Re: [sipcore] draft-ietf-sipcore-sip-token-authnz - Security of the token
Christer Holmberg <christer.holmberg@ericsson.com> Sun, 21 July 2019 15:44 UTC
Return-Path: <christer.holmberg@ericsson.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A9520120132 for <sipcore@ietfa.amsl.com>; Sun, 21 Jul 2019 08:44:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5JqMnZPiP5VL for <sipcore@ietfa.amsl.com>; Sun, 21 Jul 2019 08:43:56 -0700 (PDT)
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (mail-eopbgr130077.outbound.protection.outlook.com [40.107.13.77]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 27DEC12013A for <sipcore@ietf.org>; Sun, 21 Jul 2019 08:43:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EVgmQZDwQ98ZLNoNRSjqdapQ1p0xq5dxggqLizm5sspoEXOuVZZPLE3g5UZVtT9fizHf9Wiztf/y0AZUvqtk26rtwYDtjSyHrkf+p0DvwKmY9ZlDoAKyM+FEM5CWuXT4/2sdlziBBR6nYB4wQ4/duLAt2MCN6JqABmpCT5J8UEFp+ghq7S3aXfM4A3vGAb8O3Qk7rbWO/bjHFIdtTguvNTLPJfJuVJMSXlefU53dPBIrB6arbNNeLqSeKMVGQaJCrMgJsgQ53DF5sd1TEybtpwFgZnyhendqmYi3wg8EEzUWbc1KsLAFw/AR7sS0QoDT+owaRijg8oWvFHTx2oa+8Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E0tHsc2+my294bsmiei3wn3TeCtU2n31qD1kr6oMUS0=; b=b2jd+HuNMamgQ7l4RM8pUyVAgkR76+YBXpIQTa9k6tfAslf0Lb5gKqZ5D12KVjG9ZxPgi+4DyrXgYK3wKt6Jxt9pwJhBpeezynAwaerWOMIQf7mDtn5jvB81r+1QPu2zPbgUy6+NKIjzAWznq4/VcZwLmSeOk/N6TMRGhC0QvHlTWtQxx4B0KD1TwXIYaxyu8D/KjooeWyQo7d+/AD1JvacmTpbHd/8cr6LhPjUPW0Q9MVr99BrtQcRQTZtjjC+b4MAtckbDf30In/cK7QKE69IjxmQaLIr0Aj/6D9SNorGCJgMLjZau7Zvvd0aF3p7peh4DOaUuSpyyklv+GdTFJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=ericsson.com;dmarc=pass action=none header.from=ericsson.com;dkim=pass header.d=ericsson.com;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=E0tHsc2+my294bsmiei3wn3TeCtU2n31qD1kr6oMUS0=; b=n7tUy10U+ucIvPTfVUbmFhEWhSMAymTIwEKMUHuMn0HYU9KhoqkiR4YgNcjvNWN7I5EKw5QFNUHiZTQs2zptZHjb98ZxJ+QXZjq1nS6ZX21iVemkUid98XevprQa79HOcs5cs0VLAhjUkJ6SljXgNirBCPVuLub/yq32bt9wKCE=
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com (10.170.245.23) by HE1PR07MB3436.eurprd07.prod.outlook.com (10.170.247.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2115.9; Sun, 21 Jul 2019 15:43:53 +0000
Received: from HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43]) by HE1PR07MB3161.eurprd07.prod.outlook.com ([fe80::5050:a3a9:be80:cf43%5]) with mapi id 15.20.2094.009; Sun, 21 Jul 2019 15:43:53 +0000
From: Christer Holmberg <christer.holmberg@ericsson.com>
To: Yehoshua Gev <yoshigev@gmail.com>, "sipcore@ietf.org" <sipcore@ietf.org>
Thread-Topic: [sipcore] draft-ietf-sipcore-sip-token-authnz - Security of the token
Thread-Index: AQHVP7tDVzpq44wx5Eqf6X2UASwciqbVNImg
Date: Sun, 21 Jul 2019 15:43:53 +0000
Message-ID: <HE1PR07MB31610DB937960AB372A0D61993C50@HE1PR07MB3161.eurprd07.prod.outlook.com>
References: <HE1PR07MB316161BA8A7FC9516BB0665493CD0@HE1PR07MB3161.eurprd07.prod.outlook.com> <CAF_j7yZRn=-OwoRUR=RT5VoRUxv45VxGT79QQ+u9j643EfZB2w@mail.gmail.com>
In-Reply-To: <CAF_j7yZRn=-OwoRUR=RT5VoRUxv45VxGT79QQ+u9j643EfZB2w@mail.gmail.com>
Accept-Language: en-US
Content-Language: fi-FI
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=christer.holmberg@ericsson.com;
x-originating-ip: [176.93.45.161]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 180377fb-5982-4324-6e82-08d70df23bc4
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR07MB3436;
x-ms-traffictypediagnostic: HE1PR07MB3436:
x-microsoft-antispam-prvs: <HE1PR07MB343680389B5970A9796FEBCD93C50@HE1PR07MB3436.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0105DAA385
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(346002)(396003)(39860400002)(376002)(189003)(51444003)(199004)(9686003)(54896002)(2420400007)(15650500001)(86362001)(6436002)(2906002)(55016002)(6116002)(790700001)(561944003)(81166006)(33656002)(81156014)(68736007)(8936002)(9326002)(53936002)(6306002)(14454004)(3846002)(66066001)(66574012)(5660300002)(71200400001)(71190400001)(14444005)(110136005)(76176011)(476003)(316002)(11346002)(446003)(66446008)(64756008)(66556008)(66476007)(76116006)(66946007)(478600001)(256004)(25786009)(52536014)(2501003)(8676002)(486006)(6506007)(7736002)(7696005)(186003)(44832011)(102836004)(99286004)(74316002)(7110500001)(26005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3436; H:HE1PR07MB3161.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: A1E9hmV9HT8S9MIDQ8+WLE0Siu1duNISzM9+49xdwGygjWGPnYNINAZiLTkGDxwq1oHMVf2yunhEo8cmbKv7mMniY8xT1l2pwhVN6qLykfP3LbcA0yyvAejLz7O6Uu0nrEibtlt2F4rq/BPYR6lUgDJjs73e1YyQ/KJvGGIPVsyrvng5228G5myLGZZi/ql8qiaXmfRT11s/VRTclHjB5pzYhDPvO0siXo2stdnYQRpzlYKjFVqSoRuvBCXLU3UviuuVNGnpK/foNMUjQKhp+Tp9Ez8ExFZ+Jja651WabcOT6pa78CVd1V564NbiDKH6e2LRV9XNO8xrKyCq88OE/SFaNTNrAGoEtJehUSp3EfKb7z9cwZ9+DgGIJhdThFcH5xyvwfR1EQWb7UpUGovztdNfkdL9i4jR8/eWpwomcbU=
Content-Type: multipart/alternative; boundary="_000_HE1PR07MB31610DB937960AB372A0D61993C50HE1PR07MB3161eurp_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 180377fb-5982-4324-6e82-08d70df23bc4
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jul 2019 15:43:53.0831 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: christer.holmberg@ericsson.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3436
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/zKgQ3SGd-vQjKgZnL6fMEbXC8-g>
Subject: Re: [sipcore] draft-ietf-sipcore-sip-token-authnz - Security of the token
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 15:44:08 -0000
Hi Yehoshua, Thanks for your input! I think OPTIONS 3 and 5 are outside the scope. The mechanism shall work with the existing OAuth infrastructure. OPTION 4 is too narrow – there are cases where the token is verified by the registrar. However, I DO agree with Olle that the token needs to be protected so that non-intended entities will not have access to it. But, that doesn’t always mean it has to be encrypted. For example, in your home gateway example you know that the header field will be removed before the SIP request is forwarded to non-intended entities. Also, we need to address the protection of the token, or the draft will never pass IESG review 😊 Regards, Christer Lähettäjä: sipcore <sipcore-bounces@ietf.org> Puolesta Yehoshua Gev Lähetetty: sunnuntai 21. heinäkuuta 2019 14.55 Vastaanottaja: sipcore@ietf.org Aihe: [sipcore] draft-ietf-sipcore-sip-token-authnz - Security of the token Hi, Looking at the discussion regarding the way to secure the access token, I think it will be good to summarize the options. OPTION 1 - Bearer authorization (as appears in the draft): Send the token as plain text on the Authorization header. This option is very straight-forward, but lacks the ability of the UAC to verify that the token is not exposed by some intermediary proxy. OPTION 2 - Token encryption (a proposal by Olle Johansson): Encrypt the token using a public key that is provided in a challenge. I believe that a public key of a UA doesn't normally change between challenges, so this method is prone to reply attacks (if the challenge be kept constant). Of course, this method can be extended to include a nonce, but it will make it more complicated. OPTION 3 - Digest scheme (a proposal by Dale Worley): Use a "digest"-like scheme to send a hashed value of the token. I believe this is problematic, as digest can only be used if both parties knows the password (or token) in advance, so it's enough to compare its hash value.. In our case, tokens can usually be validated only when their full value is revealed (e.g., validation of JWT token is done without pre-knowledge of the token). OPTION 4 - HTTP Authorization: Assuming that we resort to having only the first hop (the home proxy) perform the authentication, and restricting ourselves to WebRTC clients, the authorization can be done on the HTTP level of WebSocket creation. This option is available to use creating new standards, but apparently it's not enough (or the draft would not have been written). OPTION 5 - New challenge-response mechanism: Probably some combination of options 2 and 3, but having it standardized and performed by 3rd-party OAuth server. Just like RFC 5090 proposed a way for a RADIUS server to perform digest authentication, an extension to OAuth introspection endpoint (RFC 7662), can possibly be made to validate a token using a challenge-response mechanism. With this option, the "security burden" will fall on OAuth servers and not on the SIP UAs. Having laid out the options above (I'm sure there are options I've missed), I think that the scope of the current draft should remain minimal, and OPTION 1 should be used. For example, a common use case is that the home proxy perform the authentication, and remove the Authorization header when forwarding the request. For this use case, it will be nice if option 1 will remain available. Still, even for this scenario, maybe a simple challenge-response mechanism should be required, so the UAC will have a way to know that the home proxy supports this kind of authentication. Without it (if the proxy is not supporting), the UAC might send the token, and the proxy forward it to un-trusted entities. For the long run (on other drafts), the other options should probably be looked into, so the security restriction imposed by option 1 could be relaxed. Regards, Yehoshua
- Re: [sipcore] Thoughts about draft-ietf-sipcore-s… Christer Holmberg
- Re: [sipcore] Thoughts about draft-ietf-sipcore-s… Olle E. Johansson
- [sipcore] draft-ietf-sipcore-sip-token-authnz - S… Yehoshua Gev
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Christer Holmberg