Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature

Filip Skokan <> Thu, 03 December 2020 12:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3C70E3A0AC5 for <>; Thu, 3 Dec 2020 04:20:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id AgSBMIjDaxsa for <>; Thu, 3 Dec 2020 04:20:03 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:4864:20::b34]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 587963A0983 for <>; Thu, 3 Dec 2020 04:20:03 -0800 (PST)
Received: by with SMTP id x2so1810458ybt.11 for <>; Thu, 03 Dec 2020 04:20:03 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=EzEPL0eQxINwJDDtlMoNKoyokk2VhLvH1zuBUAJZUGk=; b=DBcN7seKZ2ccZer5YOId9l5qetsZX9vYlMkB/e0oaFBIyoyZ3xMwvc3MoFj345DgUy 6fuDSaCC92A78F2eHo8P3oic9gja+nCmj800/MO+S5/7IAkh3yfBciwHsXzqrI4Wzthc yIJfBmL7zFvpcBsNMGaCMtSk/u+8FGbNV4nZpkR25JYg9ogoPAULrDnsMtYDB65RGbT1 qFSYgCg2sVqSPPwgZzfHKS92DE9Zup+VSNr3KOOrM2KautsqmDx5x3Gm1vry2iAzQcTL c8yoQRyMwcnpjAafiQ/+noUAJAX/IYBVAZx2Ti+I+Wd3QxRK5sTMZzvXhOunuhenH+D+ 8rqA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=EzEPL0eQxINwJDDtlMoNKoyokk2VhLvH1zuBUAJZUGk=; b=NdEZw23gsMS6PfeUq4TLuBEjmdegldL10CZRDH+9E0SGLKIAeGSyqsdk4whWRJJxAz 4Vu+skkaKs2NDmdMZmikZetdIyKePE8gvlyzSzedQwv45LXuc16eOaTNdl5gE5zle547 mhS2heFUYkCiVvAG2Qvrq/pKvwq1EZdDnNw/SwB6MuQPgkpr42sXsgEsdIo5CbyBTFHb JA+brb2qLkaOX6WDDQO0xeQg4+OFLaKljIu/b1gQ5YBiqFZz5rO/GT7GoqlBjnBT0OL4 qZKTbX1vSnfSyaulCZaMW9gKq07EuPOe4+oevpERYvTvQjRgMcjawVvamaJXaUQam5VD XEjw==
X-Gm-Message-State: AOAM531oUYOG28erg8I4l9PvdOZCykv2+xwhnp4V3uB+Br5QP1m7b73/ dLGGAmiZhsinuMlMXkocB//rQbO26iKv5lRLfCq29jJabg==
X-Google-Smtp-Source: ABdhPJyY4BnDLY5asR1I+VnQMc7QRDqqWpmiZ+AtoLHxndNErWvz0nFPM3VCrTspP4GFPTJDKl9B+7IVOO7c+U56PLA=
X-Received: by 2002:a25:f623:: with SMTP id t35mr4187242ybd.399.1606998002232; Thu, 03 Dec 2020 04:20:02 -0800 (PST)
MIME-Version: 1.0
References: <> <> <>
In-Reply-To: <>
From: Filip Skokan <>
Date: Thu, 03 Dec 2020 13:19:25 +0100
Message-ID: <>
To: Torsten Lodderstedt <>
Cc: Brian Campbell <>, oauth <>
Content-Type: multipart/alternative; boundary="00000000000013f1b205b58e6152"
Archived-At: <>
Subject: Re: [OAUTH-WG] DPoP followup I: freshness and coverage of signature
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 03 Dec 2020 12:20:15 -0000

> I'm failing to understand why binding the proof to the access token
> ensures freshness of the proof.

Because when access tokens issued to public browser based clients have a
short duration you need continued access to the private key to issue new
proofs. When I exfiltrate the RT and pre-generate tons of proofs while the
user is active on the page through XSS I can then use the RT and my
prepared proofs to talk to the AS to keep on refreshing the AT and use it
against the RS. When the value of the token is part of the proof, i cannot
pre-generate them for future issued access tokens. Short `iat` based
windows don't help here.

S pozdravem,
*Filip Skokan*

On Thu, 3 Dec 2020 at 12:59, Torsten Lodderstedt <>

> Hi,
> I'm failing to understand why binding the proof to the access token
> ensures freshness of the proof. I would rather think if the client is
> forced to create proofs with a reasonable short lifetime, chances for
> replay could be reduced.
> Beside that as far as I remember the primary replay counter measure is the
> inclusion of the endpoint URL and HTTP method in the proof, since it
> reduces the attack surface to a particular URL. So in the context of
> freshness, we are talking about using the same proof with the same URL
> again.
> best regards,
> Torsten.
> > Am 03.12.2020 um 10:20 schrieb Filip Skokan <>:
> >
> > Hi Brian, everyone,
> >
> > While the attack vector allows direct use, there is the option where a
> smarter attacker will not abuse the gained artifacts straight away. Think
> public client browser scenario with the non-extractable private key stored
> in IndexedDB (the only place to persist them really), they wouldn't use the
> tokens but instead, exfiltrate them, together with a bunch of pre-generated
> DPoP proofs. They'll get the refresh token and a bunch of DPoP proofs for
> both the RS and AS. With those they'll be able to get a fresh AT and use it
> with pre-generated Proofs after the end-user leaves the site. No available
> protection (e.g. RT already rotated) will be able to kick in until the
> end-user opens the page again.
> >
> > OTOH with a hash of the AT in the Proof only direct use remains.
> >
> > If what I describe above is something we don't want to deal with because
> of direct use already allowing access to protected resources, it's
> sufficiently okay as is (option #1). However, if this scenario, one
> allowing prolonged access to protected resources, is not acceptable, it's
> option #2.
> >
> > Ad #2a vs #2b vs #2c. My pre-emptive answer is #2a, simply because we
> already have the tools needed to generate and validate these hashes. But
> further thinking about it, it would feel awkward if this JWS algorithm
> driven at_hash digest selection wouldn't get stretched to the
> confirmations, when this are placed in a JWT access token, cool - we can do
> that, but when these are put in a basic token introspection response it's
> unfortunately not an option. So, #2b (just use sha-256 just like the
> confirmations do).
> >
> > Best,
> > Filip
> >
> >
> > On Wed, 2 Dec 2020 at 21:50, Brian Campbell <bcampbell=
>> wrote:
> > There were a few items discussed somewhat during the recent interim that
> I committed to bringing back to the list. The slide below (also available
> as slide #17 from the interim presentation) is the first one of them, which
> is difficult to summarize but kinda boils down to how much assurance there
> is that the DPoP proof was 'freshly' created and that can dovetail into the
> question of whether the token is covered by the signature of the proof.
> > There are many directions a "resolution" here could go but my sense of
> the room during the meeting was that the contending options were:
> >       •  It's sufficiently okay as it is
> >       •  Include a hash of the access token in the DPoP proof (when an
> access token is present)
> >
> > Going with #2 would mean the draft would also have to define how the
> hashing is done and deal with or at least speak to algorithm agility.
> Options (that I can think of) include:
> >       • 2a) Use the at_hash claim defined in OIDC core
> Using
> something that already exists is appealing. But its hash alg selection
> routine can be a bit of a pain. And the algorithm agility based on the
> signature that it's supposed to provide hasn't worked out as well as hoped
> in practice for "new" JWS signatures
> >       • 2b) Define a new claim ("ah", "ath", "atd", "ad" or something
> like that maybe) and just use SHA-256. Explain why it's good enough for now
> and the foreseeable future. Also include some text about introducing a new
> claim in the future if/when SHA-256 proves to be insufficient. Note that
> this is effectively the same as how the confirmation claim value is
> currently defined in this document and in RFC8705.
> >       • 2c) Define a new claim with its own hash algorithm agility
> scheme (likely similar to how the Digest header value or Subresource
> Integrity string is done).
> >
> > I'm requesting that interested WG participants indicate their preference
> for #1 or #2. And among a, b, and c, if the latter.
> >
> > I also acknowledge that an ECDH approach could/would ameliorate the
> issues in a fundamentally different way. But that would be a distinct
> protocol. If there's interest in pursuing the ECDH idea, I'm certainly open
> to it and even willing to work on it. But as a separate effort and not at
> the expense of derailing DPoP in its general current form.
> > <Slide17.jpeg>
> >
> >
> > CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you._______________________________________________
> > OAuth mailing list
> >
> >
> > _______________________________________________
> > OAuth mailing list
> >
> >