Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-token-binding-05.txt

Denis <denis.ietf@free.fr> Sat, 18 November 2017 12:01 UTC


Comments on draft-ietf-oauth-token-binding-05

Comments have been posted on draft-ietf-oauth-token-binding-02 (OAuth 
2.0 Token Binding)
and as far as I know have not received any feedback.
See: https://www.ietf.org/mail-archive/web/unbearable/current/msg01316.html

Hereafter is an update of the same comments applied to 
draft-ietf-oauth-token-binding-05.

1) The abstract states:

This use of Token Binding protects these tokens from man-in-the-middle 
and token export and replay attacks.

The use of Token Binding does not protect these tokens from token export 
in case of collusion between clients
since this mechanism is not resistant to the ABC attack (Alice and Bob 
collusion attack).

Replace with:

This use of Token Binding protects these tokens from man-in-the-middle 
and token export and replay attacks
but does not protect against token export in case of collusion performed 
by clients.

2) The introduction states:

    This cryptographically binds these tokens to a client's Token
    Binding key pair, possession of which is proven
    on the TLS connections over which the tokens are intended to be
    used. This use of Token Binding protects
    these tokens from man-in-the-middle and token export and replay attacks.

The first sentence is correct while the second sentence is incorrect. 
The mechanism is not resistant to the ABC attack
(Alice and Bob collusion attack). See:
https://www.ietf.org/mail-archive/web/oauth/current/msg16767.html

Replace with:

This cryptographically binds these tokens to a client's Token Binding 
key pair, possession of which is proven
on the TLS connections over which the tokens are intended to be used. 
This use of Token Binding protects these tokens
from man-in-the-middle attacks, token export and replay attacks but does 
not protect these tokens in case of collusion
performed by clients.

3) In section 4.2, the text states:

"This binding ensures that the authorization code cannot successfully be 
played or replayed to the web server client
from a different browser than the one that made the authorization request".

This is incorrect: the use of Token Binding does not protect these 
tokens in case of a collusion between web server clients,
e.g. the ABC attack (Alice and Bob collusion attack).

Add afterwards:

"However, in case of collusion between web server clients, the 
authorization code can successfully be played
to the web server client from a different browser than the one that made 
the authorization request".

4) Section 7 (Security Considerations) includes the following two 
subsections:

7.1. Phasing in Token Binding

7.2. Binding of Refresh Tokens


It is important to mention that the mechanism is not resistant in case 
of a collusion between clients.
Add a subsection with the following text:

7.3. Collusion attacks performed by clients

This mechanism does not protect these bound tokens in case of a 
deliberate collusion between clients.
A client may intentionally export a bound token with the corresponding 
Token Binding private key or perform signatures
using this key on behalf of another client and then transmit both the 
bound token and the results to the other client.

Denis


> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Web Authorization Protocol WG of the IETF.
>
>          Title           : OAuth 2.0 Token Binding
>          Authors         : Michael B. Jones
>                            Brian Campbell
>                            John Bradley
>                            William Denniss
>          Filename        : draft-ietf-oauth-token-binding-05.txt
>          Pages           : 30
>          Date            : 2017-10-26
>
> Abstract:
>     This specification enables OAuth 2.0 implementations to apply Token
>     Binding to Access Tokens, Authorization Codes, Refresh Tokens, JWT
>     Authorization Grants, and JWT Client Authentication.  This
>     cryptographically binds these tokens to a client's Token Binding key
>     pair, possession of which is proven on the TLS connections over which
>     the tokens are intended to be used.  This use of Token Binding
>     protects these tokens from man-in-the-middle and token export and
>     replay attacks.
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-oauth-token-binding/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-oauth-token-binding-05
> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-token-binding-05
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-oauth-token-binding-05
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
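To make concrete what the binding check discussed in this message does and does not establish, here is an added Go model of the resource-server check (example code, not the draft's or any implementation's own); it assumes a simplified Token Binding ID encoding (the bare uncompressed P-256 point, where RFC 8471 also carries key-parameter bytes) and a constructed EKM value. The check passes whenever a valid signature over the connection's EKM is made with the key that the token's tbh names, which is why it rejects a stolen token and a replayed proof but cannot tell the legitimate client apart from a client that was deliberately handed the key, as the message above points out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// BoundToken: a token plus the draft's "cnf"/"tbh" confirmation hash.
type BoundToken struct{ Value, TBH string }

// Proof: the client's Token Binding public key and its signature over the TLS EKM.
type Proof struct{ Pub *ecdsa.PublicKey; Sig []byte }

// TBH computes base64url(SHA-256(Token Binding ID)). Assumption: the ID is
// modelled as the uncompressed P-256 point; RFC 8471 also adds key parameters.
func TBH(pub *ecdsa.PublicKey) string {
	id := make([]byte, 65)
	id[0] = 0x04
	pub.X.FillBytes(id[1:33])
	pub.Y.FillBytes(id[33:])
	sum := sha256.Sum256(id)
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// Prove signs the EKM of the connection the token is about to be used on.
func Prove(priv *ecdsa.PrivateKey, ekm []byte) (Proof, error) {
	h := sha256.Sum256(ekm)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Proof{Pub: &priv.PublicKey, Sig: sig}, err
}

// VerifyBoundToken is the resource-server check: a valid signature over
// this connection's EKM by the key the token's tbh names. It establishes
// possession of that key, not which client is holding it.
func VerifyBoundToken(tok BoundToken, p Proof, ekm []byte) bool {
	h := sha256.Sum256(ekm)
	return ecdsa.VerifyASN1(p.Pub, h[:], p.Sig) && TBH(p.Pub) == tok.TBH
}

func main() {
	alice, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ekm := []byte("constructed EKM of a TLS connection")
	p, _ := Prove(alice, ekm)
	fmt.Println(VerifyBoundToken(BoundToken{"t", TBH(&alice.PublicKey)}, p, ekm)) // true
}
```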