Re: [GNAP] Defense protection
Justin Richer <jricher@mit.edu> Tue, 01 June 2021 13:51 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C4203A18B3 for <txauth@ietfa.amsl.com>; Tue, 1 Jun 2021 06:51:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3lkKNHZbXAVV for <txauth@ietfa.amsl.com>; Tue, 1 Jun 2021 06:51:52 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 24A413A18C3 for <txauth@ietf.org>; Tue, 1 Jun 2021 06:51:51 -0700 (PDT)
Received: from [192.168.1.49] (static-71-174-62-56.bstnma.fios.verizon.net [71.174.62.56]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 151DpnFx001963 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Tue, 1 Jun 2021 09:51:49 -0400
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.120.23.2.6\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CAHbuEH49sZjKvE0JVsa39WuFG83FbBcQQAyXH-V8TNGt-b-wtw@mail.gmail.com>
Date: Tue, 01 Jun 2021 09:51:48 -0400
Cc: GNAP Mailing List <txauth@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A96FB6BB-E01C-40FD-9F77-126780157F98@mit.edu>
References: <CAHbuEH49sZjKvE0JVsa39WuFG83FbBcQQAyXH-V8TNGt-b-wtw@mail.gmail.com>
To: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
X-Mailer: Apple Mail (2.3608.120.23.2.6)
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/8RR5xAfpx5yFVbPSfgMBD3UMWYU>
Subject: Re: [GNAP] Defense protection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Jun 2021 13:51:57 -0000
Hi Kathleen, thanks so much for raising this topic! It’s important that GNAP learn from what’s come before. Some aspects of that are already built into the design, based on what we’ve learned form years of OIDC and SAML deployments. One of the things that made the SAML attacks work was that the fake assertions could be easily injected into SP’s (the relying party equivalent) with a browser request by the attackers. GNAP already doesn’t allow injection of results (such as assertions) over the front channel, so an attacker would need to run an in-the-middle attack against the AS and return the faulty assertion as well. Properly configured OIDC (with state and nonce) has some similar protections, but even then it’s more easily misconfigured. I agree that the detection of unusual events needs to be part of the protocol. Maybe we should have more language about the direct information return — things like assertions and subject information — and explicitly tell clients that they shouldn’t accept that information from unexpected calls of any type? We might also want to lock down the callback function from extensions so that people don’t re-invent the implicit flow and all its problems. I don’t know if there’s anything that can be done around protecting against key theft. The key is the identity of the component proven through the protocol. Do you have suggestions on how this can be called out more? The security considerations section is just a placeholder still, and it seems that would be a good place for it, to me. — Justin > On May 28, 2021, at 3:28 PM, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> wrote: > > Hello! > > In light of recent attacks against SAML and OAuth, I'd like to see what defense mechanisms and detection could be built into the spec. One example would be from the recent SAML attack. If there was a detection of instances of authorization without authentication, the SAML attack used in SolarWinds might have been detected sooner. > > If you think along the lines of fraud detection, where you detect unusual events, there may be some specific to GNAP that could enable early detection of abuse, misuse, or exploits. > > Are there some planned? Would people like to brainstorm on this? > Thanks! > > -- > > Best regards, > Kathleen > -- > TXAuth mailing list > TXAuth@ietf.org > https://www.ietf.org/mailman/listinfo/txauth
- [GNAP] Defense protection Kathleen Moriarty
- Re: [GNAP] Defense protection Adrian Gropper
- Re: [GNAP] Defense protection Kathleen Moriarty
- Re: [GNAP] Defense protection Warren Parad
- Re: [GNAP] Defense protection Adrian Gropper
- Re: [GNAP] Defense protection Kathleen Moriarty
- Re: [GNAP] Defense protection Alan Karp
- Re: [GNAP] Defense protection Cendyne
- Re: [GNAP] Defense protection Fabien Imbault
- Re: [GNAP] Defense protection Justin Richer
- Re: [GNAP] Defense protection Fabien Imbault
- Re: [GNAP] Defense protection Denis