Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure

Christian Mainka <Christian.Mainka@rub.de> Mon, 02 December 2019 09:05 UTC

To: fett@danielfett.de, oauth@ietf.org
References: <35143dd1-edeb-e0fd-6f36-a39d9b7f7008@hackmanit.de> <4f1d1215-aa23-93ab-ae5b-75426d7f07cc@danielfett.de>
From: Christian Mainka <Christian.Mainka@rub.de>
Message-ID: <277a3bc8-32fc-8c7c-85dc-5030d2d07728@rub.de>
Date: Mon, 2 Dec 2019 10:05:08 +0100
In-Reply-To: <4f1d1215-aa23-93ab-ae5b-75426d7f07cc@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/I3OVg-s9g7Fi7WLRSDe0PFiOnjQ>
Subject: Re: [OAUTH-WG] OAuth 2.0 Security Best Current Practice | Issue in Mix-Up Countermeasure
List-Id: OAUTH WG <oauth.ietf.org>

Hi Daniel,

I think this problem is not restricted to the redirect_uri alone.
Regarding countermeasure (1), the A-AS can also return the same
client_id as the client uses on the H-AS.

TL;DR: In countermeasure (1), only the issuer prevents Mix-Up; the
client_id parameter can be faked as well during the registration of the
client (especially if Dynamic Client Registration is used).

Regards
Christian

On 26.11.19 15:20, Daniel Fett wrote:
> Hi Karsten,
>
> Very interesting observation!
>
> My gut feeling is that this is the real problem here:
>
> On 26.11.19 at 14:24, Karsten Meyer zu Selhausen wrote:
>> Depending on its implementation the client might simply extract all data
>> contained in the Client Information Response and use it for
>> authorizations with the specific AS.
>> We were able to confirm that one popular open-source library behaves in
>> this exact way. It stores the redirect URI contained in the Client
>> Information Response and uses it for Authorization Requests with the
>> A-AS although it differs from the redirect URI in the Client
>> Registration Request.
> The client uses untrusted, unverified data to make its decision on what
> redirect URI to use.
>
> Nonetheless, we should definitely mention this in the BCP!
>
>> In our opinion this makes the countermeasure "AS-specific redirect URIs"
>> obsolete and we believe the other countermeasure described in the BCP
>> (adding an AS identifier and the client_id of the intended recipient to
>> AS's responses) should be used to prevent Mix-Up attacks. If the
>> involved entities use the OIDC hybrid flow this countermeasure is
>> automatically applied.
> These are more intrusive changes than the per-AS redirect URI and may
> require new parameters.
>
> Daniel
>

-- 
Dr.-Ing. Christian Mainka
Horst Görtz Institute for IT-Security 
Chair for Network and Data Security 
Ruhr-University Bochum, Germany

Universitätsstr. 150, ID 2/463
D-44801 Bochum, Germany

Telefon: +49 (0) 234 / 32-26796
Fax: +49 (0) 234 / 32-14347
http://nds.rub.de/chair/people/cmainka/
@CheariX
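As an added illustration of the point made in this reply (this is example code, not code from the thread, the BCP or any library named above): a client-side check that records which AS it sent the user to and, on the way back, accepts a response only if the returned AS identifier matches. It assumes the AS identifier arrives as an `iss` response parameter next to `client_id`, and the `PendingAuth` record layout is an assumption for illustration; it also shows why the `client_id` comparison alone is insufficient when an attacker-controlled AS echoes the same `client_id`, and a check that a Dynamic Client Registration response is not allowed to change the redirect URI the client asked for.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

@dataclass(frozen=True)
class PendingAuth:
    """What the client recorded when it sent the user to an AS (keyed by state)."""
    state: str
    expected_issuer: str      # identifier of the AS the client redirected to
    expected_client_id: str   # the client_id the client uses at that AS

def parse_response(redirect_url: str) -> dict:
    """Flatten the query string of an authorization response into a dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}

def client_id_matches(pending: PendingAuth, resp: dict) -> bool:
    """Weak check: an attacker-controlled AS can echo the same client_id."""
    return resp.get("client_id") == pending.expected_client_id

def issuer_and_client_id_match(pending: PendingAuth, resp: dict) -> bool:
    """Strong check: the AS identifier must be the AS the flow started at."""
    return (resp.get("iss") == pending.expected_issuer
            and client_id_matches(pending, resp))

def accept_response(pending_by_state: dict, redirect_url: str,
                    check_issuer: bool = True):
    """Return the matching PendingAuth if the response passes, else None."""
    resp = parse_response(redirect_url)
    pending = pending_by_state.get(resp.get("state", ""))
    if pending is None:
        return None
    check = issuer_and_client_id_match if check_issuer else client_id_matches
    return pending if check(pending, resp) else None

def registration_redirect_uri_is_trusted(requested: list, response: dict) -> bool:
    """Use redirect_uris from a Client Information Response only if they
    equal what the client sent in its Client Registration Request."""
    return sorted(response.get("redirect_uris", [])) == sorted(requested)

# Constructed sample data (assumed names, not from the thread).
PENDING = {"st1": PendingAuth("st1", "https://honest-as.example", "client-123")}
HONEST_RESPONSE = ("https://client.example/cb?code=CODE_H&state=st1"
                   "&iss=https%3A%2F%2Fhonest-as.example&client_id=client-123")
# Same state and same client_id, but the iss names a different AS than the
# one the client sent the user to: only the issuer comparison rejects this.
MIXUP_RESPONSE = ("https://client.example/cb?code=CODE_A&state=st1"
                  "&iss=https%3A%2F%2Fattacker-as.example&client_id=client-123")
```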