azure-activedirectory-identitymodel-extensions-for-dotnet icon indicating copy to clipboard operation
azure-activedirectory-identitymodel-extensions-for-dotnet copied to clipboard

Published 20 hours ago verified publisher icon AzureAD

Increase the minimum size of SymmetricSecurityKey for HS256

Open ackh opened this issue 2 years ago • 3 comments

SymmetricSecurityKey instances with a length of at least 16 bytes (128 bit) that are used together with SecurityAlgorithms.HmacSha256Signature are accepted when creating new JWTs using JwtSecurityTokenHandler. An example of such a valid key is as follows:

SymmetricSecurityKey key = new(new byte[] { 16, 172, 97, 77, 34, 201, 23, 99, 198, 56, 241, 0, 23, 97, 79, 14 });

Keys with less than 16 bytes result in the following exception

System.ArgumentOutOfRangeException: IDX10653: The encryption algorithm 'System.String' requires a key size of at least 'System.Int32' bits. Key 'Microsoft.IdentityModel.Tokens.SymmetricSecurityKey', is of size: 'System.Int32'. (Parameter 'key')

However, RFC 7518 states the following about the key length:

A key of the same size as the hash output (for instance, 256 bits for "HS256") or larger MUST be used with this algorithm.

As far as i understand, the current implementation violates that statement because the statement requires at least 32 bytes, not just 16.

Am I missing something or is that a potential security issue?

As a side note: the exception message does not print the actual size of the key but simply System.Int32 which isn't helpful

ackh avatar Oct 27 '21 12:10 ackh

@ackh thanks for noticing this, we will look into this. About the error message, when PII is on, we hid all variables in the message. We are working on relaxing this for some messages that don't contain any pii.

brentschmaltz avatar Oct 29 '21 21:10 brentschmaltz

Just a further note on this, HMAC signing keys should right pad out to the block size with /0 bytes, as per RFC 2104. The following issue, raised against the JwtBearerHandler demonstrates this point: https://github.com/dotnet/aspnetcore/issues/41024

aussieklutz avatar Apr 05 '22 03:04 aussieklutz

@cesarpayan can you please look into this.

brentschmaltz avatar Apr 07 '22 15:04 brentschmaltz

An update. The StackTrace for this error points to LogMessages.IDX10653 being thrown in the constructor for SymmetricSignatureProvider, where an explicit check is made whether the key is atleast the _minimumSymmetricKeySizeInBits. At this point, there should probably be some check whether the algorithm supports key padding, and then perform padding with /0 null characters up to the _minimumSymmetricKeySizeInBits.

if (key.KeySize < MinimumSymmetricKeySizeInBits) throw LogHelper.LogExceptionMessage(new ArgumentOutOfRangeException(nameof(key), LogHelper.FormatInvariant(LogMessages.IDX10653, LogHelper.MarkAsNonPII((algorithm)), LogHelper.MarkAsNonPII(MinimumSymmetricKeySizeInBits), key, LogHelper.MarkAsNonPII(key.KeySize))));

aussieklutz avatar Oct 20 '22 02:10 aussieklutz

@brentschmaltz I created a draft : https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/blob/Xiao/SymmetricKeySize/src/Microsoft.IdentityModel.Tokens/SymmetricSignatureProvider.cs

ciaozhang avatar May 01 '23 20:05 ciaozhang

#2072 resolves this issue.

TimHannMSFT avatar May 26 '23 23:05 TimHannMSFT