Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-security-topics-13
Benjamin Kaduk <kaduk@mit.edu> Tue, 26 November 2019 18:31 UTC
Return-Path: <kaduk@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 76E27120A96 for <oauth@ietfa.amsl.com>; Tue, 26 Nov 2019 10:31:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5W4fska9nDVS for <oauth@ietfa.amsl.com>; Tue, 26 Nov 2019 10:31:23 -0800 (PST)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B6604120AA1 for <oauth@ietf.org>; Tue, 26 Nov 2019 10:31:15 -0800 (PST)
Received: from mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id xAQIV94m032466 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 26 Nov 2019 13:31:13 -0500
Date: Tue, 26 Nov 2019 10:31:09 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Pedram Hosseyni <pedram.hosseyni@sec.uni-stuttgart.de>
Cc: oauth@ietf.org
Message-ID: <20191126183109.GZ32847@mit.edu>
References: <fc5c22c1-7459-0337-4a27-5f666bd271ad@sec.uni-stuttgart.de> <20191126155116.GW32847@mit.edu> <2ad7e9d7-ac6f-aef2-afa8-36ce4b30fac2@sec.uni-stuttgart.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <2ad7e9d7-ac6f-aef2-afa8-36ce4b30fac2@sec.uni-stuttgart.de>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3ZvOa45bo8j3fc5dyd1HFS5hGmY>
Subject: Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-security-topics-13
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 18:31:26 -0000
Hi Pedram, Thanks for confirming that the scenario is as I was trying to understand it. I don't think it's universal that all clients will give transitive access from the user to the accessed resource, though it's certainly common; the lack of exposition on that point is what I had been stumbling on. -Ben On Tue, Nov 26, 2019 at 06:33:04PM +0100, Pedram Hosseyni wrote: > Hi Ben, > > The attacker uses the (honest) client shown in Figure 4 as a regular > user. For example, the client might provide access to a cloud storage > via its website, i.e., by using the clients' website, a user can access > her files stored at the resource server. > > I'll try to clarify the attack with a simplified example. > > Let's assume that the client supports two authorization servers > AS_honest and AS_attacker. Intuitively, if the attacker phishes an > access token created by AS_honest for an honest user (Alice), one would > expect that sender-constraining the access token (e.g., via mTLS) > prevents the attacker from using this access token. > > The overall goal of the attacker is to use the sender-constrained access > token (which he cannot use directly at the resource server) to access > Alices cloud storage. > > The attack works as follows: > > First, the attacker visits the website of the client. Usually, the > attacker would now choose an AS, and after successful authentication, > access his files stored in the cloud. When selecting the AS, the > attacker chooses AS_attacker. In Step 5 of Figure 4, AS_attacker now > provides the phished access token. As this token is bound to this > client, the client can use it at the resource server for getting access > to the cloud storage of Alice. As the attacker is using the client > (through the clients' website), he now gets access to these files > (stored at the RS). > > Please let me know if you have any other questions. > > Best regards, > Pedram > > > On 26.11.19 16:51, Benjamin Kaduk wrote: > > Hi Pedram, > > > > On Thu, Nov 21, 2019 at 02:50:52PM +0100, Pedram Hosseyni wrote: > >> Also, for this or the next version of this document, the Cuckoo's Token > >> attack (see Section IV-A of http://arxiv.org/abs/1901.11520/ ), should > >> be addressed. We also discussed this issue extensively at the last OSW > >> in Stuttgart. > > I took a look at the paper, and I'm not sure I'm properly understanding the > > "Cuckoo's Token" attack. Looking at Figure 4 of the paper to have > > something concrete to refer to, I assume that the client, as a white box, > > is presumed to be honest. Since the access token is bound to the client, I > > assume that the attacker has to return the phished access token to the same > > client that originally (honestly) got it, as otherwise the token will not > > be usable at the RS. The paper concludes that in step 6, the client gets > > access to the honest resource owner's resources, and furthermore that the > > attacker has access to those resources through the client. It's that last > > part that I'm not sure I understand -- if the client is honest, why would > > it return resource information to the attacker? The best I can come up > > with is that there's some sense of a "session" between the user and client, > > such that the client links its resource accesses with the "session" on > > behalf of which the access occurs, and is willing to return such > > information back to the user only on the "linked session". (The > > countermeasure makes sense and is a good practice, of course.) > > > > Thanks, > > > > Ben > > -- > Pedram Hosseyni, M.Sc. > Room V38 2.438 > Institute of Information Security - SEC > Universität Stuttgart > Universitätsstraße 38 > D-70569 Stuttgart > Germany > Phone: +49 711 685 88454 > https://sec.uni-stuttgart.de >
- [OAUTH-WG] WGLC review of draft-ietf-oauth-securi… Pedram Hosseyni
- Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-se… Benjamin Kaduk
- Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-se… Pedram Hosseyni
- Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-se… Benjamin Kaduk
- Re: [OAUTH-WG] [EXT] Re: WGLC review of draft-iet… Peck, Michael A
- Re: [OAUTH-WG] [EXT] Re: WGLC review of draft-iet… Pedram Hosseyni
- Re: [OAUTH-WG] [EXT] Re: WGLC review of draft-iet… Torsten Lodderstedt