[sipcore] draft-ietf-sipcore-sip-token-authnz - Security of the token
Yehoshua Gev <yoshigev@gmail.com> Sun, 21 July 2019 11:55 UTC
Return-Path: <yoshigev@gmail.com>
X-Original-To: sipcore@ietfa.amsl.com
Delivered-To: sipcore@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB62412011B for <sipcore@ietfa.amsl.com>; Sun, 21 Jul 2019 04:55:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 69h2n33sl8X2 for <sipcore@ietfa.amsl.com>; Sun, 21 Jul 2019 04:55:37 -0700 (PDT)
Received: from mail-ua1-x92b.google.com (mail-ua1-x92b.google.com [IPv6:2607:f8b0:4864:20::92b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7FA3712011E for <sipcore@ietf.org>; Sun, 21 Jul 2019 04:55:37 -0700 (PDT)
Received: by mail-ua1-x92b.google.com with SMTP id 34so14269506uar.8 for <sipcore@ietf.org>; Sun, 21 Jul 2019 04:55:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to; bh=aKagafErbnghmNROCRfdfatuJ1PN9zF+LsDjBKTXrJM=; b=IyfNrPrAQKFNmCP2JYVACMqE7/o08xfKEZS2LqjZzv5182O8r0ZLddfp2WwhTaIOUb mlfKefXUYTkiRjRYRo7Ga/r4UELwUkaGiTi1iYNk8SPCt12Ac+SdhehSyKmeBAK7NvbA 8ypkCAq7TbYjE+dtHv/2yn8fEWth4SNgxmdllErXixAZ+jXhO8cEsdhFwd83ZCsixPzA 6bNMnazS+HovSw62V6FrIIJqZykzw9UmRxolw4hXpLm045aq9M7qoBObf0bjhd683oEQ RSjaiyiKkiSiRvsFeJEnU/72ITbfyuV8/2OxR/ovx69GtM9sTiLFtavVMEunZNT7tTSd fVSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to; bh=aKagafErbnghmNROCRfdfatuJ1PN9zF+LsDjBKTXrJM=; b=LscHVnqNGnGnTtaeR+o34dIWJ0yKTiqsuwWtODIgPhLICQ+9OKKak/DbZ0dRWhTiKO dTW9lIkHxaadVYEo4TY+3LgYX7qDG/XSEvCPrk2SkUV66XFkQV6yaZJNTnYVYF+KzvnS XAbia6lDxGo7dg3vb+O8KO4I55ZVodlAsX+sPQZb1mc/SRwxw8Vgd0TIwEeL8PBkjn0J 62JPuzqb62lQn1xVlJth3St3BmyPPRCWVCNPj1hRpphd1wySCAvJZwJ2yeOxL4vEuh2L y6GrTNlFuv4BL9nqzeuelrppDVPLflfBqs243PhVaUq05PDcLSQ98XFa4sBQ9yDIzUtm E+uw==
X-Gm-Message-State: APjAAAWNHgv0+OOYHfTrsY09TpKVFBt43J60Tdi7lJNgOmUbgUjuGdHq fFA3c9gA8ybbykhmPl/WC4Py6ld+DgIvjC+nhBjA0sfp
X-Google-Smtp-Source: APXvYqxCTCRzwx3jcd3klDlUYr5uZkSprVWhSwFMvvaPl6pc8GujBmEtvqzOnSY99EvP28S/2RHbeSlYmM4ymU6xzfw=
X-Received: by 2002:ab0:b99:: with SMTP id c25mr39271223uak.53.1563710136458; Sun, 21 Jul 2019 04:55:36 -0700 (PDT)
MIME-Version: 1.0
References: <HE1PR07MB316161BA8A7FC9516BB0665493CD0@HE1PR07MB3161.eurprd07.prod.outlook.com>
In-Reply-To: <HE1PR07MB316161BA8A7FC9516BB0665493CD0@HE1PR07MB3161.eurprd07.prod.outlook.com>
From: Yehoshua Gev <yoshigev@gmail.com>
Date: Sun, 21 Jul 2019 14:55:24 +0300
Message-ID: <CAF_j7yZRn=-OwoRUR=RT5VoRUxv45VxGT79QQ+u9j643EfZB2w@mail.gmail.com>
To: "sipcore@ietf.org" <sipcore@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000372258058e2fa3c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/sipcore/jTbtaLqU4hcPdJ32l5Eer9cUVCE>
Subject: [sipcore] draft-ietf-sipcore-sip-token-authnz - Security of the token
X-BeenThere: sipcore@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: SIP Core Working Group <sipcore.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/sipcore>, <mailto:sipcore-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sipcore/>
List-Post: <mailto:sipcore@ietf.org>
List-Help: <mailto:sipcore-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/sipcore>, <mailto:sipcore-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 11:55:40 -0000
Hi, Looking at the discussion regarding the way to secure the access token, I think it will be good to summarize the options. OPTION 1 - Bearer authorization (as appears in the draft): Send the token as plain text on the Authorization header. This option is very straight-forward, but lacks the ability of the UAC to verify that the token is not exposed by some intermediary proxy. OPTION 2 - Token encryption (a proposal by Olle Johansson): Encrypt the token using a public key that is provided in a challenge. I believe that a public key of a UA doesn't normally change between challenges, so this method is prone to reply attacks (if the challenge be kept constant). Of course, this method can be extended to include a nonce, but it will make it more complicated. OPTION 3 - Digest scheme (a proposal by Dale Worley): Use a "digest"-like scheme to send a hashed value of the token. I believe this is problematic, as digest can only be used if both parties knows the password (or token) in advance, so it's enough to compare its hash value. In our case, tokens can usually be validated only when their full value is revealed (e.g., validation of JWT token is done without pre-knowledge of the token). OPTION 4 - HTTP Authorization: Assuming that we resort to having only the first hop (the home proxy) perform the authentication, and restricting ourselves to WebRTC clients, the authorization can be done on the HTTP level of WebSocket creation. This option is available to use creating new standards, but apparently it's not enough (or the draft would not have been written). OPTION 5 - New challenge-response mechanism: Probably some combination of options 2 and 3, but having it standardized and performed by 3rd-party OAuth server. Just like RFC 5090 proposed a way for a RADIUS server to perform digest authentication, an extension to OAuth introspection endpoint (RFC 7662), can possibly be made to validate a token using a challenge-response mechanism. With this option, the "security burden" will fall on OAuth servers and not on the SIP UAs. Having laid out the options above (I'm sure there are options I've missed), I think that the scope of the current draft should remain minimal, and OPTION 1 should be used. For example, a common use case is that the home proxy perform the authentication, and remove the Authorization header when forwarding the request. For this use case, it will be nice if option 1 will remain available. Still, even for this scenario, maybe a simple challenge-response mechanism should be required, so the UAC will have a way to know that the home proxy supports this kind of authentication. Without it (if the proxy is not supporting), the UAC might send the token, and the proxy forward it to un-trusted entities. For the long run (on other drafts), the other options should probably be looked into, so the security restriction imposed by option 1 could be relaxed. Regards, Yehoshua
- Re: [sipcore] Thoughts about draft-ietf-sipcore-s… Christer Holmberg
- Re: [sipcore] Thoughts about draft-ietf-sipcore-s… Olle E. Johansson
- [sipcore] draft-ietf-sipcore-sip-token-authnz - S… Yehoshua Gev
- Re: [sipcore] draft-ietf-sipcore-sip-token-authnz… Christer Holmberg