Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
nov matake <matake@gmail.com> Fri, 22 January 2016 02:40 UTC
Return-Path: <matake@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05FC11B369B for <oauth@ietfa.amsl.com>; Thu, 21 Jan 2016 18:40:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tFTLf-OsE1Gd for <oauth@ietfa.amsl.com>; Thu, 21 Jan 2016 18:39:57 -0800 (PST)
Received: from mail-pa0-x22d.google.com (mail-pa0-x22d.google.com [IPv6:2607:f8b0:400e:c03::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57E241B369A for <oauth@ietf.org>; Thu, 21 Jan 2016 18:39:57 -0800 (PST)
Received: by mail-pa0-x22d.google.com with SMTP id ho8so33175408pac.2 for <oauth@ietf.org>; Thu, 21 Jan 2016 18:39:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=content-type:mime-version:subject:from:in-reply-to:date:cc :message-id:references:to; bh=o1rUuk3Nmb2vcdsZUU23zSD+mNRuUO0SlM7xuvQXtX0=; b=ooXwq6zof1YTwBulxcLG4Ct9dsgwVBS/oQF3oyLwWOYBag2nH6O302n14LKUdLfFFc mHkmOHYCKmrzoLXixdW3iCnNitjagZCdL80Dxct3BEGdLbwNfqivpksHDDiqrxifEY72 AWzUtOje5v89fUgzwm3KZhtjpxh3WLLhISnmijxE7esf/7EspeoB9k4mZn6c14R62+dw FtzV5LKD8e9q2b3eUvtSrcswSMRcOIWG25EGXIbCrZmIw0F+9iE057qPtoFbJluM0XHL 1xrzT96SqxFytteY5NND+fTAPYTyPEgKT/RdW/1I5JnrpWNjLWa9KorkiqpydJ3dj/3Q 5NCw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=o1rUuk3Nmb2vcdsZUU23zSD+mNRuUO0SlM7xuvQXtX0=; b=liuG/c6daQSogc1C7nU7lr6K/IC4G/bp+1Vp8eUVWDJFhRNI7+yBMcRt/pXEDr+8pJ ovAnl94IWnM25grQK4a08y7PjRfJ0GJiEhvJYVUplo2caxBQB8SKKC2pO6pkSJQ01ga7 0wkj+hnkuPXmnHdQNQwcy4L03NjEtVZXq1gXthiMggVRoxRlbBvNPRzDyAMzS0hKvKmy 79aX8rSK7FLYZ9Myac/Oq0xaG293VUtMe7d1qXmviYQk1miPTDC17uXnuicY/TjNysSa RRBP16URsxCgZgEl4dsW4bm4l1woqEH5aBu8zCL1JRhtDlzo58r5CJx59d5hwQyyLGTs SN2Q==
X-Gm-Message-State: AG10YOTMLKeSXu6pcu1xSmapH2U8NSzuNibTJ1fPv9yItEjvfClCo2cPBm/BMn43Nk6l1Q==
X-Received: by 10.66.102.40 with SMTP id fl8mr937707pab.136.1453430397002; Thu, 21 Jan 2016 18:39:57 -0800 (PST)
Received: from tovan.intra.gree-office.net ([27.110.57.140]) by smtp.gmail.com with ESMTPSA id v2sm5407575pfi.93.2016.01.21.18.39.55 (version=TLSv1/SSLv3 cipher=OTHER); Thu, 21 Jan 2016 18:39:56 -0800 (PST)
Content-Type: multipart/alternative; boundary="Apple-Mail=_ED800867-02A0-4F12-A3B7-4F1FEDE1029D"
Mime-Version: 1.0 (Mac OS X Mail 9.2 \(3112\))
From: nov matake <matake@gmail.com>
In-Reply-To: <BY2PR03MB4425923CAC5A0B0A46BA1A6F5C40@BY2PR03MB442.namprd03.prod.outlook.com>
Date: Fri, 22 Jan 2016 11:39:54 +0900
Message-Id: <2A3855B0-022A-4D34-BEB8-C5E261CE72D7@gmail.com>
References: <569E22E1.5010402@gmx.net> <CANSMLKHjAHr6rUZny5EkX0KBHnOcLuUOZBL0Wwf6V8Y3tt_kNw@mail.gmail.com> <CABzCy2C-_57dO5n6GN6wazA9ozuPivrQd95g_XvdkPWx6zDwAA@mail.gmail.com> <CANSMLKE98FVdDV-7bwW3wZ=-ao5=oXkn9LO5s_M1KmMAt7Drcw@mail.gmail.com> <537B9D13-1159-4B2D-9E1A-A245C9B3659C@ve7jtb.com> <CABzCy2DD9K7hMV+AG8RaYJ5ESiiN+PCC-bXDSRHX-OVNf_VyFA@mail.gmail.com> <2019564A-9F00-4FDA-9AD8-420F9789DF44@ve7jtb.com> <BY2PR03MB4425923CAC5A0B0A46BA1A6F5C40@BY2PR03MB442.namprd03.prod.outlook.com>
To: Mike Jones <Michael.Jones@microsoft.com>
X-Mailer: Apple Mail (2.3112)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/N0_4Xb5sE-Z8unYZ_C7Lv3ZD5Lc>
Cc: "oauth@ietf.org WG" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 02:40:02 -0000
If the OAuth server supports discovery, “iss” can be used. If not, attacker’s OAuth server can describe honest OAuth server’s “iss” in its developer document. So returning “iss” would require discovery support NOW, not in the future. > On Jan 22, 2016, at 10:04, Mike Jones <Michael.Jones@microsoft.com> wrote: > > I believe that it’s simpler and more elegant to return an issuer, from which the discovery metadata document can be retrieved, which contains *all* the configuration information about the authorization server, than to return some of the configuration parameters but not most of them (which is what the oauth-meta proposal does). There’s lots more in a typical discovery document than just a few endpoint addresses. For instance, there are statements about what response types are supported, other configuration choices, keys, etc. > > I also think that returning the issuer is more future-proof than trying to decide now what all the configuration information is that might want to be verified by the client and hoping we get it right. With the issuer, assuming that discovery is supported, it can retrieve and check all of it, should the client want/need to do so. Even when discovery isn’t supported, the issuer still provides a concrete identifier for the authorization server that can be checked for equality. > > We talked about the value of that approach in the side meetings in Yokohama and people were supportive then. > > -- Mike > > From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley > Sent: Thursday, January 21, 2016 4:48 PM > To: Nat Sakimura <sakimura@gmail.com> > Cc: oauth@ietf.org WG <oauth@ietf.org> > Subject: Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mitigation > > I will point out for clarification that this would be like IdP discovery in openID 2 that everyone did. I think IdP not doing RP discovery in openID 2 is a weak argument. > There may be other evidence that RP will not do discovery, but if that is the case why are we doing a OAuth discovery spec? > Many people see your spec as discovery as well just in a different way. > > I think both ways can work, but doing both leaves too many options. > > John B. > > > On Jan 21, 2016, at 9:38 PM, Nat Sakimura <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote: > > Still doing the analysis. We spent 1.5 hours today with John, George, nov and me on the OpenID Connect WG call on this issue. John explained the mitigation, but none of us was convinced that it works. > > Then, after the call, I and nov went on with various scenarios. The interim conclusion is that: > client_id response parameter does not help. There are legitimate cases that client_id duplicates out there and we cannot ban that. > iss response parameter does not help unless the discovery is performed and the value of iss is checked against the value of OAuth issuer inside the document. (<- Discovery becomes mandatory. From our experience on RP discovery step in OpenID 2.0, chance of this being done properly seems to be rather slim.) > sending the state to the token endpoint helps in the case code was stollen, but code should not be stolen to start with. > Cheers, > > Nat > > > 2016年1月22日(金) 7:59 John Bradley <ve7jtb@ve7jtb.com <mailto:ve7jtb@ve7jtb.com>>: > There have been a lot of discussions. I think Hannes posted some minutes of the F2F meeting we had with the security researchers. > > The problem can’t be mitigated without some action on the client side. It boils down to the client making a request to AS1 (From it’s perspective) and getting back a response from AS 2 (that it thinks is AS1) > > This can be done if AS1 is a good AS but has it’s logs compromised so that an attacker can read them. Hans Zandbelt built a proof of concept for the attack. > > In some cases the attacker gets the code and the credential to use it at the good AS token endpoint and in others it just gets the code and can replay that at the client to extract information from the API through the client by binding the api access to a new account. > > PKCE unfortunately mitigates a different attack, where the client is impersonated and trys to replay a intercepted code. It however assumes the token endpoint is good, and is no help in the case of a compromised token endpoint. > > The client in these attacks is vulnerable because it relies on some local state, or the value of the state parameter to know who the response is coming from. This allows a authorization request that is intercepted to be used to create a new request in that browser to a different AS, or trick the client into using a Authorization endpoint for a different authorization server. > > One problem is that OAuth doesn’t really have a unified concept of what a AS is. Traditionally it is a Authorization endpoint URI, token end point URI and resource server URI that some one gives the client in some documentation. > > As ling as a client only talks to one AS then there is no problem. However once a client is configured to talk to more than one AS, we have problems if one of those AS lies about it’s endpoints, or is compromised and used to attack another AS. As a design goal you don’t want the overall security to be limited by the weakest system. > > One approach as Nat promotes is to have the authorization endpoint return the next hop, token endpoint for code or RS URI for token. The token endpoint must also return the RS URI or the client must push the RS URI to the token endpoint or the attacker just replaces the RS URI in the config and captures the token that way. > > The other way is to provide a name for each AS as part of registration and the client not allow duplicate registrations with the same name. When the response comes back the client checks the name against the one it made the request to. If the name dereferences to a discovery document then the client can check that name at registration or runtime to validate the net hops. > > I think the two approaches mitigate the attack in similar ways. Nat’s is more REST friendly and returns the next hop as a parameter of header. > > The one Mike and I wrote up based on the meeting in Germany provides identifiers (iss and client_id) that can be checked for validity in the simple case and be dereferenced via .well-known to get the information Nat’s proposal is providing. > > Perhaps the main difference is Nat is using the token endpoint as the identifier for the AS and Mike’s is using location for a discovery document as the identifier. > > I don’t recall the reasons using the token endpoint as the identifier was rejected at the meeting. Perhaps others can post the reasons. > > We need to close on this quickly, otherwise if we are indecisive fixes will not go into products for another year or so until this is a RFC. > > That is my main concern. > > John B. > > > > > > On Jan 21, 2016, at 11:50 AM, Josh Mandel <jmandel@gmail.com <mailto:jmandel@gmail.com>> wrote: > > Thanks Nat - that's helpful. If both mitigations *can* work effectively, then I would like to see this group consider the decision between them carefully (if that hasn't happened yet). Again, don't hesitate to let me know if this is the wrong place/time for such discussion. > At a high level, I would rather ask server developers to do some "coding", for two reasons: > 1. Most OAuth servers talk to many, many clients. So consolidating the security critical work in one place (server) is a net savings of work (rather than asking each client to implement these checks. > 2. OAuth server developers are typically more sophisticated than client developers, and therefore more likely to understand the implications and more likely to get these critical details correct. Asking each client developer to do something right is likely to result in heterogenius implementation and persistent security holes. But if the server does the heavy lifting, and clients just have to pass along an extra parameter, this is more likely to see consistent implementation (for example, clients will fail to work if misconfigured, which will prompt developers to fix them). > On Jan 21, 2016 09:40, "Nat Sakimura" <sakimura@gmail.com <mailto:sakimura@gmail.com>> wrote: > Hi Josh, > > It is similar but slightly different IMHO. > > Section 4.6.4 of the RFC6819 is the access token phishing by a counterfeit resource server. > The mix-up attack described here is the code phishing by a counterfeit token endpoint. > > In my view, both can be mitigated by the server returning the next step: i.e., authorization endpoint returning the legitimate token endpoint uri, and token endpoint returning legitimate resource endpoint uris. This involves no discovery endpoint, which is good. > > Your way also works. It is just the reverse of my proposal. The difference being that my proposal does not need any coding on the server but just configuration, and it can return more metadata if needed. > > Cheers, > > Nat > > 2016年1月21日(木) 23:04 Josh Mandel <jmandel@gmail.com <mailto:jmandel@gmail.com>>: > Apologies if this is the wrong forum for my comment (and please direct me to the appropriate place in that case), but I have two questions about the propose mitigation (and the thinking behind it) that I think the write-up could address: > 1. Could the writeup clarify whether/how the primary "mixup" threat differs from what RFC6819 identifies as in section 4.6.4? > 2. Has the workgroup considered a mitigation that puts more responsibility on the authorization server, and less on the client? For example, if would be helpful for the writeup to clarify why having the client send an "audience field" (in the terminology of RFC6819) to the authorization endpoint would not mitigate the threat. (In that scenario, the authorization server can recognize that the audience does not correspond to a resource server it knows, rather than asking clients to make this check). I assume this approach has been considered and rejected as an incomplete mitigation, but I don't have visibility into where/how that discussion went. > Thanks, > Josh > Hi all, > > this is the call for adoption of OAuth 2.0 Mix-Up Mitigation, see > https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00 <https://tools.ietf.org/html/draft-jones-oauth-mix-up-mitigation-00> > > Please let us know by Feb 9th whether you accept / object to the > adoption of this document as a starting point for work in the OAuth > working group. > > Note: This call is related to the announcement made on the list earlier > this month, see > http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html <http://www.ietf.org/mail-archive/web/oauth/current/msg15336.html>. More > time for analysis is provided due to the complexity of the topic. > > Ciao > Hannes & Derek > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org <mailto:OAuth@ietf.org> > https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-Up Mi… Hannes Tschofenig
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Brian Campbell
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt (IDM)
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… William Denniss
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Anthony Nadalin
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Antonio Sanso
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Roland Hedberg
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Josh Mandel
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Josh Mandel
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… William Denniss
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Mike Jones
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… nov matake
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Hans Zandbelt
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… William Denniss
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… nov matake
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Vladimir Dzhuvinov
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt (IDM)
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Justin Richer
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… nov matake
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nov Matake
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt (IDM)
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt (IDM)
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… nov matake
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt (IDM)
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… George Fletcher
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Justin Richer
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Hans Zandbelt
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Hans Zandbelt
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… John Bradley
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Phil Hunt (IDM)
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Nat Sakimura
- Re: [OAUTH-WG] Call for Adoption: OAuth 2.0 Mix-U… Mike Jones