IETF Logo Mail Archive

Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft

George Fletcher <gffletch@aol.com> Fri, 22 January 2016 19:05 UTC

Return-Path: <gffletch@aol.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 664421B2C50 for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 11:05:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i1tvmKFsYHRw for <oauth@ietfa.amsl.com>; Fri, 22 Jan 2016 11:05:49 -0800 (PST)
Received: from omr-m001e.mx.aol.com (omr-m001e.mx.aol.com [204.29.186.1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBF4A1B2C47 for <oauth@ietf.org>; Fri, 22 Jan 2016 11:05:48 -0800 (PST)
Received: from mtaout-mbd01.mx.aol.com (mtaout-mbd01.mx.aol.com [172.26.252.13]) by omr-m001e.mx.aol.com (Outbound Mail Relay) with ESMTP id 0DBFA380008F; Fri, 22 Jan 2016 14:05:48 -0500 (EST)
Received: from [10.172.102.124] (unknown [10.172.102.124]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by mtaout-mbd01.mx.aol.com (MUA/Third Party Client Interface) with ESMTPSA id 4E7C538000098; Fri, 22 Jan 2016 14:05:47 -0500 (EST)
To: Paul Madsen <paul.madsen@gmail.com>, John Bradley <ve7jtb@ve7jtb.com>, David Waite <david@alkaline-solutions.com>
References: <BY2PR03MB442662C73E3904E73D9B9EFF5C30@BY2PR03MB442.namprd03.prod.outlook.com> <2EB9855D-BAB2-4B90-B649-F1B24B8834EC@alkaline-solutions.com> <DC542E43-8D0B-4728-AB46-AC70F190D8AD@ve7jtb.com> <80218A07-9D37-42A3-B90A-56AEDBC3A86C@alkaline-solutions.com> <CAANoGhJT8j0ZO09kBJHpg+QVkFi-RuoA42Rb+zd698aC9AmLUw@mail.gmail.com> <CAAP42hCzVtXiECAZzaU-YEQe01BPbOc6OTL-u=PLQkxdsYeSfQ@mail.gmail.com> <56A260B6.4060302@aol.com> <478C8683-0E47-43E7-A7F3-75F89AB1DCDA@alkaline-solutions.com> <EB5584D0-33AD-4CEB-8A51-D30A4D57B7BE@ve7jtb.com> <56A27C3E.2070301@gmail.com>
From: George Fletcher <gffletch@aol.com>
Organization: AOL LLC
Message-ID: <56A27D8A.3040804@aol.com>
Date: Fri, 22 Jan 2016 14:05:46 -0500
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.5.1
MIME-Version: 1.0
In-Reply-To: <56A27C3E.2070301@gmail.com>
Content-Type: multipart/alternative; boundary="------------010007060602050505060904"
x-aol-global-disposition: G
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mx.aol.com; s=20150623; t=1453489547; bh=ZCM/t7g0BBDOXo4l81jScMH/qlakBuDlhcUrbgdGcuI=; h=From:To:Subject:Message-ID:Date:MIME-Version:Content-Type; b=sGwgCG5D6EboO+FwUjEHhsqHkgsPkBB2u4HfkvCNoanK1511IPAG1fDG15zlO9PfV 2h7/H+gWfu0uJhXlqvCSguE+EnFJgIjzIPfUMIZIADhxiFIoEg55abn7kph1MyIus8 gL5HXAXVaUwe0tqoYdm1pBST56I6JgeEU7O8rcc4=
x-aol-sid: 3039ac1afc0d56a27d8b1956
X-AOL-IP: 10.172.102.124
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/l4y_sB2ZKPo99uIg9H1sX8MEJ_0>
Cc: IETF oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Second OAuth 2.0 Mix-Up Mitigation Draft
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Jan 2016 19:05:52 -0000

Isn't that your department Paul? I have high expectations!

On 1/22/16 2:00 PM, Paul Madsen wrote:
> tshirt or it didnt happen
>
> On 1/22/16 1:57 PM, John Bradley wrote:
>> Now that we have a cool name all we need is a logo for the attack and 
>> per haps an anime character, and we are done with all the hard work:)
>>
>> John B.
>>> On Jan 22, 2016, at 2:54 PM, David Waite 
>>> <david@alkaline-solutions.com> wrote:
>>>
>>> It’s pronounced FronkenSTEEN-ian.
>>>
>>> -DW
>>>
>>>> On Jan 22, 2016, at 10:02 AM, George Fletcher <gffletch@aol.com 
>>>> <mailto:gffletch@aol.com>> wrote:
>>>>
>>>> "Frankensteinian Amalgamation" -- David Waite
>>>>
>>>> I like it! :)
>>>>
>>>> On 1/22/16 8:11 AM, William Denniss wrote:
>>>>> +1 ;)
>>>>> On Fri, Jan 22, 2016 at 8:45 PM John Bradley <ve7jtb@ve7jtb.com> 
>>>>> wrote:
>>>>>
>>>>>     Perhaps Frankenstein response is a better name than cut and
>>>>>     paste attack.
>>>>>
>>>>>     John B.
>>>>>
>>>>>     On Jan 22, 2016 1:22 AM, "David Waite"
>>>>>     <david@alkaline-solutions.com> wrote:
>>>>>
>>>>>>         On Jan 21, 2016, at 2:50 PM, John Bradley
>>>>>>         <ve7jtb@ve7jtb.com> wrote:
>>>>>>
>>>>>>         In that case you probably would put a hash of the state
>>>>>>         in the code to manage size.  The alg would be up to the
>>>>>>         AS, as long as it used the same hash both places it would
>>>>>>         work.
>>>>>         Yes, true.
>>>>>>
>>>>>>         Sending the state to the token endpoint is like having
>>>>>>         nonce and c_hash in the id_token, it binds the issued
>>>>>>         code to the browser instance.
>>>>>         I think I understand what you are saying. Someone won’t be
>>>>>         able to frankenstein up a state and a token from two
>>>>>         different responses from an AS, and have a client
>>>>>         successfully fetch an access token based on the amalgamation.
>>>>>>         This protects against codes that leak via redirect uri
>>>>>>         pattern matching. failures etc.  It prevents an attacker
>>>>>>         from being able to replay a code from a different browser.
>>>>>         Yes, if a party intercepts the redirect_url, or the AS
>>>>>         fails to enforce one time use (which even for a compliant
>>>>>         implementation could just mean the attacker was faster
>>>>>         than the state propagated within the AS)
>>>>>
>>>>>         Makes sense. Thanks John.
>>>>>
>>>>>         -DW
>>>>>
>>>>>>         If the client implements the other mitigations on the
>>>>>>         authorization endpoint, then it wouldn't be leaking the
>>>>>>         code via the token endpoint.
>>>>>>
>>>>>>         The two mitigations are for different attacks, however
>>>>>>         some of the attacks combined both vulnerabilities.
>>>>>>
>>>>>>         Sending the iss and client_id is enough to stop the
>>>>>>         confused client attacks, but sending state on its own
>>>>>>         would not have stopped all of them.
>>>>>>
>>>>>>         We discussed having them in separate drafts, and may
>>>>>>         still do that.   However for discussion having them in
>>>>>>         one document is I think better in the short run.
>>>>>>
>>>>>>         John B.
>>>>>>
>>>>>>>         On Jan 21, 2016, at 4:48 PM, David Waite
>>>>>>>         <david@alkaline-solutions.com> wrote:
>>>>>>>
>>>>>>>         Question:
>>>>>>>
>>>>>>>         I understand how “iss" helps mitigate this attack
>>>>>>>         (client knows response was from the appropriate issuer
>>>>>>>         and not an attack where the request was answered by
>>>>>>>         another issuer).
>>>>>>>
>>>>>>>         However, how does passing “state” on the
>>>>>>>         authorization_code grant token request help once you
>>>>>>>         have the above in place? Is this against some alternate
>>>>>>>         flow of this attack I don’t see, or is it meant to
>>>>>>>         mitigate some entirely separate attack?
>>>>>>>
>>>>>>>         If one is attempting to work statelessly (e.g. your
>>>>>>>         “state” parameter is actual state and not just a
>>>>>>>         randomly generated value), a client would have always
>>>>>>>         needed some way to differentiate which issuer the
>>>>>>>         authorization_code grant token request would be sent to.
>>>>>>>
>>>>>>>         However, if an AS was treating “code” as a token (for
>>>>>>>         instance, encoding: client, user, consent time and
>>>>>>>         approved scopes), the AS now has to include the client’s
>>>>>>>         state as well. This would effectively double (likely
>>>>>>>         more with encoding) the state sent in the authorization
>>>>>>>         response back to the client redirect URL, adding more
>>>>>>>         pressure against maximum URL sizes.
>>>>>>>
>>>>>>>         -DW
>>>>>
>>>>>     _______________________________________________
>>>>>     OAuth mailing list
>>>>>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>>>>>     https://www.ietf.org/mailman/listinfo/oauth
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>
>>>> -- 
>>>> Chief Architect
>>>> Identity Services Engineering     Work:george.fletcher@teamaol.com
>>>> AOL Inc.                          AIM:  gffletch
>>>> Mobile: +1-703-462-3494           Twitter:http://twitter.com/gffletch
>>>> Office: +1-703-265-2544           Photos:http://georgefletcher.photography
>>>
>>
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Chief Architect
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography

v2.30.2 | Report a Bug | By Email | System Status