IETF Logo Mail Archive

Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

George Fletcher <gffletch@aol.com> Fri, 22 January 2016 17:02 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A8C51B2A23 for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 09:02:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JreOdWwrVTFE for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 09:02:50 -0800 (PST)
Received: from omr-a013e.mx.aol.com (omr-a013e.mx.aol.com [204.29.186.60]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8AF611B2A0F for <oauth@ietf.org>; Fri, 22 Jan 2016 09:02:50 -0800 (PST)
Received: from mtaout-aaj02.mx.aol.com (mtaout-aaj02.mx.aol.com [172.27.3.206]) by omr-a013e.mx.aol.com (Outbound Mail Relay) with ESMTP id B013A380008B; Fri, 22 Jan 2016 12:02:49 -0500 (EST)
Received: from [10.172.102.124] (unknown [10.172.102.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-aaj02.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 4E6AB380000A8; Fri, 22 Jan 2016 12:02:48 -0500 (EST)
To: William Denniss <wdenniss@google.com>, John Bradley <ve7jtb@ve7jtb.com>, David Waite <david@alkaline-solutions.com>
References: <BY2PR03MB442662C73E3904E73D9B9EFF5C30@BY2PR03MB442.namprd03.prod.outlook.com> <2EB9855D-BAB2-4B90-B649-F1B24B8834EC@alkaline-solutions.com> <DC542E43-8D0B-4728-AB46-AC70F190D8AD@ve7jtb.com> <80218A07-9D37-42A3-B90A-56AEDBC3A86C@alkaline-solutions.com> <CAANoGhJT8j0ZO09kBJHpg+QVkFi-RuoA42Rb+zd698aC9AmLUw@mail.gmail.com> <CAAP42hCzVtXiECAZzaU-YEQe01BPbOc6OTL-u=PLQkxdsYeSfQ@mail.gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A260B6.4060302@aol.com>
Date: Fri, 22 Jan 2016 12:02:46 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <CAAP42hCzVtXiECAZzaU-YEQe01BPbOc6OTL-u=PLQkxdsYeSfQ@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------090606080907030607060904"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1453482169; bh=AC4x39l/J4ZZCqiPl93lw217eHL5tMBOAyYSKmREQeY=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=hlINPlFPhC6uyJQbn1T+jN4cs5y5R4HLFu/wWNt81koMyYydkyw9+x5JZ+jqzZgD1 jveC3ZJGcPzOcQVFbkHG5jVaadMuV4o2lfGnp/nhglRUXlAxmC7bjKkPLI2YKk1T2p K1TCY3mxpViAEcZf2NWesarEvWFHXIsuBo8Gr2Qk=
x-aol-sid: 3039ac1b03ce56a260b84119
X-AOL-IP: 10.172.102.124
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/3zXCeNvTmyIOu2XZ7AWNnlBqbx4>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 17:02:53 -0000

"Frankensteinian Amalgamation" -- David Waite

I like it! :)

On 1/22/16 8:11 AM, William Denniss wrote:
> +1 ;)
> On Fri, Jan 22, 2016 at 8:45 PM John Bradley <ve7jtb@ve7jtb.com 
> <mailto:ve7jtb@ve7jtb.com>> wrote:
>
>     Perhaps Frankenstein response is a better name than cut and paste
>     attack.
>
>     John B.
>
>     On Jan 22, 2016 1:22 AM, "David Waite"
>     <david@alkaline-solutions.com
>     <mailto:david@alkaline-solutions.com>> wrote:
>
>>         On Jan 21, 2016, at 2:50 PM, John Bradley <ve7jtb@ve7jtb.com
>>         <mailto:ve7jtb@ve7jtb.com>> wrote:
>>
>>         In that case you probably would put a hash of the state in
>>         the code to manage size.  The alg would be up to the AS, as
>>         long as it used the same hash both places it would work.
>         Yes, true.
>>
>>         Sending the state to the token endpoint is like having nonce
>>         and c_hash in the id_token, it binds the issued code to the
>>         browser instance.
>         I think I understand what you are saying. Someone won’t be
>         able to frankenstein up a state and a token from two different
>         responses from an AS, and have a client successfully fetch an
>         access token based on the amalgamation.
>>         This protects against codes that leak via redirect uri
>>         pattern matching. failures etc.  It prevents an attacker from
>>         being able to replay a code from a different browser.
>         Yes, if a party intercepts the redirect_url, or the AS fails
>         to enforce one time use (which even for a compliant
>         implementation could just mean the attacker was faster than
>         the state propagated within the AS)
>
>         Makes sense. Thanks John.
>
>         -DW
>
>>         If the client implements the other mitigations on the
>>         authorization endpoint, then it wouldn't be leaking the code
>>         via the token endpoint.
>>
>>         The two mitigations are for different attacks, however some
>>         of the attacks combined both vulnerabilities.
>>
>>         Sending the iss and client_id is enough to stop the confused
>>         client attacks, but sending state on its own would not have
>>         stopped all of them.
>>
>>         We discussed having them in separate drafts, and may still do
>>         that.   However for discussion having them in one document is
>>         I think better in the short run.
>>
>>         John B.
>>
>>>         On Jan 21, 2016, at 4:48 PM, David Waite
>>>         <david@alkaline-solutions.com
>>>         <mailto:david@alkaline-solutions.com>> wrote:
>>>
>>>         Question:
>>>
>>>         I understand how “iss" helps mitigate this attack (client
>>>         knows response was from the appropriate issuer and not an
>>>         attack where the request was answered by another issuer).
>>>
>>>         However, how does passing “state” on the authorization_code
>>>         grant token request help once you have the above in place?
>>>         Is this against some alternate flow of this attack I don’t
>>>         see, or is it meant to mitigate some entirely separate attack?
>>>
>>>         If one is attempting to work statelessly (e.g. your “state”
>>>         parameter is actual state and not just a randomly generated
>>>         value), a client would have always needed some way to
>>>         differentiate which issuer the authorization_code grant
>>>         token request would be sent to.
>>>
>>>         However, if an AS was treating “code” as a token (for
>>>         instance, encoding: client, user, consent time and approved
>>>         scopes), the AS now has to include the client’s state as
>>>         well. This would effectively double (likely more with
>>>         encoding) the state sent in the authorization response back
>>>         to the client redirect URL, adding more pressure against
>>>         maximum URL sizes.
>>>
>>>         -DW
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Chief Architect
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography

v2.30.2 | Report a Bug | By Email | System Status