Re: [OAUTH-WG] [EXT] Re: Token substitution in DPoP

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 November 2020 18:50 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 78F8C3A048B for <oauth@ietfa.amsl.com>; Mon, 23 Nov 2020 10:50:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 28H3yzbKVnid for <oauth@ietfa.amsl.com>; Mon, 23 Nov 2020 10:50:50 -0800 (PST)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 399343A0418 for <oauth@ietf.org>; Mon, 23 Nov 2020 10:50:50 -0800 (PST)
Received: by mail-lf1-x12e.google.com with SMTP id l11so25305938lfg.0 for <oauth@ietf.org>; Mon, 23 Nov 2020 10:50:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=b1TCMx74n3Lq89NrMnW/wxQl6D/dkWraUyFvcnTqyrI=; b=Ujnv3c+1/xDk2MsiyyJ7hC6IQ0Sc/tT3pP4BC9V/HpAYshyEngJbrLOs6rSFqC5eI2 p3xMPmXzn3ThIYYuPHHy1vqAGvJz9DuKGo4n4bOy+/yOtmnm2FUAnLwZ9LC/56PQO7yy 3iC/Yb+k/Gdg0QOVlfcF0nO1XEydjBPmKqf3kaajAbhOFEE6sXlGG2qxfa5j644lsmGq I05PjJA2BVEvSpAMJlM6aSNnnhNFJ5g2sIqIfHjtHdKoRfqpksb+yv+ag/J8CycmIsqO UnB7E5qbXvtq6IdYwsRmEpxSXNZAtWLLLA3tKme3b+qqgbc8a9JNSf/v2V845jBrjcWH vzZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=b1TCMx74n3Lq89NrMnW/wxQl6D/dkWraUyFvcnTqyrI=; b=fP3jUHuv4x0da3E5GjuDR5EvhQTe4WcJhvmRSUKqr5/r87c89n3Ofvo2QVJdoRWXiP xL/66mC0qP58DOeF900l0rN6/ezgsiKBFCVJWBvEnclqI1c4Rdi5iLq7pubNGJFEda0q iqXYzrTbOGk54hTAlTe+BNuf5Q3NSVnzR0px5ws5p7aSYyEU+OIxrVQ3Ky5pirSeKcwG STYGFGlrqOjUMxIQ+7vAJOq2s+O35pQaLJKbSbZej5GS0GI4CbgEPsSLI/r9kwSv/3X5 15/DsH96LqJEAhgxJSJ+abLz0npBG6aZTZa20kwM3omatfBEwuGShnWnHB8+JLu8i3Ja 9BvQ==
X-Gm-Message-State: AOAM530geMF5a+XbZMK9qLeGfXMSroAFA7hIivZ/vjGeAg6WhCnW4Qsn i9NYfGCd2KMrpiflcFEQrkzha7Bj4Fa5acCajqFGCKhYRG7jTpZoZquYXyCcyBw3/33vRZMSBLC AgKJihYku9MPQYw==
X-Google-Smtp-Source: ABdhPJylU3kyg8hHnCPYqJFtn1Cry0fdQZPwIOTdMLhpPp0vBI/UCTW5JEYATEgWwhvXmKEnwzWSzFsawvtVSTjrFIg=
X-Received: by 2002:a19:c658:: with SMTP id w85mr201083lff.560.1606157448085; Mon, 23 Nov 2020 10:50:48 -0800 (PST)
MIME-Version: 1.0
References: <92113933-D3F6-494B-A697-9C0D77F2808B@mit.edu> <016f01d6bfae$407e6bd0$c17b4370$@aueb.gr> <15245_1606132326_5FBBA25D_15245_296_1_0352818D-4793-44E2-832B-3FD7B7BF7507@mit.edu> <2B99664F-C236-422D-BBA1-BCF99485DBDC@mitre.org>
In-Reply-To: <2B99664F-C236-422D-BBA1-BCF99485DBDC@mitre.org>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Nov 2020 11:50:21 -0700
Message-ID: <CA+k3eCT8qFyGD8m84UDMSp37cw87v4AcYMfs5_E1aJV_Ho9d8w@mail.gmail.com>
To: Michael A Peck <mpeck@mitre.org>
Cc: Justin Richer <jricher@mit.edu>, Nikos Fotiou <fotiou@aueb.gr>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000025a56a05b4caac59"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Kx-tit_b3T61F8q_7ONkLQOmbzs>
Subject: Re: [OAUTH-WG] [EXT] Re: Token substitution in DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 18:50:53 -0000

It's not a huge burden but does add some non-zero complexity to the
protocol as well as size to the proof. And in my mind anyway, doing so
would sort of beg the question as to having some similar treatment for
authz codes and refresh tokens. Which can, of course, also be done. But
adds more complexity. And then there are other grant types to consider
(even not doing anything with them demands some consideration of them). I
question if the benefit is sufficient to account for the cost in added
complexity etc.. But anyway, with all that rambling said, I do plan to have
this as a general item for discussion in the upcoming interim meeting.
Which I hope will be an easier forum to better hash it out.

On Mon, Nov 23, 2020 at 6:03 AM Michael A Peck <mpeck@mitre.org> wrote:

> I agree with having the DPoP proof cover the access token (unless there's
> some burden on the clients doing so that I'm unaware of).
>
> That would also limit the ability to pre-compute DPoP proofs with future
> timestamps (I sent an email to the list about this on 1 April) if an
> attacker can perform some kind of attack (XSS?) that temporarily allows
> executing code in the context of the client - as it would prevent
> generating DPoP proofs for access tokens that have not yet been issued.
>
> DPoP key rotation (e.g. "generating and using a new DPoP key for each new
> authorization code grant" as suggested in section 2 of the DPoP draft) is a
> good idea but as Justin says depends on the clients actually doing it, with
> no real enforcement mechanism.
>
> Mike
>
> On 11/23/20, 6:52 AM, "OAuth on behalf of Justin Richer" <
> oauth-bounces@ietf.org on behalf of jricher@mit.edu> wrote:
>
>     Correct, but the choice of using different keys is entirely in the
> hands of the client, as the AS accepts whatever key the client presents in
> its initial DPoP proof to bind to the token. If it’s on the client to
> prevent this kind of thing, we should at least mention it in the security
> considerations. If it’s something we want to prevent wholesale, we should
> expand the signature coverage to the access token, or at least a hash of
> the token.
>
>      — Justin
>
>     > On Nov 20, 2020, at 9:30 PM, Nikos Fotiou <fotiou@aueb.gr> wrote:
>     >
>     > Hi,
>     > The token is granted to a client based on the authorization grant
> and not the client's key. Therefore, a client may use a different key per
> token. At least this is an approach we are following.
>     >
>     > Best,
>     > Nikos
>     >
>     > -----Original Message-----
>     > From: OAuth <oauth-bounces@ietf.org> On Behalf Of Justin Richer
>     > Sent: Friday, November 20, 2020 9:26 PM
>     > To: oauth <oauth@ietf.org>
>     > Subject: [OAUTH-WG] Token substitution in DPoP
>     >
>     > While working on an implementation of DPoP recently, I realized that
> the value of the access token itself is not covered by the DPoP signature
> at all. What I’m wondering is whether or not this constitutes an attack
> surface that we care about here. Here’s how it works:
>     >
>     >
>     > Let’s say that a client creates a DPoP key and uses that key to
> request two tokens, T1 and T2, for different users, Alice and Bob,
> respectively. Alice is malicious and wants to get Bob’s stuff. Alice
> manages to get a hold of Bob’s token value, T2, through some means.
> Normally DPoP wouldn’t let Alice create a new request using T2 since Alice
> doesn’t have the client’s key. However, if Alice gets the client to create
> a request for her using T1, she can copy the signature from that request
> onto a new request using T2. Since the signature doesn’t cover the token
> value and the key is the same, the RS should accept both requests, right?
>     >
>     > An important aspect is that the parts needed to make this attack
> work are a little weird: you’d need access to a valid signed request from
> the client with T1 as well as access to a valid T2 attached to the same key
> in order to make this substitution. However, this is effectively the same
> attack area that bearer tokens have in a lot of ways, since it doesn’t
> require the attacker gaining access to the singing key to generate or
> modify a signature, nor does it require the attacker to generate or modify
> an access token (merely obtain one).
>     >
>     >
>     > I’d like to understand if this is an actual attack against DPoP. If
> it isn’t, how is it countered by DPoP today? If it is, do we discuss in the
> DPoP draft? I didn’t see a mention of it there. If it’s not, should we
> discuss it there?
>     >
>     >
>     > The old OAuth PoP draft mitigates this attack by putting the access
> token itself inside the signature body instead of a second header. Another
> option would be to include a hash of the token value (such as OIDC’s
> “at_hash” method used in ID Tokens) in the DPoP payload. With either of
> these approaches, Alice having access to T1, T2, and a signed message for
> T1 does not allow her to use T2 effectively.
>     >
>     > — Justin
>     > _______________________________________________
>     > OAuth mailing list
>     > OAuth@ietf.org
>     > https://www.ietf.org/mailman/listinfo/oauth
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._