Re: [OAUTH-WG] PKCE: SHA256(WAT?)

Mike Jones <Michael.Jones@microsoft.com> Fri, 30 January 2015 19:38 UTC

Return-Path: <Michael.Jones@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4A4CB1A1B77 for <oauth@ietfa.amsl.com>; Fri, 30 Jan 2015 11:38:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.395
X-Spam-Level:
X-Spam-Status: No, score=-0.395 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, SUBJ_ALL_CAPS=1.506] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Mo4VS9njooa5 for <oauth@ietfa.amsl.com>; Fri, 30 Jan 2015 11:38:54 -0800 (PST)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2on0113.outbound.protection.outlook.com [207.46.100.113]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34F291A1B9C for <oauth@ietf.org>; Fri, 30 Jan 2015 11:38:54 -0800 (PST)
Received: from CH1PR03CA010.namprd03.prod.outlook.com (10.255.156.155) by DM2PR0301MB1312.namprd03.prod.outlook.com (25.160.222.17) with Microsoft SMTP Server (TLS) id 15.1.65.19; Fri, 30 Jan 2015 19:38:51 +0000
Received: from BN1BFFO11FD038.protection.gbl (10.255.156.132) by CH1PR03CA010.outlook.office365.com (10.255.156.155) with Microsoft SMTP Server (TLS) id 15.1.75.20 via Frontend Transport; Fri, 30 Jan 2015 19:38:51 +0000
Received: from mail.microsoft.com (131.107.125.37) by BN1BFFO11FD038.mail.protection.outlook.com (10.58.144.101) with Microsoft SMTP Server (TLS) id 15.1.75.11 via Frontend Transport; Fri, 30 Jan 2015 19:38:51 +0000
Received: from TK5EX14MBXC291.redmond.corp.microsoft.com ([169.254.2.242]) by TK5EX14HUBC105.redmond.corp.microsoft.com ([157.54.80.48]) with mapi id 14.03.0224.003; Fri, 30 Jan 2015 19:38:07 +0000
From: Mike Jones <Michael.Jones@microsoft.com>
To: John Bradley <ve7jtb@ve7jtb.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] PKCE: SHA256(WAT?)
Thread-Index: AQHQPBmnAv7fsfHclEyYI3e5SN6eHpzYr9IXgAAGSgCAAC02gIAAK5GAgAAAPbA=
Date: Fri, 30 Jan 2015 19:38:05 +0000
Message-ID: <4E1F6AAD24975D4BA5B1680429673943A2201928@TK5EX14MBXC291.redmond.corp.microsoft.com>
References: <CA+k3eCQHZJYJ3mMfdGTdO=S3VVQdU+qhjVz+QsEeobJokNSHEA@mail.gmail.com> <FD9F9F2A-8B32-4A26-95CC-59C8C465A202@sakimura.org> <CA+k3eCRn0xT+_fA0G3Q3OjjH9Lq-2AfC+Mv7Gq8bYnHqH5TFDw@mail.gmail.com> <CABzCy2CWnjmeBGT8hgQY-R9Z6u=UFM8AAvHDr1MV81kJXST9WQ@mail.gmail.com> <CA+k3eCTp3xyRuLdCtd3CK_uaACEOYvwYFb4DBs6Cy7UvVMX_ZA@mail.gmail.com> <EE51DE36-7566-4713-8AE3-9F815FA1EE77@ve7jtb.com>
In-Reply-To: <EE51DE36-7566-4713-8AE3-9F815FA1EE77@ve7jtb.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [157.54.51.74]
Content-Type: multipart/alternative; boundary="_000_4E1F6AAD24975D4BA5B1680429673943A2201928TK5EX14MBXC291r_"
MIME-Version: 1.0
X-EOPAttributedMessage: 0
Received-SPF: Pass (protection.outlook.com: domain of microsoft.com designates 131.107.125.37 as permitted sender) receiver=protection.outlook.com; client-ip=131.107.125.37; helo=mail.microsoft.com;
Authentication-Results: spf=pass (sender IP is 131.107.125.37) smtp.mailfrom=Michael.Jones@microsoft.com; ve7jtb.com; dkim=none (message not signed) header.d=none;
X-Forefront-Antispam-Report: CIP:131.107.125.37; CTRY:US; IPV:CAL; IPV:NLI; IPV:NLI; EFV:NLI; SFV:NSPM; SFS:(10019020)(76104003)(24454002)(377454003)(52314003)(377424004)(77156002)(86612001)(50986999)(102836002)(15975445007)(62966003)(54356999)(76176999)(55846006)(512874002)(86362001)(2900100001)(46102003)(16236675004)(106116001)(92566002)(33656002)(19617315012)(2950100001)(2920100001)(19580405001)(6806004)(84326002)(87936001)(106466001)(66066001)(2656002)(104016003)(93886004)(19625215002)(19580395003)(19300405004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB1312; H:mail.microsoft.com; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DM2PR0301MB1312;
X-O365ENT-EOP-Header: Message processed by - O365_ENT: Allow from ranges (Engineering ONLY)
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004); SRVR:DM2PR0301MB1312;
X-Forefront-PRVS: 04724A515E
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB1312;
X-OriginatorOrg: microsoft.onmicrosoft.com
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 30 Jan 2015 19:38:51.0921 (UTC)
X-MS-Exchange-CrossTenant-Id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=72f988bf-86f1-41af-91ab-2d7cd011db47; Ip=[131.107.125.37]
X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB1312
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/Okfqr8_Ykt7Zn_bUPLe7SZGr2lA>
Cc: oauth <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] PKCE: SHA256(WAT?)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 Jan 2015 19:38:57 -0000

http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-1.1 uses this notation:

   UTF8(STRING) denotes the octets of the UTF-8 [RFC3629<http://tools.ietf.org/html/rfc3629>] representation
   of STRING, where STRING is a sequence of zero or more Unicode
   [UNICODE<http://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#ref-UNICODE>] characters.

   ASCII(STRING) denotes the octets of the ASCII [RFC20<http://tools.ietf.org/html/rfc20>] representation
   of STRING, where STRING is a sequence of zero or more ASCII
   characters.

This is unambiguous and has already been vetted by the IESG and SecDir, so I would use exactly this wording.

OCTETS(STRING) is ambiguous, since for the same string there are many possible representations as octets, including ASCII, UTF-8, UTF-16, UTF-32, and EBCDIC.

                                                                -- Mike

From: OAuth [mailto:oauth-bounces@ietf.org] On Behalf Of John Bradley
Sent: Friday, January 30, 2015 11:33 AM
To: Brian Campbell
Cc: oauth; Naveen Agarwal
Subject: Re: [OAUTH-WG] PKCE: SHA256(WAT?)

Have a look at the latest version I added OCTETS(STRING) to show the conversion.   ASCII(STRING) seemed more confusing by drawing character encoding back in.

I was tempted to call it a octet array without the terminating NULL of STRING but didn’t want to introduce array.

Let me know what you think.

On Jan 30, 2015, at 1:56 PM, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:

But, while it may be clear to you, what I'm saying here is that it's not clear to a reader/implementer.

Somehow the conversion from a character string to an octet string needs to be clearly and unambiguously stated. It doesn't have to be the text I suggested but it's not sufficient as it is now.

Something like this might work, if you don't want to touch the parts in 4.2 and 4.6: "SHA256(STRING) denotes a SHA2 256bit hash [RFC6234] of the octets of the ASCII [RFC0020] representation of STRING."

An "octet sequence using the url and filename safe Alphabet [...], with length less than 128 characters." is ambiguous. Octets and characters are intermixed with no mention of encoding. But they're not interchangeable.


On Fri, Jan 30, 2015 at 7:15 AM, Nat Sakimura <sakimura@gmail.com<mailto:sakimura@gmail.com>> wrote:
I do not think we need ASCII(). It is quite clear without it, I suppose.

In 4.1, I would rather do like:

 code_verifier = high entropy cryptographic random
   octet sequence using the url and filename safe Alphabet [A-Z] / [a-z]
   / [0-9] / "-" / "_" from Sec 5 of RFC 4648 [RFC4648], with length
   less than 128 characters.

Nat

2015-01-30 22:51 GMT+09:00 Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>>:
That's definitely an improvement (to me anyway).
Checking that the rest of the document uses those notations appropriately, I think, yields a few other changes. And probably begs for the "ASCII(STRING) denotes the octets of the ASCII representation of STRING" notation/function, or something like it, to be put back in. Those changes might look like the following:

In 4.1.:

OLD:
   code_verifier = high entropy cryptographic random ASCII [RFC0020]
   octet sequence using the url and filename safe Alphabet [A-Z] / [a-z]
   / [0-9] / "-" / "_" from Sec 5 of RFC 4648 [RFC4648], with length
   less than 128 characters.

NEW (maybe):
  code_verifier = high entropy cryptographically strong random STRING
  using the url and filename safe Alphabet [A-Z] / [a-z]
   / [0-9] / "-" / "_" from Sec 5 of RFC 4648 [RFC4648], with length
   less than 128 characters.

In 4.2.:

OLD:
   S256  "code_challenge" = BASE64URL(SHA256("code_verifier"))

NEW (maybe):
   S256  "code_challenge" = BASE64URL(SHA256(ASCII("code_verifier")))

In 4.6.:

OLD:
   SHA256("code_verifier" ) == BASE64URL-DECODE("code_challenge").

NEW (maybe):
   SHA256(ASCII("code_verifier")) == BASE64URL-DECODE("code_challenge").



On Thu, Jan 29, 2015 at 8:37 PM, Nat Sakimura (=nat) <nat@sakimura.org<mailto:nat@sakimura.org>> wrote:
I take your point, Brian.

In our most recent manuscript, STRING is defined inside ASCII(STRING) as

STRING is a sequence of zero or more ASCII characters

but it is kind of circular, and we do not seem to use ASCII().

What about re-writing the section like below?

STRING denotes a sequence of zero or more ASCII  [RFC0020]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#RFC0020> characters.
OCTETS denotes a sequence of zero or more octets.
BASE64URL(OCTETS) denotes the base64url encoding of OCTETS, per Section 3<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#Terminology> producing a ASCII[RFC0020]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#RFC0020> STRING.
BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, per Section 3<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#Terminology>gy>, producing a sequence of octets.
SHA256(OCTETS) denotes a SHA2 256bit hash [RFC6234]<http://xml2rfc.ietf.org/cgi-bin/xml2rfc.cgi#RFC6234> of OCTETS.





On Jan 30, 2015, at 08:15, Brian Campbell <bcampbell@pingidentity.com<mailto:bcampbell@pingidentity.com>> wrote:

In §2 [1] we've got "SHA256(STRING) denotes a SHA2 256bit hash [RFC6234] of STRING."
But, in the little cow town where I come from anyway, you hash bits/octets not character strings (BTW, "STRING" isn't defined anywhere but it's kind of implied that it's a string of characters).
Should it say something more like "SHA256(STRING) denotes a SHA2 256bit hash [RFC6234] of the octets of the ASCII [RFC0020] representation of STRING."?
I know it's kind of pedantic but I find it kind of confusing because the code_verifier uses the url and filename safe alphabet, which has me second guessing if SHA256(STRING) actually means a hash of the octet produced by base64url decoding the string.
Maybe it's just me but, when reading the text, I find the transform process to be much more confusing than I think it needs to be. Removing and clarifying some things will help. I hate to suggest this but maybe an example showing the computation steps on both ends would be helpful?

Also "UTF8(STRING)" and "ASCII(STRING)" notations are defined in §2 but not used anywhere.

And §2 also says, "BASE64URL-DECODE(STRING) denotes the base64url decoding of STRING, per Section 3, producing a UTF-8 sequence of octets." But what is a UTF-8 sequence of octets? Isn't it just a sequence octets? The [RFC3629] reference, I think, could be removed.

[1] https://tools.ietf.org/html/draft-ietf-oauth-spop-06#section-2

Nat Sakimura
nat@sakimura.org<mailto:nat@sakimura.org>








--
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en