IETF Logo Mail Archive

Re: [OAUTH-WG] Authorization code security issue (reframed)

Phil Hunt <phil.hunt@oracle.com> Mon, 04 April 2011 19:10 UTC

Return-Path: <phil.hunt@oracle.com>
X-Original-To: oauth@core3.amsl.com
Delivered-To: oauth@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 502D13A66B4 for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 12:10:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.535
X-Spam-Level:
X-Spam-Status: No, score=-6.535 tagged_above=-999 required=5 tests=[AWL=0.064, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZPQCI9J1rAhE for <oauth@core3.amsl.com>; Mon, 4 Apr 2011 12:10:54 -0700 (PDT)
Received: from rcsinet10.oracle.com (rcsinet10.oracle.com [148.87.113.121]) by core3.amsl.com (Postfix) with ESMTP id 048CA3A6407 for <oauth@ietf.org>; Mon, 4 Apr 2011 12:10:53 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by rcsinet10.oracle.com (Switch-3.4.2/Switch-3.4.2) with ESMTP id p34JCXUI023448 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 4 Apr 2011 19:12:35 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by acsinet15.oracle.com (Switch-3.4.2/Switch-3.4.1) with ESMTP id p34JCW3V024150 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Mon, 4 Apr 2011 19:12:33 GMT
Received: from abhmt016.oracle.com (abhmt016.oracle.com [141.146.116.25]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id p34JCWDj026098; Mon, 4 Apr 2011 14:12:33 -0500
Received: from [192.168.1.8] (/24.85.235.164) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 04 Apr 2011 12:12:32 -0700
Mime-Version: 1.0 (Apple Message framework v1084)
Content-Type: text/plain; charset="us-ascii"
From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <E9027E9C-0C84-44C1-ACC0-AF6BAACE68E3@kiva.org>
Date: Mon, 04 Apr 2011 12:12:30 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <AE605F06-3C20-49C8-901D-CE0DEACEA588@oracle.com>
References: <133605.76951.qm@web55802.mail.re3.yahoo.com> <4D99EA6C.8060003@oracle.com> <A9D3EC74-A563-4F45-8D55-5B6C12BCE661@oracle.com> <188405.40029.qm@web37607.mail.mud.yahoo.com> <ABD11083-4FD2-4FE3-8AA6-5126FBC78529@oracle.com> <3671511D-F730-42F8-8916-FE674268AB80@kiva.org> <3CB0493B-C5D4-4ACA-B66D-C1E9FE23BA12@oracle.com> <E9027E9C-0C84-44C1-ACC0-AF6BAACE68E3@kiva.org>
To: Skylar Woodward <skylar@kiva.org>
X-Mailer: Apple Mail (2.1084)
X-Source-IP: acsmt357.oracle.com [141.146.40.157]
X-Auth-Type: Internal IP
X-CT-RefId: str=0001.0A090204.4D9A1821.00DF:SCFSTAT5015188,ss=1,fgs=0
Cc: Oleg Gryb <oleg@gryb.info>, OAuth WG <oauth@ietf.org>, Prateek Mishra <prateek.mishra@oracle.com>
Subject: Re: [OAUTH-WG] Authorization code security issue (reframed)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Apr 2011 19:10:56 -0000

I was referring to a mobile client that passes the request via an external browser. That browser is capable of running SSL with server authentication only.

Phil
phil.hunt@oracle.com




On 2011-04-04, at 12:08 PM, Skylar Woodward wrote:

> Maybe you can explain your example in more detail then? I'm assuming your "client app" is a web application hosted on web server supporting only HTTP.
> 
> How does the nonce or request_id get to the provider as part of the authorization request in your example?  (step 1)
> 
> 
> On Apr 4, 2011, at 3:03 PM, Phillip Hunt wrote:
> 
>> It doesn't require client side ssl. 
>> 
>> Phil
>> 
>> Sent from my phone. 
>> 
>> On 2011-04-04, at 11:47, Skylar Woodward <skylar@kiva.org> wrote:
>> 
>>> How does the client app transmit the nonce (random number) to the web browser for redirect to the provider? If the client app does not support HTTPS, it can't set up a secure session on its own to give the browser/user something to pass on during the provider authorization.
>>> 
>>> To me, this is nothing different that a unique value of "state" which robust clients will already use to differentiate request flows. Such a state variable would be exposed both on its way and back of the provider's redirect.
>>> 
>>> 
>>> In any case, I see HTTPS as the simple solution here. I question if it is in the scope of OAuth to provide a mechanism to the community to protect against such MITM attacks between a hosted web application and the web browser.  If the nature of the data requires such protection, the app developer (or the provider) can work to provide such security outside of HTTPS.  In the right context, tunneling customer traffic through a provider-provided VPN could be considered a reasonable protection for the cases folks have outlined.  It just doesn't seem like a popular need at this point, and there seem to be no easy wins for hosted clients unable to register with a certificate authority.
>>> 
>>> 
>>> 
>>> On Apr 4, 2011, at 2:23 PM, Phil Hunt wrote:
>>> 
>>>> I have been wondering if we can combine a couple of things such as a client generated transaction secret and use limited TLS to achieve a fix.  Note: this would address a hacker sniffing a returned authorization code, but it probably does little for the MITM scenario that was also outlined.
>>>> 
>>>> 1. The client app generate a random number or sequence of characters, lets call it "request_id", then that value would be included and securely (using TLS) transmitted in the authorization request.
>>>> 2. The authorization server does its usual thing and returns, preferably securely but not necessarily, the authorization code to the client app.
>>>> 3. Upon requesting an access_token, the client app also includes the same request_id in its secure request to the token endpoint.
>>>> 4. The token server verifies that the "request_id" matches the request_id supplied in the authorize request (in addition to all the other processing).
>>>> 
>>>> Since both requests are sent securely a sniffing client cannot obtain the client request_id even though it might be able to obtain the authorization code being returned.
>>>> 
>>>> What this might allow is that the client can transmit a secret protected by TLS in its outbound request, but can accept non-secure delivery of the authorization code.  The token server then has a means to verify that the client exchanging the authorization code is the same one that made the initial request.
>>>> 
>>>> This is off the top of my head, I am sure the proposal is likely not yet a complete solution, but maybe someone can build on that.
>>>> 
>>>> Phil
>>>> phil.hunt@oracle.com
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 2011-04-04, at 10:52 AM, Oleg Gryb wrote:
>>>> 
>>>>> After looking into exiting (and working) implementations of OAuth 1.0 in mobile world I have strong doubts about possibility of implementing what was suggested in option #3. 
>>>>> 
>>>>> In my view, two conditions are needed to achieve that:
>>>>> 
>>>>> 1. Something unique stored on a mobile client.
>>>>> 2. That something should be a secret, so other (malicious) clients could not reuse it.
>>>>> 
>>>>> Distribution of that "unique secrets" should be automated in the mobile world and is usually included to mobile application 
>>>>> activation process, but that activation process can't make conditions 1 & 2 above met in full, becuase:
>>>>> 
>>>>> 1. As soon as secrets are distributed to a mobile device they are not quite secret any more
>>>>> 2. As soon as the secret becomes known, a simulator or other mobile device can be used to spoof the traffic
>>>>> 
>>>>> I would consider option #3 as an illusion until somebody comes up with a solution that would address the described issues.
>>>>> 
>>>>> BTW, the draft of "OAuth Dynamic Client Registration Protocol" (http://tools.ietf.org/html/draft-oauth-dyn-reg-v1-00) has expired on Feb. 12 and I didn't see any attempts to re-vitalise it. I think it would be better and more beneficial for the community to return to this protocol rather than inventing a new method of "mutual authentication". 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> From: Phil Hunt <phil.hunt@oracle.com>
>>>>> To: Prateek Mishra <prateek.mishra@oracle.com>
>>>>> Cc: OAuth WG <oauth@ietf.org>
>>>>> Sent: Mon, April 4, 2011 9:52:17 AM
>>>>> Subject: Re: [OAUTH-WG] Authorization code security issue (reframed)
>>>>> 
>>>>> Apologies for the long message (again). I have attempted to sum things up and bring out the issue without using any existing service or party as an example of problems. It seems some have taken offence to my previous message pushing for a solution. As a result it was not productive. I apologize.  Hopefully this message sticks to the issue of developing an appropriate counter measure to threats as that is my only intent.
>>>>> 
>>>>> As Prateek clarified in the previous message to Francisco, SAML also uses SHOULD, but artifact security is achieved by an additional counter-measure...
>>>>>> The identity provider MUST ensure that only the service provider to whom the <Response> message has
>>>>>> been issued is given the message as the result of an <ArtifactResolve> request.
>>>>> 
>>>>> Yet, in OAuth the client app is not unique for a particular set of client credentials we currently have no way to verify that the correct client got the code. This has been the mechanism that the community has been assuming solves the problem. Client credentials do not always work to protect the authorization code because in OAuth you can have many many clients with the same credential. For example everyone with the same mobile app likely has the same client credential. Thus a copy of a valid client app which is easy to obtain becomes the hacker's attack vector. So, the client credential is not an effective counter in this case.
>>>>> 
>>>>> Several have commented that there are other supplementary techniques for protection, but in my view, most of them work indirectly and/or depend on correct collective configuration of several components. Some of these are: tokens may be used one time; tokens are invalidated if used a second time, tokens are sufficiently unique, etc.  All of these will help. But none are designed to directly counter the attack. In fact the best one - token invalidation carries the additional problem of unreliable service for the legitimate client. The hacker can deny service to anyone in the room simply by re-using any tokens seen.
>>>>> 
>>>>> From my perspective, the "easy" solution was to increase the requirements on TLS from SHOULD to MUST to prevent eavesdropping of the code. This was echoed by several others. I agree this will not work for everyone. Many have made strong arguments for why they can't use it. But without a MUST we are still missing a direct counter to the threat.
>>>>> 
>>>>> I don't want to change things at this late date, but maybe this means introducing some form of mutual authentication -- some way for the requesting client "instance" to prove that they are the copy eligible to use an authorization code. 
>>>>> 
>>>>> To end this discussion, I propose we vote on the proposal from Eran plus one new option...
>>>>> 1. Include a normative MUST use TLS for the client redirection URI endpoint.
>>>>> 2. Include a normative SHOULD use TLS for the client redirection URI endpoint with strong language explaining the various attacks possible if the endpoint is not made secure.
>>>>> 3. Keep current language of SHOULD, but develop a direct counter-measure to token theft such as specific client instance identification or mutual authentication.
>>>>> 
>>>>> Phil
>>>>> phil.hunt@oracle.com
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> On 2011-04-04, at 8:57 AM, Prateek Mishra wrote:
>>>>> 
>>>>>> Francisco,
>>>>>> 
>>>>>> You are right, I was in error to suggest that it was a MUST.
>>>>>> 
>>>>>> I think my main concern was that security considerations should not be based on polling developers/deployers of an existing or legacy protocol.
>>>>>> 
>>>>>> SAML does include some additional countermeasures though - for example (lines 595-596, profiles document) - that specifically deal with the
>>>>>> artifact being leaked - 
>>>>>> 
>>>>>> [quote]
>>>>>> The identity provider MUST ensure that only the service provider to whom the <Response> message has
>>>>>> been issued is given the message as the result of an <ArtifactResolve> request.
>>>>>> [\quote]
>>>>>> 
>>>>>> - prateek
>>>>>>> Hi Prateek,
>>>>>>> 
>>>>>>>> I would like to strongly disagree with this proposal.
>>>>>>>> 
>>>>>>>> It amounts to explicitly making OAuth 2.0 insecure so as to
>>>>>>>> satisfy some mysterious and unspecified set of legacy OAuth
>>>>>>>> 1.0 deployments.
>>>>>>>> 
>>>>>>>> The SAML web SSO (artifact) profile - which shares many
>>>>>>>> characteristics with the initial steps in OAuth - requires
>>>>>>>> precisely such a counter-measure and is widely implemented
>>>>>>>> in 1000s of deployments.
>>>>>>> 
>>>>>>> What counter-measure is this?  Can you provide a reference?
>>>>>>> Section 4.1.3.5 of 
>>>>>>> http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf
>>>>>>> recommends TLS but does not require it.
>>>>>>> 
>>>>>>> Francisco
>>>>>>> 
>>>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> 
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email