[OAUTH-WG] Adding the option to use server-supplied nonces to DPoP
Mike Jones <Michael.Jones@microsoft.com> Fri, 17 September 2021 17:04 UTC
We all know that using proof-of-possession with issued tokens is a means of rendering exfiltrated tokens useless to attackers. DPoP was created as one of the tools to prevent this. There's a huge amount of evidence of successful token exfiltration attacks in the wild, some of which is referenced at the end of this message. For instance, sometimes the legitimate user of a client is the attacker. One instance of this is that some banks have cited employees stealing legitimate tokens issued on bank computers and taking them to non-bank computers, thereby bypassing audit controls.

When reviewing DPoP with Microsoft's identity architects, they pointed out that DPoP as written today can still enable exfiltrated DPoP tokens to be used by some kinds of attackers; doing so also requires that the attackers exfiltrate DPoP proofs. This is possible when the legitimate user of a client is the attacker.

Preventing exfiltrated pre-generated DPoP proofs from being used in the future requires the server being able to limit their lifetime. An effective means of doing this is to include a server-provided nonce in the DPoP proof. That puts the lifetime of DPoP proofs in control of the server, because when a new nonce value is provided, older, possibly pre-generated DPoP proofs become invalid at the server.

The Microsoft identity server team is already internally using this technique with the stale OAuth HTTP Signing draft. They want to be able to use it with DPoP for the same reasons. DPoP without this won't mitigate the real security attacks that our systems are encountering.

Note that unless a server-provided nonce is used, what is actually being proved is possession of a DPoP proof - not possession of the proof-of-possession key.

Having discussed this with some of the editors, I have created a pull request adding the optional use of server-provided nonces to DPoP. This will break no existing deployments. But it will enable new deployments to choose to use server-contributed nonces to limit DPoP proof lifetimes, both for authorization servers and resource servers. The pull request is at https://github.com/danielfett/draft-dpop/pull/81/. Reviews of the PR are welcomed. I propose that we merge it and publish draft -04 sometime next week, pending review feedback.

====

My colleague Pieter Kasselman assembled some examples of successful token exfiltration attacks in the public domain (and helped review the PR). Those follow, for your reading pleasure.

1. Introducing a new phishing technique for compromising Office 365 accounts (o365blog.com) <https://o365blog.com/post/phishing/>
   * It describes a phishing attack that allows the attacker to obtain an Access Token and a Refresh Token (which is then used to obtain additional Access Tokens).
   * Operationalised with the AADInternals Tool
2. The Art of the Device Code Phish - Boku (0xboku.com) <https://0xboku.com/2021/07/12/ArtOfDeviceCodePhish.html>
   * It extends the above attack and shows step-by-step how to exfiltrate an Access Token and a Refresh Token with a similar phishing attack and then obtain additional tokens.
   * Operationalised with AADInternals and TokenTactics
3. DEF CON 29 - Jenko Hwong - New Phishing Attacks Exploiting OAuth Authentication Flows - YouTube <https://www.youtube.com/watch?v=9slRYvpKHp4>
   * It shows another attack to exfiltrate tokens using phishing techniques that exploit Device Code Flow.
   * It includes a demo of the attack that shows how it bypasses MFA and anti-Phishing controls and then uses the PRT to get tokens and pivot to other services.
   * Tools available as open source.
4. Requesting Azure AD Request Tokens on Azure-AD-joined Machines for Browser SSO | by Lee Christensen | Posts By SpecterOps Team Members <https://posts.specterops.io/requesting-azure-ad-request-tokens-on-azure-ad-joined-machines-for-browser-sso-2b0409caad30>
   * Outlines how a Refresh Token can be exfiltrated from a Chrome browser
   * Operationalised with a tool called RequestAADRefreshToken
5. Abusing Azure AD SSO with the Primary Refresh Token - dirkjanm.io <https://dirkjanm.io/abusing-azure-ad-sso-with-the-primary-refresh-token/>
   * Extracts the Primary Refresh Token through Chrome
   * Requires executing code on the user's device to interact with the Chrome browser, executed in the user context, no elevated privileges needed
   * Operationalised through ROADtoken and ROADtools.
6. Digging further into the Primary Refresh Token - dirkjanm.io <https://dirkjanm.io/digging-further-into-the-primary-refresh-token/>
   * Describes how the PRT and session keys can be extracted from a device (requires local admin)
   * Operationalised through ROADtools

-- 
Mike