Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
"Richard L. Barnes" <rbarnes@bbn.com> Fri, 24 September 2010 16:58 UTC
Return-Path: <rbarnes@bbn.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 6D0E83A6AD9 for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:58:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.412
X-Spam-Level:
X-Spam-Status: No, score=-102.412 tagged_above=-999 required=5 tests=[AWL=0.187, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 03MTmVEPOxXb for <oauth@core3.amsl.com>; Fri, 24 Sep 2010 09:58:56 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.1.81]) by core3.amsl.com (Postfix) with ESMTP id 760243A6A1D for <oauth@ietf.org>; Fri, 24 Sep 2010 09:58:56 -0700 (PDT)
Received: from ros-dhcp192-1-51-60.bbn.com ([192.1.51.60]:63687) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <rbarnes@bbn.com>) id 1OzBcO-000J7A-Cw; Fri, 24 Sep 2010 12:59:28 -0400
Message-Id: <2FAAE083-321F-4841-B4A8-E880CF534779@bbn.com>
From: "Richard L. Barnes" <rbarnes@bbn.com>
To: John Panzer <jpanzer@google.com>
In-Reply-To: <AANLkTimciAaUKAiQh62=Nv3s9OwOZULur-P+wGjCpXp+@mail.gmail.com>
Content-Type: text/plain; charset="US-ASCII"; format="flowed"; delsp="yes"
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Fri, 24 Sep 2010 12:59:27 -0400
References: <C8C16037.3AC75%eran@hueniverse.com> <1285335868.15179.98.camel@localhost.localdomain> <440E4C9A-41A2-4203-80B8-B6967D886A80@bbn.com> <1285339868.15179.139.camel@localhost.localdomain> <BFF19F03-2B06-4C93-8CE0-2C9A6A267CE4@bbn.com> <AANLkTimVM7VaU=Y3wyVnT=LMOP1uVtAeHZNCV7DPNr2w@mail.gmail.com> <64B7C801-DAC2-4155-AB9D-88DFF709A689@bbn.com> <AANLkTimciAaUKAiQh62=Nv3s9OwOZULur-P+wGjCpXp+@mail.gmail.com>
X-Mailer: Apple Mail (2.936)
Cc: OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Google's view on signatures in the core OAuth2 spec
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Sep 2010 16:58:57 -0000
> Then there's the question of checking to see if the data in the
> envelope is consistent with data outside the envelope. A good way
> to do this is to ignore the data outside the envelope and only use
> the verified, enveloped data.
This is precisely the problem. But think about what "only using the
data inside the envelope" means in the context of OAuth -- stuffing
all the relevant parts of the HTTP request inside the envelope. I
admit that I'm not up to speed on the latest OAuth specs, but in
earlier versions, there were several parts of the HTTP request that
were included under the OAuth signature, so this would amount to a lot
of duplication.
The alternative is to somehow ensure that the data outside the
envelope are the same as the data inside the envelope. Which brings
us back to the two mechanisms we were talking about before for doing
that:
1. Send the enveloped data and checking that the inside matches the
outside
2. Just send the envelope (not the data) and reconstruct the data from
the request based on the outside information.
Just using a JSON token / Magic Signature object that includes all the
relevant fields requires that you do (1), which has the risk that the
recipient can skip the check. You can do (2) with a "meta-MagicSig"
where the content is included by reference (e.g., to field names) and
the actual enveloped data structure is built and verified by the
recipient.
As far as a specific attack vector, I think the idea is that a
recipient could get a request like the following (again, with made-up
syntax)...
POST /malevolent.php HTTP/1.1
Authorization: oauth { method: "GET", path: "innocuous.jpg", sig:
valid_sig }
... and based on the validity of the signature, go ahead and grant the
request.
--Richard
- [OAUTH-WG] Google's view on signatures in the cor… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Anthony Nadalin
- Re: [OAUTH-WG] Google's view on signatures in the… Eric Sachs
- Re: [OAUTH-WG] Google's view on signatures in the… Dick Hardt
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Justin Richer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… Eran Hammer-Lahav
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… John Panzer
- Re: [OAUTH-WG] Google's view on signatures in the… Richard L. Barnes