IETF Logo Mail Archive

Re: [secdir] Secdir review of draft-ietf-oauth-spop-11

John Bradley <ve7jtb@ve7jtb.com> Sat, 06 June 2015 15:52 UTC

Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D57EA1B334D for <secdir@ietfa.amsl.com>; Sat, 6 Jun 2015 08:52:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.099
X-Spam-Level:
X-Spam-Status: No, score=0.099 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MzLBkQaB5POR for <secdir@ietfa.amsl.com>; Sat, 6 Jun 2015 08:52:30 -0700 (PDT)
Received: from mail-qc0-f177.google.com (mail-qc0-f177.google.com [209.85.216.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D69E1B334B for <secdir@ietf.org>; Sat, 6 Jun 2015 08:52:30 -0700 (PDT)
Received: by qcnj1 with SMTP id j1so13178244qcn.0 for <secdir@ietf.org>; Sat, 06 Jun 2015 08:52:29 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=enVdY0rgRxmaI+og9u3RJX65Mv1JV7EOEgfztldCOmU=; b=jH1QFDbUFj7EpdCuSSbZokjc4ie9tq2LVYWcAI8zBhA8uEUz1v4T4N+AEvA2DsZ1f+ 62lNCX83+h4dU6DuOCW6fHIa9ihJYjuU/MqyA4odeD+P7n1peaRPrH3TADkfwZjPvjMi gDGG6rxZAHNW5hXuBAz+CG99UGlU5EmyrtM1zRfMb4TL2gU/Oo9sj5qJQKrpJfK9qJjn E571c/9tRTvmWBq/jsEUzU1GTcXAxrKZqydVGeKijLmTiyFSqk2LP7pMWy5gOjqvNBFw vOTbNLIEycYVLqvLnCSsD13+ShkMRmFuwNvXHN6LOAbq6aLST30D5+3rY1/x5rTIGDl1 TPzg==
X-Gm-Message-State: ALoCoQnBT3/YQ3C/p+AbKKvXl9+YM/E42ZYCOK82aQKDnafApMuDYrtBsnrL3W2bhhdlRKZimmf4
X-Received: by 10.140.149.76 with SMTP id 73mr10873724qhv.94.1433605949686; Sat, 06 Jun 2015 08:52:29 -0700 (PDT)
Received: from [192.168.1.216] (186-79-85-97.baf.movistar.cl. [186.79.85.97]) by mx.google.com with ESMTPSA id 4sm5479235qku.20.2015.06.06.08.52.26 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Sat, 06 Jun 2015 08:52:28 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_8DDF2E8C-FD06-42A8-9365-06E7D4E1BE8B"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABrd9SQT941=cARDycjoTqJmeHKp0LciXj2N-1XnceRTqUw+_w@mail.gmail.com>
Date: Sat, 06 Jun 2015 12:52:22 -0300
Message-Id: <0849D10A-7DD4-477E-A048-935821E4E427@ve7jtb.com>
References: <CABrd9SQ68C1j3sax73mEmkZCgxgQZtB6=L8m6aDR-fj9yF1kyw@mail.gmail.com> <A52DB2EA-4969-408A-81C8-36DB2988E938@ve7jtb.com> <CABrd9STRbh4OFtSKcrgjpUJWBFkkstYqqqmiFCNbtkKqCxJ3tA@mail.gmail.com> <EC70A4CD-44F5-4BA8-9955-BABBA551863F@ve7jtb.com> <CABrd9SQT941=cARDycjoTqJmeHKp0LciXj2N-1XnceRTqUw+_w@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/J2NHhiCZ7BoufSpxzEY1g2whOhA>
Cc: draft-ietf-oauth-spop.all@tools.ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-oauth-spop-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jun 2015 15:52:33 -0000

Ben,

I have updated the draft based on your feedback.

I changed the wording in the security consideration to say that adding a salt doesn’t increase the workload for an attacker given 256 bits of entropy and a sha256 hash.

Let me know if that wording works for you.

John B.
> On Jun 6, 2015, at 6:03 AM, Ben Laurie <benl@google.com> wrote:
> 
> On 6 June 2015 at 02:48, John Bradley <ve7jtb@ve7jtb.com> wrote:
>> inline
>>> On Jun 5, 2015, at 11:56 AM, Ben Laurie <benl@google.com> wrote:
>>> 
>>> On 5 June 2015 at 14:54, John Bradley <ve7jtb@ve7jtb.com> wrote:
>>>> Thanks for the review Ben.
>>>> 
>>>> The security issue is well known to Apple and the subject of debate for some time.
>>>> 
>>>> OAuth states native applications SHOULD use the system browser to train users not to expose credentials to applications.
>>>> 
>>>> Apples approach to this point has been to recommend application developers use web views to get around the feature/security issue of insecure inter application communications.
>>>> 
>>>> This is documenting the work around that Google , Ping, T-Mobile and others have in production to work around the issue of multiple applications being allowed to register the same custom scheme and not prompting the user about what app to return to.
>>>> 
>>>> Prompting the user as on Android is only a partial solution as users are not perfect.  So doing a proof for code is not a bad thing, and may prevent new attacks on public clients.
>>>> 
>>>> The OIDF NAPPS working group is working with MDM vendors, Google, Microsoft (for there apps on other platforms), to develop a better identity API approach for native apps.
>>>> We are hoping that can provide a better long term solution for platforms.
>>>> 
>>>> I will also note that custom per IdP API solutions have not always worked.  Facebook has recently abandoned the custom solution apple provided them with in iOS as apple was not able to keep up with changes on the Facebook side.
>>>> 
>>>> From a protocol point of view this was the best we could come up with to deal with the issue now.
>>>> 
>>>> Inline.
>>>>> On Jun 5, 2015, at 9:44 AM, Ben Laurie <benl@google.com> wrote:
>>>>> 
>>>>> I have reviewed this document as part of the security directorate's
>>>>> ongoing effort to review all IETF documents being processed by the
>>>>> IESG.  These comments were written primarily for the benefit of the
>>>>> security area directors.  Document editors and WG chairs should treat
>>>>> these comments just like any other last call comments.
>>>>> 
>>>>> Status: ready with issues.
>>>>> 
>>>>> It is disappointing that such a protocol must be introduced to work
>>>>> around security deficiencies in application platforms - have these
>>>>> security issues been reported to vendors?
>>>>> 
>>>>> Anyway, issues:
>>>>> 
>>>>> 1. Security consideration says: "Concatenating a publicly known value
>>>>> to a code_challenge
>>>>> (with 256 bits of entropy) and then hashing it with SHA256 would
>>>>> actually reduce the entropy in the resulting code_verifier making it
>>>>> easier for an attacker to brute force." This makes no sense. A
>>>>> brute force attack would still require iteration of 2^256 inputs. How
>>>>> is that easier?
>>>>> 
>>>> I can try an make it clearer that the 256 bits being referred to is the total size of salt + secret.
>>>> 
>>>> The point we were trying to make is that if the salt is included in the 256 bit input then the attack space is reduced by the size of the nonce.
>>>> If you make the hash bigger then you are still better off making all the entropy secret.
>>>> 
>>>> An example would be having a 128 bit salt that is known and a 128 bit secret.  A brute force attack would require 2^128 inputs rather than 2^256 inputs if it were all secret.
>>>> 
>>>> This came from a request to explain why we don’t have a salt to protect against rainbow table lookup, like passwords.
>>> 
>>> Ah, I see. Though you then have to explain why you are constraining to
>>> 256 bits…
>> 
>> This wouldn't apply to the plain transform.   For the S256 transform having more than 256bits of entropy is just more work for no benefit.
>> 
>> Later someone could define a SHA512 transform if they want to use more entropy, though 256bits is probably enough unless some flaw is found in SHA256.
>> We did debate truncating the hash as 256bits is probably overkill for a single use challenge at this point, but that would have introduced possible implementation errors, and only provide a small saving of message size.
>> 
>> A asymmetric transform is also possible as an extension once we have Token Binding completed and deployed,  but that is future work.
>> 
>> For the moment SHA 256 with 256bits of entropy for the input to generate a key for a single use token, is infeasible to brute force.
> 
> I agree. But we're not debating that, we're debating the claim that
> adding salt reduces attack cost. Which is only true if you add an
> artificial constraint on input size.
> 
>> 
>>> 
>>>>> 2. The introduction says "No client secret is used (since public
>>>>> clients cannot keep their secrets confidential.)". However, a client
>>>>> secret is used. I suspect I know what is intended, but this should be
>>>>> clarified.
>>>>> 
>>>> 
>>>> How about?
>>>> 
>>>> 3) The attacker has access to the client id and client secret (if provisioned).  All native app client-
>>>>     instances use the same client id, and client secret.  Secrets provisioned in client binaries cannot be considered confidential.
>>> 
>>> I think the issue is that "client secret" has meaning independent of
>>> OAuth, but you are using it in the sense that the OAuth standards use
>>> it - perhaps "OAuth client secret" would make this clearer?
>>> 
>> 
>> How about?
>> 
>> 3) The attacker has access to the OAuth client id and OAuth client secret (if provisioned).  All OAuth native app client-
>>     instances use the same client id, and client secret.  Secrets provisioned in client binaries cannot be considered confidential.
> 
> Fine.
> 
>> 
>> John B.
>>>> 
>>>> John B.
>>>> 
>>>> 
>>>>> _______________________________________________
>>>>> secdir mailing list
>>>>> secdir@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/secdir
>>>>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview

v2.23.0 | Report a Bug | By Email