IETF Logo Mail Archive

Re: [secdir] Secdir last call review of draft-ietf-oauth-jwsreq-30

Nat Sakimura <nat@nat.consulting> Sat, 31 October 2020 13:14 UTC

Return-Path: <nat@digitalideas.tokyo>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DC25E3A0AA7 for <secdir@ietfa.amsl.com>; Sat, 31 Oct 2020 06:14:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.25, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=nat-consulting.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LusrBLYBop7X for <secdir@ietfa.amsl.com>; Sat, 31 Oct 2020 06:14:13 -0700 (PDT)
Received: from mail-wm1-x32d.google.com (mail-wm1-x32d.google.com [IPv6:2a00:1450:4864:20::32d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 885D03A0AE3 for <secdir@ietf.org>; Sat, 31 Oct 2020 06:13:50 -0700 (PDT)
Received: by mail-wm1-x32d.google.com with SMTP id c9so3663620wml.5 for <secdir@ietf.org>; Sat, 31 Oct 2020 06:13:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nat-consulting.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=oLsijETixkqRmx/2mBPjCimHb2/Y97x6GJZeLRHKsVY=; b=FtqPVE2al2KLDS/7tQ3lbY9809Uq4hR7UDiK0juFNIvRTx1Mgagun2nlCW4axnYQEs 5M+tfbku2q8jl/7qLoo/2xTccW6Pz0ZaeR8WOzMkL5oqyOjfFT6eg9nTu9oeyrdhnne4 xIQp32oKdW/WmmnUio50ceEKPoNwyIg2DFk7zTv1Sqj+I+YVtq2K1DtIsr6mg9uWarP9 tp21E4EJzje8hfPZs7EfcNdXZm9kMw+IeL/YXXSZVYZkzWk1RVpRXB5JrrBGPECWFXFU O6JQpDE9zA8MlonQ0mahvUB779zyJjEX8PD7oxHXX5J5D8d8T6/egBf3y9ZKEIlAnrB4 LhQQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=oLsijETixkqRmx/2mBPjCimHb2/Y97x6GJZeLRHKsVY=; b=OLG47M+pbb3eO3i3ZipiilQGLBhOcerrGfIrzc35koP42eBNBHem1ZSKm7EkE3zaKQ YcAyjgSWVNuxF7j5WHgE7+AGdkrdog13Ab8KDk7rYX039Q9uKGWeX0kQPA6/wIf3bRZk TUYx/FivY12QPbuDIWZVeI1vwvMLE7NxophsuodDRZFy9HNajWrntQH90HzR9hBJ1YFd PhPyEOSQRZwMItoQnJ7FcD/gFnDGsEIUUyULS51k3ydOAFyrU5DjLm+a0CSecU2qVJaz KlX4rU0IjvP4lAJp7/ox48Lb2AHGUeX5qXYnawykIo/inDi5EyScp7FIR/eanIuBnuhk Asbg==
X-Gm-Message-State: AOAM533sRIEbq+TpilcCXgiwlcN+a1itIVH9WOvPoF2ekDEFKYJFPewe SsamAbqbOI/51CKLKzyiK7v4K6As3MqKz6DlSF2z5Q==
X-Google-Smtp-Source: ABdhPJyCqetP57O/TxMPaVaUrVUruYrjFWMdJSt/aBt5a4IsnDnfAKzLCysyVnZzDYZCTJxY7y3d2E+6aY6cp5xPikw=
X-Received: by 2002:a7b:cb13:: with SMTP id u19mr8283754wmj.89.1604150028452; Sat, 31 Oct 2020 06:13:48 -0700 (PDT)
MIME-Version: 1.0
References: <160108120392.5893.18114957198518376382@ietfa.amsl.com>
In-Reply-To: <160108120392.5893.18114957198518376382@ietfa.amsl.com>
From: Nat Sakimura <nat@nat.consulting>
Date: Sat, 31 Oct 2020 22:13:37 +0900
Message-ID: <CAJcjuEKzX1KYOUiU_zmZaQaRR4kdnZBdfFX1tpOiyqDQaCjvcQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: secdir@ietf.org, IETF oauth WG <oauth@ietf.org>, last-call@ietf.org, draft-ietf-oauth-jwsreq.all@ietf.org
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/cloMIgl4q4ib4b9aoK0f3c_MQ44>
X-Mailman-Approved-At: Mon, 02 Nov 2020 00:05:50 -0800
Subject: Re: [secdir] Secdir last call review of draft-ietf-oauth-jwsreq-30
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 31 Oct 2020 13:14:16 -0000

Hi Watson,

Thanks very much for the review. I thought I have sent my response
earlier, which I actually did not. It was sitting in my draft box. I
apologize for it.

My responses inline:

On Sat, Sep 26, 2020 at 9:46 AM Watson Ladd via Datatracker
<noreply@ietf.org> wrote:
>
> Reviewer: Watson Ladd
> Review result: Serious Issues
>
> I generated this review of this document as part of the security directorate's
> ongoing effort to review all IETF documents being processed by the IESG.  These
> comments were written with the intent of improving security requirements and
> considerations in IETF drafts.  Comments not addressed in last call may be
> included in AD reviews during the IESG review.  Document editors and WG chairs
> should treat these comments just like any other last call comments.
>
> Two minor issues: On page 4, "This offers an additional degree of privacy
> protection." should be reworded. I don't think it makes sense in context, where
> authenticity was discussed.


In the course of the edit, explanation about two distinct privacy
benefits was collated in one sentence and has become very difficult to
parse.

What it is trying to express as privacy benefits are the following.

1) The authorization request content is sent to the AS in the
backchannel so it will not be exposed through the browser to the eyes
of an active or passive outsider observing what is going on in the
browser.  In the RFC6749 framework case, the authorization request
goes through the browser redirect and it could leak to the adversary
via WPAD/PAC Attack, referrer, browser history, etc. Also, if the
browser was infected by an adversary controlled malware, the content
can be sniffed by the adversary. In the case of JAR, it does not
happen. This is one privacy benefit it is trying to explain.

2) The location that the authorization request is getting pushed to
does not have to be the AS. A trusted third party that examines the
content for the conformance to the collection minimization principle
may act as the party that accepts the authorization request and issues
the request_uri. AS can then just evaluate the domain part of
request_uri to evaluate that the authorization request is conformant
to this principle. This is another privacy benefit from the point of
view of the individual user.


> It took me a while to understand what the by reference method is: maybe the
> intro should say via URL instead of by reference.


request_uri can be URL or a handle such as URN. That is why the "by
reference" word is being used, per the suggestion of the WG.

>
>
> And now for the thorny issues with this draft. Signatures and encryption are
> different. And encrypting a signed blob doesn't mean the signer encrypted it.
> Then there are a plethora of methods specified in the draft  to authenticate
> the blob, which will give different results in maliciously constructed
> examples. The security considerations section should discuss what the encrypted
> vs signed choices give in the way of security, and it doesn't. This makes me
> worry.

We don’t expect the encryption to ensure authenticity, that’s what the
signatures are used for.

Note; All JWE encryption suites are AEAD. So, if only confidentiality
with integrity protection is sought, that would suffice. However, it
does not prove that it did not get tampered before it was encrypted
nor prove that it really came from the issuer.
Thus, just encrypting the authorization request does not fulfil the
security property that we want.
That is why it is presenting two modes:

(a) JWS Signed; and
(b) JWS Signed and encrypted.

If what is sought is only the source authentication, integrity
protection and non-repudiation, (a) suffices.
On the other hand, if the request object that includes some sensitive
data is being sent to the AS via redirect,
one may want to further encrypt it so (b) is also provided.

I didn't quite get what is meant by "plethora of methods specified in
the draft to authenticate the blob ... "
There is a bit of text about authenticating the source (=client) but
not much on the blob itself.
The discussion around the signature and/or encryption is covered in
RFC7519 (JWT), the format that the request object assumes.
This is required reading when implementing this spec, so WG thought it
is not worth repeating here.
Attacks etc. on the signature and encryption are covered in RFC7515
and RFC7516 respectively.

>
> Looking at the cited reference for attacks, I see the fix is to include
> information about which IPD was used by the RP. But the draft before us doesn't
> mandate that. It's not clear than how the cited attack is prevented by the
> draft. Saying that the communication through the user-agent is subject to

The mention of mix-up attack was introduced after the Last call by one
of the comment. It just added it in the sentence with a reference. I
am ok to remove it.

Having said that, the heart of mix-up attack is that the combination
of the client believes that it is communicating with the
attacker-controlled AS (AAS) while it in-fact is talking to Honest AS
(HAS), AND HAS unable to find out that the client is thinking that it
is talking to AAS not him.

OAuth JAR seems to mitigate it in two ways:

a) Use request_uri which is hosted by the AS. Then, if the client is
thinking that it is talking to the AAS, then it will push it to AAS
and when the user is redirected to HAS, HAS will find out that the
request_uri is not created by herself and return an error, making the
mix-up attack fail.

b) Include `aud` in the request. Then, when the HAS will find that the
request was minted to AAS and not her. So, it will result in an error,
making the mix-up attack fail.

So, I added mix-up attack to the sentence thinking the commenter's
request to add it is fine, but I am fine with removing it.

> manipulation, and this prevents it, ignores that the attacker in that position
> sees a lot more. The user-agent as resource owner modifying the requested
> resources is a very funny sort of attack: can't they do what they want with the
> resources since they control the access?

If the client is in the browser, yes.
But in the mainstream case, the client is not in the browser but the
web-server that the browser is communicating with and the resource
access happens without being mediated by the browser.

>
>
> Key management is ignored. This is a very important issue, especially

A lot of ground is covered by RFC 7515, 7516, 7517, 7518, 7519, 7591,
and 8414 so this document is not specifically restating them.

>
> considering the potential problems with the reuse of JWT. I'd like to see a

Are you talking about the reuse of the request object by an adversary
trying to act as an honest client?
Even if it happens, the malicious client does not have the proper
client credential so it cannot redeem the code it obtained with the
token. It is no different than RFC6749 code grant. Protocols that
extend it, such as OpenID Connect, have introduced nonce to prevent
the reuse and used JAR (it is called request object there) to further
protect tampering and achieve client authentication even in the front
channel.

> recommendation that keys be separated by intended uses, rather than limiting
> particular fields in an ad-hoc manner.

Could you kindly elaborate on the "ad-hoc manner" part so that I can
understand it more fully?

>
>
> Then we have section 11. What section 11 introduces is an entire new dramatis
> personae, the Trust Framework Provider, with no prior discussion of what it is
> or a reference to where it is defined and a good number of statements about how
> it works that aren't really  clear what they mean from the document to me.

Trust Framework Provider first appears in 5.2.1.
At the time of writing the related text, it was a pretty well-known
concept. In the United State, it was part of its National Strategy
(NSTIC) and internationally, it was even taken up at WEF Davos
meeting. It is quite surprising that such a mainstream concept faded
into obscurity so quickly. The reason for introducing it was to a)
justify request_uri as some WG members wanted it to be removed, b)
justify that requst_uri to be served from a different domain. Now that
people appreciate it, e.g., it can be seen from PAR, the justification
for a) probably is no longer required. A full explanation for b) would
probably be a much longer text but I doubt if it belongs to this
document. I am fine with removing the reference to Trust framework
etc. as long as the capability to push the authorization request to a
place other than the client or the authorization server is not
removed.

>
> My biggest concern is that these issues are signs that the problem this draft
> is trying to solve and the mechanisms to solve it haven't been analyzed as
> thoroughly as they should have been. Without that sort of thorough analysis
> it's not certain that the mechanisms actually solve the problem and it's not
> clear what the recommendations to implementers have to be to preserve those
> properties.

OAuth JAR, as the name "The OAuth 2.0 Authorization Framework: JWT
Secured Authorization Request (JAR)" suggests, is a framework and not
a house itself. One such example is FAPI [1] which was formally
verified [2].

[1] https://bitbucket.org/openid/fapi/src/master/Financial_API_WD_002.md
[2] https://arxiv.org/abs/1901.11520

>
> Obviously this draft has had a long and tortured history with multiple reviews,
>  and what I'm suggesting needs to happen is a lot of work. But it's essential
> in any security protocol to do this analysis and be clear about what is, and
> what is not, protected by the protocol.

OAuth JAR is nothing but just another binding to OAuth 2.0. Where RFC6749
binds it to form encoding, it provides two additional bindings:
    1) binding to JWT, and
    2) binding to the pushed authorization request that is referenced by a URI.
It is this simple. As such, it would also inherit some of the
shortcomings in RFC6749. However, it is not this document to address
them. It should be done by other documents so that the result can be
encoded using the mechanisms provided in this document.

It is quite surprising that this fact is not getting appreciated and
is taking such a long time to complete.
Maybe I should delete all the explanation text and leave it with just
the core text. Explanation and justification text for defining
additional bindings probably are just distractions now as it is now
appreciated and used all over the world unlike when the project was
started.

>
> Sincerely,
> Watson Ladd
>

Thanks again for your detailed comments.

Best wishes,

--
Nat Sakimura
NAT.Consulting LLC

v2.23.0 | Report a Bug | By Email