Re: [OAUTH-WG] BCP: Client collaborative attacks

"Manger, James" <James.H.Manger@team.telstra.com> Thu, 29 October 2020 02:25 UTC

From: "Manger, James" <James.H.Manger@team.telstra.com>
To: Denis <denis.ietf@free.fr>, Daniel Fett <fett@danielfett.de>, "oauth@ietf.org" <oauth@ietf.org>
Date: Thu, 29 Oct 2020 02:25:02 +0000
Message-ID: <ME2PR01MB3011BEC9D33427E51F2244C0E5140@ME2PR01MB3011.ausprd01.prod.outlook.com>
References: <ME2PR01MB3011145F49559C4996B7E1E0E5160@ME2PR01MB3011.ausprd01.prod.outlook.com> <BD7EE048-1BBC-48D8-831A-6BA02CE01F40@forgerock.com> <0e7842c8-5939-a0ce-0e24-2f7c776a3d44@danielfett.de> <efba4321-aa33-6f69-d43c-055bb14d4703@free.fr>
In-Reply-To: <efba4321-aa33-6f69-d43c-055bb14d4703@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/rh0rjW6Mf8JtdwcPFgmkOOE0E4Y>
Subject: Re: [OAUTH-WG] BCP: Client collaborative attacks

>> When using secure elements with specific properties, it is possible to counter the Alice & Bob Collusion attack.

You don’t just need the Secure Element’s properties (key-pair generated on SE; non-exportable private key; high-entropy key-id generated on SE; conformance cert; special APDUs), you also need the wider scheme to enforce that any user only ever has 1 SE active at a time.

Only-1-SE-per-user-at-a-time seems fairly fundamental to strongly combating collaborative attacks. But it is totally inappropriate to many (most?) scenarios where OAuth is used.


>> https://zisc.ethz.ch/wp-content/uploads/2017/02/pinkas_privacy-by-design-eID-scheme-supporting-Attribute-based-Access-Control.pdf

This eID scheme looks pretty good. You can see why this scheme would like particular features in a profile of OAuth.

But this is one highly specialised profile of OAuth (+ FIDO + SE + eID + …) that is quite unlike the “typical” use of OAuth. Its requirements aren’t “best practice” for all OAuth deployments.


P.S. I don’t think your content has been “deleted from this thread”. Just not every reply includes the full email trail. It is all still at https://mailarchive.ietf.org/arch/browse/oauth/?gbt=1&index= for instance.

--
James Manger
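The "only 1 SE active per user at a time" requirement above is a property of the surrounding scheme, not of the secure element itself. The following Python sketch is an added example, written for this archive page and not taken from the thread or from the eID paper; it models the binding registry that an authorization server would need in order to enforce that invariant. Everything in it is an assumption for illustration: `SecureElement` stands in for a hardware SE (its key never leaves the object, and an HMAC over the challenge stands in for the asymmetric signature a real SE would produce), `BindingRegistry` is a hypothetical server-side table with at most one active key-id per user, and the collusion scenario at the bottom shows why the invariant matters: once Alice binds a new SE to regain access, the SE she lent out is revoked and stops working for whoever holds it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

Verifier = Callable[[bytes, bytes], bool]


@dataclass
class SecureElement:
    """Stand-in for a hardware secure element (hypothetical, illustration only).

    The key-id is high-entropy and generated "on the SE"; the secret never
    leaves the object. A real SE would hold an asymmetric key pair and produce
    a signature; HMAC over the challenge is a stdlib-only stand-in for that.
    """
    key_id: str = field(default_factory=lambda: secrets.token_hex(16))
    _secret: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)

    def sign(self, challenge: bytes) -> bytes:
        # Proof of possession over a server-supplied challenge.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()

    def public_verifier(self) -> Verifier:
        # Stand-in for exporting the public key: hands out a verify callable,
        # never the secret itself, so the registry can check signatures.
        secret = self._secret

        def verify(challenge: bytes, signature: bytes) -> bool:
            expected = hmac.new(secret, challenge, hashlib.sha256).digest()
            return hmac.compare_digest(expected, signature)

        return verify


class BindingRegistry:
    """Hypothetical server-side table enforcing one active SE per user."""

    def __init__(self) -> None:
        self.active: Dict[str, Tuple[str, Verifier]] = {}  # user -> (key_id, verify)
        self.revoked: Set[str] = set()                      # key-ids no longer usable

    def register(self, user: str, key_id: str, verify: Verifier) -> Optional[str]:
        """Bind an SE to a user; returns the key-id of the binding it replaced, if any."""
        if key_id in self.revoked:
            raise ValueError("key-id has been revoked and cannot be re-bound")
        for other_user, (kid, _) in self.active.items():
            if kid == key_id and other_user != user:
                raise ValueError("SE is already bound to another user")
        previous = self.active.get(user)
        if previous is not None:
            # The invariant: binding a new SE retires the old one.
            self.revoked.add(previous[0])
        self.active[user] = (key_id, verify)
        return previous[0] if previous else None

    def check_possession(self, user: str, key_id: str, challenge: bytes, signature: bytes) -> bool:
        """Accept only a proof from the SE currently bound to this user."""
        binding = self.active.get(user)
        if binding is None or binding[0] != key_id:
            return False
        return binding[1](challenge, signature)


def collusion_scenario() -> Dict[str, bool]:
    """Alice lends her SE to Bob, then binds a fresh SE to get her own access back."""
    registry = BindingRegistry()
    challenge = b"constructed-server-nonce"  # constructed sample challenge

    lent_se = SecureElement()
    registry.register("alice", lent_se.key_id, lent_se.public_verifier())
    # While Alice has only the lent SE, whoever holds it can act as Alice.
    bob_uses_lent = registry.check_possession("alice", lent_se.key_id, challenge, lent_se.sign(challenge))

    fresh_se = SecureElement()
    registry.register("alice", fresh_se.key_id, fresh_se.public_verifier())
    # After re-binding, the lent SE is revoked: Alice cannot both share and keep access.
    bob_after_rebind = registry.check_possession("alice", lent_se.key_id, challenge, lent_se.sign(challenge))
    alice_after_rebind = registry.check_possession("alice", fresh_se.key_id, challenge, fresh_se.sign(challenge))

    return {
        "bob_uses_lent": bob_uses_lent,
        "bob_after_rebind": bob_after_rebind,
        "alice_after_rebind": alice_after_rebind,
    }


if __name__ == "__main__":
    print(collusion_scenario())
```

The point the scenario makes is the one the message makes: the SE properties alone do not stop Alice from handing her element to Bob; what limits the collusion is that the registry lets her hold only one active binding, so she gives up her own access for as long as Bob has it. That is also why the requirement is unsuitable for most OAuth deployments, where a user legitimately has several clients and devices at once.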