[OAUTH-WG] Authorization Code Log File Attack (was DPoP Interim Meeting Minutes)

Pieter Kasselman <pieter.kasselman@microsoft.com> Mon, 29 November 2021 14:29 UTC

To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>, Mike Jones <Michael.Jones@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/92kGQ50G33j52t11QafLXM0yGK4>

All

There was an action item from the meeting on 27 October to document the log file attack and how binding the DPoP key to the authorization code mitigates against it.

Please find attached a short (2-page) write-up of the attack and mitigation.

We also hope to discuss this in the OAUTH Security Workshop session on DPoP (OAuth Security Workshop 2021, https://barcamps.eu/osw2021/).

Please let me or Mike Jones know if you have any questions or concerns.

Cheers

Pieter
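The mitigation this note refers to, binding the DPoP key to the authorization code so that a code that leaks through a log file cannot be redeemed with any other key, is illustrated below as an added example by the editor. It is not code from the attached write-up or from any DPoP implementation. It assumes the parameter name `dpop_jkt` that the later DPoP specification (RFC 9449) adopted for the JWK thumbprint carried in the authorization request, models the DPoP proof at the token endpoint by its decoded public JWK only (signature verification of the real DPoP JWS is assumed to have happened first), and uses constructed, non-curve-point coordinates for the sample keys since no EC arithmetic is performed.

```python
"""Authorization-code / DPoP-key binding check (editor's illustration).

The authorization server records the RFC 7638 thumbprint of the client's
DPoP key (dpop_jkt, name taken from RFC 9449) when it issues the code and
refuses to redeem that code with a DPoP proof for any other key.
"""
import base64
import hashlib
import json
import secrets
from typing import Optional

# Members that enter the RFC 7638 thumbprint, per key type.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members, lexically ordered, no whitespace."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    canonical = json.dumps({m: jwk[m] for m in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


class AuthorizationServer:
    """Minimal model of the authorization and token endpoints."""

    def __init__(self) -> None:
        # code -> {"client_id": ..., "dpop_jkt": ... or None, "used": bool}
        self._codes = {}

    def authorize(self, client_id: str, dpop_jkt: Optional[str] = None) -> str:
        """Issue a code; if the request carried dpop_jkt, store it with the code."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = {"client_id": client_id, "dpop_jkt": dpop_jkt, "used": False}
        return code

    def token(self, code: str, client_id: str, dpop_proof_jwk: dict) -> dict:
        """Redeem a code. dpop_proof_jwk is the (already signature-verified) proof key."""
        record = self._codes.get(code)
        if record is None or record["used"] or record["client_id"] != client_id:
            return {"error": "invalid_grant"}
        presented_jkt = jwk_thumbprint(dpop_proof_jwk)
        # The binding check: a code issued for one DPoP key is not valid for another.
        if record["dpop_jkt"] is not None and presented_jkt != record["dpop_jkt"]:
            return {"error": "invalid_grant"}
        record["used"] = True  # single use, whether or not it was key-bound
        return {"access_token": secrets.token_urlsafe(24), "token_type": "DPoP",
                "cnf": {"jkt": presented_jkt}}


# Constructed sample keys: placeholder coordinates, not real P-256 points.
CLIENT_KEY = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
OTHER_KEY = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x03" * 32), "y": b64url(b"\x04" * 32)}


def run_scenario(bind_code: bool) -> dict:
    """A code that has ended up in a log is redeemed first by a party holding a
    different DPoP key, then by the legitimate client. With binding, the first
    attempt fails and the client still succeeds; without it, the first attempt
    consumes the code and the client is the one rejected."""
    server = AuthorizationServer()
    jkt = jwk_thumbprint(CLIENT_KEY) if bind_code else None
    code = server.authorize("app", dpop_jkt=jkt)
    other_party = server.token(code, "app", OTHER_KEY)
    client = server.token(code, "app", CLIENT_KEY)
    return {"other_party": other_party, "client": client}


if __name__ == "__main__":
    for bound in (True, False):
        print("bound" if bound else "unbound", run_scenario(bound))
```

The scenario function runs the same leaked-code sequence with and without the binding, so the two results can be compared side by side; in a real server the thumbprint comparison sits after DPoP proof signature, `htm`/`htu` and freshness checks, which this model leaves out.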

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Wednesday 27 October 2021 18:43
To: oauth <oauth@ietf.org>
Subject: [EXTERNAL] [OAUTH-WG] DPoP Interim Meeting Minutes

All,

Thanks to Hannes and Dick for taking the following notes during the DPoP Interim meeting today.
https://notes.ietf.org/s/notes-ietf-interim-2021-oauth-14-oauth

Regards,
 Rifaat