Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30
Watson Ladd <watsonbladd@gmail.com> Mon, 01 March 2021 06:21 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9C763A1624; Sun, 28 Feb 2021 22:21:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.198
X-Spam-Level:
X-Spam-Status: No, score=-0.198 tagged_above=-999 required=5 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZSzKFHAOmoKo; Sun, 28 Feb 2021 22:21:48 -0800 (PST)
Received: from mail-ed1-x533.google.com (mail-ed1-x533.google.com [IPv6:2a00:1450:4864:20::533]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D5DE3A161F; Sun, 28 Feb 2021 22:21:48 -0800 (PST)
Received: by mail-ed1-x533.google.com with SMTP id p1so14618250edy.2; Sun, 28 Feb 2021 22:21:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=gcL3+LUYTQuq67Xmhai6446kW8AtUV4CuqPfzNkoJIE=; b=e4yZeRxv8n0IWK53DLYSpBsYHxTzbddpTIHGoRdmByupLnZn6e6Cll07WQ40DhMiht LxeoIQk6JawY2hxUaRvSD5pNc7IZfKeLvx9BmZ8I20crF82HD9L2hpI4wY01C0obS5CS uSyBpqMAxhhYlcU5LKNw+7PsD8nHd6INKVsFDSW+hkc7gye2Fer5+vH91SxBxp68T3MD rjhFwRLDELAvyjovTBiKa0ed38bFxhNUEz0PR2nKHMesx/lHxV7aPVZ8OmPvouQSzGdH bbJgs9kOIz2sMJZnktdZcd+krFj3jAARng2ywoM/eNoxH/jLdpcZ+2MeXTLgk2F8dFau +gvw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=gcL3+LUYTQuq67Xmhai6446kW8AtUV4CuqPfzNkoJIE=; b=MzuLbq2aQ9jU8X0hQI3zcKXzSPYcSzwolvHP8Ae2mMYufeh+EW0wSHvY9ScKY5iDhg RcU+siqpQDQBn51tta6FlZaNqY35XFS0rQmK1FxYoipTjXriNihGwpeFggyUcSUFz88I /g8ywArD5/dksIW8MGmjlah2wNWpngCxVMcAXDETIpJNZy+/vVu9tAB7+hSoet6iBYZa ZlAa+AZ/vsJMZr/3w7/x5HSLrr3DLtpLbff+XBusMclaN+m7ANTv/kPsgSc0LICx4Xfw 2la+IeOxuqKXyMuN4rvdCbrEdgRpCBUs/FQVZPHp1udg5pwvvdDc2DK5wFsHmd3QpVnF KyAQ==
X-Gm-Message-State: AOAM530039Vj+AtBjY15ueo0i6hJxYyXE688Wx48COUvBtStQ+kHntzZ 2l5MsK3U1zDTHpcMt/6R1fKtCe72DtMtTCbU2/9g3k5iqGw=
X-Google-Smtp-Source: ABdhPJxeYoFF/ezYPcoRyJeb5fYIGs0hfEQLwTOh4No/c32ZylunZ3nWPlhqnKt7wTj2A8t3/qUFpWoRlShE3u74FYE=
X-Received: by 2002:a05:6402:84b:: with SMTP id b11mr5905815edz.56.1614579705450; Sun, 28 Feb 2021 22:21:45 -0800 (PST)
MIME-Version: 1.0
References: <SN6PR00MB042990C1C9C0DAE300E79A48F59D9@SN6PR00MB0429.namprd00.prod.outlook.com>
In-Reply-To: <SN6PR00MB042990C1C9C0DAE300E79A48F59D9@SN6PR00MB0429.namprd00.prod.outlook.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Sun, 28 Feb 2021 22:21:33 -0800
Message-ID: <CACsn0c=+=f2DHuz2WDw1e=JyuCSG0eKJKqEMnnhCh-gsUosjqQ@mail.gmail.com>
To: Mike Jones <Michael.Jones@microsoft.com>
Cc: nat <nat@nat.consulting>, "rdd@cert.org" <rdd@cert.org>, "secdir@ietf.org" <secdir@ietf.org>, "oauth@ietf.org" <oauth@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-oauth-jwsreq.all@ietf.org" <draft-ietf-oauth-jwsreq.all@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bdxFhC5UqGBzOzK4Q1nouwN8nXA>
Subject: Re: [OAUTH-WG] Secdir last call review of draft-ietf-oauth-jwsreq-30
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2021 06:21:51 -0000
On Fri, Feb 26, 2021 at 12:54 PM Mike Jones <Michael.Jones@microsoft.com> wrote: > > Thanks again for your review, Watson. My replies to your comments below are prefixed by "Mike>". Thank you for the work on the draft. I've removed places where we agree in the interest of readability, so the result may be more contentious than it ought to be. > > > > > > And now for the thorny issues with this draft. Signatures and > > > > encryption are different. And encrypting a signed blob doesn't mean the signer encrypted it. > > > > Then there are a plethora of methods specified in the draft to > > > > authenticate the blob, which will give different results in > > > > maliciously constructed examples. The security considerations > > > > section should discuss what the encrypted vs signed choices give in > > > > the way of security, and it doesn't. This makes me worry. > > > > > > We don’t expect the encryption to ensure authenticity, that’s what the > > > signatures are used for. > > > > This needs to be very clearly spelled out in the text. Lots of people will not understand this. The wording of section 10.2 is at best ambivalent, with multiple alternatives presented as acceptable. > > > > Mike> After the sentence at 10.2 (b) about symmetric encryption, I propose that we add the following sentence to emphasize the point you're raising: "Note however, that if public key encryption is used, no source authentication is enabled by the encryption, as any party can encrypt content to the public key." 10.2(b) relies on assumptions about key handling that I don't think are necessarily true. 10.2(a) is more foolproof. Can everyone just use that? > > > > <chop> > > > > > > I didn't quite get what is meant by "plethora of methods specified in > > > the draft to authenticate the blob ... " > > > There is a bit of text about authenticating the source (=client) but > > > not much on the blob itself. > > > The discussion around the signature and/or encryption is covered in > > > RFC7519 (JWT), the format that the request object assumes. > > > This is required reading when implementing this spec, so WG thought it > > > is not worth repeating here. > > > Attacks etc. on the signature and encryption are covered in RFC7515 > > > and RFC7516 respectively. > > > > Well, the draft happens to include the following text: > > "The Authorization Server MUST validate the signature of the JSON Web > > Signature [RFC7515] signed Request Object. The signature MUST be > > validated using the key for that "client_id" and the algorithm > > specified in the "alg" Header Parameter." > > > > Shouldn't the key be associated with a single algorithm? How do we ensure that the common attack of telling the server to use hmac to verify the signature doesn't work here? > > > > Mike> Good point. This attack is described in Section 2.1 of RFC 8725 and mitigated by the practices in Sections 3.1 and 3.2 of the same. I propose that we replace the sentence: > > "The signature MUST be validated using the key for that "client_id" and the algorithm specified in the "alg" Header Parameter." > > with: > > "The signature MUST be validated using a key associated with the client and the algorithm specified in the "alg" Header Parameter. If a "kid" Header Parameter is present, the key identified MUST be the key used, and MUST be a key associated with the client. Algorithm verification MUST be performed, as specified in Sections 3.1 and 3.2 of RFC 8725." So I think 3.2 of RFC 8725 imposes requirements on the storage of keys and association with algorithms that have implications for the whole system. Leaving that to a reference is going to be surprising. > > > > > Key management is ignored. This is a very important issue, > > > > especially > > > > > > A lot of ground is covered by RFC 7515, 7516, 7517, 7518, 7519, 7591, > > > and 8414 so this document is not specifically restating them. The problem with pointing to very generic drafts that don't use ths > > > > > > > > > > > considering the potential problems with the reuse of JWT. I'd like > > > > to see a > > > > > > Are you talking about the reuse of the request object by an adversary > > > trying to act as an honest client? > > > Even if it happens, the malicious client does not have the proper > > > client credential so it cannot redeem the code it obtained with the > > > token. It is no different than RFC6749 code grant. Protocols that > > > extend it, such as OpenID Connect, have introduced nonce to prevent > > > the reuse and used JAR (it is called request object there) to further > > > protect tampering and achieve client authentication even in the front > > > channel. > > > > > > > recommendation that keys be separated by intended uses, rather than > > > > limiting particular fields in an ad-hoc manner. > > > > > > Could you kindly elaborate on the "ad-hoc manner" part so that I can > > > understand it more fully? > > > > 10.8, Cross-JWT Confusion discusses avoiding signing certain fields, rather than suggesting good key usage as a solution. > > > > Mike> I propose to add this new paragraph at the end of Section 10.8 to implement your suggestion: > > "Finally, another way to prevent cross-JWT confusion is to use a key management regime in which keys used to sign Request Objects are identifiably distinct from those used for other purposes. Then, if an adversary attempts to repurpose the Request Object in another context, a key mismatch will occur, thwarting the attack." This should be the only way to do it. It's far safer than assuming symmetric key hygiene (in particular, are you sure your own encryptions can't come back). > > > > > > My biggest concern is that these issues are signs that the problem > > > > this draft is trying to solve and the mechanisms to solve it haven't > > > > been analyzed as thoroughly as they should have been. Without that > > > > sort of thorough analysis it's not certain that the mechanisms > > > > actually solve the problem and it's not clear what the > > > > recommendations to implementers have to be to preserve those properties. > > > > > > OAuth JAR, as the name "The OAuth 2.0 Authorization Framework: JWT > > > Secured Authorization Request (JAR)" suggests, is a framework and not > > > a house itself. One such example is FAPI [1] which was formally > > > verified [2]. > > > > "It's possible to use this draft security" I don't think should be enough anymore. Rather it should be impossible to use insecurely. > > > > Mike> The draft describes how to use the mechanism securely. Yes, if portions of the draft (and those it depends upon) are not followed, insecure usage can result. That's true of any security draft. If there are additional specific requirements and/or recommendations needed, we'd be glad to add them. If so, please identify them. (Indeed, we're already doing so in response to your existing specific feedback.) Are all possible choices implementors have when complying with this draft going to end up with secure results? That should mean that there aren't additional requirements or recommendations needed. What sorts of analysis informed this draft? The goal should be that any conforming implementation not be subject to any attack, no matter the combination of options selected. Pointing to a particular secure subset of the draft doesn't help justify the elements not in that subset. > > > > Mike> As for past JWT problems, the JWT BCP [RFC 8725] was written at the request of the IESG to identify and mitigate them - especially in light of JWTs being used for additional use cases, such as STIR secured telephony and securing first-responder services. If you believe that additional generic JWT issues should be discussed and addressed, we could always revise this BCP. But doing so is beyond the scope of this RFC. > > > > > [1] > > > https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md > > > [2] https://arxiv.org/abs/1901.11520 > > > > > > > > > > > Obviously this draft has had a long and tortured history with > > > > multiple reviews, and what I'm suggesting needs to happen is a lot > > > > of work. But it's essential in any security protocol to do this > > > > analysis and be clear about what is, and what is not, protected by the protocol. > > > > > > OAuth JAR is nothing but just another binding to OAuth 2.0. Where > > > RFC6749 binds it to form encoding, it provides two additional bindings: > > > 1) binding to JWT, and > > > 2) binding to the pushed authorization request that is referenced by a URI. > > > It is this simple. As such, it would also inherit some of the > > > shortcomings in RFC6749. However, it is not this document to address > > > them. It should be done by other documents so that the result can be > > > encoded using the mechanisms provided in this document. > > > > This is not a simple matter. JWT has a long and twisted history with some pervasive errors in common libraries, and is a fairly large standard. OAuth 2.0 is also large. Ensuring that the mapping has the right properties is going to be a mess. If the encoding does not respect the semantics we have a serious security issue. If implementors assume the encoding provides properties it does not, we again have a security issue. > > > > Mike> See my previous comments on past JWT implementation errors and the writing of the JWT BCP [RFC 8725] to address these. JWT provides certain properties. OAUTH 2.0 assumes certain properties. Are the properties required by OAUTH 2.0 those provided by this draft's use of JWT? That's independent of generic problems of JWT but very specific. By way of analogy if you use HMAC as a signature scheme you're going to have a bad time, even though HMAC is secure, because its properties are not those of a signature scheme. That's true no matter how much you insist your HMAC implementation is correct. > > > > > It is quite surprising that this fact is not getting appreciated and > > > is taking such a long time to complete. > > > Maybe I should delete all the explanation text and leave it with just > > > the core text. Explanation and justification text for defining > > > additional bindings probably are just distractions now as it is now > > > appreciated and used all over the world unlike when the project was > > > started. > > > > Mike> I would propose that we make only necessary changes to the draft at this point. Let's finish this long-overdue specification! > > > > > > > > > > > > > Sincerely, > > > > Watson Ladd > > > > > > > > > > Thanks again for your detailed comments. > > > > > > Best wishes, > > > > > > -- > > > Nat Sakimura > > > NAT.Consulting LLC > > > > Mike> I now plan to create edits incorporating the proposed resolutions above for review. > > > > Best wishes, > > -- Mike > > > > -- > > Astra mortemque praestare gradatim -- Astra mortemque praestare gradatim
- [OAUTH-WG] Secdir last call review of draft-ietf-… Watson Ladd via Datatracker
- Re: [OAUTH-WG] Secdir last call review of draft-i… Takahiko Kawasaki
- Re: [OAUTH-WG] Secdir last call review of draft-i… Watson Ladd
- Re: [OAUTH-WG] Secdir last call review of draft-i… Mike Jones
- Re: [OAUTH-WG] Secdir last call review of draft-i… Watson Ladd
- Re: [OAUTH-WG] Secdir last call review of draft-i… Mike Jones
- Re: [OAUTH-WG] Secdir last call review of draft-i… Watson Ladd
- Re: [OAUTH-WG] Secdir last call review of draft-i… Mike Jones
- Re: [OAUTH-WG] Secdir last call review of draft-i… Deepak Tiwari