Re: [GNAP] Mix Up Attack against GNAP

[Justin Richer <jricher@mit.edu>]

Hi David,

I think it’s similar to message forwarding, but there’s one important difference — the AAS already is modifying the message to HAS. It doesn’t need to forward the complete message from (2), it creates a brand new message in (3) and signs it with its own key. So the client knows it’s talking to AAS and vice versa, and AAS knows it’s talking to HAS and vice versa. What’s different is that AAS is able to take pieces out of the (valid) message from the client and make its own message out of those parts, and then get value out of that.

But that does raise an interesting question: what if ASS :did: simply forward the signed message from the client to HAS? The signature method would need to protect the target of the HTTP request, but I think that should already be covered in most of the signature methods. We need to put some focus on these signature methods directly in the near future, so that’s something to keep in mind here.

 — Justin

> On Jun 5, 2021, at 8:26 AM, David Chadwick <d.w.chadwick@verifiablecredentials.info> wrote:
> 
> This attack is similar to surreptitious forwarding (message 3). One solution is for the sender (Client) to identify the recipient in message 2 so that it cannot be altered by the AAS when it creates message 3. The grant endpoint of the AS that the client instance is talking to would seem to fit this solution
> 
> Kind regards
> 
> David
> 
> On 04/06/2021 15:59, Justin Richer wrote:
>> This week, some researchers reached out to the editors to describe an attack against GNAP in the front channel that’s inherited from OAuth 2. I will describe the attack, list out its preconditions, and then describe a proposed solution space. We’re looking for input and feedback from the group on managing this solution.
>> 
>> But first, many thanks to Åke Axeland and Adam Omar Oueidat for doing this analysis, putting together the diagram below, and bringing it to the group’s attention.
>> 
>> The attack is largely the same as one of the “AS Mix Up” attack cases in "Comprehensive Security Analysis of OAuth 2.0” by Daniel Fett and colleagues. It’s a kind of in-the-middle and/or phishing attack at its core. 
>> 
>> The attacker has their own authorization server (AAS) which can also act as a client instance. An uncompromised client (UC) instance and an uncompromised authorization server (HAS) are assumed. There is no compromise of secret keys or breaking of TLS in this attack.
>> 
>> 1. UC is a client of AAS, and might also be a client of HAS. User wants to authorize at HAS but tells UC to use AAS.
>> 2. UC starts a request at AAS, signed with UC’s key. AAS is imitating HAS.
>> 3. AAS forwards UC’s request parameters (Client nonce, interaction finish URI) to HAS, but signed with AAS’s key.
>> 4. HAS responds with an interaction start URL and server nonce to AAS
>> 5. AAS forwards the interaction start URL and server nonce to UC
>> 6. (Note) HAS is functionally telling the user to show up and interact, but doesn’t realize that the request is being proxied in this way.
>> 7. UC launches interaction start url, which is a function of HAS
>> 8. HAS returns the verification hash and interaction reference to UC
>> 9. UC validates the hash (which is correct) and sends the interaction reference to AAS
>> 10. AAS forwards the interaction reference to HAS 
>> 11. AAS receives an access token for calling an RS protected by HAS. The client receives no access token.
>> 
>> The diagram from the researchers is attached here. I’ll be using the numbers in the text list here like (1) to refer to specific steps.
>> 
>> <PastedGraphic-2.png>
>> Some preconditions and analysis:
>> 
>> Step (1) is made easier if the client has choice over which AS to talk to for a given request, since that’s how it starts talking to AAS instead of HAS. The danger of allowing a client to choose its AS at runtime has been discussed, but it’s a known pattern that we can’t expect to go away.
>> 
>> AAS is treated as a legitimate client of HAS and UC is a legitimate client of AAS. While dynamic clients can exacerbate this problem at runtime, at no time does HAS always knows the requests are coming from AAS and UC always knows it’s talking to AAS. There is no cryptographic impersonation and no theft of keys. 
>> 
>> The attack occurs because the user and client think they’re dealing with different AS’s, and you can’t expect a user to always be able to tell them apart, especially when the backend calls like (2) are hidden. It’s assumed that the user actually wants to authorize UC for HAS, but UC talks to AAS instead because of configuration (1). AAS can imitate HAS to the user to facilitate (1), and imitate UC to HAS, but only for human-facing portions (7). Static pre-registration makes this more difficult, assuming that all registrations are reviewed by humans. If HAS has no idea that UC exists, it wouldn’t necessarily know that AAS is impersonating anyone.
>> 
>> The token at the end (11), assuming it’s a bound token, is only good with AAS’s key and not UC’s key. This is great for the attacker until UC starts to act funny and raise suspicion, since the process didn’t ever complete. With the OAuth attack, and with bearer tokens in GNAP, the token can be passed through to the UC making UC none the wiser. 
>> 
>> The hash validation (9) does not protect against this specific attack. Since AAS sits in the middle, it has access to the Client nonce from UC, the server nonce from AAS, and the interaction reference at the appropriate times. AAS doesn’t need to generate the hash, but can force HAS to generate an appropriate hash.
>> 
>> The proposed mitigation(s): 
>> 
>> In OAuth 2, the accepted mitigation is to provide another query parameter with the “issuer” URL of the AS. We could do that here, but that would have the same downsides: the client has to check this value explicitly. Therefore we’re proposing that instead we use the existing validation hash algorithm and add an additional field. This would need to be something known to UC and HAS that can’t be impersonated by AAS, even if it’s known. Therefore, it makes sense to use something that’s derived. There are a few ideas of what to do here, each with benefits and drawbacks:
>> 
>> - The grant endpoint of the AS that the client instance is talking to.
>> - The continuation endpoint that the client instance will send the interaction reference to. (This might be different from the above)
>> - The continuation access token value
>> - A key hash for the AS the client is talking to (TLS key to one of these endpoints? Some other external key added to the mix?)
>> 
>> The important thing here is that it’s a value that’s known but not a shared-secret that’s passed between parties. The client doesn’t need to check anything new, just needs to do the hash validation that it should be doing anyway.
>> 
>> Requested feedback:
>> 
>> The editors are requesting feedback and discussion on the attack and the proposed mitigation strategy. As a group, we would also benefit from additional formal analysis of the protocol with and without the mitigation in place. Additionally, we need to be sure we aren’t accidentally cutting off a legitimate use case, like AS bridges and proxies that aren’t trying to hide their presence.
>> 
>>  — Justin
>> 
>> 
> -- 
> TXAuth mailing list
> TXAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/txauth