IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-oauth-spop-11

Ben Laurie <benl@google.com> Sat, 06 June 2015 09:03 UTC

Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 12AEF1B2AE5 for <secdir@ietfa.amsl.com>; Sat, 6 Jun 2015 02:03:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YM1p2wz9BT5A for <secdir@ietfa.amsl.com>; Sat, 6 Jun 2015 02:03:05 -0700 (PDT)
Received: from mail-vn0-x231.google.com (mail-vn0-x231.google.com [IPv6:2607:f8b0:400c:c0f::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 267E71B2AE2 for <secdir@ietf.org>; Sat, 6 Jun 2015 02:03:05 -0700 (PDT)
Received: by vnbf129 with SMTP id f129so1659208vnb.2 for <secdir@ietf.org>; Sat, 06 Jun 2015 02:03:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=N8dgEG9dQEBCy6kx1PknrSU5OlOiOCGVhanH+pcoC4I=; b=J5Gh9TzFo6Gkd60GFnEoWJnOy7k6SrcjdFK7/5O4LUORIkonOPILfY5Dj9tbpmtvsa R6XfYRo33kqP3Znm2/wV88c+Vr01s+yKd1VFShT5ytneuG6BPeONnGE+g3MJQRDdg5LX HbD3R0UC9fEy1jMdiFhW/80QTKcSy+WnDvJowYsbrfoluLIB2J7x7PQDtYGnzPCiomMF wlg/dZuzpOUOrN/zhsEJ2lRr5JmuQpOePYLAhCVFXzH//hxPqAmIqQ3eTFgIo340m4nx 6SavVeF2Y7FCaTWSW1SeS1Hz1tY9eF3CnZObrHlQ960kVGj7GLObIxaWp2z1g5EDAicu JlMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=N8dgEG9dQEBCy6kx1PknrSU5OlOiOCGVhanH+pcoC4I=; b=TT9sBCFHXm3uz0G7C7GA04vkNXpMvqbvYqjmcBCMr/4tLHWuvNXffuIXEg55lw7k0E e9eTHank26kYD0vbZBzKif8cD1ubtU0TlxB12U8AaLgNa6V3bjeeRqA9rXw+VVulupIt Hgv/CktI6VTDqnlreC8f7DYpewOzr1KGIJJCoK3zVNrhhXUFsTL9p7h8B2sbASHlYQIa 72fGAFGIjLysRmlFjifyDCKlFZbmx51J/NgNHXfxZbWYjP35ycTZ+FntoqEGVYxqhWlf 6J/qKxWlURZkrKtvRgSM09LpDDvfqNysKCAQvAUw1MBBGvdwS+6gm1c/Oj2TpybPit3Y cB/g==
X-Gm-Message-State: ALoCoQkMIyPMp1NcA1mdUfmQdEB5O4c3F8pIP/nGEutpAfpZw5Vi+RPO81JIAYS1hN+S/jMXFqvo
MIME-Version: 1.0
X-Received: by 10.52.75.201 with SMTP id e9mr13171263vdw.33.1433581384185; Sat, 06 Jun 2015 02:03:04 -0700 (PDT)
Received: by 10.52.76.6 with HTTP; Sat, 6 Jun 2015 02:03:04 -0700 (PDT)
In-Reply-To: <EC70A4CD-44F5-4BA8-9955-BABBA551863F@ve7jtb.com>
References: <CABrd9SQ68C1j3sax73mEmkZCgxgQZtB6=L8m6aDR-fj9yF1kyw@mail.gmail.com> <A52DB2EA-4969-408A-81C8-36DB2988E938@ve7jtb.com> <CABrd9STRbh4OFtSKcrgjpUJWBFkkstYqqqmiFCNbtkKqCxJ3tA@mail.gmail.com> <EC70A4CD-44F5-4BA8-9955-BABBA551863F@ve7jtb.com>
Date: Sat, 06 Jun 2015 10:03:04 +0100
Message-ID: <CABrd9SQT941=cARDycjoTqJmeHKp0LciXj2N-1XnceRTqUw+_w@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: John Bradley <ve7jtb@ve7jtb.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/C6MqfVia4lTms8vmJVzhwCAKYo8>
Cc: draft-ietf-oauth-spop.all@tools.ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-oauth-spop-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jun 2015 09:03:07 -0000

On 6 June 2015 at 02:48, John Bradley <ve7jtb@ve7jtb.com> wrote:
> inline
>> On Jun 5, 2015, at 11:56 AM, Ben Laurie <benl@google.com> wrote:
>>
>> On 5 June 2015 at 14:54, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>> Thanks for the review Ben.
>>>
>>> The security issue is well known to Apple and the subject of debate for some time.
>>>
>>> OAuth states native applications SHOULD use the system browser to train users not to expose credentials to applications.
>>>
>>> Apples approach to this point has been to recommend application developers use web views to get around the feature/security issue of insecure inter application communications.
>>>
>>> This is documenting the work around that Google , Ping, T-Mobile and others have in production to work around the issue of multiple applications being allowed to register the same custom scheme and not prompting the user about what app to return to.
>>>
>>> Prompting the user as on Android is only a partial solution as users are not perfect.  So doing a proof for code is not a bad thing, and may prevent new attacks on public clients.
>>>
>>> The OIDF NAPPS working group is working with MDM vendors, Google, Microsoft (for there apps on other platforms), to develop a better identity API approach for native apps.
>>> We are hoping that can provide a better long term solution for platforms.
>>>
>>> I will also note that custom per IdP API solutions have not always worked.  Facebook has recently abandoned the custom solution apple provided them with in iOS as apple was not able to keep up with changes on the Facebook side.
>>>
>>> From a protocol point of view this was the best we could come up with to deal with the issue now.
>>>
>>> Inline.
>>>> On Jun 5, 2015, at 9:44 AM, Ben Laurie <benl@google.com> wrote:
>>>>
>>>> I have reviewed this document as part of the security directorate's
>>>> ongoing effort to review all IETF documents being processed by the
>>>> IESG.  These comments were written primarily for the benefit of the
>>>> security area directors.  Document editors and WG chairs should treat
>>>> these comments just like any other last call comments.
>>>>
>>>> Status: ready with issues.
>>>>
>>>> It is disappointing that such a protocol must be introduced to work
>>>> around security deficiencies in application platforms - have these
>>>> security issues been reported to vendors?
>>>>
>>>> Anyway, issues:
>>>>
>>>> 1. Security consideration says: "Concatenating a publicly known value
>>>> to a code_challenge
>>>>  (with 256 bits of entropy) and then hashing it with SHA256 would
>>>>  actually reduce the entropy in the resulting code_verifier making it
>>>>  easier for an attacker to brute force." This makes no sense. A
>>>> brute force attack would still require iteration of 2^256 inputs. How
>>>> is that easier?
>>>>
>>> I can try an make it clearer that the 256 bits being referred to is the total size of salt + secret.
>>>
>>> The point we were trying to make is that if the salt is included in the 256 bit input then the attack space is reduced by the size of the nonce.
>>> If you make the hash bigger then you are still better off making all the entropy secret.
>>>
>>> An example would be having a 128 bit salt that is known and a 128 bit secret.  A brute force attack would require 2^128 inputs rather than 2^256 inputs if it were all secret.
>>>
>>> This came from a request to explain why we don’t have a salt to protect against rainbow table lookup, like passwords.
>>
>> Ah, I see. Though you then have to explain why you are constraining to
>> 256 bits…
>
> This wouldn't apply to the plain transform.   For the S256 transform having more than 256bits of entropy is just more work for no benefit.
>
> Later someone could define a SHA512 transform if they want to use more entropy, though 256bits is probably enough unless some flaw is found in SHA256.
> We did debate truncating the hash as 256bits is probably overkill for a single use challenge at this point, but that would have introduced possible implementation errors, and only provide a small saving of message size.
>
> A asymmetric transform is also possible as an extension once we have Token Binding completed and deployed,  but that is future work.
>
> For the moment SHA 256 with 256bits of entropy for the input to generate a key for a single use token, is infeasible to brute force.

I agree. But we're not debating that, we're debating the claim that
adding salt reduces attack cost. Which is only true if you add an
artificial constraint on input size.

>
>>
>>>> 2. The introduction says "No client secret is used (since public
>>>> clients cannot keep their secrets confidential.)". However, a client
>>>> secret is used. I suspect I know what is intended, but this should be
>>>> clarified.
>>>>
>>>
>>> How about?
>>>
>>> 3) The attacker has access to the client id and client secret (if provisioned).  All native app client-
>>>      instances use the same client id, and client secret.  Secrets provisioned in client binaries cannot be considered confidential.
>>
>> I think the issue is that "client secret" has meaning independent of
>> OAuth, but you are using it in the sense that the OAuth standards use
>> it - perhaps "OAuth client secret" would make this clearer?
>>
>
> How about?
>
> 3) The attacker has access to the OAuth client id and OAuth client secret (if provisioned).  All OAuth native app client-
>      instances use the same client id, and client secret.  Secrets provisioned in client binaries cannot be considered confidential.

Fine.

>
> John B.
>>>
>>> John B.
>>>
>>>
>>>> _______________________________________________
>>>> secdir mailing list
>>>> secdir@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/secdir
>>>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
>

v2.23.0 | Report a Bug | By Email