Re: [OAUTH-WG] DPoP: Threat Model

Neil Madden <neil.madden@forgerock.com> Mon, 04 May 2020 17:54 UTC

From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <1427A993-02B5-4444-9FD5-0E62A32D2AF4@forgerock.com>
Date: Mon, 04 May 2020 18:54:21 +0100
In-Reply-To: <9ee75fc4-c134-1a36-1fa3-4c42887dc438@danielfett.de>
Cc: oauth@ietf.org
To: Daniel Fett <fett@danielfett.de>
References: <9ee75fc4-c134-1a36-1fa3-4c42887dc438@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NYxUphAJvaym69iufszPSnZqJiQ>

I mentioned another one in my recent email - BREACH attacks against HTTP compression being used to steal access tokens in transit.

There’s a variant of the online XSS attacks in which the attacker just proxies requests through the victim’s browser (https://beefproject.com/) rather than exfiltrating tokens/proofs. You can protect against exfiltration attacks by e.g. token binding the DPoP proofs and/or access token, or storing the access token in an HttpOnly cookie (gasp!). You can protect against exfiltrating post-dated DPoP proofs by storing the private key in a separate origin loaded in an iframe that you use postMessage to ask for proof tokens so the attacker is not in control of those claims. Nothing really protects against an attacker proxying requests through your browser, so this is purely post-compromise recovery rather than an actual defence against XSS.

— Neil

> On 4 May 2020, at 18:24, Daniel Fett <fett@danielfett.de> wrote:
> 
> Hi all,
> 
> as mentioned in the WG interim meeting, there are several ideas floating around of what DPoP actually does.
> 
> In an attempt to clarify this, if have unfolded the use cases that I see and written them down in the form of attacks that DPoP defends against: 
> https://danielfett.github.io/notes/oauth/DPoP%20Attacker%20Model.html
> Can you come up with other attacks? Are the attacks shown relevant?
> 
> Cheers,
> Daniel
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth