Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS attacks
Oleg Gryb <oleg_gryb@yahoo.com> Wed, 17 November 2010 17:31 UTC
Return-Path: <oleg_gryb@yahoo.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id B72DA3A6940 for <oauth@core3.amsl.com>; Wed, 17 Nov 2010 09:31:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_42=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AlTFj5wA3YFM for <oauth@core3.amsl.com>; Wed, 17 Nov 2010 09:31:58 -0800 (PST)
Received: from web37604.mail.mud.yahoo.com (web37604.mail.mud.yahoo.com [209.191.87.87]) by core3.amsl.com (Postfix) with SMTP id 67FA53A694A for <oauth@ietf.org>; Wed, 17 Nov 2010 09:31:58 -0800 (PST)
Received: (qmail 18772 invoked by uid 60001); 17 Nov 2010 17:32:41 -0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1290015161; bh=QxGZi9e7K7hHxedg+aYHT921lxD8yTB8/Lr5SJjlkE0=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=wZYyXO5a5uXp70LOYXaxtd+OdAo/QSY1yMe3ixEbjBe/QxbESVH0IAjnwe/sR6bkgRMQoVoKUIe1OHU90HEABexSsSGj++pnXnu6T7gQpqzsxS1rik+EruIYb+gV8QaVgocbggXEQoHkJgTXjffple0nitZC8qCXYWrY6nFMJYQ=
DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:References:Date:From:Reply-To:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type; b=1u97YLByImUF/eVwpLu7imcdWen4E4zrdf/+xTA99x35qBYTM5VzXZ9a/Ykg4xP2btMxLY3Ruysvirv1WRXiZ/CEIyeDBhNilcT+AzWzT+YKqAYCf1n8pAq5LePzWMXkj4dfEiujf/fdRCho/uEqFAlVGqQCdwpFqyGNjUKQTe4=;
Message-ID: <537202.18396.qm@web37604.mail.mud.yahoo.com>
X-YMail-OSG: kVOjsksVM1kcCzJzH1PGsx3r4DFZHylXCsSPKJFUU5baO7W LtEbBEjXI0NpQgzevP.EYuFIihhj6yFKJH3sygJuEiKha3sYp3cpyo5SDkaB cwDDUNyPdhV6xpcu3nQh0lcQOZ998cvPqS9RYB_R7BE958W6_t8KnVFcF2j. 4t1Dgf_o3JJhQgmYdN1UYYGaDZWadWpj8eU1263twGKqOWeoOADxbwqGoNV1 cArvvBiKR0HEtJgplerZczH5Ax5y9J866RftJuUtdhsg4l1jSRhnCV.GGCPL yf4Qb28n1mYm5b8n3zNUd_nWmj9YcR1OEdiUey5YA4pQf6k0Q2KTQopqJV4f SL_wDqsF9YdiomhI9
Received: from [208.240.243.170] by web37604.mail.mud.yahoo.com via HTTP; Wed, 17 Nov 2010 09:32:41 PST
X-Mailer: YahooMailRC/504.5 YahooMailWebService/0.8.107.285259
References: <10670.222.166.181.166.1289612855.squirrel@xenon.stanford.edu>
Date: Wed, 17 Nov 2010 09:32:41 -0800
From: Oleg Gryb <oleg_gryb@yahoo.com>
To: pflam@cs.stanford.edu, oauth@ietf.org
In-Reply-To: <10670.222.166.181.166.1289612855.squirrel@xenon.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Cc: Dawn Song <dawnsong@cs.berkeley.edu>, John Mitchell <mitchell@cs.stanford.edu>, Devdatta Akhawe <devdatta@eecs.berkeley.edu>, Peifung Eric Lam <pflam@cs.stanford.edu>, Adam Barth <abarth@gmail.com>
Subject: Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS attacks
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: Oleg Gryb <oleg@gryb.info>
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Nov 2010 17:31:59 -0000
The concern is valid, but proposed solution would be hard to implement: everybody who has implemented at least one crypto system where symmetric keys need to be distributed between external parties would tell you that, let alone OAuth use cases where you can have many web server clients dynamically added to existing service providers. If you add a requirement of periodic key rotation that is very common nowadays then implementation will become even more difficult. PKI would be a better approach in my view: Authz Server would need to sign using a a private key and web client will use a public key to verify the signature, but again in case of key rotation, an automatic key exchange mechanism would need to be involved. I think there is some kind of automatic client registration protocol under way. It will handle new clients registration and initial key distribution, but AFAIK it's not governed by IETF's OAuth group. ----- Original Message ---- > From: "pflam@cs.stanford.edu" <pflam@cs.stanford.edu> > To: oauth@ietf.org > Cc: Dawn Song <dawnsong@cs.berkeley.edu>; John Mitchell ><mitchell@cs.stanford.edu>; Peifung Eric Lam <pflam@cs.stanford.edu>; Devdatta >Akhawe <devdatta@eecs.berkeley.edu>; Adam Barth <abarth@gmail.com> > Sent: Fri, November 12, 2010 5:47:35 PM > Subject: Re: [OAUTH-WG] vulnerability in OAuth 2.0/ 1.0/ WRAP leading to DDOS >attacks > > Hi, > > We are a group of university researchers and have been applying a formal > approach to analyze web security protocols. Devdatta gave a talk at IIW at > Mountain View last week about our work, and a summary of our earlier > results can be found at > http://theory.stanford.edu/~jcm/papers/browsermodel-csf-2010.pdf . > > While analyzing OAuth specifications (2.0/1.0/WRAP), we found that a > vulnerability exists that can be exploited to carry out DDOS > attacks. Under the current specifications, such attacks are difficult to > differentiate from legitimate and non-malicious connections, so > rate-limiting based on user identities or machine fingerprinting are > likely to be ineffective. A tentative solution is proposed at the end of > this email. Any feedback is welcome! > > Best, > > Peifung Eric Lam > > ===== > > In the OAuth 2.0 and the OAuth WRAP specifications, we found that in the > Web Server/Web App profile, an attacker can send an HTTP request to the > redirect URI of a client web application (with an arbitrary authorization > code), causing the client to issue an HTTPS request to the OAuth > Authorization Server. The revelant sections in OAuth 2.0 Draft 10 are > 1.4.1(C), and sections 3 and 4. A slightly modified attack can be mounted > against OAuth 1.0 as specified in RFC 5849. > > From our initial analysis, this feature of OAuth can be exploited by > attackers to launder requests through trusted OAuth clients and launch a > DDOS attack on the Authorization Server. Under the current specifications > such attacks are difficult to differentiate from legitimate and > non-malicious connections, so rate-limiting based on user identities or > machine fingerprinting are likely to be ineffective. > > Specifically, an attacker can bombard the redirect URIs of the web > application clients, causing a flood of HTTPS connections to the OAuth > Authz Server. This can lead to depletion of resources on the Authz Server > and prevent HTTPS connections carrying legitimate payload from reaching > the Authz Server. During such an attack, all that the Authz Server learns > (based on the 1.0, 2.0, and WRAP specs), is that a) each request comes > from a registered web site which may have legitimate business making such > a request, and b) the tokens conveyed in each request. However, as the > attacker can issue authorization codes that are just (pseudo-) random bit > strings not tied to any end-user identity, the Authz Server has learned > little information regarding the attacker or its machines causing such > frivolous connections. > > A large number of web application clients integrated with the Authz Server > can help the attacker obfuscate its sources of attack and make information > collection for DDOS defense more difficult. From statistics released by > popular websites (such as Facebook), we expect the number of clients can > be as high as a million. > > It seems that if we require the authorization code to be signed by the > Authz Server (or HMAC'ed using a shared key between the Authz Server and > the Client), and the client verifies the signature or HMAC code first > before connecting to the Authz Server, then the above DDOS attack can be > largely foiled. > > Please let us know if you would like to discuss this issue further so that > we can devise a clean solution to this problem. > > > Eran Hammer-Lahav <eran@hueniverse.com> wrote: > > > > The right place to bring this up for discussion is the IETF OAuth > mailing list: oauth@ietf.org. > > > > Thanks! > > > > EHL > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >