Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
navigation
PARAGON INITIATIVE
Info
About Us
Quick Answers
Technology Books
White Papers
Services
Consulting
Code Auditing
Business Intelligence
App Security
App Development
Web Development
Projects
Security
Advisories
Code Audits
Blog
Contact
Security Engineering
If you've already decided to implement JSON Web Tokens (JWT), whether you want JSON Web Encryption (JWE) or
JSON Web Signatures (JWS), you should question this decision. You're probably making a mistake.
Everything in this blog post was written to be accurate as of RFC 7519, RFC 7515, and RFC 7516. It's possible
that new RFCs in the future could supersede the flaws detailed within.
The two linked posts explain succinctly why this is a bad move, so I won't delve further into the systems
architecture issues. There are more pressing issues at stake: The standard itself is bad and leads to
insecurity.
The "alg" (algorithm) Header Parameter identifies the cryptographic algorithm used to secure the JWS.
The JWS Signature value is not valid if the "alg" value does not represent a supported algorithm or if
there is not a key for use with that algorithm associated with the party that digitally signed or MACed
the content. "alg" values should either be registered in the IANA "JSON Web Signature and Encryption
Algorithms" registry established by [JWA] or be a value that contains a Collision-Resistant Name. The
"alg" value is a case- sensitive ASCII string containing a StringOrURI value. This Header Parameter
MUST be present and MUST be understood and processed by implementations.
We've seen this bite JWT users before, in the from of critical vulnerabilities in most JWT libraries.
There were two ways to attack a standards-compliant JWT library to achieve trivial token forgery:
This isn't just an implementation bug, this is the result of a failed standard that shouldn't be relied on for security.
If you adhere to the standard, you must process and "understand" the header.
Let's look at some of the key encryption choices in detail. The message encryption part is OK (assuming you have
a solid GCM implementation and adequate hardware support).
If you're not familiar with cryptography, this is somewhat like pointing a gun with 5 out of 6 loaded chambers
directly at your foot and expecting to not end up with a bullet wound. Almost all of these options have one or
more security issues.
ECDH
JWT only allows Elliptic Curve Diffie-Hellman (ECDH) over one of the NIST curves (Weierstrass curves, which
introduce the risk of invalid-curve attacks that attackers to steal your secret keys).
If you attempt to go off-the-standard by using elliptic curves for security, you're no longer JWT standards-
compliant.
AES-GCM
Because no list of questionable public-key encryption modes could be complete without shoehorning a shared-
key encryption mode, the JWT standard also allows you to use AES-GCM to possibly exchange an AES-GCM key.
Cryptography algorithm selections should be made by professional cryptographers, not developers. Letting
developers mix-and-match protocols and algorithms is the hallmark of error-prone cryptographic designs.
Which version of the protocol to use, which defines "one true ciphersuite" for each version; what follows are
pure examples:
v1: Ed25519, X25519, XSalsa20poly1305, HMAC-SHA-512-256
v2: Ed25519, X25519, XChaCha20Poly1305, keyed BLAKE2b
v3: SPHINCS-256, SIDH, NORX64-4-1, keyed BLAKE2x
What operation to perform:
Authenticated encryption
Message authentication
Public-key authenticated encryption (for server-to-server communications only)
Public-key digital signatures (for server-to-server communications only)
For secure sessions: Just use cookies over HTTPS. Cookies should only store a random identifier which is
paired with a server-side persistent storage mechanism.
For signatures: Libsodium's crypto_sign() or crypto_auth() APIs (depending on use-case).
For encryption: Libsodium's crypto_secretbox() and crypto_box() APIs (depending on use-case).
1. That library added a None signer, which reintroduces the risk of one of the critical authentication bypass bugs
mentioned above.
2. The None signer was made the default option.
This code hadn't been released yet. The only reason I'm bringing it up is that JWT allows insecure defaults that a
well-designed standard wouldn't.
TL;DR
The JWT standards: Not even once.
This article was updated on March 14, 2017 at 3:30 PM Eastern Time to clarify a few important points.
Permalink
Discuss on Hacker News
License: Creative Commons Attribution-ShareAlike 4.0 International CC-BY-SA 4.0 Intl
Application Security
Cryptography
Encryption
Public Key Cryptography
Secret Key Cryptography
Security
Signatures
Scott Arciszewski
With over 13 years of software development, application security, and system administration experience, Scott
aspires to help others attain a happier work-life balance by solving difficult problems and automating trivial tasks.
He is mostly known in the community for his open source software security research and strong progressive
positions on providing tools and frameworks that are secure by default.
About
Archives
1. 2017
January 2017
February 2017
March 2017
2. 2016
January 2016
February 2016
March 2016
April 2016
May 2016
June 2016
July 2016
August 2016
September 2016
October 2016
November 2016
December 2016
3. 2015
April 2015
May 2015
June 2015
July 2015
August 2015
September 2015
October 2015
November 2015
December 2015
Blog Categories
1. Business
2. Paragon Initiative
1. Community
1. Open Source
2. Pharaoh
3. Security Advice
2. Our Products
1. Airship
2. ASGard
3. Technology
1. Cryptology
2. Databases
3. Hardware
4. Programming
5. Quality Assurance
6. Security Engineering
7. System Administration
4. Uncategorized
Tags
1. Access Controls
2. Application Security
3. Authentication
4. Authorization
5. Business
6. Central Florida
7. Cryptography
8. CSPRNG
9. Data Science
10. Encryption
11. HTTPS
12. Integrity
13. Libsodium
14. Login
15. Math
16. .NET
17. Networking
18. Node.js
19. Open Source
20. Orlando
21. OWASP
22. OWASP Top Ten
23. PHP
24. PostgreSQL
25. Public Key Cryptography
26. Python
27. Ruby
28. Secret Key Cryptography
29. Security
30. Signatures
31. SQL
32. SQL Injection
33. Statistics
34. Vulnerability
35. Web Development
36. XSS
Mailing Lists
Elsewhere
1. ParagonIE on Github
2. @ParagonIE
3. Paragonie on Facebook
Our team of technology consultants have extensive knowledge and experience with application security and
web/application development.
The first mails quarterly and often showcases our behind-the-scenes projects.
The other is unscheduled and gives you a direct feed into the findings of our open source security research
initiatives.
Copyright 2015 - 2017 Paragon Initiative Enterprises, LLC. All right reserved. Software security and
cryptography specialists.