IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-oauth-spop-11

John Bradley <ve7jtb@ve7jtb.com> Fri, 05 June 2015 13:54 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24C911B2FB5 for <secdir@ietfa.amsl.com>; Fri, 5 Jun 2015 06:54:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gLMDvSXIhLHX for <secdir@ietfa.amsl.com>; Fri, 5 Jun 2015 06:54:21 -0700 (PDT)
Received: from mail-qk0-f177.google.com (mail-qk0-f177.google.com [209.85.220.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BDC861B2FB1 for <secdir@ietf.org>; Fri, 5 Jun 2015 06:54:20 -0700 (PDT)
Received: by qkoo18 with SMTP id o18so40821087qko.1 for <secdir@ietf.org>; Fri, 05 Jun 2015 06:54:20 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=8bQtAa6tmBNZnHDclpqSD375crZwZVi6MKzg3DHMlAU=; b=awLQN8IPCGNHk1I3m7eaeuKCZk0U/Y38RI47lXFRpiPVTIScdfB/QWNHnVAjk8aXrA goxsJtlGdZ2QFNjNpyXX4cQyvEg6BZByS0RtNL01VZuDCNhhGllOkJgMcdRDdXNmZ9D+ A6Z2O3fQFHMIgITNbfen6rYacxKcUpOxziuJPFZs4/JAaroU8XknSkWsBjjuZSRd4PKs U0zh5TFUDvFsN2mfz8PxBSbC4QLfjQv2pqN+GUeLUPE5BDTEPSJMZ/o43MZ9OjDrcQ1B Igbt3WeRPWjENY5KAXc5vjTXtJ1BgtVK1ziiyV5t53Yb8WuZFosjkvh3aC0WyhD31nra 9IPw==
X-Gm-Message-State: ALoCoQkvevjWDwJzZEI/LzHxZ5igMlqhIwBr3LCFb7+57w148zHyL83+rSxNuwo0iy2gMr7xuDb3
X-Received: by 10.140.216.208 with SMTP id m199mr4317672qhb.69.1433512459913; Fri, 05 Jun 2015 06:54:19 -0700 (PDT)
Received: from [192.168.8.100] ([181.202.130.165]) by mx.google.com with ESMTPSA id o19sm3996371qkh.25.2015.06.05.06.54.14 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 05 Jun 2015 06:54:19 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_627DD0D8-8E7A-46D7-BA53-662226EC8E13"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABrd9SQ68C1j3sax73mEmkZCgxgQZtB6=L8m6aDR-fj9yF1kyw@mail.gmail.com>
Date: Fri, 05 Jun 2015 10:54:08 -0300
Message-Id: <A52DB2EA-4969-408A-81C8-36DB2988E938@ve7jtb.com>
References: <CABrd9SQ68C1j3sax73mEmkZCgxgQZtB6=L8m6aDR-fj9yF1kyw@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/3B7qsN3nXKaLwmQLAYjA0D4L2uk>
Cc: draft-ietf-oauth-spop.all@tools.ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-oauth-spop-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Jun 2015 13:54:23 -0000

Thanks for the review Ben.

The security issue is well known to Apple and the subject of debate for some time.

OAuth states native applications SHOULD use the system browser to train users not to expose credentials to applications.

Apples approach to this point has been to recommend application developers use web views to get around the feature/security issue of insecure inter application communications.

This is documenting the work around that Google , Ping, T-Mobile and others have in production to work around the issue of multiple applications being allowed to register the same custom scheme and not prompting the user about what app to return to.

Prompting the user as on Android is only a partial solution as users are not perfect.  So doing a proof for code is not a bad thing, and may prevent new attacks on public clients.

The OIDF NAPPS working group is working with MDM vendors, Google, Microsoft (for there apps on other platforms), to develop a better identity API approach for native apps.
We are hoping that can provide a better long term solution for platforms.

I will also note that custom per IdP API solutions have not always worked.  Facebook has recently abandoned the custom solution apple provided them with in iOS as apple was not able to keep up with changes on the Facebook side.

From a protocol point of view this was the best we could come up with to deal with the issue now.

Inline.
> On Jun 5, 2015, at 9:44 AM, Ben Laurie <benl@google.com> wrote:
> 
> I have reviewed this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the
> IESG.  These comments were written primarily for the benefit of the
> security area directors.  Document editors and WG chairs should treat
> these comments just like any other last call comments.
> 
> Status: ready with issues.
> 
> It is disappointing that such a protocol must be introduced to work
> around security deficiencies in application platforms - have these
> security issues been reported to vendors?
> 
> Anyway, issues:
> 
> 1. Security consideration says: "Concatenating a publicly known value
> to a code_challenge
>   (with 256 bits of entropy) and then hashing it with SHA256 would
>   actually reduce the entropy in the resulting code_verifier making it
>   easier for an attacker to brute force." This makes no sense. A
> brute force attack would still require iteration of 2^256 inputs. How
> is that easier?
> 
I can try an make it clearer that the 256 bits being referred to is the total size of salt + secret.

The point we were trying to make is that if the salt is included in the 256 bit input then the attack space is reduced by the size of the nonce. 
If you make the hash bigger then you are still better off making all the entropy secret.

An example would be having a 128 bit salt that is known and a 128 bit secret.  A brute force attack would require 2^128 inputs rather than 2^256 inputs if it were all secret.

This came from a request to explain why we don’t have a salt to protect against rainbow table lookup, like passwords.


> 2. The introduction says "No client secret is used (since public
> clients cannot keep their secrets confidential.)". However, a client
> secret is used. I suspect I know what is intended, but this should be
> clarified.
> 

How about?

3) The attacker has access to the client id and client secret (if provisioned).  All native app client-
      instances use the same client id, and client secret.  Secrets provisioned in client binaries cannot be considered confidential.

John B.


> _______________________________________________
> secdir mailing list
> secdir@ietf.org
> https://www.ietf.org/mailman/listinfo/secdir
> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email