[Openid-specs-fapi] Question regarding JWS alg in FAPI part 2, read and write security profile

Preibisch, Sascha H Sascha.Preibisch at ca.com
Tue Jul 25 21:50:22 UTC 2017


Thank you all for your responses!

I am getting a better understanding now as I am also doing some reading up on it.

Regards,
Sascha

From: Openid-specs-fapi <openid-specs-fapi-bounces at lists.openid.net<mailto:openid-specs-fapi-bounces at lists.openid.net>> on behalf of Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Reply-To: Nat Sakimura <nat at sakimura.org<mailto:nat at sakimura.org>>, Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Date: Thursday, July 20, 2017 at 2:48 AM
To: Brian Campbell <bcampbell at pingidentity.com<mailto:bcampbell at pingidentity.com>>
Cc: Financial API Working Group List <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>>
Subject: Re: [Openid-specs-fapi] Question regarding JWS alg in FAPI part 2, read and write security profile

CAUTION: This email originated from outside of CA. Do not click links or open attachments unless you recognize the sender and know the content is safe.


There are a couple of attacks identified by now such as a side-channel attack[1] and the one uses the implementation errors [2] on the signing that uses PKCS-v1_5. The attacks being identified and whether it is practical now is not the same though and I am hoping that it is still "safe" in practice. One of the problems with the padding is that it is not proved to be secure while PSS padding is: i.e., there might emerge a practical attack in a near future. So, it probably is a good idea to move to PSS if you can.

[1] http://users.sec.t-labs.tu-berlin.de/~nedos/icisc2011.pdf<https://urldefense.proofpoint.com/v2/url?u=http-3A__users.sec.t-2Dlabs.tu-2Dberlin.de_-7Enedos_icisc2011.pdf&d=DwQFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=bEZRr2Ly7D-qU7zhzs_CQ8x7RH6-SBgh3oYnJ4JHgKI&e=>

[2] http://www.intelsecurity.com/resources/wp-berserk-analysis-part-1.pdf<https://urldefense.proofpoint.com/v2/url?u=http-3A__www.intelsecurity.com_resources_wp-2Dberserk-2Danalysis-2Dpart-2D1.pdf&d=DwQFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=cSDAkw-COvSsbaylVftzCTGXPWNg6r1gksVHBJ816qg&e=>

---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation

On 2017-07-20 18:28, Brian Campbell wrote:

I know that there's a general push to move away from RSASSA-PKCS1-v1_5 but is it accurate to say it's unsafe? I see things like this, for example, https://crypto.stackexchange.com/questions/34558/is-ssl-sign-safe-as-it-is-using-openssl-pkcs1-padding<https://urldefense.proofpoint.com/v2/url?u=https-3A__crypto.stackexchange.com_questions_34558_is-2Dssl-2Dsign-2Dsafe-2Das-2Dit-2Dis-2Dusing-2Dopenssl-2Dpkcs1-2Dpadding&d=DwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=a9FWAOUCfMbufPWpNi7AR9NuSpsMGYXyWbuc6aBl0IM&e=>

On Thu, Jul 20, 2017 at 10:47 AM, Nat Sakimura via Openid-specs-fapi <openid-specs-fapi at lists.openid.net<mailto:openid-specs-fapi at lists.openid.net>> wrote:
Hi Sascha,

This came up during the WG calls as well.

The short answer is that there are several attacks identified for RSASSA-PKCS1-v1_5 while PSS padding is safe. Cryptographer's opinion is that RSASSA-PKCS1-v1_5 should be retired.

We agreed in the WG call to add RS256 as a permissible algorithm when HSM is used and the HSM in place does not support PS256 or ES256 in the final but has to be done in the way that it does not raise a red flag from the cryptographers. Please see https://bitbucket.org/openid/fapi/issues/101/jws-signature-algorithms-for-rw<https://urldefense.proofpoint.com/v2/url?u=https-3A__bitbucket.org_openid_fapi_issues_101_jws-2Dsignature-2Dalgorithms-2Dfor-2Drw&d=DwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=WvnHCYfQRfCcRK_6K12ozLENJwDM8nKm6z-Uvdx_fyA&e=>.

Best,

---
Nat Sakimura
Research Fellow, Nomura Research Institute
Chairman of the Board, OpenID Foundation


On 2017-07-20 15:20, Preibisch, Sascha H via Openid-specs-fapi wrote:
Hi all!

I just read through the spec. and in section 8.6
(http://openid.net/specs/openid-financial-api-part-2.html#jws-algorithm-con<https://urldefense.proofpoint.com/v2/url?u=http-3A__openid.net_specs_openid-2Dfinancial-2Dapi-2Dpart-2D2.html-23jws-2Dalgorithm-2Dcon&d=DwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=I-scfSiCcmeFa8ZMPHUw24XvL8hI0wjLbMBn-bbZP_s&e=>
siderations) we recommend to use PS256 or ES256 as signing algorithms.

Here
"https://tools.ietf.org/html/draft-ietf-jose-json-web-algorithms-14#section<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Djose-2Djson-2Dweb-2Dalgorithms-2D14-23section&d=DwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=5vAR01BAdqS253Tf16CWhFn8JHOt_vz4qql_KfDp72k&e=>
-3.1" PS256 is marked as OPTIONAL.

I would like to understand why we recommend PS256 rather than RS256, which
is RECOMMENDED and widely used.

I saw that issue #92 spoke about this topic but I did not really
understood it I believe.


Thanks,
Sascha


_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=JXIITqVXu2MXqBK7x-AL89E8vLb5nwP8uJ5pK52iV28&e=>
_______________________________________________
Openid-specs-fapi mailing list
Openid-specs-fapi at lists.openid.net<mailto:Openid-specs-fapi at lists.openid.net>
http://lists.openid.net/mailman/listinfo/openid-specs-fapi<https://urldefense.proofpoint.com/v2/url?u=http-3A__lists.openid.net_mailman_listinfo_openid-2Dspecs-2Dfapi&d=DwMFaQ&c=_hRq4mqlUmqpqlyQ5hkoDXIVh6I6pxfkkNxQuL0p-Z0&r=BjnOFeRZMwPBZLm00SguJm4i4lt0O13oAeF-9EZheL8&m=gEf-X7S2whQR5kfm_Ao4ZIXKA_itJcoFNgBzRwLqCfk&s=JXIITqVXu2MXqBK7x-AL89E8vLb5nwP8uJ5pK52iV28&e=>

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-fapi/attachments/20170725/2486267c/attachment.html>


More information about the Openid-specs-fapi mailing list