Re: [Ace] Token (In)Security

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Fri, 14 December 2018 16:18 UTC

From: Hannes Tschofenig <Hannes.Tschofenig@arm.com>
To: Stefanie Gerdes <gerdes@tzi.de>, Ludwig Seitz <ludwig.seitz@ri.se>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
Date: Fri, 14 Dec 2018 16:18:16 +0000
Message-ID: <VI1PR0801MB2112CE85678921B892FA7C09FAA10@VI1PR0801MB2112.eurprd08.prod.outlook.com>
In-Reply-To: <b0d3ff24-5842-62ca-3d16-1dd7b4875c66@tzi.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/O-ZyE4KzTMoAdHY3AeDr9OudSOo>

Hi Steffi,

I anticipate that the use of tokens with IoT devices works similarly to OAuth deployments today. As such, if you distribute self-contained tokens then you sign or MAC them.
We have registered the necessary claims already, which includes the expiry. As such, I expect it to be used as well.

If we forgot to mention explicitly that we follow the best current practices in OAuth then we should add that reference. I will check the text...

Ciao
Hannes

-----Original Message-----
From: Ace <ace-bounces@ietf.org> On Behalf Of Stefanie Gerdes
Sent: Friday, 14 December 2018 16:15
To: Ludwig Seitz <ludwig.seitz@ri.se>; Jim Schaad <ietf@augustcellars.com>; ace@ietf.org
Subject: [Ace] Token (In)Security

Hi all,

As I understand the current proposal of the ACE framework, an attacker can send an access token to the RS that only contains a scope and is not signed or otherwise protected. Section 5.8.1.1 (titled "Verifying an Access Token") does not state that the RS must check the authenticity of the token, therefore the RS can accept it. Since the token does not contain an exp field, it is infinitely valid. The attacker thus gains infinite unconditional access. Is this really what we want from a security framework?

I would expect section 5.8.1.1 to provide information if and when RS must check that the token stems from an authorized AS to prevent this scenario.

Best regards
Steffi
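The exchange above boils down to two RS-side checks: the token must carry an integrity tag from a key the RS shares with (or trusts from) the AS, and it must carry an `exp` claim that has not passed. The following is an added illustration, not code from the ACE framework, the draft, or either author. It uses a simplified CWT-like structure serialized as JSON with an HMAC-SHA256 tag in place of COSE/CBOR, a constructed shared key, and a hypothetical `naive_verify` that mirrors the unprotected-token acceptance Stefanie describes next to a `verify_token` that does the checks Hannes expects.

```python
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key assumed to be shared between AS and RS (not a real key).
AS_RS_KEY = b"constructed-demo-key-do-not-use"


def mac_token(claims: dict, key: bytes) -> dict:
    """AS side: mint a self-contained token whose claims are covered by an HMAC tag.

    Simplification: JSON payload + HMAC-SHA256 instead of a CBOR/COSE MAC0.
    """
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload.decode(), "tag": tag}


def naive_verify(token: dict) -> bool:
    """RS behaviour as read by Stefanie: accept anything that parses and names a scope.

    No authenticity check, no expiry check: a token built by anyone is accepted forever.
    """
    try:
        claims = json.loads(token.get("payload", ""))
    except (TypeError, ValueError):
        return False
    return isinstance(claims, dict) and "scope" in claims


def verify_token(token: dict, key: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """RS behaviour Hannes describes: verify the tag first, then require a future exp.

    Returns (accepted, reason). Claims are only parsed after the tag has been verified,
    so unauthenticated input never reaches the claim-handling logic.
    """
    now = int(time.time()) if now is None else now
    payload = token.get("payload")
    tag = token.get("tag")
    if not isinstance(payload, str) or not isinstance(tag, str):
        return False, "missing payload or tag"
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad tag"
    claims = json.loads(payload)
    exp = claims.get("exp")
    if not isinstance(exp, int):
        return False, "missing exp"  # a token without expiry is not accepted
    if now >= exp:
        return False, "expired"
    if "scope" not in claims:
        return False, "missing scope"
    return True, "ok"


if __name__ == "__main__":
    # Constructed attacker token: a bare scope, no tag, no exp.
    attacker_token = {"payload": json.dumps({"scope": "read"})}
    print("naive RS accepts unprotected token:", naive_verify(attacker_token))
    print("checked RS:", verify_token(attacker_token, AS_RS_KEY, now=1000))
    good = mac_token({"scope": "read", "exp": 2000}, AS_RS_KEY)
    print("valid token before exp:", verify_token(good, AS_RS_KEY, now=1000))
    print("valid token after exp:", verify_token(good, AS_RS_KEY, now=2000))
```

The ordering matters: `verify_token` rejects on the tag before it ever looks at `exp` or `scope`, and it treats a missing `exp` as a rejection rather than as "valid forever", which is exactly the gap the quoted message points at.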
