paragonie / paserk-php

PHP Implementation of PASERK

Question: Should the kid footer claim be used to signal the id of the wrapping key for pie? #15

Closed justinruggles closed 9 months ago

justinruggles commented 9 months ago

It's unclear to me whether the id of the wrapping key (kek) should be signalled out-of-band or as the kid claim in the token.

paragonie-security commented 9 months ago

Can you describe your use-case in a little more detail?

This is secure:

This is insecure:

paragonie-security commented 9 months ago

For prior art on combining PASERK and PASETO, see

https://github.com/pie-frost/client-auth-php/blob/abf2b4c56e616379ea9c8fc5984b033dceea6d60/src/Client.php#L78-L104

justinruggles commented 9 months ago

Basically it's not clear to me whether it's an intended or appropriate use to put the id of the kek in kid rather than an id for the full wrapped key. So the footer would have kid and wpk, where kid would refer to the kek rather than the wrapped key.
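The footer layout discussed in this thread (kid naming the kek, wpk carrying the pie-wrapped key), as an added Python sketch that is not code from paserk-php or from anyone in this issue: it derives the kek's kid the way I read the PASERK lid definition for v4 (BLAKE2b-264 over the lid header plus the PASERK string) and then uses that kid only to pick a pre-registered kek, rejecting anything it does not recognise. The wpk value is a constructed placeholder; the actual pie unwrap is left to paserk-php.

```python
import base64
import hashlib
import json

# Constructed sample wrapping key (kek). A real kek comes from a CSPRNG;
# this fixed value only makes the example reproducible.
KEK_BYTES = bytes(range(32))


def b64url(data: bytes) -> str:
    """Unpadded base64url, as PASERK uses."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def paserk_local(key: bytes, version: str = "k4") -> str:
    """Serialise a symmetric key as a kX.local. PASERK."""
    return f"{version}.local.{b64url(key)}"


def paserk_lid(paserk: str) -> str:
    """Key ID of a local key (my reading of the PASERK lid rule for v4:
    BLAKE2b with a 33-byte digest over the lid header and the PASERK)."""
    version = paserk.split(".", 1)[0]
    header = f"{version}.lid."
    digest = hashlib.blake2b((header + paserk).encode(), digest_size=33).digest()
    return header + b64url(digest)


def build_footer(kek: bytes, wpk: str) -> str:
    """Footer with kid = id of the kek and wpk = the pie-wrapped key."""
    return json.dumps({"kid": paserk_lid(paserk_local(kek)), "wpk": wpk})


def select_kek(footer: str, trusted: dict) -> tuple:
    """Use kid only to choose among pre-registered keks. Nothing else in the
    footer is trusted until the token itself has been verified."""
    claims = json.loads(footer)
    kid = claims.get("kid")
    wpk = claims.get("wpk")
    if not isinstance(kid, str) or kid not in trusted:
        raise ValueError("unknown kid")
    # The wrapped key must be a pie local-wrap of the same PASERK version.
    version = kid.split(".", 1)[0]
    if not isinstance(wpk, str) or not wpk.startswith(f"{version}.local-wrap.pie."):
        raise ValueError("wpk type or version does not match kid")
    return trusted[kid], wpk
```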