Re: [secdir] Security review of draft-ietf-oauth-dyn-reg-management-12
Ben Laurie <benl@google.com> Fri, 03 April 2015 17:26 UTC
Return-Path: <benl@google.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 123521ACE39 for <secdir@ietfa.amsl.com>; Fri, 3 Apr 2015 10:26:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.389
X-Spam-Level:
X-Spam-Status: No, score=-1.389 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FM_FORGED_GMAIL=0.622, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pfo0lHs7V1n9 for <secdir@ietfa.amsl.com>; Fri, 3 Apr 2015 10:26:21 -0700 (PDT)
Received: from mail-qc0-x22e.google.com (mail-qc0-x22e.google.com [IPv6:2607:f8b0:400d:c01::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8C711ACE37 for <secdir@ietf.org>; Fri, 3 Apr 2015 10:26:20 -0700 (PDT)
Received: by qcay5 with SMTP id y5so92760747qca.1 for <secdir@ietf.org>; Fri, 03 Apr 2015 10:26:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=Y7Kb7CAYEGkhV9B6WOwo7snEt3GNaaHJcffemTzM+Jw=; b=OF0ChbmbOv7HWRaYwrB0HMSzt8L9A1g1g1GAcqKl7cmgSQKK27gz0THtva4Q0KSmlG +Bfp+btykJgNF5CDmQgzxxJ2ja7SG7/6CfBrNKc5XHIC9iMn64cfy8iC/4HEujWYYf4t w5uY3tNWeJjOULD4nD9OwukjPDld6KjnZgbHp3rSTJL6P8iAO1vtTzalh8Acqz8bP95V xlR6g+gi+04Uy13MvMug4Z6+wcVnxhQdp56VOwZAEwa9ICgVuKulo6LdLBLynS7aF5G+ 62w3Lcf0DyBVpGIhLyTzyZjBoowHI04wTeRf/MDCEH7SE2aR+Yc0D3xSYkNeIJrYTeDp Maiw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type :content-transfer-encoding; bh=Y7Kb7CAYEGkhV9B6WOwo7snEt3GNaaHJcffemTzM+Jw=; b=AhXfPLIyntLWde4QfUJCkkOIscy/jVpsaTWYLoYVTDuMpYSwa+Sx/9fqPrAgmnOBar eMVbDyd7chrgWG9jPk0XzCtJS47QyW6aEB4s3tgalRvMWtueYz1ITnB80HnKzdEd1IIh CrOQTLWBOaKcMEnFaeaZ8sIWItiOp43gXWx+Hm5A2jQpPdzIwPAmntuaXO789FepNXUa 4gTdL8zcJ+vK+rDnbYJsF2QVuteJYoJPd/VNRLWm6a9WYFGCDnyUDCLmAeppPA3VzHQR aBgAcY00ZlY609ZG/Pws+uvZHosLwCF7iIJre5r91D1tmxviP8EbQszyeuowdrlPtGhf TF3Q==
X-Gm-Message-State: ALoCoQkrWRa0Msl2yzWFogZ+TEtZ2BPBW0FdCLHdMoixhplzQ0UC60aQuNiQHQNSLdckXpW1D74G
MIME-Version: 1.0
X-Received: by 10.140.217.16 with SMTP id n16mr4047174qhb.82.1428081980217; Fri, 03 Apr 2015 10:26:20 -0700 (PDT)
Received: by 10.229.178.135 with HTTP; Fri, 3 Apr 2015 10:26:20 -0700 (PDT)
In-Reply-To: <951E5D91-BC5D-48CC-8B9C-D88804FB5B87@mit.edu>
References: <CABrd9STmvLWy_Bz7e+pN_0vANxajtD+fMzVM+trwn6+k50Mifw@mail.gmail.com> <118C77E9-FAD2-48C1-A6E1-4D20D219449F@mit.edu> <CABrd9SRVeW5ieSyZSZ3ykT2taZAfKnC7nhnRAf=+BSUKnT-L5A@mail.gmail.com> <951E5D91-BC5D-48CC-8B9C-D88804FB5B87@mit.edu>
Date: Fri, 03 Apr 2015 18:26:20 +0100
Message-ID: <CABrd9SSp3eqH1KB-rHCVtiQ8_m4O_pF4GAB7Pagv24uMPxW=0A@mail.gmail.com>
From: Ben Laurie <benl@google.com>
To: Justin Richer <jricher@mit.edu>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/ZW51z3PpMSqJWGitV80CdXPOleY>
Cc: draft-ietf-oauth-dyn-reg-management.all@tools.ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Security review of draft-ietf-oauth-dyn-reg-management-12
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Apr 2015 17:26:22 -0000
On 3 April 2015 at 18:22, Justin Richer <jricher@mit.edu> wrote: >> >>>> Issue: " Since the client configuration endpoint is an OAuth 2.0 protected >>>> resource, it SHOULD have some rate limiting on failures to prevent >>>> the registration access token from being disclosed though repeated >>>> access attempts." >>>> >>>> I am not sure what this is getting at. Limits on key re-use? Some kind >>>> of BEAST defence? Something else? >>>> >>>> Without some quantification of the threat, it seems hard to act on >>>> this requirement. >>> >>> The rate limiting is going to take a number of different forms depending on the platform and deployment characteristics of the authorization server, so we don’t recommend any particular approach. This is also something that’s going to be changing quickly over the years, and instead of prescribing a specific solution we thought it better to describe the problem here and say that it must be mitigated. >> >> Solution to what? This is precisely my issue - you haven't described >> the problem, you've described a solution to some problem I'm finding >> hard to guess. >> >> In other words: how could the registration access token be disclosed >> through repeated access attempts? > > An attacker could keep poking at a client configuration endpoint with random self-generated tokens until it finds one that works. There’s no oracle attack or other portion that lets the attacker know they’re getting closer to a good token, just a basic repeated hammering of a protected resource This problem is mitigated by having a sufficiently random token (as recommended in RFC6750 and RFC6819) as well as rate-limiting the connections to the endpoint (also suggested by RFC6819). This is fairly common advice for any endpoint protected by a secret (in this case, an OAuth token). Is there a better way to state this so that it’s more clear to developers what they should look out for? How about making it a non-problem by requiring sufficiently strong tokens that there is no possibility of brute force? Mildly astonished that this attack is even considered feasible.
- [secdir] Security review of draft-ietf-oauth-dyn-… Ben Laurie
- [secdir] MTI ... Re: Security review of draft-iet… Hannes Tschofenig
- Re: [secdir] MTI ... Re: Security review of draft… Benjamin Kaduk
- Re: [secdir] MTI ... Re: Security review of draft… Stephen Farrell
- Re: [secdir] MTI ... Re: Security review of draft… Hannes Tschofenig
- Re: [secdir] MTI ... Re: Security review of draft… Kathleen Moriarty
- Re: [secdir] MTI ... Re: Security review of draft… stephen.farrell
- Re: [secdir] MTI ... Re: Security review of draft… Ben Laurie
- Re: [secdir] MTI ... Re: Security review of draft… Radia Perlman
- Re: [secdir] MTI ... Re: Security review of draft… Hannes Tschofenig
- Re: [secdir] MTI ... Re: Security review of draft… Ben Laurie
- Re: [secdir] MTI ... Re: Security review of draft… Stephen Farrell
- Re: [secdir] MTI ... Re: Security review of draft… Kathleen Moriarty
- Re: [secdir] Security review of draft-ietf-oauth-… Ben Laurie
- Re: [secdir] Security review of draft-ietf-oauth-… Ben Laurie
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Kathleen Moriarty
- Re: [secdir] Security review of draft-ietf-oauth-… Justin Richer
- Re: [secdir] Security review of draft-ietf-oauth-… Ben Laurie