Re: [Ace] Token (In)Security

Ludwig Seitz <ludwig.seitz@ri.se> Fri, 11 January 2019 13:09 UTC

To: Stefanie Gerdes <gerdes@tzi.de>, Hannes Tschofenig <Hannes.Tschofenig@arm.com>, Jim Schaad <ietf@augustcellars.com>, "ace@ietf.org" <ace@ietf.org>
References: <154322421294.8323.8505315870685563404.idtracker@ietfa.amsl.com> <cbd083d1-cb95-0732-aa8b-7c7de3f480d1@ri.se> <a0cdd836-7fe3-339e-0c48-961503857447@tzi.de> <03b601d49191$7d1bb400$77531c00$@augustcellars.com> <945fbebe-659f-ac72-3ab6-8e05447e7c92@ri.se> <1c5b81f3-50ce-be68-bec3-68ce2ff15b43@tzi.de> <4ae4eccd-68bf-18ef-f909-142f8172eca1@ri.se> <b0d3ff24-5842-62ca-3d16-1dd7b4875c66@tzi.de> <VI1PR0801MB2112CE85678921B892FA7C09FAA10@VI1PR0801MB2112.eurprd08.prod.outlook.com> <VI1PR0801MB21129CED50E760A28AD9A38AFAA20@VI1PR0801MB2112.eurprd08.prod.outlook.com> <637abc12-9c8d-be8a-9d27-ee645cd8a290@tzi.de>
From: Ludwig Seitz <ludwig.seitz@ri.se>
Message-ID: <5b054bc3-10c3-6885-e8df-c7edbcbfac55@ri.se>
Date: Fri, 11 Jan 2019 14:09:25 +0100
In-Reply-To: <637abc12-9c8d-be8a-9d27-ee645cd8a290@tzi.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/yQXqmzm1YJl7Ns2IDnUPIqyhTMc>

On 18/12/2018 15:48, Stefanie Gerdes wrote:
> Hi Hannes,
> 
> I think the text is much better now. Protecting the integrity of
> self-contained tokens is not sufficient, however. The RS must not only
> ascertain that the token is integrity-protected but also validate its
> authenticity, i.e., that it stems from an authorized AS.
> 
> Viele Grüße
> Steffi
> 

Hi,

I've merged Hannes' PR, fixed a typo and added a sentence as follows:
=====================================================================
For self-contained tokens the RS MUST process the security protection of 
the token first, as specified by the respective token format. ~snip~ 
This MUST include a verification that security protection (and thus the 
token) was generated by an AS that has the right to issue access tokens 
for this RS.
=====================================================================

I have not extended this requirement to tokens passed as a reference, 
since in that case the RS needs to do introspection at an authorized AS 
anyways. It would thus not get the claims of a token issued by an 
unauthorized AS, which would in turn lead to the token being discarded.

Does that sound correct to you all?

/Ludwig

-- 
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51
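The distinction Steffi raises and the merged sentence encodes, shown as an added example that is not part of this thread or of the ACE draft: a MAC-protected self-contained token (a simplified stand-in for a COSE_Mac0-wrapped CWT, with constructed key ids and keys) verifies under any key the RS happens to know, but the RS must additionally require that the key belongs to an AS authorized to issue tokens for it.

```python
import base64
import hashlib
import hmac
import json

# Constructed (hypothetical) setup: the RS knows two ASes, but only "as-1"
# has the right to issue access tokens for this RS.
RS_ID = "rs.example"
KNOWN_AS_KEYS = {"as-1": b"key-of-authorized-as", "as-2": b"key-of-some-other-as"}
AUTHORIZED_AS = {"as-1"}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(as_id: str, claims: dict) -> str:
    """AS side: header.payload.tag, with the MAC computed under the AS's key."""
    header = _b64e(json.dumps({"alg": "HS256", "kid": as_id}).encode())
    payload = _b64e(json.dumps(claims).encode())
    tag = hmac.new(KNOWN_AS_KEYS[as_id], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64e(tag)}"


def verify_integrity(token: str):
    """Insufficient RS check: accepts any token whose MAC verifies under a known key."""
    h, p, t = token.split(".")
    key = KNOWN_AS_KEYS.get(json.loads(_b64d(h)).get("kid"))
    if key is None:
        return None
    tag = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return json.loads(_b64d(p)) if hmac.compare_digest(tag, _b64d(t)) else None


def verify_token(token: str, rs_id: str = RS_ID):
    """RS check per the merged text: MAC valid AND generated by an AS authorized for this RS."""
    h, *_ = token.split(".")
    if json.loads(_b64d(h)).get("kid") not in AUTHORIZED_AS:
        return None  # possibly intact, but not from an AS allowed to issue for this RS
    claims = verify_integrity(token)
    if claims is None or claims.get("aud") != rs_id:
        return None  # tampered, or issued for a different RS
    return claims
```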