[OAUTH-WG] Motivation for plain transform method in PKCE, and encrypted code_challenge in code

Adam Lewis <adam.lewis@motorolasolutions.com> Wed, 24 June 2015 15:20 UTC

From: Adam Lewis <adam.lewis@motorolasolutions.com>
Date: Wed, 24 Jun 2015 10:19:50 -0500
Message-ID: <CAOahYUzo_6EWqhDKnKJsY0p+V1M56ufysEVTDy1dvT0P66EzAQ@mail.gmail.com>
To: oauth@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/1Z1Vr9t-_jyWr5nGn_OIEf2oJeE>

Hi,

I'm probably missing something here, but what is the use case for allowing
the plain transform method in PKCE?  It seems to me the entire point of
sending the hash of the code_verifier (code_challenge) rather than the
code_verifier itself is to avoid leaking the code_verifier through
the browser during the authorization request.  It seems using the plain
type would enable an attacker to intercept the code verifier and use it to
exchange the code for the AT.  If a client is really unable to compute an
S256 hash, wouldn't it just fall back to vanilla OAuth?

Also, under security considerations, it mentions that if the code challenge
is returned as part of the code, it needs to be encrypted. Not sure why
since it was sent unencrypted, where the attacker would have already had
the opportunity to intercept/obtain it. Plus 7.3 reinforces the point that
the code verifier has sufficient entropy to prevent brute force attacks.  I
suppose the motivation then for encrypting the code_challenge is to address
the scenario whereby 1) the plain transform method is used, and 2) a
malicious app fails to intercept the code_challenge, but then 3) gets the
code?

Just looking for some background understanding of what went into these
designs.


tx!
adam
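The distinction the question turns on, as an added example that is not part of the original post or of RFC 7636's own text: a client derives the code_challenge with either transform, the authorization server recomputes it from the presented code_verifier, and a final check asks whether a party that saw only the authorization request (the code_challenge) can produce something the token endpoint accepts. The function names and the verifier format check are this example's own; the S256 derivation and the 43-128 character verifier rule follow the RFC.

```python
import base64
import hashlib
import re
import secrets

# Constructed example of PKCE (RFC 7636) with both transform methods.
# Not code from the mailing-list thread or from the RFC itself.

_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")  # section 4.1 alphabet and length


def b64url(data: bytes) -> str:
    """BASE64URL encoding without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    """Client side: 32 random octets -> 43-character high-entropy code_verifier."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str, method: str) -> str:
    """Client side: the code_challenge carried in the authorization request."""
    if method == "plain":
        return verifier                       # challenge IS the verifier
    if method == "S256":
        return b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    raise ValueError("unknown code_challenge_method")


def server_verify(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Authorization server side (section 4.6): transform the presented
    code_verifier with the method bound to the code and compare."""
    if not _VERIFIER_RE.match(presented_verifier):
        return False
    recomputed = code_challenge(presented_verifier, method)
    return secrets.compare_digest(recomputed, stored_challenge)


def challenge_alone_suffices(method: str) -> bool:
    """Does knowing only the code_challenge (what passed through the browser
    in the authorization request) let a party pass token-endpoint verification?
    Expected: True for 'plain', False for 'S256'."""
    verifier = make_code_verifier()
    observed = code_challenge(verifier, method)   # the value visible in the request
    # Present the observed value itself as the code_verifier.
    return server_verify(observed, method, observed)
```

The S256 path reproduces the RFC 7636 Appendix B vector: verifier `dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` yields challenge `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`.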