if the received object uses something else, most systems will abort on the *application level*.  If you don't *always* verify input data (signed or not), you simply do not understand how to write software. Remember "SQL injection"?


> * The JWE standard is a minefield that non-cryptographers shouldn't be
>    forced to navigate

This is only partially right. The issue is that *using* cryptography to secure something is a bigger deal than selecting an algorithm.  The continued problems with TLS and WPA are [almost] all based on flaws above the crypto level.


> * JOSE is a needlessly complex suite of standards with security deficits
>    baked in

It is indeed a little bit of a committee product, but OTOH I doubt that there is a single library out there that supports everything, including: https://tools.ietf.org/html/rfc7515#appendix-D
Well, if you actually depend on such complex and impossible to test schemes, you probably *deserve* getting toasted :-)


> 
> More here:
> 
> https://paragonie.com/blog/2017/03/jwt-json-web-tokens-is-bad-standard-that-everyone-should-avoid
> 
> We wrote about some of these issues (and a few more) over four years ago:
> 
> http://manu.sporny.org/2013/lds-vs-jose/
> 
> ... which is why Linked Data Signatures exists:
> 
> https://w3c-dvcg.github.io/ld-signatures/
> 
> Just a few data points for those new to the community.

FWIW: There is a growing interest in creating an "add-on" to JWS/JWE which would reuse the current JOSE algorithms and attributes, but for "canonicalization" rely on the ECMA-standardized processing rules for JSON.parse() and JSON.stringify(), with the aim of getting away from the Base64Url requirement:

{
     "@context": "https://example.com/paymentStandard/pay",
     "amount": "255.00",
     "currency": "USD",
     "signature": {
         "alg": "ES256",
         "jwk": {
             "kty": "EC",
             "crv": "P-256",
             "x": "PxlJQu9Q6dOvM4LKoZUh2XIe9-pdcLkvKfBfQk11Sb0",
             "y": "6IDquxrbdq5ABe4-HQ78_dhM6eEBUbvDtdqK31YfRP8"
         },
         "val": "RSLmFihg8QmXxM1JDHiKS25CaOow23oLFH7WQ0tYcQQWdqT-vXGlEwwDGDNJN0lGIdSEYvMMLTL8hEaYV9kW6A"
     }
}

Since the rules mentioned are already supported by BILLIONS of shipped devices, this seems like a fairly reasonable "shortcut".

Anders

> 
> -- manu
> 

Received on Sunday, 21 January 2018 15:15:41 UTC