IETF Logo Mail Archive

[OAUTH-WG] Text Proposal for draft-ietf-oauth-spop-04

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 19 November 2014 12:44 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 127311A1A01 for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 04:44:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.494
X-Spam-Level:
X-Spam-Status: No, score=-2.494 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVNe168icd9R for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 04:44:48 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0361A079A for <oauth@ietf.org>; Wed, 19 Nov 2014 04:44:48 -0800 (PST)
Received: from [192.168.131.129] ([80.92.115.84]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LpL4H-1YThE33Bpd-00fA02 for <oauth@ietf.org>; Wed, 19 Nov 2014 13:44:46 +0100
Message-ID: <546C90BE.4040402@gmx.net>
Date: Wed, 19 Nov 2014 13:44:46 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="0MVoliIOpMUiOXRWNOQnEmCfFRFnxXoJH"
X-Provags-ID: V03:K0:WeW1fhAvDWtV255jhBcXX4Nn64Uhd6tsbqrDW+looILS8epDoRk cR+UdH021FX30q1XCA4khRZHfkRC+MB8NEDrynbGWfL1Y6nQHcDg7OPRnWZueiDi90P6ccY 2w1pYb3ABNke5i6HdzRDwIlAb2M8pwe6iVUWVAR1EKAgErFZAsXr0g1R9UPWvGipIqBG3Od miANIPpXGZ5MEhGhjUsCQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Yo1o7rQKcHoRyeFvwSk24QqlQdU
Subject: [OAUTH-WG] Text Proposal for draft-ietf-oauth-spop-04
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 12:44:51 -0000

Hi Nat,

I have a few text suggestions for the abstract and the intro.


FROM:

Abstract

   The OAuth 2.0 public client utilizing Authorization Code Grant (RFC
   6749 - 4.1) is susceptible to the code interception attack.  This
   specification describes a mechanism that acts as a control against
   this threat.


TO:

Abstract

   OAuth 2.0 public clients utilizing the Authorization Code Grant are
   susceptible to the authorization code interception attack.  This
specification
   describes the attack as well as a technique to mitigate against the
   threat.

New text for the into:


1.  Introduction

   OAuth 2.0 [RFC6749] public clients are susceptible to the
   authorization code interception attack.

   The attacker thereby intercepts the authorization code returned
   from the authorization endpoint within communication path not
   protected by TLS, such as inter-app communication within the
   operating system of the client.

   Once the attacker has gained access to the authorization code it
   can use it to obtain the access token.

   Figure 1 shows the attack graphically. In step (1) the native
   app running on the end device, such as a smart phone, issues
   an authorization request via the browser/operating system, which
   then gets forwarded to the OAuth 2.0 authorization server in
   step (2). The authorization server returns the authorization code
   in step (3). The malicious app is able to observe the
   authorization code in step (4) since it is registered to the
   custom URI scheme used by the legitimate app. This allows the
   attacker to reguest and obtain an access token in step (5)
   and step (6), respectively.

 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+
 | End Device (e.g., Smart Phone) |
 |                                |
 | +-------------+   +----------+ | (6) Access Token  +----------+
 | |Legitimate   |   | Malicious|<--------------------|          |
 | |OAuth 2.0 App|   | App      |-------------------->|          |
 | +-------------+   +----------+ | (5) Authorization |          |
 |        |    ^          ^       |        Grant      |          |
 |        |     \         |       |                   |          |
 |        |      \   (4)  |       |                   |          |
 |    (1) |       \  Authz|       |                   |          |
 |   Authz|        \ Code |       |                   |  Authz   |
 | Request|         \     |       |                   |  Server  |
 |        |          \    |       |                   |          |
 |        |           \   |       |                   |          |
 |        v            \  |       |                   |          |
 | +----------------------------+ |                   |          |
 | |                            | | (3) Authz Code    |          |
 | |     Operating System/      |<--------------------|          |
 | |         Browser            |-------------------->|          |
 | |                            | | (2) Authz Request |          |
 | +----------------------------+ |                   +----------+
 +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+

   Figure 1: Authorization Code Interception Attack.

   A number of pre-conditions need to hold in order for this attack
   to work:

   1) The attacker manages to register a malicious application on
      the client device and registers a custom URI scheme that is
      also used by another application.

      The operating systems must allow a custom URI schemes to
      be registered by multiple applications.

   2) The OAuth 2.0 authorization code grant is used.

   3) The attacker has access to the client id. All native app
      client-instances use the same client id. No client secret is
      used (since public clients cannot keep their secrets
      confidential.)

   4) The attacker (via the installed app) is able to observe
      responses from the authorization endpoint. As a more
      sophisticated attack scenario the attacker is also able
      to observe requests (in addition to responses) to the
      authorization endpoint. The attacker is, however, not
      able to act as a man-in-the-middle.

   While this is a long list of pre-conditions the described attack
   has been observed in the wild and has to be considered in
   OAuth 2.0 deployments. While Section 4.4.1 of [RFC6819] describes
   mitigation techniques they are, unfortunately, not applicable
   since they rely on a per-client instance secret or aper client
   instance redirect URI.

Ciao
Hannes

v2.23.0 | Report a Bug | By Email