Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
Denis <denis.ietf@free.fr> Thu, 07 November 2019 08:16 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74193120800 for <oauth@ietfa.amsl.com>; Thu, 7 Nov 2019 00:16:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.895
X-Spam-Level:
X-Spam-Status: No, score=-0.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id w818v-0z78PK for <oauth@ietfa.amsl.com>; Thu, 7 Nov 2019 00:16:32 -0800 (PST)
Received: from smtp.smtpout.orange.fr (smtp11.smtpout.orange.fr [80.12.242.133]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 30E1F120123 for <oauth@ietf.org>; Thu, 7 Nov 2019 00:16:31 -0800 (PST)
Received: from [192.168.1.11] ([90.79.49.31]) by mwinf5d90 with ME id NwGT2100M0gNo7u03wGTqP; Thu, 07 Nov 2019 09:16:29 +0100
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Thu, 07 Nov 2019 09:16:29 +0100
X-ME-IP: 90.79.49.31
To: oauth@ietf.org
References: <VI1PR08MB5360FBBAF0D3A38BDBED618BFA790@VI1PR08MB5360.eurprd08.prod.outlook.com> <CAMVRk++o2MdndK37FfADzEZJx988o=PvPWN_mhdgDK=OU1dtow@mail.gmail.com> <3ECDBBC5-F183-4227-857A-A95C53C74274@mit.edu>
From: Denis <denis.ietf@free.fr>
Message-ID: <d021c84a-36f3-f371-2903-2b6051ee654f@free.fr>
Date: Thu, 07 Nov 2019 09:16:29 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <3ECDBBC5-F183-4227-857A-A95C53C74274@mit.edu>
Content-Type: multipart/alternative; boundary="------------C6B714A198F958BE4E2A0210"
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/R6UuQY9kgvKEPLmQaTJeRKfSSKw>
Subject: Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Current Practice"
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Nov 2019 08:16:34 -0000
Hello Jared, You raised the following question : * **Should other possible threats and vulnerabilities be included? Meaning, is the list the definitive known list?* This list is certainly not a "definitive /known /list" since there exists an additional /known /threat that has been advertised to this list for the fist time *exactly* 3 years ago. It is the right time to blow three candles ! This is not either "the best list of things that we have at this time", as Justin mentioned. The current document only addresses external "attackers". The case of collusion between users is not mentioned. The first description of such a kind of attack, named the "*Alice and Bob Collusion*" attack, was mentioned on this list *on November the 7 th, 2016*. It is available at: https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html Considering collaborative users is critical when considering age verification. If a user legitimately obtains one attribute demonstrating that he is over 18 and if that user voluntarily transmits such an attribute to another user that is below 18, the RP should be in a position to detect that the attribute does not belong to that other user and should thus be in a position to reject it. It is often believed that protecting secret keys or private keys in a secure element is an efficient and sufficient way to prevent such a collusion attack between users against a RP. However, this is not true. There have been some implementations using OAuth and smart cards, but the simple addition of these two elements does not necessarily provide a secure solution. The first user is in a position to perform all the cryptographic computations that the other user needs since it can perform any cryptographic computation that the other user needs using secret or private key stored in his secure element. *Whatever kind of cryptographic is being used, when two users collaborate, a software-only solution will be unable to prevent the transmission * * of an attribute of a user that possess it to another user that does not possess it. * ** Additional functional properties are required for the secure element and the presence of those properties needs to be verified both by the RP and the Authorization Server. There are six roles to be considered in order to be able to counter the Alice and Bob Collusion attack, namely: * Users (usually human users), * Clients, * Secure Elements (SE), * Authorization Servers (AS), * Relying Parties (RP), and * Secure Element Providers (SEP). Note: Since RFC 6819 (OAuth 2.0 Threat Model and Security Considerations*) *does not include any figure, a figure illustrating these roles would be really helpful for the readers. As a consequence, the protocols SHALL support exchanges where computations performed by the secure elements are part of the protocols. I understand that it may be embarrassing to describe in this document an attack that cannot be countered using any of the OAuth 2.0 Security Best Current Practices ... but this is not a reason to conceal user's collaborative attacks in this document. The fact is that any (secure) solution to the ABC attack SHALL be based on the use of secure elements and hence CANNOT be based on the use of a software only solution, whatever kind of cryptographic algorithms would be used. I believe that some of the material provided both in this email and in the email from November the 7 th, 2016 should be incorporated into this document in order to address this missing threat. Denis > 1. Normative MUST/REQUIRED is fine in a BCP. > > 2. This is not the definitive list, but instead the best list of > things that we have at this time. There will be more attacks, and more > mitigations for those attacks. > > — Justin > >> On Nov 6, 2019, at 3:16 PM, Jared Jennings <jaredljennings@gmail.com >> <mailto:jaredljennings@gmail.com>> wrote: >> >> Hi, >> >> This is my first time reviewing a document or responding to the >> group. So, with that introduction feel free to guide me along the way. >> >> Reading through the document, I had a few high-level questions first. >> I will have more detailed comments later, once I know I'm on the >> right track and I assume those comments I should just share with the >> mailing list? >> >> 1. Since the document is a "Best Practices" document, are the words >> "MUST" and "REQUIRED" and other definitive terms? Would instead >> SHOULD and RECOMMENDED be used? >> >> 2. Should other possible threats and vulnerabilities be included? >> Meaning, is the list the definitive known list? >> >> Thanks! >> -Jared >> Skype:jaredljennings >> Signal:+1 816.730.9540 >> WhatsApp: +1 816.678.4152 >> >> >> >> On Wed, Nov 6, 2019 at 2:27 AM Hannes Tschofenig >> <Hannes.Tschofenig@arm.com <mailto:Hannes.Tschofenig@arm.com>> wrote: >> >> Hi all, >> >> this is a working group last call for "OAuth 2.0 Security Best >> Current Practice". >> >> Here is the document: >> https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13 >> >> Please send you comments to the OAuth mailing list by Nov. 27, 2019. >> (We use a three week WGLC because of the IETF meeting.) >> >> Ciao >> Hannes & Rifaat >> >> IMPORTANT NOTICE: The contents of this email and any attachments >> are confidential and may also be privileged. If you are not the >> intended recipient, please notify the sender immediately and do >> not disclose the contents to any other person, use it for any >> purpose, or store or copy the information in any medium. Thank you. >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] WGLC for "OAuth 2.0 Security Best Curr… Hannes Tschofenig
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Jared Jennings
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Justin Richer
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Fett
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Hans Zandbelt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Roesler
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Hans Zandbelt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Fett
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … David Waite
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Daniel Roesler
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … David Waite
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Lee McGovern
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … David Waite
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Denis
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Vineet Banga
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Vineet Banga
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Vineet Banga
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … Torsten Lodderstedt
- Re: [OAUTH-WG] WGLC for "OAuth 2.0 Security Best … n-sakimura