Re: [GNAP] RS validation of access tokens

Justin Richer <jricher@mit.edu> Tue, 22 August 2023 14:48 UTC

From: Justin Richer <jricher@mit.edu>
To: GNAP Mailing List <txauth@ietf.org>
Thread-Topic: [GNAP] RS validation of access tokens
Date: Tue, 22 Aug 2023 14:47:59 +0000
Message-ID: <5BFDBC7F-C24D-474D-A699-BEA7DE333831@mit.edu>
References: <42276B6A-3792-44FD-97A5-A75F6280831A@mit.edu>
In-Reply-To: <42276B6A-3792-44FD-97A5-A75F6280831A@mit.edu>
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/PNuULCy8Wt82WDS66ShJZDivDW0>
Subject: Re: [GNAP] RS validation of access tokens

This issue was discussed today at the OAuth Security Workshop; I was in attendance along with three of the researchers who had proposed the issue into GitHub. Fundamentally, we came to the understanding that the security property being modeled under attack was not fundamental to GNAP, but it does warrant a reasonable set of warnings for implementors to avoid accidentally stumbling into it.

The proposed outcome is to write or clarify three main points:

- Call out more clearly that a token with an AS-provided key has some of the same attack surfaces as a bearer token. While such a token could not be used directly by the RS, it can be captured and replayed to an unwitting client application by an attacker, with the key intact. Warnings against using and accepting AS-provided keys will be written up. Currently the feature will remain in the core specification with these warnings in the RS draft, though this may warrant a specific cross reference added to core.

- As proposed in the issue below by Yaron, a new section will be written in the RS draft describing the importance of AS choice for token validation and acceptance.

- A new security consideration section in the RS draft that discusses the token substitution attack, the circumstances under which it can occur, and the tradeoffs for those circumstances.


If you have input into any of these items, please suggest text that might help.

Thank you,
 — Justin



On Jul 29, 2023, at 5:54 AM, Justin Richer <jricher@mit.edu> wrote:

As discussed in the meeting today, the following issue raises a question on the security properties of the RS processing tokens during a specific kind of attack:

https://github.com/ietf-wg-gnap/gnap-resource-servers/issues/56

While the editors believe that this can be addressed sufficiently with a security consideration, the conversation in the room indicated that there is further discussion that needs to be had first. The editors and chairs are planning to reach out to the research team that filed the issue for clarification. With the OAuth Security Workshop coming up, this might prove a good opportunity to discuss the issue with the security and research community. The editors will bring the results of those discussions back to the list.

If you have something to add to the attack and model as described, please add to the discussion on the GitHub issue.

 — Justin
--
TXAuth mailing list
TXAuth@ietf.org
https://www.ietf.org/mailman/listinfo/txauth
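As an added example (not code from this thread, the GNAP drafts, or their authors), here is one way an RS could encode the three points in Justin's message as an explicit acceptance policy: act only on introspection answers from an AS the RS has chosen to trust, refuse tokens bound to an AS-provided key by default because token and key can be captured and replayed together, and require the presenter to hold the key a key-bound token is tied to. The `active`, `flags` and `key` fields loosely follow the shape of a GNAP token description; `key_origin`, `thumbprint`, the AS identifier and the introspection answers are constructed for this example and are not taken from any specification.

```python
"""RS-side acceptance policy for access tokens (added example, not from the thread).

Assumed setup: the RS has already obtained an introspection answer for the
presented token from an AS it selected, and has already verified the client's
proof of possession for some key, yielding `presented_thumbprint`. The field
`key_origin` is an assumed marker saying who minted the bound key.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass(frozen=True)
class RsPolicy:
    """What this RS is willing to accept; all values are RS configuration."""
    trusted_as: FrozenSet[str]             # AS identifiers whose answers we act on
    accept_bearer: bool = False            # plain bearer tokens
    accept_as_provided_keys: bool = False  # token and AS-minted key travel together


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def classify_token(introspection: dict) -> str:
    """Return 'bearer', 'as-provided-key' or 'client-key' for a token."""
    if "bearer" in introspection.get("flags", []):
        return "bearer"
    if introspection.get("key_origin") == "as":   # assumed marker, see docstring
        return "as-provided-key"
    return "client-key"


def evaluate(introspection: dict, as_id: str,
             presented_thumbprint: Optional[str], policy: RsPolicy) -> Decision:
    """Decide whether the RS acts on a token, given which AS vouched for it and
    the thumbprint of the key the presenter proved possession of."""
    # 1. AS choice: an answer from an AS the RS never configured is worthless,
    #    whatever it says about the token.
    if as_id not in policy.trusted_as:
        return Decision(False, "introspection answer came from an untrusted AS")
    # 2. The AS must still consider the token live.
    if not introspection.get("active", False):
        return Decision(False, "token is not active")
    kind = classify_token(introspection)
    # 3. Bearer tokens carry no proof of possession at all.
    if kind == "bearer":
        verdict = "accepted" if policy.accept_bearer else "refused"
        return Decision(policy.accept_bearer, f"bearer token {verdict} by policy")
    # 4. AS-provided keys: anyone who captures token and key together can present
    #    both, so the pair is handled like a bearer token unless policy opts in.
    if kind == "as-provided-key" and not policy.accept_as_provided_keys:
        return Decision(False, "token bound to an AS-provided key; refused like a bearer token")
    # 5. Key-bound tokens: the presenter must hold exactly the bound key.
    bound = (introspection.get("key") or {}).get("thumbprint")
    if bound is None or presented_thumbprint != bound:
        return Decision(False, "presented key does not match the key the token is bound to")
    return Decision(True, f"{kind} token accepted")


# Constructed values for the example; not real AS output.
TRUSTED = "https://as.example/introspect"
POLICY = RsPolicy(trusted_as=frozenset({TRUSTED}))
CLIENT_BOUND = {"active": True, "flags": [], "key": {"thumbprint": "kid-client-1"}, "key_origin": "client"}
AS_BOUND = {"active": True, "flags": [], "key": {"thumbprint": "kid-as-7"}, "key_origin": "as"}
BEARER = {"active": True, "flags": ["bearer"]}
REVOKED = {"active": False}


def run_samples() -> Dict[str, bool]:
    """Run the constructed cases through the strict default policy and an opt-in one."""
    lenient = RsPolicy(trusted_as=frozenset({TRUSTED}), accept_as_provided_keys=True)
    cases = {
        "client_key_match": evaluate(CLIENT_BOUND, TRUSTED, "kid-client-1", POLICY),
        "client_key_mismatch": evaluate(CLIENT_BOUND, TRUSTED, "kid-other", POLICY),
        "as_key_strict": evaluate(AS_BOUND, TRUSTED, "kid-as-7", POLICY),
        "as_key_opt_in": evaluate(AS_BOUND, TRUSTED, "kid-as-7", lenient),
        "bearer_strict": evaluate(BEARER, TRUSTED, None, POLICY),
        "revoked": evaluate(REVOKED, TRUSTED, "kid-client-1", POLICY),
        "untrusted_as": evaluate(CLIENT_BOUND, "https://rogue.example", "kid-client-1", POLICY),
    }
    return {name: d.accepted for name, d in cases.items()}


if __name__ == "__main__":
    for name, ok in run_samples().items():
        print(f"{name:20s} {'ACCEPT' if ok else 'REJECT'}")
```

The ordering of the checks matters: the AS allowlist is consulted before any property of the token is read, so a token vouched for by an AS the RS did not choose never reaches the key checks, and an AS-provided key is only honoured when the RS has deliberately opted in rather than by default.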