[OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Tue, 26 November 2019 13:24 UTC

Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7A212012A for <oauth@ietfa.amsl.com>; Tue, 26 Nov 2019 05:24:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hackmanit-de.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vODurwM4SB0v for <oauth@ietfa.amsl.com>; Tue, 26 Nov 2019 05:24:17 -0800 (PST)
Received: from mail-wr1-x42c.google.com (mail-wr1-x42c.google.com [IPv6:2a00:1450:4864:20::42c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A8D3C120115 for <oauth@ietf.org>; Tue, 26 Nov 2019 05:24:17 -0800 (PST)
Received: by mail-wr1-x42c.google.com with SMTP id g7so1752376wrw.4 for <oauth@ietf.org>; Tue, 26 Nov 2019 05:24:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit-de.20150623.gappssmtp.com; s=20150623; h=from:to:cc:subject:autocrypt:message-id:date:user-agent :mime-version:content-transfer-encoding:content-language; bh=BrcjHOJysEjwQoBSbApTovZsOUTyxIH8+5cdXD7o3BM=; b=cxmESn65w/pMczj90iwvVfU1npoMCvf1Lag+F9PdpxSNj7sRAC8KqU9l629d+xMf05 c9hdrh5G01+Wteugo9GotMv2pI3bfqZyuLOQoxEVogV+DLdzjDPLRzKDF/jaI4OS85Bg vqg3Iqif41K5gp9HNmftxeMvblZgPgKaIJvmu2buTWZNWfrNyb3Rafq9B6o+MsLkD3+y wgP7xGmd2HikmyhLdKXD/PFOFzhmX2IiONb7L5k3MYgjytHOc37umgskjbKSROcYibpI Ce+adCka6o+Jt56rCZFhMt6Ise+ehBz/Z9GTGfqGya2RYYyA5ipH20CWpYb4cCyzMtxe QHOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:autocrypt:message-id:date :user-agent:mime-version:content-transfer-encoding:content-language; bh=BrcjHOJysEjwQoBSbApTovZsOUTyxIH8+5cdXD7o3BM=; b=LbaHvfQ2kEBVeu+FRAKb/2BL+RRi9jjSWr6bSGaT9K2gBnpkQyi7fzq23nQoiG/EXC STbIPR3glICBWHJkr/xNAsjMOZ7S3v2LbH5y2+f/VE3cGCZBqBGhd/j9xQrT8K/l9n4P R5s0yeElYMrq1Ae6PJethbYjOsXTr7+q6xu1OIuMDN9brTFoH2SCfnPGulhiIn/FMJqE zL/0xxkURTtoawFdwbX3VWoxnM5eyhUimTWDyuyJLgVzXN5TFIV+jQnEvQPQQ0lRgO1E 5HyiBGBgJ5zZ3/YRoreQOB9akRjxVEGY+6zekCUI3d1COeHgOc5s1GVNvbWxb30yWT7/ aJQg==
X-Gm-Message-State: APjAAAWcVn9gEr89v4wTaRkw9GrLkYwvl7YbkopgUYwaoUi2lJ2mVyKw zCPWxmp9jjF234QmXFUwQky62hNox2I=
X-Google-Smtp-Source: APXvYqzb+siHybGcmAMieLjrCzCkC+oIcZdKuJ29SQQgsXLjjDiwJCZnWDFWnrNNrOTb7bMBsOVROQ==
X-Received: by 2002:adf:c00a:: with SMTP id z10mr36988294wre.81.1574774655841; Tue, 26 Nov 2019 05:24:15 -0800 (PST)
Received: from [192.168.0.253] (daedalus.nds.ruhr-uni-bochum.de. [134.147.40.33]) by smtp.gmail.com with ESMTPSA id z6sm1403961wrw.36.2019.11.26.05.24.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 26 Nov 2019 05:24:14 -0800 (PST)
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
X-Google-Original-From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen+ietf@hackmanit.de>
To: oauth@ietf.org
Cc: Vladislav Mladenov <vladislav.mladenov@hackmanit.de>
Autocrypt: addr=karsten.meyerzuselhausen+ietf@hackmanit.de; keydata= mQINBFh1IBMBEADV73c10lB7zeFy6/ezLFzOBp8z6Zy1zUyIrf6RoBk1GQWREcGEGeaL90Pj F5plZeASVJdsEYnYXdgcIPE0tlBq6al6OYoWtH/VbFPWEPLVhA3rL1iXVJveD3J40OzSYP8N G7bla3zQ2+TXOB3iDPPsHZUdHCLASkIIWQK6+fE1C2epAdPtnsLsb++1d080jfXXwgyUUh4y bimcy9Jg5oZ4QMwnSq3Y+x38PNb+nTgjDi1X/89/WsNd7Bdh4Zvw3CAuc/W58CFaDjb7liUD YRoAp6ysnjPKEUSnAnMpgaiXJc1gFoL+ahdKJ3D9XTn28NTjUrvOkVidsuKbyxnXP9I6BO6i 2jzjrH6TEAfIYMjZlYTyPZTt271SW5iAHYwvPZWlqQTBT2P/d4gHl0To5b4e+UXxjQgxqUyi QIcxh3Ris21Kx4lKQKDXYWiwNTZzx8AdqrcxCWfK+MRpFyk0B+4uDMm7Apm5ZWwDKN/JnVsJ yokkkrrHs/elRCUGtN9NyhJQf3VnE87862Pej8PVvQJr3uVnoNX2yieTvJZftIOBG1b9ta6Z BcYyn3un1rSn7lBPg+RSnPemposVorQpjGwT+Dhg13Bpv5q0JfSc//js/nB6A4iq5YssdtQ7 35QBWLLaF1oCxalvrQVDD4Sh06eAUQsga9xeE0yv7sxqdsozdwARAQABtEJLYXJzdGVuIE1l eWVyIHp1IFNlbGhhdXNlbiA8a2Fyc3Rlbi5tZXllcnp1c2VsaGF1c2VuQGhhY2ttYW5pdC5k ZT6JAj8EEwEIACkFAlh1IBMCGyMFCQlmAYAHCwkIBwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAK CRBFNcDn2xbxSK7sEAC5hk0VQHo2+fMV3b4TgSt4qSPLz6EnWwoqcEzUGYHErQXy7tCENpqS rsZsFphpgvWo1tcQdpyQTFm0dry4ASJD78lEiYC/8Hedp0fIaJTGwxrSLpRxV/Wb+iqkbgz8 /Qydl3QyupSqznSHQMd0uhvzHLxoYvHAIKy52gCK0T9gmxcCIh7UEjDfm+kqHp+oU4sbNe+2 ZEtJLuCKW+amNyqnHXr7ehAIaYmTdKOEcUb2UM7Yzp9g4kSkg1GbPlAn6yjyAqJ96sobKFXX S3rkXksRTxkGKW278Nrs4UBO+OIu32kIXCM2m3fKaUK777jAQu1e8sdj2nL0sPWQvMikZRx6 0dy+wVuH8gGHZsd7rW201Sv5pAhSAK4l58GS3xSLId6smXCend9Vu+tcYA+Bb+45943LmoPA PrdIUeI+zC9pjGwm+x+jFiCxbChqAiJF7RyYv9crziEYnTQ70gHGNOTOTIS5t0ufc9D4wD4O IkkrPQYg3KcAqP2Kyj1uHcqdk7XEhV1fdTXdeEt1e7auWPh0d3Fo+BTtiGXfNMuORArE0El6 ky8eUOqZEJ8rYpEGDLt0JFkJM5AhX4PrQWekjaMhQ5yl/+M+Ss0V0JkImagSgWdvUn1+eAs0 zEuVxTc6ON69mIyMalQ5d4ofvPnKr3GNVmEiXAVDMGUZHoeabfgSBbkCDQRYdSATARAAsp2V mr3N7iNND8+M/OyA/OwcDQ6utZh+m4TnKsOVdiNLGpu2U3/2Qg3yrbjic2dWx1CsS6VH2/oO 1e/a4FlxA93wFv/OZjiUjHtEvdIJeHWlCvWOUlMsqyGDc3Q75fNjFw6DGKkiOu9lZaBs6naS BmkvAMGjV5bNKLyIL5j7Im1pCdZ2lCjD7eVwR3RQQKobTmu916htX8g1cB9yFmquu37X+ZBl A4GLJi63Kw0L2r8i8iO1NqDLOfT8IeNkOroEm3SDAuEApGAubKLSPBJ1khQ7kDhpdfzSYKUF tiIHpGWVOImDjqf4JIcF7OIdRPQfFPlwoPnsyBAS8znQJvmqbbMowgFZe3UMLAN78CETZHGM OLBPB873oWyZ07Ar4v/SL5/aD+FRj2VnYEcGwt0HMmMyaN6ed8Udj4OTNZ7ceZA1Tw8/lZuI KCamj0XfJIK6376RCGnqjsEfS65P1KWZXfWphCKWp2c7uWKtau1q8pgiVRoBSAmjvfXRrIvK LhhQyNOiCUDKrvEWpoeq9y5GTrY27ncLov8nSR/SUPOw5HwJmzdFjhOF9XAOtiND/QRH886O IohdlnUu668mwLCmL2ROe7XWcTkFQWLDg+5b0bC9dgfL+HHpWGUdQPG3CCyPG5LfDmnmuXkE eU1kSD27kFe1kM6pfqpCydJW66DuwoMAEQEAAYkCJQQYAQgADwUCWHUgEwIbDAUJCWYBgAAK CRBFNcDn2xbxSAAbEACeIsfrsq2tlyigZv+bwkiVP1oKtWfXN1e3K3lDOBqPJaPXWFOopq/1 9osk58PFtVEaDlYPlN/NP6Jq5nTTC8QyLG3swAdo4ZJXWEg1NTRu8ddYUvZWuRHWRghaq7qh eW5lVPqilCndSG7bkDPU/Vyd93nPKnKTKKs/Nd7ePneWA0JQohEg5gO/GU0v5SN3YfTxG1LV Cxu3HHHFodDLK4KITSYmt1+g0WCADeclwm5+L5lIvgKQvcIpjpMGNK1wj2E3exsLlgo/ZEyS AslOPXyQw2yfYLrcfGpvWa3e+AvU7eLVBgihskpibJg53yw31B0CXAJBbjg7AsxR8UE5pl6h 2gTjN2t++GvqefGtw/bPvx2RzFsorh1/RYaFgcaFyefghmpi55iiIhgEOiSIct0LoYl3cmH8 DGYKhSskpSDgfE41Esk/P2odeax9SmJuv4mnqkiGFPpTwCfUka2k0mCpBDpfTdECWUFhreGS qFbrvJDZRBiyaVyCjOvOc0v6Z0/iIRgHWTjITpqaQh69kqAtt9GQWV6i3THnpHFlIC2ecvdc YCagneZdoLEHCS8Nois/uDbp5qZwZcF5zKMI+T7u6Qf8EGdvxCB1fp0Sdlmeto0c6/gnFUix 4J/tozBwSXSg7JCxTrUdnJtcQAJzosOUZTVO/ZZR/n0+904kud6o3w==
Message-ID: <35143dd1-edeb-e0fd-6f36-a39d9b7f7008@hackmanit.de>
Date: Tue, 26 Nov 2019 14:24:14 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/A7F5xSEa8DdfxHKWHW3Mqol_a4A>
X-Mailman-Approved-At: Tue, 26 Nov 2019 05:37:39 -0800
Subject: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Nov 2019 13:33:04 -0000

Hi,

we identified a possible issue regarding the Mix-Up attack
countermeasures described in the Security Best Current Practices.

Section 4.4.2 of the latest version of the BCP lists "AS-specific
redirect URIs" as a countermeasure for Mix-Up attacks.

This countermeasure can be bypassed if Dynamic Client Registration is
used by the client.
The bypass works as follows:

The client will use a unique redirect URI in the Client Registration
Request when it registers at the authorization server operated by the
attacker (A-AS).
However, the A-AS can replace this redirect URI with the same redirect
URI the client uses for the "honest" authorization server (H-AS).
According to RFC7591, the AS is explicitly allowed to replace the
client's requested metadata values and must return all registered
metadata to the client in the Client Information Response. The same
applies to the Client Information Response defined in RFC7592.

For example the client sends the following request:

POST /register HTTP/1.1
{
"redirect_uris": [
"https://client.example.org/attacker-as"],
...
}

The A-AS responds as follows:

HTTP/1.1 201 Created
{
"client_id": "s6BhdRkqt3",
"redirect_uris": [
"https://client.example.org/honest-as"],    <-- redirect URI for H-AS
returned by A-AS
...
}

Neither RFC7591/RFC7592 nor the BCP state that the client should
validate the metadata contained in the Client Information Response in
any way.

Depending on its implementation the client might simply extract all data
contained in the Client Information Response and use it for
authorizations with the specific AS.
We were able to confirm that one popular open-source library behaves in
this exact way. It stores the redirect URI contained in the Client
Information Response and uses it for Authorization Requests with the
A-AS although it differs from the redirect URI in the Client
Registration Request.

In our opinion this makes the countermeasure "AS-specific redirect URIs"
obsolete and we believe the other countermeasure described in the BCP
(adding an AS identifier and the client_id of the intended recipient to
AS's responses) should be used to prevent Mix-Up attacks. If the
involved entities use the OIDC hybrid flow this countermeasure is
automatically applied.

Do we miss anything? Or what is your opinion about this?

Best regards,
Karsten Meyer zu Selhausen

-- 
Phone:	(+49)(0)234 / 45930961
Fax:	(+49)(0)234 / 45930960
Mail:	karsten.meyerzuselhausen@hackmanit.de
PGP:    0EDA AAC6 01DE 3D7F 2123 70F8 4535 C0E7 DB16 F148
Web:	www.hackmanit.de

Hackmanit GmbH
Universitätsstraße 150 (ID 2/411)
44801 Bochum, Germany

Vertreten durch: Prof. Dr. Jörg Schwenk, Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
Registergericht: Bochum