Re: [OAUTH-WG] TAuth
Justin Richer <jricher@mit.edu> Wed, 11 May 2016 00:05 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B9A7112B02B for <oauth@ietfa.amsl.com>; Tue, 10 May 2016 17:05:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.196
X-Spam-Level:
X-Spam-Status: No, score=-5.196 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 26Xn5aGf0rqH for <oauth@ietfa.amsl.com>; Tue, 10 May 2016 17:05:47 -0700 (PDT)
Received: from dmz-mailsec-scanner-5.mit.edu (dmz-mailsec-scanner-5.mit.edu [18.7.68.34]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A5E012B027 for <OAuth@ietf.org>; Tue, 10 May 2016 17:05:46 -0700 (PDT)
X-AuditID: 12074422-913ff7000000760a-cb-57327758889f
Received: from mailhub-auth-1.mit.edu ( [18.9.21.35]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by (Symantec Messaging Gateway) with SMTP id 8E.07.30218.85772375; Tue, 10 May 2016 20:05:44 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-1.mit.edu (8.13.8/8.9.2) with ESMTP id u4B05hPc011339; Tue, 10 May 2016 20:05:44 -0400
Received: from [IPv6:2607:fb90:6c4b:14ac:280b:7ee1:d991:c0d4] ([172.58.56.174]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id u4B05d9S009203 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES128-SHA bits=128 verify=NOT); Tue, 10 May 2016 20:05:41 -0400
Date: Tue, 10 May 2016 19:05:37 -0500
Message-ID: <pjn8ovq6db4enh1fmikoyi2p.1462925137123@email.android.com>
Importance: normal
From: Justin Richer <jricher@mit.edu>
To: Brock Allen <brockallen@gmail.com>, Dick Hardt <dick.hardt@gmail.com>, Oauth Wrap Wg <OAuth@ietf.org>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="--_com.samsung.android.email_353449515129040"
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrGIsWRmVeSWpSXmKPExsUixCmqrBtRbhRusHeHpsWMH0fZLR7PLLI4 +fYVmwOzx85Zd9k9liz5yRTAFMVlk5Kak1mWWqRvl8CVMfndVLaCvS+YKj6v9mhgbL3P1MXI ySEhYCLRcnI9cxcjF4eQQBuTxMv5IAkQZyOjxLvNi9khnDNMElfWTQFrYRFQlWhu2MsIYgsL yEo07drCCmLzCrhJnDw1naWLkYODU0BIomuXBEiYDah8+poWsFYRgSKJDTcmMUKUC0qcnPkE rJxZIEbiSl/8BEaeWUgysxAyIGFmAXWJP/MuMUPYihJTuh+yQ5SoSSxrVUIWXsDItopRNiW3 Sjc3MTOnODVZtzg5MS8vtUjXVC83s0QvNaV0EyMoKNldlHYwTvzndYhRgINRiYd3B5dhuBBr YllxZe4hRkkOJiVR3i35RuFCfEn5KZUZicUZ8UWlOanFhxglOJiVRHhzioFyvCmJlVWpRfkw KWkOFiVx3qDIY2FCAumJJanZqakFqUUwWRkODiUJXskyoEbBotT01Iq0zJwShDQTByfIcB6g 4VogNbzFBYm5xZnpEPlTjKZS4rzuIAkBkERGaR5cr5KQkIAa++8JOd4iazS46x7enHjgCii5 rLGyWPeKURzoPWHeDpBOHmBigpv4CmgZE9AyOTZ9kGUliQgpqQZGMbtHd3Qlt9oyiLYLqmcs U+KvbhOO/pXnum1W7ju+dNkDFlETzafvf858JFitbPJmZZ24fUbHCt2CZ9mG/bq/3fPQS9ui 1c0Sx/izlmzfHanAFL2Y/VCBZDHPMya213qRv/7XBGi9Y5M1kTqbYiRlFGr04pn4sZWLLYp7 5P2P2z3ffspQSkuJpTgj0VCLuag4EQA98qFKCQMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/jPHrwXh4RAEMxMKEePik3BRdBHE>
Subject: Re: [OAUTH-WG] TAuth
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 May 2016 00:05:52 -0000
I posted about this the other day. What I don't understand is that he's saying people disable TLS checks so he's going to solve it with mutual TLS? I need to email this guy and learn more about what he's doing. --Justin Sent from my phone -------- Original message --------From: Brock Allen <brockallen@gmail.com> Date: 5/10/16 6:44 PM (GMT-06:00) To: Dick Hardt <dick.hardt@gmail.com>, Oauth Wrap Wg <OAuth@ietf.org> Subject: Re: [OAUTH-WG] TAuth Doesn’t the recent PoP work address many of these concerns? Also, as for developers disabling SSL — does anyone still do this and think it’s safe? Or are people just being lazy? Or are there certain contexts that I’m unaware of where this is valid? -Brock From: OAuth <oauth-bounces@ietf.org> on behalf of Dick Hardt <dick.hardt@gmail.com> Date: Tuesday, May 10, 2016 at 7:24 PM To: Oauth Wrap Wg <OAuth@ietf.org> Subject: [OAUTH-WG] TAuth Does anyone think there are useful lessons here? Does adding TOKBIND resolve the issues? https://blog.teller.io/2016/04/26/tauth.html TellerJoin waiting listIntroducing TAuth: Why OAuth 2.0 is bad for banking APIs and how we're fixing itThis week we released our authorisation flow making it possible for you to go from building apps that talk to your bank account, to building apps that can talk to any bank account. This is huge. Check out this SMS bot (how on trend) I hacked up yesterday morning. (and don't forget to join the beta wait list). Getting to this point took longer than we expected. This is because there wasn't a good story for delegating authorisation for sensitive APIs. The most popular choice, OAuth 2.0 - which has been chosen by the Open Banking Working Group, BBVA, RBS, and Mondo - is also amongst the worst from a security perspective.Teller provides an API for your bank account. The EU is forcing all European banks to expose account APIs with PSD II by end of 2017. These banks are disconcertingly converging around OAuth 2.0* without fully considering the impact on their customers, and something needs to be done before it's too late.* One notable exception is the Open Bank Project. It is sticking with OAuth 1.0a precisely because OAuth 1.0a doesn't share the same security issues as OAuth 2.0.Man-in-the-middleOne of the biggest problems with OAuth 2.0 is that it delegates all security concerns to TLS but only the client authenticates the server (via it's SSL certificate), the server does not authenticate the client. This means the server has no way of knowing who is actually sending the request. Is it a bona fide user, or is an attacker tampering with the request? When an attacker is able to insinuate themselves between a legitimate user and the server, it's called a man-in-the-middle (MITM) attack. It looks like this:client attempts to connect to serviceattacker successfully reroutes traffic to a host it controlsmalicious host accepts connection from clientmalicious host connects to serviceservice accepts connection from malicious hostclient communicates with service proxied through malicious host, which can see and tamper with any data sent or receivedYou're probably thinking "hang on, isn't this the point of SSL?" Yes it is, but there are a number of ways to present a bogus certificate and a client accept it. The most realistic threat is the client developer not properly verifying the server certificate, i.e. was it ultimately signed by a trusted certificate authority?Follow Tim Pope @tpopePull requests to disable SSL certificate verification: more common than you would think.2:24 PM - 11 Feb 20135 5 Retweets 5 5 likesUnfortunately a large number of developers think that disabling SSL peer verification is the correct fix to a SSL path validation error. There are many more that will offer the same advice with the caveat that it introduces a security issue that < 100% of readers will consider. As an API provider with a duty of care to our users we can't simply hope developers on our platform don't do this.Bearer tokensOnce a user authorises a client application to access its account, the application obtains a bearer token from the authorisation server. As the name suggests if you have possession of the bearer token then you are essentially the user. There is no cryptographic proof that the requesting client is the intended developer and not an attacker. If an attacker is able to successfully MITM a client it could have catastrophic implications for the user, e.g. an empty bank account, loans opened in their name, etc. OAuth 2.0 is simply a security car crash from a bank's perspective. They have no way to prove that an API transaction is bona fide, exposing them to unlimited liability.For more information on OAuth 2.0 shortcomings see OAuth Bearer Tokens are a Terrible Idea and OAuth 2.0 and the Road to Hell by Eran Hammer the original primary author of OAuth 2.0 who formally removed his name from the standard, calling it "the biggest professional disappointment of [his] career."Finding something betterSitting down to design the solution to this problem I had two high-level goals:be the most secure solution for the usernot unnecessarily impede developer experience. Developers are users too and their needs deserve equal consideration.From a security perspective I wanted:cryptographic proof of client identityto stop MITM attacksto unimpeachably attribute a request to a given developer. In cryptography this is known as non-repudiation.(N.B. Non-repudiation is a de facto requirement of PSD II. If a bank can't prove an account owner authorised a transaction, they're liable for any losses incurred by the user.)There are solutions to the bearer token problem like JWT tokens (RFC7523) but in most cases these rely on a shared secret which is used to computed a HMAC-based signature. Shared secrets mean no non-repudiation. Public key cryptography can be used with JWT tokens but they don't solve the problem of how the client will generate key pairs, demonstrate proof of possession of the private key, and enrol the public key with the API. Most importantly using JWT tokens make it basically impossible for you to experiment with an API using cURL. A major impediment to developer experience.In an ideal world we'd have cryptographic proof of the client's identity without it having to leak through the application level (and stop us cURLing the API!). As I thought about it it became the clear the answer was hiding in plain sight: SSL client certificates.Client SSL AuthenticationA SSL handshake involving client certificates contains an extra message at the end of the handshake, the CertificateVerify message. Client Server ClientHello --------> ServerHello Certificate* ServerKeyExchange* CertificateRequest* <-------- ServerHelloDone Certificate* ClientKeyExchange CertificateVerify* [ChangeCipherSpec] Finished --------> [ChangeCipherSpec] <-------- Finished Application Data <-------> Application Data Fig. 1 - Message flow for a full handshakeThe client collects all the handshake messages and signs them with it's private key and sends the result to the server. The server then verifies the signature using the public key of the client certificate. If the signature can be verified with the public key, the server knows the client is in possession of the private key, and is therefore a bona fide user.Let's look at this in the context of our original attack:client attempts to connect to serviceattacker successfully reroutes traffic to a host it controlsmalicious host accepts connection from client accepting the client's certificatemalicious host connects to servicethe malicious host will fail to SSL handshake because the host doesn’t have the private key for the client’s certificate. The attacker therefore cannot compute the correct CertificateVerify handshake message. The CertificateVerify message from the first handshake cannot be used because the handshake sequences diverge (different server certificates presented by the host).Introducing TAuthTAuth is Client SSL Authentication + User Tokens + Great Tooling.Client SSL authentication is often overlooked because of the poor UX of using client certificates in the browser and that generating certificates is a painful multistep process involving arcane OpenSSL CLI incantations. However as we're talking about API clients the browser UX point is irrelevant. As far as certificate generation goes, we can write better tools. These days it's possible to generate a key pair, a PKCS#10 certificate request, and sign it all in the browser. Thanks to WebCrypto the whole process is reduced to one click.This is how Teller does it:A private key and a SSL certificate signed by Teller generated in one click.And this is what a request looks like with client certificates:Let's recap what we've achieved here:Cryptographic proof of the client identityThe cURLability of the API is preservedThe client developer has generated a private key known only to them and no one else, meaning the bank can actually say "you did that transaction" (non-repudiation)Token securityNotice in the above example. The Teller API accepts connections from clients without a client certificate. We do this because we provide developers with read-only personal access tokens for their own accounts if they want to quickly hack something up and not bother with provisioning certs. Now notice how the API does not accept the token presented, but accepts it when used with the client SSL certificate. TAuth bearer tokens are bound on the server side to a private key through an application. This means they are useless without the private key (which only the developer ever has) and therefore not sensitive. As matter of fact, here is one for my bank account: You'll need the private key it's bound to for it to be of any use, and that has never left my laptop.TAuth tokens do not expire (but can be revoked). OAuth 2.0 introduced the concept of time-limited tokens. Large internet companies found it useful for scaling purposes to issue self-encoded, encrypted tokens. The drawbacks are developers have to pay the complexity cost of refreshing tokens and most importantly tokens cannot be revoked, they're good until they expire. For bank account APIs this is an undesirable property, a token should be void as soon as the account owner wishes. TAuth checks the token revocation status at each request.Given that we have no need for self-encoded tokens and that tokens are useless to anyone without the private key, we can consider them public and directly return them in the callback further simplifying things for the developer compared to OAuth without compromising the user's security.Bonus: DDOS mitigationTAuth can help mitigate layer 7 based DDOS attacks too. If the client does not present a valid client certificate the server can just choose to bounce the connection.ConclusionOAuth 2.0 is simply not fit for use with sensitive APIs and all the pieces needed to build something that is exist today. Aside from unbound bearer tokens, OAuth is too open-ended and complicated to get right for most developers. It's so bad it even has it's own threat model as a separate RFC to offer mitigations for the endless problems that can happen.TAuth stands for Trusted Authentication, and it provides the best security for users while maintaining the highest possible quality developer experience. Less can go wrong when everything is simpler. If your bank has OAuth 2.0 in production you must ask yourself, do they really know what they're doing?TAuth is available in production today for our existing beta users and we've already begun the work to make it an open standard we hope the industry adopts. If you're at a bank and want to offer your customers the security they deserve email me - sg at teller.ioSign up for the beta waiting list at Teller.io. _______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] TAuth Dick Hardt
- Re: [OAUTH-WG] TAuth Brock Allen
- Re: [OAUTH-WG] TAuth Justin Richer
- Re: [OAUTH-WG] TAuth Dick Hardt
- Re: [OAUTH-WG] TAuth Takahiko Kawasaki
- Re: [OAUTH-WG] TAuth Stevie Graham
- Re: [OAUTH-WG] TAuth Justin Richer