IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Interim Meeting - April 12 - Security BCP

Denis <denis.ietf@free.fr> Mon, 12 April 2021 14:56 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FC293A211B for <oauth@ietfa.amsl.com>; Mon, 12 Apr 2021 07:56:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.119
X-Spam-Level:
X-Spam-Status: No, score=-1.119 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5VeoXNWwMdtl for <oauth@ietfa.amsl.com>; Mon, 12 Apr 2021 07:56:30 -0700 (PDT)
Received: from smtp.smtpout.orange.fr (smtp05.smtpout.orange.fr [80.12.242.127]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93D2F3A1904 for <oauth@ietf.org>; Mon, 12 Apr 2021 07:56:26 -0700 (PDT)
Received: from [192.168.1.11] ([90.26.9.133]) by mwinf5d52 with ME id rqwP240072sDAeJ03qwPy9; Mon, 12 Apr 2021 16:56:24 +0200
X-ME-Helo: [192.168.1.11]
X-ME-Auth: ZGVuaXMucGlua2FzQG9yYW5nZS5mcg==
X-ME-Date: Mon, 12 Apr 2021 16:56:24 +0200
X-ME-IP: 90.26.9.133
To: Daniel Fett <fett@danielfett.de>, oauth@ietf.org
References: <CADNypP80KicBYDjOHkZQMrowM1WgrtpCr1Ywt88RrTRbZ_Ctrw@mail.gmail.com> <1990805d-e9c5-969a-9c62-a3ddd21e2180@free.fr> <2e1af244-91cd-1d08-8bf6-97cc82e3f862@danielfett.de> <065f2559-d14b-5ddc-ba33-8ce14fa2d622@free.fr> <9913e316-ab20-b9fa-bb59-15241d943622@danielfett.de>
From: Denis <denis.ietf@free.fr>
Message-ID: <3362fd52-fcd2-7f80-f7e4-5dcc1cceff73@free.fr>
Date: Mon, 12 Apr 2021 16:56:23 +0200
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.9.0
MIME-Version: 1.0
In-Reply-To: <9913e316-ab20-b9fa-bb59-15241d943622@danielfett.de>
Content-Type: multipart/alternative; boundary="------------EB08CF4724D8CFEB1ACBD9F1"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/YqrtM3l18-EMs4eePQgA2hLbJgs>
Subject: Re: [OAUTH-WG] OAuth Interim Meeting - April 12 - Security BCP
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Apr 2021 14:56:34 -0000

Hi  Daniel,

> (...)
>>>
>>> As I'm sure you have noticed, we have updated Section 3 following 
>>> your last input. It now explicitly says:
>>>
>>>     Attackers can collaborate to reach a common goal.
>>>
>>> It also says
>>>
>>>    Note that in this attacker model, an attacker (see A1) can be a RO or
>>>    act as one.  For example, an attacker can use his own browser to
>>>    replay tokens or authorization codes obtained by any of the attacks
>>>    described above at the client or RS.
>>>
>>> Your scenario is therefore covered. It was already before, but that 
>>> was obviously too implicit, so we made it more clear with the recent 
>>> update.
>>>
>> [Denis] I don't believe that the scenario is covered with the above 
>> sentences.
>>
> I don't understand. This is not about believing, it is written very 
> clearly and conclusively in the text of the current draft.
>
> We've had this discussion before, and, although irrelevant for the 
> meaning of the BCP itself, I would like to refer you again to the 
> formal model in our research paper, which the BCP attacker model is 
> based on. It has a *very* precise definition of the attacker model 
> that does not leave room for interpretation. The natural-language 
> description in the BCP, as usual, is more fuzzy than the formal 
> definition, but both attacker models include clients cooperating.
>
[Denis]. Your very last sentence is finally using two magic words that 
are not present anywhere in the BCP: "*clients cooperating*".
However, *clients collusion* or *clients collaboration* would be more 
accurate.

>
>>>> Finally, section 4 (Attacks and Mitigations) should include an 
>>>> additional subsection, e.g. section 4.16, addressing the case of a 
>>>> collaboration attack
>>>> between clients against a RS.
>>>>
>>> If I remember correctly, you first presented this attack at the 
>>> OAuth Security Workshop in 2017.
>>> Since then, it has been brought up countless times on this mailing 
>>> list, both with regards to the Security BCP as well as for the JWT 
>>> Token draft.
>>>
>>> There has been practically no positive resonance at the meeting 2017 
>>> or here on the mailing list as to including this in either of the 
>>> drafts.
>>>
>>> A number of reasons come to mind, but first and foremost, I think 
>>> that what you describe is not perceived as an attack, or, worded 
>>> differently,
>>> it is obvious that what you describe in the "attack" is possible.
>>>
>> [Denis] Here after comes the important sentence which is wrong:
>>
>>
>>> *There is no expectation that OAuth would defend against this kind 
>>> of thin**g*,
>>> just as there is no mitigation against password sharing in 
>>> password-based authentication.
>>>
>> [Denis] In the section 4.16.2 there is a clear proposal that explains 
>> how *"OAuth can successfully defend against this kind of thin**g"*. 
>> *So* *there **IS **a solution*.
>>
> I did not say that there is no solution.

[Denis] Well, ... ask anybody else how he would interpret your statement.


>> Currently, when reading the text, an implementer might consider to 
>> deliver an access token that contains a claim such as "older the 18" 
>> without any "sub" or equivalent claim.
>> Such an access token would be transferable to anyone and the RS would 
>> not be able to identify the attack.
>>
> Your proposed solution does not enable an RS to identify the attack 
> unless used together with some form of authentication way outside the 
> scope of OAuth.
>
[Denis] I never said that there is "some form of authentication". The 
word "authentication" is not present in my text proposal.

At the moment (/and this is a topic of its own that could be discussed 
later on/), a "sub" claim present in an access token is unrelated to any 
identifier
used during an authentication exchange between an end-user and a RS.

This means that your statement is incorrect.

*"OAuth can successfully defend against this kind of thin**g" and, since 
countermeasures exist, they should be described.
*

> Again, this also goes deeply into OIDC territory.
>
>> I therefore propose to proceed with the Security BCP *with the 
>> inclusion of this attack*.
>>
>>> Even though the Security BCP attacker model includes the general 
>>> setting required for the attack, the attack does not violate an 
>>> expected security property.
>>>
>>> I therefore propose to proceed with the Security BCP without 
>>> including this attack.
>>>
>>> -Daniel
>>>
>> [Denis] Since you have deleted the remaining of my email, I copy it 
>> again. If you respond to this email, please DO NOT delete it.
>>
> I deleted the remainder of the mail as it was not relevant to my 
> answer (see RFC1855, Section 3.1.1). Everybody can access your 
> original mail on the mailing list.
>
> -Daniel
>
I re-established the remainder of the mail as it is relevant to *my 
*answer.

However, reading it again, the "Attack description" does not refer to a 
JWT access token whereas it is not the case for the two other sub-sections.
Nevertheless, these two sub-sections could be easily generalized to also 
address the case where JWT access tokens are not being used.

    Finally, section 4 (Attacks and Mitigations) should include an
    additional subsection, e.g. section 4.16, addressing the case of a
    collaboration attack
    between clients against a RS.

    This sub-section would need to include to other sub-sections:

    4.16.1Attack Description
    4.16.2Countermeasures

    The following text is a skeleton proposed for these subsections:

    *4.16****Collaboration attack between clients against a RS*

    The goal of the attack is for an illegitimate client to obtain an
    access token from an authorization server with the help of a client
    of the authorization server.

    *4.16.1****Attack Description*

    The legitimate client performs in real time all the cryptographic
    computations needed by the illegitimate client to get an access
    token and to present it to a RS.
    This attack is not a replay of a access token, but the use of a
    legitimate access token by an illegitimate client with the
    complicity of the legitimate client.

    It should be observed that protecting some private keys into a
    secure element is ineffective to counter this kind of attack, since
    the legitimate client can perform
    all the computations needed by the illegitimate client, without the
    need to know or to transfer the values of these private keys.

    *4.16.2****Countermeasures*

    This attack may be countered by using a "sub" claim into the access
    token. It should be observed that the "sub" claim is a REQUIRED
    claim in the JWT access token
    data structure. See section 2.2 from JSON Web Token (JWT) Profile
    for OAuth 2.0 Access Tokens.

    Section 5 (Security Considerations) from JSON Web Token (JWT)
    Profile for OAuth 2.0 Access Tokens states:

    Authorization servers should prevent scenarios where clients can
    affect the value of the "sub" claim in ways that could confuse
    resource servers.

    This statement is correct but insufficient, since it does not say
    how resources servers cannot get confused.

    Section 6(Privacy Considerations) states:

          This profile mandates the presence of the "sub" claim in every
    JWT access token, making it possible for resource servers to rely on
    that information
          for correlating incoming requests with data stored locally for
    the authenticated principal.

    This statement is correct but is unclear. To be more precise, in
    order to counter the collaboration attack between clients against a
    RS, the RS should manage
    user accounts associated either with a globally unique identifier or
    an identifier specific to an AS-RS pair while the "sub" claim shall
    contain either
    a globally unique identifier or an identifier specific to an AS-RS
    pair which shall be compared with the identifier of the user
    account. If there is no match,
    the access token shall be discarded.

Denis

PS. I re-read RFC1855, Section 3.1.1, but there is nothing in the 
Netiquette to delete or maintain some parts of a received message.


> -- 
> https://danielfett.de

v2.23.0 | Report a Bug | By Email