New CS proposal: Javascript Object Signing and Encryption (JOSE) #1225
Comments
craigjbass
added
ACK_WAITING
|
Can you please provide some example topics that you'd like to have added, that aren't already covered in the JWT cheat sheet? |
|
|
Cool, seems like a good idea. Any input from the other maintainers? |
|
I think this is a great idea!!
|
|
Alright then! @craigjbass do you want to take this on? |
mackowski
added
ACK_OBTAINED
|
@craigjbass do you want to work on this? |
|
I think I would be able to write something, but I would need some help! Some of the topics I want to cover, I'm not sure I know the answer to. |
|
The existing JWT Cheat Sheet primarily covers token security but does not address JWE in detail. While it discusses risks like weak secrets, revocation strategies, and hashing vulnerabilities, but it lacks: Encryption Methods: No guidance on encrypting JWTs using JWE. |
|
When using a JWT for session management I suggest not placing sensitive data in a JWT and therefor you do not need to encrypt it. If you want to talk about JWE, I would suggest a second concise cheatsheet. I see a lot of JWE used in the health industry. |
|
Yes new cheatsheet on JWE would be awesome! |
|
I’ve put together a detailed JWE Cheat Sheet, covering JWE structure, secure algorithm choices (AES-GCM, RSA-OAEP, ECDH-ES), key management best practices, implementation in Python & Java, hardening techniques, and common pitfalls. It also includes a JWE vs. PASETO comparison. Before raising a PR, I’d appreciate any technical feedback or improvements to ensure it aligns with OWASP standards. If everything looks good, I’m ready to submit the PR. Here’s the latest version: JWE Cheat Sheet Looking forward to your thoughts! 🚀 |
|
Please also take a look at https://github.com/OWASP/ASVS/blob/master/5.0/en/0x14-V6-Cryptography.md to make sure your work is in sync with ASVS |
|
Yes, JWE provides many very different key management methods. It is not easy to understand all the cases and know which combinations are interesting/safe to use. |
Wouldn't it be easier to use public key cryptography for internal services as well? It avoids the n×(n-1) key distribution problem if I have many services. Moreover it reduces the risk of the encryption secret (and therefore the JWT plaintext) being leaked. On the other hand, ECDH-ES might be vulnerable to quantum computers. Why would I use RSA-OAEP instead of ECDH-ES? The latter is faster at equivalent security level. If I use AES-256-GCM as a key management solution, should I use "direct" AES-256-GCM instead? If I use ECDH-ES, should I use ECDH-ES+A128KW and friends? (I think it is only useful if I want to support multi-recipient JWT). Also, why would I want to use PBES2?
This one is weird as all JWE encryption mechanisms ("enc") are actually AEADs.
The JWE is encrypted. Is it bad if I am storing it client-side? (Does this only apply to JWE which are actually JWTs?)
Why kind of nonce are we talking about? I don't think we want to do what I understand is said here.
These are more JWT concerns as well.
These ones are not complete at all :)
They should be base64urlencoded. Some missing bits:
|
|
What is missing is that |
|
I have carefully analyzed all the comments and taken them into account. Before making a draft PR, I will ensure that the sheet is refined to align with the highest standards, covering all necessary aspects comprehensively. |
I like your attitude! +100 |
This PR closes OWASP#1225 . This is the draft of the JSON Web Encryption (JWE) Cheat Sheet for the OWASP Cheat Sheet Series. ### 🔹 Key Highlights: - 📌 **Introduction to JWE**: Explains its structure, use cases, and differences from JWT. - 🔐 **Choosing Secure Encryption Algorithms**: Covers AES-GCM, ECDH-ES, RSA-OAEP, and PBES2 with best practices. - 🛡 **Implementation Guidelines**: Provides secure encryption and decryption examples in Python & Java. - ⚠ **Security Best Practices**: - Validation of `alg` and `enc` headers to prevent header manipulation. - Proper key management, avoiding nonce/IV reuse, and ensuring AEAD encryption. - Secure storage recommendations (avoid localStorage/sessionStorage). - Protection against replay attacks, token expiration policies, and TLS/SSL enforcement. - ⚡ **Common Pitfalls to Avoid**: Covers weak algorithm risks, improper key handling, and compression vulnerabilities. - 🔄 **JWE vs JWS & JWT**: Explains when to use each and how to combine JWE with JWS for integrity & confidentiality. This draft follows OWASP ASVS cryptography best practices and aims to provide developers with a structured guide for securely implementing JWE. Looking forward to feedback and improvements! 🚀
|
I appreciate all the valuable feedback and guidance provided on the initial draft of the JSON Web Encryption (JWE) Cheat Sheet. Based on your insights, I have carefully addressed each suggestion and incorporated the necessary improvements in my Draft PR 🔹 Key Enhancements Implemented in the Updated Cheat Sheet: ✔ alg and enc Header Validation → Ensured all consumers validate both values to prevent attacker-controlled downgrades. With these updates, the cheat sheet now provides a structured, security-first approach to implementing JWE effectively. I would love your final review and feedback on the PR to ensure that all improvements align with best practices. Please let me know if there are any additional refinements required before we finalize the contribution. Looking forward to your insights! 🚀 |
What is the proposed Cheat Sheet about?
Javascript Object Signing and Encryption. In particular JWE.
What security issues are commonly encountered related to this area?
What is the objective of the Cheat Sheet?
To help people implement secure JWE implementations.
What other resources exist in this area?
Writing this because there seems to be very little guidance online, and some of it is contradictory.
The owasp cheatsheet has some guidance on best use of JWT (object signing) but no guidance on the usage of JWE.
The text was updated successfully, but these errors were encountered: