Re: [Ace] Token (In)Security

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Sat, 15 December 2018 14:58 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/8ddXL7Acsbxjs_BkLQ7CEqD4fTc>
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>

Hi Steffi

I checked the text and the text is indeed confusing.

I have made an attempt to update it to address your comment. Here is the pull request:
https://github.com/ace-wg/ace-oauth/pull/168

Let me know if you think I captured everything properly.

Ciao
Hannes

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Hannes Tschofenig
Sent: Friday, 14 December 2018 17:18
To: Stefanie Gerdes <gerdes@tzi.de>; Ludwig Seitz <ludwig.seitz@ri.se>; Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
Subject: Re: [Ace] Token (In)Security

Hi Steffi,

I anticipate that the use of tokens with IoT devices works similarly to OAuth deployments today. As such, if you distribute self-contained tokens then you sign or MAC them.
We have registered the necessary claims already, which include the expiry. As such, I expect it to be used as well.

If we forgot to mention explicitly that we follow the best current practices in OAuth then we should add that reference. I will check the text...

Ciao
Hannes

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Stefanie Gerdes
Sent: Friday, 14 December 2018 16:15
To: Ludwig Seitz <ludwig.seitz@ri.se>; Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
Subject: [Ace] Token (In)Security

Hi all,

as I understand the current proposal of the ACE framework, an attacker can send an access token to the RS that only contains a scope and is not signed or otherwise protected. Section 5.8.1.1 (titled verifying an access token) does not state that RS must check the authenticity of the token, therefore RS can accept it. Since the token does not contain an exp field, it is infinitely valid. The attacker thus gains infinite unconditional access. Is this really what we want from a security framework?

I would expect section 5.8.1.1 to provide information if and when RS must check that the token stems from an authorized AS to prevent this scenario.

Best regards
Steffi

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you.
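The scenario raised in this thread, as an added example that is not part of the e-mails above and not the ACE working group's or the ace-oauth draft's own code: an RS that reads only the scope claim accepts an attacker-minted token with no MAC and no exp, while an RS that first verifies the token's protection with the key shared with the AS, then checks audience and expiry, and only then consults the scope, rejects it. The key, audience, timestamps and claim values are constructed for the example, and an HMAC over a canonical JSON encoding stands in for COSE_Mac0 over a CBOR-encoded CWT so that the code runs with the Python standard library alone; that substitution is an assumption of this example, not how the framework encodes tokens.

```python
# Added example (not part of the thread or of the ACE framework's code):
# the check a resource server (RS) must perform before honouring a token.
# Assumption for runnability: an HMAC over canonical JSON stands in for
# COSE_Mac0 over a CBOR-encoded CWT.
import hashlib
import hmac
import json
import time

# Constructed sample values (assumptions, not taken from the thread).
AS_RS_KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")
RS_AUDIENCE = "coap://light.example.com"
NOW = 1_700_000_000  # fixed "current time" so the example is deterministic


def canonical(claims: dict) -> bytes:
    """Deterministic byte encoding of the claim set (stand-in for CBOR)."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


def issue_token(claims: dict, key: bytes) -> dict:
    """AS side: protect the claim set with an HMAC (stand-in for COSE_Mac0)."""
    tag = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    return {"claims": claims, "tag": tag}


def naive_rs_accept(token: dict, requested_scope: str) -> bool:
    """The behaviour the thread warns about: the RS reads the scope claim and
    nothing else, so an attacker-minted token with only a scope is accepted."""
    scope = token.get("claims", {}).get("scope", "")
    return requested_scope in scope.split()


def rs_verify(token: dict, requested_scope: str, key: bytes,
              audience: str, now: float = None) -> tuple:
    """Hardened RS check, in the order that matters: establish that the token
    came from a trusted AS before trusting any claim, then audience, then the
    validity window, and only then the scope. Returns (accepted, reason)."""
    now = time.time() if now is None else now
    claims = token.get("claims")
    tag = token.get("tag")
    if not isinstance(claims, dict):
        return False, "malformed token"
    if not isinstance(tag, str):
        return False, "unprotected token: no MAC or signature present"
    expected = hmac.new(key, canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "MAC verification failed: not issued by a trusted AS"
    if claims.get("aud") != audience:
        return False, "audience mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp: refuse tokens of unbounded validity"
    if now >= exp:
        return False, "token expired"
    nbf = claims.get("nbf")
    if isinstance(nbf, (int, float)) and now < nbf:
        return False, "token not yet valid"
    if requested_scope not in str(claims.get("scope", "")).split():
        return False, "scope does not cover the request"
    return True, "ok"


def demo() -> dict:
    """Runs the scenario from the thread against both checkers."""
    # Attacker-minted token: a scope, no exp, no MAC.
    forged = {"claims": {"scope": "read write"}}
    # Genuine token from the AS, valid for ten minutes.
    genuine = issue_token({"iss": "as.example.com", "aud": RS_AUDIENCE,
                           "scope": "read", "iat": NOW, "exp": NOW + 600},
                          AS_RS_KEY)
    # Genuine token with the scope widened after issuance; the MAC no longer matches.
    tampered = {"claims": dict(genuine["claims"], scope="read write"),
                "tag": genuine["tag"]}
    return {
        "naive_forged": naive_rs_accept(forged, "write"),
        "forged": rs_verify(forged, "write", AS_RS_KEY, RS_AUDIENCE, NOW),
        "genuine": rs_verify(genuine, "read", AS_RS_KEY, RS_AUDIENCE, NOW + 100),
        "tampered": rs_verify(tampered, "write", AS_RS_KEY, RS_AUDIENCE, NOW + 100),
        "expired": rs_verify(genuine, "read", AS_RS_KEY, RS_AUDIENCE, NOW + 601),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14} {result}")
```

The ordering in rs_verify is the point: until the MAC (or signature) has been checked against the AS key, every claim in the token, including exp and scope, is attacker-controlled, so nothing may be read from it for an access decision. Refusing tokens without exp closes the "infinitely valid" case from the thread; note that the expiry check presupposes the RS has a trustworthy notion of the current time.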