Re: [OAUTH-WG] WGLC for DPoP Document
Denis <denis.ietf@free.fr> Tue, 29 March 2022 15:39 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 89A9B3A1A4B for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:39:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.943
X-Spam-Level:
X-Spam-Status: No, score=-0.943 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vnPTLyMc2RQs for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:39:43 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp03.smtpout.orange.fr [80.12.242.125]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B76DF3A1A48 for <oauth@ietf.org>; Tue, 29 Mar 2022 08:39:42 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.93.96]) by smtp.orange.fr with ESMTPA id ZDwUnwQVqhTNkZDwUnEMIm; Tue, 29 Mar 2022 17:39:38 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: OWU3ZmVkYWM0M2UwZWM1YifxM2Q3ZDk1YiUzNWJiZTM2MiliMTI0N2YxZmQ=
X-ME-Date: Tue, 29 Mar 2022 17:39:38 +0200
X-ME-IP: 90.26.93.96
Content-Type: multipart/alternative; boundary="------------la1l0eT0f9VimvC2nWmfAbt3"
Message-ID: <3c82ae34-41d8-9fc8-3490-5c11d7f29a2c@free.fr>
Date: Tue, 29 Mar 2022 17:39:34 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0
Content-Language: en-GB
To: oauth@ietf.org
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr> <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CMjx4_mGNwAGWXrBEcTjz9_zNXQ>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 15:39:48 -0000
Hi Justin, In this scenario, the “legitimate” client _never_ gives away its secrets (if it is using a secure platform, it can't). It never give away its credentials either. When using key bound access tokens, a RS can't know whether the access token is presented by the “legitimate” client or by an“illegitimate” client. One of the goals is also to prevent a client to monetize the selling of "key bound access tokens" to other end-users. As I have already indicated, there exists a solution able to prevent such scenario in some specific cases (i.e. in the case of RS long-term user accounts). Denis > If the “legitimate” client willingly gives away its secrets and tokens > to the “illegitimate” client, then the latter isn’t actually > “illegitimate” anymore. > > What I was saying is that the “attack" is not even necessary if the > clients are in fact working together. > If the “legitimate” client knowing gives away its credentials, it is > accepting that the receiver of those credentials can do anything it > wants with those credentials. That’s why they are credentials. > > — Justin > > PS: I did not “break” the thread, I replied to a message in the > thread. That’s how email lists work. > >> On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote: >> >> Hi Justin, >> >> You broke the thread since you have not re-used the last message >> which was: >> >> Steinar, >> >> As you have guessed, no data (except the token and some crypto >> checksums) is passing through the clients. >> >> Once the legitimate client has allowed the illegitimate client to >> use the token, the illegitimate client can do anything it wants >> with it. >> The legitimate client can be kept fully ignorant of what >> illegitimate client is doing. >> >> The data flow is minimum: if the token allows to view a 4 Gb >> movie, that data flow does not flow between the clients. >> >> Furthermore, the content of the token may allow the illegitimate >> client to use it during days or months. >> Suppose that the token indicates "over 18". If the user is over >> 18 now, he will certainly be "over 18" the next days, months or >> years. >> There is no need to refresh the token as it would be the case if >> the token included a home address. >> >> This message explains why this collaborative attack is very different >> from simply forwarding messages between clients. >> >> The illegitimate client can do anything it wants without disclosing >> what it is doing to the legitimate client. >> The traffic between the clients is kept to the very minimum. >> >> Denis >> >>> +1 >>> >>> Am 29.03.22 um 15:10 schrieb Justin Richer: >>>> And this is exactly the problem with the “collaborating clients” >>>> attack, as has been pointed out any number of times it’s been >>>> brought up before. If two clients are willingly collaborating in >>>> this way, they do not need to share any cryptographic material and >>>> impersonate each other. >>>> >>>> You don’t need to steal my license if I’m willing to just go buy >>>> you beer. >>>> >>>> The DPoP draft does address signed request re-use, which some see >>>> as a feature to be carefully applied. >>>> >>>> — Justin >>>> >>>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no> wrote: >>>>> >>>>> Interesting, but won't two collaborating clients just pass any >>>>> data they want to each other? Why would these collaborating >>>>> clients go through the trouble of exchanging private keys, dpop >>>>> proofs or tokens? Could you elaborate some more on the scenario? >>>>> >>>>> S >>>>> >>>>> man. 28. mar. 2022 kl. 16:29 skrev Denis <denis.ietf@free.fr>: >>>>> >>>>> Rifaat & Hannes, >>>>> >>>>> Hereafter are my comments: >>>>> >>>>> The introduction states : >>>>> >>>>> Recipients of such tokens are then able to verify the binding >>>>> of the token to the key pair thatthe client has demonstrated >>>>> that it holds via the DPoP header, thereby providing >>>>> some assurance that the client presenting the token also >>>>> possesses the private key. >>>>> >>>>> In other words, the legitimate presenter of the token >>>>> is constrained to be the sender that holds and can prove >>>>> possession of the private part of the key pair. >>>>> >>>>> The client presenting the token *does not necessarily possess >>>>> the private key*. The client presenting the token has been >>>>> able to use >>>>> the results of some cryptographic functions using the private >>>>> part of the key pair. >>>>> >>>>> These results may be communicated by one client to another >>>>> client, if the two clients agree to collaborate. This >>>>> statement will be added later on. >>>>> >>>>> Proposed rewording: >>>>> >>>>> Recipients of such tokens are then able to verify the >>>>> binding of the token to the key pair thatthe client has >>>>> demonstrated >>>>> that it holds via the DPoP header, thereby providing >>>>> some assurance that the client presenting the token *either >>>>> *also possesses >>>>> the private key *or* has been able to use the result of >>>>> cryptographic computations from another client that possesses >>>>> the private key. >>>>> >>>>> In other words, the presenter of the token can prove >>>>> that it has been able to use the results of cryptographic >>>>> computations performed >>>>> by using the private part of the key pair. >>>>> >>>>> The objectives states >>>>> >>>>> The primary aim of DPoP is to prevent unauthorized or >>>>> illegitimate parties from using leaked or stolen access tokens, >>>>> by binding a token to a public key upon issuance and >>>>> requiring that the client proves possession of the corresponding >>>>> private key when using the token. >>>>> >>>>> DPoP does not prevent unauthorized or illegitimate parties >>>>> from using access tokens, as soon as two clients agree to >>>>> collaborate. >>>>> >>>>> Proposed rewording: >>>>> >>>>> The primary aim of DPoP is to bind a token to a public >>>>> key upon issuance and requiring that the client proves possession >>>>> of the corresponding private key when using the >>>>> token.This does not demonstrate that the client presenting the >>>>> token is >>>>> necessarily the legitimate client. In the case of >>>>> non-collaborating clients, DPoP prevents unauthorized or >>>>> illegitimate parties >>>>> from using leaked or stolen access tokens. In the case >>>>> of collaborating clients, the security of DPoP is ineffective >>>>> (see section 11.X). >>>>> >>>>> Section 11 is about "Security Considerations" and addresses >>>>> the following topics: >>>>> >>>>> 11.1.DPoP Proof Replay >>>>> 11.2.DPoP Proof Pre-Generation >>>>> 11.3.DPoP Nonce Downgrade >>>>> 11.4.Untrusted Code in the Client Context >>>>> 11.5.Signed JWT Swapping >>>>> 11.6.Signature Algorithms >>>>> 11.7.Message Integrity >>>>> 11.8.Access Token and Public Key Binding >>>>> 11.9.Authorization Code and Public Key Binding >>>>> >>>>> The case of collaborative clients should be addressed within >>>>> section 11. >>>>> >>>>> Text proposal. >>>>> >>>>> 11.X. Collaborative clients >>>>> >>>>> DPoP demonstrates that the client presenting the >>>>> token has been able to use the results of some cryptographic >>>>> functions >>>>> using the private part of the key pair. >>>>> >>>>> If a client agrees to collaborate with another client, the >>>>> security of DPoP is no longer effective.When two clients agree >>>>> to collaborate, >>>>> these results of the cryptographic computations performed by >>>>> one client may be communicated to another client. >>>>> >>>>> Even if the private key used for DPoP is stored in such a way >>>>> that it cannot be exported, e.g., in a hardware or software >>>>> security module, >>>>> the client can perform all the cryptographic computations >>>>> needed by the other client to create DPoP proofs. >>>>> >>>>> The client can easily create new DPoP proofs as long as the >>>>> other client is online. >>>>> >>>>> Note: There exist other techniques able to limit, in some >>>>> cases, the use of a token transmitted voluntarily by a >>>>> legitimate client >>>>> to an illegitimate client. >>>>> >>>>> Denis >>>>> >>>>> >>>>>> All, >>>>>> >>>>>> As discussed during the IETF meeting in *Vienna* last week, >>>>>> this is a *WG Last Call *for the *DPoP* document: >>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ >>>>>> >>>>>> Please, provide your feedback on the mailing list by April 11th. >>>>>> >>>>>> Regards, >>>>>> Rifaat & Hannes >>>>>> >>>>>> >>>>>> _______________________________________________ >>>>>> OAuth mailing list >>>>>> OAuth@ietf.org >>>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>>> >>>>> >>>>> >>>>> -- >>>>> Vennlig hilsen >>>>> >>>>> Steinar Noem >>>>> Partner Udelt AS >>>>> Systemutvikler >>>>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no | +47 >>>>> 955 21 620 | www.udelt.no <http://www.udelt.no/> | >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org >>>>> https://www.ietf.org/mailman/listinfo/oauth >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org >>>> https://www.ietf.org/mailman/listinfo/oauth >>> -- >>> https://danielfett.de >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] WGLC for DPoP Document Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Steinar Noem
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document David Waite
- Re: [OAUTH-WG] WGLC for DPoP Document Justin Richer
- Re: [OAUTH-WG] WGLC for DPoP Document Daniel Fett
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Roberto Polli
- Re: [OAUTH-WG] WGLC for DPoP Document Justin Richer
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Justin Richer
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Hans Zandbelt
- [OAUTH-WG] WGLC for DPoP Document: new thread abo… Denis
- Re: [OAUTH-WG] WGLC for DPoP Document: new thread… Hans Zandbelt
- Re: [OAUTH-WG] WGLC for DPoP Document Mike Jones
- Re: [OAUTH-WG] WGLC for DPoP Document: new thread… Denis
- Re: [OAUTH-WG] WGLC for DPoP Document David Waite
- Re: [OAUTH-WG] WGLC for DPoP Document Steinar Noem
- Re: [OAUTH-WG] WGLC for DPoP Document Daniel Fett
- Re: [OAUTH-WG] WGLC for DPoP Document Dave Tonge
- Re: [OAUTH-WG] WGLC for DPoP Document Steinar Noem
- Re: [OAUTH-WG] WGLC for DPoP Document Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for DPoP Document Warren Parad
- Re: [OAUTH-WG] WGLC for DPoP Document Pieter Kasselman
- [OAUTH-WG] Fwd: WGLC for DPoP Document Neil Madden
- Re: [OAUTH-WG] WGLC for DPoP Document Vladimir Dzhuvinov
- Re: [OAUTH-WG] WGLC for DPoP Document Nat Sakimura
- Re: [OAUTH-WG] WGLC for DPoP Document John Bradley
- Re: [OAUTH-WG] WGLC for DPoP Document Brian Campbell
- Re: [OAUTH-WG] WGLC for DPoP Document Brian Campbell