IETF Logo Mail Archive

Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy

Stefanie Gerdes <gerdes@tzi.de> Thu, 10 September 2020 12:10 UTC

Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 152933A09C4 for <ace@ietfa.amsl.com>; Thu, 10 Sep 2020 05:10:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.845
X-Spam-Level:
X-Spam-Status: No, score=-2.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IqG7A1Vew917 for <ace@ietfa.amsl.com>; Thu, 10 Sep 2020 05:10:49 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D641B3A09A6 for <ace@ietf.org>; Thu, 10 Sep 2020 05:10:48 -0700 (PDT)
Received: from [192.168.0.57] (p508a4e5d.dip0.t-ipconnect.de [80.138.78.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4BnHlq29NjzyY5 for <ace@ietf.org>; Thu, 10 Sep 2020 14:10:47 +0200 (CEST)
To: ace@ietf.org
References: <8CF8DD8C-895F-489D-8D21-FE2048B550EA@ericsson.com> <877dt3l5u1.fsf@wangari> <C3C52EBE-CD20-4201-9E93-F7FB4D92D77C@ericsson.com> <04f797cb-ec58-a8f8-a9d6-6cdbf8878376@tzi.de> <000201d686f6$2c4aba60$84e02f20$@augustcellars.com> <a3b290cd909f487690e718dee4b94ab0@combitech.se>
From: Stefanie Gerdes <gerdes@tzi.de>
Message-ID: <1fc88f97-dc69-54f0-bde1-6ddd37b7aad0@tzi.de>
Date: Thu, 10 Sep 2020 14:10:46 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <a3b290cd909f487690e718dee4b94ab0@combitech.se>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/Ce47eKYpDuQ_5VMtomOphvpKOGo>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 12:10:52 -0000

Hi Ludwig,

comments inline.

On 09/10/2020 08:49 AM, Seitz Ludwig wrote:
> Seeing that the mechanism was introduced to bootstrap a client that doesn't know which AS to talk to for a specific RS and given the issues raised by John,  what other options do we have that are more secure?

The mechanism in itself does not have a security problem. If C would
communicate with an AS that is not authorized for this RS that would be
a problem, but as section 6.5 states, C must be able to validate that.
This point is really important for the security of the solution,
regardless of the discovery mechanism. The privacy problem that AS URIs
may pose should be mentioned in the privacy considerations. I made a
text proposal in my response to John [1].

> 
> a.) A resource directory lookup? I'm not knowledgeable enough on RD to answer whether that is more secure, but Steffi or Olaf or Carsten should have more insight on this.
> 
> b.) A callback to a trusted entity (say the client owner). The issue here is that we have not defined any interactions for that entity yet.
> 
> c.) John suggested something with DNS in the first mail. I have no idea how this would work, John what did you have in mind there?
> 
> For the draft I see two ways forward:
> 
> 1.) Remove the whole discovery mechanism and just state that at this point we assume that the knowledge of the right AS is pre-configured/supplied out-of-band to the client. This leaves room for future work that specifies an in-band method.
> 
> 2.) Try to fix this (e.g. by specifying one of the methods a-c above).
> 
> I do not have the time to do 2 so I clearly prefer option 1, but if any of my co-authors can put in the work I'd be very glad.

I already made text proposals that hopefully clarify the problems that
John brought up [1]. I think it is really important to address these
problems in sections 6.4 and 6.5 in the draft and not just ignore them
or leave them for later. That would leave the framework open for
attacks. Developers will have difficulties to close this gap on their own.

We also should decouple the AS request creation hints from the
explanation of the AS discovery mechanism. The hints have the additional
purpose that they may contain the resource server's cnonce that the
resource server can later use to validate the access token.
Therefore, the AS URI should be optional in the AS request creation
hints, and we should make section 5.1.1 section 5.2.

Viele Grüße
Steffi

[1] https://mailarchive.ietf.org/arch/msg/ace/0639BdkMvJZdUjLBJIX21EiSvbw/

v2.23.0 | Report a Bug | By Email