Re: [OAUTH-WG] WGLC for DPoP Document
Justin Richer <jricher@mit.edu> Tue, 29 March 2022 15:21 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 31E583A1A38 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:21:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.72
X-Spam-Level:
X-Spam-Status: No, score=-1.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, KHOP_HELO_FCRDNS=0.186, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rGo109u_Bbn3 for <oauth@ietfa.amsl.com>; Tue, 29 Mar 2022 08:21:11 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FFC93A1A3C for <oauth@ietf.org>; Tue, 29 Mar 2022 08:21:10 -0700 (PDT)
Received: from smtpclient.apple (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 22TFL5rW026985 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 29 Mar 2022 11:21:06 -0400
From: Justin Richer <jricher@mit.edu>
Message-Id: <02A4AE71-05D0-497C-BF77-FC449256E20C@mit.edu>
Content-Type: multipart/alternative; boundary="Apple-Mail=_BCBC6932-7C64-4217-8320-2B700B72A5A9"
Mime-Version: 1.0 (Mac OS X Mail 15.0 \(3693.60.0.1.1\))
Date: Tue, 29 Mar 2022 11:21:05 -0400
In-Reply-To: <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr>
Cc: oauth@ietf.org
To: Denis <denis.ietf@free.fr>
References: <CADNypP-_WxX62=LrieDEZYOFec3UAd2FMmnWsfiNu1Zmots+Pg@mail.gmail.com> <73015e12-337d-5853-91cc-455b39c97921@free.fr> <CAHsNOKdh5UN333CkQFLZVkOpWeyPYjr8JTmU9XBzk6EgiCEWOQ@mail.gmail.com> <F455136A-2961-4043-8CA2-786AE91D5C10@mit.edu> <3b0fbfe6-f043-5c93-ace5-ad448c4cdb55@danielfett.de> <df84d8e2-5503-2fbe-f484-edd0629d2f4d@free.fr>
X-Mailer: Apple Mail (2.3693.60.0.1.1)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/PIx4aFvRiB-wItjaRsSaJ31NCWQ>
Subject: Re: [OAUTH-WG] WGLC for DPoP Document
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 29 Mar 2022 15:21:15 -0000
If the “legitimate” client willingly gives away its secrets and tokens to the “illegitimate” client, then the latter isn’t actually “illegitimate” anymore. What I was saying is that the “attack" is not even necessary if the clients are in fact working together. If the “legitimate” client knowing gives away its credentials, it is accepting that the receiver of those credentials can do anything it wants with those credentials. That’s why they are credentials. — Justin PS: I did not “break” the thread, I replied to a message in the thread. That’s how email lists work. > On Mar 29, 2022, at 9:19 AM, Denis <denis.ietf@free.fr> wrote: > > Hi Justin, > > You broke the thread since you have not re-used the last message which was: > Steinar, > > As you have guessed, no data (except the token and some crypto checksums) is passing through the clients. > > Once the legitimate client has allowed the illegitimate client to use the token, the illegitimate client can do anything it wants with it. > The legitimate client can be kept fully ignorant of what illegitimate client is doing. > > The data flow is minimum: if the token allows to view a 4 Gb movie, that data flow does not flow between the clients. > > Furthermore, the content of the token may allow the illegitimate client to use it during days or months. > Suppose that the token indicates "over 18". If the user is over 18 now, he will certainly be "over 18" the next days, months or years. > There is no need to refresh the token as it would be the case if the token included a home address. > This message explains why this collaborative attack is very different from simply forwarding messages between clients. > > The illegitimate client can do anything it wants without disclosing what it is doing to the legitimate client. > The traffic between the clients is kept to the very minimum. > > Denis > >> +1 >> >> Am 29.03.22 um 15:10 schrieb Justin Richer: >>> And this is exactly the problem with the “collaborating clients” attack, as has been pointed out any number of times it’s been brought up before. If two clients are willingly collaborating in this way, they do not need to share any cryptographic material and impersonate each other. >>> >>> You don’t need to steal my license if I’m willing to just go buy you beer. >>> >>> The DPoP draft does address signed request re-use, which some see as a feature to be carefully applied. >>> >>> — Justin >>> >>>> On Mar 28, 2022, at 1:04 PM, Steinar Noem <steinar@udelt.no <mailto:steinar@udelt.no>> wrote: >>>> >>>> Interesting, but won't two collaborating clients just pass any data they want to each other? Why would these collaborating clients go through the trouble of exchanging private keys, dpop proofs or tokens? Could you elaborate some more on the scenario? >>>> >>>> S >>>> >>>> man. 28. mar. 2022 kl. 16:29 skrev Denis <denis.ietf@free.fr <mailto:denis.ietf@free.fr>>: >>>> Rifaat & Hannes, >>>> Hereafter are my comments: >>>> >>>> The introduction states : >>>> >>>> Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated >>>> that it holds via the DPoP header, thereby providing some assurance that the client presenting the token also possesses the private key. >>>> >>>> In other words, the legitimate presenter of the token is constrained to be the sender that holds and can prove possession of the private part of the key pair. >>>> >>>> The client presenting the token does not necessarily possess the private key. The client presenting the token has been able to use >>>> the results of some cryptographic functions using the private part of the key pair. >>>> >>>> These results may be communicated by one client to another client, if the two clients agree to collaborate. This statement will be added later on. >>>> >>>> Proposed rewording: >>>> >>>> Recipients of such tokens are then able to verify the binding of the token to the key pair that the client has demonstrated >>>> that it holds via the DPoP header, thereby providing some assurance that the client presenting the token either also possesses >>>> the private key or has been able to use the result of cryptographic computations from another client that possesses the private key. >>>> >>>> In other words, the presenter of the token can prove that it has been able to use the results of cryptographic computations performed >>>> by using the private part of the key pair. >>>> >>>> The objectives states >>>> >>>> The primary aim of DPoP is to prevent unauthorized or illegitimate parties from using leaked or stolen access tokens, >>>> by binding a token to a public key upon issuance and requiring that the client proves possession of the corresponding >>>> private key when using the token. >>>> >>>> DPoP does not prevent unauthorized or illegitimate parties from using access tokens, as soon as two clients agree to collaborate. >>>> >>>> Proposed rewording: >>>> >>>> The primary aim of DPoP is to bind a token to a public key upon issuance and requiring that the client proves possession >>>> of the corresponding private key when using the token. This does not demonstrate that the client presenting the token is >>>> necessarily the legitimate client. In the case of non-collaborating clients, DPoP prevents unauthorized or illegitimate parties >>>> from using leaked or stolen access tokens. In the case of collaborating clients, the security of DPoP is ineffective >>>> (see section 11.X). >>>> >>>> Section 11 is about "Security Considerations" and addresses the following topics: >>>> >>>> 11.1. DPoP Proof Replay >>>> 11.2. DPoP Proof Pre-Generation >>>> 11.3. DPoP Nonce Downgrade >>>> 11.4. Untrusted Code in the Client Context >>>> 11.5. Signed JWT Swapping >>>> 11.6. Signature Algorithms >>>> 11.7. Message Integrity >>>> 11.8. Access Token and Public Key Binding >>>> 11.9. Authorization Code and Public Key Binding >>>> >>>> The case of collaborative clients should be addressed within section 11. >>>> >>>> Text proposal. >>>> >>>> 11.X. Collaborative clients >>>> >>>> DPoP demonstrates that the client presenting the token has been able to use the results of some cryptographic functions >>>> using the private part of the key pair. >>>> >>>> If a client agrees to collaborate with another client, the security of DPoP is no longer effective. When two clients agree to collaborate, >>>> these results of the cryptographic computations performed by one client may be communicated to another client. >>>> >>>> Even if the private key used for DPoP is stored in such a way that it cannot be exported, e.g., in a hardware or software security module, >>>> the client can perform all the cryptographic computations needed by the other client to create DPoP proofs. >>>> >>>> The client can easily create new DPoP proofs as long as the other client is online. >>>> >>>> Note: There exist other techniques able to limit, in some cases, the use of a token transmitted voluntarily by a legitimate client >>>> to an illegitimate client. >>>> >>>> Denis >>>> >>>> >>>>> All, >>>>> >>>>> As discussed during the IETF meeting in Vienna last week, this is a WG Last Call for the DPoP document: >>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/ <https://datatracker.ietf.org/doc/draft-ietf-oauth-dpop/> >>>>> >>>>> Please, provide your feedback on the mailing list by April 11th. >>>>> >>>>> Regards, >>>>> Rifaat & Hannes >>>>> >>>>> >>>>> >>>>> _______________________________________________ >>>>> OAuth mailing list >>>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>>> >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>>> >>>> >>>> -- >>>> Vennlig hilsen >>>> >>>> Steinar Noem >>>> Partner Udelt AS >>>> Systemutvikler >>>> >>>> | steinar@udelt.no <mailto:steinar@udelt.no> | hei@udelt.no <mailto:hei@udelt.no> | +47 955 21 620 <> | www.udelt.no <http://www.udelt.no/> | >>>> _______________________________________________ >>>> OAuth mailing list >>>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >>> >>> >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org <mailto:OAuth@ietf.org> >>> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> >> -- >> https://danielfett.de <https://danielfett.de/> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] WGLC for DPoP Document Rifaat Shekh-Yusef
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Steinar Noem
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document David Waite
- Re: [OAUTH-WG] WGLC for DPoP Document Justin Richer
- Re: [OAUTH-WG] WGLC for DPoP Document Daniel Fett
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Roberto Polli
- Re: [OAUTH-WG] WGLC for DPoP Document Justin Richer
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Justin Richer
- Re: [OAUTH-WG] WGLC for DPoP Document Denis
- Re: [OAUTH-WG] WGLC for DPoP Document Hans Zandbelt
- [OAUTH-WG] WGLC for DPoP Document: new thread abo… Denis
- Re: [OAUTH-WG] WGLC for DPoP Document: new thread… Hans Zandbelt
- Re: [OAUTH-WG] WGLC for DPoP Document Mike Jones
- Re: [OAUTH-WG] WGLC for DPoP Document: new thread… Denis
- Re: [OAUTH-WG] WGLC for DPoP Document David Waite
- Re: [OAUTH-WG] WGLC for DPoP Document Steinar Noem
- Re: [OAUTH-WG] WGLC for DPoP Document Daniel Fett
- Re: [OAUTH-WG] WGLC for DPoP Document Dave Tonge
- Re: [OAUTH-WG] WGLC for DPoP Document Steinar Noem
- Re: [OAUTH-WG] WGLC for DPoP Document Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for DPoP Document Warren Parad
- Re: [OAUTH-WG] WGLC for DPoP Document Pieter Kasselman
- [OAUTH-WG] Fwd: WGLC for DPoP Document Neil Madden
- Re: [OAUTH-WG] WGLC for DPoP Document Vladimir Dzhuvinov
- Re: [OAUTH-WG] WGLC for DPoP Document Nat Sakimura
- Re: [OAUTH-WG] WGLC for DPoP Document John Bradley
- Re: [OAUTH-WG] WGLC for DPoP Document Brian Campbell
- Re: [OAUTH-WG] WGLC for DPoP Document Brian Campbell