IETF Logo Mail Archive

Re: [OAUTH-WG] Token substitution in DPoP

Nikos Fotiou <fotiou@aueb.gr> Sat, 21 November 2020 02:30 UTC

Return-Path: <fotiou@aueb.gr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59E393A0FD9 for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2020 18:30:23 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=aueb.gr
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8wXz-s-_GP1q for <oauth@ietfa.amsl.com>; Fri, 20 Nov 2020 18:30:21 -0800 (PST)
Received: from blade-b3-vm-relay.servers.aueb.gr (blade-b3-vm-relay.servers.aueb.gr [195.251.255.106]) by ietfa.amsl.com (Postfix) with ESMTP id C25523A0FD8 for <oauth@ietf.org>; Fri, 20 Nov 2020 18:30:19 -0800 (PST)
Received: from blade-a1-vm-smtp.servers.aueb.gr (blade-a1-vm-smtp.servers.aueb.gr [195.251.255.217]) by blade-b3-vm-relay.servers.aueb.gr (Postfix) with ESMTP id 49C68DDD; Sat, 21 Nov 2020 04:30:18 +0200 (EET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=aueb.gr; s=201901; t=1605925818; bh=h0Rg2gXfv/h+rmZGYGu3UwP0ku4gem9vfExqqkn18n0=; h=From:To:References:In-Reply-To:Subject:Date:From; b=GfKPb3LmfxE3ex3OsiwkxZ1yaS2GOyxR/S4HARdy2s5Je5+V1/E6sr//w3l9x2SXO Owxj0QZA1/2fso6zu/oHc01xROcWIFOUIC/6vuOTiE+Q8PlNTF9w2+PNn0nP9HxyIm ZDPt6Hh2UCeAJqryxeN4a4IU9tGKxSZ4w+azzJFWgRKrVLmAhaPKL/m4RjlkTCK8cK +s2wvT1jU9XlyXnKzzdoMz8dlQzdacYuovyEHN6FeT6TXGGGRfN8mCAVbFiTF4jBaC GimxuVnTXdNazPZgUiK/f0hMnV5a3/ssZXL6SzDrH0X7RnBVnw1p3MQX35W00RDFPV buHJcg/bwO0jw==
Received: from DESKTOP7VDSLBL (athedsl-4546155.home.otenet.gr [94.70.42.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: fotiou@aueb.gr) by blade-a1-vm-smtp.servers.aueb.gr (Postfix) with ESMTPSA id DC3E35DE; Sat, 21 Nov 2020 04:30:17 +0200 (EET)
From: Nikos Fotiou <fotiou@aueb.gr>
To: 'Justin Richer' <jricher@mit.edu>, 'oauth' <oauth@ietf.org>
References: <92113933-D3F6-494B-A697-9C0D77F2808B@mit.edu>
In-Reply-To: <92113933-D3F6-494B-A697-9C0D77F2808B@mit.edu>
Date: Sat, 21 Nov 2020 04:30:17 +0200
Message-ID: <016f01d6bfae$407e6bd0$c17b4370$@aueb.gr>
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQFsNp1WzMQLqWr/LSN3K9lSN/t1H6qm7huQ
Content-Language: el
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="----=_NextPart_000_016B_01D6BFBF.0343C4C0"; protocol="application/x-pkcs7-signature"; micalg="2.16.840.1.101.3.4.2.1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YnoBs0b8_WqR3Add5YTf9U90LFw>
Subject: Re: [OAUTH-WG] Token substitution in DPoP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2020 02:30:23 -0000

Hi,
The token is granted to a client based on the authorization grant and not the client's key. Therefore, a client may use a different key per token. At least this is an approach we are following. 

Best,
Nikos

-----Original Message-----
From: OAuth <oauth-bounces@ietf.org> On Behalf Of Justin Richer
Sent: Friday, November 20, 2020 9:26 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Token substitution in DPoP

While working on an implementation of DPoP recently, I realized that the value of the access token itself is not covered by the DPoP signature at all. What I’m wondering is whether or not this constitutes an attack surface that we care about here. Here’s how it works:


Let’s say that a client creates a DPoP key and uses that key to request two tokens, T1 and T2, for different users, Alice and Bob, respectively. Alice is malicious and wants to get Bob’s stuff. Alice manages to get a hold of Bob’s token value, T2, through some means. Normally DPoP wouldn’t let Alice create a new request using T2 since Alice doesn’t have the client’s key. However, if Alice gets the client to create a request for her using T1, she can copy the signature from that request onto a new request using T2. Since the signature doesn’t cover the token value and the key is the same, the RS should accept both requests, right?

An important aspect is that the parts needed to make this attack work are a little weird: you’d need access to a valid signed request from the client with T1 as well as access to a valid T2 attached to the same key in order to make this substitution. However, this is effectively the same attack area that bearer tokens have in a lot of ways, since it doesn’t require the attacker gaining access to the singing key to generate or modify a signature, nor does it require the attacker to generate or modify an access token (merely obtain one).


I’d like to understand if this is an actual attack against DPoP. If it isn’t, how is it countered by DPoP today? If it is, do we discuss in the DPoP draft? I didn’t see a mention of it there. If it’s not, should we discuss it there?


The old OAuth PoP draft mitigates this attack by putting the access token itself inside the signature body instead of a second header. Another option would be to include a hash of the token value (such as OIDC’s “at_hash” method used in ID Tokens) in the DPoP payload. With either of these approaches, Alice having access to T1, T2, and a signed message for T1 does not allow her to use T2 effectively.

 — Justin
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email