Re: [OAUTH-WG] draft-ietf-oauth-spop-10

John Bradley <ve7jtb@ve7jtb.com> Wed, 18 February 2015 14:39 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 966381A8833 for <oauth@ietfa.amsl.com>; Wed, 18 Feb 2015 06:39:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GapzRhL8DfeD for <oauth@ietfa.amsl.com>; Wed, 18 Feb 2015 06:38:57 -0800 (PST)
Received: from mail-pa0-f51.google.com (mail-pa0-f51.google.com [209.85.220.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 172C91A87F0 for <oauth@ietf.org>; Wed, 18 Feb 2015 06:38:57 -0800 (PST)
Received: by pabkx10 with SMTP id kx10so1558413pab.13 for <oauth@ietf.org>; Wed, 18 Feb 2015 06:38:56 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=CTUMfmRIh256sKlZbu/27cQ+OR/JW5EGXm6EKoeXobs=; b=F5Vap0W5tOypG75AAFYhxTga/7oERdhElCEzxI5OIsHGylVQaZromaxpVuqIbOBPNg OwypNc9HRQOkaeWJWI7n9BGt0+Jf2kCHkIOPt76PagFGMcRH3I8IjI6AsKtKeOM73vNP ZQtLFC3LDVTV5fm3Hj20nub+6v3tl4Ftute5ZTNEVlHzveyZa5WxA/Bq6iCOPYRFfruO 2kJpOmNPDWMPcpzbqObH7xxDqWWbgsdAdGlC1A26TelTOGezSOfcPoXvyTiIPvCIDppv qREDF3oLAdmKKmcrX902hADXihqRuLKGR2UpEYI8rEegczhdV6RlYXqPoXyvvRMSNPab fJSg==
X-Gm-Message-State: ALoCoQnDQt58TLzMRL0RMnkRyPvhm4yfZikKHdxWbuwXNLzwllX5/fyIM0rh+QAmtqhj4h3vW4L9
X-Received: by 10.68.132.103 with SMTP id ot7mr59755848pbb.0.1424270336708; Wed, 18 Feb 2015 06:38:56 -0800 (PST)
Received: from [10.1.1.16] (75-149-33-126-SFBA.hfc.comcastbusiness.net. [75.149.33.126]) by mx.google.com with ESMTPSA id oq4sm6981970pdb.73.2015.02.18.06.38.54 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 18 Feb 2015 06:38:55 -0800 (PST)
Content-Type: multipart/signed; boundary="Apple-Mail=_16492D11-A58A-4929-A841-BD91884E2F3A"; protocol="application/pkcs7-signature"; micalg=sha1
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2070.6\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABzCy2D1izfTA-ji28XX-rJg=BsSiXgnkNvCWn0Puz2_pCiG1A@mail.gmail.com>
Date: Wed, 18 Feb 2015 06:38:43 -0800
Message-Id: <175D5D8F-05C5-4926-A44C-D01E5398E49B@ve7jtb.com>
References: <54E372C1.8040204@gmx.net> <20150218131359.19dae026d3e459813e21dc55@nri.co.jp> <54E450B2.7020409@gmx.net> <20150218182653.b84a14b8c26c3a506579692e@nri.co.jp> <54E45F22.8060902@gmx.net> <CABzCy2D1izfTA-ji28XX-rJg=BsSiXgnkNvCWn0Puz2_pCiG1A@mail.gmail.com>
To: Nat Sakimura <n-sakimura@nri.co.jp>
X-Mailer: Apple Mail (2.2070.6)
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/iCpfqdKkcG5Z06u9OFA22vf7jSw>
Cc: "oauth@ietf.org" <oauth@ietf.org>, Naveen Agarwal <naa@google.com>
Subject: Re: [OAUTH-WG] draft-ietf-oauth-spop-10
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Feb 2015 14:39:00 -0000

As I stated in my message.  I think for plain having there be a MUST at 256 bits would be overkill.  

For plain given it is single use like the code is we should probably match it to the entropy required for code.

In RFC 6749 we say
The probability of an attacker guessing generated tokens (and other
   credentials not intended for handling by end-users) MUST be less than
   or equal to 2^(-128) and SHOULD be less than or equal to 2^(-160).

So to be consistent I would make plain "MUST be between 16 and 32 octets”

I don’t remember precisely , but I may be the one responsible for the for the 2^(-128) value for code.  
That was a bit higher than needed if people can really only use code once.   However the reality is that not all AS properly revoke code after it is used.
That is really hard in a clustered environment.  (There is more than one large one so I am not picking on anyone in particular) 

Knowing that in reality an attacker might be able to make a limited number attacks before a code time expires there is a fudge factor in the 128bit code to still make it plausibly unguessable even in that case.

The same factor would apply to code_verifier other wise I would say 8 octets would be sufficient.

 John B.

> On Feb 18, 2015, at 1:50 AM, Nat Sakimura <n-sakimura@nri.co.jp> wrote:
> 
> Is there anyone who has problems changing it to a MUST? 
> On 2015年2月18日(水) at 18:48 Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> I think that the "controlled environment" is a risky idea. I believe we
> should definitely go for a MUST.
> 
> On 02/18/2015 10:26 AM, Nat Sakimura wrote:
> > Hi Hannes,
> >
> > The reason I have put SHOULD there instead of MUST is
> > that there may be a valid reason not to in a controlled
> > environment, and it does not interfere the interoperability.
> > The deployment may opt to use other control than entropy,
> > and SHOULD allows it while MUST does not.
> >
> > Having said that, if the WG is OK with a MUST there,
> > I am fine with incorporating the proposed change.
> >
> > Cheers,
> >
> > Nat
> >
> >
> > On Wed, 18 Feb 2015 09:43:30 +0100
> > Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> >
> >> Hi Nat,
> >>
> >> thanks for the quick response.
> >>
> >> I was hoping to see a statement like "The code verifier MUST have
> >> enough entropy to make it impractical to guess the value." in the
> >> text rather than the SHOULD. Given all the other statements in the
> >> draft I am not sure what the should actually means. Under what
> >> conditions would an implementer not provide enough entropy to make
> >> guessing impractical?
> >>
> >> Ciao
> >> Hannes
> >>
> >> On 02/18/2015 05:13 AM, Nat Sakimura wrote:
> >>> Hi Hannes,
> >>>
> >>> I hereby confirm that I have submit the draft  in full conformance
> >>> with the  provisions of BCP 78 and BCP 79.
> >>>
> >>> Re: Security Consideration (7.1) and section 4.1
> >>>
> >>> The first part of the 7.1 is a non-normative prose explaining that
> >>> the implementers got to make sure that the code verifier is hard to
> >>> guessed or modeled. In a way, this is laying out the basic security
> >>> property requirment on the code verifier.
> >>>
> >>> Then, it goes onto the implementation guideance that one need to
> >>> use a cryptographic random number generator instead of relying on a
> >>> rand() in some language that are  not cryptographically random to
> >>> generate 32-octet sequence. The same text is in 4.1 as well.
> >>>
> >>> We did not copy "code verifier SHOULD have enough entropy to make
> >>> it impractical to guess the value" here because that looked
> >>> needlessly repeating, but if you want, I have no objection in
> >>> adding it to 7.1.
> >>>
> >>> Alternatively, in 7.1, after explaining the rationale, we can just
> >>> point to 4.1 for the control and implementation guidance.
> >>>
> >>> Re: 32-octet
> >>>
> >>> We chose it because we are using SHA256 in generating the code
> >>> challange. Having more entropy does not help us here, while having
> >>> less octets increases the risk.
> >>>
> >>> Best,
> >>>
> >>> Nat
> >>>
> >>>
> >>>
> >>> On Tue, 17 Feb 2015 17:56:33 +0100
> >>> Hannes Tschofenig <hannes.tschofenig@gmx.net <mailto:hannes.tschofenig@gmx.net>> wrote:
> >>>
> >>>> Hi Nat, John, Naveen,
> >>>>
> >>>> thanks a lot for your work on the document.
> >>>>
> >>>> I still need responses to this mail to complete the shepherd
> >>>> writeup:
> >>>> http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html <http://www.ietf.org/mail-archive/web/oauth/current/msg14100.html>
> >>>>
> >>>> I definitely need the IPR confirmation.
> >>>>
> >>>> It would also be helpful to have someone who implemented the
> >>>> specification as it currently is. I asked Brian and Thorsten for
> >>>> clarification regarding their statements that they implemented
> >>>> earlier versions of the spec.
> >>>>
> >>>> As a final remark I still believe that the text regarding the
> >>>> randomness is still a bit inconsistent. Here are two examples:
> >>>>
> >>>> 1) In the Security Consideration you write that "The security model
> >>>> relies on the fact that the code verifier is not learned or
> >>>> guessed by the attacker.  It is vitally important to adhere to
> >>>> this principle. "
> >>>>
> >>>> 2) In Section 4.1 you, however, write: "NOTE: code verifier SHOULD
> >>>> have enough entropy to make it impractical to guess the value.  It
> >>>> is RECOMMENDED that the output of a suitable random number
> >>>> generator be used to create a 32-octet sequence."
> >>>>
> >>>> There is clearly a long way from a SHOULD have enough entropy to
> >>>> the text in the security consideration section where you ask for
> >>>> 32 bytes entropy.
> >>>>
> >>>> It is also not clear why you ask for 32 bytes of entropy in
> >>>> particular.
> >>>>
> >>>> Ciao
> >>>> Hannes
> >>>>
> >>>
> >>>
> >>
> >
> >
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth <https://www.ietf.org/mailman/listinfo/oauth>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth