IETF Logo Mail Archive

Re: [OAUTH-WG] WGLC for DPoP Document

Denis <denis.ietf@free.fr> Tue, 29 March 2022 15:39 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89A9B3A1A4B for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:39:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level:
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnPTLyMc2RQs for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:39:43 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76DF3A1A48 for <oauth@ietf.org>; Tue, 29 Mar 2022 08:39:42 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id ZDwUnwQVqhTNkZDwUnEMIm; Tue, 29 Mar 2022 17:39:38 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Tue, 29 Mar 2022 17:39:38 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------la1l0eT0f9VimvC2nWmfAbt3"
Message-ID: <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr>
Date: Tue, 29 Mar 2022 17:39:34 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CMjx4_mGNwAGWXrBEcTjz9_zNXQ>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 15:39:48 -0000

Hi  Justin,

In this scenario, the “legitimate” client _never_ gives away its secrets 
(if it is using a secure platform, it can't). It never give away its 
credentials either.

When using key bound access tokens, a RS can't know whether the access 
token is presented by the “legitimate” client  or by an“illegitimate” 
client.

One of the goals is also to prevent a client to monetize the selling of 
"key bound access tokens" to other end-users.

As I have already indicated, there exists a solution able to prevent 
such scenario in some specific cases (i.e. in the case of RS long-term 
user accounts).

Denis


> If the “legitimate” client willingly gives away its secrets and tokens 
> to the “illegitimate” client, then the latter isn’t actually 
> “illegitimate” anymore.
>
> What I was saying is that the “attack" is not even necessary if the 
> clients are in fact working together.
> If the “legitimate” client knowing gives away its credentials, it is 
> accepting that the receiver of those credentials can do anything it 
> wants with those credentials. That’s why they are credentials.
>
>  — Justin
>
> PS: I did not “break” the thread, I replied to a message in the 
> thread. That’s how email lists work.
>
>> On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote:
>>
>> Hi  Justin,
>>
>> You broke the thread since you have not re-used the last message 
>> which was:
>>
>>     Steinar,
>>
>>     As you have guessed, no data (except the token and some crypto
>>     checksums) is passing through the clients.
>>
>>     Once the legitimate client has allowed the illegitimate client to
>>     use the token, the illegitimate client can do anything it wants
>>     with it.
>>     The legitimate client can be kept fully ignorant of what
>>     illegitimate client is doing.
>>
>>     The data flow is minimum: if the token allows to view a 4 Gb
>>     movie, that data flow does not flow between the clients.
>>
>>     Furthermore, the content of the token may allow the illegitimate
>>     client to use it during days or months.
>>     Suppose that the token indicates "over 18". If the user is over
>>     18 now, he will certainly be "over 18" the next days, months or
>>     years.
>>     There is no need to refresh the token as it would be the case if
>>     the token included a home address.
>>
>> This message explains why this collaborative attack is very different 
>> from simply forwarding messages between clients.
>>
>> The illegitimate client can do anything it wants without disclosing 
>> what it is doing to the legitimate client.
>> The traffic between the clients is kept to the very minimum.
>>
>> Denis
>>
>>> +1
>>>
>>> Am 29.03.22 um 15:10 schrieb Justin Richer:
>>>> And this is exactly the problem with the “collaborating clients” 
>>>> attack, as has been pointed out any number of times it’s been 
>>>> brought up before. If two clients are willingly collaborating in 
>>>> this way, they do not need to share any cryptographic material and 
>>>> impersonate each other.
>>>>
>>>> You don’t need to steal my license if I’m willing to just go buy 
>>>> you beer.
>>>>
>>>> The DPoP draft does address signed request re-use, which some see 
>>>> as a feature to be carefully applied.
>>>>
>>>>  — Justin
>>>>
>>>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote:
>>>>>
>>>>> Interesting, but won't two collaborating clients just pass any 
>>>>> data they want to each other? Why would these collaborating 
>>>>> clients go through the trouble of exchanging private keys, dpop 
>>>>> proofs or tokens? Could you elaborate some more on the scenario?
>>>>>
>>>>> S
>>>>>
>>>>> man. 28. mar. 2022 kl. 16:29 skrev Denis <denis.ietf@free.fr>:
>>>>>
>>>>>     Rifaat & Hannes,
>>>>>
>>>>>     Hereafter are my comments:
>>>>>
>>>>>     The introduction states :
>>>>>
>>>>>     Recipients of such tokens are then able to verify the binding
>>>>>     of the token to the key pair thatthe client has demonstrated
>>>>>            that it holds via the DPoP header, thereby providing
>>>>>     some assurance that the client presenting the token also
>>>>>     possesses the private key.
>>>>>
>>>>>            In other words, the legitimate presenter of the token
>>>>>     is constrained to be the sender that holds and can prove
>>>>>     possession of the private part of the key pair.
>>>>>
>>>>>     The client presenting the token *does not necessarily possess
>>>>>     the private key*. The client presenting the token has been
>>>>>     able to use
>>>>>     the results of some cryptographic functions using the private
>>>>>     part of the key pair.
>>>>>
>>>>>     These results may be communicated by one client to another
>>>>>     client, if the two clients agree to collaborate. This
>>>>>     statement will be added later on.
>>>>>
>>>>>     Proposed rewording:
>>>>>
>>>>>            Recipients of such tokens are then able to verify the
>>>>>     binding of the token to the key pair thatthe client has
>>>>>     demonstrated
>>>>>            that it holds via the DPoP header, thereby providing
>>>>>     some assurance that the client presenting the token *either
>>>>>     *also possesses
>>>>>            the private key *or* has been able to use the result of
>>>>>     cryptographic computations from another client that possesses
>>>>>     the private key.
>>>>>
>>>>>            In other words, the presenter of the token can prove
>>>>>     that it has been able to use the results of cryptographic
>>>>>     computations performed
>>>>>            by using the private part of the key pair.
>>>>>
>>>>>     The objectives states
>>>>>
>>>>>            The primary aim of DPoP is to prevent unauthorized or
>>>>>     illegitimate parties from using leaked or stolen access tokens,
>>>>>            by binding a token to a public key upon issuance and
>>>>>     requiring that the client proves possession of the corresponding
>>>>>            private key when using the token.
>>>>>
>>>>>     DPoP does not prevent unauthorized or illegitimate parties
>>>>>     from using access tokens, as soon as two clients agree to
>>>>>     collaborate.
>>>>>
>>>>>     Proposed rewording:
>>>>>
>>>>>            The primary aim of DPoP is to bind a token to a public
>>>>>     key upon issuance and requiring that the client proves possession
>>>>>            of the corresponding private key when using the
>>>>>     token.This does not demonstrate that the client presenting the
>>>>>     token is
>>>>>            necessarily the legitimate client. In the case of
>>>>>     non-collaborating clients, DPoP prevents unauthorized or
>>>>>     illegitimate parties
>>>>>            from using leaked or stolen access tokens. In the case
>>>>>     of collaborating clients, the security of DPoP is ineffective
>>>>>            (see section 11.X).
>>>>>
>>>>>     Section 11 is about "Security Considerations" and addresses
>>>>>     the following topics:
>>>>>
>>>>>     11.1.DPoP Proof Replay
>>>>>     11.2.DPoP Proof Pre-Generation
>>>>>     11.3.DPoP Nonce Downgrade
>>>>>     11.4.Untrusted Code in the Client Context
>>>>>     11.5.Signed JWT Swapping
>>>>>     11.6.Signature Algorithms
>>>>>     11.7.Message Integrity
>>>>>     11.8.Access Token and Public Key Binding
>>>>>     11.9.Authorization Code and Public Key Binding
>>>>>
>>>>>     The case of collaborative clients should be addressed within
>>>>>     section 11.
>>>>>
>>>>>     Text proposal.
>>>>>
>>>>>     11.X. Collaborative clients
>>>>>
>>>>>                 DPoP demonstrates that the client presenting the
>>>>>     token has been able to use the results of some cryptographic
>>>>>     functions
>>>>>     using the private part of the key pair.
>>>>>
>>>>>     If a client agrees to collaborate with another client, the
>>>>>     security of DPoP is no longer effective.When two clients agree
>>>>>     to collaborate,
>>>>>     these results of the cryptographic computations performed by
>>>>>     one client may be communicated to another client.
>>>>>
>>>>>     Even if the private key used for DPoP is stored in such a way
>>>>>     that it cannot be exported, e.g., in a hardware or software
>>>>>     security module,
>>>>>     the client can perform all the cryptographic computations
>>>>>     needed by the other client to create DPoP proofs.
>>>>>
>>>>>     The client can easily create new DPoP proofs as long as the
>>>>>     other client is online.
>>>>>
>>>>>     Note: There exist other techniques able to limit, in some
>>>>>     cases, the use of a token transmitted voluntarily by a
>>>>>     legitimate client
>>>>>                           to an illegitimate client.
>>>>>
>>>>>     Denis
>>>>>
>>>>>
>>>>>>     All,
>>>>>>
>>>>>>     As discussed during the IETF meeting in *Vienna* last week,
>>>>>>     this is a *WG Last Call *for the *DPoP* document:
>>>>>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/
>>>>>>
>>>>>>     Please, provide your feedback on the mailing list by April 11th.
>>>>>>
>>>>>>     Regards,
>>>>>>      Rifaat & Hannes
>>>>>>
>>>>>>
>>>>>>     _______________________________________________
>>>>>>     OAuth mailing list
>>>>>>     OAuth@ietf.org
>>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>     _______________________________________________
>>>>>     OAuth mailing list
>>>>>     OAuth@ietf.org
>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>> -- 
>>>>> Vennlig hilsen
>>>>>
>>>>> Steinar Noem
>>>>> Partner Udelt AS
>>>>> Systemutvikler
>>>>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no  | +47 
>>>>> 955 21 620 | www.udelt.no <http://www.udelt.no/> |
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> -- 
>>> https://danielfett.de
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email