Re: [OAUTH-WG] BCP: Client collaborative attacks

Seán Kelleher <sean@trustap.com> Mon, 26 October 2020 21:19 UTC

Return-Path: <sean@trustap.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50A933A0F3D for <oauth@ietfa.amsl.com>; Mon, 26 Oct 2020 14:19:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=trustap-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZpiWT-7QP-7v for <oauth@ietfa.amsl.com>; Mon, 26 Oct 2020 14:19:03 -0700 (PDT)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1E2233A0F0C for <oauth@ietf.org>; Mon, 26 Oct 2020 14:18:57 -0700 (PDT)
Received: by mail-ed1-x533.google.com with SMTP id v19so11124158edx.9 for <oauth@ietf.org>; Mon, 26 Oct 2020 14:18:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=trustap-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=5UN972V4S7ZHeOijXNLDrihgSHZ+fiIAOuERiGmNVn8=; b=NJc5gdyvVgDCDJ7jUsJ8O+sIepQ6wLb/ei/kHEu3sAlcxwpQH99MH9Jopiqa5m+40k nqpsVFw6GVn+LdG7ncTnOYvRlC1st18dc6/UdWuWdBjEZSyGoiAp1kBqTXMwD9grOWKf 4MTp6MLRoRYSU5Gug05np9iFUn/aDmM0Wb6LrVTs9itmP4c4Gt25tpnM050yXuidpebF rZUjdS47cs7NCLvGhS2FZeirnWIaYvyPZ+2PeTPCRVS8UxbkpkKZ43FtuFnlkh7ZLvvQ S23kFxCzUBCUbDb5Jj/TnGxUOHkyEbEaI1NWpnwlGTQsuhEbesQTLppkgT9tkGDq0nL7 l0HA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=5UN972V4S7ZHeOijXNLDrihgSHZ+fiIAOuERiGmNVn8=; b=qH6TLsPqBfYRkBfE3jrsKxV7ZbG8h7vaCdKNP6GgOjWkdhhIatSWKeU0aXgdzfzv1S ap82CUktU/59/gVc8Nmycv4mNMgNQLGqJJPBW1JAov2EAIgbWmJd7WSc81mTMblBEin6 hCmupcGqnnv5HqLxtl+huFDIUnZqbuGFuq0XXQiRbEBPZcPvAEyT+cFYs9BLmKqaja6u RjzS/66cXQ0bqFLL2ECHn8/ylx1gox/H8byP+RaAIZt/37c61GeUw6cGhY3CxQExlQxO +rnWPmuZ5F4IjxFckcoOd6lQB6QAVGYT3MJjHVYhXF+bP662Ymd6B0zVn7PpwmLXsIQ2 fLqA==
X-Gm-Message-State: AOAM530aJBhQRIo52JwWOw6e4idu4/sAz0sP+iGPSueVuF3FrLzuqAXX NUn4vnsrdFeZ/QI/F4OvY+vhv7JJycto9XQCDPG1wA==
X-Google-Smtp-Source: ABdhPJzQ4e/2rKt6JqJXjVu2J3yVJB+47sBjfaFLanlxDUbl2qGVwgdfmAETrSwvRsSuAGYEuA2DbBnpVmE4F8kcKmY=
X-Received: by 2002:a05:6402:1c04:: with SMTP id ck4mr18036751edb.274.1603747135341; Mon, 26 Oct 2020 14:18:55 -0700 (PDT)
MIME-Version: 1.0
References: <8244f38a-710b-e95c-c61a-1b8df541c73e@free.fr>
In-Reply-To: <8244f38a-710b-e95c-c61a-1b8df541c73e@free.fr>
From: =?UTF-8?Q?Se=C3=A1n_Kelleher?= <sean@trustap.com>
Date: Mon, 26 Oct 2020 21:18:44 +0000
Message-ID: <CAPLh0AOqegW07_6vSPsmmp9YtPTh6G71=v_tUqA2GjhwZ6iKSw@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Daniel Fett <fett@danielfett.de>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000004fe36305b2997a8e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RkX905MhsI4I7LnTf7fuuKEs6wo>
Subject: Re: [OAUTH-WG] BCP: Client collaborative attacks
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 26 Oct 2020 21:19:05 -0000

I hadn't come across this idea before, it's an interesting angle and for me
it's a nice new example to help highlight the difference between authZ and
authN. It reminds me of sharing access cards to get into computer labs in
college. Some thoughts:

   - It took me a while to figure out the agent, victim, intent and impact
   for the attack based on its name and description. The presented term may
   already be accepted, but if not, would you consider the term "authorization
   sharing attack"? I feel that this conveys the intent and impact of the
   attack a bit more clearly.

However, if the access token contains claims that allow the RS to uniquely
> identify the legitimate holder of the access token
> and if the RS only accepts access tokens that are able to uniquely
> identify the legitimate holder of the access token, then
> this attack can be mitigated since the client collaborative attack becomes
> an impersonation attack.


   - Being pedantic, I don't think this mitigates the attack so much as it
   reduces it to the mentioned impersonation attack. However, I'm not sure
   that "impersonation attack" is the right term to use here, as this scenario
   seems to imply that the subject consents to the impersonation, which is in
   contrast to the standard impersonation attack where the subject is the
   victim.

For mitigating the collaborative attack, either a "sub" claim must be
> present or any combination of other claims allowing for the RS
> to uniquely identify the holder of the access token must be present inside
> an access token
>

   - A more general phrasing of this could be that "it should be possible
   to use an access token to uniquely identify an individual". I say this
   because this kind of identification can also be done using opaque tokens,
   in which case the claims are not necessarily "inside" the access token.

Under these conditions, it should be observed that the first user might be
> unlikely to be willing to collaborate since the other user would be able
> to perform actions on behalf of the first user and the first user would be
> held responsible of the actions of the second user.


   - This seems to be the main justification as to why the above
   mitigations are considered as such. I don't agree with the conclusion
   because I feel it's based on debateable assumptions, the main one being
   that the "first user might be unlikely to be willing to collaborate" if
   they know that their access token identifies them, which tries to predict
   human behaviour. It also depends on the user knowing whether access tokens
   can be used to identify them.
   - I'm again being pedantic, but I would also note that just being able
   to identify a user from an access token is unlikely to be a sufficient
   deterrent, it would need to be coupled with logging of all access token
   usages for auditing purposes. Again though, this assumes that we can
   predict human behaviour.
   - Following on from one of my above points, I would remove the user
   element from this section, and avoid calling it a mitigation. I'd instead
   outline that if access tokens can be used to identify individuals then it
   reduces possible authZ sharing attacks to authN sharing attacks.

I think this is an interesting attack vector, particularly because it
requires the authZ sharer to have internal knowledge of how the RS
operates, and so has relatively niche applications. It also seems to assume
that the RS in question doesn't store user IDs with access logs, at which
point, is it simpler to just recommend that authN'd requests to an RS
should be logged with user IDs?

I've written up an alternative for consideration:

Authorization sharing attack
>
> If access tokens are not used to identify individuals, and if this
> information is known to an individual, then such an individual may use
> knowledge of this to share the authorization granted to them by access
> tokens. This may be done by sharing access tokens across clients and
> individuals, at which point the RS will not be able to distinguish between
> different subjects and clients using the same access token.
>
> If access tokens are used to identify individuals, and such identifying
> information (ideally user IDs) is stored with access logs for auditing
> purposes, then this reduces this attack to an authentication sharing attack.
>

I think it's a bit too general for a BCP, and too vague around the notion
of an "individual", but it might give some food for further thought.

Kind regards,

Seán.

>
On Mon, 26 Oct 2020 at 18:19, Denis <denis.ietf@free.fr> wrote:

> Hi Daniel,
>
> Following the conversation we had today, hereafter is a proposal for
> addressing client collaborative attacks.
> I propose to add a new section 4.16.
>
>
> 4.16 Client collaborative attacks
>
> Two clients may agree to collaborate. In such a situation, one client
> transmits to another client an access token
> that it legitimately got and also accepts to perform all the cryptographic
> computations that the other client needs
> to use the access token, including when the access token is
> cryptographically bound to a key.
>
> Since OAuth 2.0 does not mandate the use of cryptographic devices, this
> kind of attack cannot be countered in the general case.
>
> However, if the access token contains claims that allow the RS to uniquely
> identify the legitimate holder of the access token
> and if the RS only accepts access tokens that are able to uniquely
> identify the legitimate holder of the access token, then
> this attack can be mitigated since the client collaborative attack becomes
> an impersonation attack.
>
> For mitigating the collaborative attack, either a "sub" claim must be
> present or any combination of other claims allowing for the RS
> to uniquely identify the holder of the access token must be present inside
> an access token, for example OpenID claims like: name,
> family_name, given_name, middle_name, nickname, preferred_username,
> gender, birthdate, email, email_verified, phone_number,
> phone_number_verified or address.
>
> On the contrary, for example, an access token that would only contain a
> claim stating that the holder of the access token is over 21
> or a birthdate without any claim allowing the RS to uniquely identify the
> legitimate holder of the access token, should not be accepted by the RS.
>
> Under these conditions, it should be observed that the first user might be
> unlikely to be willing to collaborate since the other user would be able
> to perform actions on behalf of the first user and the first user would be
> held responsible of the actions of the second user.
>
>
>
> *Comment on section 4: "Validating JWT Access Tokens" *
> The JWT profile for OAuth 2.0 access tokens
> [draft-ietf-oauth-access-token-jwt] mandates to include a "sub" claim into
> an access token.
> However, this section does not mandate the RS to verify that claims
> allowing for the RS to uniquely identify the holder of the access token
> are indeed be present inside an access token.
>
> It might be useful to add it, so that the above text can refer to it.
>
> Denis
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>