IETF Logo Mail Archive

Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS attacks

Oleg Gryb <oleg_gryb@yahoo.com> Fri, 19 November 2010 18:24 UTC

Return-Path: <oleg_gryb@yahoo.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 1601328C0F8 for <oauth@core3.amsl.com>; Fri, 19 Nov 2010 10:24:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_42=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EbgFKLka8S3Q for <oauth@core3.amsl.com>; Fri, 19 Nov 2010 10:24:00 -0800 (PST)
Received: from web37602.mail.mud.yahoo.com (web37602.mail.mud.yahoo.com [209.191.87.85]) by core3.amsl.com (Postfix) with SMTP id 263043A6863 for <oauth@ietf.org>; Fri, 19 Nov 2010 10:24:00 -0800 (PST)
Received: (qmail 7231 invoked by uid 60001); 19 Nov 2010 18:24:47 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1290191087; bh=bkUy9mPWmWivqfOQr4kn/VdK2YMuoz4LroDv+YnIxLU=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=Y28SQLjHuo+fscr6v45LDclUVrFbl+yq+dw8fSN4qs0dDx+DdqdV6wbvzwI/qJfSOf2gbmxLni0dvef5VutoctKDKwU4FlO+MAHZ6c7qPsWOn3kPwIqwEVXoTyGC4epBCQhe9nKTHTdCW4fUtvcraPC+RGtLJ4Ew7498x2cgC6k=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=oWilZ6CR8X6XquEP1qCOlnZB+TAohlgR2YDmnGDd8LrTlIO4lsCEM5/GD60SqNo6Osq+5XlDnKQZCfgk8NDh03SW3+iAQ3GUMhl1lWlBzk6uzVyEdWR2bnuhTqVQLcduo09kKkyF1i+grfUcVTWriHGoiHPk5jpSXdRBTUdZM5A=;
Message-ID: <431046.7158.qm@web37602.mail.mud.yahoo.com>
X-YMail-OSG: Vum33YwVM1nDTzu2B6TaW5zHz9lDmUf6ziPPblJi_C6qwjw GYbrAtFN9qPTvpewJAICVW5uEJzBoTgr_UEPFXq2eLzd2NxpBZD.3.CsFix0 SZmI1FiJ7jOxnLy47SXlVUe3.EmxL4jE4y5w8W_ROthvfH1YWxWjG._R4Zuz LxuVOPuggat4JBLIg1ocC_FCyvXKsl1WYxgu36EEOEpOLm_N9KlkHZt63PuE Knuk3TsFIYenxQ4wfh.kCEYZgpbfex3zl.oBbwo4Vf5xanKSbTlECv_TPGYV kpiler_jKV3AGpFzFDFSESu6ZEh.ryrKhCns6f892gdoB6t0IwsKsJ4o7har R9NJ5pOp.jC1CG9Bzl7_3XXtkRMOqrr956uzjVpPNepjckQY-
Received: from [208.240.243.170] by web37602.mail.mud.yahoo.com via HTTP; Fri, 19 Nov 2010 10:24:47 PST
X-Mailer: YahooMailRC/553 YahooMailWebService/0.8.107.285259
References: <45454.222.166.181.213.1290169657.squirrel@xenon.stanford.edu>
Date: Fri, 19 Nov 2010 10:24:47 -0800
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: pflam@cs.stanford.edu
In-Reply-To: <45454.222.166.181.213.1290169657.squirrel@xenon.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Dawn Song <dawnsong@cs.berkeley.edu>, John Mitchell <mitchell@cs.stanford.edu>, pflam@cs.stanford.edu, Devdatta Akhawe <devdatta@eecs.berkeley.edu>, oauth@ietf.org, Adam Barth <abarth@gmail.com>
Subject: Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS attacks
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Oleg Gryb <oleg@gryb.info>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Nov 2010 18:24:03 -0000

I agree that there should be mitigation controls in place on web server clients: 
it would alleviate  Authz Server task of blocking fraudulent traffic and make 
the whole solution more scalable. Using signatures looks like a good idea, but 
key distribution needs to be automated in this case.

Here is a link to the protocol that I've mentioned before: 
https://github.com/mrtopf/UMA-Specifications/blob/master/draft-oauth-client-registration.txt

It looks like the ownership has moved from UMA to IETF. The main purpose is to 
dynamically register Authz Server clients (both resource servers and "enhanced" 
OAuth clients).

I'm not sure if "enhanced" clients include web server clients that we've 
discussed here. It would be great if somebody can clarify. It would be great 
also if somebody can comment on key distribution and key rotation: will it be 
covered by the protocol?

Is the secret that initially given to an enhanced OAuth client a key? What kind 
of key? I didn't see too many details in the current draft. Probably it was made 
this way on purpose to keep all options open.




----- Original Message ----
> From: "pflam@cs.stanford.edu" <pflam@cs.stanford.edu>
> To: Oleg Gryb <oleg@gryb.info>
> Cc: Dawn Song <dawnsong@cs.berkeley.edu>; John Mitchell 
><mitchell@cs.stanford.edu>; pflam@cs.stanford.edu; Devdatta Akhawe 
><devdatta@eecs.berkeley.edu>; oauth@ietf.org; Adam Barth <abarth@gmail.com>
> Sent: Fri, November 19, 2010 4:27:37 AM
> Subject: Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS 
>attacks
> 
> Thanks, Oleg, for the note.
> 
> I agree that key distribution has been a  difficult problem. Since the
> OAuth draft 10 section 2.1 provides a mechanism  for the client to
> authenticate to the Authz Server using some shared  symmetric secret, I
> think the MAC scheme can be built on the presumably  available shared
> secret. It appears that the DDoS vulnerability stated below  could be
> addressed if we require the authorization code to be accompanied by  a MAC
> (using a key derived from some secret shared between the Authz Server  and
> the client), and the client validates the MAC and the freshness of  the
> authorization code before sending it to the Authz Server.
> 
> > I  think there is some kind of automatic client registration protocol
> > under  way. It will handle new clients registration and initial key
> >  distribution, but AFAIK it's not governed by IETF's OAuth group.
> 
> Do you  have a link to the current draft of the registration protocol? I
> would be  very interested to read it as this is a non-trivial problem.
> 
> As an aside,  I have received some very good critique in private from a few
> other people. I  will summarize the discussion in a separate  posting,
> later.
> 
> Best,
> 
> Eric
> 
> 
> 
> On Thu, Nov 18, 2010  at 1:32 AM, Oleg Gryb <oleg_gryb@yahoo.com> wrote:
> 
> The  concern is valid, but proposed solution would be hard to implement:
> everybody  who has implemented at least one crypto system where symmetric
> keys
> need  to be distributed between external parties would tell you that,  let
> alone
> OAuth use cases where you can have many web server clients  dynamically
> added to
> existing service providers. If you add a requirement  of periodic key 
> rotation
> that is very common nowadays then implementation  will become even more
> difficult.
> 
> 
> PKI would be a better approach in  my view: Authz Server would need to sign
> using
> a a private key and web  client will use a public key to verify the signature,
> but again in case of  key rotation, an automatic key exchange mechanism would
> need to be  involved.
> 
> I think there is some kind of automatic client registration  protocol under
> way.
> It will handle new clients registration and initial  key distribution, but
> AFAIK
> it's not governed by IETF's OAuth  group.
> 
> 
> 
> ----- Original Message ----
> > From: "pflam@cs.stanford.edu" <pflam@cs.stanford.edu>
> > To: oauth@ietf.org
> > Cc: Dawn Song <dawnsong@cs.berkeley.edu>; John  Mitchell
> ><mitchell@cs.stanford.edu>; Peifung  Eric Lam <pflam@cs.stanford.edu>;
> Devdatta
> >Akhawe  <devdatta@eecs.berkeley.edu>;  Adam Barth <abarth@gmail.com>
> > Sent: Fri,  November 12, 2010 5:47:35 PM
> > Subject: Re: [OAUTH-WG] vulnerability in  OAuth 2.0/ 1.0/ WRAP leading to
> DDOS
> >attacks
> > Hi,
> > We  are a group of university researchers and have been applying a
> formal
> >  approach to analyze web security protocols. Devdatta gave a talk at   IIW
> at
> > Mountain View last week about our work, and a summary of  our  earlier
> results can be found  at
> >  http://theory.stanford.edu/~jcm/papers/browsermodel-csf-2010.pdf   .
> While analyzing OAuth specifications (2.0/1.0/WRAP), we found that   a
> vulnerability exists that can be exploited to carry out DDOS
> >  attacks.  Under the current specifications, such attacks are  difficult
> to
> > differentiate  from legitimate and non-malicious  connections, so
> rate-limiting based on user  identities or machine  fingerprinting are
> likely to be ineffective. A  tentative solution is  proposed at the end
> of
> > this email. Any feedback is   welcome!
> > Best,
> > Peifung Eric Lam
> > =====
> > In the  OAuth  2.0 and the OAuth WRAP specifications, we found that  in
> the
> > Web Server/Web  App profile, an attacker can send an HTTP  request to the
> redirect URI of a  client web application (with an  arbitrary
> authorization
> > code), causing the  client to issue an  HTTPS request to the OAuth
> Authorization Server. The  revelant sections  in OAuth 2.0 Draft 10 are
> 1.4.1(C), and sections 3 and 4. A  slightly  modified attack can be
> mounted
> > against OAuth 1.0 as specified in  RFC  5849.
> > From our initial analysis, this feature of OAuth can be  exploited  by
> attackers to launder requests through trusted OAuth  clients and launch
> a
> > DDOS attack on the Authorization Server. Under  the current
> specifications
> > such attacks are difficult to  differentiate from legitimate  and
> non-malicious connections, so  rate-limiting based on user identities  or
> machine fingerprinting are  likely to be ineffective.
> > Specifically,  an attacker can bombard  the redirect URIs of the web
> application clients,  causing a flood of  HTTPS connections to the OAuth
> Authz Server. This can lead  to depletion  of resources on the Authz
> Server
> > and prevent HTTPS connections   carrying legitimate payload from reaching
> the Authz Server. During such  an  attack, all that the Authz Server
> learns
> > (based on the  1.0,  2.0, and  WRAP specs), is that a) each request comes
> from a  registered web site which  may have legitimate business  making
> such
> > a request, and b) the tokens  conveyed in each  request. However, as the
> attacker can issue authorization  codes that  are just (pseudo-) random
> bit
> > strings not tied to any end-user   identity, the Authz Server has learned
> little information regarding the   attacker or its machines causing such
> frivolous connections.
> > A  large  number of web application clients integrated with the  Authz
> Server
> > can help  the attacker obfuscate its sources of  attack and make
> information
> > collection  for DDOS defense more  difficult. From statistics released by
> popular websites  (such as  Facebook), we expect the number of clients
> can
> > be as high as a   million.
> > It seems that if we require the authorization code to be  signed  by the
> Authz Server (or HMAC'ed using a shared key between the  Authz Server
> and
> > the Client), and the client verifies the signature  or HMAC code  first
> before connecting to the Authz Server, then the  above DDOS attack can
> be
> > largely foiled.
> > Please let us know  if you would like to discuss  this issue further so
> that
> > we can  devise a clean solution to this  problem.
> > Eran Hammer-Lahav <eran@hueniverse.com>   wrote:
> > >
> > > The right place to bring this up for discussion  is the  IETF OAuth
> > mailing list: oauth@ietf.org.
> > >
> > >   Thanks!
> > >
> > >  EHL
> >  _______________________________________________
> > OAuth mailing   list
> > OAuth@ietf.org
> > https://www.ietf.org/mailman/listinfo/oauth
> 
> 
> 
> 
> 
> 
> _______________________________________________
> OAuth  mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email