Re: [OAUTH-WG] Text Proposal for draft-ietf-oauth-spop-04
Nat Sakimura <sakimura@gmail.com> Thu, 20 November 2014 10:53 UTC
Return-Path: <sakimura@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AE86E1A0174 for <oauth@ietfa.amsl.com>; Thu, 20 Nov 2014 02:53:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Xq0U8Tm1vbL3 for <oauth@ietfa.amsl.com>; Thu, 20 Nov 2014 02:53:43 -0800 (PST)
Received: from mail-ig0-x231.google.com (mail-ig0-x231.google.com [IPv6:2607:f8b0:4001:c05::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF1611A016C for <oauth@ietf.org>; Thu, 20 Nov 2014 02:53:42 -0800 (PST)
Received: by mail-ig0-f177.google.com with SMTP id uq10so2596478igb.4 for <oauth@ietf.org>; Thu, 20 Nov 2014 02:53:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:references:from:date:message-id:subject:to:cc :content-type; bh=R6zCeafgcO5WXgac90+DyqqCG+mBLDOXqq7nQz78NXY=; b=zPmIPacYBjp2jR2GKhh6/4IaIHMsKayNyRAUX0QKwsvT3q8Us78bNmckl5xLuGvwXS X1sy1cnXHkTMUZnxwvF8k6+wiOMu5e70SRj5nQ20/hsDto/BDm+FEOy2pb7m9+vACIo7 Ucc+Q4e5s1IR97Sn6GLTnQsyH+39yj4Qv36yI+EnjWD8CYrz8M3t5sNp+2A0M9leJe1/ f/2RTafMhLK0dLqghhxo5qCgkvjPn1k6t9zj13YER8mf/hubZeA0uhTa/bsPhsoIy4/u gofrUWl5U9+YEHGGImDTbHVhEKd7kBm7GpoaFHZV+5sR9gmI9B8D+Clx0QaZJLENANfM 9RVg==
X-Received: by 10.107.3.157 with SMTP id e29mr37380765ioi.44.1416480820980; Thu, 20 Nov 2014 02:53:40 -0800 (PST)
MIME-Version: 1.0
References: <546C90BE.4040402@gmx.net> <F0E78FC4-5ADE-4C09-98DB-339A8791CD84@ve7jtb.com>
From: Nat Sakimura <sakimura@gmail.com>
Date: Thu, 20 Nov 2014 10:53:40 +0000
Message-ID: <CABzCy2B_4cM6ER+Lwsjp6OthwMdwMjUAWd+JF9-N_QTDqjKtyw@mail.gmail.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Hannes Tschofenig <hannes.tschofenig@gmx.net>
Content-Type: multipart/alternative; boundary="001a113eb40a2a735305084824ca"
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/K3j7hfYLMm-Nh0MmLTztfhEPZeE
Cc: "oauth@ietf.org" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Text Proposal for draft-ietf-oauth-spop-04
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 10:53:47 -0000
Thanks Hannes! Nat On Wed Nov 19 2014 at 21:49:07 John Bradley <ve7jtb@ve7jtb.com> wrote: > Hannes, > > Thanks for the feedback. I will go over it today. > > > > On Nov 19, 2014, at 7:44 AM, Hannes Tschofenig < > hannes.tschofenig@gmx.net> wrote: > > > > Hi Nat, > > > > I have a few text suggestions for the abstract and the intro. > > > > > > FROM: > > > > Abstract > > > > The OAuth 2.0 public client utilizing Authorization Code Grant (RFC > > 6749 - 4.1) is susceptible to the code interception attack. This > > specification describes a mechanism that acts as a control against > > this threat. > > > > > > TO: > > > > Abstract > > > > OAuth 2.0 public clients utilizing the Authorization Code Grant are > > susceptible to the authorization code interception attack. This > > specification > > describes the attack as well as a technique to mitigate against the > > threat. > > > > New text for the into: > > > > > > 1. Introduction > > > > OAuth 2.0 [RFC6749] public clients are susceptible to the > > authorization code interception attack. > > > > The attacker thereby intercepts the authorization code returned > > from the authorization endpoint within communication path not > > protected by TLS, such as inter-app communication within the > > operating system of the client. > > > > Once the attacker has gained access to the authorization code it > > can use it to obtain the access token. > > > > Figure 1 shows the attack graphically. In step (1) the native > > app running on the end device, such as a smart phone, issues > > an authorization request via the browser/operating system, which > > then gets forwarded to the OAuth 2.0 authorization server in > > step (2). The authorization server returns the authorization code > > in step (3). The malicious app is able to observe the > > authorization code in step (4) since it is registered to the > > custom URI scheme used by the legitimate app. This allows the > > attacker to reguest and obtain an access token in step (5) > > and step (6), respectively. > > > > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ > > | End Device (e.g., Smart Phone) | > > | | > > | +-------------+ +----------+ | (6) Access Token +----------+ > > | |Legitimate | | Malicious|<--------------------| | > > | |OAuth 2.0 App| | App |-------------------->| | > > | +-------------+ +----------+ | (5) Authorization | | > > | | ^ ^ | Grant | | > > | | \ | | | | > > | | \ (4) | | | | > > | (1) | \ Authz| | | | > > | Authz| \ Code | | | Authz | > > | Request| \ | | | Server | > > | | \ | | | | > > | | \ | | | | > > | v \ | | | | > > | +----------------------------+ | | | > > | | | | (3) Authz Code | | > > | | Operating System/ |<--------------------| | > > | | Browser |-------------------->| | > > | | | | (2) Authz Request | | > > | +----------------------------+ | +----------+ > > +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ > > > > Figure 1: Authorization Code Interception Attack. > > > > A number of pre-conditions need to hold in order for this attack > > to work: > > > > 1) The attacker manages to register a malicious application on > > the client device and registers a custom URI scheme that is > > also used by another application. > > > > The operating systems must allow a custom URI schemes to > > be registered by multiple applications. > > > > 2) The OAuth 2.0 authorization code grant is used. > > > > 3) The attacker has access to the client id. All native app > > client-instances use the same client id. No client secret is > > used (since public clients cannot keep their secrets > > confidential.) > > > > 4) The attacker (via the installed app) is able to observe > > responses from the authorization endpoint. As a more > > sophisticated attack scenario the attacker is also able > > to observe requests (in addition to responses) to the > > authorization endpoint. The attacker is, however, not > > able to act as a man-in-the-middle. > > > > While this is a long list of pre-conditions the described attack > > has been observed in the wild and has to be considered in > > OAuth 2.0 deployments. While Section 4.4.1 of [RFC6819] describes > > mitigation techniques they are, unfortunately, not applicable > > since they rely on a per-client instance secret or aper client > > instance redirect URI. > > > > Ciao > > Hannes > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Text Proposal for draft-ietf-oauth-spo… Hannes Tschofenig
- Re: [OAUTH-WG] Text Proposal for draft-ietf-oauth… John Bradley
- Re: [OAUTH-WG] Text Proposal for draft-ietf-oauth… Nat Sakimura