Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
Suggestions for a Secure JOSE Alternative (or Protocol Upgrade)

Changes to JOSE that will prevent insecurity



Drop the alg header

Neither JOSE users nor JOSE library designers should be required to understand cryptography primitives. At a lower level, this can lead to badly implemented primitives. On a higher level, this can lead to reasoning by lego.

For all the reasons outlined here and here, the alg header (and algorithm agility in its entirety) should be considered harmful.


Drop the enc header

For the same reason we're dropping the alg header, we should drop the enc header.

Consider dropping the zip header

As we've seen with CRIME and BREACH, as well as this error oracle attack against iMessage, compression can introduce side-channels that totally undermine confidentiality.

This one is less of a hard-and-fast requirement to make JOSE secure, but I still strongly recommend it.



New header: ver (version)

Instead of letting library developers and users mix-and-match cryptography algorithms, the only choice they should be given is, "Which version are we using?" Versions can look like this:

  • Version 1:
    • HMAC-SHA256 for shared-key authentication
    • AES-128-CBC + HMAC-SHA256 in Encrypt-then-MAC mode for shared-key encryption
    • RSA-OAEP with MGF1-SHA256 and e=65537 + AES-128-CBC in KEM+DEM for public-key encryption, min. key size: 2048-bit
    • RSASSA-PSS with MGF1-SHA256 and e=65537 for public-key digital signatures, min. key size: 2048-bit
  • Version 2:
    • HMAC-SHA256 for shared-key authentication
    • AES-256-GCM for shared-key encryption
    • ECDH over secp256r1 (NIST P-256) + AES-256-GCM for public-key encryption
      • Libraries must verify that the point is on the curve
    • ECDSA over secp256r1 (NIST P-256), adhering to RFC 6979 (deterministic ECDSA), for public-key digital signatures
  • Version 3:
    • HMAC-SHA512-256 for shared-key authentication
      • As per NaCl, this is HMAC-SHA-512 truncated to 256 bits, not HMAC-SHA-512/256.
    • Xsalsa20poly1305 for shared-key encryption
    • X25519 + Xsalsa20poly1305 for public-key encryption
    • Ed25519 for public-key digital signatures

Libraries that support version 3 SHOULD NOT support version 1.

New header: mode

Only four options (case-insensitive):

  • se = Shared-key Encryption
  • sa = Shared-key Authentication
  • pe = Public-key Encryption
  • ps = Public-key digital Signatures
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment