Re: [secdir] Secdir review of draft-ietf-oauth-spop-11
John Bradley <ve7jtb@ve7jtb.com> Sat, 06 June 2015 02:32 UTC
Return-Path: <ve7jtb@ve7jtb.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C57261A90C0 for <secdir@ietfa.amsl.com>; Fri, 5 Jun 2015 19:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JCkZaWlLd1ic for <secdir@ietfa.amsl.com>; Fri, 5 Jun 2015 19:32:54 -0700 (PDT)
Received: from mail-qk0-f171.google.com (mail-qk0-f171.google.com [209.85.220.171]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 63EA01A8F4E for <secdir@ietf.org>; Fri, 5 Jun 2015 19:32:54 -0700 (PDT)
Received: by qkhg32 with SMTP id g32so49687840qkh.0 for <secdir@ietf.org>; Fri, 05 Jun 2015 19:32:53 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:content-type:mime-version:subject:from :in-reply-to:date:cc:message-id:references:to; bh=IbayePrmpm4RAW27rOMIW0If1LJegngE7UQ9ObM/m5w=; b=Gal68DohvsIjqc230xYr28iu//laqFnlyvD04xdcH65eWJ50YR4742jVfNJD0tt1Dd CUgakqMWLFm1sKPFHiNl8QhrhmNIjOJm1mqrtsDFoVoZp0gis6sNsaIaRMzsDvBoL5Y5 8GcdQjcTIbIsc1YVldA18RkT6A5X0CS+yRep2wjSn3yZfM0fO8jAswnD17y3JVf/wSNX MAdBY8C/DBmY48Qa/wwSopTuUj3o7wk140luZtXM4Ai4DVgvqrPZLNFjvIbVtI2W6rAQ Jzvcem6dJDjWiIsRuVTTwj038ZdFvbM+xV3v6JoTu7eQbBPflhkZs4O76IrMw5uJv9yT ep4A==
X-Gm-Message-State: ALoCoQlYeyNPv0wLnvmT/+SOlQA/oKu37tfI9iMlAfUQ4GzFftgGrdMtYi9iyCqggjvnWBvNHipB
X-Received: by 10.55.26.165 with SMTP id l37mr12251889qkh.88.1433557973503; Fri, 05 Jun 2015 19:32:53 -0700 (PDT)
Received: from [192.168.1.216] (186-106-183-184.baf.movistar.cl. [186.106.183.184]) by mx.google.com with ESMTPSA id 84sm4803507qha.47.2015.06.05.19.32.45 (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 05 Jun 2015 19:32:52 -0700 (PDT)
Content-Type: multipart/signed; boundary="Apple-Mail=_1BCBDC07-BA85-4813-AB91-3366321DCE56"; protocol="application/pkcs7-signature"; micalg="sha1"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
From: John Bradley <ve7jtb@ve7jtb.com>
In-Reply-To: <CABrd9STRbh4OFtSKcrgjpUJWBFkkstYqqqmiFCNbtkKqCxJ3tA@mail.gmail.com>
Date: Fri, 05 Jun 2015 22:48:00 -0300
Message-Id: <EC70A4CD-44F5-4BA8-9955-BABBA551863F@ve7jtb.com>
References: <CABrd9SQ68C1j3sax73mEmkZCgxgQZtB6=L8m6aDR-fj9yF1kyw@mail.gmail.com> <A52DB2EA-4969-408A-81C8-36DB2988E938@ve7jtb.com> <CABrd9STRbh4OFtSKcrgjpUJWBFkkstYqqqmiFCNbtkKqCxJ3tA@mail.gmail.com>
To: Ben Laurie <benl@google.com>
X-Mailer: Apple Mail (2.2098)
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/umk57IE97E-XWFYaDpgNTTFLsPA>
Cc: draft-ietf-oauth-spop.all@tools.ietf.org, The IESG <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] Secdir review of draft-ietf-oauth-spop-11
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 06 Jun 2015 02:32:56 -0000
inline > On Jun 5, 2015, at 11:56 AM, Ben Laurie <benl@google.com> wrote: > > On 5 June 2015 at 14:54, John Bradley <ve7jtb@ve7jtb.com> wrote: >> Thanks for the review Ben. >> >> The security issue is well known to Apple and the subject of debate for some time. >> >> OAuth states native applications SHOULD use the system browser to train users not to expose credentials to applications. >> >> Apples approach to this point has been to recommend application developers use web views to get around the feature/security issue of insecure inter application communications. >> >> This is documenting the work around that Google , Ping, T-Mobile and others have in production to work around the issue of multiple applications being allowed to register the same custom scheme and not prompting the user about what app to return to. >> >> Prompting the user as on Android is only a partial solution as users are not perfect. So doing a proof for code is not a bad thing, and may prevent new attacks on public clients. >> >> The OIDF NAPPS working group is working with MDM vendors, Google, Microsoft (for there apps on other platforms), to develop a better identity API approach for native apps. >> We are hoping that can provide a better long term solution for platforms. >> >> I will also note that custom per IdP API solutions have not always worked. Facebook has recently abandoned the custom solution apple provided them with in iOS as apple was not able to keep up with changes on the Facebook side. >> >> From a protocol point of view this was the best we could come up with to deal with the issue now. >> >> Inline. >>> On Jun 5, 2015, at 9:44 AM, Ben Laurie <benl@google.com> wrote: >>> >>> I have reviewed this document as part of the security directorate's >>> ongoing effort to review all IETF documents being processed by the >>> IESG. These comments were written primarily for the benefit of the >>> security area directors. Document editors and WG chairs should treat >>> these comments just like any other last call comments. >>> >>> Status: ready with issues. >>> >>> It is disappointing that such a protocol must be introduced to work >>> around security deficiencies in application platforms - have these >>> security issues been reported to vendors? >>> >>> Anyway, issues: >>> >>> 1. Security consideration says: "Concatenating a publicly known value >>> to a code_challenge >>> (with 256 bits of entropy) and then hashing it with SHA256 would >>> actually reduce the entropy in the resulting code_verifier making it >>> easier for an attacker to brute force." This makes no sense. A >>> brute force attack would still require iteration of 2^256 inputs. How >>> is that easier? >>> >> I can try an make it clearer that the 256 bits being referred to is the total size of salt + secret. >> >> The point we were trying to make is that if the salt is included in the 256 bit input then the attack space is reduced by the size of the nonce. >> If you make the hash bigger then you are still better off making all the entropy secret. >> >> An example would be having a 128 bit salt that is known and a 128 bit secret. A brute force attack would require 2^128 inputs rather than 2^256 inputs if it were all secret. >> >> This came from a request to explain why we don’t have a salt to protect against rainbow table lookup, like passwords. > > Ah, I see. Though you then have to explain why you are constraining to > 256 bits… This wouldn't apply to the plain transform. For the S256 transform having more than 256bits of entropy is just more work for no benefit. Later someone could define a SHA512 transform if they want to use more entropy, though 256bits is probably enough unless some flaw is found in SHA256. We did debate truncating the hash as 256bits is probably overkill for a single use challenge at this point, but that would have introduced possible implementation errors, and only provide a small saving of message size. A asymmetric transform is also possible as an extension once we have Token Binding completed and deployed, but that is future work. For the moment SHA 256 with 256bits of entropy for the input to generate a key for a single use token, is infeasible to brute force. > >>> 2. The introduction says "No client secret is used (since public >>> clients cannot keep their secrets confidential.)". However, a client >>> secret is used. I suspect I know what is intended, but this should be >>> clarified. >>> >> >> How about? >> >> 3) The attacker has access to the client id and client secret (if provisioned). All native app client- >> instances use the same client id, and client secret. Secrets provisioned in client binaries cannot be considered confidential. > > I think the issue is that "client secret" has meaning independent of > OAuth, but you are using it in the sense that the OAuth standards use > it - perhaps "OAuth client secret" would make this clearer? > How about? 3) The attacker has access to the OAuth client id and OAuth client secret (if provisioned). All OAuth native app client- instances use the same client id, and client secret. Secrets provisioned in client binaries cannot be considered confidential. John B. >> >> John B. >> >> >>> _______________________________________________ >>> secdir mailing list >>> secdir@ietf.org >>> https://www.ietf.org/mailman/listinfo/secdir >>> wiki: http://tools.ietf.org/area/sec/trac/wiki/SecDirReview
- [secdir] Secdir review of draft-ietf-oauth-spop-11 Ben Laurie
- Re: [secdir] Secdir review of draft-ietf-oauth-sp… John Bradley
- Re: [secdir] Secdir review of draft-ietf-oauth-sp… Ben Laurie
- Re: [secdir] Secdir review of draft-ietf-oauth-sp… John Bradley
- Re: [secdir] Secdir review of draft-ietf-oauth-sp… Ben Laurie
- Re: [secdir] Secdir review of draft-ietf-oauth-sp… John Bradley