IETF Logo Mail Archive

Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response

Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de> Wed, 09 December 2020 10:40 UTC

Return-Path: <karsten.meyerzuselhausen@hackmanit.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 713C73A1CA7 for <oauth@ietfa.amsl.com>; Wed, 9 Dec 2020 02:40:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.088
X-Spam-Level:
X-Spam-Status: No, score=-2.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hackmanit.de
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1DvE7ooPTNxk for <oauth@ietfa.amsl.com>; Wed, 9 Dec 2020 02:40:19 -0800 (PST)
Received: from mail-wm1-x329.google.com (mail-wm1-x329.google.com [IPv6:2a00:1450:4864:20::329]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 71E783A1CA5 for <oauth@ietf.org>; Wed, 9 Dec 2020 02:40:18 -0800 (PST)
Received: by mail-wm1-x329.google.com with SMTP id k10so1006846wmi.3 for <oauth@ietf.org>; Wed, 09 Dec 2020 02:40:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hackmanit.de; s=google; h=to:cc:references:from:subject:message-id:date:user-agent :mime-version:in-reply-to; bh=uuTJpiZS8FpsiCaslCPl2CgNUN4NTGPYU56kZvWIZeI=; b=gtpWltpSf/ZQpoEYmVjDlcpJs6GByMedTm0B6HunSTg14GioyE1+VApYeWQqRS+1i6 3Ok8SyeTl+Lg9vnCSzlaM5ctdygufoOvZ0rXcOBNGDUXN1eseYtTFIC6UDkJ7cpvslm/ iYzO8Ns9T1UuM2CpTsBQdrQBn33ibNPOxIn0kpHXoOuUdjJLQZOBUkLSh6XDgDdJtGe6 BKXLQ2f7tJwXRKCwTSOxfa5ecsFZv+6XER0QrUY4rPn3S5hpWCzG51Tf5MdY0uJb0Hc6 kvnips+HF33AVc+PHcKYUNMbU/XjPceKS1RA13ckPicJUil4ShFsl1l3iXOvH/qoTwfi sOLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:to:cc:references:from:subject:message-id:date :user-agent:mime-version:in-reply-to; bh=uuTJpiZS8FpsiCaslCPl2CgNUN4NTGPYU56kZvWIZeI=; b=pqVwb4pO0HLBXUBOfUeJReF0mBKl7nuOuz7mEyAJDNdKAg0sB9JPFhuIfhRq0xuN59 IO1JR46pN9oQ/E9DpCata0kt7wX3We5+fuOVeHL4aMyT/uDdjIS40nn6/3Rdv7kfdUQN kBrdrbdndnbCC29s/QrTBWKWSWm2LnA26/QXXlYaVRolcXSlpy7hl1kGNj5kRPq5xDY5 88UwK2ffyTSSmxDIb/HjjMMy9D9M9TsQgQ49F9rgrFWKW80w6JjWHJ3z+qSckLm2O4Rc 1QFhMqJOCvR7VfQ+cmUC3Qsu13HyKGqYJC+A5aQyewplL5UnDbNMzF2lBJsNaj9JGeDN 3poA==
X-Gm-Message-State: AOAM532eOzScrr0Mb4FiFUhNPXucJVQZFhtXKKYKRSIZRRYi0dgTeuCs IQRdKWci8zsnRy98kqabTLzdmxaRLUkbvQ==
X-Google-Smtp-Source: ABdhPJxfmGXqNa0YoZzVNUcBpMv/N7uOW735vrkW9ucmIQM4nM/wD5KkrZf2wdrUGGu4I993evPs3A==
X-Received: by 2002:a7b:c40b:: with SMTP id k11mr2095411wmi.36.1607510416091; Wed, 09 Dec 2020 02:40:16 -0800 (PST)
Received: from [192.168.178.22] (b2b-37-24-87-133.unitymedia.biz. [37.24.87.133]) by smtp.gmail.com with ESMTPSA id i9sm2917564wrs.70.2020.12.09.02.40.14 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 09 Dec 2020 02:40:14 -0800 (PST)
To: Warren Parad <wparad@rhosys.ch>
Cc: oauth <oauth@ietf.org>
References: <CADNypP9D1G94LuPcgczSVYL+0KyMYoAK_s3H4JZK80Bj2mJKtA@mail.gmail.com> <CAD9ie-t7OroYwPrTQtwTS3Reem9bM5PHcVZ7D_N=jSmd6O7UGw@mail.gmail.com> <CAJot-L1-dYLy_m_WZv=bEC=r0zWSdKNXBMOV6b9SD8VR-dZvJg@mail.gmail.com> <09d3639d-7d7e-9582-d728-cc223d21bcb6@hackmanit.de> <CAJot-L2FrMrxBGATVHd1DVwbqyMGoH7Dy1stP46vUVpEWrq21Q@mail.gmail.com>
From: Karsten Meyer zu Selhausen <karsten.meyerzuselhausen@hackmanit.de>
Message-ID: <7dacfb6c-4fca-5dda-8b4f-db5c8dadade1@hackmanit.de>
Date: Wed, 09 Dec 2020 11:40:13 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.5.1
MIME-Version: 1.0
In-Reply-To: <CAJot-L2FrMrxBGATVHd1DVwbqyMGoH7Dy1stP46vUVpEWrq21Q@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="3D2K66SGM5183wG5pE72XF5wbTYVMBoa2"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/uL1wPyuegi5DMYd1KYDuQzNx1PI>
Subject: Re: [OAUTH-WG] Call for Adoption - AS Issuer Identifier in Authorization Response
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Dec 2020 10:40:23 -0000

The attacker being able to manipulate the first request is an additional 
precondition for the mix-up attack variant we used as an example. The 
precondition is based on the attacker A2 defined in section 3 
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-3> 
of the security BCP.

There are other mix-up variants which work without this precondition. 
One variant is described in the security BCP 
<https://tools.ietf.org/html/draft-ietf-oauth-security-topics-16#section-4.4.1>, 
for example:

> *Mix-Up Without Interception*: A variant of the above attack works
>        even if the first request/response pair cannot be intercepted, for
>        example, because TLS is used to protect these messages: Here, it
>        is assumed that the user wants to start the grant using A-AS (and
>        not H-AS, see Attacker A1).  After the client redirected the user
>        to the authorization endpoint at A-AS, the attacker immediately
>        redirects the user to H-AS (changing the client ID to "7ZGZldHQ").
>        Note that a vigilant user might at this point detect that she
>        intended to use A-AS instead of H-AS.


On 09.12.2020 10:47, Warren Parad wrote:
> Okay, it wasn't clear that the user agent was required to be 
> compromised for this to be a problem. Here's where it breaks down for 
> me, if the attacker can manipulate the first request, why would they 
> not be able to manipulate the AS where the Auth Response code is 
> sent?  Unless we can guarantee there is an attack surface that would 
> only affect the authorization request AS selection and not the auth 
> response, the solution the draft lacks purpose for me.
>
> 	
>
> Warren Parad
>
> Founder, CTO
>
> Secure your user data and complete your authorization architecture. 
> Implement Authress <https://bit.ly/37SSO1p>.
>
>
> On Wed, Dec 9, 2020 at 8:55 AM Karsten Meyer zu Selhausen 
> <karsten.meyerzuselhausen@hackmanit.de 
> <mailto:karsten.meyerzuselhausen@hackmanit.de>> wrote:
>
>     Hi Warren,
>
>     I think there is some misunderstanding on how mix-up attacks work.
>     I will try to clear things up.
>
>     Have a look at the following mix-up attack example (slide 4
>     <https://datatracker.ietf.org/meeting/interim-2020-oauth-17/materials/slides-interim-2020-oauth-17-sessa-as-issuer-identifier-in-authorization-response-00#page=4>
>     from the interim meeting):
>
>     I marked the important parts:
>
>       * In step 1 the client stores the attacker's AS (A-AS) as the
>         selected AS.
>       * Step 5: The authorization response is issued by the honest *(=
>         not compromised)* AS, not by the attacker's AS. The H-AS will
>         use its own correct issuer identifier as the value for the AS
>         parameter.
>           o In a mix-up attack the attacker cannot directly influence
>             the value of the iss parameter in the authorization
>             response as it is issued by the H-AS.
>       * Step 6: The client sends the token request to the token
>         endpoint of the A-AS, because it stored the A-AS as the
>         selected AS in step 1. This leaks the authorization code to
>         the attacker who can use it in a code injection attack, for
>         example.
>
>     With an iss parameter present in step 5 the client would be able
>     to recognize that the code was issued by the H-AS, not by the
>     A-AS. The client would be able to abort the authorization grant
>     instead of leaking the code to the A-AS.
>
>     I hope this addresses your concerns.
>
>     Best regards,
>     Karsten
>
>     On 08.12.2020 20:15, Warren Parad wrote:
>>     As an implementer on both sides of the issue I'm struggling to
>>     understand how this problem would occur. I'm finding issues with
>>     the proposed problems:
>>
>>      1. Honest AS is compromised, assuming this does happen details
>>         on why adding iss to the AS response would prevent attacks is
>>         necessary for me. In other words, how would an AS be
>>         compromised in a way that would be identifiable through the
>>         issuer value? (my ignorant assumption is that a compromised
>>         AS is compromised enough that an attacker would be able to
>>         send the correct ISS)
>>      2. Attacker AS is registered. I fully support the idea that this
>>         can and will happen, however from attempting to
>>         test-implement this proposal, I can't see how the
>>         authorization would be sent to the wrong token endpoint.
>>         Since there is no information in the AS auth code response,
>>         the client must already have the knowledge of where they are
>>         going to send the token, no mix-up can be executed. I would
>>         argue, if anything, adding the ISS parameter would open a new
>>         attack surface by providing clients an opportunity to
>>         blatantly trust the ISS parameter as the honest AS and thus
>>         actually sending the code there instead of sending it to one
>>         specified in the metadata document.
>>
>>     My confusion is the following:
>>
>>       * Are multi AS services utilizing authorization codes in a way
>>         where there could be a mix up attack for #2.
>>       * Is there a #3 that I'm missing which even in light of #1 & #2
>>         I brought up that would still make this change valuable?
>>
>>     	
>>
>>     Warren Parad
>>
>>     Founder, CTO
>>
>>     Secure your user data and complete your authorization
>>     architecture. Implement Authress <https://bit.ly/37SSO1p>.
>>
>>
>>     On Tue, Dec 8, 2020 at 8:01 PM Dick Hardt <dick.hardt@gmail.com
>>     <mailto:dick.hardt@gmail.com>> wrote:
>>
>>         +1
>>         ᐧ
>>
>>         On Tue, Dec 8, 2020 at 4:51 AM Rifaat Shekh-Yusef
>>         <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
>>
>>             All,
>>
>>             This is a call for adoption for the following AS Issuer
>>             Identifier in Authorization Response as a WG document:
>>             https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/
>>             <https://datatracker.ietf.org/doc/draft-meyerzuselhausen-oauth-iss-auth-resp/>
>>
>>             Please, provide your feedback on the mailing list by Dec
>>             22nd.
>>
>>             Regards,
>>              Rifaat & Hannes
>>             _______________________________________________
>>             OAuth mailing list
>>             OAuth@ietf.org <mailto:OAuth@ietf.org>
>>             https://www.ietf.org/mailman/listinfo/oauth
>>             <https://www.ietf.org/mailman/listinfo/oauth>
>>
>>         _______________________________________________
>>         OAuth mailing list
>>         OAuth@ietf.org <mailto:OAuth@ietf.org>
>>         https://www.ietf.org/mailman/listinfo/oauth
>>         <https://www.ietf.org/mailman/listinfo/oauth>
>>
>     -- 
>     Karsten Meyer zu Selhausen
>     IT Security Consultant
>     Phone:	+49 (0)234 / 54456499
>     Web:	https://hackmanit.de  <https://hackmanit.de>  | IT Security Consulting, Penetration Testing, Security Training
>
>     Nehmen Sie an unserer nächsten Live Online-Schulung zur Sicherheit von OAuth und OpenID Connect am 27.01 + 28.01.2021 teil:
>     https://www.hackmanit.de/de/schulungen/127-live-online-schulung-single-sign-on-sicherheit-oauth-openid-connect-am-27-01-28-01-2021  <https://www.hackmanit.de/de/schulungen/127-live-online-schulung-single-sign-on-sicherheit-oauth-openid-connect-am-27-01-28-01-2021>
>
>     Hackmanit GmbH
>     Universitätsstraße 60 (Exzenterhaus)
>     44789 Bochum
>
>     Registergericht: Amtsgericht Bochum, HRB 14896
>     Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz
>
-- 
Karsten Meyer zu Selhausen
IT Security Consultant
Phone:	+49 (0)234 / 54456499
Web:	https://hackmanit.de | IT Security Consulting, Penetration Testing, Security Training

Nehmen Sie an unserer nächsten Live Online-Schulung zur Sicherheit von OAuth und OpenID Connect am 27.01 + 28.01.2021 teil:
https://www.hackmanit.de/de/schulungen/127-live-online-schulung-single-sign-on-sicherheit-oauth-openid-connect-am-27-01-28-01-2021

Hackmanit GmbH
Universitätsstraße 60 (Exzenterhaus)
44789 Bochum

Registergericht: Amtsgericht Bochum, HRB 14896
Geschäftsführer: Prof. Dr. Jörg Schwenk, Prof. Dr. Juraj Somorovsky, Dr. Christian Mainka, Dr. Marcus Niemietz

v2.19.0 | Report a Bug | By Email