IETF Logo Mail Archive

Re: [OAUTH-WG] BCP: Client collaborative attacks

Daniel Fett <fett@danielfett.de> Tue, 27 October 2020 13:17 UTC

Return-Path: <fett@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D27273A09C9 for <oauth@ietfa.amsl.com>; Tue, 27 Oct 2020 06:17:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_NONE=0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D5xEgbZLw1a7 for <oauth@ietfa.amsl.com>; Tue, 27 Oct 2020 06:17:31 -0700 (PDT)
Received: from d3f.me (redstone.d3f.me [5.9.29.41]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AFBD73A0994 for <oauth@ietf.org>; Tue, 27 Oct 2020 06:17:30 -0700 (PDT)
Received: from authenticated-user (PRIMARY_HOSTNAME [PUBLIC_IP]) by d3f.me (Postfix) with ESMTPA id 7406514624 for <oauth@ietf.org>; Tue, 27 Oct 2020 13:17:27 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1603804647; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=dCZbQgfeAsa0BKN8G4PfqLW7KeMRrz8hTOYHcAHElew=; b=XocyzmCWsSXQcbkqvdFkFrzBkJORDez7jw3oq4BpnzEjkNF6HaAykE29lXZBHvgdCbVn+n zo+EF91pfgf1RmwXq3mLPrYX3RE81oViKfbhtoNPUcULbIFX6m88OnDnS7jRdF6al7zDHm TLq+aQ3lrGQjwjs7IvikTPI4Y2lpqUc=
To: oauth@ietf.org
References: <ME2PR01MB3011145F49559C4996B7E1E0E5160@ME2PR01MB3011.ausprd01.prod.outlook.com> <BD7EE048-1BBC-48D8-831A-6BA02CE01F40@forgerock.com>
From: Daniel Fett <fett@danielfett.de>
Message-ID: <0e7842c8-5939-a0ce-0e24-2f7c776a3d44@danielfett.de>
Date: Tue, 27 Oct 2020 14:17:26 +0100
MIME-Version: 1.0
In-Reply-To: <BD7EE048-1BBC-48D8-831A-6BA02CE01F40@forgerock.com>
Content-Type: multipart/alternative; boundary="------------DF742223277A178F05F6832C"
Content-Language: de-DE
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=dkim; t=1603804647; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=dCZbQgfeAsa0BKN8G4PfqLW7KeMRrz8hTOYHcAHElew=; b=gpjXmP5SEaLXI5fjkjpTULam5/WoWWrpW3oqcOirmzCD2fShCKZGmxwbjRPoCslep7jkLR Z0wEpD/vMR57bivs05mPrAQxDDBNHVRn9BOuQGjr0jcEjbmxK0gEYGNAB4obtV43P1a4Gs ORpRhVG/WcLE71MwtAw0hsPYtnFCIWs=
ARC-Seal: i=1; s=dkim; d=danielfett.de; t=1603804647; a=rsa-sha256; cv=none; b=iaOWsPqbvB+k+GvOvdBsP8Oc2Xe8cBWkRbtd2gcpq3mJscgCG8Wsg+Z3501eXfM80J/Nwu k3JJt0v/h+lvS5zkIJwgFGNgDVNDBSdqKsOMEZ+4bBDIoXsbBq5llh/lxg7frBy64dxibD ZgUPSDIIUsjYiKb2Lpf3VAMkukGoqVI=
ARC-Authentication-Results: i=1; d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
Authentication-Results: d3f.me; auth=pass smtp.auth=fett@danielfett.de smtp.mailfrom=fett@danielfett.de
X-Spamd-Bar: /
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bTBGfQVJEKA3Nmj81dPCp56bFEk>
Subject: Re: [OAUTH-WG] BCP: Client collaborative attacks
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 27 Oct 2020 13:17:33 -0000

Thanks Neil, this very much sums up my thoughts on this topic.

Since this has been mentioned in yesterday's call, I'll be happy to
clarify in the attacker model that web attackers can collaborate to
reach a common goal. I think we can also mention that
sender-constraining does not prevent collaborating entities to share
their tokens with each other.

-Daniel

Am 27.10.20 um 07:26 schrieb Neil Madden:
> It sounds like we’re trying to redefine cooperation/delegation as an
> “attack”. People delegate and you can’t generally prevent it without
> incarceration. Anything Bob could do with Alice’s access token he
> could also do by asking Alice to do it on his behalf. In other words,
> any credential/token sharing can be replaced by proxying: If Alice
> wants to help underage Bob buy liquor she doesn’t have to share her
> access token, she can just buy it herself and give it to him. 
>
> If the RS cares about accountability then the token (or some other
> means) should identify the user - perhaps pseudonymously like OIDC
> pairwise identifiers - and this should be logged for audit. But this
> can only discourage, not prevent, delegation. OAuth is after all a
> delegation protocol. 
>
> (In the post-shame world we now live in, the idea that you can enforce
> norms through identification seems almost quaint, but I’m not sure I’m
> ready to be that cynical).
>
> If the RS allows anonymous requests then there is obviously no
> accountability. Does that need to be explicitly mentioned?
>
> — Neil
>
>> On 27 Oct 2020, at 01:04, Manger, James
>> <James.H.Manger@team.telstra.com> wrote:
>>
>> 
>>
>> It is worth mentioning “client collaborative attacks” or
>> “authorization sharing attacks” because OAuth can make them easier
>> (by packaging authority into an access token), compared to the
>> alternative of user’s signing-in to an RS directly. But it is tricky
>> to describe; none of the suggestions are quite right; and the “right”
>> solution heavily depends on the context.
>>
>>  
>>
>> >> If access tokens are used to identify individuals, and such
>> identifying information (ideally user IDs) is stored with access logs
>> for auditing purposes, then this reduces this attack to an
>> authentication sharing attack.
>>
>>  
>>
>> While this text from Seán may be true, it is bad advice. It implies
>> we should make access tokens as dangerous as possible (conveying all
>> a person’s authority) just to discourage sharing.
>>
>>  
>>
>> > Since OAuth 2.0 does not mandate the use of cryptographic devices,
>> this kind of attack cannot be countered in the general case.
>>
>>  
>>
>> Even crypto devices aren’t a full solution. Alice can share her
>> authorization with Bob & Chris by signing-in with their crypto devices.
>>
>>  
>>
>> > an access token … only stating that the holder … is over 21 … should
>> not be accepted by the RS
>>
>>  
>>
>> While this may generally be true for an “over 21” claim, it will not
>> always be true for other claims. In some situations the privacy risk
>> of being personally identified is far more important than any risk of
>> client collaboration. Staff accessing a company’s whistle-blower
>> service could be an example: need a {staff:true} claim to combat
>> spam/gossip; but definitely don’t want to include a staff id.
>>
>>  
>>
>>  
>>
>> A handful of partial strategies appropriate in various circumstances
>> (but all with downsides) could include:
>>
>> 1. The AS ensures there is only 1 valid access token (or just a few)
>> at any point in time for a specific claim of a given user.
>>
>> 2. Access token bound to a crypto key locked to one device.
>>
>> 3. Each access token is unique (eg includes a "jti" claim) so an RS
>> can notice if the same token is presented in different contexts.
>>
>> 4. Access token with "sub" (or provides "sub" via token
>> introspection) to aid accountability (even if only in a later
>> audit/investigation).
>>
>> 5. Frequent token replacement.
>>
>> 6. Nothing (beyond minimal necessary claims) – to maximize privacy.
>>
>>  
>>
>> What is applicable widely enough to mention in a BCP?
>>
>>  
>>
>> --
>>
>> James Manger
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
> ForgeRock values your Privacy <https://www.forgerock.com/your-privacy>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth


-- 
https://danielfett.de

v2.23.0 | Report a Bug | By Email