Re: [secdir] [Ace] Secdir last call review of draft-ietf-ace-oauth-authz-27

Ludwig Seitz <ludwig_seitz@gmx.de> Sat, 14 December 2019 11:58 UTC

Return-Path: <ludwig_seitz@gmx.de>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0CDC412007C; Sat, 14 Dec 2019 03:58:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=gmx.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7pbg6ysrBLxU; Sat, 14 Dec 2019 03:58:36 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 16A7812006B; Sat, 14 Dec 2019 03:58:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1576324709; bh=4heapEDiKbnSADfYNhNKEJBr53zZBckMHqqWNiCnCBo=; h=X-UI-Sender-Class:Subject:To:References:Cc:From:Date:In-Reply-To; b=aVOPiRQxLDaUTUCDsLUxTO/wbF0sloY5H9vzFUH4eQn4gWayLnd+/ixUA4MV3jf2m ee78+duYSjBnGtYyYRXVzcisNzTA/oLhE8MzT2KqdaSrW35voaJ6W0m3dZrS2uzBTS 5zZGGPl/q1+pGb3fwXO6FK4K/SFYhr+nGqNXIRYQ=
X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c
Received: from [192.168.1.220] ([84.217.44.37]) by mail.gmx.com (mrgmx004 [212.227.17.190]) with ESMTPSA (Nemesis) id 1MjS5A-1i0jhH24Zm-00kxyN; Sat, 14 Dec 2019 12:58:29 +0100
To: kent@alum.mit.edu, secdir@ietf.org
References: <157582913296.4934.15140560361782598959@ietfa.amsl.com>
Cc: ace@ietf.org, last-call@ietf.org, draft-ietf-ace-oauth-authz.all@ietf.org
From: Ludwig Seitz <ludwig_seitz@gmx.de>
Message-ID: <bb10ffa0-ea6d-70db-4957-8b9abd5a5ddf@gmx.de>
Date: Sat, 14 Dec 2019 12:58:22 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.2.1
MIME-Version: 1.0
In-Reply-To: <157582913296.4934.15140560361782598959@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
X-Provags-ID: V03:K1:+mkxzRcWwP0fa7gDAha7g44bWMAK4REqDro7md6batoFV41eG+l zllYqfO0SV0qAx4gCCZB5IHEqWUxJT9i3DR0YaifrPpGm+uLvOFXw8mw067ESI6OUPmoGFH tVIhE52yM0mnSOYBAN080y1oDTttRjJsy2xHBk5oWdvdAqzCBnY4WBVU868qTIznT3SLIxH tG/doB6osIe1rpi/tIdpg==
X-UI-Out-Filterresults: notjunk:1;V03:K0:tWM5mC1rLfo=:wEtnKc0lXjs34KvXsgMqv5 +T503+YAPW8QpI3CQPPx2gH9lvccvSbsIICyuGZptgegwh2U5a3kOleAo/ofccT3o9/u8q2WE HvH+g/bmn2aOz8pKdKQdo/f9Ot3YLsvFicT7JU4lncAbuPagkQAzRIHj9LC4d8gugMBoewniA IcouvYnVIExbUN+8NlHO4f5TV4Gn0e1exks5Lu2MTtczrTtxdOy92rEih04nDoRw5AWkj5MTU YT8YLZ9wISRJZpGRDcYf0f+F1wBn3Vd8Xaqa1gbEp0mgF/cvIVEhkr4FwaY/jz/CtbDJ+HLyW Hw9PQdg+iogVMvrNIqPfBSxNdqPRnJ835ACssK+BhDE8wLOD++35xi8HKNq6w4kQIGlrBBQqj SfsjcyCxWkCg+VKIJpJeGPQmAsLVPB2Q+OL/LWt1Y2yI61+TG63UCW/DK28V5LaiUkRORZ2Yt s5vTR4OqbHVY4jDpfDwzpaSPxfv5oLIHZni93YvK2k7R5qzBodBBzxvU7PZkAgRS6OsKav2zf l1hU3XJlpilSQe8UppaDmOMbyvL4Z+Mg0tT5PVE2JuKiGCopFF/wD52CfB/KVul/SBeR4Zldi PxDQ23mjnXXgfPPfnsaLGTWc/x11x1SRiMugfZaS3c/fqWh1Fke2x98x0oyEtF2KxC6ehH9Or MGwR+uA6kxiqTZ08F5T2rusDG+75oAHYw+p4v1MKQtIVXhGd8qaoqLv+107MLrxj57iwb3pRV b9Jb+hZZ66KtCG4NDw8AZ+fiRmByGtdlPtKTuqjGUSoWzSjzONc0MX0L3bFNelELO4vApBHvm p5jBOT5GLK93/MeynT7J5rgFGZvN1shm/YJOB8Q+ieM9oYlbUF3LM5II+cr8pSA4xCIXRuTKA n2V96beza4nAR/D4rU1NUNRhMDG2ohxhBLqQx2aNIYuls88jzdxaNy6VWBpl7O20PD23ew0zu IzJE73oc7ame0j1ne0qaKuMpRfRsPuzySVUds5JzR1Pzjc246z7dBzPnzHe7ZOW7oH4A/mWdh ZG7yh4hXperPU18m3akMgQT8PiRdGYG38KzqFsQEDJsyQy1mLnJ3vASvnMatd9BWJtiu0fcJP YzxfUf/Pn9R2GNCmf1yGtkNh4MUgrsUOnH7kNSuBdxJRv21kfFJhG/mTTOFBpP1dv2+zHKJNG 8EC6+Q6GrtnTe5+fVni0b39d3VMXtdl53+OdeZJDfOKEo2/6Np1JgixniiUlGBijqKArmDMa8 YB21M3orDoSIB+y8X3Zp2ILN2pk76vE9k103ra0XBf1QVYiTEUgTNlmgybRE=
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cEZPZjo5stUgk3g3o3st8tioyXs>
Subject: Re: [secdir] [Ace] Secdir last call review of draft-ietf-ace-oauth-authz-27
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 14 Dec 2019 11:58:40 -0000

On 2019-12-08 19:18, Stephen Kent via Datatracker wrote:
> Reviewer: Stephen Kent
> Review result: Has Issues
>
> SECDIR review of draft-ietf-ace-oauth-authz-27
>
> The summary of the review is almost ready, but needs some revisions.
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG.  These
> comments were written with the intent of improving security requirements and
> considerations in IETF drafts.  Comments not addressed in last call may be
> included in AD reviews during the IESG review.  Document editors and WG chairs
> should treat these comments just like any other last call comments.
>

Thank you for your helpful review Stephen. I have some follow-up
questions inline.

I will submit a draft update as soon as possible, note that this may be
delayed by my affiliation change.

Regards,

Ludwig


> This is a long document- 86 pages! It is a proposal for how to use OAuth 2.0
> and CoAP to provide authorization security for Internet of Things (IoT)
> devices. IoT devices are often criticized as not being very secure, so this
> seems like a useful initiative. RFC 7228 (Technology for Constrained-Node
> Networks, and Informational document) is cited as inspiration and reference for
> this work. CoAP (RFC 7252) is expressly designed for the sort of environment
> that characterizes many IoT devices, hence is seems a natural choice for this
> authorization-focused framework. OAuth is not as obvious a candidate building
> block in this context, e.g., it is expressly designed for the HTTP context, yet
> CoAP is cited as the replacement for HTTP. This document adapts OAuth for the
> CoAp context.

As Ben stated the ACE WG has had extensive discussions on which solution
to choose, and the OAuth model has the advantage of being able to
temporally decouple the authorization decision from the actual resource
access, which enables several use cases involving devices with
intermittent connectivity (note that several other proposals had the
same design property). Furthermore the possible re-use of OAuth
specifications was seen as favorable when the final decision was made to
go forward with this solution.


> This document has an extensive, 6-page Security Considerations section,
> appropriate for a document specifying an authorization framework. It begins by
> citing the OAuth 2.0 specification, the OAuth 2.0 threat model (RFC 6819), and
> OAuth 2.0 Token Introspection (RFC 7662).  All three of these documents are
> relevant, and they contain substantial Security Consideration sections.
>
> Section 6.1 deals with security for the tokens that are transmitted to convey
> authorization information. In general the requirements and advice provided here
> are good; I would prefer to see the admonition against use of a shared secret
> key for a group of serves to be a MUST NOT, as opposed to just NOT RECOMMENDED.

Ok, will fix.

> I am not convinced that the suggestion for short lifetime tokens is necessary;
> we have seen how short duration certificate lifetimes and frequent CRL issuance
> in PKI contexts often is neither required nor advisable.

In constrained environments with intermittent connectivity, short token
lifetime is seen as an advantage, as it might be hard to convey
revocation decisions or other changes of access rights to offline
devices. The short token lifetime limits the window of exposure, if a
token and the corresponding proof-of-possession credentials get stolen.
I would therefore prefer to keep that paragraph as it is.

> This section ends by
> noting that only client-initiated revocation of tokens is addressed by RFC
> 7009. The authors note that revocation of long lifetime token remains an open
> issue. If this is likely to be a common case for IoT devices, leaving this as a
> TBD is not great.

The situation is the same as for OAuth 2.0. The short token lifetime is
often given as an explanation why a revocation mechanism is not really
needed.
We have however submitted a proposal for a revocation mechanism in
https://datatracker.ietf.org/doc/draft-tiloca-ace-revoked-token-notification

>
> Section 6.2 addresses communication security issues. The section opens by
> requiring an authorization server to offer confidentiality for client
> interactions, but the wording implies that a client need not make use of such
> protection. The reader is reminded that security requirements expressed in
> Section 5 of this document (a 25-page long section) MUST be addressed by a
> profile. I’d prefer to see references to specific parts of Section 5 that
> expressly addresses confidentiality, so that a reader can better understand
> when it is safe to reject the offer of confidentiality by a server.

The implication you read from the text was not intended, section 5
clearly specifies that confidentiality is mandatory.  This is addressed
in the body part of that section (4th paragraph). I'm a bit at a loss on
how to make that more apparent, so that the reader does not go an a
fruitless hunt in the subsections of section 5. Any suggestions are most
welcome.
In the meantime I will adjust the wording to clarify that
confidentiality is mandatory.
Note that Appendix C collects all requirements on profiles and lists the
specific subsection where they appears.

> Encryption
> of CWTs is used as an example, which is appropriate because CBOR CWT is the
> default token format. The final paragraph of this section says that “developers
> MUST ensure that … ephemeral credentials … are not leaked to third parties.”
> This is good advice, but since adversaries are assumed to have physical access
> to IoT devices, the scope of this mandate is not clear. For example, is this
> text arguing for use of tamper-resistant hardware for storing private or
> session keys in IoT devices?

I guess it is up to the security level required by the specific
application. I physical key extraction attack is not trivial, so the
value of the protected asset has to be gauged against the additional
cost for tamper-resistant hardware.
A more simple, but less secure mitigation could e.g. be to glue over
interfaces that an attacker could use for key extraction (e.g. debug
ports) if they are not needed for normal operations.

Would you like to have such considerations added to this section?

>
> Section 6.3 focuses on long-term credentials. The sections begins by noting the
> challenges associated with providing protection for such credentials in devices
> in publicly-accessible locations, explicitly referring to specialized hardware.
> This a good, clear statement, not like the ambiguous MUST at the end of 6.2.
> The text requires that compromise of a credential at one device MUST NOT lead
> to compromise of other credentials not linked to the device in question.
> However, the next sentence says that sharing of secret (and, presumably,
> private) keys is NOT RECOMMENDED. This is a somewhat inconsistent pair of
> statements; if secret keys are shared, then the MUST NOT will be violated,
> right? Why not just say that secret keys MUST NIOT be shared across devices?

Agreed, will fix.

> The section states that operators should have procedures to replace credentials
> that have been (or are suspected to have been) compromised. Why is this
> admonition not a SHOULD? The mildly-worded (“… also need to …) advice about
> decommissioning devices seems minimally helpful. If this is important than make
> it a SHOULD, if it’s not, then RECOMMEND it.

Ageed, I will make both a SHOULD.

>
> Section 6.5 summarizes the “minimal” communication security requirements for
> the elements of the system described in this document (clients, AS’s and RS’s).
> I think it’s useful to collect these requirements in one place, although they
> have been described in various parts of Section 5. Unfortunately, the first
> sub-section seems to contradict Section 6.2! Specifically the text here says
> that all communication between a client and an AS MUST be encrypted, where as
> 6.2 requires only that an AS offer confidentiality. This inconsistency needs to
> be reconciled.

The rewriting of 6.2 should fix this inconsistency.

> The next subsection seems to be consistent. The final subsection
> (C-RS) notes the challenges of initial C/RS communication, and offers some
> suggested approaches. Some of the wording here is awkward. For example, the
> text notes that DTLS with server-side authentication “can be possible and are
> RECOMMENDED if supported by both parties.”  It would be better to state that
> “DTLS with server-side authentication is a RECOMMENDED mechanism for use in
> this context, and SHOULD be employed if supported by both the C and the RS.”
>

I'll try to rephrase to make it more readable.


> Section 6.6 deals with token lifetimes. The section begins by suggesting use of
> nonces (as described in 5.1.2) to counter replay attacks in the event of “clock
> drift” between an RS and an AS. I appreciate the analysis of mechanisms that
> can be used to address the clock drift issue, including the discussion of
> potential problems associated with using nonces in the face of a reboot.
> However, the text provides no indication of how much “drift” is tolerable, vs.
> when use of nonces is needed, and 5.1.2 does not even mention clock drift.
> Perhaps the text can be revised to provide additional advice re clock drift.
>

I will add a paragraph about that noting that the critical factors are
the lifetime time of a token (lifetime >> clock drift), and the
criticality of timely expiration.

> Section 6.7 very briefly discussed the issue of combining profiles. The bottom
> line is that the security of a profile MUST NOT depend on the assumption that
> the profile is used exclusively throughout a given deployment. That’s a nice,
> straightforward warning!
>
> Section 6.8 discusses circumstances in which data is transmitted and may not
> encrypted, e.g., error messages. The discussion here is fairly clear, and
> includes a RECOMMENTATION and a MUST, as well as an analysis of potential risks
> associated with transmitting different types of information w/o confidentiality
> protection. The section title says “unprotected” but this discussion focuses
> only on confidentiality, so a more descriptive title might help.

I added a sentence instead that also points out the option that active
attackers may manipulate unprotected information to induce incorrect
behavior.

/Ludwig