IETF Logo Mail Archive

Re: [OAUTH-WG] Token substitution in DPoP

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 November 2020 18:04 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4C753A0C73 for <oauth@ietfa.amsl.com>; Mon, 23 Nov 2020 10:04:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LsnPuALU3iTX for <oauth@ietfa.amsl.com>; Mon, 23 Nov 2020 10:04:00 -0800 (PST)
Received: from mail-lj1-x22a.google.com (mail-lj1-x22a.google.com [IPv6:2a00:1450:4864:20::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 883693A0C52 for <oauth@ietf.org>; Mon, 23 Nov 2020 10:04:00 -0800 (PST)
Received: by mail-lj1-x22a.google.com with SMTP id r18so4240874ljc.2 for <oauth@ietf.org>; Mon, 23 Nov 2020 10:04:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=P+xA0P8Hw72AvrsnfXnwuwCKvJUg48ZqltdDpcQ2QJ8=; b=Eurxz8aS+geHauIu/hhwbfREvpXoJ4Vx22C4fakl2cYNDD7uPZ73ksz4xuETSl0IR4 LFnsK+nk1w2RGFNh373EKo6C3AEupqiM1TAr1zKuGGFHw38WZ6XzzMKdzR6z341SfMzM glQcJqxNuoFprh4nlKbiFDv5E4GkJ/C4oncxJTMkYasfVBxX5v4950G+Y20gMDNrt+JH PV2++TNmVJcGaEXurHJkyiiOPWUNp+zlJ01fKbqzKZ3NaR040BVuk2HmCtnDLxaqcsqF Ycvw77nMp22Zyy95UtFeS37k2DP9H+zuIObL1F50zHGdwZF+ZHJwpsNCkew54md1PJRx t75Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=P+xA0P8Hw72AvrsnfXnwuwCKvJUg48ZqltdDpcQ2QJ8=; b=K3nQBb8206SfvpfQ8fnvVzSNOgMmAvU6barGABu2VgmVk6qb6i6FUOLHA9dmAPqME2 DL9zfwuMWP567HVRx/0RyGgtHkfNU83a/AfjXdgopzxCuguJFx9+grFOVbbvaVrMf4XT /K7eP55ms5vVspwBB5oGF8aelL8jQPk1YNjTPwUgAUtn1c2my9/oasLommKehTZi2uEh 78BeemswvEKinyDnlSjy5HhS281u5r0oidtStfL90nvzUlZJSt0HecLdLDivpD+5mn9p YeDhqS6aJPZYe1X7Jf49efyL4TWPqkIzElj5Lc/EPDHySb671zopJl/Jlk6x/srbbYgu myZQ==
X-Gm-Message-State: AOAM533Jlwy60lWqGMCNQUncdo1Rj8lfKLPU7V46dC6uCW5WgC/Zjh+w nxYti98TpPNBU69wKC85bxFdkhtDdEx4MdJtsGZ8jbtL5JrMq2UJOmV7C5iN+xKFQy7zcqpxRBe iKpJs5PQgJmRlQQ==
X-Google-Smtp-Source: ABdhPJx7tBwfTZVTFH415ulVQOErnP7+SMVie9Xuy5CRfG4t2WRAuqvUJZGR4aqLn+MV0CwKp3UwFKKooKu5+THT7KE=
X-Received: by 2002:a2e:2419:: with SMTP id k25mr234784ljk.422.1606154638512; Mon, 23 Nov 2020 10:03:58 -0800 (PST)
MIME-Version: 1.0
References: <92113933-D3F6-494B-A697-9C0D77F2808B@mit.edu>
In-Reply-To: <92113933-D3F6-494B-A697-9C0D77F2808B@mit.edu>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Nov 2020 11:03:32 -0700
Message-ID: <CA+k3eCQX4+5LRmViztuDHM4Ad7zYcoZPXkO1pU-Vf8HeLnr0nA@mail.gmail.com>
To: Justin Richer <jricher@mit.edu>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aef37405b4ca04b8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/LEvVLRZqR6SWTvc51s0jn34OVSI>
Subject: Re: [OAUTH-WG] Token substitution in DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 23 Nov 2020 18:04:10 -0000

The extent of the weirdness needed leads me to feel that it's not a threat
that's in scope. To copy the proof signature from a request with T1 onto a
new request using T2, Alice would need access to the first request, which
is made directly from client to RS. That's not possible for a web server
client so the client would need to be running on Alice's machine/device.
Such on device clients aren't typically going to be acting on behalf of
multiple users. Or if they are, will need to do a lot more to securely
segment the user execution environments from each other. Most of which is
outside what can be done at this protocol application level.



On Fri, Nov 20, 2020 at 12:26 PM Justin Richer <jricher@mit.edu> wrote:

> While working on an implementation of DPoP recently, I realized that the
> value of the access token itself is not covered by the DPoP signature at
> all. What I’m wondering is whether or not this constitutes an attack
> surface that we care about here. Here’s how it works:
>
>
> Let’s say that a client creates a DPoP key and uses that key to request
> two tokens, T1 and T2, for different users, Alice and Bob, respectively.
> Alice is malicious and wants to get Bob’s stuff. Alice manages to get a
> hold of Bob’s token value, T2, through some means. Normally DPoP wouldn’t
> let Alice create a new request using T2 since Alice doesn’t have the
> client’s key. However, if Alice gets the client to create a request for her
> using T1, she can copy the signature from that request onto a new request
> using T2. Since the signature doesn’t cover the token value and the key is
> the same, the RS should accept both requests, right?
>
> An important aspect is that the parts needed to make this attack work are
> a little weird: you’d need access to a valid signed request from the client
> with T1 as well as access to a valid T2 attached to the same key in order
> to make this substitution. However, this is effectively the same attack
> area that bearer tokens have in a lot of ways, since it doesn’t require the
> attacker gaining access to the singing key to generate or modify a
> signature, nor does it require the attacker to generate or modify an access
> token (merely obtain one).
>
>
> I’d like to understand if this is an actual attack against DPoP. If it
> isn’t, how is it countered by DPoP today? If it is, do we discuss in the
> DPoP draft? I didn’t see a mention of it there. If it’s not, should we
> discuss it there?
>
>
> The old OAuth PoP draft mitigates this attack by putting the access token
> itself inside the signature body instead of a second header. Another option
> would be to include a hash of the token value (such as OIDC’s “at_hash”
> method used in ID Tokens) in the DPoP payload. With either of these
> approaches, Alice having access to T1, T2, and a signed message for T1 does
> not allow her to use T2 effectively.
>
>  — Justin
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email