Re: [GNAP] Defense protection

Alan Karp <alanhkarp@gmail.com> Sat, 29 May 2021 05:46 UTC

Return-Path: <alanhkarp@gmail.com>
X-Original-To: txauth@ietfa.amsl.com
Delivered-To: txauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD8C93A134D for <txauth@ietfa.amsl.com>; Fri, 28 May 2021 22:46:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ud4pr-mkS_h6 for <txauth@ietfa.amsl.com>; Fri, 28 May 2021 22:45:59 -0700 (PDT)
Received: from mail-qk1-x72e.google.com (mail-qk1-x72e.google.com [IPv6:2607:f8b0:4864:20::72e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 543DA3A1342 for <txauth@ietf.org>; Fri, 28 May 2021 22:45:59 -0700 (PDT)
Received: by mail-qk1-x72e.google.com with SMTP id h20so6277902qko.11 for <txauth@ietf.org>; Fri, 28 May 2021 22:45:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=IAOJd3RRSCIOo8LBqS8KctuaaBEW4OimwKr6IWL5FFw=; b=B0ovhfeQiBEhEVjbNG2c4uIl8Msa6o1JDWfVvf4cvpuyEFHa2OkDWmf/Po+e3i4+KM hGOnLhRIY5AfUSm5iWql+Q50FtJt8aDd7WIfnjbB+LoFsMq2MtuBuSAd36hatOAtdVsj /rqILQCWA0yC/wqQnN370BoIwNi1K04Xz8o9czIEmDao7I1dw+DqC6Y03lW7PQIEbdzt UIrHUBAh0AbxMKA8z6q2wP5DCuwc7utBVHCc7gZGxeXPvdAJP70RB+B2t4DmYOPIVAH3 HopAqQdHvxnYyd+81asUfU7riKq5jWCcC6Q7YEm873ovHBRTtQ+pwD0kQ4rORfNA0+7I IJAA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=IAOJd3RRSCIOo8LBqS8KctuaaBEW4OimwKr6IWL5FFw=; b=OsnOqoWF1ns2Xpxj/1cvkeaVugSPEOFFlk2Yh0pl2du/00qAadHgHqUtyYtMjIyHqI PtzMzwlPZqetrV+ukHY6oXZrIyxcWrPavn/VIf5VcIXEtXUXLt9iE0TU2/q7BK+om2NN fTs36f5V3FTmiGntGujV6NspV8GJYIetYsfHy1IwGYHNn79Fbd3vxg3ch8R76CF74JMb mAxHp63Jugil6F+vwBPQUsNBYeXoj2RyeCexSRYKeuTLiB5R0Hp2zdQDkTBkJ6e3xlnF oSgOnwnwp5x1tUtLJwuwJCQc4ltd8fPRTLVwO+XmP5PzOEVrmjovKz5lVpyCIpk245GK jiRQ==
X-Gm-Message-State: AOAM532Mg5IUMKTLX4XiP1oP0pXXi5jXnTuGCgYvQnNPcU2MntiFivf3 Ubvk/w/LErWjytNbsPo1I8zG867/pALe9yJEBXo=
X-Google-Smtp-Source: ABdhPJz2z14vMNZrV14WFdzi47HxelFbRgSaj7vNGOLts9OQrUX8IFfSrh1gmHZiRe2YjNGs8Bxoc/T+ADT80JVn57g=
X-Received: by 2002:a05:620a:24cf:: with SMTP id m15mr7023068qkn.435.1622267157848; Fri, 28 May 2021 22:45:57 -0700 (PDT)
MIME-Version: 1.0
References: <CAHbuEH49sZjKvE0JVsa39WuFG83FbBcQQAyXH-V8TNGt-b-wtw@mail.gmail.com> <CANYRo8iiR-ukwWKQzVz2w4_P3wYdokpDecPSL=edfNLnKrEfng@mail.gmail.com> <CAHbuEH7MNvPwK5Yr=Uy=fE5i5-xe5=XyzbTZPZcb6hHA7=TueA@mail.gmail.com> <CANYRo8i1YkDtno=SY=GrMQoNKPNXAohjKNOYz6+EZJU1wyG7wg@mail.gmail.com>
In-Reply-To: <CANYRo8i1YkDtno=SY=GrMQoNKPNXAohjKNOYz6+EZJU1wyG7wg@mail.gmail.com>
From: Alan Karp <alanhkarp@gmail.com>
Date: Fri, 28 May 2021 22:45:45 -0700
Message-ID: <CANpA1Z0S=2wBkJ0=yeZpeBGxzF1s=qMZ4riLML3bnpPhgW6daA@mail.gmail.com>
To: Adrian Gropper <agropper@healthurl.com>
Cc: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, GNAP Mailing List <txauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000aca57105c3718185"
Archived-At: <https://mailarchive.ietf.org/arch/msg/txauth/SCySyM8GcmRfJvBDt52PMwZNoz8>
Subject: Re: [GNAP] Defense protection
X-BeenThere: txauth@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: GNAP <txauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/txauth>, <mailto:txauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/txauth/>
List-Post: <mailto:txauth@ietf.org>
List-Help: <mailto:txauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/txauth>, <mailto:txauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 29 May 2021 05:46:05 -0000

On Fri, May 28, 2021 at 1:09 PM Adrian Gropper <agropper@healthurl.com>
wrote:

> Thanks to Alan Karp, I have come to believe that delegation is essential
> and GNAP needs to speak of capabilities as first-class tokens and encourage
> their use.  This will become the main driver for adoption of GNAP over SAML
> or OAuth.
>

I would say attenuated delegation instead of just delegation.  Revocation
is important, too.

--------------
Alan Karp


On Fri, May 28, 2021 at 1:09 PM Adrian Gropper <agropper@healthurl.com>
wrote:

> Thanks to Alan Karp, I have come to believe that delegation is essential
> and GNAP needs to speak of capabilities as first-class tokens and encourage
> their use.  This will become the main driver for adoption of GNAP over SAML
> or OAuth.
>
> - Adrian
>
>
>
> On Fri, May 28, 2021 at 3:51 PM Kathleen Moriarty <
> kathleen.moriarty.ietf@gmail.com> wrote:
>
>> Hi Adrian,
>>
>> Thanks for your interest!
>>
>> This is a helpful link that describes how the attackers were able to
>> bypass MFA by stealing the signing key for SAML assertions:
>>
>> https://www.darkreading.com/attacks-breaches/solarwinds-campaign-focuses-attention-on-golden-saml-attack-vector/d/d-id/1339794
>>
>> https://owasp.org/www-chapter-singapore/assets/presos/Deconstructing_the_Solarwinds_Supply_Chain_Attack_and_Deterring_it_Honing_in_on_the_Golden_SAML_Attack_Technique.pdf
>>
>> I did read one that was a bit better, but can't find the link at the
>> moment.
>>
>> And one on shared OAuth credentials/token issuance:
>>
>> https://www.csoonline.com/article/3607348/how-to-defend-against-oauth-enabled-cloud-based-attacks.html
>>
>> It would be good to think about attack vectors and if not prevention,
>> minimally detection.
>>
>> Best regards,
>> Kathleen
>>
>> On Fri, May 28, 2021 at 3:41 PM Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> Hi Kathleen,
>>>
>>> I am not aware of the attacks on SAML and OAuth and would appreciate a
>>> link or two.
>>>
>>> I hope we can provide guidance on how GNAP can facilitate Zero Trust
>>> Architecture and believe that includes guidance on how to audit various
>>> things as systems use GNAP protocols to separate concerns among independent
>>> actors.
>>>
>>> Count me in for a brainstorming sessio,
>>>
>>> - Adrian
>>>
>>>
>>> On Fri, May 28, 2021 at 3:29 PM Kathleen Moriarty <
>>> kathleen.moriarty.ietf@gmail.com> wrote:
>>>
>>>> Hello!
>>>>
>>>> In light of recent attacks against SAML and OAuth, I'd like to see what
>>>> defense mechanisms and detection could be built into the spec.  One example
>>>> would be from the recent SAML attack.  If there was a detection of
>>>> instances of authorization without authentication, the SAML attack used in
>>>> SolarWinds might have been detected sooner.
>>>>
>>>> If you think along the lines of fraud detection, where you detect
>>>> unusual events, there may be some specific to GNAP that could enable early
>>>> detection of abuse, misuse, or exploits.
>>>>
>>>> Are there some planned?  Would people like to brainstorm on this?
>>>> Thanks!
>>>>
>>>>
>>>> --
>>>>
>>>> Best regards,
>>>> Kathleen
>>>> --
>>>> TXAuth mailing list
>>>> TXAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/txauth
>>>>
>>>
>>
>> --
>>
>> Best regards,
>> Kathleen
>> --
>> TXAuth mailing list
>> TXAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/txauth
>>
>