IETF Logo Mail Archive

Re: [OAUTH-WG] Mix-Up and CnP/ Code injection

Torsten Lodderstedt <torsten@lodderstedt.net> Sat, 30 April 2016 17:57 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0191312D180 for <oauth@ietfa.amsl.com>; Sat, 30 Apr 2016 10:57:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m9qxhQoIOmFy for <oauth@ietfa.amsl.com>; Sat, 30 Apr 2016 10:57:32 -0700 (PDT)
Received: from smtprelay05.ispgateway.de (smtprelay05.ispgateway.de [80.67.31.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D5A1C12D18D for <oauth@ietf.org>; Sat, 30 Apr 2016 10:57:31 -0700 (PDT)
Received: from [79.218.84.141] (helo=[192.168.71.104]) by smtprelay05.ispgateway.de with esmtpsa (TLSv1.2:DHE-RSA-AES128-SHA:128) (Exim 4.84) (envelope-from <torsten@lodderstedt.net>) id 1awZ8z-0007H4-4Q; Sat, 30 Apr 2016 19:57:29 +0200
To: Nat Sakimura <sakimura@gmail.com>, oauth@ietf.org
References: <571B60BA.8090301@lodderstedt.net> <CABzCy2DeMSGc_yjKi=NWJjh7RLoVsb+KyD9S_MuiQ_gJNg5+fw@mail.gmail.com>
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Message-ID: <49355f12-ef58-0637-47e0-7acd54e882d9@lodderstedt.net>
Date: Sat, 30 Apr 2016 19:57:30 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.0
MIME-Version: 1.0
In-Reply-To: <CABzCy2DeMSGc_yjKi=NWJjh7RLoVsb+KyD9S_MuiQ_gJNg5+fw@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------563498E932E886F3C1DAD40E"
X-Df-Sender: dG9yc3RlbkBsb2RkZXJzdGVkdC5uZXQ=
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lX1JAxouByJo-pr53bDRWJmelFQ>
Subject: Re: [OAUTH-WG] Mix-Up and CnP/ Code injection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 30 Apr 2016 17:57:35 -0000

Hi Nat,

sure, one could also authenticate and cryptographically protect the 
redirect response. Leveraging OIDC concepts is an idea worth considering 
but they should be adopted to the OAuth philosophy. The id token as used 
in the hybrid flows mixes an identity assertion with elements of 
transport security measures. A OAuth AS does not provide identity data 
to clients, so we only need the transport security part.

I personally would prefer a OAuth response object (similar to request 
object you have proposed) over the id token. Such a response object 
could contain (and directly protect) state, code and other response 
values. I consider this the more elegant design and it is easier to 
implement then having detached signatures over hash values of codes or 
access tokens. Moreover, it would allow to encrypt the response as well.

Generally, our threat analysis so far does not have provided 
justification for cryptographically protected redirect responses. All 
proposals currently on the table stop mix up and code injection using 
simpler mechanisms.

I think OAuth 2.0 is a huge success due to its balance of versatility, 
security and _simplicity_. We definitely need to keep it secure, but we 
should also keep it as simple as possible.

kind regards,
Torsten.

Am 29.04.2016 um 10:08 schrieb Nat Sakimura:
> As I look at it more and more, it started to look like the problem of 
> accepting tainted values without message authentication. To fix the 
> root cause, we would have to authenticate response. ID Token was 
> designed to also serve as a solution anticipating it.
>
> Any concrete ideas?
>
> On Sat, Apr 23, 2016 at 04:47 Torsten Lodderstedt 
> <torsten@lodderstedt.net <mailto:torsten@lodderstedt.net>> wrote:
>
>     Hi all,
>
>     discussion about Mix-Up and CnP seems to have stopped after the
>     session
>     in BA - at least in the OAuth WG. There is a discussion about
>     mitigations in OpenId Connect going on at the OpenId Connect
>     mailing list.
>
>     I'm very much interested to find a solution within the OAuth realm as
>     I'm not interested to either implement two solutions (for OpenId
>     Connect
>     and OAuth) or adopt a OpenId-specific solution to OAuth (use id!
>     tokens
>     in the front channel). I therefore would like to see progress and
>     propose to continue the discussion regarding mitigations for both
>     threats.
>
>     https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
>     proposes reasonable mitigations for both attacks. There are
>     alternatives
>     as well:
>     - mix up:
>     -- AS specific redirect uris
>     -- Meta data/turi
>     (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
>     - CnP:
>     -- use of the nonce parameter (as a distinct mitigation beside
>     state for
>     counter XSRF)
>
>     Anyone having an opinion?
>
>     best regards,
>     Torsten.
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org <mailto:OAuth@ietf.org>
>     https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email