IETF Logo Mail Archive

Re: [OAUTH-WG] Mix-Up and CnP/ Code injection

Dominick Baier <dbaier@leastprivilege.com> Mon, 02 May 2016 06:11 UTC

Return-Path: <dbaier@leastprivilege.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B9F512D0F5 for <oauth@ietfa.amsl.com>; Sun, 1 May 2016 23:11:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=leastprivilege-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wpBn9r_cQ4RS for <oauth@ietfa.amsl.com>; Sun, 1 May 2016 23:11:48 -0700 (PDT)
Received: from mail-wm0-x22e.google.com (mail-wm0-x22e.google.com [IPv6:2a00:1450:400c:c09::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8FF4412B062 for <oauth@ietf.org>; Sun, 1 May 2016 23:11:47 -0700 (PDT)
Received: by mail-wm0-x22e.google.com with SMTP id a17so125796147wme.0 for <oauth@ietf.org>; Sun, 01 May 2016 23:11:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=leastprivilege-com.20150623.gappssmtp.com; s=20150623; h=date:from:to:cc:message-id:in-reply-to:references:subject :mime-version; bh=Qy1QE6Mc/0bqaVBdYV5fmEVJ4jlctEuRRMW/CaB22hU=; b=fFmkT04dn649o/YbyDb+tDkdHJ0/pa0ShcZHZXrzwm/hc9iRzj2FImSNAV2H9+72mD MnQ0Rv/4aazHUyd8nctZAt8bsQjP23esV3q113d+Y2RtfJBVWSVAi6u+0uyC3fNqS+w7 PYoXqrUM21rXsDCvLN9KzNgwHcNDLN1v22JrVRQM6fGgLjO30X08xxy2enJCcVhyIhls WvNtJoX7yPOe9VE6YsBO4ZXPM6U/xL6bg5pGJlW9vBYvV+si71QsK3nrWOn5Dy/Pv6xB OSEGlQrily+8P9UFoMb1qglCICvlrrcNIAG6pIhJVP5cJKMHQeXXNcRBuPzJO32nYuyE UHMg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:message-id:in-reply-to :references:subject:mime-version; bh=Qy1QE6Mc/0bqaVBdYV5fmEVJ4jlctEuRRMW/CaB22hU=; b=YQVbFuSNQTr0l5ErMNXthxgbYuBBN9La4Jr08h09jnncwhmvqylA8LQ1MnLzJ67X4s sNJfjcDhG882x7nzvjZs26E22heqUaIM0PyY8oAQkpBNPwBaphRtBR8JaC3Rb+9Z64km mZQxNtFp/nbW36CX7B1eNJS83XB9I/603Czfyukq5nMC9bw7uHUDfK/qfcSO319b7Um7 zwxUmc3HaMdMFebMaNDOIYm0cMqegrp/P1UlUxFoQd9Qxlg5p98/WK+5Lk6ci2YcsMaM HSn95+PKFCe0PH/WtikjzcvUwZ0x79KE0+q+1bS3jAX5+tM7D0cc04v2CA96Lanc1aOC grUw==
X-Gm-Message-State: AOPr4FUX0NdFlTN2C45YFrr2TRr3uEABGoZS4LEFkDe3r8vvpTmKHuX1vPWGBfCclnB+pw==
X-Received: by 10.194.63.226 with SMTP id j2mr34314696wjs.27.1462169506102; Sun, 01 May 2016 23:11:46 -0700 (PDT)
Received: from dombp.fritz.box (HSI-KBW-078-042-013-158.hsi3.kabel-badenwuerttemberg.de. [78.42.13.158]) by smtp.gmail.com with ESMTPSA id us3sm28465057wjc.41.2016.05.01.23.11.44 (version=TLSv1/SSLv3 cipher=OTHER); Sun, 01 May 2016 23:11:44 -0700 (PDT)
Date: Mon, 02 May 2016 08:11:45 +0200
From: Dominick Baier <dbaier@leastprivilege.com>
To: William Denniss <wdenniss@google.com>, Nat Sakimura <sakimura@gmail.com>
Message-ID: <etPan.5726efa1.41c78acc.2bb@dombp.fritz.box>
In-Reply-To: <CAAP42hBTMP=j7O5uCsaux0NmKdwEZF7Mt3DOzPNYYvsd8R+z4w@mail.gmail.com>
References: <571B60BA.8090301@lodderstedt.net> <CABzCy2DeMSGc_yjKi=NWJjh7RLoVsb+KyD9S_MuiQ_gJNg5+fw@mail.gmail.com> <49355f12-ef58-0637-47e0-7acd54e882d9@lodderstedt.net> <DA464416-4C42-4A3A-B829-70E14B6C1149@mit.edu> <CABzCy2DD+E4CNUHL3Bh_sZW+UF2Ea4tBA6am+LkJbrisepxMgQ@mail.gmail.com> <CAAP42hBTMP=j7O5uCsaux0NmKdwEZF7Mt3DOzPNYYvsd8R+z4w@mail.gmail.com>
X-Mailer: Airmail (351)
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="5726efa1_6f5db174_2bb"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/P0J7M4jmk6U6UO4P2v-vfeung2U>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mix-Up and CnP/ Code injection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2016 06:11:50 -0000

The id_token is a validatable protocol response - OAuth on its own cannot provide this and i doubt it is worth teaching teaching it new tricks. 

I personally have moved on to always add id_token as a response type - together with OIDC discovery, in my mind OIDC is a superset of OAuth and I always use them together - or put differently - I recommend against using OAuth on its own without OIDC (besides client_creds/extension grants scenarios of course).

— 
cheers
Dominick Baier

On 2 May 2016 at 04:08:25, William Denniss (wdenniss@google.com) wrote:

I'm inclined to think that Nat's comment is right: "As I look at it more and more, it started to look like the problem of accepting tainted values without message authentication. To fix the root cause, we would have to authenticate response. ID Token was designed to also serve as a solution anticipating it."

Even if we workaround the current issue with more unbound plain text params, will it solve the next issue?  Personally I'm not convinced.

I also wonder at what level of risk is the right solution "code id_token", which the researchers note will mitigate the attacks (when implemented correctly).

If we absolutely must solve this without "id_token", I know John has a few ideas for lightweight binding of the request & response by hashing the request URL and some config. I wonder if a "lightweight crypto" approach is superior to "more unbound params" as the best non-id_token option.

On Sat, Apr 30, 2016 at 10:36 PM, Nat Sakimura <sakimura@gmail.com> wrote:
It actually depends on what risk level the transaction is at. For low risk transactions, just having separate redirection endpoint may be adequate. On the other hand, I can easily think of an attack that replaces iss on the authz response making the control invalid posing questions on whether it is worth introducing it.
On Sun, May 1, 2016 at 14:21 Justin Richer <jricher@mit.edu> wrote:
I agree that we’re getting dangerously close to recommending signed assertions at every step of the process, thereby bypassing HTTP. This was the same mistake that WS-* and SOAP made, let’s not repeat it if we can.

 — Justin

On Apr 30, 2016, at 10:57 AM, Torsten Lodderstedt <torsten@lodderstedt.net> wrote:

Hi Nat,

sure, one could also authenticate and cryptographically protect the redirect response. Leveraging OIDC concepts is an idea worth considering but they should be adopted to the OAuth philosophy. The id token as used in the hybrid flows mixes an identity assertion with elements of transport security measures. A OAuth AS does not provide identity data to clients, so we only need the transport security part.

I personally would prefer a OAuth response object (similar to request object you have proposed) over the id token. Such a response object could contain (and directly protect) state, code and other response values. I consider this the more elegant design and it is easier to implement then having detached signatures over hash values of codes or access tokens. Moreover, it would allow to encrypt the response as well.

Generally, our threat analysis so far does not have provided justification for cryptographically protected redirect responses. All proposals currently on the table stop mix up and code injection using simpler mechanisms.

I think OAuth 2.0 is a huge success due to its balance of versatility, security and _simplicity_. We definitely need to keep it secure, but we should also keep it as simple as possible.

kind regards,
Torsten.

Am 29.04.2016 um 10:08 schrieb Nat Sakimura:
As I look at it more and more, it started to look like the problem of accepting tainted values without message authentication. To fix the root cause, we would have to authenticate response. ID Token was designed to also serve as a solution anticipating it.

Any concrete ideas?

On Sat, Apr 23, 2016 at 04:47 Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
Hi all,

discussion about Mix-Up and CnP seems to have stopped after the session
in BA - at least in the OAuth WG. There is a discussion about
mitigations in OpenId Connect going on at the OpenId Connect mailing list.

I'm very much interested to find a solution within the OAuth realm as
I'm not interested to either implement two solutions (for OpenId Connect
and OAuth) or adopt a OpenId-specific solution to OAuth (use id! tokens
in the front channel). I therefore would like to see progress and
propose to continue the discussion regarding mitigations for both threats.

https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
proposes reasonable mitigations for both attacks. There are alternatives
as well:
- mix up:
-- AS specific redirect uris
-- Meta data/turi
(https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
- CnP:
-- use of the nonce parameter (as a distinct mitigation beside state for
counter XSRF)

Anyone having an opinion?

best regards,
Torsten.

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth


_______________________________________________  
OAuth mailing list  
OAuth@ietf.org  
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email