IETF Logo Mail Archive

Re: [OAUTH-WG] Mix-Up and CnP/ Code injection

William Denniss <wdenniss@google.com> Mon, 02 May 2016 02:08 UTC

Return-Path: <wdenniss@google.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B536412B05E for <oauth@ietfa.amsl.com>; Sun, 1 May 2016 19:08:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.996
X-Spam-Level:
X-Spam-Status: No, score=-2.996 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S-hVZMQyybhs for <oauth@ietfa.amsl.com>; Sun, 1 May 2016 19:08:18 -0700 (PDT)
Received: from mail-oi0-x229.google.com (mail-oi0-x229.google.com [IPv6:2607:f8b0:4003:c06::229]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A82012B05B for <oauth@ietf.org>; Sun, 1 May 2016 19:08:18 -0700 (PDT)
Received: by mail-oi0-x229.google.com with SMTP id k142so175674493oib.1 for <oauth@ietf.org>; Sun, 01 May 2016 19:08:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=SRCATVNdlK3KSQia5BvHN+S8NSkGreOyfUZaVKnwVZ8=; b=RVmO0lAZpd/eaJIkNdCl7S9T9VGn/j/lIjGugKQ9O9e13uEGTEayiN4WdPAsm37Ucz t40RRNYw+WiWXPRMAZzwiKEivmO3mUNX9q/nBi4yOAtvCCq9VRdiizDiCmtsWv5qLZNT mWXp9L3etCAk6skU0EyJSb0wbWOrcWTIdQnA/xcjc2nwtDAM8kRfCOxY5QQ1rfwh0gfx q4PjE1DLDr8wUI/kWQ49f2CiL/Q3edeD/Ylal8eCyBuko1WvS5eMxRdjje/cVozplTSt yjwqdCrWkyQ7asJFPaQI1HRWUYvHssuuV9lXanUi94W5/3XIJ31V8X1cGqtJYVBFYeBr EOEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=SRCATVNdlK3KSQia5BvHN+S8NSkGreOyfUZaVKnwVZ8=; b=UxedIGIcyXfP4k6PytpF1nMhg4lry0c09GGXgHsy7H5W2wQ1YS9CPCNzfuL6cidg7A vGNu5+LN12nW61hc3tPuqibDLB0m5z7INY7cDZEtGIpjccm2RZbfz2BHiLw6VJ0UQwuC mg0OMVZfDl/sZyMUVAa/2uh5SMgR2ot/NQ/TdgIRb4tfdBu9TWBdNNhnZN7QXadk36NS AVWWcL/LuMByY7ZXib0og+dCetWr5JlYKJD4xuNkwjhxZ1Wrvx4zL7NSLri1q8KgQtzm Kc3Aig90jZcDhoMfwd3jCkHYCZhuNPfn8fFAsjIvo28s97KGVGEdZEID4cHwpCh4Kbh2 DRmA==
X-Gm-Message-State: AOPr4FXEW1Sq1zODrcq24rzlFxMvrfYAB7hjyu1LO+9SZ3IMmVKbvyxBRQrzsz2+zQg1a43u0b/kB0YdVSIQ9zTU
X-Received: by 10.202.104.213 with SMTP id o82mr12490935oik.165.1462154897210; Sun, 01 May 2016 19:08:17 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.182.179.42 with HTTP; Sun, 1 May 2016 19:07:57 -0700 (PDT)
In-Reply-To: <CABzCy2DD+E4CNUHL3Bh_sZW+UF2Ea4tBA6am+LkJbrisepxMgQ@mail.gmail.com>
References: <571B60BA.8090301@lodderstedt.net> <CABzCy2DeMSGc_yjKi=NWJjh7RLoVsb+KyD9S_MuiQ_gJNg5+fw@mail.gmail.com> <49355f12-ef58-0637-47e0-7acd54e882d9@lodderstedt.net> <DA464416-4C42-4A3A-B829-70E14B6C1149@mit.edu> <CABzCy2DD+E4CNUHL3Bh_sZW+UF2Ea4tBA6am+LkJbrisepxMgQ@mail.gmail.com>
From: William Denniss <wdenniss@google.com>
Date: Sun, 01 May 2016 19:07:57 -0700
Message-ID: <CAAP42hBTMP=j7O5uCsaux0NmKdwEZF7Mt3DOzPNYYvsd8R+z4w@mail.gmail.com>
To: Nat Sakimura <sakimura@gmail.com>
Content-Type: multipart/alternative; boundary="001a1140a3d041a2ca0531d277c8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/lx4-qIWOwJqA-26xNKZHXHXFLhM>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Mix-Up and CnP/ Code injection
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2016 02:08:20 -0000

I'm inclined to think that Nat's comment is right: "As I look at it more
and more, it started to look like the problem of accepting tainted values
without message authentication. To fix the root cause, we would have to
authenticate response. ID Token was designed to also serve as a solution
anticipating it."

Even if we workaround the current issue with more unbound plain text
params, will it solve the *next* issue?  Personally I'm not convinced.

I also wonder at what level of risk is the right solution "code id_token",
which the researchers note *will* mitigate the attacks (when implemented
correctly).

If we absolutely must solve this without "id_token", I know John has a few
ideas for lightweight binding of the request & response by hashing the
request URL and some config. I wonder if a "lightweight crypto" approach is
superior to "more unbound params" as the best non-id_token option.

On Sat, Apr 30, 2016 at 10:36 PM, Nat Sakimura <sakimura@gmail.com> wrote:

> It actually depends on what risk level the transaction is at. For low risk
> transactions, just having separate redirection endpoint may be adequate. On
> the other hand, I can easily think of an attack that replaces iss on the
> authz response making the control invalid posing questions on whether it is
> worth introducing it.
> On Sun, May 1, 2016 at 14:21 Justin Richer <jricher@mit.edu> wrote:
>
>> I agree that we’re getting dangerously close to recommending signed
>> assertions at every step of the process, thereby bypassing HTTP. This was
>> the same mistake that WS-* and SOAP made, let’s not repeat it if we can.
>>
>>  — Justin
>>
>> On Apr 30, 2016, at 10:57 AM, Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>>
>> Hi Nat,
>>
>> sure, one could also authenticate and cryptographically protect the
>> redirect response. Leveraging OIDC concepts is an idea worth considering
>> but they should be adopted to the OAuth philosophy. The id token as used in
>> the hybrid flows mixes an identity assertion with elements of transport
>> security measures. A OAuth AS does not provide identity data to clients, so
>> we only need the transport security part.
>>
>> I personally would prefer a OAuth response object (similar to request
>> object you have proposed) over the id token. Such a response object could
>> contain (and directly protect) state, code and other response values. I
>> consider this the more elegant design and it is easier to implement then
>> having detached signatures over hash values of codes or access tokens.
>> Moreover, it would allow to encrypt the response as well.
>>
>> Generally, our threat analysis so far does not have provided
>> justification for cryptographically protected redirect responses. All
>> proposals currently on the table stop mix up and code injection using
>> simpler mechanisms.
>>
>> I think OAuth 2.0 is a huge success due to its balance of versatility,
>> security and _simplicity_. We definitely need to keep it secure, but we
>> should also keep it as simple as possible.
>>
>> kind regards,
>> Torsten.
>> Am 29.04.2016 um 10:08 schrieb Nat Sakimura:
>>
>> As I look at it more and more, it started to look like the problem of
>> accepting tainted values without message authentication. To fix the root
>> cause, we would have to authenticate response. ID Token was designed to
>> also serve as a solution anticipating it.
>>
>> Any concrete ideas?
>>
>> On Sat, Apr 23, 2016 at 04:47 Torsten Lodderstedt <
>> torsten@lodderstedt.net> wrote:
>>
>>> Hi all,
>>>
>>> discussion about Mix-Up and CnP seems to have stopped after the session
>>> in BA - at least in the OAuth WG. There is a discussion about
>>> mitigations in OpenId Connect going on at the OpenId Connect mailing
>>> list.
>>>
>>> I'm very much interested to find a solution within the OAuth realm as
>>> I'm not interested to either implement two solutions (for OpenId Connect
>>> and OAuth) or adopt a OpenId-specific solution to OAuth (use id! tokens
>>> in the front channel). I therefore would like to see progress and
>>> propose to continue the discussion regarding mitigations for both
>>> threats.
>>>
>>> https://tools.ietf.org/html/draft-ietf-oauth-mix-up-mitigation-00
>>> proposes reasonable mitigations for both attacks. There are alternatives
>>> as well:
>>> - mix up:
>>> -- AS specific redirect uris
>>> -- Meta data/turi
>>> (https://tools.ietf.org/html/draft-sakimura-oauth-meta-07#section-5)
>>> - CnP:
>>> -- use of the nonce parameter (as a distinct mitigation beside state for
>>> counter XSRF)
>>>
>>> Anyone having an opinion?
>>>
>>> best regards,
>>> Torsten.
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>

v2.23.0 | Report a Bug | By Email