FYI. Perhaps worth mentioning in the spec under security considerations.

---------- Forwarded message ----------
From: Jack <[email protected]>
Date: Thu, Jun 7, 2012 at 8:34 PM
Subject: JWT library timing attack vulnerability
To: [email protected], [email protected], [email protected], [email protected]
I noticed a timing attack vulnerability in your code for JWT HMAC verification. When comparing the HMAC signature of a foreign JWT with the calculated signature, the computation short-circuits depending on how many bytes of the signatures match. This timing leak allows attackers to gain information about the secret signing key by sending specially crafted signatures.

Here are some blog posts describing the problem and fix in more detail:
http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/
http://rdist.root.org/2010/01/07/timing-independent-array-comparison/

I found this vulnerability because I made the same mistake while implementing a JWT library in Lua. The solution requires making the string comparison always loop over the length of the signatures. Another potential pitfall is that the char-by-char checks should be performed with bitwise ORs as opposed to logical comparisons, because the latter also leaks timing information.

I've sent this email to the authors of all the libraries that Google references in the in-app payment docs affected by this vulnerability.

Thanks,
Jack
<http://rdist.root.org/2009/05/28/timing-attack-in-google-keyczar-library/>

--
Jeff Lindsay
http://progrium.com
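The two comparison routines the email contrasts, placed side by side inside a minimal HS256 verifier, as an added example that is not code from the email or from any of the libraries it was sent to. `shortcircuit_equal` is the leaky pattern (it returns at the first mismatching byte), `constant_time_equal` is the fix the email describes (full-length loop, differences accumulated with bitwise OR). The key and claims are constructed sample values; in production Python code the stdlib `hmac.compare_digest` is the right call, and the block checks that the hand-written version agrees with it.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional


def b64url_decode(data: str) -> bytes:
    # JWT uses unpadded base64url; restore the padding before decoding
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def shortcircuit_equal(a: bytes, b: bytes) -> bool:
    # The leaky pattern from the email: the loop exits at the first differing
    # byte, so the time taken depends on how many leading bytes matched.
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def constant_time_equal(a: bytes, b: bytes) -> bool:
    # The fix from the email: always walk the full length and OR the XOR of each
    # byte pair into an accumulator. No branch depends on the byte values, so the
    # running time does not reveal where the first mismatch is. (Length itself
    # is not secret for a fixed-size MAC, so an early length check is fine.)
    if len(a) != len(b):
        return False
    acc = 0
    for x, y in zip(a, b):
        acc |= x ^ y
    return acc == 0


def sign_hs256(header_b64: str, payload_b64: str, key: bytes) -> bytes:
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    return hmac.new(key, signing_input, hashlib.sha256).digest()


def make_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    payload_b64 = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = sign_hs256(header_b64, payload_b64, key)
    return header_b64 + "." + payload_b64 + "." + b64url_encode(sig)


def verify_jwt(token: str, key: bytes,
               compare: Callable[[bytes, bytes], bool] = constant_time_equal
               ) -> Optional[dict]:
    # Returns the claims on success, None on any failure. The comparison routine
    # is a parameter only so the leaky and fixed variants can be shown together;
    # a real verifier would hard-wire the constant-time one.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm: never let the token choose how it is verified
    if header.get("alg") != "HS256":
        return None
    expected = sign_hs256(header_b64, payload_b64, key)
    received = b64url_decode(sig_b64)
    if not compare(received, expected):
        return None
    return json.loads(b64url_decode(payload_b64))


def agrees_with_stdlib() -> bool:
    # Sanity check: the hand-written comparison must give the same verdict as
    # hmac.compare_digest on matching, differing and length-mismatched inputs.
    cases = [(b"abc", b"abc"), (b"abc", b"abd"), (b"abc", b"ab"), (b"", b"")]
    return all(constant_time_equal(a, b) == hmac.compare_digest(a, b) for a, b in cases)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"          # constructed sample key
    token = make_jwt({"sub": "alice"}, KEY)
    print(token)
    print(verify_jwt(token, KEY))          # {'sub': 'alice'}
    print(verify_jwt(token, b"other"))     # None
    print(agrees_with_stdlib())            # True
```

The ordinary `==` on bytes in CPython has the same early-exit behaviour as `shortcircuit_equal`, which is why `hmac.compare_digest` exists; `constant_time_equal` is shown only to make the bitwise-OR construction from the email concrete.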
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
