Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
Denis <denis.ietf@free.fr> Tue, 12 November 2019 09:19 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB2701201E3 for <oauth@ietfa.amsl.com>; Tue, 12 Nov 2019 01:19:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 74lQMGZOIGMu for <oauth@ietfa.amsl.com>; Tue, 12 Nov 2019 01:19:25 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp04.smtpout.orange.fr [80.12.242.126]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 62CE9120046 for <oauth@ietf.org>; Tue, 12 Nov 2019 01:19:24 -0800 (PST)
Received: from [192.168.1.11] ([90.79.49.31]) by mwinf5d07 with ME id QxKM2100E0gNo7u03xKMJ0; Tue, 12 Nov 2019 10:19:22 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Tue, 12 Nov 2019 10:19:22 +0100
X-ME-IP: 90.79.49.31
From: Denis <denis.ietf@free.fr>
To: oauth@ietf.org
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com> <3ECDBBC5-F183-4227-857A-A95C53C74274@mit.edu> <d021c84a-36f3-f371-2903-2b6051ee654f@free.fr> <8324a1d3-2fe8-430c-facc-1f3c5d7db260@danielfett.de> <21a36a19-1f24-25d9-9478-1e282a1bea19@free.fr> <CA+iA6uhqVf9B2VxzS7cFx_ATSymB9gsAk0ebpjdv99ymW6RjXA@mail.gmail.com> <ff668a74-52f9-3ac9-acf0-ad3e27e98ea9@free.fr> <9927a0d5-6202-3375-4ff3-2ee510beb814@danielfett.de>
Message-ID: <91777738-cbac-ad52-8226-01712f336952@free.fr>
Date: Tue, 12 Nov 2019 10:19:22 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <9927a0d5-6202-3375-4ff3-2ee510beb814@danielfett.de>
Content-Type: multipart/alternative; boundary="------------D8FCC4A2B0B9830F6459F117"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Gc8T8mRkF5vJT7fV3uSc66B_9Fs>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 09:19:28 -0000
Daniel, > I have the feeling that this attack aims at breaking a security > property that OAuth does not claim to fulfill (and that nobody expects > OAuth to fulfill): The first comment sent to the list was to ask whether the list of attacks was complete. IMO, the list should not be limited to the attacks that can be mitigated using best current practices, but should include all /known /kinds of attacks. At the moment a reader might get the impression that all /known /types of attacks have been analyzed and considered. The document even refers to formal methods (which might impress some readers), but when looking at the perimeter of the model that has been used, it is obvious that the ABC attack could not be discovered and thus considered. > "Given two colluding clients A and B, where A has obtained an access > token T, B cannot use T to access protected resources." > (analogously for two users U_A and U_B of the clients, where the users > have some session with a backend client.) > > And there are good reasons why this is not captured by the security > property (Hans' screenshot, for example). ??? > As far as I know, this property is neither achieved by classical > first-party session-based authentication/authorization nor by any > other web-based mechanism, or is it? Please refer back to what I said, i.e."Whatever kind of cryptographic is being used, when two users collaborate, a software-only solution will be unable to prevent the transmission of an attribute of a user that possess it to another user that does not possess it"and you will get the response. Since OAuth is a software based solution, it is unable to counter clients collusion attacks. Adding a secure element to only protect private/secret keys is ineffective to counter clients collusion attacks. For potential implementers, it is important to know the limitations of a protocol before implementing it. Denis > -Daniel > > Am 08.11.19 um 14:13 schrieb Denis: >> Hello Hans, >> >> You wrote: >> >>> one client can always share the protected data with another client >>> once retrieved, regardless of pop or secure elements >> >> No, there exist means that prevent a client to share the protected >> data with another client , simply because the client cannot access to it. >> The protected data is placed inside the secure element and thus a >> client has no way to extract it for the benefit of another client. >> >> The protected data is used by the secure element in such a way so >> that it cannot be used for the benefit of another user. >> >> But we are already in the field of the solutions and no more in the >> field of the requirements. >> >> Denis >> >>> >>> Hans. >>> >>> On Fri, Nov 8, 2019 at 8:38 AM Denis <denis.ietf@free.fr >>> <mailto:denis.ietf@free.fr>> wrote: >>> >>> Daniel, >>> >>> No. It is not a correct summary. One client can allow another >>> client to get an access token that belongs to it. >>> The key point is that a software only solution can't prevent >>> this collaborative attack and since, at this time, >>> the OAuth WG is not considering the use of secure elements, the >>> attack cannot be countered. >>> >>> Please have a look at: >>> https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html >>> >>> Denis >>> >>>> Hi Denis, >>>> >>>> Am 07.11.19 um 09:16 schrieb Denis: >>>>> >>>>> *Whatever kind of cryptographic is being used, when two users >>>>> collaborate, a software-only solution will be unable to >>>>> prevent the transmission * >>>>> *of an attribute of a user that possess it to another user >>>>> that does not possess it. * >>>>> >>>> To stay in OAuth lingo, what you are saying is: Two >>>> collaborating clients can exchange their access tokens and use >>>> them. >>>> >>>> Is that a correct summary of your attack? >>>> >>>> -Daniel >>>> >>>> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>> >>> >>> -- >>> hans.zandbelt@zmartzone.eu <mailto:hans.zandbelt@zmartzone.eu> >>> ZmartZone IAM - www.zmartzone.eu <http://www.zmartzone.eu> >> >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Curr… Hannes Tschofenig
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Jared Jennings
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Justin Richer
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Fett
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Hans Zandbelt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Roesler
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Hans Zandbelt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Fett
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … David Waite
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Roesler
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … David Waite
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Lee McGovern
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … David Waite
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Vineet Banga
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Vineet Banga
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Vineet Banga
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … n-sakimura