Move MACs to Project Goals #2

Open
opened 2021-12-06 16:31:00 +00:00 by jaiden · 0 comments

Rationale

Unfortunately MACs in JWTs are used enough to justify supporting them. This is particularly tricky due to the fundamental problems with JWTs.

Avoiding Type Confusion

alg, kid, and other distinguishing and/or specifying fields cannot be trusted in a token. No matter what, it is very likely to cough up a type confusion vulnerability. While the mismatches are obviously errors, matches don't mean anything useful.

I have thought of several mitigations:

  • Not allowing MACs and signatures in the same keyset.
    • You should know whether you will be dealing with a signature or MAC beforehand.
    • Having to support both from the same source is a fundamental failure of a system.
  • Deny every key type by default and make the developer build a profile. The profile will also not allow mixing MACs and signatures.
    • Keep in mind that this shouldn't be the only interface. Otherwise people will develop a mindset for enabling lots of types by default. However, this codepath should still be the simplest and recommended way.
jaiden added the feature label 2021-12-06 16:31:00 +00:00
jaiden added this to the v0.0.1 milestone 2021-12-06 16:33:30 +00:00
jaiden added a new dependency 2021-12-06 16:34:14 +00:00
jaiden removed a dependency 2021-12-06 16:34:20 +00:00
jaiden self-assigned this 2021-12-06 16:35:46 +00:00
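
The two mitigations listed in the issue, sketched as an added Python example (not part of the original issue and not dumb-jose's code): a profile that denies every algorithm until one is allowed and refuses to mix MACs with signatures, plus a MAC verifier that treats the header's alg only as something to reject on. `Profile`, `Rejected`, `mint` and `verify_mac` are hypothetical names; only the HMAC algorithms are implemented, and the signature names are listed just so the profile can classify them.

```python
import base64, hashlib, hmac, json

MAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
SIG_ALGS = {"RS256", "ES256", "EdDSA"}  # listed only so allow() can classify them

class Rejected(Exception):
    pass

class Profile:
    """Hypothetical deny-by-default profile: nothing is accepted until allow() is called."""
    def __init__(self):
        self.kind = None       # "mac" or "sig", fixed by the first allow()
        self.allowed = set()

    def allow(self, alg):
        kind = "mac" if alg in MAC_ALGS else "sig" if alg in SIG_ALGS else None
        if kind is None:
            raise Rejected(f"unknown algorithm {alg!r}")
        if self.kind not in (None, kind):
            raise Rejected("a profile cannot mix MACs and signatures")
        self.kind = kind
        self.allowed.add(alg)
        return self

def _enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint(key, alg, claims):
    """Build a constructed sample token (header carries only alg) for the demo."""
    signing_input = _enc(json.dumps({"alg": alg}).encode()) + "." + _enc(json.dumps(claims).encode())
    return signing_input + "." + _enc(hmac.new(key, signing_input.encode(), MAC_ALGS[alg]).digest())

def verify_mac(profile, key, token):
    # The caller chose the MAC code path up front; the header never selects it.
    if profile.kind != "mac":
        raise Rejected("profile does not allow MACs")
    try:
        header, payload, tag = token.split(".")
        alg, tag_raw = json.loads(_dec(header))["alg"], _dec(tag)
    except (ValueError, KeyError, TypeError):
        raise Rejected("malformed token")
    if not isinstance(alg, str) or alg not in profile.allowed:  # mismatch is an error
        raise Rejected("alg not allowed by profile")
    expected = hmac.new(key, f"{header}.{payload}".encode(), MAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, tag_raw):  # only the tag check proves anything
        raise Rejected("bad tag")
    return json.loads(_dec(payload))
```
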
Reference: jaiden/dumb-jose#2