Re: [http-auth] Review of draft-ietf-httpauth-hoba-05
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 05 December 2014 19:18 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: http-auth@ietfa.amsl.com
Delivered-To: http-auth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 074701AD5F6 for <http-auth@ietfa.amsl.com>; Fri, 5 Dec 2014 11:18:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DTlM6zmRns1f for <http-auth@ietfa.amsl.com>; Fri, 5 Dec 2014 11:18:45 -0800 (PST)
Received: from mail-la0-x22f.google.com (mail-la0-x22f.google.com [IPv6:2a00:1450:4010:c03::22f]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B08E1AD5F9 for <http-auth@ietf.org>; Fri, 5 Dec 2014 11:18:45 -0800 (PST)
Received: by mail-la0-f47.google.com with SMTP id hz20so1230034lab.34 for <http-auth@ietf.org>; Fri, 05 Dec 2014 11:18:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=NEP8tzlfe4hQ9PmxgZ2PmNEAtmbTO/Em75yrve/VSCo=; b=WU89//XlMSBEi8ttRNXKfwO8sYqr4Qils+L+Pr9ldtw2cHKt8z/QQz2M6YkPAEDTrH dY95JJU/bDc9likk4THzHsHO4csvmEtyyR9ab6L6oiZYdQf73r8iWozM7qLQ68Utmssv xKvncj3ZhlpCSiDnL/ooq/JVH93wpK7+YIzRBWR9LN2UKzscT+rm0+vF1HuBfIkXpAdf rhFgQ9/+gr+a3vkoSSEWhfkgfmt4fH6Cq69+xNL5j2mEHgpx0B6AdDpJY1Si8+0P42+U ndfa05faV54FQ6nS2xdYzi8YgR8gXZbiEL4AGMEIA1RLAALejUOcX/1WF2c7OZXNcpj6 2L+A==
MIME-Version: 1.0
X-Received: by 10.112.73.102 with SMTP id k6mr4402915lbv.75.1417807123375; Fri, 05 Dec 2014 11:18:43 -0800 (PST)
Received: by 10.112.49.52 with HTTP; Fri, 5 Dec 2014 11:18:43 -0800 (PST)
In-Reply-To: <5481DCCA.3080308@cs.tcd.ie>
References: <CAHbuEH73PbDyidewf1eMakAz0BWJY3DFNb5hLPsKsaX5H8RinA@mail.gmail.com> <547D0D59.5070104@cs.tcd.ie> <78620582-D88B-4B58-9E98-15941A96809C@gmail.com> <CAHbuEH6qHHFzx3D=WF+TY=Wq+pr1RjeSV0DQAsjCTpStwqjcVw@mail.gmail.com> <5481DCCA.3080308@cs.tcd.ie>
Date: Fri, 05 Dec 2014 14:18:43 -0500
Message-ID: <CAHbuEH5XOVnYv1cr3pLVL7xCW0mOaq-opf=8bRdLDyK2exzrYA@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/http-auth/Q329rGruOn9xYg3fjN4DU-_M-Zo
Cc: "http-auth@ietf.org" <http-auth@ietf.org>
Subject: Re: [http-auth] Review of draft-ietf-httpauth-hoba-05
X-BeenThere: http-auth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: HTTP authentication methods <http-auth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/http-auth>, <mailto:http-auth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-auth/>
List-Post: <mailto:http-auth@ietf.org>
List-Help: <mailto:http-auth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-auth>, <mailto:http-auth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Dec 2014 19:18:50 -0000
Hi, On Fri, Dec 5, 2014 at 11:26 AM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Sorry for being slow, travel and all that... No worries. > > On 02/12/14 16:28, Kathleen Moriarty wrote: >> Hello, >> >> As promised, I put together some additional information on phishing >> attacks and feel strongly that their mention should not be included. >> I'll answer a few other questions in line as well to clarify things >> where I can. Stephen is tied up in meetings today, so we may or may >> not get a response until later in the day. >> >> On Mon, Dec 1, 2014 at 8:24 PM, Kathleen Moriarty >> <kathleen.moriarty.ietf@gmail.com> wrote: >>> Hi, >>> >>> Sent from my iPhone >>> >>>> On Dec 1, 2014, at 7:52 PM, Stephen Farrell >>>> <stephen.farrell@cs.tcd.ie> wrote: >>>> >>>> >>>> Hiya, >>>> >>>>> On 01/12/14 22:42, Kathleen Moriarty wrote: Hi Stephen, Paul, & >>>>> Michael, >>>>> >>>>> I reviewed the latest version of the HOBA draft and it is much >>>>> improved from earlier versions, thanks for your work on this >>>>> draft. Hopefully it will help mitigate threats to end users >>>>> with reduced use of passwords and associated attacks. >>>>> >>>>> Here are comments for you to consider: >>>> >>>> Cool. Thanks for the reivew. I'm not clear if you regard these as >>>> things that need fixing before IETF LC or as things to handle >>>> during/after IETF LC. I'm guessing the latter but not sure but >>>> it'll be clear as we argue or you start the IETF LC I guess:-) >>> >>> Either is fine. Nothing is too drastic in my review. >> >> It's simple enough to update with a few fixes and publish, so an -06 >> is appreciated prior to triggering last call. It's better to avoid >> the same discussions if possible and save some time. > > Okey dokey. I've put out a -06 with the changes described > below. Thank you. > >> >>>> >>>> (So far, I made one change below in my local copy that'd go into >>>> a -06 whenever needed.) >>>> >>>>> >>>>> Abstract - I'd remove the bit about phishing attacks and just >>>>> state that it prevents password theft since there are no >>>>> passwords to steal, which is covered nicely in the >>>>> introduction. Phishing is a bit more complicated, involves >>>>> several steps that include social engineering to get users to >>>>> click on links, down;pad of malware/trojans, which are >>>>> difficult to defeat and may or may not be targeting >>>>> credentials. Spear phishing attacks that install trojans have >>>>> been around for >>>> >>>> Not all trojan installs are phishing though. >>> No, but they are commonly part of the phishing and spear phishing >>> attacks that has the financial sector worried. I think you should >>> just say what you mean instead if lumping in phishing >>> unnecessarily. > > "lumping in" is purely rhetorical. > >>>> >>>>> several years and are able to steal all types of credentials >>>>> including PKI X.509 stored in PKCS#11 containers (Sykipot, >>>>> Zeus, etc.). >>>>> http://it.slashdot.org/story/12/01/13/2216218/sykipot-trojan-variant-stealing-dod-smartcard-credentials >>>>> >>>>> > http://www.secureworks.com/cyber-threat-intelligence/threats/zeus/ >>>> >>>> Hm. I don't consider theft of a private key via trojan to be a >>>> phish. It is an attack of course, and with similar impact but not >>>> a phish according to my definition. Happy to be corrected but I >>>> believe my definition is ok tbh. >> >> I put together some information to help with an understanding on >> current definitions of phishing that include really any method of >> stealing credentials including crimeware, malware, and trojans. As >> such, my strong preference would be to remove mention of phishing >> and directly state the attack description that HOBA protects a user >> from and include what attacks to which it may be vulnerable. It >> adds unnecessary confusion and is not in line with current > > Fully disagree. I find nothing whatsoever confusing about the > abstract and its mention of phishing. > >> terminology to keep the term phishing. Attacks against HOBA are >> inevitable and will be used in the phishing world (whatever those >> attacks are - XXS, etc.), but in general, HOBA does provide improved >> protection against password theft and reuse. Stating that instead >> would be clearer to the reader and accurate. >> >> Phishing attacks are broad and cover lots of ground. They all start >> with a social engineering aspect, tricking a user to click on a >> link. The link may be a simple attack (not really the case anymore) >> or a complex web site pretending to be your financial institution in >> order to gather your credentials. While HOBA may help in that >> instance, the more common phishing attacks today include >> malware/Trojan (or crimeware that includes malware, trojans, etc., >> per the APWG) installs from the link the user is tricked into >> clicking on. The link could just as easily include a XXS attack. >> Phishing attacks will evolve to encompass attacks against HOBA. Even >> PKI stored via a PKSC#11 interface is vulnerable to phishing attacks >> - just not the same attack that steals your password, a variation >> that uses a trojan. >> >> As promised, I went through several sites to get updated definitions >> to help clear this up: > > Thanks. So let's see, since this is the source of our different > opinions. > >> >> Definitions in RFCs: The definition of phishing from RFC4949 captures > > That one is certainly a bit odd, but isn't of much use. It does > only mention credentials a user can type though. > >> the basic concept of phishing as a social engineering attack, but >> doesn't get into variations that have evolved over time. The first >> paragraph of the introduction in RFC5901 (2010 - but was really from >> 2007) explains the variations better n that malware can be part of >> the phishing attack. > > Right, that says: " The terms "phishing" and "fraud" are used > interchangeably in this document..." which is odd as clearly not > all fraud is phishing. However that also goes on to only talk > about user-entered credentials saying: > > The terms "phishing" and > "fraud" are used interchangeably in this document to characterize > broadly-launched social engineering attacks in which an electronic > identity is misrepresented in an attempt to trick individuals into > revealing their personal credentials (e.g., passwords, account > numbers, personal information, ATM PINs, etc.). A successful > phishing attack on an individual allows the phisher (i.e., the > attacker) to exploit the individual's credentials for financial or > other gain. Phishing attacks have morphed from directed email > messages from alleged financial institutions to more sophisticated > lures that may also include malware. > > So far, only human-entered credentials are mentioned. > >> There's nothing to prevent Cross site scripting >> from being part of a phishing attack either. > > Well, one could extend a definition to include elephants > too but that'd also not be very useful:-) > >> Wikipedia: https://en.wikipedia.org/wiki/Phishing The third sentence >> of wikipedia's definition includes mention of malware as well: >> "Phishing emails may contain links to websites that are infected with >> malware." > > That also says "...directs users to enter details at a fake website > whose look and feel are almost identical to the legitimate one" which > matches my idea of phishing. > >> >> It case it helps to see examples of phishing attacks that are common >> today, here are a few more links: >> >> APWG: The APWG posts a Phishing Attack Trend report regularly so you >> can see the evolution: http://apwg.org/resources/apwg-reports/ They >> include an updated definition in the latest report that basically >> says techniques continue to evolve to steal credentials and include >> malware and other attack vectors. See the description of >> 'crimeware' (used in their definition) on page 9 as it includes >> multiple types. (My opinion - HOBA would only work against phishing >> attacks for a short period of time): > > You are assuming your definition of phishing there, not mine. > It is of course correct to say that implementations of HOBA > can be attacked. That clearly does not mean all attacks are > called phishing though. > >> http://docs.apwg.org/reports/apwg_trends_report_q2_2014.pdf > > And that says: > > "trick recipients into divulging financial data such as > usernames and passwords" > > However, I grant you that it then goes on to say that any malware > is covered too which is pretty meaningless IMO and makes for a > quite odd definition. (However, one might easily expect something > called the APWG to extend that definition more and more over time > of course:-) You might not like it, but this is how the term is used today. I've been on 3 conference committees this year around incident handling. The term is a moving target with the only part that is universal is the social engineering to get a user to click on a link. > >> RSA: Anatomy of an attack (phishing is a typical first step with >> malware installed to gain access) >> https://blogs.rsa.com/anatomy-of-an-attack/ > > That seems to use the term to mean anything delivered via > an email that's crafted to look like something else. Again > a uselessly broad (non-)definition IMO. That's why I didn't think you should use phishing in the draft. ;-) > >>> You may not, but the incident response world does. I can get you >>> some links to show why I think this is a problem. I've been deeply >>> embedded in the incident response world for several years and the >>> folks that work on phishing attacks include the download of >>> malware/Trojans that result when a user clicks on a link in a >>> phishing email as part of a phishing attack. The malware/Trojans >>> frequently steal credentials among other data of interest. The >>> APWG helps with the takedown of malware distribution servers as >>> part of their response to the phishing use case they support (they >>> do a few other attack types now too). >>>>> >>>>> There would just be a short window until HOBA was defeat-able >>>>> in spear phishing related attacks using trojans installed on >>>>> the client. >>>> >>>> Yes, but that would not be a phishing attack. HOBA is, as the >>>> abstract correctly states "not vulnerable to phishing attacks." >>> >>> See above, I disagree as the common usage includes the download of >>> malware as part of a phishing attack. >> >> See above updated definitions from good sources. > > Again, we disagree - I think those are not good definitions > at all. > > However, this is boring and disputing a non-normative word or > two is a really bad use of our time so I've changed the abstract > to say: > > HTTP Origin-Bound Authentication (HOBA) is a digital signature based > design for an HTTP authentication method. The design can also be > used in Javascript-based authentication embedded in HTML. HOBA is an > alternative to HTTP authentication schemes that require passwords and > therefore avoids all problems related to passwords, such as leakage > of server-side password databases. Thanks for that, I do think this is much more clear. > >>>>> By simply stating the password theft, you are covering more >>>>> attack types that steal passwords on the client side than just >>>>> those used as part of phishing attacks and lower the complexity >>>>> from using a full blown PKI. This is what I think you need to >>>>> target HOBA's use toward. >>>>> >>>>> Section 1 Curious as to how it scales since it seems >>>>> private/public keys pairs would have to be stored, but I guess >>>>> that's no different than passwords. Maybe it doesn't matter >>>>> with that assumption. >>>> >>>> Yep. Scaling isn't a differentiator, it's linear in the size of >>>> the user population basically. I've used the same nosql DB as is >>>> used on hoba.ie with millions of entries on a standard server >>>> with no issues at all. >>> >>> Thanks. >>>> >>>>> >>>>> In the third paragraph possible attacks on the server side are >>>>> mentioned when passwords are used, you should also mention >>>>> client side issues like password theft and re-use (on same site >>>>> or others) will be prevented. >>>> >>>> I'm not clear that that's worth adding but don't object. I do >>>> think the password verifier DB theft issue is the main >>>> distinction between HOBA and password based schemes though so >>>> would prefer keep that front and centre. (And as you say later, >>>> that issue is called out eventually.) >>> >>> It was a way to get away from the phishing comment to what it >>> actually helps prevent. >>> >>>> >>>>> You may or may not want to include this, but it does have >>>>> traction/interest in industry to improve password >>>>> authentication: Other mechanisms with Basic could combine with >>>>> other factors to use 'risk-based' authentication systems >>>>> (geo-location, system properties, etc.). HOBA could do this >>>>> too. This may include browser information (make sure it's the >>>>> same one each time or prompt with some other auth if it >>>>> changes), IP layer information to get geo-location (can't >>>>> travel somewhere in less than x hours - doesn't make sense). >>>> >>>> I don't think it'd be a good idea to start to describe other >>>> mechanisms here, nor to try cover multi-factor authentication. >>>> There is a fine RFC to be written on that, but this ain't it:-) >>>> If we tried that, we'd face potentially endless comment from all >>>> sides which I don't think would be worthwhile. And it'd also >>>> cause issues for other WG drafts too maybe if some do, and some >>>> don't try describe multi-factor auth issues. >>> >>> It's used in industry to help prevent attacks that involve >>> credentials, like reuse of credentials stolen in phishing attacks >>> ;-). I'm not sure there is interest to standardize, but wanted to >>> point this out since it's commonly used (pretty ubiquitous in the >>> financial sector). >>>> >>>>> Section 5 If this is describing both HTTP HOBA and HOBA-js, it >>>>> would be good to state that explicitly and differences that >>>>> should be noted. The intro reads as if it is just for HTTP, if >>>>> that's the case, then leave it alone. >>>> >>>> Well, we only use the -http and -js when necessary (i.e. when >>>> there's a difference) and leave it implicit when its obvious or >>>> doesn't matter. Does it matter here? (I've no problem adding that >>>> this covers both if that helps, but I'm not clear it does help.) >>> >>> If you could just state what's intended for section 5 so it's clear >>> to the reader, that will help. Thanks. >> >> This one is left as a request, just calling it out so it doesn't get >> lost. Thanks. >> >>> >>>> >>>>> Section 5.3 Second to last paragraph, first time you use the >>>>> term join (I think), you should provide a reference or explain >>>>> what it means as this will likely be asked in subsequent >>>>> reviews. You describe it in section 6.1, I think it would be >>>>> better to have the explanation in this section. >>>> >>>> Good point. I think the following para of 5.3 addresses the issue >>>> though. Probably good to not say "already joined" as the first >>>> occurrence mind you. >>>> >>>> I guess s/already-joined/another/ would be a good change, as it's >>>> clarified in the next para. (Did that in our author's svn copy.) >>> >>> Thanks. >>>> >>>>> >>>>> Section 6 What do you mean by "All additional services MUST be >>>>> performed in TLS-protected sessions"? If you are referring to >>>>> HOBA and HOBA-js or the authentication process as the >>>>> additional service, it would be better to state that >>>>> explicitly. >>>> >>>> All meaning all:-) We didn't see any point in being selective so >>>> the all-TLS thing seems easier. You need TLS at least to ensure >>>> there's no MITM handing off challenges or new public keys being >>>> submitted etc. So I'm not sure what's not clear tbh. >>> >>> The use of the word additional is what raised the question for me. >>> Can you remove it? >> >> This one too - just trying to not get it lost in a reply to myself >> :-) > > Actually before I did this I decided that that's not the right > change. We only RECOMMEND TLS for the actual authentication > step which is correct as HOBA ought be usable to replace any > old cleartext uses of basic or digest, even if it's ridiculous > that such things still exist. Since the other bits are all new, > it's ok to have a MUST for TLS for section 6 I reckon. So I > got rid of "additional" and replaced it with a ref to section > 5. Thank you. > > Please take a look at the just-posted -06 and then hopefully > press that "request ietf LC" button:-) > Thanks for posting a new version & sure, but it will need a shepherd report first. I clicked through a bunch of the buttons, but the draft shepherd will need to write the report and the chairs can kick it over to me when ready. Thank you, Kathleen > Ta, > S. > > PS: I didn't check these changes with Paul or Mike as they're > basically tweaks so it's slightly possible I might have mucked > up a little but I'm fairly sure they could let us know during > IETF LC and that'd be fine. > > > > >> >>> >>>> >>>>> >>>>> Section 8.2 >>>>> >>>>> Second paragraph: current text: Again it's not clear that we >>>>> are worse in this regard because the same attacker could get at >>>>> browser password files, etc too. One possible mitigation is to >>>>> encrypt the keystore with a password/pin the user supplies. >>>>> This may sound counter intuitive, but the object here is to >>>>> keep passwords off of servers to mitigate the multiplier effect >>>>> of a large scale compromise ala LinkedIn because of shared >>>>> passwords across sites. >>>>> >>>>> Proposed update: Again it's not clear that we are worse in this >>>>> regard because the same attacker could get at browser password >>>>> files, stored PKI credentials (even via PKCS#11 interface), etc >>>>> too. One possible mitigation is to encrypt the keystore with a >>>>> password/pin the user supplies. This may sound counter >>>>> intuitive, but the object here is to keep passwords off of >>>>> servers to mitigate the multiplier effect of a large scale >>>>> compromise ala LinkedIn because of shared passwords across >>>>> sites. This recommendation does not help against possible >>>>> client side attacks, which are inevitable with the use of >>>>> phishing/spear phishing related malware and trojans. >>>>> >>>>> Explanation: All forms of keys stored on a computer have been >>>>> subject to attacks, including attacks that automate this theft >>>>> of passwords and even PKI credentials in malware. The last >>>>> sentence of paragraph 2 could be stronger to reflect this >>>>> inevitability. Storing the credentials in an external secure >>>>> container does help, but those have been successfully attacked >>>>> too. >>>> >>>> I agree with your last but the section here is specific to HTPM5 >>>> localStorage as a private key store so pkcs#11 isn't relevant at >>>> this point. >>> >>> Is just the point that this will be broken, it's pretty much >>> inevitable. >> >> Here and the Abstract are the places that may need some adjustment >> once agreed. >> >>> >>>> And I think we've hit that difference in our definitions of >>>> phishing again too:-) >>> >>> I'll get some links to show the common usage and use case >>> descriptions of phishing and spear phishing attacks tomorrow. >>>> >>>> So I'd suggest no change there. >>>> >>>> >>>>> I'm glad to see the password re-use problem mentioned in the >>>>> last paragraph, so you don't need that in the intro, but I'll >>>>> leave my comment there as it is part of the overview as to why >>>>> it might be a good idea to use HOBA. You may want to emphasize >>>>> the difficulty of PKI and the advantage of preventing server >>>>> side password database attacks since the credentials can be >>>>> stolen on the client side (or will be once deployed). This has >>>>> a niche and we should be clear on that IMO. >>>> >>>> Fair points but I think the audience for this are probably aware >>>> of all that. I don't think we should try sell HOBA in the RFC, >>>> but just define it - the sales pitch that is absolutely required >>>> is for elsewhere/others. But maybe others think differently. >>> >>> I was just trying to get you away from the phishing angle as it >>> won't work for long. >> >> Thanks, Kathleen >> >>> >>> Have a good night. Kathleen >>>> >>>> Cheers, S. >>>> >>>> >>>>> >>>>> >> >> >> -- Best regards, Kathleen
- [http-auth] Review of draft-ietf-httpauth-hoba-05 Kathleen Moriarty
- Re: [http-auth] Review of draft-ietf-httpauth-hob… Stephen Farrell
- Re: [http-auth] Review of draft-ietf-httpauth-hob… Kathleen Moriarty
- Re: [http-auth] Review of draft-ietf-httpauth-hob… Kathleen Moriarty
- Re: [http-auth] Review of draft-ietf-httpauth-hob… Stephen Farrell
- Re: [http-auth] Review of draft-ietf-httpauth-hob… Kathleen Moriarty