Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

Brian Campbell <bcampbell@pingidentity.com> Fri, 26 February 2016 22:28 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Fri, 26 Feb 2016 15:27:54 -0700
Message-ID: <CA+k3eCTeAULzW+JQ0P2i8sx=+uxMKjgemaPwKKSmr0_F7MXE6w@mail.gmail.com>
To: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/HKbUSy51i6YlMTSO2iFv4I4jE4A>
Cc: oauth <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call for Adoption

My preference is for Option A.

The mix-up attack, in all its variations, relies on there being no means
in OAuth for the AS to identify itself to the client when it returns the
user's browser to the client's redirect_uri. 'OAuth 2.0 Mix-Up Mitigation'
addresses that fundamental missing piece by including the 'iss'
authorization response parameter.

During the course of the discussions in Darmstadt, Hans and I independently
implemented and successfully interop tested the 'iss' and 'client_id'
authorization response parameters, which is what was anticipated to be in
the mitigation draft. Doing so was very simple and straightforward. And it
addresses the vulnerability. We decided, unfortunately, to pull that
functionality out of a looming product release due to the churn in this
WG and the perceived risk of changes in what would eventually become the
standard solution. Of course, that kind of risk is always present with
draft standards but it's been very frustrating in this case to have worked
towards a simple solution to a known problem only to have progress get hung
up in lack of agreement in this WG.

I'll also say that in many/most cases the AS doesn't explicitly know all of
the resources that tokens it issues can or will be used at (and there are
often more than one). So the ruri/Resource URI parameter isn't really a
workable option.
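
One way a client can consume the 'iss' and 'client_id' authorization response parameters described above, as an added example that is neither the draft's text nor Brian's or Hans's implementation; the issuer names, client ids, redirect URLs and the state bookkeeping are constructed for illustration:

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample: two authorization servers (ASes) this client is registered
# with, keyed by issuer identifier. Hypothetical names, not real deployments.
AS_CONFIG = {
    "https://honest-as.example": {
        "client_id": "client-at-honest",
        "token_endpoint": "https://honest-as.example/token",
    },
    "https://other-as.example": {
        "client_id": "client-at-other",
        "token_endpoint": "https://other-as.example/token",
    },
}

# Pending authorization requests, keyed by the 'state' the client minted when it
# redirected the user agent, recording which AS that request was sent to.
PENDING = {}


def start_authorization(state, issuer):
    """Record that the authorization request carrying this state went to issuer."""
    PENDING[state] = issuer


def check_authorization_response(redirect_url):
    """Validate the redirect back to the client's redirect_uri.

    Returns ("ok", token_endpoint) when the 'iss' and 'client_id' response
    parameters match the AS the request was actually sent to, otherwise
    ("reject", reason). The code may only ever be sent to the returned endpoint,
    which is what stops a code from being delivered to the wrong AS.
    """
    params = parse_qs(urlparse(redirect_url).query)

    def single(name):
        values = params.get(name, [])
        return values[0] if len(values) == 1 else None

    state = single("state")
    expected_issuer = PENDING.pop(state, None) if state else None  # one-shot state
    if expected_issuer is None:
        return ("reject", "unknown or missing state")
    # No 'iss', or a different one, means the response is not from the AS we used.
    if single("iss") != expected_issuer:
        return ("reject", "iss missing or does not match the AS the request went to")
    if single("client_id") != AS_CONFIG[expected_issuer]["client_id"]:
        return ("reject", "client_id does not match our registration at that AS")
    if single("code") is None:
        return ("reject", "missing code")
    return ("ok", AS_CONFIG[expected_issuer]["token_endpoint"])
```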



On Thu, Feb 25, 2016 at 12:43 AM, Hannes Tschofenig <
hannes.tschofenig@gmx.net> wrote:

> Vladimir,
>
> yes, we could do a formal analysis and it would be a very good idea.
> It would even go faster if a few of us work together on it. Anyone
> interested?
>
> This would be a good contribution for the workshop in July, btw.
>
> Ciao
> Hannes
>
> On 02/23/2016 10:09 AM, Vladimir Dzhuvinov wrote:
> > Hi Mike,
> >
> > You mention that you spent considerable time in research. I wonder if
> > there is existing theory, in communications or information theory, that
> > can be used to formally establish and prove (or disprove) the security
> > of the proposed OAuth measures? Perhaps some work that is totally
> > unrelated to identity and the web protocols, but could well apply here?
> >
> > My reasoning is that we have a closed system that is fairly simple, so
> > formal analysis must be entirely possible.
> >
> > 1. We have 5 parties (client, AS, RS, user, user agent).
> >
> > 2. The OAuth protocol follows a simple and well-defined pattern of
> > messages between the parties.
> >
> > 3. The points and the number of ways by which an adversary may break
> > into OAuth must therefore be finite.
> >
> > 4. The security requirement is essentially to guarantee the precedence
> > and authenticity of the messages from discovery endpoint to RS, and the
> > preferred way to do that is by establishing a binding between the
> > messages, which can be forward or backward binding.
> >
> >
> > Right now the WG concern is whether all possible attacks have been
> > recognised, and then taken care of. If we can have a formal model that
> > can reliably reveal and prove that, this will be a huge breakthrough.
> >
> > Cheers,
> >
> > Vladimir
> >
> >
> >
> > On 20/02/16 12:41, Mike Jones wrote:
> >> Suggesting that they be read is of course, the right long-term
> approach.  But as someone who spent 20+ years as a researcher before
> switching to digital identity, I was sensitive to not wanting to upstage
> their work by copying too much of their material into our draft before
> their publications were widely known.  I'll of course commit to working with the
> researchers and the working group to create a self-contained concise
> description of the threats and mitigations in the working group document.
> >>
> >>                              Cheers,
> >>                              -- Mike
> >>
> >> -----Original Message-----
> >> From: Hannes Tschofenig [mailto:hannes.tschofenig@gmx.net]
> >> Sent: Saturday, February 20, 2016 2:25 AM
> >> To: Mike Jones <Michael.Jones@microsoft.com>; William Denniss <
> wdenniss@google.com>; Phil Hunt (IDM) <phil.hunt@oracle.com>
> >> Cc: oauth@ietf.org
> >> Subject: Re: [OAUTH-WG] Fixing the Authorization Server Mix-Up: Call
> for Adoption
> >>
> >> Hi Mike,
> >>
> >> On 02/20/2016 10:52 AM, Mike Jones wrote:
> >>> Have you read both of their publications?  If not, do yourself a favor
> >>> and do.  They're actually both very readable and quite informative.
> >> I have read both documents. In context of this discussion the question
> is whether we
> >>
> >> (a) require them to be read (in which case they should be a normative
> reference), or
> >> (b) suggest them to be read (since they provide additional background
> information). In this case they are an informative reference.
> >>
> >> I believe we want (b) for the OAuth WG document. While I
> encourage everyone to read the publications I also believe that there is
> lots of material in there that goes beyond the information our audience
> typically reads (such as the text about the formal analysis).
> >>
> >> There is probably also a middle-ground where we either copy relevant
> text from the papers into the draft or reference specific sections that are
> "must-read".
> >>
> >> One other issue: I actually thought that the threat that is outlined in
> the research paper is sufficiently well described but the second threat,
> which is called 'cut-and-paste attack', requires more work.
> >> I noted this in my summary mail to the list, see
> http://www.ietf.org/mail-archive/web/oauth/current/msg15697.html
> >>
> >> Ciao
> >> Hannes
> >>
> >>
> >> _______________________________________________
> >> OAuth mailing list
> >> OAuth@ietf.org
> >> https://www.ietf.org/mailman/listinfo/oauth