Re: [OAUTH-WG] [EXTERNAL] Re: Mix-Up Revisited

Mike Jones <Michael.Jones@microsoft.com> Thu, 18 June 2020 20:49 UTC

From: Mike Jones <Michael.Jones@microsoft.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>, Daniel Fett <fett@danielfett.de>
CC: oauth <oauth@ietf.org>
Date: Thu, 18 Jun 2020 20:49:50 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fqKwDUn8pBUTsMdZaE3aCK42UUY>

I support documenting the use of the issuer to mitigate mix-up attacks.  Note that while issuer was first defined by OpenID Connect, it became part of OAuth 2.0 in RFC 8414 - OAuth 2.0 Authorization Server Metadata.

                                                       -- Mike

From: OAuth <oauth-bounces@ietf.org> On Behalf Of Brian Campbell
Sent: Thursday, June 18, 2020 1:32 PM
To: Daniel Fett <fett@danielfett.de>
Cc: oauth <oauth@ietf.org>
Subject: [EXTERNAL] Re: [OAUTH-WG] Mix-Up Revisited

In my (probably simplistic) understanding of things, the root underlying issue that allows for mix-up in its variations is the lack of anything identifying the AS in the authorization response. Following from that, introducing and using an `iss` authorization response parameter has always seemed like the most straightforward approach for mitigating the issue (which was part of the draft-ietf-oauth-mix-up-mitigation but other parameters were also included and, for reasons I'm not sure about, interest in that work faded in favor of telling clients to use per AS redirect URIs). Though for the `iss` authorization response parameter to be effective, all parties involved need to know about it and act on it. So I think it'd need to be something more than a passing recommendation in the BCP. It should be defined, registered, explained, etc. Actually introducing a new parameter is maybe going beyond the expected scope of the BCP (or 2.1). But maybe that's ok, if we're at least more intentional about it.

On Sun, Jun 7, 2020 at 7:53 AM Daniel Fett <fett@danielfett.de> wrote:
Hi all,
I was wondering if we should move towards introducing and (more explicitly) recommending the iss parameter in the security BCP, for the reasons laid out below and in the article (which is now at https://danielfett.de/2020/05/04/mix-up-revisited/).

Any thoughts on this?

-Daniel

Am 04.05.20 um 19:34 schrieb Daniel Fett:

Hi all,

to make substantiated recommendations for FAPI 2.0, the security considerations for PAR, and the security BCP, I did another analysis on the threats that arise from mix-up attacks. I was interested in particular in two questions:

  *   Does PAR help prevent mix-up attacks?
  *   Do we need JARM to prevent mix-up attacks?

I wrote down several attack variants and configurations in the following document: https://danielfett.github.io/notes/oauth/Mix-Up%20Revisited.html

The key takeaways are:

  1.  The security BCP needs to make clear that per-AS redirect URIs are only sufficient if OAuth Metadata is not used to resolve multiple issuers. Otherwise, per-Issuer redirect URIs or the iss parameter MUST be used.
  2.  PAR-enabled authorization servers can protect the integrity better and protect against Mix-Up Attacks better if they ONLY accept PAR requests.
  3.  We should emphasize the importance of the iss parameter (or issuer) in the authorization response. Maybe introduce this parameter in the security BCP or another document?
  4.  Sender-constrained access tokens help against mix-up attacks when the access token is targeted.
  5.  Sender-constraining the authorization code (PAR + PAR-DPoP?) might be worth looking into.

I would like to hear your thoughts!

-Daniel


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


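The client-side check that the thread is arguing for, written out as an added example (this is not code from any of the thread's participants; the issuer identifiers, the client's redirect URI and the authorization code are constructed values). The client records which issuer each flow was started at, keyed by `state`, and on the redirect back compares the `iss` authorization response parameter with that recorded issuer. `simulate_mix_up` plays the classic mix-up: the user starts a flow with the attacker's AS, the attacker forwards the user to the honest AS, and the code that arrives at the client was issued by the honest AS while the client believes the flow belongs to the attacker's AS.

```python
"""Added example (not from the thread): client-side `iss` check against a mix-up attack.
Issuer URLs, the redirect URI and the authorization code are constructed values."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Tuple
from urllib.parse import parse_qs, quote, urlsplit

HONEST_AS = "https://honest-as.example"        # constructed issuer identifier
ATTACKER_AS = "https://attacker-as.example"    # constructed issuer identifier


class MixUpDetected(Exception):
    """Raised when a response cannot be attributed to the AS the flow was started with."""


@dataclass
class Client:
    """Minimal OAuth client that records which issuer each pending flow targets."""
    redirect_uri: str = "https://client.example/cb"   # constructed
    pending: dict = field(default_factory=dict)        # state -> issuer

    def begin_authorization(self, issuer: str) -> str:
        """Start a flow at `issuer` and return the `state` to send in the request."""
        state = secrets.token_urlsafe(16)
        self.pending[state] = issuer
        return state

    def handle_authorization_response(self, callback_url: str,
                                      require_iss: bool = True) -> Tuple[str, str]:
        """Validate the redirect back to the client.

        Returns (issuer, code): the issuer whose token endpoint the code may be
        sent to. Raises MixUpDetected when `iss` is missing (if required) or
        differs from the issuer stored when the flow began.
        """
        params = parse_qs(urlsplit(callback_url).query)
        state = params.get("state", [None])[0]
        expected_issuer = self.pending.pop(state, None)   # one-shot: state is consumed
        if expected_issuer is None:
            raise ValueError("unknown or replayed state")
        code = params.get("code", [None])[0]
        if code is None:
            raise ValueError("authorization response carries no code")
        iss = params.get("iss", [None])[0]
        if iss is None:
            if require_iss:
                raise MixUpDetected("no iss in response; cannot tell which AS sent it")
            return expected_issuer, code    # legacy client: trusts the stored issuer
        if iss != expected_issuer:
            raise MixUpDetected(f"iss {iss!r} does not match expected {expected_issuer!r}")
        return expected_issuer, code


def _callback(client: Client, state: str, iss: Optional[str]) -> str:
    """Build the redirect URL an AS would send the browser back with (constructed code)."""
    query = f"code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    if iss is not None:
        query += "&iss=" + quote(iss, safe="")
    return f"{client.redirect_uri}?{query}"


def simulate_mix_up(require_iss: bool, honest_as_sends_iss: bool) -> str:
    """Classic mix-up: the flow is started at ATTACKER_AS, but the code that lands at
    the client was issued by HONEST_AS (the attacker forwarded the user there).
    Returns the issuer whose token endpoint would receive the code, or "rejected"."""
    client = Client()
    state = client.begin_authorization(ATTACKER_AS)
    callback = _callback(client, state, HONEST_AS if honest_as_sends_iss else None)
    try:
        issuer, _code = client.handle_authorization_response(callback, require_iss=require_iss)
    except MixUpDetected:
        return "rejected"
    return issuer


def honest_flow() -> str:
    """Control case: flow started at HONEST_AS, response carries iss=HONEST_AS."""
    client = Client()
    state = client.begin_authorization(HONEST_AS)
    issuer, _code = client.handle_authorization_response(_callback(client, state, HONEST_AS))
    return issuer


if __name__ == "__main__":
    print("no iss, legacy client ->", simulate_mix_up(False, False))  # code goes to the attacker
    print("honest AS sends iss   ->", simulate_mix_up(False, True))   # rejected
    print("client requires iss   ->", simulate_mix_up(True, False))   # rejected
    print("honest flow           ->", honest_flow())
```

Two things the simulation makes visible. First, the legacy client (no `iss` check) sends the honest AS's code to the attacker's token endpoint, which is the whole point of the attack; as soon as the honest AS includes `iss` and the client compares it, the code never leaves the client. Second, the comparison is against the issuer the client itself resolved (the value it would have used to fetch metadata), not against which redirect URI was hit, so it keeps working in the configuration from takeaway 1 where one redirect URI serves several issuers resolved through metadata. A client that knows an AS supports the parameter should treat its absence as a failure (`require_iss=True`), since a downgrade by omission is otherwise trivial. The parameter was later standardized as RFC 9207.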