[Openid-specs-ab] Issue #920: Attack identified against self-issued "sub" values (openid/connect)
Michael Jones
issues-reply at bitbucket.org
Mon Mar 3 11:09:33 UTC 2014
New issue 920: Attack identified against self-issued "sub" values
https://bitbucket.org/openid/connect/issue/920/attack-identified-against-self-issued-sub
Michael Jones:
James Manger identified an attack against self-issued "sub" values in the OpenID Security mailing list thread http://lists.openid.net/pipermail/openid-security/2014-February/001251.html.
The gist of the issue is that parts of the JWK are concatenated together without a separator, as described at http://openid.net/specs/openid-connect-core-1_0.html#SelfIssuedResponse, meaning that an attacker might be able to shift content between the key parts, resulting in the same "sub" value with different keys.
I propose that we change the computation of the self-issued "sub" value to use an agreed-upon legal JWK representation of the key as the value to be hashed. So, for instance, for an RSA key the "sub" value would be:
BASE64URL(SHA-256('{"kty":"' || sub_jwk.kty || '","n":"' || sub_jwk.n || '","e":"' || sub_jwk.e || '"}')) and the "sub" for an EC key would be:
BASE64URL(SHA-256('{"kty":"' || sub_jwk.kty || '","crv":"' || sub_jwk.crv || '","x":"' || sub_jwk.x || '","y":"' || sub_jwk.y || '"}'))
More information about the Openid-specs-ab
mailing list