IETF Logo Mail Archive

Re: [OAUTH-WG] Token substitution in DPoP

Brian Campbell <bcampbell@pingidentity.com> Tue, 24 November 2020 21:18 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 754133A0BD9 for <oauth@ietfa.amsl.com>; Tue, 24 Nov 2020 13:18:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.098
X-Spam-Level:
X-Spam-Status: No, score=-2.098 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bVIS_IohXFoV for <oauth@ietfa.amsl.com>; Tue, 24 Nov 2020 13:18:35 -0800 (PST)
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A79AA3A0BE2 for <oauth@ietf.org>; Tue, 24 Nov 2020 13:18:34 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id s27so107162lfp.5 for <oauth@ietf.org>; Tue, 24 Nov 2020 13:18:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=nZ9mrCHvzuAfkExbUXyZJ3K18jgXbN3G8p7p9x3fv7Y=; b=RM+XZq5l0LOdZRnA4io5O6jeqdnpdcF4Ez9rHCsskAYtOOrnrYGLJhwJ293SAghAYH 2vS5aMEFhGVOqVMwfHf1qjKKleHl2eAp84x3GVruUMb5X01L9Msu5crrhePtxtK2LdZC 4+aBJbV3DgMTRzPRWvfp0E2vAoyT0kPZXhz9Xw7LMsbwlrQJQDV3EN1J11weHE/EtoR8 W/+HOs/aLjC0YRMF/oLLqhsuFG/ZhN5ZyTVgdAwxeEt88K3Tqo4pMuiD/7Qm3qvqeCdt qZwrDaSqLmex01fzyd/Y3uGdwjkU6k3daxjluiHkxJGVcqkw17JUNk39bMC8eFSPt6Lx I2EA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=nZ9mrCHvzuAfkExbUXyZJ3K18jgXbN3G8p7p9x3fv7Y=; b=Fnq8Mk8lwsNcU/nJdCh+KfyRjlkFRDnrb2vScQs4A8Dsm8K2x05FltxTW+tZOVmcA3 6/3XpynqaEFtsQXX44N8k4lBih/yvCO5Pnl8em50yVPC7LfMz6SDbbI/uXW3xuJPudiP Y7F8Gl7ZS/LI4R8ZPOsgK399yIYT1fll/eSM3mhxgyRTZjM3f/MVqsPYFiDRy/2AKJol ROB/e1z6wfcz1SccCbkodrUxQPTc6kszuRjQ36XY9twIcLRGZyqhL3MzmEV3lIZlfkA7 cNy+/FICR3voAi6P5iA3qMjHCJTic8KvAAf6mjhPRNa+HqvjWp2WbgeNtmFXU4gkO5OF TflA==
X-Gm-Message-State: AOAM532uwEnbWUKdyRis2rCi0Xni5A2izWp384rN1rm01W8P9G/XIaTW NH+g6VfRiexS4tOBGKJ94qorBmlvDLgqu/+HPd0Qk3TwfyfsAlht5wKBGKqsfQmnCub719hegIN y3qZPF/lPeUtxsg==
X-Google-Smtp-Source: ABdhPJw+2nJOIbI9D2sKy4jqhpBd0MM2pSNN5ihFtbrc/PUo0UY8364w5x1/nY545MNaBW85ADDUL3i4WNmiFmvLxEA=
X-Received: by 2002:ac2:4349:: with SMTP id o9mr34214lfl.194.1606252710099; Tue, 24 Nov 2020 13:18:30 -0800 (PST)
MIME-Version: 1.0
References: <c3e0e841-0e30-872e-a56f-330c0b897da0@danielfett.de> <22D724F4-BF92-481F-A70C-E82B08D2017F@forgerock.com>
In-Reply-To: <22D724F4-BF92-481F-A70C-E82B08D2017F@forgerock.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 24 Nov 2020 14:18:03 -0700
Message-ID: <CA+k3eCQU4_VMSKQ41rpecQshq_4ox5YqEXOKEDAVWvXPXwz4ng@mail.gmail.com>
To: Neil Madden <neil.madden@forgerock.com>
Cc: Daniel Fett <fett@danielfett.de>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000034a4ab05b4e0dabe"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X-Fy2R3RqkP5lLDBuR820s3H-uE>
Subject: Re: [OAUTH-WG] Token substitution in DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 24 Nov 2020 21:18:39 -0000

It took me some time to warm to the ECDH based idea but I do think it has a
lot of merit. For whatever it's worth, I put the idea forth as one
potential path forward during the general PoP interim meeting back in March
(
https://datatracker.ietf.org/meeting/interim-2020-oauth-02/materials/slides-interim-2020-oauth-02-sessa-oauth-20-proof-of-possession-00.pdf
slide 8) but the WG consensus was to pursue a signature style PoP for the
current efforts, which was followed not long after by WG adoption of DPoP.
I could potentially see an ECDH-style-POP effort making a resurgence in the
future. But it's fundamentally pretty different.




On Tue, Nov 24, 2020 at 4:03 AM Neil Madden <neil.madden@forgerock.com>
wrote:

> I agree with Daniel that I’d be a bit wary of assuming that this could
> never be exploited. For example, a server-side web app that signs DPoP
> proofs on behalf of client-side Javascript (to keep the key safe on the
> server) and reuses the key for different users could be a risk.
>
> IMO this is another symptom of the general issue of using signatures for
> authentication - they are too strong for the job. The fact that a signature
> is equally valid to all parties and at all times means you have to be very
> careful to include enough context in the signature calculation to ensure
> all these kinds of attacks are eliminated. And you have to ensure that all
> RSes check the context.
>
> Contrast that to my suggestion to use ECDH [1], which was already immune
> to such attacks by including the access token in the key derivation step.
> (And in such a way that requires no additional data on the wire and is
> almost impossible for the RS not to verify). Even without including the
> access token in the KDF, the attack could only happen if the client reused
> its key and the RS reused a challenge key pair.
>
> Macaroon access tokens [2] are also immune to this attack, as in that case
> the constraints that go in the DPoP proof are directly attached to the
> access token itself so there is no way to reuse them separately.
> (Interestingly, macaroons have a more direct analogue of DPoP in the form
> of discharge macaroons. Such discharge macaroons are required to be
> “prepared” before use, which cryptographically binds them to the equivalent
> of the access token - so this kind of attack was also considered and
> addressed there).
>
> [1]:
> https://mailarchive.ietf.org/arch/msg/oauth/1Zltt75p5taPw0DRmhoKLbavu9s/
> [2]:
> https://neilmadden.blog/2020/07/29/least-privilege-with-less-effort-macaroon-access-tokens-in-am-7-0/
>
> — Neil
>
> On 24 Nov 2020, at 09:38, Daniel Fett <fett@danielfett.de> wrote:
>
> 
> Thanks Justin for bringing this to our attention.
>
> Right now, I don't think that this is a big problem and I wasn't able to
> come up with a way to improve the attack. I hope that it doesn't come back
> to haunt us when somebody does a more in-depth analysis...
>
> That said, the lack of binding to the access token makes it easier to
> precompute proofs if somebody has a limited code execution opportunity in
> the client. We have this paragraph in the spec:
>
>    Malicious XSS code executed in the context of the browser-based
>    client application is also in a position to create DPoP proofs with
>    timestamp values in the future and exfiltrate them in conjunction
>    with a token.  These stolen artifacts can later be used together
>    independent of the client application to access protected resources.
>    The impact of such precomputed DPoP proofs can be limited somewhat by
>    a browser-based client generating and using a new DPoP key for each
>    new authorization code grant.
>
> The recommendation could be to use a fresh key pair for each token request.
>
> -Daniel
>
>
> Am 20.11.20 um 20:26 schrieb Justin Richer:
>
> While working on an implementation of DPoP recently, I realized that the value of the access token itself is not covered by the DPoP signature at all. What I’m wondering is whether or not this constitutes an attack surface that we care about here. Here’s how it works:
>
>
> Let’s say that a client creates a DPoP key and uses that key to request two tokens, T1 and T2, for different users, Alice and Bob, respectively. Alice is malicious and wants to get Bob’s stuff. Alice manages to get a hold of Bob’s token value, T2, through some means. Normally DPoP wouldn’t let Alice create a new request using T2 since Alice doesn’t have the client’s key. However, if Alice gets the client to create a request for her using T1, she can copy the signature from that request onto a new request using T2. Since the signature doesn’t cover the token value and the key is the same, the RS should accept both requests, right?
>
> An important aspect is that the parts needed to make this attack work are a little weird: you’d need access to a valid signed request from the client with T1 as well as access to a valid T2 attached to the same key in order to make this substitution. However, this is effectively the same attack area that bearer tokens have in a lot of ways, since it doesn’t require the attacker gaining access to the singing key to generate or modify a signature, nor does it require the attacker to generate or modify an access token (merely obtain one).
>
>
> I’d like to understand if this is an actual attack against DPoP. If it isn’t, how is it countered by DPoP today? If it is, do we discuss in the DPoP draft? I didn’t see a mention of it there. If it’s not, should we discuss it there?
>
>
> The old OAuth PoP draft mitigates this attack by putting the access token itself inside the signature body instead of a second header. Another option would be to include a hash of the token value (such as OIDC’s “at_hash” method used in ID Tokens) in the DPoP payload. With either of these approaches, Alice having access to T1, T2, and a signed message for T1 does not allow her to use T2 effectively.
>
>  — Justin
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
> -- https://danielfett.de
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.23.0 | Report a Bug | By Email