Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
"William J. Mills" <wmills@yahoo-inc.com> Wed, 08 June 2011 02:40 UTC
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BANLkTikpQNyQdr9oWHhtJ7a7d-4ri0CNdA@mail.gmail.com> <09c801cc24c2$a05bae00$e1130a00$@packetizer.com> <BANLkTin30NVzYVV1m4gmyh42DWs-nSQpAg@mail.gmail.com> <00f101cc255e$2d426020$87c72060$@packetizer.com> <BANLkTimn8c72p5bjwHNapW9kVCVBmNbC4w@mail.gmail.com> <1307486600.48324.YahooMailNeo@web31808.mail.mud.yahoo.com> <BANLkTi==5LjD7vW74tqB_sbSHrLjsJE6+A@mail.gmail.com> <4DEEAD76.2090800@adida.net> <BANLkTik7LyPWssAb0EBmx11hK53hiwgmrA@mail.gmail.com> <20110607234131.GI1565@sentinelchicken.org>
Message-ID: <1307500800.70339.YahooMailNeo@web31810.mail.mud.yahoo.com>
Date: Tue, 07 Jun 2011 19:40:00 -0700
From: "William J. Mills" <wmills@yahoo-inc.com>
To: Tim <tim-projects@sentinelchicken.org>, Nico Williams <nico@cryptonector.com>
In-Reply-To: <20110607234131.GI1565@sentinelchicken.org>
Cc: "http-state@ietf.org" <http-state@ietf.org>, OAuth WG <oauth@ietf.org>, "apps-discuss@ietf.org" <apps-discuss@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: [apps-discuss] [OAUTH-WG] [http-state] HTTP MAC Authentication Scheme
It is possible to implement decent security with MAC, it is also possible to screw it up. It is far more difficult (impossible?) to implement decent security with cookies over HTTP.

________________________________
From: Tim <tim-projects@sentinelchicken.org>
To: Nico Williams <nico@cryptonector.com>
Cc: OAuth WG <oauth@ietf.org>; HTTP Working Group <ietf-http-wg@w3.org>; "apps-discuss@ietf.org" <apps-discuss@ietf.org>; "http-state@ietf.org" <http-state@ietf.org>
Sent: Tuesday, June 7, 2011 4:41 PM
Subject: Re: [OAUTH-WG] [http-state] [apps-discuss] HTTP MAC Authentication Scheme

> > A passive attacker can sniff your cookie and thus hijack your session. All
> > you need to accomplish that attack is connect to any open wifi network and
> > use Firesheep. It's a good bit harder to be an active attacker, even on an
> > open wireless network.
>
> Yes, but only for resources that you've already stated you don't care about.
>
> If you cared about those resources you'd protect more of the request
> _and_ response, or you'd use TLS. But you don't want to protect the
> response and you don't want to use TLS and you don't even want to
> protect the request body. What you're proposing adds a very marginal
> degree of security that will be trivial to defeat on open wifi
> (particularly once the toolset for doing it gets published).
>
> Are we serious about security? Or is this just for show?
>
> Or am I missing something?

I have to agree with Nico here. In almost all cases I assert that, on typical modern networks:

let P = difficulty of passive attack
let M = difficulty of active (man-in-the-middle) attack

O(P) = O(M).

This isn't to say the "real world" difficulty of an active attack is just as easy, but it is within a constant factor. If someone has published a tool that conducts MitM attacks for the specific protocol you're dealing with, the difference in difficulty clearly becomes marginal.

Consider the complexity of the attacks implemented by sslstrip and yet the relative ease with which you can use it to MitM all SSL connections.

I didn't bring this up before because I didn't understand any of the context behind the MAC proposal, but I will now, at risk of sounding ignorant: What is the MAC Authentication proposal intended to accomplish, in a security sense, above and beyond HTTP Digest? Yes, the HTTP Digest spec is, shall we say, a little rough around the edges, but would it make more sense to simply *fix* the minor problems with it and slightly extend it to integrate with OAuth? Note that it already does allow for arbitrary encrypted blob values to be attached to the digest...

Ignoring the integration details for a minute though, how does MAC improve on Digest from a security perspective?

tim
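Nico's and Tim's point in the quoted exchange is that a request MAC only protects the octets it is computed over, and William's reply is that a MAC deployment can be done decently or "screwed up". The following Python is an added illustration for this thread, not code from the thread, from the MAC draft, or from any of its authors: it sketches a simplified request-MAC verifier whose normalized-string layout, optional `bodyhash` field, hex-encoded HMAC-SHA256, 300-second timestamp window and nonce cache are all assumptions made for the example, not the draft's actual wire format. It shows that an edited request body still verifies when the MAC excludes the body, that covering a body hash catches the edit, and that the replay and freshness checks on the verifier side are what separate a usable deployment from a broken one.

```python
"""Added illustration for the thread above (not the MAC draft's own code or
normalization). Every field layout and parameter below is an assumption."""
import hashlib
import hmac
import time
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    uri: str          # path plus query, e.g. "/transfer?x=1"
    host: str
    port: int
    body: bytes = b""


def body_hash(body: bytes) -> str:
    """Hex SHA-256 of the entity body (assumed encoding for this example)."""
    return hashlib.sha256(body).hexdigest()


def normalized_string(ts: int, nonce: str, req: Request, cover_body: bool) -> bytes:
    """The exact octets the MAC is computed over.  Anything that is NOT in
    this string is NOT protected by the MAC; that is the thread's point."""
    parts = [str(ts), nonce, req.method.upper(), req.uri, req.host.lower(), str(req.port)]
    parts.append(body_hash(req.body) if cover_body else "")   # assumed optional bodyhash slot
    return ("\n".join(parts) + "\n").encode()


def sign(key: bytes, ts: int, nonce: str, req: Request, cover_body: bool) -> str:
    """Client side: HMAC-SHA256 over the normalized string, hex-encoded (assumption)."""
    return hmac.new(key, normalized_string(ts, nonce, req, cover_body), hashlib.sha256).hexdigest()


@dataclass
class Verifier:
    """Server side.  The window and nonce cache are what stop a captured
    request from being replayed verbatim; a MAC alone does not."""
    key: bytes
    window: int = 300                      # assumed freshness window in seconds
    seen: set = field(default_factory=set)  # (timestamp, nonce) pairs already accepted

    def verify(self, ts: int, nonce: str, mac: str, req: Request,
               cover_body: bool, now: int = None) -> bool:
        now = int(time.time()) if now is None else now
        if abs(now - ts) > self.window:          # stale or future-dated request
            return False
        if (ts, nonce) in self.seen:             # exact replay of an accepted request
            return False
        expected = sign(self.key, ts, nonce, req, cover_body)
        if not hmac.compare_digest(expected, mac):   # constant-time comparison
            return False
        self.seen.add((ts, nonce))
        return True


def demo(now: int = 1307500800) -> dict:
    """Runs the four cases the thread argues about and reports each outcome."""
    key = b"constructed-demo-key"           # constructed sample key, not a real secret
    original = Request("POST", "/transfer", "api.example", 80, b"amount=10")
    tampered = Request("POST", "/transfer", "api.example", 80, b"amount=9999")
    out = {}

    # 1. MAC covers method, URI, host and port only: an on-path edit to the
    #    body is accepted, because the body never entered the MAC input.
    v = Verifier(key)
    mac = sign(key, now, "n1", original, cover_body=False)
    out["body_tamper_accepted_without_bodyhash"] = v.verify(now, "n1", mac, tampered, False, now)

    # 2. Same request with the body hash covered: the edit is detected,
    #    while the genuine request is still accepted.
    v = Verifier(key)
    mac = sign(key, now, "n2", original, cover_body=True)
    out["body_tamper_rejected_with_bodyhash"] = not v.verify(now, "n2", mac, tampered, True, now)
    out["genuine_accepted_with_bodyhash"] = v.verify(now, "n2", mac, original, True, now)

    # 3. Presenting the same (timestamp, nonce, MAC) again is rejected by the cache.
    out["replay_rejected"] = not v.verify(now, "n2", mac, original, True, now)

    # 4. A correctly signed request presented an hour later is outside the window.
    mac3 = sign(key, now, "n3", original, cover_body=True)
    out["stale_rejected"] = not v.verify(now, "n3", mac3, original, True, now + 3600)
    return out


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

Case 1 is the failure mode Nico describes: the verifier is working exactly as designed and still accepts a modified body, because coverage, not MAC strength, decides what an active attacker can change. Case 2 is the "protect more of the request" remedy, and cases 3 and 4 show why the verifier's window and nonce cache are part of a decent deployment rather than optional extras.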