Re: [apps-discuss] HTTP MAC Authentication Scheme

Adam Barth <ietf@adambarth.com> Thu, 02 June 2011 01:26 UTC

Return-Path: <ietf@adambarth.com>
X-Original-To: apps-discuss@ietfa.amsl.com
Delivered-To: apps-discuss@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F01C4E0796; Wed, 1 Jun 2011 18:26:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.944
X-Spam-Level:
X-Spam-Status: No, score=-2.944 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h4q+OLj2WaGw; Wed, 1 Jun 2011 18:26:26 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id 487D1E06A0; Wed, 1 Jun 2011 18:26:26 -0700 (PDT)
Received: by yxk30 with SMTP id 30so203231yxk.31 for <multiple recipients>; Wed, 01 Jun 2011 18:26:25 -0700 (PDT)
Received: by 10.151.5.14 with SMTP id h14mr168197ybi.182.1306977985636; Wed, 01 Jun 2011 18:26:25 -0700 (PDT)
Received: from mail-gy0-f172.google.com (mail-gy0-f172.google.com [209.85.160.172]) by mx.google.com with ESMTPS id p23sm81293ybc.29.2011.06.01.18.26.24 (version=SSLv3 cipher=OTHER); Wed, 01 Jun 2011 18:26:24 -0700 (PDT)
Received: by gyf3 with SMTP id 3so206066gyf.31 for <multiple recipients>; Wed, 01 Jun 2011 18:26:24 -0700 (PDT)
Received: by 10.91.103.14 with SMTP id f14mr155271agm.125.1306977984068; Wed, 01 Jun 2011 18:26:24 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.90.36.10 with HTTP; Wed, 1 Jun 2011 18:25:54 -0700 (PDT)
In-Reply-To: <BB837BE0-060E-4201-821A-4A7F5FFED3A4@mnot.net>
References: <90C41DD21FB7C64BB94121FBBC2E723447581DA8EA@P3PW5EX1MB01.EX1.SECURESERVER.NET> <EF1DF135-708B-4244-AA3A-020761EDB290@mnot.net> <90C41DD21FB7C64BB94121FBBC2E723447583CA4CC@P3PW5EX1MB01.EX1.SECURESERVER.NET> <BB837BE0-060E-4201-821A-4A7F5FFED3A4@mnot.net>
From: Adam Barth <ietf@adambarth.com>
Date: Wed, 1 Jun 2011 18:25:54 -0700
Message-ID: <BANLkTimnaYzyhkzkZJg2KBvx0R-Z-5QsFA@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Content-Type: text/plain; charset=ISO-8859-1
Cc: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, Ben Adida <ben@adida.net>, "http-state@ietf.org" <http-state@ietf.org>, HTTP Working Group <ietf-http-wg@w3.org>, OAuth WG <oauth@ietf.org>
Subject: Re: [apps-discuss] HTTP MAC Authentication Scheme
X-BeenThere: apps-discuss@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: General discussion of application-layer protocols <apps-discuss.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/apps-discuss>
List-Post: <mailto:apps-discuss@ietf.org>
List-Help: <mailto:apps-discuss-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/apps-discuss>, <mailto:apps-discuss-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Jun 2011 01:26:27 -0000

On Wed, Jun 1, 2011 at 5:15 PM, Mark Nottingham <mnot@mnot.net> wrote:
> On 02/06/2011, at 1:00 AM, Eran Hammer-Lahav wrote:
>> This was suggested before, but are there really attack vectors for this?
>
> If not having a current, working attack to demonstrate is a valid way to shrug off a security concern, that's great; it'll be a useful approach to many of the discussions I have. :)
>
>
>> The problem is that content-type is a pretty flexible header, which means normalization of the header will be required (case, parameter order, white space, etc.).
>
> The media type is the important part, and it's much more constrained.
>
>
>> I would argue that if you are using MAC with body hash and an attacker changing the media type can cause harm, you should use additional methods to secure the content-type (such as making the body self-describing).
>
> That seems like a step backwards, considering all of the work that Adam has put into limiting the use of sniffing.

Yeah, I tried to twist Eran's arm into including the media type in the
body hash too.  It's probably more important for responses than
requests, however.

Adam