IETF Logo Mail Archive

Re: [OAUTH-WG] Auth Code Swap Attack

Anthony Nadalin <tonynad@microsoft.com> Thu, 25 August 2011 16:59 UTC

Return-Path: <tonynad@microsoft.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FE8321F8B02 for <oauth@ietfa.amsl.com>; Thu, 25 Aug 2011 09:59:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.466
X-Spam-Level:
X-Spam-Status: No, score=-7.466 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7unH7EURpNR9 for <oauth@ietfa.amsl.com>; Thu, 25 Aug 2011 09:59:15 -0700 (PDT)
Received: from smtp.microsoft.com (mailc.microsoft.com [131.107.115.214]) by ietfa.amsl.com (Postfix) with ESMTP id 43B4521F8AFA for <oauth@ietf.org>; Thu, 25 Aug 2011 09:59:15 -0700 (PDT)
Received: from TK5EX14HUBC103.redmond.corp.microsoft.com (157.54.86.9) by TK5-EXGWY-E803.partners.extranet.microsoft.com (10.251.56.169) with Microsoft SMTP Server (TLS) id 8.2.176.0; Thu, 25 Aug 2011 10:00:29 -0700
Received: from ch1outboundpool.messaging.microsoft.com (157.54.51.114) by mail.microsoft.com (157.54.86.9) with Microsoft SMTP Server (TLS) id 14.1.323.7; Thu, 25 Aug 2011 10:00:28 -0700
Received: from mail80-ch1-R.bigfish.com (216.32.181.170) by CH1EHSOBE009.bigfish.com (10.43.70.59) with Microsoft SMTP Server id 14.1.225.22; Thu, 25 Aug 2011 17:00:18 +0000
Received: from mail80-ch1 (localhost.localdomain [127.0.0.1]) by mail80-ch1-R.bigfish.com (Postfix) with ESMTP id 477B51A01B0 for <oauth@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Thu, 25 Aug 2011 17:00:18 +0000 (UTC)
X-SpamScore: -20
X-BigFish: PS-20(zz9371Kc85fhzz1202h1082kzz8275ch1033IL8275bh8275dhz31h2a8h668h839h61h)
X-Spam-TCS-SCL: 0:0
X-Forefront-Antispam-Report: CIP:207.46.4.139; KIP:(null); UIP:(null); IPV:SKI; H:SN2PRD0302HT001.namprd03.prod.outlook.com; R:internal; EFV:INT
Received-SPF: softfail (mail80-ch1: transitioning domain of microsoft.com does not designate 207.46.4.139 as permitted sender) client-ip=207.46.4.139; envelope-from=tonynad@microsoft.com; helo=SN2PRD0302HT001.namprd03.prod.outlook.com ; .outlook.com ;
Received: from mail80-ch1 (localhost.localdomain [127.0.0.1]) by mail80-ch1 (MessageSwitch) id 1314291617406200_20773; Thu, 25 Aug 2011 17:00:17 +0000 (UTC)
Received: from CH1EHSMHS012.bigfish.com (snatpool1.int.messaging.microsoft.com [10.43.68.244]) by mail80-ch1.bigfish.com (Postfix) with ESMTP id 5FEA01498050; Thu, 25 Aug 2011 17:00:17 +0000 (UTC)
Received: from SN2PRD0302HT001.namprd03.prod.outlook.com (207.46.4.139) by CH1EHSMHS012.bigfish.com (10.43.70.12) with Microsoft SMTP Server (TLS) id 14.1.225.22; Thu, 25 Aug 2011 17:00:15 +0000
Received: from SN2PRD0302MB137.namprd03.prod.outlook.com ([169.254.2.234]) by SN2PRD0302HT001.namprd03.prod.outlook.com ([10.27.50.84]) with mapi id 14.01.0225.064; Thu, 25 Aug 2011 17:00:15 +0000
From: Anthony Nadalin <tonynad@microsoft.com>
To: Eran Hammer-Lahav <eran@hueniverse.com>, Torsten Lodderstedt <torsten@lodderstedt.net>
Thread-Topic: [OAUTH-WG] Auth Code Swap Attack
Thread-Index: AcxZImYoC2iZvOhxR/+zEXUukLHDogAF8TGAAIvI14AAgNyjAACwAFgAAAIJGIAAe8GCAAAScGQAADLTUAAAA6PagAAAL7bw
Date: Thu, 25 Aug 2011 17:00:13 +0000
Message-ID: <B26C1EF377CB694EAB6BDDC8E624B6E7263E7820@SN2PRD0302MB137.namprd03.prod.outlook.com>
References: <B26C1EF377CB694EAB6BDDC8E624B6E7263E772F@SN2PRD0302MB137.namprd03.prod.outlook.com> <CA7BCB91.18B65%eran@hueniverse.com>
In-Reply-To: <CA7BCB91.18B65%eran@hueniverse.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.28.29.69]
Content-Type: multipart/alternative; boundary="_000_B26C1EF377CB694EAB6BDDC8E624B6E7263E7820SN2PRD0302MB137_"
MIME-Version: 1.0
X-OrganizationHeadersPreserved: SN2PRD0302HT001.namprd03.prod.outlook.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%HUENIVERSE.COM$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%LODDERSTEDT.NET$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-FOPE-CONNECTOR: Id%59$Dn%IETF.ORG$RO%2$TLS%6$FQDN%131.107.125.5$TlsDn%
X-OriginatorOrg: microsoft.com
X-CrossPremisesHeadersPromoted: TK5EX14HUBC103.redmond.corp.microsoft.com
X-CrossPremisesHeadersFiltered: TK5EX14HUBC103.redmond.corp.microsoft.com
Cc: "OAuth WG (oauth@ietf.org)" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Auth Code Swap Attack
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Aug 2011 16:59:20 -0000

No that is not what I said; you seemed to have interpreted it that way,

From: Eran Hammer-Lahav [mailto:eran@hueniverse.com]
Sent: Thursday, August 25, 2011 9:54 AM
To: Anthony Nadalin; Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

Everyone yourself included indicated that the combination of MUST prevent CSRF and SHOULD use 'state' is the way to go. Yes, we still need to agree on text but the normative language part is settled.

If you still insist on making 'state' required, I will defer to the chairs to decide how to move forward.

EHL

From: Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>
Date: Thu, 25 Aug 2011 08:11:01 -0700
To: Eran Hammer-lahav <eran@hueniverse.com<mailto:eran@hueniverse.com>>, Torsten Lodderstedt <torsten@lodderstedt.net<mailto:torsten@lodderstedt.net>>
Cc: "OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: RE: [OAUTH-WG] Auth Code Swap Attack

I have not seen any updated text, so I don't believe we have consensus. Also we have a flawed protocol and we are not providing a fix, suggest that MUST be on the state also unless someone has a better fix

From: oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Wednesday, August 24, 2011 7:54 AM
To: Torsten Lodderstedt
Cc: OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

I believe we have full consensus on this approach.

EHL

From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]<mailto:[mailto:torsten@lodderstedt.net]>
Sent: Tuesday, August 23, 2011 11:06 PM
To: Eran Hammer-Lahav
Cc: OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

making CSRF prevention a MUST and recommending the state parameter as implementation pattern is ok with me.

regards,
Torsten.

Am 21.08.2011 21:02, schrieb Eran Hammer-Lahav:
I light to the recent discussion, do you still feel that changing 'state' from optional to required is the best approach?

EHL

From: Torsten Lodderstedt [mailto:torsten@lodderstedt.net]
Sent: Sunday, August 21, 2011 11:04 AM
To: Eran Hammer-Lahav
Cc: OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

My intention is to require clients to implement CSRF prevention. I thought making the state parameter mandatory would be the straightforward way.

regards,
Torsten.

Am 18.08.2011 08:04, schrieb Eran Hammer-Lahav:
I would like to hear from the other 3 authors of the proposed change about their reasons for changing the use of 'state' from recommended to required for CSRF prevention. It would also help moving this issue forward if the 4 authors can provide answers or clarifications on the issues raised below.

Assuming we can count all 4 authors are in favor of making the change, I believe we have a tie (4:4) and therefore no consensus for making it (as of this point). However, we did identify issues with the section's language and clarity which we should address either way.

To clarify - I am not proposing we close this issue just yet.

EHL

From:oauth-bounces@ietf.org<mailto:oauth-bounces@ietf.org> [mailto:oauth-bounces@ietf.org] On Behalf Of Eran Hammer-Lahav
Sent: Monday, August 15, 2011 9:35 AM
To: OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

To demonstrate why making state required as proposed isn't very helpful, here is an incomplete list of other requirements needed to make an effective CSRF:

* State value must not be empty (a common bug in many implementations using simple value comparison).

* 'Non-guessable' isn't sufficient as most developers will simply use a hash of the session cookie, with or without salt which isn't sufficient. We use "cannot be generated, modified, or guessed to produce valid values" elsewhere in the document, but this is much easier to get right for access tokens and refresh tokens than CSRF tokens which are often just some algorithm on top of the session cookie.

* State CSRF value should be short-lived or based on a short-lived session cookie to prevent the use of a leaked state value in multiple attacks on the same user session once the leak is no longer viable.

In addition, this is not what "state" was originally intended for. If the working group decides to mandate a CSRF parameter, it should probably be a new parameter with a more appropriate name (e.g. 'csrf'). By forcing clients to use "state" for this purpose, developers will need to use dynamic queries for other state information which further reduces the security of the protocol (as the draft recommends not using dynamic callback query components). Encoding both CSRF tokens and other state information can be non-intuitive or complicated for some developers/platforms.

EHL




From: Eran Hammer-Lahav
Sent: Friday, August 12, 2011 2:53 PM
To: Anthony Nadalin; OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)
Subject: Re: [OAUTH-WG] Auth Code Swap Attack

This is really just a flavor of CSRF attacks. I have no objections to better documenting it (though I feel the current text is already sufficient), but we can't realistically expect to identify and close every possible browser-based attack. A new one is invented every other week.

The problem with this text is that developers who do no understand CSRF attacks are not likely to implement it correctly with this information. Those who understand it do not need the extra verbiage which is more confusing than helpful.

As for the new requirements, they are insufficient to actually accomplish what the authors propose without additional requirements on state local storage and verification to complete the flow. Also, the proposed text needs clarifications as noted below.


From: Anthony Nadalin <tonynad@microsoft.com<mailto:tonynad@microsoft.com>>
Date: Fri, 12 Aug 2011 12:06:36 -0700
To: "OAuth WG (oauth@ietf.org<mailto:oauth@ietf.org>)" <oauth@ietf.org<mailto:oauth@ietf.org>>
Subject: [OAUTH-WG] Auth Code Swap Attack



Recommended Changes to draft-ietf-oauth-v2

In section 4, request options (e.g. 4.1.1) featuring "state" should change from:

state
OPTIONAL. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client.

to:

state
REQUIRED. An opaque value used by the client to maintain state between the request and callback. The authorization server includes this value when redirecting the user-agent back to the client. The encoded value SHOULD enable the client application to determine the user-context that was active at the time of the  request (see section 10.12). The value MUST NOT be guessable or predictable, and MUST be kept confidential.


Making the parameter required without making its usage required (I.e. "value SHOULD enable") accomplishes nothing. Also, what does "MUST be kept confidential" mean? Confidential from what? Why specify an "encoded value"?


Section 10.12 Cross-Site Request Forgery

Change to:

Cross-site request forgery (CSRF) is a web-based attack whereby HTTP requests are transmitted from the user-agent of an end-user the server trusts or has authenticated. CSRF attacks enable the attacker to intermix the attacker's security context with that of the resource owner resulting in a compromise of either the resource server or of the client application itself. In the OAuth context, such attacks allow an attacker to inject their own authorization code or access token into a client, which can result in the client using an access token associated with the attacker's account rather than the victim's. Depending on the nature of the client and the protected resources, this can have undesirable and damaging effects.

In order to prevent such attacks, the client application MUST encode a non-guessable, confidential end-user artifact and submit as the "state" parameter to authorization and access token requests to the authorization server. The client MUST keep the state value in a location accessible only by the client or the user-agent (i.e., protected by same-origin policy), for example, using a DOM variable, HTTP cookie, or HTML5 client-side storage.

The authorization server includes the value of the "state" parameter when redirecting the user-agent back to the client. Upon receiving a redirect, the client application MUST confirm that returned value of "state" corresponds to the state value of the user-agent's user session. If the end-user session represents an authenticated user-identity, the client MUST ensure that the user-identity has NOT changed.


The above text uses 'user-context' and this 'user-identity'. Neither term is defined.

EHL





_______________________________________________

OAuth mailing list

OAuth@ietf.org<mailto:OAuth@ietf.org>

https://www.ietf.org/mailman/listinfo/oauth

v2.14.0 | Report a Bug | By Email