Re: [OAUTH-WG] OAuth: the ABC attack (the Alice and Bob Collusion attack)

Nat Sakimura <> Fri, 11 November 2016 07:27 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B3A54129A16 for <>; Thu, 10 Nov 2016 23:27:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mgmdvDr5cVwO for <>; Thu, 10 Nov 2016 23:27:24 -0800 (PST)
Received: from ( [IPv6:2607:f8b0:400c:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E96E0129A13 for <>; Thu, 10 Nov 2016 23:27:23 -0800 (PST)
Received: by with SMTP id p9so7106577vkd.3 for <>; Thu, 10 Nov 2016 23:27:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=EHk1TTwcgPyC8tDQGCoUScqxFTtglbyMuyZvD6syF9M=; b=Qw0XbwEh9pL1q1W6H203JqOamnxxJqq9KpwhwfVIfraIVVePHfyzd1YqdAJYk6C4EM EJ5og8T0LGqA3T1+Q7Hch/FGcDYaSU0xw9TuVH6U4+fJD6cWK1pkq1oXrxFQz5vY08jb FyIeYErA9y+GmGSYCjrLqYn+8Webzc1yyJnrAjkvHnF9dvzQ5NvqA8tzz8DQnqo0fPRz 2wm1r+LzSofZrqAWdrL2e2OCb1nyU8XEBdMiiZvnHiL+hJ/xQp/CPyVheY8xkC0E4Czz YGiZ/+X3b0F1Hzta00IFB8zoXIuLhCAcgPUFNgSUB/bMYFSRioPC+/7zyHHhxKt1TMOJ 1N4w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=EHk1TTwcgPyC8tDQGCoUScqxFTtglbyMuyZvD6syF9M=; b=GiZ4T37uIKdS2+IJJi+MQpH++9OCR1ELF9BO7kF+UcRLklcYnj9kWo0y4dnVxe4kgb OCIeZKpzWCUTVN3+fVacAXF9bfcICebAKHwpYITkKvkRVkXeYo7VzTHZy7KUwSjSQ80e 7dWPi8/XyHENosHiv9BZFY+FdmR2Bi+oLgeWZayZzxdrF8oNtEYNd8LDpYg3e1X/AUMs G1fFmSy3Dp7hfdPmlCi2o34tFm4J5Iul7aQTs7P+t23QAUw6A9fXPeU/Iv4XYcfyEbPb VBaaEIAciQJKc5P8BKl5hBW2X0X8AeVBkgBYnhE7p6NQ8uOQHP576SLRpAQG3aqQuX+5 s2Eg==
X-Gm-Message-State: ABUngvcO/RlKXkdupHAPjS+L67UBHrW/kqJ85gzu8GB/0D0GZhcL9oBYu7xZ91icIF97IGzoLgiNP/QA+suY+Q==
X-Received: by with SMTP id b63mr997986vkf.70.1478849242861; Thu, 10 Nov 2016 23:27:22 -0800 (PST)
MIME-Version: 1.0
References: <>
In-Reply-To: <>
From: Nat Sakimura <>
Date: Fri, 11 Nov 2016 07:27:12 +0000
Message-ID: <>
To: Denis <>,
Content-Type: multipart/alternative; boundary="001a11439232cc19240541016b44"
Archived-At: <>
Subject: Re: [OAUTH-WG] OAuth: the ABC attack (the Alice and Bob Collusion attack)
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: OAUTH WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Fri, 11 Nov 2016 07:27:27 -0000

Thanks Denis for pointing it out. It may be desirable to add ABC attack to
the list of threats. Torsten et al. are updating Threat Model and Security
Considerations so it could potentially be included in there.

Some remarks:

   - I suppose the assumption is that the Bob does not share his
   credentials with Alice: Otherwise, sharing the credential would achieve
   something worse.
   - In addition, it assumes that Bob does not give his device to Alice:
   Otherwise, something similar to ABC attack can be achieved by Bob giving
   Alice his Laptop or Phone, and I guess this happens more often than
   shipping Bob's access token to Alice.
   - With these assumptions:
      - It looks like a variation of token injection attack that we have
      been talking about for many years.
      - If we token bind the refresh and access tokens, the ABC attack as
      described does not work.
      - For something like Age verification, recognizing such attacks, it
      probably is a bad practice to rely on refresh/access token. The service
      should do more active check, e.g., through OpenID Connect.



On Tue, Nov 8, 2016 at 2:54 AM Denis <> wrote:

> Section 5 of "draft-ietf-oauth-pop-architecture-08.txt" identifies
> requirements.
> One of them (which, BTW, should be moved into Section 4 - Threats) is :
> Collusion:
>       Resource servers that collude ...
> This threat addresses the case of "*collusion between servers"* while the
> case of "*collusion between clients"*
> has not been considered. When access tokens are being used, *collusion
> between clients *is of primary importance.
> Let us consider the following "Alice and Bob Collusion attack" (ABC
> attack).
> An uncle (Bob) is willing to collaborate with his young niece (Alice) who
> is less than 18 during a short period of time.
> The niece is opening her own session and creates an account on a server.
> The uncle does not hand over his own session to her niece
> at any point of time.
> Let us assume that some crypto expert has written two specific pieces of
> software. One has been installed on the laptop
> of the uncle and another one on the laptop of the niece. The two laptops
> are able to communicate using a network (e.g. a WAN or a LAN).
> The niece creates an account on a resource server. Later on, the resource
> server asks her (or him ?) to demonstrate that she (or his ?)
> is more than 18. She forwards the information received from the resource
> server to her uncle using the network. The uncle receives
> that information and connects to an Authorization Server. The uncle
> requests an access token containing information demonstrating
> that he is older than 18 and passed it back to his niece. The niece then
> presents it to the resource server. The access token is accepted.
> Since the niece has been able to demonstrate once that she is more than
> 18, the resource server will remember this attribute
> and in the future she will not need to demonstrate it again. She will keep
> the advantages related to this attribute associated
> with her account on that resource server until she does not need it
> anymore, i.e. when she will really be over 18.
> Whatever kind of cryptographic is being used, when two users collaborate, a
> software-only solution will be
> unable to prevent the transfer of an attribute of a user that possess it
> to another user that does not possess it .
> The use of a secure element simply protecting the confidentiality and the
> integrity of some secret key or private key will be ineffective
> to counter the Alice and Bob collusion attack. Additional properties will
> be required for the secure element.
> RFC 6819 (OAuth 2.0 Threat Model and Security Considerations) issued in
> January 2013 has omitted to take into consideration
> the Alice and Bob Collusion attack.
> Section 2.3 of the ABC4Trust project about key-binding in Deliverable D2.2
> available at:
> states on page 17 :
> To prevent “credential pooling”, i.e., multiple Users sharing their
> credentials, credentials can optionally be bound to a secret key,
> i.e. a cryptographically strong random value that is assumed to be known
> only to a particular user. The credential specification
> specifies whether the credentials issued according to this specification are
> to employ key binding or not.
> A presentation token derived from such a key-bound credential always
> contains an implicit proof of knowledge of the underlying secret key,
> so that the Verifier can be sure that the rightful owner of the credential
> was involved in the creation of the presentation token.
> As an extra protection layer, the credentials can also be bound to a
> trusted physical device, such as a smart card, by keeping
> the secret key in a protected area of the device. That is, the key cannot
> be extracted from the device, but the device does participate
> in the presentation token generation to include an implicit proof of
> knowledge of this key in the token. Thus, for credentials that are
> key-bound
> to a physical device it is impossible to create a presentation token
> without the device.
> The rightful owner of the credential was indeed involved in real-time in
> the creation of the presentation token but in the collaboration scenario,
> the key binding mechanism is not sufficient to counter that specific
> attack. ABC4Trust, Idemix (IBM) and U-Prove (Microsoft) are currently
> not resistant to the "ABC attack".
> The IRMA card project ( based on the use of a
> smart card and of the Idemix scheme claims to provide security
> and privacy simultaneously. However, this project will not be resistant
> either to the ABC attack.
> *draft-ietf-oauth-pop-architecture-08 should take into consideration the
> ABC attack.*
> The threat related to the ABC attack should be identified in the security
> considerations section
> and the core of the document should attempt to identify one or more ways
> to counter it.
> The scope of draft-ietf-oauth-token-exchange-06 is limited to the
> definition of a basic request and response protocol for
> an STS-style token exchange utilizing OAuth 2.0. Section 6 (Security
> Considerations) has omitted to take into consideration
> the ABC attack and therefore the currently described "basic request and
> response protocol" will allow Bob to obtain an access
> token and to pass it successfully to Alice so that she can use it.
> *draft-ietf-oauth-token-exchange-06 **should take into consideration the
> ABC attack.*
> The threat related to the ABC attack should be identified in the security
> considerations section
> and the core of the document should attempt to identify one or more ways
> to counter it.
> Denis
> PS. I have recently registered to the OAuth mailing list.
> _______________________________________________
> OAuth mailing list

Nat Sakimura

Chairman of the Board, OpenID Foundation