IETF Logo Mail Archive

Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter

Warren Parad <wparad@rhosys.ch> Thu, 02 December 2021 18:37 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FAFF3A13B1 for <oauth@ietfa.amsl.com>; Thu, 2 Dec 2021 10:37:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.988
X-Spam-Level:
X-Spam-Status: No, score=-1.988 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khnxsZ3EICyr for <oauth@ietfa.amsl.com>; Thu, 2 Dec 2021 10:37:45 -0800 (PST)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D1E093A0834 for <oauth@ietf.org>; Thu, 2 Dec 2021 10:37:44 -0800 (PST)
Received: by mail-yb1-xb2f.google.com with SMTP id f9so2072919ybq.10 for <oauth@ietf.org>; Thu, 02 Dec 2021 10:37:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=+o52p57yhz0TqWixL3xDOKgSse6VVKGHgb81VEd930g=; b=E1iu77D1do4VEhtdzHwSX9m2izONjoIyory7KK4PjBJZHVlMtA90RAcpkWsm6EchQk rVCu9X3fU6T1hKiE6WyZyRJh9kv645+TT6IsLblLI183nRERu1qiWp2Kyrshb9r3DKEI q0bMAKXsWsGRhzLIsZOz4Kf0C12FCv14ohjFEjsl6AOnIRMWhAOJqFfijj96CewXzbws +HdwO4BvgQAD/SM31y3va10AIdp2XigleWfX53ZKprq+nGzA/5DLo1JMQ/uI8g+gJ3GQ IW1dJ9y7Tc16wRbYWmNvjZ1YmhQg4I11Z0IMUPS+DHntK4/xvonL5CxKQLqyHUTRxCKi JgAw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=+o52p57yhz0TqWixL3xDOKgSse6VVKGHgb81VEd930g=; b=QRMC207+eMxVo9rphLedkUudoALyulfthPhH5X5LigyJu1m5ZAQayglJ8a34mRWgpp nCrvkKA+NjaeOUXdhE7yrKI9Vx0uJFsVPWhU0vOp0/FtyiTxqkW0loJGjUUonFt90NBq /jIQHzIAK/MoQP9C+7uiRPsWytCokcT4aWULCMT0vfVIHwmpx1t576oOk2DcZHRRK7P2 BnmkaNahendNeD1pRuJP6UGFsvaOLd/0ftN/2MGzBQEw6+AwSxb1bvn7VkVEKYeKAzxk FUe2XOAYAZqWl/n2C+XBKlLPGz3FhZsO4+UQTRC87O90ANySdbnJlhFhmykcZH3QIXMj 3SLA==
X-Gm-Message-State: AOAM530EyB7jTZMfkqf+gU7XoJPfCPrRtYLPNVD3QEdNJn2Uv1G87N3W cmrWnZB13pEsc2Gj6zVBIrhwIAx6ldSLQv+MQBpL
X-Google-Smtp-Source: ABdhPJwAHvHzT2j3YblfuMZ1e6udDZAaLYDH7KGPGaLvuskUDVLMCNUT+y8cJfE4IhNjaRoQ4yOfdB2YBJUArRGsmQk=
X-Received: by 2002:a05:6902:1503:: with SMTP id q3mr16659059ybu.385.1638470262887; Thu, 02 Dec 2021 10:37:42 -0800 (PST)
MIME-Version: 1.0
References: <PH0PR00MB09979174CD87DF0DB226D334F5679@PH0PR00MB0997.namprd00.prod.outlook.com> <DBABEEFF-3FD5-4048-A90A-C16D0E695E07@forgerock.com> <CAGBSGjr8WE2i3wDe_fQmoBbhwWBPwouJViNGSyBjRh4hR4pCZQ@mail.gmail.com> <AM7PR83MB0452688B1FCB18070639291F91689@AM7PR83MB0452.EURPRD83.prod.outlook.com> <CAJot-L3Gf0Ok1AoQAAgaG_G4QQxa5CrKh+N-HVZwRQDJtdc2+w@mail.gmail.com> <AM7PR83MB0452184E6C67477BF073FB6591699@AM7PR83MB0452.EURPRD83.prod.outlook.com>
In-Reply-To: <AM7PR83MB0452184E6C67477BF073FB6591699@AM7PR83MB0452.EURPRD83.prod.outlook.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Thu, 02 Dec 2021 19:37:31 +0100
Message-ID: <CAJot-L0-RzkZ3uXc+=ARTWtpFLH3EpLF1mv0d0k8ogq7fOzw_A@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Pieter Kasselman <pieter.kasselman@microsoft.com>, Mike Jones <Michael.Jones@microsoft.com>, "oauth@ietf.org" <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000feb0ac05d22e15fa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/DyfgDJXAo0R-w08gm6lqqpBtD4M>
Subject: Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request Parameter
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Dec 2021 18:37:50 -0000

The only mention of sophistication is this logical fallacy:
>
>  If this leading security company had been penetrated, it almost certainly
> took an incredibly sophisticated attack.


But it leaves out exactly what that was. And it doesn't give any insight
into how this attack at MS would have been prevented despite the supply
chain vulnerability based on the second point that Aaron made. If they are
able to get the auth code, why aren't they able to get the DPoP signature?
And then send both of these?

Further in this case, it doesn't even matter if the attacker gets the
access token if that access token is bound to the client, because it's
worthless without the DPoP key. That's a much more secure solution than
issuing non-bound Bearer tokens as a response to the bound authorization
code. And if Bearer tokens are being used instead of bound tokens, then
those could still end up in the logs, and be exfiltrated.

In OAuth, the client already needs to authenticate with the AS, the spec is
SHOULD, and options the client_secret already. Adding in the DPoP signature
into the request is duplicating auth. If we don't like the client auth
mechanisms to the AS, we should directly provide an auth RFC recommending
better alternatives than sending a symmetric client_secret back to the AS.

Warren Parad

Founder, CTO
Secure your user data with IAM authorization as a service. Implement
Authress <https://authress.io/>.


On Thu, Dec 2, 2021 at 4:42 PM Pieter Kasselman <pieter.kasselman=
40microsoft.com@dmarc.ietf.org> wrote:

> Thanks for the comments and engagement Warren.
>
>
>
> The attacks we described and the ideas on mitigations are born out of
> attack vectors we are observing in the wild. They are not negligible. We
> are seeing a new class of very sophisticated attackers, and if you’re
> interested, this article provides good context on capability and
> sophistication of the attackers Brad Smith: Inside Microsoft during the
> SolarWinds hack (fastcompany.com)
> <https://www.fastcompany.com/90672384/microsoft-president-brad-smith-solarwinds-exclusive>.
> We are sharing this with the hope that the industry will benefit from our
> experiences and incorporate it into standards and products. Attacks that
> seemed impossibly complex are not only possible, but have become probable.
>
>
>
> The proposed changes for DPoP are not meant to replace the need for
> one-time use tokens (single use tokens are preferable and we should
> continue to expect them), but instead address the limitations around
> implementing one-time use, especially at scale. The 60s window you mention
> below is sufficiently long to be exploited by these sophisticated attackers.
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Warren Parad
> *Sent:* Wednesday 1 December 2021 15:29
> *To:* Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
> *Cc:* Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>;
> oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] [EXTERNAL] Re: dpop_jkt Authorization Request
> Parameter
>
>
>
> (e.g. one-time use in a certain timeframe etc).
>
>
>
> Sure but couldn't we just reduce the lifetime? Even if the token isn't one
> time use, surely the reuse time is trivially short which would prevent
> against exfiltration of the necessary security tokens to issue the attack?
>
>
>
> I feel like the simpler solution will always win, which in this case is
> one-time use tokens, then the problem is moot, right? So this only comes
> into play if you want to allow token reuse in a time window. The previously
> suggested max allowed time window from OAuth 2.1 was 60s for auth codes. So
> we are saying that the attack surface is still too large, for the .01% of
> implementations that have multi-use tokens, and the .01% of implementations
> that use the maximum 60s reuse, and then the subset of those that aren't
> correctly scrubing their logs, and then the subset of those that have a
> vulnerability which allows for exfiltration of both those logged tokens and
> the logged PKCE verifier?
>
>
>
> Why are we making this more complicated for a majority of cases, which:
>
>    - Only have single use tokens
>    - Or Only have a very short lifetime
>    - Or Are already correctly sanitizing their logs
>    - Or Have defense in depth for their deployments.
>
> If the implementation is so insecure that none of those are happening,
> wouldn't the implementation for this functionality also be suspect for an
> opportunity for attack?
>
>
>
> I feel like we are justifying here that multi-use tokens are wrong, but
> still want a solution to use them. Once we've proven that an deployment is
> not okay with using multi-use tokens, then the conclusion should be "don't
> have multi-use tokens", not: "let's still have multi-use tokens, but come
> up with a complex way to prevent their multi-use from accidentally being
> abused".
>
>
>
> Or am I missing something that would actually make this a
> non-negligible attack vector?
>
>
>
> - Warren
>
>
>
> *Warren Parad*
>
> Founder, CTO
>
> Secure your user data with IAM authorization as a service. Implement
> Authress
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fauthress.io%2F&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cb5c71bfcbfbb48fd641508d9b4df5fcf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637739693847580905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=%2FBkvuWZ3FVTcdTtfe%2FoLurIGxcsJHCz6zXmW1PROTSc%3D&reserved=0>
> .
>
>
>
>
>
> On Wed, Dec 1, 2021 at 4:14 PM Pieter Kasselman <pieter.kasselman=
> 40microsoft.com@dmarc.ietf.org> wrote:
>
> Hi Aaron, Neil
>
>
>
> Thanks for the questions.
>
>
>
> We agree that ideally authorization codes and PKCE proofs would never end
> up in log files and one-time use would be perfectly implemented.
>
>
>
> However, in practice these artefacts do find their way into log files in
> various places and one-time use may not always be practical (e.g. one-time
> use in a certain timeframe etc).
>
>
>
> The addition of these mitigations is not meant to replace the need for
> one-time use or good logging hygiene. Instead they provide pragmatic
> defence in depth against real attacks rather than assuming perfect
> implementations. We are deploying these mitigations and are sharing them
> for inclusion in DPoP to enable others to do the same.
>
>
>
> Regarding the question about interrupting/intercepting the HTTPS
> connection, the attacker don’t need to intercept the HTTPS connection or
> modify the content in the TLS tunnel, rather they just need to prevent the
> authorization code from being presented to the Authorization Server. It may
> even happen due to a poor network connection. The poor connection may be
> engineered by an attacker, or they may opportunistically benefit from it.
> The networks are not perfect either.
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Aaron Parecki
> *Sent:* Wednesday 1 December 2021 00:05
> *To:* Neil Madden <neil.madden@forgerock.com>
> *Cc:* Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>;
> oauth@ietf.org
> *Subject:* [EXTERNAL] Re: [OAUTH-WG] dpop_jkt Authorization Request
> Parameter
>
>
>
> I tend to agree with Neil here. I'm struggling to see the relevance of
> this attack.
>
>
>
> It seems like the PDF writeup describes two possible reasons an attacker
> could get access to the authorization code and PKCE code verifier.
>
>
>
> 1. The attacker has access to the logs of the token endpoint.
>
> 2. The attacker can intercept HTTPS connections between the client and AS
> (VPN, corporate network proxy, etc)
>
>
>
> For 1, the solution is to stop logging the contents of the POST body, and
> secure your infrastructure. I don't think making the client jump through
> extra hoops is a good solution if you are already logging more than you
> should be or you don't trust the people who have access to the
> infrastructure. If this really is a concern, I suspect there are a lot more
> places in the flow that would need to be patched up if you don't trust your
> own token endpoint.
>
>
>
> For 2, if the attacker can intercept the HTTPS connection, then the
> proposed solution doesn't add anything because the attacker could modify
> the requests before it hits the authorization server anyway, and change
> which DPoP key the token gets bound to in the first place. Plus, the
> attacker would also have access to anything else the client is sending to
> the AS, such as the user's password when they authenticate at the AS.
>
>
>
> Are there other attack vectors I'm missing that might actually be solved
> by this mechanism?
>
>
>
> Aaron
>
>
>
>
>
> On Tue, Nov 30, 2021 at 12:40 PM Neil Madden <neil.madden@forgerock.com>
> wrote:
>
> Sadly I couldn’t make the DPoP session, but I’m not convinced the attack
> described in the earlier message really needs to be prevented at all. The
> attack largely hinges on auth codes not being one-time use, which is not a
> good idea, or otherwise on poor network security on the token endpoint. I’m
> not convinced DPoP needs to protect against these things. Is there more to
> this?
>
>
>
> The proposed solutions also seem susceptible to the same problems they
> attempt to solve - if an attacker is somehow able to interrupt the client’s
> (TLS-protected) token request, why are they somehow not able to
> interrupt/modify the (far less protected) redirect to the authorization
> endpoint?
>
>
>
> — Neil
>
>
>
> On 30 Nov 2021, at 20:15, Mike Jones <
> Michael.Jones=40microsoft.com@dmarc.ietf.org> wrote:
>
>
>
> As described during the OAuth Security Workshop session on DPoP, I created
> a pull request adding the dpop_jkt authorization request parameter to use
> for binding the authorization code to the client’s DPoP key.  See
> https://github.com/danielfett/draft-dpop/pull/89
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdanielfett%2Fdraft-dpop%2Fpull%2F89&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cb5c71bfcbfbb48fd641508d9b4df5fcf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637739693847580905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=ASCRFFPMA7qIItkxpVTrVaJtC53R2niWOzB0l0GQKrw%3D&reserved=0>
> .
>
>
>
> This is an alternative to https://github.com/danielfett/draft-dpop/pull/86
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fdanielfett%2Fdraft-dpop%2Fpull%2F86&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cb5c71bfcbfbb48fd641508d9b4df5fcf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637739693847580905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=lgb9WmnOwWVtNIFsZ1mQG4jSBQYLZv%2BETe6HIKFeerg%3D&reserved=0>,
> which achieved this binding using a new DPoP PKCE method.  Using this
> alternative allows PKCE implementations to be unmodified, while adding DPoP
> in new code, which may be an advantage in some deployments.
>
>
>
> Please review and comment.  Note that I plan to add more of the attack
> description written by Pieter Kasselman to the security considerations in a
> future commit.  This attack description was sent by Pieter yesterday in a
> message with the subject “Authorization Code Log File Attack (was DPoP
> Interim Meeting Minutes)”.
>
>
>
>                                                        -- Mike
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cb5c71bfcbfbb48fd641508d9b4df5fcf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637739693847580905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vuBY0pdcSiMXQF213ZVLm4yNMFhRqM1jWlrWSzn%2FS%2FE%3D&reserved=0>
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cb5c71bfcbfbb48fd641508d9b4df5fcf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637739693847580905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vuBY0pdcSiMXQF213ZVLm4yNMFhRqM1jWlrWSzn%2FS%2FE%3D&reserved=0>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&data=04%7C01%7Cpieter.kasselman%40microsoft.com%7Cb5c71bfcbfbb48fd641508d9b4df5fcf%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637739693847580905%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=vuBY0pdcSiMXQF213ZVLm4yNMFhRqM1jWlrWSzn%2FS%2FE%3D&reserved=0>
>
>

v2.23.0 | Report a Bug | By Email