[OAUTH-WG] Text Proposal for draft-ietf-oauth-spop-04
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 19 November 2014 12:44 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 127311A1A01 for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 04:44:51 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.494
X-Spam-Level:
X-Spam-Status: No, score=-2.494 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vVNe168icd9R for <oauth@ietfa.amsl.com>; Wed, 19 Nov 2014 04:44:48 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C0361A079A for <oauth@ietf.org>; Wed, 19 Nov 2014 04:44:48 -0800 (PST)
Received: from [192.168.131.129] ([80.92.115.84]) by mail.gmx.com (mrgmx002) with ESMTPSA (Nemesis) id 0LpL4H-1YThE33Bpd-00fA02 for <oauth@ietf.org>; Wed, 19 Nov 2014 13:44:46 +0100
Message-ID: <546C90BE.4040402@gmx.net>
Date: Wed, 19 Nov 2014 13:44:46 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: "oauth@ietf.org" <oauth@ietf.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="0MVoliIOpMUiOXRWNOQnEmCfFRFnxXoJH"
X-Provags-ID: V03:K0:WeW1fhAvDWtV255jhBcXX4Nn64Uhd6tsbqrDW+looILS8epDoRk cR+UdH021FX30q1XCA4khRZHfkRC+MB8NEDrynbGWfL1Y6nQHcDg7OPRnWZueiDi90P6ccY 2w1pYb3ABNke5i6HdzRDwIlAb2M8pwe6iVUWVAR1EKAgErFZAsXr0g1R9UPWvGipIqBG3Od miANIPpXGZ5MEhGhjUsCQ==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/Yo1o7rQKcHoRyeFvwSk24QqlQdU
Subject: [OAUTH-WG] Text Proposal for draft-ietf-oauth-spop-04
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Nov 2014 12:44:51 -0000
Hi Nat, I have a few text suggestions for the abstract and the intro. FROM: Abstract The OAuth 2.0 public client utilizing Authorization Code Grant (RFC 6749 - 4.1) is susceptible to the code interception attack. This specification describes a mechanism that acts as a control against this threat. TO: Abstract OAuth 2.0 public clients utilizing the Authorization Code Grant are susceptible to the authorization code interception attack. This specification describes the attack as well as a technique to mitigate against the threat. New text for the into: 1. Introduction OAuth 2.0 [RFC6749] public clients are susceptible to the authorization code interception attack. The attacker thereby intercepts the authorization code returned from the authorization endpoint within communication path not protected by TLS, such as inter-app communication within the operating system of the client. Once the attacker has gained access to the authorization code it can use it to obtain the access token. Figure 1 shows the attack graphically. In step (1) the native app running on the end device, such as a smart phone, issues an authorization request via the browser/operating system, which then gets forwarded to the OAuth 2.0 authorization server in step (2). The authorization server returns the authorization code in step (3). The malicious app is able to observe the authorization code in step (4) since it is registered to the custom URI scheme used by the legitimate app. This allows the attacker to reguest and obtain an access token in step (5) and step (6), respectively. +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ | End Device (e.g., Smart Phone) | | | | +-------------+ +----------+ | (6) Access Token +----------+ | |Legitimate | | Malicious|<--------------------| | | |OAuth 2.0 App| | App |-------------------->| | | +-------------+ +----------+ | (5) Authorization | | | | ^ ^ | Grant | | | | \ | | | | | | \ (4) | | | | | (1) | \ Authz| | | | | Authz| \ Code | | | Authz | | Request| \ | | | Server | | | \ | | | | | | \ | | | | | v \ | | | | | +----------------------------+ | | | | | | | (3) Authz Code | | | | Operating System/ |<--------------------| | | | Browser |-------------------->| | | | | | (2) Authz Request | | | +----------------------------+ | +----------+ +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~+ Figure 1: Authorization Code Interception Attack. A number of pre-conditions need to hold in order for this attack to work: 1) The attacker manages to register a malicious application on the client device and registers a custom URI scheme that is also used by another application. The operating systems must allow a custom URI schemes to be registered by multiple applications. 2) The OAuth 2.0 authorization code grant is used. 3) The attacker has access to the client id. All native app client-instances use the same client id. No client secret is used (since public clients cannot keep their secrets confidential.) 4) The attacker (via the installed app) is able to observe responses from the authorization endpoint. As a more sophisticated attack scenario the attacker is also able to observe requests (in addition to responses) to the authorization endpoint. The attacker is, however, not able to act as a man-in-the-middle. While this is a long list of pre-conditions the described attack has been observed in the wild and has to be considered in OAuth 2.0 deployments. While Section 4.4.1 of [RFC6819] describes mitigation techniques they are, unfortunately, not applicable since they rely on a per-client instance secret or aper client instance redirect URI. Ciao Hannes
- [OAUTH-WG] Text Proposal for draft-ietf-oauth-spo… Hannes Tschofenig
- Re: [OAUTH-WG] Text Proposal for draft-ietf-oauth… John Bradley
- Re: [OAUTH-WG] Text Proposal for draft-ietf-oauth… Nat Sakimura