Re: [Ace] Token (In)Security
Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 14 December 2018 16:18 UTC
To: Stefanie Gerdes <gerdes@tzi.de>, Ludwig Seitz <ludwig.seitz@ri.se>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/O-ZyE4KzTMoAdHY3AeDr9OudSOo>
Hi Steffi,

I anticipate that the use of tokens with IoT devices works similarly to OAuth deployments today. As such, if you distribute self-contained tokens then you sign or MAC them. We have registered the necessary claims already, which include the expiry. As such, I expect it to be used as well.

If we forgot to mention explicitly that we follow the best current practices in OAuth then we should add that reference. I will check the text...

Ciao
Hannes

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Stefanie Gerdes
Sent: Friday, 14 December 2018 16:15
To: Ludwig Seitz <ludwig.seitz@ri.se>; Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
Subject: [Ace] Token (In)Security

Hi all,

As I understand the current proposal of the ACE framework, an attacker can send an access token to the RS that only contains a scope and is not signed or otherwise protected. Section 5.8.1.1 (titled "verifying an access token") does not state that RS must check the authenticity of the token, therefore RS can accept it. Since the token does not contain an exp field, it is infinitely valid. The attacker thus gains infinite unconditional access. Is this really what we want from a security framework?

I would expect section 5.8.1.1 to provide information if and when RS must check that the token stems from an authorized AS to prevent this scenario.

Best regards
Steffi
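The RS-side checks this exchange calls for (authenticity under the AS key, a mandatory exp claim, and only then the scope), as an added example that is not part of the thread or of the ACE framework itself. The token format is a simplified stand-in (JSON claims plus an HMAC-SHA256 tag) rather than the CWT/COSE encoding ACE uses, and the shared key is a constructed sample.

```python
import hashlib
import hmac
import json
import time

AS_KEY = b"constructed-sample-key-shared-by-AS-and-RS"  # constructed, not a real key


def issue_token(claims: dict, key: bytes = AS_KEY) -> dict:
    """What the AS does: serialize the claims canonically and MAC them."""
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def verify_token(token: dict, required_scope: str, now=None, key: bytes = AS_KEY):
    """RS-side verification. Returns (accepted, reason) so each rejection is explicit."""
    now = time.time() if now is None else now
    # 1. Authenticity first: a token with no MAC (or no payload) was never issued by the AS,
    #    however plausible its scope looks.
    if "payload" not in token or "tag" not in token:
        return False, "token is not integrity-protected"
    payload = token["payload"].encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["tag"]):
        return False, "MAC does not verify under the AS key"
    claims = json.loads(payload)
    # 2. Expiry: a missing exp must mean "reject", not "valid forever".
    if "exp" not in claims:
        return False, "missing exp claim"
    if now >= claims["exp"]:
        return False, "token expired"
    # 3. Only a token that passed 1 and 2 has a scope worth consulting.
    if required_scope not in claims.get("scope", "").split():
        return False, "scope does not cover request"
    return True, "ok"


if __name__ == "__main__":
    unsigned = {"payload": '{"scope":"read"}'}          # the attacker token from the thread
    print(verify_token(unsigned, "read", now=1000))       # rejected: not integrity-protected
    print(verify_token(issue_token({"scope": "read", "exp": 2000}), "read", now=1000))
```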