IETF Logo Mail Archive

[OAUTH-WG] Reuse of "state" across different AS in draft-bradley-oauth-jwt-encoded-state-08

Daniel Fett <daniel.fett@sec.uni-stuttgart.de> Fri, 18 May 2018 13:46 UTC

Return-Path: <daniel.fett@sec.uni-stuttgart.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD56112D95F for <oauth@ietfa.amsl.com>; Fri, 18 May 2018 06:46:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=uni-stuttgart.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G-uh6Wrp0TdT for <oauth@ietfa.amsl.com>; Fri, 18 May 2018 06:46:07 -0700 (PDT)
Received: from mxex1.tik.uni-stuttgart.de (mxex1.tik.uni-stuttgart.de [IPv6:2001:7c0:2041:24::a:1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9146B12D7F8 for <oauth@ietf.org>; Fri, 18 May 2018 06:46:07 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mxex1.tik.uni-stuttgart.de (Postfix) with ESMTP id C64DB7CD56 for <oauth@ietf.org>; Fri, 18 May 2018 15:46:05 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=uni-stuttgart.de; h=content-language:content-type:content-type:mime-version :user-agent:date:date:message-id:subject:subject:from:from :received:received; s=dkim; i=@sec.uni-stuttgart.de; t= 1526651163; x=1528389964; bh=TpslNmvx4lajsadwp3sJjOIYHOmOWqUNDEV G0ANJDB8=; b=J+KkwgV8lEBgATcnG5zMfZRyYd2g/xG2P7S0hjhA9rayrPpkmb9 vbhn1Du/GiM2Wlw4pJITgm+jt8AMWwLNPGhGbX2OYO7qztl41cbiTGDJ6fDNcu2k s9E19OFOxqhm+hSpkdtmvg+n/egeIRiXo9XjJgUwuFSnsIoqOZa06HvK47T74Luw 3KfaIlPb2bLEzMh4d9fDFWl6m3aZy9ObcbLIrRL27gVEcA/jX8hQq4RZsEOOtmTn 9WitqypyiaoAR8BCPklCcjNjo5bTacAUqVmkN3KIAILtUoLALTek/+BBIG5jdExD fbCjY0oHVZBaVI+nrOJ0IxSeey/yswJ/fTA==
X-Virus-Scanned: USTUTT mailrelay AV services at mxex1.tik.uni-stuttgart.de
Received: from mxex1.tik.uni-stuttgart.de ([127.0.0.1]) by localhost (mxex1.tik.uni-stuttgart.de [127.0.0.1]) (amavisd-new, port 10031) with ESMTP id zBPyjyn4xDiV for <oauth@ietf.org>; Fri, 18 May 2018 15:46:03 +0200 (CEST)
Received: from [IPv6:2001:7c0:2015:182::1:32] (unknown [IPv6:2001:7c0:2015:182::1:32]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) by mxex1.tik.uni-stuttgart.de (Postfix) with ESMTPSA for <oauth@ietf.org>; Fri, 18 May 2018 15:46:02 +0200 (CEST)
To: oauth@ietf.org
From: Daniel Fett <daniel.fett@sec.uni-stuttgart.de>
Openpgp: preference=signencrypt
Autocrypt: addr=daniel.fett@sec.uni-stuttgart.de; prefer-encrypt=mutual; keydata= xsFNBFbu2RUBEAC3F5+IMjFcXSj46xS8QQe6d/FAb+7IkkOdFKrINhgCialH4enWB2V3ykOX xESdrchRBCLoePyNmoJdFTijGxBMGNqSKU9rrppF5uvPFv/qIvCaBDAjFXR+qshsHjsMxTNH 67kuhkFQczKQHs4KVICG/gnssC3iejrk6Mav0MIJKXXdz6bUQPDyUTD+LsyHJ7vNfkfitnO4 rbD+kEZ0n14dQqp+c91b7X5KZVTt1c3d/N1kbruS29SlIDUJSHV0AdDZmP6wuH5a9XUIlDkP mM2bncIry3xiXWolYf3BJigxYg1XwVMYBdsrVg4kID5WY1RCHns07cDGluERcurjj3QHjToL T7VemcnFVzSphjjisi9a1QfRYCPf5xw5L8IjsAuNTBLv2DXKtL6Mf5Tv9BAZPD2em0rNS5n/ M7S6D2AAxIt9BQQ4aS16faI0gfUspj09RLdHANwOcLUPu+OE+O2IdgglBQLkadwLj9aY0ncE 8GhqFWcQ9xbtvHAljYaz5VmsOnjsadfGD8xW+QtWeFc8mfq7PncRjrc0Ywtb8TKeXkLHUQoT 4v2ilXisfOhryVj6/GuQvDjKKyUBW1tQPxei4n/W0zBC4LWehmwCH+WrFt+mTh3uHSyy9VbR FYmY6MBBMUpHHVQ3AVLgxoldu/yX/ery+fdE8MeScAWg+WE5rQARAQABzSBEYW5pZWwgRmV0 dCA8ZmV0dEBkYW5pZWxmZXR0LmRlPsLBgAQTAQgAKgIbAwUJC0c1AAULCQgHAwUVCgkICwUW AgMBAAIeAQIXgAUCVu7cmAIZAQAKCRBYD1kOlZ2qqXCPD/wLpgL6j51OUlGzLaA+Xt+QzX/v qUiHJsvv1mEnyofk/3pGr7ce/1UNp7e8/W2JnnHvz4RBaNkn07DFyOvrVNXiMyU6mKWvG6xw Ri5Qc2t1Cup+mXlNc5fxlZGnwOYXZJErYVTPodkFlbb6LKUMyg6v2P7ZEvw4YyPh7WpV5ujF VVkYBSLviNCjVwKr8WlJJlVI4uvHZshnX85lVpRNcF+Hqf7IhnJzCQ5bUNnV7aKc4WPNw7L6 EquuCAl6JGKdeV2M+S5UVN9Eaa/CQxJf8X9I3SVgWCGQ/gLt0x1oKt6oFMECJcH2LDFOJyWv 61AUIzqCdRiTUagdc+7sn2OFbbjhKin9x+Qq6pyoXa6ZcpEuyBoAy+hNU8RAXcPgvEBy4Bwx BYQ9S3uQmBx/TcYgSUbBwBhvIYRVM5DfBefolj3HyUlvHx8JO8scbdcVl+v1+f9d5x4YS16t bWNe7awE6UWM2I02+uv7SI2ieJ2zQsOulDTEYVYjWcu0hBH24K53wniyh3JHzu6RVCgewx4P 6H2WHOSVf2p9ppuIrbWh7J6pp9nFdDXESKxH3GO5LooLamGugSlRwdgsqxY0O4BbCpKIpfe8 31peA+7qbh1f4TXHo/ZQE8fZ2s4VN5XR5J5/yjfqY2pWDy1XocixzXboLAcuzGmZNutS46eH Azjo2CxTa87BTQRW7tkVARAA1cAIBWNxYj/QE7RcOHGgr8xXcKWk/wwTWgLvjEbp5tqMl3Jk EwD1Iajz1s+Qp7U+U4UqyI+ZSfm03bYFYlTyKaS2esiM+Incutg18N943xwGNc6csyNoW5/f xbDQ4hoMKsod9zjfvxpA8xLg8gjuPKi5Y698K7qDCCfGvo6e67qwFWIvrB7cv/NAoaVd1OPI 79nt2H5yWo0PE2Kd2yAMnWJ/3clLR6X4jqkmpoc2uEPE6aM7iQ6SCx7rMFP9W9OvovnzVksS dh65JRkiA3DTUWBxZM6h/oEERBTr9Q/JYXXugO300loterwBVu0ymBHdAjIlxpetFwZu/Wlb nymC4VSxGPS/+mJ9Lnh3WWjVEcP5F9WgqmfJ49BNqOjmgZ9u9VYV8R9fOaYvtPFTdGTYT9iw JYic/0xt9NcW/hRkff0UHdiN/BrTxbHVI7Qf4MLBK/+VtqVi0MLs7U80/2fPRebTq4yQ6aoY 7hErExrJ7TgTmZghsBJTd2cmau26Kb7stLJ4ySADcyrsADl03MNoj8QqVuO8HXx2InM18sHP xldjovv8dhmj7uiKmMPAqq5f8pA5bcA/EQ6S+ItjjohSLiYQtq6UgDPlt4tIA9nCfx+cGi6f o4sJE0InaQLinm0USp0zE+slpqXGwjzeFSTioL81cDGhN3dcCK94VsntblsAEQEAAcLBZQQY AQgADwUCVu7ZFQIbDAUJC0c1AAAKCRBYD1kOlZ2qqdnTD/9fOyWwdhOv4ehtR8ShfhM1FAc8 bWMfCrxTpI4baPM4fqIFgMAJ9iQ0FF6cB0zQjDwsWNC+3t+2JdiNeM8FB7s4bbJlhjaavzKK 77Kbf4WpVs7ge0+Zghc2qHRg/SQeC1G26GzSZDDWzDHFZX0va8H0KmT/tHJYD263CIcff/E9 WXT/22rrgYvuQXPIOBzON9WqUkCAvPA19xuBsDQSbXkXwiPsZRqmyktjc8GQn1iemQ/dzlU/ e6ORNrPcK15kUyPyJMaZf+6QJ8EivUyg+pTXicEcghWNYHXxop4k0y+bsay0cBN2lmNu7UEF qhO8HQmp2jrwZXFZD/fbZukXFHNWvNsvQ55flUfajPZhUokXHskkerbq6ZCS58HkWl0tqSIb 5TxNfP0zjcrlDBc8sF6UHXgNR1oUXypGOAq4iHeJNVpI4aQm/PufmeGExx6lPtJxJ9jOs5gD rYRuBfa1cJznEPNbIe0/eCv5qDpf95csdGJhM418x2xeg58PbmBByS9MXOGFtli0K9sxIej/ YdA94hlk/R9ViIPDuqDxz0PP+IRFVVOQhOprSnG8cV31oOe00e1bIBH3ttdsgp3AHqz/zlfF kZt27s1VH+aRF4STntrU97dNmxrgjq8zUZ7VgYjq8KqLg0BsDRIy4b/AnptYh6E4oE74gKCo Qoim4V9DGw==
Message-ID: <e0077693-0c77-fe8e-e603-33dbc38a2b63@sec.uni-stuttgart.de>
Date: Fri, 18 May 2018 15:46:05 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Thunderbird/57.0
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="------------D30F3DCDAC229642B48BE32B"
Content-Language: de-DE
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/_aA6lsljqW7I3CSjCBSgVK7jK2k>
Subject: [OAUTH-WG] Reuse of "state" across different AS in draft-bradley-oauth-jwt-encoded-state-08
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 May 2018 13:46:11 -0000

Hi all,

Looking at draft-bradley-oauth-jwt-encoded-state-08, I see in Section 2
(https://tools.ietf.org/html/draft-bradley-oauth-jwt-encoded-state-08#section-2)
that all contents of the JWT that would bind the specific state value to
the AS are optional. This means that the following attack is possible
(we described this attack in our OAuth paper [0], Section 5.1, albeit
very briefly):

Precondition: A client that supports multiple AS (with one being an
attacker-controlled AS, let's call it A-AS).

1. An honest user tries to authorize using A-AS, the attacker receives
the value of "state" which is bound to the honest user's session with
the client.

2. A-AS aborts the authorization (e.g., by redirecting the user back to
the client's web site without any parameters).

3. The user starts a new authorization flow with an honest AS (H-AS).

Since the state JWT is not bound to the AS selected by the user, the
state value generated in (1.) will likely be valid for the login flow
started in (3.). The attacker therefore knows a valid state value and
can mount a CSRF attack (which was supposed to be prevented by using state).

Solution: Always bind state to the chosen AS, i.e., make the "as" part
of the JWT mandatory

-or- use some other mechanism on the client (if the client is stateful)
to invalidate the old state value.


If we agree that this is problematic, I think this should be changed in
draft-bradley-oauth-jwt-encoded-state and should at least briefly be
discussed in the security topics document (I will be happy to write a
section for the latter).

- Daniel

[0]
https://sec.uni-stuttgart.de/_media/publications/FettKuestersSchmitz-TR-OAuth-2016.pdf

-- 
SEC - Institute of Information Security
University of Stuttgart
Phone +49 711 685 88468
Universitätsstraße 38 - 70569 Stuttgart - Room 2.434

v2.23.0 | Report a Bug | By Email