Re: [GNAP] Mix Up Attack against GNAP
Justin Richer <jricher@mit.edu> Sun, 06 June 2021 12:42 UTC
Return-Path: <jricher@mit.edu>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82F3E3A1996 for <txauth@ietfa.amsl.com>; Sun, 6 Jun 2021 05:42:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Level:
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjKVUkFQDIDo for <txauth@ietfa.amsl.com>; Sun, 6 Jun 2021 05:42:42 -0700 (PDT)
Received: from outgoing-exchange-3.mit.edu (outgoing-exchange-3.mit.edu [18.9.28.13]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6C8F43A1994 for <txauth@ietf.org>; Sun, 6 Jun 2021 05:42:41 -0700 (PDT)
Received: from oc11exedge2.exchange.mit.edu (OC11EXEDGE2.EXCHANGE.MIT.EDU [18.9.3.18]) by outgoing-exchange-3.mit.edu (8.14.7/8.12.4) with ESMTP id 156Cgdc1001089; Sun, 6 Jun 2021 08:42:39 -0400
Received: from w92expo18.exchange.mit.edu (18.7.74.72) by oc11exedge2.exchange.mit.edu (18.9.3.18) with Microsoft SMTP Server (TLS) id 15.0.1497.18; Sun, 6 Jun 2021 08:42:10 -0400
Received: from oc11expo18.exchange.mit.edu (18.9.4.49) by w92expo18.exchange.mit.edu (18.7.74.72) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Sun, 6 Jun 2021 08:42:38 -0400
Received: from oc11expo18.exchange.mit.edu ([18.9.4.49]) by oc11expo18.exchange.mit.edu ([18.9.4.49]) with mapi id 15.00.1497.015; Sun, 6 Jun 2021 08:42:38 -0400
From: Justin Richer <jricher@mit.edu>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>, "txauth@ietf.org" <txauth@ietf.org>
Thread-Topic: [GNAP] Mix Up Attack against GNAP
Thread-Index: AQHXWVI9kDl2iW5Nh0G/gRYQcS4T1KsFnH+A///liICAAEfxAP//1jKAgAB2aYD//8tqAAAhA6YAAAKMhoAAA2JagP//1W3Z
Date: Sun, 06 Jun 2021 12:42:38 +0000
Message-ID: <700c3b99bf4b43b4a0ec8dcc28e8136a@oc11expo18.exchange.mit.edu>
References: <D7C06A29-9B90-4F1F-A7C0-6885E9C7D84E@mit.edu> <3950725f-26e5-0eb5-92bb-5e2ed977ac85@verifiablecredentials.info> <429623E4-5C45-474C-801A-6953E803BAE6@mit.edu> <7deb4b8f-6d2e-c386-23d6-7286a5077cc6@verifiablecredentials.info> <BA18D0FD-D307-4194-9195-C573D81CEBE1@mit.edu> <fe56669a-236e-1c1e-0d3a-c1551747d03a@verifiablecredentials.info> <9259F10A-7E27-4D1B-BF3C-32905928F847@mit.edu> <9482fcaa-80ae-83e6-eec9-0b757df4b900@verifiablecredentials.info> <CAJot-L3aLtdo5H2qSO+uC2HkrSAowcJs9X8bFYnBHLbCXteYFw@mail.gmail.com>, <265bc1a1-a28a-d1ad-d0b4-3cae341ccc6c@verifiablecredentials.info>
In-Reply-To: <265bc1a1-a28a-d1ad-d0b4-3cae341ccc6c@verifiablecredentials.info>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [71.174.62.56]
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/NixqrsjGbh41Q4Z0PaFh_q7q5LQ>
Subject: Re: [GNAP] Mix Up Attack against GNAP
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 06 Jun 2021 12:42:48 -0000
David, A key difference with GNAP is that it doesn't rely only on redirects. Instead they are just one of many extensible options for interaction. Presenting VC's can happen using VCHTTPAPI or CHAPI or even DIDCOMM and the user never redirects. Redirects are inherently phishable even with the mitigation you describe, and so if you want to avoid them and use something else, that's great and GNAP has space for that explicitly. It's one of the most important breaks from OAuth core: don't start with the assumption the user is in a browser. But redirects aren't going away for everyone and so it's important that when people do choose to use them, they are as secure as they can be. You still have to deal with the trade-off and that's why security analysis like this is so important! - Justin ________________________________________ From: TXAuth [txauth-bounces@ietf.org] on behalf of David Chadwick [d.w.chadwick@verifiablecredentials.info] Sent: Sunday, June 6, 2021 7:10 AM To: txauth@ietf.org Subject: Re: [GNAP] Mix Up Attack against GNAP My understanding is that all these types of federated systems with redirections: SAML, Oauth, OIDC, are open to phishing attacks. To counteract this you should remove redirections from the protocol. OIDC SIOPv2 with verifiable credentials/presentations should solve this type of attack I believe. Also it is using a TTP for verification, which is one of your proposed solutions. Your proposed solution of adding data to the auth code is what I have already suggested: the message should cryptographically contain the identity of the sender and receiver and then all parties know who the intended recipient and originator are. And if you want to add a redirection in the response then that should also be inside the protected message. Kind regards David On 06/06/2021 10:33, Warren Parad wrote: I don't think that would solve the problem, although it might give the user client a second chance to avoid the vulnerability, it isn't a fix so far as I understand it. I like Justin's writeup, and knowing that it took me some time to appreciate the challenge, perhaps reframing the problem might help make it more clear. (And a real case that has happened) 1. An app network exists, and anyone can register an app. A malicious app registers a client with which itself is granted AS-like capabilities to the app network. The app pretends to be Google Drive, and the login screen is a perfect match for google's login. 2. Through a phishing attack, users are sent an email and directed to login to this malicious app. 3. The user navigates through the flow and returns to a legit application with an auth code 4. All along this malicious app has been intercepting the data the user has been providing and using it to authenticate itself as a valid app. If the user completes the flow the malicious app, will have a valid token for the HAS with the privileges the user thought they were granting the honest app. At this point the users client only has two* pieces of information: * Where the initial request to start the flow was sent * The Auth Code To break the vulnerability it must intentionally be so that the user client does NOT send the auth code to the same place where the initial request to start the flow was sent. Which means that the only available piece of information in the auth code. In OAuth, it has been introduced to create a third piece of information, the ISS url. Which can be used to look up where to send the auth code. It doesn't matter what endpoints or secrets are shared, none of them will be of any use, because the client is intentionally always communicating with the malicious app. The user may not want to, but they are anyway. the PKCE prevents interception or vulnerabilities in the flow, but this isn't a vulnerability in the flow, it is a malicious proxy. The only way to avoid this attack is one of: * Trust a third party for verification * include data in the auth code that the client can use to identify where to send the auth code * include data adjacent to the auth code which identifies how to handle the auth code Hope that helps. Warren [https://lh6.googleusercontent.com/DNiDx1QGIrSqMPKDN1oKevxYuyVRXsqhXdfZOsW56Rf2A74mUKbAPtrJSNw4qynkSjoltWkPYdBhaZJg1BO45YOc1xs6r9KJ1fYsNHogY-nh6hjuIm9GCeBRRzrSc8kWcUSNtuA] Warren Parad Founder, CTO Secure your user data with IAM authorization as a service. Implement Authress<https://authress.io/>. On Sun, Jun 6, 2021 at 10:21 AM David Chadwick <d.w.chadwick@verifiablecredentials.info<mailto:d.w.chadwick@verifiablecredentials.info>> wrote: So effectively you are saying that a client can be redirected to anywhere in the world and not know whether this is correct or not, or, it has to assume that it is correct regardless of where it is. In this case I suggest that these two locations should share a secret that they can both give to the client so that it knows these two endpoints are collaborating together. If you use something like the OIDC PKCE scheme then the first endpoint can send the hash of the secret, and the second endpoint can send the secret itself for the client to hash. Kind regards David On 05/06/2021 21:35, Justin Richer wrote: It’s completely reasonable for any legitimate AS to split the hosting of its user-facing stuff from its backend stuff. Google already does this with OAuth/OIDC today, and expecting this to change to something more constrained would be a non-starter for many deployments. Additionally, we can’t assume that everything is web-based and that things are happening within a browser. Furthermore, relying on the client to do some kind of comparison between the URL it starts the transaction with and the URL used for interaction is going to lead to misbehaving clients simply being more susceptible to this and related attacks. I’m of the school of thought that we should expect the minimum number of very specific things from the client in order to enforce security principles. — Justin On Jun 5, 2021, at 3:43 PM, David Chadwick <d.w.chadwick@verifiablecredentials.info<mailto:d.w.chadwick@verifiablecredentials.info>> wrote: But the start URL has HAS in it (message 5), when the client was talking to AAS. So this should be sufficient should it not to determine that something is wrong? Especially if SOP is being enforced, then the url of HAS and AAS wont have the same origin Kind regards David On 05/06/2021 17:39, Justin Richer wrote: But that’s what I’m saying — the client knows it’s talking to AAS and not HAS so with this kind of solution it would just create a message cryptographically tagged to AAS. And then on the next step, AAS creates a message cryptographically bound to HAS. So even if the client already says “this message is for AAS” explicitly, the attack surface doesn’t change. Only if the client thought it was talking to HAS would this make a difference, but that’s not what’s happening here. This, I believe, is what makes this kind of attack much more subtle than a simple message relay. — Justin On Jun 5, 2021, at 11:09 AM, David Chadwick <d.w.chadwick@verifiablecredentials.info<mailto:d.w.chadwick@verifiablecredentials.info>> wrote: Hi Justin the point I am making is that the message created by the Client must be received by the ultimate recipient, knowing that the Client created it and that the ultimate recipient is the intended recipient. In the current flow both recipients know they are the intended recipients, but also know that different clients are talking to them. Thus any solution must have the message originator cryptographically protecting both the sender and recipient addresses. Once you do this, you thwart the current vulnerability. Kind regards David On 05/06/2021 15:51, Justin Richer wrote: Hi David, I think it’s similar to message forwarding, but there’s one important difference — the AAS already is modifying the message to HAS. It doesn’t need to forward the complete message from (2), it creates a brand new message in (3) and signs it with its own key. So the client knows it’s talking to AAS and vice versa, and AAS knows it’s talking to HAS and vice versa. What’s different is that AAS is able to take pieces out of the (valid) message from the client and make its own message out of those parts, and then get value out of that. But that does raise an interesting question: what if ASS :did: simply forward the signed message from the client to HAS? The signature method would need to protect the target of the HTTP request, but I think that should already be covered in most of the signature methods. We need to put some focus on these signature methods directly in the near future, so that’s something to keep in mind here. — Justin On Jun 5, 2021, at 8:26 AM, David Chadwick <d.w.chadwick@verifiablecredentials.info<mailto:d.w.chadwick@verifiablecredentials.info>> wrote: This attack is similar to surreptitious forwarding (message 3). One solution is for the sender (Client) to identify the recipient in message 2 so that it cannot be altered by the AAS when it creates message 3. The grant endpoint of the AS that the client instance is talking to would seem to fit this solution Kind regards David On 04/06/2021 15:59, Justin Richer wrote: This week, some researchers reached out to the editors to describe an attack against GNAP in the front channel that’s inherited from OAuth 2. I will describe the attack, list out its preconditions, and then describe a proposed solution space. We’re looking for input and feedback from the group on managing this solution. But first, many thanks to Åke Axeland and Adam Omar Oueidat for doing this analysis, putting together the diagram below, and bringing it to the group’s attention. The attack is largely the same as one of the “AS Mix Up” attack cases in "Comprehensive Security Analysis of OAuth 2.0” by Daniel Fett and colleagues. It’s a kind of in-the-middle and/or phishing attack at its core. The attacker has their own authorization server (AAS) which can also act as a client instance. An uncompromised client (UC) instance and an uncompromised authorization server (HAS) are assumed. There is no compromise of secret keys or breaking of TLS in this attack. 1. UC is a client of AAS, and might also be a client of HAS. User wants to authorize at HAS but tells UC to use AAS. 2. UC starts a request at AAS, signed with UC’s key. AAS is imitating HAS. 3. AAS forwards UC’s request parameters (Client nonce, interaction finish URI) to HAS, but signed with AAS’s key. 4. HAS responds with an interaction start URL and server nonce to AAS 5. AAS forwards the interaction start URL and server nonce to UC 6. (Note) HAS is functionally telling the user to show up and interact, but doesn’t realize that the request is being proxied in this way. 7. UC launches interaction start url, which is a function of HAS 8. HAS returns the verification hash and interaction reference to UC 9. UC validates the hash (which is correct) and sends the interaction reference to AAS 10. AAS forwards the interaction reference to HAS 11. AAS receives an access token for calling an RS protected by HAS. The client receives no access token. The diagram from the researchers is attached here. I’ll be using the numbers in the text list here like (1) to refer to specific steps. <PastedGraphic-2.png> Some preconditions and analysis: Step (1) is made easier if the client has choice over which AS to talk to for a given request, since that’s how it starts talking to AAS instead of HAS. The danger of allowing a client to choose its AS at runtime has been discussed, but it’s a known pattern that we can’t expect to go away. AAS is treated as a legitimate client of HAS and UC is a legitimate client of AAS. While dynamic clients can exacerbate this problem at runtime, at no time does HAS always knows the requests are coming from AAS and UC always knows it’s talking to AAS. There is no cryptographic impersonation and no theft of keys. The attack occurs because the user and client think they’re dealing with different AS’s, and you can’t expect a user to always be able to tell them apart, especially when the backend calls like (2) are hidden. It’s assumed that the user actually wants to authorize UC for HAS, but UC talks to AAS instead because of configuration (1). AAS can imitate HAS to the user to facilitate (1), and imitate UC to HAS, but only for human-facing portions (7). Static pre-registration makes this more difficult, assuming that all registrations are reviewed by humans. If HAS has no idea that UC exists, it wouldn’t necessarily know that AAS is impersonating anyone. The token at the end (11), assuming it’s a bound token, is only good with AAS’s key and not UC’s key. This is great for the attacker until UC starts to act funny and raise suspicion, since the process didn’t ever complete. With the OAuth attack, and with bearer tokens in GNAP, the token can be passed through to the UC making UC none the wiser. The hash validation (9) does not protect against this specific attack. Since AAS sits in the middle, it has access to the Client nonce from UC, the server nonce from AAS, and the interaction reference at the appropriate times. AAS doesn’t need to generate the hash, but can force HAS to generate an appropriate hash. The proposed mitigation(s): In OAuth 2, the accepted mitigation is to provide another query parameter with the “issuer” URL of the AS. We could do that here, but that would have the same downsides: the client has to check this value explicitly. Therefore we’re proposing that instead we use the existing validation hash algorithm and add an additional field. This would need to be something known to UC and HAS that can’t be impersonated by AAS, even if it’s known. Therefore, it makes sense to use something that’s derived. There are a few ideas of what to do here, each with benefits and drawbacks: - The grant endpoint of the AS that the client instance is talking to. - The continuation endpoint that the client instance will send the interaction reference to. (This might be different from the above) - The continuation access token value - A key hash for the AS the client is talking to (TLS key to one of these endpoints? Some other external key added to the mix?) The important thing here is that it’s a value that’s known but not a shared-secret that’s passed between parties. The client doesn’t need to check anything new, just needs to do the hash validation that it should be doing anyway. Requested feedback: The editors are requesting feedback and discussion on the attack and the proposed mitigation strategy. As a group, we would also benefit from additional formal analysis of the protocol with and without the mitigation in place. Additionally, we need to be sure we aren’t accidentally cutting off a legitimate use case, like AS bridges and proxies that aren’t trying to hide their presence. — Justin -- TXAuth mailing list TXAuth@ietf.org<mailto:TXAuth@ietf.org> https://www.ietf.org/mailman/listinfo/txauth -- TXAuth mailing list TXAuth@ietf.org<mailto:TXAuth@ietf.org> https://www.ietf.org/mailman/listinfo/txauth
- [GNAP] Mix Up Attack against GNAP Justin Richer
- Re: [GNAP] Mix Up Attack against GNAP David Chadwick
- Re: [GNAP] Mix Up Attack against GNAP Justin Richer
- Re: [GNAP] Mix Up Attack against GNAP Justin Richer
- Re: [GNAP] Mix Up Attack against GNAP David Chadwick
- Re: [GNAP] Mix Up Attack against GNAP David Chadwick
- Re: [GNAP] Mix Up Attack against GNAP Justin Richer
- Re: [GNAP] Mix Up Attack against GNAP David Chadwick
- Re: [GNAP] Mix Up Attack against GNAP Warren Parad
- Re: [GNAP] Mix Up Attack against GNAP David Chadwick
- Re: [GNAP] Mix Up Attack against GNAP Justin Richer
- Re: [GNAP] Mix Up Attack against GNAP Justin Richer
- Re: [GNAP] Mix Up Attack against GNAP David Chadwick
- Re: [GNAP] Mix Up Attack against GNAP Justin Richer