Re: [GNAP] Defense protection

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Fri, 28 May 2021 20:44 UTC

From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Fri, 28 May 2021 16:44:05 -0400
Message-ID: <CAHbuEH4sWL7aR03eOvxEqvCjLjuyYgz9kXepCsOOr+zeYOxoaA@mail.gmail.com>
To: Warren Parad <wparad@rhosys.ch>
Cc: Adrian Gropper <agropper@healthurl.com>, GNAP Mailing List <txauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/0exUA-f_E_UEbLu8OZPXZpjZCFw>
Subject: Re: [GNAP] Defense protection

Warren,

We can think about advice on detection and having that be built into the
security considerations.  There is a clear example given in the SAML case.
I'm raising this as food for thought and to see what we can do.  Security
needs to be better, more scalable, and easier on the user base.  That's not
a simple combination.  These attacks are only a sample of what is to come.
If there is a vulnerability or a blind spot, it will be used.

Best regards,
Kathleen

On Fri, May 28, 2021 at 4:02 PM Warren Parad <wparad@rhosys.ch> wrote:

> Correct me if I'm mistaken, it sounds like the Golden SAML attack amounts
> to getting control of the signer's private key. I'm going to go out on a
> limb here and say, I'm not sure any protocol solution would help solve this
> problem. But I would love to be mistaken. It's possible to make this harder
> by allowing multiparty signers to be required (or at least allowed/enabled)
> to prevent single vulnerable issues. There are other issues with that sort
> of solution, such as then requiring more nodes to sign each request and
> thus providing more physical attack surfaces. It's hard for me to evaluate
> the trade-off there.
>
> In the case of the OAuth article, it seems to suggest phishing is the
> problem. The solution here is preventing the user from entering their
> "password" in malicious locations. I'm hoping that browsers will better
> support first-class login APIs and sanitization for better protection here,
> however, nothing first comes to mind about what protocol could do to stop
> that. I would say here, browsers need to get better, device OSs need to be
> better. Maybe there are better solutions lurking out there.
>
> Warren Parad
>
> Founder, CTO
> Secure your user data with IAM authorization as a service. Implement
> Authress <https://authress.io/>.
>
>
> On Fri, May 28, 2021 at 9:51 PM Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Hi Adrian,
>>
>> Thanks for your interest!
>>
>> This is a helpful link that describes how the attackers were able to
>> bypass MFA by stealing the signing key for SAML assertions:
>>
>> https://www.darkreading.com/attacks-breaches/solarwinds-campaign-focuses-attention-on-golden-saml-attack-vector/d/d-id/1339794
>>
>> https://owasp.org/www-chapter-singapore/assets/presos/Deconstructing_the_Solarwinds_Supply_Chain_Attack_and_Deterring_it_Honing_in_on_the_Golden_SAML_Attack_Technique.pdf
>>
>> I did read one that was a bit better, but can't find the link at the
>> moment.
>>
>> And one on shared OAuth credentials/token issuance:
>>
>> https://www.csoonline.com/article/3607348/how-to-defend-against-oauth-enabled-cloud-based-attacks.html
>>
>> It would be good to think about attack vectors and if not prevention,
>> minimally detection.
>>
>> Best regards,
>> Kathleen
>>
>> On Fri, May 28, 2021 at 3:41 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> Hi Kathleen,
>>>
>>> I am not aware of the attacks on SAML and OAuth and would appreciate a
>>> link or two.
>>>
>>> I hope we can provide guidance on how GNAP can facilitate Zero Trust
>>> Architecture and believe that includes guidance on how to audit various
>>> things as systems use GNAP protocols to separate concerns among independent
>>> actors.
>>>
>>> Count me in for a brainstorming session,
>>>
>>> - Adrian
>>>
>>>
>>> On Fri, May 28, 2021 at 3:29 PM Kathleen Moriarty <
>>> kathleen.moriarty.ietf@gmail.com> wrote:
>>>
>>>> Hello!
>>>>
>>>> In light of recent attacks against SAML and OAuth, I'd like to see what
>>>> defense mechanisms and detection could be built into the spec.  One example
>>>> would be from the recent SAML attack.  If there was a detection of
>>>> instances of authorization without authentication, the SAML attack used in
>>>> SolarWinds might have been detected sooner.
>>>>
>>>> If you think along the lines of fraud detection, where you detect
>>>> unusual events, there may be some specific to GNAP that could enable early
>>>> detection of abuse, misuse, or exploits.
>>>>
>>>> Are there some planned?  Would people like to brainstorm on this?
>>>> Thanks!
>>>>
>>>>
>>>> --
>>>>
>>>> Best regards,
>>>> Kathleen
>>>> --
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>
>>
>

-- 

Best regards,
Kathleen
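An added example, not written by any participant in this thread, of the detection Kathleen's first message describes: correlating issued assertions or tokens with the issuer's own authentication events and flagging any that were accepted without a matching, recent authentication. The log records, field names and the one-hour freshness window are constructed assumptions for illustration.

```python
"""Flag assertions/tokens consumed with no matching authentication event."""
from datetime import datetime, timedelta

# Constructed sample of identity-provider authentication events (assumed
# field names; not real log data). Each login creates a session id.
AUTH_EVENTS = [
    {"ts": "2021-05-28T13:40:00", "user": "alice", "session": "s1", "mfa": True},
    {"ts": "2021-05-28T13:41:10", "user": "bob", "session": "s2", "mfa": True},
]

# Constructed sample of assertions presented to a relying service, each
# carrying the user and session the issuer claims authenticated it.
ASSERTIONS = [
    {"ts": "2021-05-28T13:40:05", "user": "alice", "session": "s1", "id": "a1"},
    # Forged-style case: a valid-looking assertion for a session that never
    # authenticated at the issuer (authorization without authentication).
    {"ts": "2021-05-28T13:52:00", "user": "admin", "session": "s9", "id": "a2"},
    # Stale case: the session did authenticate, but far outside the window.
    {"ts": "2021-05-28T15:41:10", "user": "bob", "session": "s2", "id": "a3"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_unauthenticated(auth_events, assertions, max_age=timedelta(hours=1)):
    """Return ids of assertions lacking a recent authentication event.

    An assertion is considered backed by authentication only if the issuer
    logged a login for the same (user, session) no more than max_age before
    the assertion was presented.  Anything else is an anomaly worth review,
    regardless of whether its signature verified.
    """
    index = {}
    for ev in auth_events:
        index.setdefault((ev["user"], ev["session"]), []).append(_parse(ev["ts"]))

    flagged = []
    for a in assertions:
        presented = _parse(a["ts"])
        logins = index.get((a["user"], a["session"]), [])
        recent = [t for t in logins if timedelta(0) <= presented - t <= max_age]
        if not recent:
            flagged.append(a["id"])
    return flagged


if __name__ == "__main__":
    print(find_unauthenticated(AUTH_EVENTS, ASSERTIONS))  # ['a2', 'a3']
```

The same join applies to a GNAP authorization server: access tokens it issues can be checked against its record of completed interactions, so a token with no corresponding interaction stands out even when it is well formed.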