IETF Logo Mail Archive

Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec

John Panzer <jpanzer@google.com> Fri, 24 September 2010 16:34 UTC

Return-Path: <jpanzer@google.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 3E4DE3A6A3F for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:34:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -105.936
X-Spam-Level:
X-Spam-Status: No, score=-105.936 tagged_above=-999 required=5 tests=[AWL=0.040, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pVAPQ1s+i-8w for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:34:47 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [216.239.44.51]) by core3.amsl.com (Postfix) with ESMTP id DB28E3A697F for <oauth@ietf.org>; Fri, 24 Sep 2010 09:34:46 -0700 (PDT)
Received: from wpaz5.hot.corp.google.com (wpaz5.hot.corp.google.com [172.24.198.69]) by smtp-out.google.com with ESMTP id o8OGZIHV014932 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:35:18 -0700
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1285346118; bh=pftytv/aZBPhI+A/zfmRtjnO5lk=; h=MIME-Version:In-Reply-To:References:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=Jlv6T3+xnoQp6+E3CIhOONlhPMn6Wv0o1rJdjzI3pK8Ztfbx83/k0eVIASY0SEivL ghEKF8NqdtgByHehfZWOQ==
Received: from pzk3 (pzk3.prod.google.com [10.243.19.131]) by wpaz5.hot.corp.google.com with ESMTP id o8OGYkSH029361 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:35:17 -0700
Received: by pzk3 with SMTP id 3so621558pzk.23 for <oauth@ietf.org>; Fri, 24 Sep 2010 09:35:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=beta; h=domainkey-signature:received:mime-version:received:in-reply-to :references:from:date:message-id:subject:to:cc:content-type; bh=rKI6gWlPoo6iwGrOecHut5KuZ+qksuAp8qORr/GpTAs=; b=qnGQ7vXu2Jhtkmy4iN3s6MFM4Hf0WVa1y+almdu4b4OC+Q3pt7QUeuoh1YuyOjDTSO bLc9ZpLQ3nuaYNRe+qvw==
DomainKey-Signature: a=rsa-sha1; c=nofws; d=google.com; s=beta; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; b=BlR67Tu4gUJUTczRKbvNI0TwG4o8W8iUOGd1uVC931nU9HlcCNRRtMBYJOzJXRtSvY SDl3KQrdmb4kBnstHeYA==
Received: by 10.142.122.9 with SMTP id u9mr2943385wfc.83.1285346116870; Fri, 24 Sep 2010 09:35:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.142.233.7 with HTTP; Fri, 24 Sep 2010 09:34:56 -0700 (PDT)
In-Reply-To: <64B7C801-DAC2-4155-AB9D-88DFF709A689@bbn.com>
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain> <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com> <1285339868.15179.139.camel@localhost.localdomain> <BFF19F03-2B06-4C93-8CE0-2C9A6A267CE4@bbn.com> <AANLkTimVM7VaU=Y3wyVnT=LMOP1uVtAeHZNCV7DPNr2w@mail.gmail.com> <64B7C801-DAC2-4155-AB9D-88DFF709A689@bbn.com>
From: John Panzer <jpanzer@google.com>
Date: Fri, 24 Sep 2010 09:34:56 -0700
Message-ID: <AANLkTimciAaUKAiQh62=Nv3s9OwOZULur-P+wGjCpXp+@mail.gmail.com>
To: "Richard L. Barnes" <rbarnes@bbn.com>
Content-Type: multipart/alternative; boundary="001636e0a638b5a2db049103f679"
X-System-Of-Record: true
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:34:49 -0000

Ah ok, I misread your field names as field values :).

Of course recipients can always choose to ignore the result of verifying
signatures (or not verify them at all) no matter what scheme you use.

Note that Magic Signatures is unabashedly an envelope, and well written
libraries make it hard to shoot yourself in the foot by opening an invalid
envelope.

Then there's the question of checking to see if the data in the envelope is
consistent with data outside the envelope.  A good way to do this is to
ignore the data outside the envelope and only use the verified, enveloped
data.  There are other ways if you have more complicated requirements; but
you only need to do complicated things if you have those complicated
requirements.

Of course, if some other part of your system is using data outside the
envelope to make important security decisions before your signature-aware
code gets to it, you may have issues.  But I think you have issues under ALL
these proposals in that case.

--
John Panzer / Google
jpanzer@google.com / abstractioneer.org <http://www.abstractioneer.org/> /
@jpanzer



On Fri, Sep 24, 2010 at 9:20 AM, Richard L. Barnes <rbarnes@bbn.com> wrote:

> Maybe I've misunderstood the Magic Signatures proposal.  I thought that the
> MagicSig blob actually contained the data that was signed, so that step (3)
> below would be unnecessary.  (Note that the object in Step 2 has only field
> *names*, not *values*.)  Including the data is the part of that scheme that
> causes some heartburn, since the recipient can choose not to verify the
> match against the original data (the HTTP request).
>
> Like I said earlier, though, Magic Signatures / JSON token could probably
> still be useful, as long as the signed data is reconstructed, not provided
> in the token.  The correspondence in my example was deliberate :)
>
> --Richard
>
>
>
>
> On Sep 24, 2010, at 12:11 PM, John Panzer wrote:
>
> Richard,
>
> I'm a bit confused because the made-up example you give below is,
> essentially, what Magic Signatures does.  The algorithm you present is
> basically the correct one IMHO.  Are you assuming that the recipient is
> _also_ using the HTTP-level method and URL path for some  important security
> decision?
>
> (Note:  I'm assuming it's fine to use this unverified host/path data for
> tentative routing to an intended recipient, because the worst thing a MITM
> attacker can possibly do is to route it to the wrong recipient.  As long as
> the recipient uses only signed information to decide whether it will
> actually ACCEPT the data, it will be fine.  MITM attackers can always
> mis-route even signed messages of course, given that firewalls etc. are not
> aware of signatures, so I don't see this as a distinction.)
>
> --
> John Panzer / Google
> jpanzer@google.com / abstractioneer.org <http://www.abstractioneer.org/> /
> @jpanzer
>
>
>
> On Fri, Sep 24, 2010 at 8:26 AM, Richard L. Barnes <rbarnes@bbn.com>wrote:
>
>>  Yes, there is certainly a risk if someone just checks the signature and
>>> does not verify the content of the message. This is a bad implementation
>>> of an authorization system, to be sure, and it's an issue that people
>>> need to be aware of. But simply signing metadata doesn't completely
>>> solve the problem, either. In both cases there can be parameters that
>>> are outside of the signed request that need to be checked and treated
>>> appropriately.
>>>
>>
>> Ah, perhaps I was unclear.  I didn't mean *signing* metadata, I meant
>> *sending* metadata.  Using a completely made-up syntax:
>>
>> 1. Signer computes signature sig_val over data object:
>>   { user_agent: "Mozilla", method: "GET" }
>> 2. Signer sends { signed_fields: ['user_agent', 'method'], sig: sig_val }
>> 3. Recipient reconstructs data object using signed_fields
>> 4. Recipient verifies sig_val == sign(reconstructed_object)
>>
>> --Richard
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
>
>

v2.23.0 | Report a Bug | By Email