IETF Logo Mail Archive

Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base

"Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com> Mon, 05 December 2011 17:00 UTC

Return-Path: <zachary.zeltsan@alcatel-lucent.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C0021F8C7A for <oauth@ietfa.amsl.com>; Mon, 5 Dec 2011 09:00:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SxYd9QfRcDP6 for <oauth@ietfa.amsl.com>; Mon, 5 Dec 2011 09:00:06 -0800 (PST)
Received: from ihemail1.lucent.com (ihemail1.lucent.com [135.245.0.33]) by ietfa.amsl.com (Postfix) with ESMTP id E181421F8C6E for <oauth@ietf.org>; Mon, 5 Dec 2011 09:00:05 -0800 (PST)
Received: from usnavsmail2.ndc.alcatel-lucent.com (usnavsmail2.ndc.alcatel-lucent.com [135.3.39.10]) by ihemail1.lucent.com (8.13.8/IER-o) with ESMTP id pB5GxxLr017217 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 5 Dec 2011 11:00:00 -0600 (CST)
Received: from USNAVSXCHHUB01.ndc.alcatel-lucent.com (usnavsxchhub01.ndc.alcatel-lucent.com [135.3.39.110]) by usnavsmail2.ndc.alcatel-lucent.com (8.14.3/8.14.3/GMO) with ESMTP id pB5GxiL9002760 (version=TLSv1/SSLv3 cipher=RC4-MD5 bits=128 verify=NOT); Mon, 5 Dec 2011 10:59:59 -0600
Received: from USNAVSXCHMBSA3.ndc.alcatel-lucent.com ([135.3.39.127]) by USNAVSXCHHUB01.ndc.alcatel-lucent.com ([135.3.39.110]) with mapi; Mon, 5 Dec 2011 10:59:52 -0600
From: "Zeltsan, Zachary (Zachary)" <zachary.zeltsan@alcatel-lucent.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Peter Saint-Andre <stpeter@stpeter.im>
Date: Mon, 05 Dec 2011 10:59:21 -0600
Thread-Topic: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
Thread-Index: Acywa8r+mb9dVIALTSuwf/d+upx7hwC/ViuA
Message-ID: <5710F82C0E73B04FA559560098BF95B1250CB2E0CB@USNAVSXCHMBSA3.ndc.alcatel-lucent.com>
References: <CALaySJJcPPSU5PAtk9GNL9iFBXj1HfWjkN32GeHsV_Ry2t+o=A@mail.gmail.com> <CAC4RtVABZSo2VXZ4pTGw9P+fdRrUWQajXm+SngQw6Ng9qK+NNQ@mail.gmail.com> <4ED7DF0C.4000701@cdatazone.org> <4ED7DF3B.5010107@stpeter.im> <4ED7EA1C.1040208@cs.tcd.ie>
In-Reply-To: <4ED7EA1C.1040208@cs.tcd.ie>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.57 on 135.245.2.33
X-Scanned-By: MIMEDefang 2.64 on 135.3.39.10
Cc: Barry Leiba <barryleiba@computer.org>, oauth WG <oauth@ietf.org>
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/oauth>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 05 Dec 2011 17:00:07 -0000

BEAST is an attack against TLS 1.0. In order to succeed, an attacker, predicting that a user will eventually make an https connection to www.example.com, lures the user to an attacker-controlled web site. From that site the user browser downloads the attacker's script (e.g., JavaScript). Then, if the user indeed establishes https connection to www.example.com using the same browser window, an attacker can analyze the traffic generated by the normal user activity and the traffic generated on the same connection by the attacker's script. This may allow the attacker to decipher a targeted part (for example a part where the user's password should be) of the user traffic. The attack requires significant time. For example, it took 103 seconds for a published attack against PayPal to decipher a cookie.

OAuth 2.0 requires (MUST) TLS protection of the connections between the user browser and authorization endpoint and between client and the token endpoint. Both connections are not likely to last long enough for the attack to succeed.
The client's connection is a less likely target, because it is more difficult to get a client engaged in the described scenario. 

In my opinion vulnerability of TLS 1.0 to the BEAST attack does not affect significantly security of OAuth 2.0.
(TLS 1.1 and 1.2 are not vulnerable to the attack.)

Zachary Zeltsan
 
-----Original Message-----
From: oauth-bounces@ietf.org [mailto:oauth-bounces@ietf.org] On Behalf Of Stephen Farrell
Sent: Thursday, December 01, 2011 3:57 PM
To: Peter Saint-Andre
Cc: Barry Leiba; oauth WG
Subject: Re: [OAUTH-WG] TLS version requirements in OAuth 2.0 base



On 12/01/2011 08:10 PM, Peter Saint-Andre wrote:
> On 12/1/11 1:09 PM, Rob Richards wrote:
>> On 11/28/11 10:39 PM, Barry Leiba wrote:
>>>> The OAuth base doc refers in two places to TLS versions (with the 
>>>> same text in both places:
>>>>
>>>> OLD
>>>> The authorization server MUST support TLS 1.0 ([RFC2246]), SHOULD 
>>>> support TLS 1.2 ([RFC5246]) and its future replacements, and MAY 
>>>> support additional transport-layer mechanisms meeting its security 
>>>> requirements.
>>>>
>>>> In both the shepherd review and the AD review, this was called into
>>>> question:
>>>> 1. MUST for an old version and SHOULD for the current version seems 
>>>> wrong.
>>>> 2. Having specific versions required locks us into those versions 
>>>> (for example, all implementations will have to support TLS 1.0, 
>>>> even long after it becomes obsolete, unless we rev the spec.
>>> The comments I've gotten on this show a clear consensus against the 
>>> change I suggest, and against any attempt to require a version of 
>>> TLS other than 1.0.  I still, though, am concerned that locking this 
>>> spec into TLS 1.0 is limiting.  So let me propose an alternative 
>>> wording, which again tries to make the version(s) non-normative, 
>>> while making it clear which version(s) need to be implemented to get
>>> interoperability:
>>>
>>> NEW
>>> --------------------------------------------
>>> The authorization server MUST implement TLS.  Which version(s) ought 
>>> to be implemented will vary over time, and depend on the widespread 
>>> deployment and known security vulnerabilities at the time of 
>>> implementation.  At the time of this writing, TLS version
>>> 1.2 [RFC5246] is the most recent version, but has very limited 
>>> actual deployment, and might not be readily available in 
>>> implementation toolkits.  TLS version 1.0 [RFC2246] is the most 
>>> widely deployed version, and will give the broadest 
>>> interoperability.
>>>
>>> Servers MAY also implement additional transport-layer mechanisms 
>>> that meet their security requirements.
>>> --------------------------------------------
>>>
>>> Comments on this version?
>>>
>>> Barry
>>>
>>
>> Text is neutral enough for me as it's not mandating anything that 
>> isn't readily available. Only comment is whether or not there is a 
>> need to even talk about the specific versions or if just the following is enough:
>>
>> The authorization server MUST implement TLS. Which version(s) ought 
>> to be implemented will vary over time, and depend on the widespread 
>> deployment and known security vulnerabilities at the time of 
>> implementation.
>>
>> Servers MAY also implement additional transport-layer mechanisms that 
>> meet their security requirements.
>
> That seems fine to me.

FWIW, I think I'd prefer Barry's as Rob's would be more likely to generate discusses and we do know that there are some security advantages to TLS 1.2 vs. 1.0. (BTW, has anyone considered how or if the BEAST attack might affect oauth? Be good to know if someone's done that analysis.)

However, as AD, I could live with either, since lots of other specs just say TLS. (But you need to point to the latest RFC as normative or that will I bet generate discusses.)

Cheers,
S.


> Peter
>
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email