JOSE: Deprecate 'none' and 'RSA1_5'
draft-madden-jose-deprecate-none-rsa15-00
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Author | Neil Madden | ||
| Last updated | 2024-03-18 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-madden-jose-deprecate-none-rsa15-00
Javascript Object Signing and Encryption N. Madden
Internet-Draft Illuminated Security Ltd
Updates: 7518 (if approved) 18 March 2024
Intended status: Standards Track
Expires: 19 September 2024
JOSE: Deprecate 'none' and 'RSA1_5'
draft-madden-jose-deprecate-none-rsa15-00
Abstract
This draft updates [RFC7518] to deprecate the JWS algorithm "none"
and the JWE algorithm "RSA1_5".
About This Document
This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at
https://NeilMadden.github.io/jose-deprecate-none-rsa1_5/draft-madden-
jose-deprecate-none-rsa15.html. Status information for this document
may be found at https://datatracker.ietf.org/doc/draft-madden-jose-
deprecate-none-rsa15/.
Discussion of this document takes place on the Javascript Object
Signing and Encryption Working Group mailing list
(mailto:jose@ietf.org), which is archived at
https://mailarchive.ietf.org/arch/browse/jose/. Subscribe at
https://www.ietf.org/mailman/listinfo/jose/.
Source for this draft and an issue tracker can be found at
https://github.com/NeilMadden/jose-deprecate-none-rsa1_5.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
Madden Expires 19 September 2024 [Page 1]
Internet-Draft JOSE: Deprecate 'none' and 'RSA1_5' March 2024
This Internet-Draft will expire on 19 September 2024.
Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Revised BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Revised BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. The 'none' algorithm . . . . . . . . . . . . . . . . . . 3
1.2. The 'RSA1_5' algorithm . . . . . . . . . . . . . . . . . 3
1.3. Guidance on deprecation . . . . . . . . . . . . . . . . . 3
2. Conventions and Definitions . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 4
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 4
5. References . . . . . . . . . . . . . . . . . . . . . . . . . 4
5.1. Normative References . . . . . . . . . . . . . . . . . . 4
5.2. Informative References . . . . . . . . . . . . . . . . . 4
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 5
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 5
1. Introduction
JSON Web Algorithms (JWA, [RFC7518]) introduced several standard
algorithms for both JSON Web Signature (JWS) and JSON Web Encryption
(JWE). Many of these algorithms have stood the test of time and are
still in widespread use. However, some algorithms have proved to be
difficult to implement correctly leading to exploitable
vulnerabilities. This draft deprecates two such algorithms:
* The JWS "none" algorithm, which indicates that no security is
applied to the message at all.
* The JWE "RSA1_5" algorithm, which indicates RSA encryption with
PKCS#1 version 1.5 padding.
Madden Expires 19 September 2024 [Page 2]
Internet-Draft JOSE: Deprecate 'none' and 'RSA1_5' March 2024
1.1. The 'none' algorithm
The "none" algorithm creates an Unsecured JWS, whose contents are
completely unsecured as the name implies. Despite strong guidance in
the original RFC around not accepting Unsecured JWS by default, many
implementations have had serious bugs due to accepting this
algorithm. In some cases, this has led to a complete loss of
security as authenticity and integrity checking can be disabled by an
adversary simply by changing the algorithm ("alg") header in the JWS.
The website [howmanydays] tracks public vulnerabilities due to
implementations mistakenly accepting the "none" algorithm. It
currently lists 12 reports, many of which have high impact ratings.
Although there are some legitimate use-cases for Unsecured JWS, these
are relatively few in number and can easily be satisfied by simply
base64url-encoding some JSON instead. The small risk of breaking
some of these use-cases is far outweighed by the improvement in
security for the majority of JWS users who may be impacted by
accidental acceptance of the "none" algorithm.
1.2. The 'RSA1_5' algorithm
The "RSA1_5" algorithm implements RSA encryption using PKCS#1 version
1.5 padding [RFC8017]. This padding mode has long been known to have
security issues, since at least Bleichenbacher's attack in 1998. It
was supported in JWE due to the wide deployment of this algorithm,
especially in legacy hardware. However, more secure replacements
such as OAEP [RFC8017] or elliptic curve encryption algorithms are
now widely available. NIST has disallowed the use of this encryption
mode for federal use since the end of 2023 [NIST.SP800-131r2] and a
CFRG draft [I-D.kario-rsa-guidance] also deprecates this encryption
mode for IETF protocols. This document therefore also deprecates
this algorithm for JWE.
1.3. Guidance on deprecation
Both of the algorithms listed above are deprecated for use in JWS and
JWE. JOSE library developers SHOULD deprecate support for these
algorithms and commit to a timeline for removal. Application
developers SHOULD disable support for these algorithms by default.
New specifications building on top of JOSE MUST NOT allow the use of
either algorithm.
Madden Expires 19 September 2024 [Page 3]
Internet-Draft JOSE: Deprecate 'none' and 'RSA1_5' March 2024
2. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Security Considerations
No security issues are introduced by this specification.
4. IANA Considerations
The following changes are to be made to the IANA JOSE Web Signature
and Encryption Algorithms registry:
* For the entry with Algorithm Name "none", update the JOSE
Implementation Requirements to "Deprecated".
* For the entry with Algorithm Name "RSA1_5", update the JOSE
Implementation Requirements to "Deprecated".
5. References
5.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/rfc/rfc2119>.
[RFC7518] Jones, M., "JSON Web Algorithms (JWA)", RFC 7518,
DOI 10.17487/RFC7518, May 2015,
<https://www.rfc-editor.org/rfc/rfc7518>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.
5.2. Informative References
[howmanydays]
Sanderson, J., "How Many Days Has It Been Since a JWT
alg:none Vulnerability?", 25 September 2023, <https://gith
ub.com/zofrex/howmanydayssinceajwtalgnonevuln/blob/deploy/
data/vulns.yml>.
Madden Expires 19 September 2024 [Page 4]
Internet-Draft JOSE: Deprecate 'none' and 'RSA1_5' March 2024
[I-D.kario-rsa-guidance]
Kario, H., "Implementation Guidance for the PKCS #1 RSA
Cryptography Specification", Work in Progress, Internet-
Draft, draft-kario-rsa-guidance-02, 22 November 2023,
<https://datatracker.ietf.org/doc/html/draft-kario-rsa-
guidance-02>.
[NIST.SP800-131r2]
Barker, E. and A. Roginsky, "NIST SP 800-131A Rev. 2:
Transitioning the Use of Cryptographic Algorithms and Key
Lengths", 21 March 2019,
<https://csrc.nist.gov/pubs/sp/800/131/a/r2/final>.
[RFC8017] Moriarty, K., Ed., Kaliski, B., Jonsson, J., and A. Rusch,
"PKCS #1: RSA Cryptography Specifications Version 2.2",
RFC 8017, DOI 10.17487/RFC8017, November 2016,
<https://www.rfc-editor.org/rfc/rfc8017>.
Acknowledgments
Author's Address
Neil Madden
Illuminated Security Ltd
Email: neil@illuminated-security.com
Madden Expires 19 September 2024 [Page 5]