Re: [OAUTH-WG] WGLC review of draft-ietf-oauth-security-topics-13
Benjamin Kaduk <kaduk@mit.edu> Tue, 26 November 2019 15:51 UTC
Date: Tue, 26 Nov 2019 07:51:16 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Pedram Hosseyni <pedram.hosseyni@sec.uni-stuttgart.de>
Cc: oauth@ietf.org
Message-ID: <20191126155116.GW32847@mit.edu>
In-Reply-To: <fc5c22c1-7459-0337-4a27-5f666bd271ad@sec.uni-stuttgart.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vwfMs3qnOh2NhHbw16qraXChqCI>
Hi Pedram,

On Thu, Nov 21, 2019 at 02:50:52PM +0100, Pedram Hosseyni wrote:
>
> Also, for this or the next version of this document, the Cuckoo's Token
> attack (see Section IV-A of http://arxiv.org/abs/1901.11520/ ), should
> be addressed. We also discussed this issue extensively at the last OSW
> in Stuttgart.

I took a look at the paper, and I'm not sure I'm properly understanding
the "Cuckoo's Token" attack. Looking at Figure 4 of the paper to have
something concrete to refer to, I assume that the client, as a white box,
is presumed to be honest. Since the access token is bound to the client,
I assume that the attacker has to return the phished access token to the
same client that originally (honestly) got it, as otherwise the token
will not be usable at the RS.

The paper concludes that in step 6, the client gets access to the honest
resource owner's resources, and furthermore that the attacker has access
to those resources through the client. It's that last part that I'm not
sure I understand -- if the client is honest, why would it return resource
information to the attacker? The best I can come up with is that there's
some sense of a "session" between the user and client, such that the
client links its resource accesses with the "session" on behalf of which
the access occurs, and is willing to return such information back to the
user only on the "linked session".

(The countermeasure makes sense and is a good practice, of course.)

Thanks,

Ben
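The following is an added toy model of the situation Ben describes, written for this archive page; it is not code from the draft, from the paper, or from any participant in the thread. It models an honest client with per-user sessions (Ben's "linked session" reading: a token fetched during a session is only ever used on behalf of that session), an honest resource server that accepts a token only from the client it is bound to, and a second authorization server the client has been configured to accept. Every name (`client-A`, `honest-as.example`, `tok-victim-123`, the `RS_FOR_AS` registry, the `enforce_as_rs_binding` switch) is constructed for the model. The defensive check guarded by `enforce_as_rs_binding`, that a session's token is used only at the resource server the client has registered for the authorization server that session's flow was started with, is an assumption of this example chosen to illustrate why the session linkage alone does not help; it is not the countermeasure the paper or the draft prescribes.

```python
"""Toy model of an honest OAuth client, its user sessions and one honest
resource server (RS), built to illustrate the session-linkage reading in
the message above.  Constructed example; all names are invented."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed client configuration: which RS the client associates with
# each authorization server (AS) it is willing to start a flow with.
RS_FOR_AS = {
    "honest-as.example": "honest-rs.example",
    "other-as.example": "other-rs.example",   # second AS accepted by the client
}


@dataclass
class Session:
    """One browser session at the client, with the state the client keeps."""
    session_id: str
    started_with_as: Optional[str] = None   # AS this session was redirected to
    token: Optional[str] = None             # access token obtained in this session
    token_from_as: Optional[str] = None     # AS that handed the token back


class HonestResourceServer:
    """Serves a resource owner's data only for the client the token is bound to."""

    def __init__(self) -> None:
        # constructed: token -> (client the token is bound to, resource owner)
        self.tokens: Dict[str, Tuple[str, str]] = {
            "tok-victim-123": ("client-A", "victim@example"),
        }
        self.data = {"victim@example": "victim's account data"}

    def get(self, token: str, client_id: str) -> Optional[str]:
        bound_client, owner = self.tokens.get(token, (None, None))
        if bound_client != client_id:   # token is bound to a different client
            return None
        return self.data[owner]


class Client:
    CLIENT_ID = "client-A"

    def __init__(self, rs: HonestResourceServer, enforce_as_rs_binding: bool) -> None:
        self.rs = rs
        self.enforce = enforce_as_rs_binding   # assumption: optional extra check
        self.sessions: Dict[str, Session] = {}

    def start_flow(self, session_id: str, chosen_as: str) -> Session:
        """The user picks an AS; the client remembers it for this session."""
        s = Session(session_id, started_with_as=chosen_as)
        self.sessions[session_id] = s
        return s

    def token_callback(self, session_id: str, token: str, from_as: str) -> None:
        """Whatever the AS returns is stored in the session that ran the flow."""
        s = self.sessions[session_id]
        s.token, s.token_from_as = token, from_as

    def fetch_resource(self, session_id: str, target_rs: str) -> Optional[str]:
        """Use only the token linked to this session (Ben's 'linked session')."""
        s = self.sessions[session_id]
        if s.token is None:
            return None
        if self.enforce:
            # Assumed check: the token may only go to the RS registered for the
            # AS this session started with, and must have come from that AS.
            if s.token_from_as != s.started_with_as:
                return None
            if target_rs != RS_FOR_AS.get(s.started_with_as):
                return None
        if target_rs != "honest-rs.example":
            return None   # the only RS modelled here
        return self.rs.get(s.token, self.CLIENT_ID)


def run_honest(enforce: bool) -> Optional[str]:
    """The victim runs a normal flow with the honest AS and reads their data."""
    client = Client(HonestResourceServer(), enforce)
    client.start_flow("victim-session", "honest-as.example")
    client.token_callback("victim-session", "tok-victim-123", "honest-as.example")
    return client.fetch_resource("victim-session", "honest-rs.example")


def run_cross_session(enforce: bool) -> Optional[str]:
    """A different session at the same client gets nothing: no token is linked to it."""
    client = Client(HonestResourceServer(), enforce)
    client.start_flow("victim-session", "honest-as.example")
    client.token_callback("victim-session", "tok-victim-123", "honest-as.example")
    client.start_flow("second-session", "honest-as.example")
    return client.fetch_resource("second-session", "honest-rs.example")


def run_injected_token(enforce: bool) -> Optional[str]:
    """A session started with the second AS receives the victim's (leaked) token
    from that AS; the honest RS accepts it because it is bound to client-A."""
    client = Client(HonestResourceServer(), enforce)
    client.start_flow("other-session", "other-as.example")
    client.token_callback("other-session", "tok-victim-123", "other-as.example")
    return client.fetch_resource("other-session", "honest-rs.example")
```

`run_cross_session` shows the behaviour Ben reads into the figure: the client returns data only on the session that obtained the token, so the session linkage is real but is not by itself a protection. `run_injected_token` shows why: the linked session is the one that injected the token, and the RS's client binding is satisfied because the honest client presents it. With the assumed AS-to-RS check switched on, the client declines to send a token obtained via one AS to the RS of another, and the injected-token run returns nothing.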