IETF Logo Mail Archive

Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy

Stefanie Gerdes <gerdes@tzi.de> Thu, 10 September 2020 12:10 UTC

Return-Path: <gerdes@tzi.de>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32FE63A095F for <ace@ietfa.amsl.com>; Thu, 10 Sep 2020 05:10:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.845
X-Spam-Level:
X-Spam-Status: No, score=-2.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, NICE_REPLY_A=-0.948, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id o7AzFouG0Rak for <ace@ietfa.amsl.com>; Thu, 10 Sep 2020 05:10:41 -0700 (PDT)
Received: from gabriel-vm-2.zfn.uni-bremen.de (gabriel-vm-2.zfn.uni-bremen.de [134.102.50.17]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30FDA3A095C for <ace@ietf.org>; Thu, 10 Sep 2020 05:10:40 -0700 (PDT)
Received: from [192.168.0.57] (p508a4e5d.dip0.t-ipconnect.de [80.138.78.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by gabriel-vm-2.zfn.uni-bremen.de (Postfix) with ESMTPSA id 4BnHlg0rchzyYP; Thu, 10 Sep 2020 14:10:39 +0200 (CEST)
To: Jim Schaad <ietf@augustcellars.com>, ace@ietf.org
References: <8CF8DD8C-895F-489D-8D21-FE2048B550EA@ericsson.com> <877dt3l5u1.fsf@wangari> <C3C52EBE-CD20-4201-9E93-F7FB4D92D77C@ericsson.com> <04f797cb-ec58-a8f8-a9d6-6cdbf8878376@tzi.de> <000201d686f6$2c4aba60$84e02f20$@augustcellars.com>
From: Stefanie Gerdes <gerdes@tzi.de>
Message-ID: <74257a98-0f9b-0e98-3070-6dfdbca628e5@tzi.de>
Date: Thu, 10 Sep 2020 14:10:25 +0200
User-Agent: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <000201d686f6$2c4aba60$84e02f20$@augustcellars.com>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/GpRWeQUunJTpJu7Q_2SW28CJnic>
Subject: Re: [Ace] draft-ietf-ace-oauth-authz-35 - unauthorized AS address, DoS, and privacy
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Sep 2020 12:10:44 -0000

Hi Jim,

comments inline.

On 09/10/2020 12:11 AM, Jim Schaad wrote:

> A compromised RS may use the hints for attempting to trick a client into contacting an AS that is not supposed to be in charge of that RS.
> Therefore, C must not communicate with an AS if it cannot determine that this AS has the authority to issue access tokens for this RS. Otherwise, a compromised RS may use this to perform a denial of service against a specific AS, by redirecting a large number of client requests to that AS.
> 
> [JLS] I do not know how C is supposed to be able to determine if AS has the authority to issue access tokens for a specific RS.  If it had the ability to do that then it can go directly to the AS in question without ever needing to use this mechanism.  This mechanism is designed to be used for the case where C does not have a priori knowledge about which AS it will talk to get the token for RS.

C may use the AS URI to determine if the AS is responsible for this
server, e.g., by looking it up in a secured resource directory that
contains the necessary information or by asking its own authorization
manager. As there may be large numbers of resource server that may
change a lot, it may be beneficial to also have the AS URI. That depends
on the client side authorization mechanism, of course. If C does not
require this information, it does not have to use it.

The unauthorized resource request mechanism has an additional purpose:
it also enables RS to specify a nonce that can later be reflected to it
in the access token and thereby enables RS to validate that the access
token is recent. It would be useful to make the AS address optional in
the AS request creation hints.

> 
>>
>>>> - That RS shares the AS address with anybody that asks can be a 
>>>> severe privacy problem. If RS is a medical device, the AS address 
>>>> can reveal sensitive information. If RS is a blood pressure sensor 
>>>> it could e.g. be “AS address = 
>>>> coaps://as.hopkinsmedicine.org/kimmel_cancer_center/”
> 
> [JLS] My first hope is that this RS would never return an AS address to a client.   Sending information which has secure privacy problems amounts to a case where the rule should be:  If C does not know what AS to talk to, it has no business talking to me (RS).
> 
> [JLS] This is the type of situation where that information itself is going to be information to which access is to be restricted and where you need to talk to an AS to get permissions to get that information.  In this type of situation I would expect that the information would only be available either throw an already secure channel or from a DS with the, not yet defined, AS attributes.

Wouldn't the client breach the privacy of its owner simply by
communicating with an AS with such a URI?

I send a proposal to address this problem in my answer to John [1].

Viele Grüße
Steffi

[1] https://mailarchive.ietf.org/arch/msg/ace/0639BdkMvJZdUjLBJIX21EiSvbw/

v2.23.0 | Report a Bug | By Email