Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures
Justin Richer <jricher@MIT.EDU> Tue, 13 May 2014 15:28 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 155291A00DD for <oauth@ietfa.amsl.com>; Tue, 13 May 2014 08:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.251
X-Spam-Level:
X-Spam-Status: No, score=-3.251 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Dcjpbh8Dr6ZU for <oauth@ietfa.amsl.com>; Tue, 13 May 2014 08:28:05 -0700 (PDT)
Received: from dmz-mailsec-scanner-3.mit.edu (dmz-mailsec-scanner-3.mit.edu [18.9.25.14]) by ietfa.amsl.com (Postfix) with ESMTP id 0A2F21A00E3 for <oauth@ietf.org>; Tue, 13 May 2014 08:28:04 -0700 (PDT)
X-AuditID: 1209190e-f79946d000000c39-f7-537239fe830c
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-3.mit.edu (Symantec Messaging Gateway) with SMTP id AE.76.03129.EF932735; Tue, 13 May 2014 11:27:58 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id s4DFRunE010553; Tue, 13 May 2014 11:27:57 -0400
Received: from artemisia.richer.local (static-96-237-195-53.bstnma.fios.verizon.net [96.237.195.53]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id s4DFRp2x001182 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NOT); Tue, 13 May 2014 11:27:54 -0400
Content-Type: multipart/signed; boundary="Apple-Mail=_CF8164B1-FB58-4C88-AE26-F96EC1BB70A8"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 7.2 \(1874\))
From: Justin Richer <jricher@MIT.EDU>
In-Reply-To: <CAOBb0SJ2Du9UAfcVkj-yyOQjgScbnb0V6H1P874aYndzc58Jag@mail.gmail.com>
Date: Tue, 13 May 2014 11:27:47 -0400
Message-Id: <FD6BA47D-1E80-4DD3-B99F-F0B5E757644C@mit.edu>
References: <CAOBb0SLV0iX3TREx0kOxvoiUUau3us6YW4jQwzFT8Vz1Aq6Miw@mail.gmail.com> <9378C75B-2146-4E8D-BDD6-B4F495C52B84@oracle.com> <53710CC9.2000600@gmx.net> <CAOBb0SJ2Du9UAfcVkj-yyOQjgScbnb0V6H1P874aYndzc58Jag@mail.gmail.com>
To: Blair Strang <blair.strang@covata.com>
X-Mailer: Apple Mail (2.1874)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFvrOKsWRmVeSWpSXmKPExsUixG6nrvvPsijYYNprSYvVs9YxWSzdeY/V 4uTbV2wWVx4tZHdg8fi6xttj8ab9bB5LlvxkCmCO4rJJSc3JLEst0rdL4MrYsmIzW8HkhYwV K09/ZmtgXNzJ2MXIySEhYCJx4PI+KFtM4sK99WwgtpDAbCaJR316XYxcQPZGRok3n/eyQDg3 mSSWL20Fc5gFJjFKLH/zhR2khVdAT6JpzUQmEFtYwEXi+9kbzCA2m4CqxPyVt8DinAKBEtsO TWABsVmA4rv3fwKzmQXqJaadXMECMcdKYt2FA0wQ2x4xSjTdeg7WLCKgJTFlci8bxK2yEo8+ NLFMYBSYheyQWUgOmQU2OEni789WRghbW2LZwtfMELaBxNPOV6yY4voSb97NgeqVl9j+dg5U 3FJi8cwbLBC2rcStvgVQNXYSj6YtYl3AyL2KUTYlt0o3NzEzpzg1Wbc4OTEvL7VI11gvN7NE LzWldBMjKB45Jfl2MH49qHSIUYCDUYmHd8GzgmAh1sSy4srcQ4ySHExKoryrTIuChfiS8lMq MxKLM+KLSnNSiw8xqgDterRh9QVGKZa8/LxUJRHez3pAdbwpiZVVqUX5MGXSHCxK4rxvra2C hQTSE0tSs1NTC1KLYLIyHBxKErxTLIAaBYtS01Mr0jJzShDSTBychxglOHiAhp8AqeEtLkjM Lc5Mh8ifYtTlaHq3vIVJCOwCKXHepSBFAiBFGaV5cHNg6fUVozjQi8K8i0CqeICpGW7SK6Al TEBLrKTzQZaUJCKkpBoYK8oYVTkNWl29ohhZDL3/5D17LzjfYss99yuRfDybWHVv72TdJeKv +3BtVJayXewN1Tlfnyeeuyd+4YEqU+O29IgGjbWSbwU8DoiLSd6TuVZffCdts6l2XOmLTQeV lCY+r394719xyarSlad4XIwnNqutbYz7fGNVyq9X3Vc0JW59jJu/KOW3EktxRqKhFnNRcSIA YnqKXooDAAA=
Archived-At: http://mailarchive.ietf.org/arch/msg/oauth/wvKJRn7bzE820bYP5gyq8LdY4IA
Cc: Scott Contini <scott.contini@covata.com>, OAuth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC signatures
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 May 2014 15:28:08 -0000
Blair, You’re right in that the MAC draft is effectively abandoned now as the WG has moved on to other signed-token mechanisms. As part of that effort, I’ve put together a JWS-based HTTP request signature mechanism (referenced in Hannes’s presentation): http://tools.ietf.org/id/draft-richer-oauth-signed-http-request-01.html This differs from the AWS spec (submitted as an HTTP Auth WG Draft, as I understand it: http://tools.ietf.org/id/draft-cavage-http-signatures-02.html) in that it uses JWS as the signing mechanism (without a custom HTTP header format). There’s still a fair amount of work that needs to be done in order to get it in shape, but I think that these different methods can definitely inform each other. — Justin On May 13, 2014, at 2:34 AM, Blair Strang <blair.strang@covata.com> wrote: > Hi Hannnes, > > Yes, so in terms of well-defined specs for HTTP request signing, there is basically AWS, OAuth 1.0a HMAC, and the OAuth 2.0 draft HMAC stuff which is looking a bit abandoned. > > The v2 and v4 signing processes for AWS are documented here. > [1] http://docs.aws.amazon.com/general/latest/gr/signature-version-2.html > [2] http://docs.aws.amazon.com/general/latest/gr/signature-version-4.html > > Looking at the slides you sent, my colleague Scott and I have been working on something running along the same lines. This has largely been for internal use, but we have had our eye on a design with general utility. > > So far we have been working to clearly define *only* how HTTP requests can be authenticated using a JWT/JWS, independent of the issues of key distribution and sessions (an OAuth2 extension is one option for sessions / key agreement, but there are obviously other ways). > > We actually have a spec and proof of concept in progress for JWS based request signing. We do need some time to clean up the spec for public consumption, but would you be interested in seeing that? > > Thanks, > > Blair. > > ---- Long form details below here ----- > > Our view is that request authentication (mac/signature) and the session (or key agreement) mechanisms needed to support it are largely orthogonal. > > We have been working to specify a mechanism for authenticating HTTP requests using JWT/JWS. (The tokens look just like JWTs, but it is better to specify on top of JWS). > > Our approach was that the client computes a "signature base string" or "string to sign" in a fashion very similar to AWS v2, while adding header signing similar to that in AWS v4. This fixes a gap in the OAuth 1.0a HMAC token spec. > > The client then embeds a digest of the "signature base string" in a JWS signed by the client, along with several other required fields (e.g. a field identifying the requestor, optional key id, expiry, list of signed http headers, ...) to authenticate the request. > > The nice thing about embedding the request digest in a JWT/JWS signed payload is that you get all the flexibility of JWS in terms of algorithms. > > Also, the implementation also comes out very nice, since you need just string processing of the request to get a canonical version plus a digest operation - and the "hard crypto stuff" can be handled by a JWS library. > > However, there are some constraints in terms of practicality using the JWS standard (not insurmountable, but there): > > 1. RSA - A client with a private key can easily RSA-sign HTTP requests, but the Authorization: header will be several hundred bytes long due to the size of the RSA signature. Speed is high, but so is bandwidth required. > > 2. ECDSA - ECDSA produces much smaller payloads (few hundred bytes) but requires much more processing effort (order of milliseconds). > > 3. HMAC - A shared HMAC key will be the most efficient in terms of speed & storage, but requires additional session establishment dance which is slightly less elegant than a client using a private key directly. > > Request authorisation using a private key directly works well for server-to-server or "big client" to server, but not so well for mobile with power and bandwidth constraints. In this case, the approach we are taking for a client to bootstrap from possession of a private key is to send an RSA signed request to establish a shared HMAC key, then use HMAC signed requests. > > Thanks & regards, > > Blair. > > -- > Blair Strang | Senior Security Engineer > Covata | Own Your Data > covata.com > > Level 4 156 Clarence Street | Sydney NSW 2000 > © 2014 CDHL parent company for all Covata entities > > > > > > > > > > On Tue, May 13, 2014 at 4:02 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: > Hi Phil, > Hi Blair, > > this is a good point. I also don't see a reason why the HTTP protocol > version should be included in the keyed message digest (from a security > point of view). > > It might, however, be worthwhile to point out that we are exploring > different solution directions, as described in this slide deck > http://www.tschofenig.priv.at/oauth/IETF-OAuth-PoP.pptx > > For this reason it might be interesting to know what AWS implements. Do > you guys have a reference? > > Ciao > Hannes > > > On 05/09/2014 05:47 AM, Phil Hunt wrote: > > Fyi > > > > Phil > > > > Begin forwarded message: > > > >> *From:* Blair Strang <blair.strang@covata.com > >> <mailto:blair.strang@covata.com>> > >> *Date:* May 8, 2014 at 18:47:58 PDT > >> *Resent-To:* hannes.tschofenig@gmx.net > >> <mailto:hannes.tschofenig@gmx.net>, jricher@mitre.org > >> <mailto:jricher@mitre.org>, phil.hunt@yahoo.com > >> <mailto:phil.hunt@yahoo.com>, wmills@yahoo-inc.com > >> <mailto:wmills@yahoo-inc.com> > >> *To:* draft-ietf-oauth-v2-http-mac@tools.ietf.org > >> <mailto:draft-ietf-oauth-v2-http-mac@tools.ietf.org> > >> *Subject:* *HTTP protocol version in MAC signatures* > >> > >> Hi, > >> > >> [Not sure if this is the right address to submit this feedback to] > >> > >> Looking > >> over http://tools.ietf.org/html/draft-ietf-oauth-v2-http-mac-05 section 5.2. > >> "MAC Input String", it seems that the HTTP request line is used > >> verbatim during the construction of MAC tokens. > >> > >> Since this includes the transport (HTTP/1.1 versus say HTTP/1.0) it > >> seems that HTTP proxies which run different protocol versions on each > >> leg will break signatures. > >> > >> I would recommend removing the HTTP version from the MAC. The > >> transport is inherently a "per hop" type of thing, while request > >> signatures are conceptually "end to end". > >> > >> I am not aware of any specific security benefits derived from > >> including the HTTP protocol version in the MAC input string. This may > >> be why AWS version 2 and AWS version 4 signatures do not include it. > >> > >> Thanks and regards, > >> > >> Blair. > >> > > > > > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Fwd: HTTP protocol version in MAC sign… Phil Hunt
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Hannes Tschofenig
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Blair Strang
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Justin Richer
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Bill Mills
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Prateek Mishra
- Re: [OAUTH-WG] Fwd: HTTP protocol version in MAC … Sergey Beryozkin