Re: [OAUTH-WG] Mix-Up and CnP/ Code injection

Nat Sakimura <sakimura@gmail.com> Mon, 09 May 2016 03:45 UTC


Hi Daniel,

May I ask again why a separate redirect URI would not work for mix-up?
(I know it does not work for cut-n-paste.)

Thanks,

Nat

On Thu, 5 May 2016 at 23:28, Daniel Fett <fett@uni-trier.de> wrote:

> On 23.04.2016 at 13:47, Torsten Lodderstedt wrote:
> > I'm very much interested in finding a solution within the OAuth realm, as
> > I'm not interested in either implementing two solutions (for OpenID Connect
> > and OAuth) or adopting an OpenID-specific solution for OAuth (use of id
> > tokens in the front channel). I therefore would like to see progress and
> > propose to continue the discussion regarding mitigations for both
> > threats.
> >
> > https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
> > proposes reasonable mitigations for both attacks. There are alternatives
> > as well:
> > - mix-up:
> > -- AS-specific redirect URIs
> > -- metadata/turi
> > (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
> > - CnP:
> > -- use of the nonce parameter (as a distinct mitigation beside state for
> > countering XSRF)
>
> From our formal analysis of OAuth we are pretty confident that the
> mitigation proposed in draft-ietf-oauth-mix-up-mitigation-00 should be
> sufficient against the Mix-Up attack.
>
> Cheers,
> Daniel
>
>
> --
> Information Security and Cryptography
> Universität Trier - Tel. 0651 201 2847 - H436
>
-- 
Nat Sakimura
Chairman of the Board, OpenID Foundation
Trustee, Kantara Initiative
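As an added example (not code from this thread or from any draft it cites), here is a client-side sketch of the "AS-specific redirect URIs" mitigation Torsten lists: each AS is registered with its own redirect URI, and the callback rejects any response that lands on a URI other than the one bound to the transaction's state. The issuer URLs, the AS_REDIRECT_URIS table, the Pending record and the handler names are assumptions made for the example.

```python
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed sample registration: one distinct redirect URI per AS.
AS_REDIRECT_URIS = {
    "https://honest-as.example": "https://client.example/cb/honest",
    "https://other-as.example": "https://client.example/cb/other",
}


@dataclass
class Pending:
    issuer: str        # the AS the user was sent to
    redirect_uri: str  # the redirect URI chosen for that AS
    nonce: str         # kept for the CnP mitigation (checked against an ID token, not here)


pending: Dict[str, Pending] = {}  # state -> transaction, kept server side


def start_flow(issuer: str) -> dict:
    """Begin an authorization request, binding state to the AS and its redirect URI."""
    state = secrets.token_urlsafe(16)
    pending[state] = Pending(issuer, AS_REDIRECT_URIS[issuer], secrets.token_urlsafe(16))
    return {"issuer": issuer, "redirect_uri": AS_REDIRECT_URIS[issuer], "state": state}


def handle_callback(received_at: str, params: dict) -> str:
    """Return the issuer whose token endpoint may receive the code, or raise."""
    tx = pending.pop(params.get("state", ""), None)
    if tx is None:
        raise ValueError("unknown or replayed state")
    # Mix-up check: the response must arrive on the redirect URI chosen for the
    # AS this transaction started with. If a different AS forwarded the user to
    # the honest AS, the honest AS (assumed to enforce exact matching of its
    # registered redirect URIs) can only deliver the code to /cb/honest, which
    # does not match a transaction started with the other AS, so the code is
    # never sent to the wrong token endpoint.
    if received_at != tx.redirect_uri:
        raise ValueError(f"response for {tx.issuer} arrived at {received_at}")
    if "code" not in params:
        raise ValueError("no authorization code in response")
    return tx.issuer
```

As Nat's parenthetical says, this check says nothing about a code substituted into an otherwise valid response at the correct URI; that is what the nonce binding in the CnP list item is for.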