Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures
Sergey Beryozkin <sberyozkin@gmail.com> Wed, 14 May 2014 09:31 UTC
Return-Path: <sberyozkin@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D83AB1A0284 for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 02:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qQpAA78Y2x7E for <oauth@ietfa.amsl.com>; Wed, 14 May 2014 02:31:50 -0700 (PDT)
Received: from mail-wi0-x22e.google.com (mail-wi0-x22e.google.com [IPv6:2a00:1450:400c:c05::22e]) by ietfa.amsl.com (Postfix) with ESMTP id D31901A0283 for <oauth@ietf.org>; Wed, 14 May 2014 02:31:49 -0700 (PDT)
Received: by mail-wi0-f174.google.com with SMTP id r20so7661943wiv.13 for <oauth@ietf.org>; Wed, 14 May 2014 02:31:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:content-type:content-transfer-encoding; bh=HWI/qQ66cBlkBIlwsuS9aui2mApgj3La4JYHqKjc1n4=; b=vOUehVQ4s1HxX4o4LWr4ifBLZGnQJHEVM+AVpViQTd5vaBU8ZWYYMyRqhQx53YdlBQ WzBxENguOLbOz1WH/+KUku1dn6t0qFUswh/hoBixkLi0p4U4Al/A1IDor/ukf/2ZygJW b5+N7ZQA72w6RSFM6H4OBEOoY3/lBwPSUNqhsZleJXLJFqSqiRbeHa9D35HBv2LVc5JV mtYStUronsHPAKRyS3Wc/DXHBG0cwiBWjkolWs0b7lQiOpz5lGE5qkG0NYlSq0YWAM4G AFXqHf53DFvwRLVbn4HeuaMO2bs2kU1c8i9g+NPGU/7FQrJAjutPUf48DC+WsVyhY0Kw inhA==
X-Received: by 10.180.105.72 with SMTP id gk8mr25147517wib.32.1400059902614; Wed, 14 May 2014 02:31:42 -0700 (PDT)
Received: from [192.168.2.7] ([89.100.139.33]) by mx.google.com with ESMTPSA id y20sm26716898wiv.14.2014.05.14.02.31.41 for <oauth@ietf.org> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 14 May 2014 02:31:41 -0700 (PDT)
Message-ID: <537337FC.40500@gmail.com>
Date: Wed, 14 May 2014 10:31:40 +0100
From: Sergey Beryozkin <sberyozkin@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: oauth@ietf.org
References: <CAOBb0SLV0iX3TREx0kOxvoiUUau3us6YW4jQwzFT8Vz1Aq6Miw@mail.gmail.com> <9378C75B-2146-4E8D-BDD6-B4F495C52B84@oracle.com> <53710CC9.2000600@gmx.net> <CAOBb0SJ2Du9UAfcVkj-yyOQjgScbnb0V6H1P874aYndzc58Jag@mail.gmail.com> <FD6BA47D-1E80-4DD3-B99F-F0B5E757644C@mit.edu>
In-Reply-To: <FD6BA47D-1E80-4DD3-B99F-F0B5E757644C@mit.edu>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/dUrZSGTWcGTJeuM79cgRt1F2YE4
Subject: Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 09:31:53 -0000
Hi On 13/05/14 16:27, Justin Richer wrote: > Blair, > > You’re right in that the MAC draft is effectively abandoned now as the > WG has moved on to other signed-token mechanisms. As part of that > effort, I’ve put together a JWS-based HTTP request signature mechanism > (referenced in Hannes’s presentation): > > http://tools.ietf.org/id/draft-richer-oauth-signed-http-request-01.html > +1 to building a JWS-based solution. IMHO though it is unfortunate that a MAC solution which can make better bearer tokens is not looked at right now and thus it is unavoidable that people will come up with several new approaches 'fragmenting' the MAC space. We actually implemented a HAWK scheme as part of the OAuth2 framework, it works, very simple, the session key is expected to be exchanged via a 2-way TLS as part of the grant to token exchange. I hope OAuth2 will have its own MAC solution ready too, leading to the better interoperability in the OAuth2 space Cheers, Sergey > This differs from the AWS spec (submitted as an HTTP Auth WG Draft, as I > understand it: > http://tools.ietf.org/id/draft-cavage-http-signatures-02.html) in that > it uses JWS as the signing mechanism (without a custom HTTP header > format). There’s still a fair amount of work that needs to be done in > order to get it in shape, but I think that these different methods can > definitely inform each other. > > — Justin > > > On May 13, 2014, at 2:34 AM, Blair Strang <blair.strang@covata.com > <mailto:blair.strang@covata.com>> wrote: > >> Hi Hannnes, >> >> Yes, so in terms of well-defined specs for HTTP request signing, there >> is basically AWS, OAuth 1.0a HMAC, and the OAuth 2.0 draft HMAC stuff >> which is looking a bit abandoned. >> >> The v2 and v4 signing processes for AWS are documented here. >> [1] http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html >> [2] http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html >> >> Looking at the slides you sent, my colleague Scott and I have been >> working on something running along the same lines. This has largely >> been for internal use, but we have had our eye on a design with >> general utility. >> >> So far we have been working to clearly define *only* how HTTP requests >> can be authenticated using a JWT/JWS, independent of the issues of key >> distribution and sessions (an OAuth2 extension is one option for >> sessions / key agreement, but there are obviously other ways). >> >> We actually have a spec and proof of concept in progress for JWS based >> request signing. We do need some time to clean up the spec for public >> consumption, but would you be interested in seeing that? >> >> Thanks, >> >> Blair. >> >> ---- Long form details below here ----- >> >> Our view is that request authentication (mac/signature) and the >> session (or key agreement) mechanisms needed to support it are largely >> orthogonal. >> >> We have been working to specify a mechanism for authenticating HTTP >> requests using JWT/JWS. (The tokens look just like JWTs, but it is >> better to specify on top of JWS). >> >> Our approach was that the client computes a "signature base string" or >> "string to sign" in a fashion very similar to AWS v2, while adding >> header signing similar to that in AWS v4. This fixes a gap in the >> OAuth 1.0a HMAC token spec. >> >> The client then embeds a digest of the "signature base string" in a >> JWS signed by the client, along with several other required fields >> (e.g. a field identifying the requestor, optional key id, expiry, list >> of signed http headers, ...) to authenticate the request. >> >> The nice thing about embedding the request digest in a JWT/JWS signed >> payload is that you get all the flexibility of JWS in terms of >> algorithms. >> >> Also, the implementation also comes out very nice, since you need just >> string processing of the request to get a canonical version plus a >> digest operation - and the "hard crypto stuff" can be handled by a JWS >> library. >> >> However, there are some constraints in terms of practicality using the >> JWS standard (not insurmountable, but there): >> >> 1. RSA - A client with a private key can easily RSA-sign HTTP >> requests, but the Authorization: header will be several hundred bytes >> long due to the size of the RSA signature. Speed is high, but so is >> bandwidth required. >> >> 2. ECDSA - ECDSA produces much smaller payloads (few hundred bytes) >> but requires much more processing effort (order of milliseconds). >> >> 3. HMAC - A shared HMAC key will be the most efficient in terms of >> speed & storage, but requires additional session establishment dance >> which is slightly less elegant than a client using a private key directly. >> >> Request authorisation using a private key directly works well for >> server-to-server or "big client" to server, but not so well for mobile >> with power and bandwidth constraints. In this case, the approach we >> are taking for a client to bootstrap from possession of a private key >> is to send an RSA signed request to establish a shared HMAC key, then >> use HMAC signed requests. >> >> Thanks & regards, >> >> Blair. >> >> -- >> Blair Strang | Senior Security Engineer >> Covata | Own Your Data >> covata.com <http://covata.com/> >> >> Level 4 156 Clarence Street | Sydney NSW 2000 >> © 2014 CDHL parent company for all Covata entities >> >> >> >> >> >> >> >> >> >> On Tue, May 13, 2014 at 4:02 AM, Hannes Tschofenig >> <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote: >> >> Hi Phil, >> Hi Blair, >> >> this is a good point. I also don't see a reason why the HTTP protocol >> version should be included in the keyed message digest (from a >> security >> point of view). >> >> It might, however, be worthwhile to point out that we are exploring >> different solution directions, as described in this slide deck >> http://www.tschofenig.priv.at/oauth/IETF-OAuth-PoP.pptx >> >> For this reason it might be interesting to know what AWS >> implements. Do >> you guys have a reference? >> >> Ciao >> Hannes >> >> >> On 05/09/2014 05:47 AM, Phil Hunt wrote: >> > Fyi >> > >> > Phil >> > >> > Begin forwarded message: >> > >> >> *From:* Blair Strang <blair.strang@covata.com >> <mailto:blair.strang@covata.com> >> >> <mailto:blair.strang@covata.com <mailto:blair.strang@covata.com>>> >> >> *Date:* May 8, 2014 at 18:47:58 PDT >> >> *Resent-To:* hannes.tschofenig@gmx.net >> <mailto:hannes.tschofenig@gmx.net> >> >> <mailto:hannes.tschofenig@gmx.net >> <mailto:hannes.tschofenig@gmx.net>>, jricher@mitre.org >> <mailto:jricher@mitre.org> >> >> <mailto:jricher@mitre.org <mailto:jricher@mitre.org>>, >> phil.hunt@yahoo.com <mailto:phil.hunt@yahoo.com> >> >> <mailto:phil.hunt@yahoo.com <mailto:phil.hunt@yahoo.com>>, >> wmills@yahoo-inc.com <mailto:wmills@yahoo-inc.com> >> >> <mailto:wmills@yahoo-inc.com <mailto:wmills@yahoo-inc.com>> >> >> *To:* draft-ietf-oauth-v2-http-mac@tools.ietf.org >> <mailto:draft-ietf-oauth-v2-http-mac@tools.ietf.org> >> >> <mailto:draft-ietf-oauth-v2-http-mac@tools.ietf.org >> <mailto:draft-ietf-oauth-v2-http-mac@tools.ietf.org>> >> >> *Subject:* *HTTP protocol version in MAC signatures* >> >> >> >> Hi, >> >> >> >> [Not sure if this is the right address to submit this feedback to] >> >> >> >> Looking >> >> over http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05 >> section 5.2. >> >> "MAC Input String", it seems that the HTTP request line is used >> >> verbatim during the construction of MAC tokens. >> >> >> >> Since this includes the transport (HTTP/1.1 versus say HTTP/1.0) it >> >> seems that HTTP proxies which run different protocol versions >> on each >> >> leg will break signatures. >> >> >> >> I would recommend removing the HTTP version from the MAC. The >> >> transport is inherently a "per hop" type of thing, while request >> >> signatures are conceptually "end to end". >> >> >> >> I am not aware of any specific security benefits derived from >> >> including the HTTP protocol version in the MAC input string. >> This may >> >> be why AWS version 2 and AWS version 4 signatures do not >> include it. >> >> >> >> Thanks and regards, >> >> >> >> Blair. >> >> >> > >> > >> > _______________________________________________ >> > OAuth mailing list >> > OAuth@ietf.org <mailto:OAuth@ietf.org> >> > https://www.ietf.org/mailman/listinfo/oauth >> > >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org <mailto:OAuth@ietf.org> >> https://www.ietf.org/mailman/listinfo/oauth > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] Fwd: HTTP protocol version in MAC sign… Phil Hunt
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Hannes Tschofenig
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Blair Strang
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Justin Richer
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Bill Mills
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Prateek Mishra
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Sergey Beryozkin