[secdir] Secdir last call review of draft-ietf-ace-oauth-authz-27

Stephen Kent via Datatracker <noreply@ietf.org> Sun, 08 December 2019 18:18 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 1871E12002E; Sun, 8 Dec 2019 10:18:53 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Stephen Kent via Datatracker <noreply@ietf.org>
To: <secdir@ietf.org>
Cc: last-call@ietf.org, draft-ietf-ace-oauth-authz.all@ietf.org, ace@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.111.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Stephen Kent <kent@alum.mit.edu>
Message-ID: <157582913296.4934.15140560361782598959@ietfa.amsl.com>
Date: Sun, 08 Dec 2019 10:18:53 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/QngyQ5jseC-p6Mq-umLX7DTFa9M>
Subject: [secdir] Secdir last call review of draft-ietf-ace-oauth-authz-27
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 08 Dec 2019 18:18:53 -0000

Reviewer: Stephen Kent
Review result: Has Issues

SECDIR review of draft-ietf-ace-oauth-authz-27

The summary of the review is almost ready, but needs some revisions.

I have reviewed this document as part of the security directorate's ongoing
effort to review all IETF documents being processed by the IESG.  These
comments were written with the intent of improving security requirements and
considerations in IETF drafts.  Comments not addressed in last call may be
included in AD reviews during the IESG review.  Document editors and WG chairs
should treat these comments just like any other last call comments.

This is a long document- 86 pages! It is a proposal for how to use OAuth 2.0
and CoAP to provide authorization security for Internet of Things (IoT)
devices. IoT devices are often criticized as not being very secure, so this
seems like a useful initiative. RFC 7228 (Technology for Constrained-Node
Networks, and Informational document) is cited as inspiration and reference for
this work. CoAP (RFC 7252) is expressly designed for the sort of environment
that characterizes many IoT devices, hence is seems a natural choice for this
authorization-focused framework. OAuth is not as obvious a candidate building
block in this context, e.g., it is expressly designed for the HTTP context, yet
CoAP is cited as the replacement for HTTP. This document adapts OAuth for the
CoAp context.

This document has an extensive, 6-page Security Considerations section,
appropriate for a document specifying an authorization framework. It begins by
citing the OAuth 2.0 specification, the OAuth 2.0 threat model (RFC 6819), and
OAuth 2.0 Token Introspection (RFC 7662).  All three of these documents are
relevant, and they contain substantial Security Consideration sections.

Section 6.1 deals with security for the tokens that are transmitted to convey
authorization information. In general the requirements and advice provided here
are good; I would prefer to see the admonition against use of a shared secret
key for a group of serves to be a MUST NOT, as opposed to just NOT RECOMMENDED.
I am not convinced that the suggestion for short lifetime tokens is necessary;
we have seen how short duration certificate lifetimes and frequent CRL issuance
in PKI contexts often is neither required nor advisable. This section ends by
noting that only client-initiated revocation of tokens is addressed by RFC
7009. The authors note that revocation of long lifetime token remains an open
issue. If this is likely to be a common case for IoT devices, leaving this as a
TBD is not great.

Section 6.2 addresses communication security issues. The section opens by
requiring an authorization server to offer confidentiality for client
interactions, but the wording implies that a client need not make use of such
protection. The reader is reminded that security requirements expressed in
Section 5 of this document (a 25-page long section) MUST be addressed by a
profile. I’d prefer to see references to specific parts of Section 5 that
expressly addresses confidentiality, so that a reader can better understand
when it is safe to reject the offer of confidentiality by a server. Encryption
of CWTs is used as an example, which is appropriate because CBOR CWT is the
default token format. The final paragraph of this section says that “developers
MUST ensure that … ephemeral credentials … are not leaked to third parties.”
This is good advice, but since adversaries are assumed to have physical access
to IoT devices, the scope of this mandate is not clear. For example, is this
text arguing for use of tamper-resistant hardware for storing private or
session keys in IoT devices?

Section 6.3 focuses on long-term credentials. The sections begins by noting the
challenges associated with providing protection for such credentials in devices
in publicly-accessible locations, explicitly referring to specialized hardware.
This a good, clear statement, not like the ambiguous MUST at the end of 6.2.
The text requires that compromise of a credential at one device MUST NOT lead
to compromise of other credentials not linked to the device in question.
However, the next sentence says that sharing of secret (and, presumably,
private) keys is NOT RECOMMENDED. This is a somewhat inconsistent pair of
statements; if secret keys are shared, then the MUST NOT will be violated,
right? Why not just say that secret keys MUST NIOT be shared across devices?
The section states that operators should have procedures to replace credentials
that have been (or are suspected to have been) compromised. Why is this
admonition not a SHOULD? The mildly-worded (“… also need to …) advice about
decommissioning devices seems minimally helpful. If this is important than make
it a SHOULD, if it’s not, then RECOMMEND it.

Section 6.4 discusses the challenges associated with securing initial
communication  between a client and a resource server (RS). This communication
makes use of the (appropriately-named) Creation Hints message defined in 5.1.2.
 The basis mechanism suggested here is use of a (possibly hard coded) list of
trusted authorization servers (AS’s) and associated credentials, e.g.,
certificate fingerprints. The discussion here notes the potential for a DoS
attack against an AS by a compromised RS, by having clients sends requests to
the targeted AS. This is a useful comment, after noting that compromise of an
RS would not cause an AS to grant requests to clients that it is not serving.

Section 6.5 summarizes the “minimal” communication security requirements for
the elements of the system described in this document (clients, AS’s and RS’s).
I think it’s useful to collect these requirements in one place, although they
have been described in various parts of Section 5. Unfortunately, the first
sub-section seems to contradict Section 6.2! Specifically the text here says
that all communication between a client and an AS MUST be encrypted, where as
6.2 requires only that an AS offer confidentiality. This inconsistency needs to
be reconciled. The next subsection seems to be consistent. The final subsection
(C-RS) notes the challenges of initial C/RS communication, and offers some
suggested approaches. Some of the wording here is awkward. For example, the
text notes that DTLS with server-side authentication “can be possible and are
RECOMMENDED if supported by both parties.”  It would be better to state that
“DTLS with server-side authentication is a RECOMMENDED mechanism for use in
this context, and SHOULD be employed if supported by both the C and the RS.”

Section 6.6 deals with token lifetimes. The section begins by suggesting use of
nonces (as described in 5.1.2) to counter replay attacks in the event of “clock
drift” between an RS and an AS. I appreciate the analysis of mechanisms that
can be used to address the clock drift issue, including the discussion of
potential problems associated with using nonces in the face of a reboot.
However, the text provides no indication of how much “drift” is tolerable, vs.
when use of nonces is needed, and 5.1.2 does not even mention clock drift.
Perhaps the text can be revised to provide additional advice re clock drift.

Section 6.7 very briefly discussed the issue of combining profiles. The bottom
line is that the security of a profile MUST NOT depend on the assumption that
the profile is used exclusively throughout a given deployment. That’s a nice,
straightforward warning!

Section 6.8 discusses circumstances in which data is transmitted and may not
encrypted, e.g., error messages. The discussion here is fairly clear, and
includes a RECOMMENTATION and a MUST, as well as an analysis of potential risks
associated with transmitting different types of information w/o confidentiality
protection. The section title says “unprotected” but this discussion focuses
only on confidentiality, so a more descriptive title might help.

Section 6.9 provides guidance on how to deal with the ambiguity of how to match
an “audience” value to a specific resource server. The authors admit that the
Section 5 discussion about the (optional) audience parameter in the OAuth token
is vague. They note that this is intentional, to accommodate a wide range of
deployment scenarios.  Thus the discussion in this section provides guidance
for several scenarios. This is a reasonable way to deal with the ambiguity from
Section 5.

Section 6.10 examines denial of service attacks in the context of
“introspection,” an optional aspect of OAuth which may be employed in this
framework. The text examines two DoS attacks, one against resource servers and
one against authorization servers, and suggests mitigations for both.

Section 7 discusses privacy implications of the proposed framework. The
discussion here is useful, addressing a set of concerns that arise due to
client interactions with the AS and RS elements of the framework.