On the (in-)security of JavaScript Object Signing and Encryption. Dennis Detering

Size: px

Start display at page:

Download "On the (in-)security of JavaScript Object Signing and Encryption. Dennis Detering"

Jade Daniels
6 years ago
Views:

2 On the (in-)security of JavaScript Object Signing and Encryption Dennis Detering 2

3 Introduction Dennis Detering IT Security Consultant @Merenon Christian Mainka Vladislav Mladenov Juraj Somorovsky 3

4 Table of Contents What is JOSE? Practical Attacks and Vulnerabilities Signature Exclusion Key Confusion Bleichenbacher MMA Timing Attack JOSEPH Our Burp Suite Extension What s Next? 4

5 WHAT IS JOSE? JavaScript Object Signing and Encryption 5

6 What is JOSE? Proposed Standard since May 2015 Simple, URL-safe, space-constrained environments (e.g. HTTP Authorization headers, URI query parameters), self-contained People from big companies working on it: Already implemented in widely deployed protocols / software: 6

7 JSON Web Algorithm JSON Web Key JSON Web Algorithm RFC 7518 This specification registers cryptographic algorithms and identifiers to be used with the JWS, JWE, JWK specifications. { "keys": [{ "kty":"ec", "crv":"p 256", "x":"mkbctnickusdii11yss3526idz8aito7tu6kpaqv7d4", "y":"4etl6srw2yilurn5vfvvhuhp7x8pxltmwwlbbm4ifym", "use":"enc", "kid":"1" }, { "kty":"rsa", "n":"0vx7agoebgcqsuupiljxzptn9nndrqmbxeps2aiafbwhm78lhwx 4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiF V4n3oknjhMstn64tZ_2W 5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf 0h4QyQ5v 65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7 d0zgdazhzu6qmqvrl5hajrn1n91cbopbisd08qnlyrdkt bftwhai 4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ G_xBniIqbw0Ls1jF44 csfcur kegu8awapjzknqdkgw", "e":"aqab", "alg":"rs256", "kid":" " }] JSON Web Key RFC 7517 A JSON Web Key (JWK) is a JavaScript Object Notation (JSON) data structure that represents a cryptographic key. } 7

8 JSON Web Signature JSON Web Signature RFC 7515 JSON Web Signature (JWS) represents content secured with digital signatures or Message Authentication Codes (MACs) using JSON-based data structures eyjhbgcioijsuzi1nij9. eyjpc3mioijqb2uila0kicjlehaiojezmda4mtkzodasdqogimh0dha6ly9legft cgxllmnvbs9pc19yb290ijp0cnvlfq. cc4hiupoj9eetdgtv3hf80egrhub dzerat0xf9g2vtqgr9pjbu3xoizj5rzmh7 AAuHIm4Bh 0Qc_lF5YKt_O8W2Fp5jujGbds9uJdbF9CUAr7t1dnZcAcQjbKBYNX4 BAynRFdiuB f_nzlgrnbytywzo75vrk5h6xbarliarnpvksjtqbmhlb1l07qe7k 0GarZRmB_eSN9383LcOLn6_dO xi12jzdwusc eokhwesqtfzesc6bfi7noopqv hj1phcnvwh6ieyi2w9qoyeuiputi8np6lbggy9fs98rqvt5axlihwkwywlvmtvrb p0igcn_ioypglupqge77rw Header Payload Signature 8

9 JSON Web Signature 9

10 JSON Web Signature 10

11 JSON Web Signature 11

12 JSON Web Signature 12

13 JSON Web Signature 13

14 JSON Web Encryption JSON Web Encryption RFC 7516 JSON Web Encryption (JWE) represents encrypted content using JSON-based data structures. eyjhbgcioijsu0exxzuilcjlbmmioijbmti4q0jdluhtmju2in0. UGhIOguC7IuEvf_NPVaXsGMoLOmwvc1GyqlIKOK1nN94nHPoltGRhWhw7Zx0 kfm 1NJn8LE9XShH59_i8J0PH5ZZyNfGy2xGdULU7sHNF6Gp2vPLgNZ delkxghz7pc HALUzoOegEI 8E66jX2E4zyJKx YxzZIItRzC5hlRirb6Y5Cl_p ko3yvkkyszif NPccxRU7qve1WYPxqbb2Yw8kZqa2rMWI5ng8OtvzlV7elprCbuPhcCdZ6XDP0_F8 rkxds2ve4x ncoim8hayhhi29nx0mckirad0 D ljqtp cfpgwcp6x nzzd9ohbv B3oWh2TbqmScqXMR4gp_A. AxY8DCtDaGlsbGljb3RoZQ. KDlTtXchhZTGufMYmOYGS4HffxPSUrfmqCHXaI9wOGY. 9hH0vgRfYgPnAHOd8stkvw Header Encrypted Key IV Ciphertext Auth Tag 14

15 JSON Web Encryption 15

16 JSON Web Encryption 16

17 JSON Web Encryption 17

18 JSON Web Encryption 18

19 JSON Web Encryption 19

20 JSON Web Encryption 20

21 JSON Web Encryption 21

22 JSON Web Token JSON Web Token RFC 7519 claims to be transferred between two parties [ ] used as the payload of a JWS structure or as the plaintext of a JWE structure... { "iss": rub.de", "iat": , "nbf": , "exp": , "username": "ddety", "is_admin": true } 22

23 ATTACKS Practical Attacks and Vulnerabilities 23

24 Signature Exclusion The none algorithm 24

25 Signature Exclusion The none algorithm eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.eyjzb21lijoicgf5bg9hzcj9. F0HwqXQV68cvLFzW8MFA42LxKpp_fawaCa9XSLzL2yM {"alg":"hs256","typ":"jwt"}. {"some":"payload"}. SIGNATURE 25

26 Signature Exclusion The none algorithm eyjhbgcioijiuzi1niisinr5cci6ikpxvcj9.eyjzb21lijoicgf5bg9hzcj9. F0HwqXQV68cvLFzW8MFA42LxKpp_fawaCa9XSLzL2yM {"alg":"hs256","typ":"jwt"}. {"some":"payload"}. SIGNATURE eyjhbgcioijub25liiwidhlwijoislduin0.eyjzb21lijoicgf5bg9hzcj9. {"alg":"none","typ":"jwt"}. {"some":"payload"}. 26

27 Signature Exclusion The none algorithm 27

28 Signature Exclusion The none algorithm 28

29 Signature Exclusion The none algorithm {"alg": none } {"alg": NONE } {"alg": none } {"alg": NoNe } {"alg": NonE }????? 29

30 Key Confusion RSA or HMAC? Verification function of many libraries: verify(string token, string verificationkey) In systems using symmetric HMAC signatures: verify(clienttoken, serverhmacsecretkey) In systems using asymmetric RSA signatures: verify(clienttoken, serverrsapublickey) 30

31 Key Confusion RSA or HMAC? Problem: How does system determine the algorithm? JOSE Header: User controlled {"alg":"hs256","typ":"jwt"} The attack: If system expects token signed with RSA, but receives token signed with HMAC, it will think the public key is actually an HMAC secret key! 31

32 Key Confusion RSA or HMAC? 32

33 Key Confusion RSA or HMAC? verify(clienttoken, serverrsapublickey) 33

34 Key Confusion RSA or HMAC? verify(clienttoken, serverrsapublickey) {"alg":"hs256","typ":"jwt"} 34

35 Bleichenbacher MMA PKCS#1 v1.5 Described in 1998 by Daniel Bleichenbacher Used to break: SSL (1998) XML Encryption (2012) PKCS#11 (2012) TLS (2016) Recommended algorithm in JSON Web Encryption 35

36 Bleichenbacher MMA PKCS#1 v1.5 Adaptive Chosen-Ciphertext Attack Differences in error messages or timing behavior 36

37 Bleichenbacher MMA PKCS#1 v1.5 Adaptive Chosen-Ciphertext Attack Differences in error messages or timing behavior Padding Oracle (PKCS#1 v1.5 validity) 37

38 Bleichenbacher MMA PKCS#1 v1.5 Adaptive Chosen-Ciphertext Attack Differences in error messages or timing behavior Padding Oracle (PKCS#1 v1.5 validity) Exploits malleability of RSA encryption scheme (binding) 38

39 Bleichenbacher MMA PKCS#1 v1.5 Source: Bleichenbacher D. (1998) Chosen ciphertext attacks against protocols based on the RSA encryption standard PKCS #1. In: Krawczyk H. (eds) Advances in Cryptology CRYPTO '98. CRYPTO

40 Bleichenbacher MMA PKCS#1 v1.5 Error- and time-based padding oracle Attack scenario 40

41 Timing Attack HMAC Native String Comparison Vulnerability Underlying C implementation 41

42 Timing Attack HMAC Native String Comparison (Original) ca3cf26f97b69d6891bff8f93a06d0bcc a b c d e f

43 The Burp Suite Extension 43

44 DEMO TIME! Let s do some hands-on! 44

45 WHAT S NEXT? Conclusion and Future Work 45

46 Our Contribution Open Source Libraries All in all 6 libraries (PHP, Python, Ruby, C) were fixed CVE (PHP Timing Attack) CVE (PHP Bleichenbacher MMA) CVE (PHP Key Confusion) CVE (Python Bleichenbacher MMA) CVE (Python Timing Attack) CVE (PHP Timing Attack) + 2 additional libraries (Ruby & C, Bleichenbacher MMA) without CVE 46

47 What s next? Conclusion and Future Work Standard not perfect More problematic: implementations Use and improve JOSEPH e.g. Invalid Curve Attack 47

48 Dennis Detering THANK YOU! Any Questions? @Merenon

What is JOSE. Jim Schaad Co-chair JOSE August Cellars. Friday, March 15, 13

What is JOSE. Jim Schaad Co-chair JOSE August Cellars. Friday, March 15, 13 What is JOSE Jim Schaad Co-chair JOSE August Cellars 1 Overview Use JSON for data structure representations Try and meet the goal of easy to implement and use Allow for complex uses Allow for arbitrary