IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Interim Meeting - April 12 - Security BCP

Daniel Fett <fett@danielfett.de> Mon, 12 April 2021 14:00 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 866763A1F54 for <oauth@ietfa.amsl.com>; Mon, 12 Apr 2021 07:00:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vivO7RrdULkT for <oauth@ietfa.amsl.com>; Mon, 12 Apr 2021 07:00:50 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DAE603A1F51 for <oauth@ietf.org>; Mon, 12 Apr 2021 07:00:49 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 86FEB24817; Mon, 12 Apr 2021 14:00:44 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1618236044; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=EuXfzD+TgVxNa80/LDwklJl25W05qQS7sovsYXOqswM=; b=kPkpdwB6QTSzpxkTOmAq7I0V4XJR9na+REZ4J80XbJeTEVR+YtsjsHgMH70G+QS3PIaWmd D30lQuDgBCPYY0HcSegW99HZggequwHV5oK3U7C11G1m6P8F0wGn6S+aTKXtAyswVQR176 MDYHMrmCqkawHFK1Vya3BSVTQuvotfg=
To: Denis <denis.ietf@free.fr>, oauth@ietf.org
References: <CADNypP80KicBYDjOHkZQMrowM1WgrtpCr1Ywt88RrTRbZ_Ctrw@mail.gmail.com> <1990805d-e9c5-969a-9c62-a3ddd21e2180@free.fr> <2e1af244-91cd-1d08-8bf6-97cc82e3f862@danielfett.de> <065f2559-d14b-5ddc-ba33-8ce14fa2d622@free.fr>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <9913e316-ab20-b9fa-bb59-15241d943622@danielfett.de>
Date: Mon, 12 Apr 2021 16:00:43 +0200
MIME-Version: 1.0
In-Reply-To: <065f2559-d14b-5ddc-ba33-8ce14fa2d622@free.fr>
Content-Type: multipart/alternative; boundary="------------086EC9AE37B7AEAC2C998E1C"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1618236044; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=EuXfzD+TgVxNa80/LDwklJl25W05qQS7sovsYXOqswM=; b=P7i/SHGQrSw22jKJ/YewC1ikrwN1m7Nn5HJsUKD5jh1j67tNs4DY6+Lur5xIjQPtd4jd4f C8HVDN7cBFE873hGuM4aZdYo9KLZ+P+XFgMIBRgcfPeBN1WaCyYvHWmaXLTS5et0hbDT6y J2XzSrOeugVpWPFSdj0AmFdoh5fXSeM=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1618236044; a=rsa-sha256; cv=none; b=Rk5hc5ZZypBlg7KegI6Q5BzKhlnP5fAV7my4ecz9bsq2/Q2SWcDNK67lXc1/6zr0FXfQGT NYLV71uCmxeCNE9LyRc5hXNjrWzTl3qQ7o/RslQGhcRBGmlueX7F6g8Kjjgb4TnamHWN07 sbtWQVrIyCsDUtljDCoCIYyaRYeksio=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: --
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TGxtTCroD7X0hJ30vn_kPoW_FII>
Subject: Re: [OAUTH-WG] OAuth Interim Meeting - April 12 - Security BCP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 14:00:55 -0000

Hi Denis,

Am 12.04.21 um 14:57 schrieb Denis:
>>
>>> The first sentence of section 3 (The Updated OAuth 2.0 Attacker
>>> Model) clearly states:
>>>
>>>     " In the following, this attacker model is updated (...) to
>>> include new types of attackers and to define the attacker model more
>>> clearly".
>>>
>>> Section 3 should include the case of a collusion or a collaboration
>>> attack between clients against a RS, where one of them is a
>>> legitimate client
>>> voluntarily "helping" another client to use or to request access
>>> tokens that would normally "belong" to the legitimate client.
>>>
>>
>> As I'm sure you have noticed, we have updated Section 3 following
>> your last input. It now explicitly says:
>>
>>     Attackers can collaborate to reach a common goal.
>>
>> It also says
>>
>>    Note that in this attacker model, an attacker (see A1) can be a RO or
>>    act as one.  For example, an attacker can use his own browser to
>>    replay tokens or authorization codes obtained by any of the attacks
>>    described above at the client or RS.
>>
>> Your scenario is therefore covered. It was already before, but that
>> was obviously too implicit, so we made it more clear with the recent
>> update.
>>
> [Denis] I don't believe that the scenario is covered with the above
> sentences.
>
I don't understand. This is not about believing, it is written very
clearly and conclusively in the text of the current draft.

We've had this discussion before, and, although irrelevant for the
meaning of the BCP itself, I would like to refer you again to the formal
model in our research paper, which the BCP attacker model is based on.
It has a *very* precise definition of the attacker model that does not
leave room for interpretation. The natural-language description in the
BCP, as usual, is more fuzzy than the formal definition, but both
attacker models include clients cooperating.


>
>>> Finally, section 4 (Attacks and Mitigations) should include an
>>> additional subsection, e.g. section 4.16, addressing the case of a
>>> collaboration attack
>>> between clients against a RS.
>>>
>> If I remember correctly, you first presented this attack at the OAuth
>> Security Workshop in 2017.
>> Since then, it has been brought up countless times on this mailing
>> list, both with regards to the Security BCP as well as for the JWT
>> Token draft.
>>
>> There has been practically no positive resonance at the meeting 2017
>> or here on the mailing list as to including this in either of the
>> drafts.
>>
>> A number of reasons come to mind, but first and foremost, I think
>> that what you describe is not perceived as an attack, or, worded
>> differently,
>> it is obvious that what you describe in the "attack" is possible.
>>
> [Denis] Here after comes the important sentence which is wrong:
>
>
>> *There is no expectation that OAuth would defend against this kind of
>> thin**g*,
>> just as there is no mitigation against password sharing in
>> password-based authentication.
>>
> [Denis] In the section 4.16.2 there is a clear proposal that explains
> how *"OAuth can successfully defend against this kind of thin**g"*.
> *So* *there **IS **a solution*.
>
I did not say that there is no solution.
>
> Currently, when reading the text, an implementer might consider to
> deliver an access token that contains a claim such as "older the 18"
> without any "sub" or equivalent claim.
> Such an access token would be transferable to anyone and the RS would
> not be able to identify the attack.
>
Your proposed solution does not enable an RS to identify the attack
unless used together with some form of authentication way outside the
scope of OAuth.

Again, this also goes deeply into OIDC territory.

> I therefore propose to proceed with the Security BCP *with the
> inclusion of this attack*.
>
>> Even though the Security BCP attacker model includes the general
>> setting required for the attack, the attack does not violate an
>> expected security property.
>>
>> I therefore propose to proceed with the Security BCP without
>> including this attack.
>>
>> -Daniel
>>
> [Denis] Since you have deleted the remaining of my email, I copy it
> again. If you respond to this email, please DO NOT delete it.
>
I deleted the remainder of the mail as it was not relevant to my answer
(see RFC1855, Section 3.1.1). Everybody can access your original mail on
the mailing list.

-Daniel

-- 
https://danielfett.de

v2.19.0 | Report a Bug | By Email