Re: [VoT] Security Problem with Primary Credential Usage

Josh Howlett <Josh.Howlett@jisc.ac.uk> Fri, 13 May 2016 16:13 UTC

Return-Path: <josh.howlett@jisc.ac.uk>
X-Original-To: vot@ietfa.amsl.com
Delivered-To: vot@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4B8012D187 for <vot@ietfa.amsl.com>; Fri, 13 May 2016 09:13:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.11
X-Spam-Level:
X-Spam-Status: No, score=-4.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, T_DKIM_INVALID=0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=jisc365.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ON_O_ukujDad for <vot@ietfa.amsl.com>; Fri, 13 May 2016 09:13:36 -0700 (PDT)
Received: from eu-smtp-delivery-189.mimecast.com (eu-smtp-delivery-189.mimecast.com [146.101.78.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 020E612D5B1 for <vot@ietf.org>; Fri, 13 May 2016 09:13:34 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1lrp0017.outbound.protection.outlook.com [213.199.154.17]) (Using TLS) by eu-smtp-1.mimecast.com with ESMTP id uk-mta-59-qwhJ_QurTBKoFsTOSEvq3g-1; Fri, 13 May 2016 17:13:28 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jisc365.onmicrosoft.com; s=selector1-jisc-ac-uk; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=sqOufKWvR/f1xN4KVmUzQx/xOS8PuDDjh0KDzqqPm9A=; b=gZLeaxH0C+Rb7sRbDDYcFemSQFPMZDNovfd4UcMU6K8r9HvuEtW9vz6fYxJRTb7MrF07SF8KqcPEfOgElHNx/SHqxWWIWc3js0Jp/hqqzIFIYzYc3aRsSbQinUicwHTJGlYVQf4G8CZqZxnhOM+9glcuJ5UryuKqVmhJjQX7Q1c=
Received: from VI1PR07MB1581.eurprd07.prod.outlook.com (10.165.239.15) by VI1PR07MB1583.eurprd07.prod.outlook.com (10.165.239.17) with Microsoft SMTP Server (TLS) id 15.1.492.11; Fri, 13 May 2016 16:13:25 +0000
Received: from VI1PR07MB1581.eurprd07.prod.outlook.com ([10.165.239.15]) by VI1PR07MB1581.eurprd07.prod.outlook.com ([10.165.239.15]) with mapi id 15.01.0492.019; Fri, 13 May 2016 16:13:25 +0000
From: Josh Howlett <Josh.Howlett@jisc.ac.uk>
To: Andrew Hughes <andrewhughes3000@gmail.com>
Thread-Topic: [VoT] Security Problem with Primary Credential Usage
Thread-Index: AQHRqSSZNX95Tb3iV0+BTBvWy0upq5+1f7EAgAAq7oCAAAEPAIAA2vOAgAAgQICAABdwAIAAA64AgAAVwQCAAAG3kIAAKI6AgAACMHA=
Date: Fri, 13 May 2016 16:13:25 +0000
Message-ID: <VI1PR07MB15811A0CAFF132D7B52B21E1BC740@VI1PR07MB1581.eurprd07.prod.outlook.com>
References: <1523279479.20160508222427@CryptoPhoto.com> <CAL4gWiJDg4CDFpwGm-AAJXig9f8HXYNyCRUrm+yirs5ntSfiNw@mail.gmail.com> <753DBE1F-3891-4BB6-811B-5B8682A81A28@mit.edu> <CAL4gWiJJtsEPk=5+vrtQpx4zsV04jjtZPh0CpxZs7cPBJxJa5w@mail.gmail.com> <CAL4gWiLS+Z15QApwLTiLw4rT8xQW4ALQL5aP6BD0=m6RxvMLSg@mail.gmail.com> <329351357.20160513194821@CryptoPhoto.com> <CAL4gWiJm0xY9Zbh=P-BELnTjJdDQu6=WX0enkdPPdRvHdU6w7A@mail.gmail.com> <VI1PR07MB1581074E9D3A21A52322C9E7BC740@VI1PR07MB1581.eurprd07.prod.outlook.com> <CAL4gWiLbRvkgLMGrzdW_Cg8GOnJYLT4z_hUeS8aPfhf-LiSTkw@mail.gmail.com> <VI1PR07MB15810CFDA10B2E5B0F3B4E88BC740@VI1PR07MB1581.eurprd07.prod.outlook.com> <CAGJp9UYo=Wmc7r8y_pbcEF+6sRXa8bB5R_HeRq6eb-u5G_AXvw@mail.gmail.com>
In-Reply-To: <CAGJp9UYo=Wmc7r8y_pbcEF+6sRXa8bB5R_HeRq6eb-u5G_AXvw@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [86.177.159.161]
x-ms-office365-filtering-correlation-id: d8a70ab8-bba4-44b0-ec11-08d37b498353
x-microsoft-exchange-diagnostics: 1; VI1PR07MB1583; 5:R5NhinLEBpXO4Xj7nVqzz+XBWULqUPUtNqCpGS2qcV1BqgcU6KJysfbIUqScrLl0AXv/icXl+EYaInpfZMiShAnrONwYh+fvrPnv0ZlRkCdVQqnDH5+ZRJJ48rSBhphSZ1Dtm0+R2najmkKqTYydUw==; 24:hSm6j/wzLN183ikzCg/fhIgEtmo/hdyqxuEd6SrFIFGBOcoFkg63YvNhBJdO7vqU7wN0hoUjebkBmXh+UCt1LI4FljmXm4HaPm9qfbhP2Ck=; 7:sZ9gi1MWS51zeL03qb4FywC+zSZc707CeHVazzCXp7Bhg1mFViEhpB7VN1hGXpLXYTLvjT5le2QnqR1xAPt/DXxFbU4W4mrkEGsQnzH5AUgX4l+/BjH4Vn91FA6zPozoxcJ5+fslUOQTAPqlxiHkBbq8qocM4eugvsJrXXJiOX1jlsKxrK9en3ELK5x+zEqz; 20:IzByuoEZQHkw4f9EMEibC4ya2qIrgAJ7EmXhqpN53R+E0bXJS/ubVWLHtlnr6Lc26D50BBTWgRBcAvunlF0ARFneeAh4H+cr2jIZQyMyn8RLCORNSt155VdHU7OjobbXKd6G0NWy7d7S/7zbdk6NoZWVDC423Zw0ha7pLbZsiQo=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:VI1PR07MB1583;
x-microsoft-antispam-prvs: <VI1PR07MB1583A91A0367C58E96A723F3BC740@VI1PR07MB1583.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(220618547472400);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046); SRVR:VI1PR07MB1583; BCL:0; PCL:0; RULEID:; SRVR:VI1PR07MB1583;
x-forefront-prvs: 0941B96580
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(53754006)(377454003)(24454002)(76576001)(5004730100002)(790700001)(3846002)(102836003)(93886004)(6116002)(86362001)(76176999)(54356999)(50986999)(106116001)(11100500001)(586003)(66066001)(1220700001)(1411001)(2950100001)(2900100001)(87936001)(92566002)(3660700001)(2906002)(110136002)(5008740100001)(189998001)(7110500001)(15975445007)(74316001)(15650500001)(3280700002)(4326007)(77096005)(19300405004)(16236675004)(2420400007)(1680700002)(19617315012)(81166006)(33656002)(8936002)(19625215002)(551544002)(5002640100001)(5890100001)(122556002)(19580395003)(5003600100002)(74482002)(551934003)(8676002)(19580405001)(9686002)(16601075003); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR07MB1583; H:VI1PR07MB1581.eurprd07.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
MIME-Version: 1.0
X-OriginatorOrg: jisc.ac.uk
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 May 2016 16:13:25.4266 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 48f9394d-8a14-4d27-82a6-f35f12361205
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB1583
X-MC-Unique: qwhJ_QurTBKoFsTOSEvq3g-1
Content-Type: multipart/alternative; boundary="_000_VI1PR07MB15811A0CAFF132D7B52B21E1BC740VI1PR07MB1581eurp_"
Archived-At: <http://mailarchive.ietf.org/arch/msg/vot/otikOPIHRXnIcOiPGbEVeGG8kvo>
Cc: Chris <cnd@geek.net.au>, Julian White <jwhite@nu-d.com>, Justin Richer <jricher@mit.edu>, "vot@ietf.org" <vot@ietf.org>
Subject: Re: [VoT] Security Problem with Primary Credential Usage
X-BeenThere: vot@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Vectors of Trust discussion list <vot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/vot>, <mailto:vot-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/vot/>
List-Post: <mailto:vot@ietf.org>
List-Help: <mailto:vot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/vot>, <mailto:vot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 May 2016 16:13:48 -0000

Andrew,

I was responsible for the activity that developed eduGAIN, whose policy framework interconnects the R&E federations, and so I’m pretty familiar the R&E space at least ☺. And so we do have these examples, as you rightly point out, where discussions do happen but these tend to happen within the (typically sector-specific) pockets of operators, such R&E, and not between them. That’s the forum we need if we’re ever going to serve the “open internet”.

Josh.

From: Andrew Hughes [mailto:andrewhughes3000@gmail.com]
Sent: 13 May 2016 16:15
To: Josh Howlett <Josh.Howlett@jisc.ac.uk>;
Cc: Julian White <jwhite@nu-d.com>;; Chris <cnd@geek.net.au>;; vot@ietf.org; Justin Richer <jricher@mit.edu>;
Subject: Re: [VoT] Security Problem with Primary Credential Usage

Josh: the discussion about compatible policy frameworks does already take place, typically under the names: trust framework, federation agreements, inter-federation. You see elements of this in national schemes in NZ, US, UK, EU, CA and others - perhaps less so right now on the 'open internet' , but there's work happening in a number of pockets on this (R&E is quite advanced).

The semantic compatibility is coming soon-ish. There's a convergence underway on standardization of descriptions for roles, responsibilities, business functions and business processes for identification, authentication, authorization and access control systems ("Identity Systems"). I'm contributing to diacc.ca<http://diacc.ca> and kantarainitiative.org<http://kantarainitiative.org> along these lines, and starting to learn what ISO/IEC JTC 1 SC 27 WG 5 (Identity and Privacy) is developing.

andrew.


Andrew Hughes CISM CISSP
Independent Consultant
In Turn Information Management Consulting

o  +1 650.209.7542
m +1 250.888.9474
1249 Palmer Road,
Victoria, BC V8P 2H8
AndrewHughes3000@gmail.com<mailto:AndrewHughes3000@gmail.com>
ca.linkedin.com/pub/andrew-hughes/a/58/682/<http://ca.linkedin.com/pub/andrew-hughes/a/58/682/>
Identity Management | IT Governance | Information Security

On Fri, May 13, 2016 at 7:57 AM, Josh Howlett <Josh.Howlett@jisc.ac.uk<mailto:Josh.Howlett@jisc.ac.uk>> wrote:
Julian,

Yes, but note that (2) is actually an instance of (1), but where the number of parties happens to be greater than two. The choice of whether to use an internal or external registry is just an operational question. However, I don’t think this makes VoT superfluous: it still has value as a way of signalling alternate semantics defined within the trustmark agreement.

This does, however, suggest to me that VoT has limited utility when working across arbitrary trustmark agreements. And so to be candid, and without wishing to sound dispiriting, I suspect that working on the technical signalling without understanding how these agreements can be bound together is possibly premature; at least if you want something of general utility. More attention is needed on composable policy frameworks having compatible semantics, linked to an underlying legal architecture that works transitively across those agreements. Being the IETF, I understand that this probably isn’t the venue for that discussion ☺

Josh.

From: Julian White [mailto:jwhite@nu-d.com<mailto:jwhite@nu-d.com>]
Sent: 13 May 2016 13:43
To: Josh Howlett <Josh.Howlett@jisc.ac.uk<mailto:Josh.Howlett@jisc.ac.uk>>
Cc: Chris <cnd@geek.net.au<mailto:cnd@geek.net.au>>; vot@ietf.org<mailto:vot@ietf.org>; Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>>

Subject: Re: [VoT] Security Problem with Primary Credential Usage


Josh,

That is a good question, and equally applicable to how would an RP verify the claim of an IdP?

I think there are only a few usable options;

1) There is a direct relationship between the parties that assures the trustworthiness between themselves outside of the assertion and will only accept requests/responses from each other (via some means not defined here) - this kind of makes the VoT value superfluous since the answer is already known.

2) The trust schemes operate some sort of registry that the VoT links too - but then there also needs to be something that makes it impossible for me to impersonate a member of that scheme in the VoT, this is slightly more challenging.

Does that make sense?

Julian

On 13 May 2016 at 12:26, Josh Howlett <Josh.Howlett@jisc.ac.uk<mailto:Josh.Howlett@jisc.ac.uk>> wrote:
How does the IdP verify the RP’s authority to claim compliance?

From: vot [mailto:vot-bounces@ietf.org<mailto:vot-bounces@ietf.org>] On Behalf Of Julian White
Sent: 13 May 2016 12:12
To: Chris <cnd@geek.net.au<mailto:cnd@geek.net.au>>
Cc: vot@ietf.org<mailto:vot@ietf.org>; Justin Richer <jricher@mit.edu<mailto:jricher@mit.edu>>
Subject: Re: [VoT] Security Problem with Primary Credential Usage

Chris,

Yes I see your point, so the RP should assert with which trustmarks it complies too?

Regards,

On 13 May 2016 at 10:48, Chris <cnd@geek.net.au<mailto:cnd@geek.net.au>> wrote:
Hi Julian,

It is like I said at the start.  The entirety of the trustmark idea evaluates to one single strength - everything is equally untrustworthy, because it's all only unidirectional.

You can't solve trust without fixing BOTH ends.  It is a two-way street.  For as long as a user and proxy are indistinguishable, C0 == Ca == Cb == Cd == Ce == Cf.

I know it sounds like a little problem, but so was the debris on that last Concorde's runway.  This is the show stopper.

Chris.



Friday, May 13, 2016, 5:52:55 PM, you wrote:

Justin,

For my own clarity, can the RP pass a request for a specific trustmark, or list of trustmarks that it will accept? The text seems to imply that they will get whatever trustmark the IdP sends and have to make a decision based on that each time. In reality, since the evaluation of the trustmark is a cumbersome manual process I suspect RP's will whitelist trustmarks that they will accept so then it seems inefficient for and IdP to return a response under a trustmark the RP won't accept.

Thanks,

Julian.

On 12 May 2016 at 19:49, Julian White <jwhite@nu-d.com<mailto:jwhite@nu-d.com>> wrote:
That makes sense, tho that didn't come across in the description of the trustmark.
Julian
On 12 May 2016 19:45, "Justin Richer" <jricher@mit.edu<mailto:jricher@mit.edu>> wrote:
We explicitly left those kinds of things out of the vector as they’d really be related to the IdP itself and not the authentication transaction to which the VoT refers. In other words, the security of the IdP is related to the trust framework and assessment of the IdP and it can be published as part of the IdP’s discovery documents and associated trust marks. This is information that is going to remain the same regardless of the transaction.

This is also part of why you need to have a trustmark context to interpret the VoT in.

— Justin

On May 12, 2016, at 11:11 AM, Julian White <jwhite@nu-d.com<mailto:jwhite@nu-d.com>> wrote:

Hi,

I have a number of comments and questions (see attached), many of which are related to the issues raised by Chris, some maybe my misunderstanding coming in half way through the drafting tho.

I, like Chris, also think there needs to be something more explicit around the "security" of the IdP authentication which includes the measures to try and detect 'odd' things (like MITM). I would also go one step further in that I also want to know about the maturity of the IdP's "security", its of no use to me if they have really good credentials but store all the data in the clear on their website or have a load of administrative back-doors that could let anyone generate a valid authentication response.

It feels like we need to do more work in this area.

Regards,

Julian.

On 8 May 2016 at 13:24, Chris <cnd@geek.net.au<mailto:cnd@geek.net.au>> wrote:
Hi All,

I think there is a critical flaw in section 3.2 of https://tools.ietf.org/html/draft-richer-vectors-of-trust-02 (Primary Credential Usage)

Mutual-authentication is missing.  When no provision is made to prevent man-in-the-middle, credential harvesting, spoof, phishing, malware, or other common threats, this renders all possible vectors C0, Ca, Cb, Cd, Ce, Cf, and others equally untrustworthy.

We should consider inclusion either for the overall strength of the authentication process, or some breakdown of either all the techniques used or the strength of protection employed to thwart at least common attack scenarios.

This problem gets tricky quite fast:

Do we identify the authentication technology vendor? (if yes - who works out their resistance strength to common attacks?  what about different modes?)
Do we broadly identify the techniques (whos opinions count as to whether or not the technique is effective and against what threats?)
Do we identify or classify the threats and indicate which ones were mitigated (who should be trusted to decide if these really were mitigated?)

For example - tamper-proof hardware digital certificate devices with biometrics unlocks are totally useless, if the user paid no attention to a broken SSL warning, or has malware.  They're also equally useless in most corporate environments that use deep-packet inspection firewalls - and "unexpected certificates" (eg. from DPI or malicious) carry their own privacy problems (eg: passwords are not as "protected" as you think).  Much more common authentication "protection" of course, are two-step or sms one time codes - which are equally useless when an end user can be tricked into revealing them to spoof sites.

91% of successful break-ins start from phishing.  Right now, every vector is pointing one way - we need at least one "Vector of Trust" to point back the other way!

How about a 5th vector - "S" for "Security", which somehow allows an RP a level of confidence in the protection afforded to the user's actual authentication process, in terms of (or at least considering) a wide range of (and all common) modern threats.

Chris.

_______________________________________________
vot mailing list
vot@ietf.org<mailto:vot@ietf.org>
https://www.ietf.org/mailman/listinfo/vot

<draft-richer-vectors-of-trust-02.docx>_______________________________________________
vot mailing list
vot@ietf.org<mailto:vot@ietf.org>
https://www.ietf.org/mailman/listinfo/vot



_______________________________________________
vot mailing list
vot@ietf.org<mailto:vot@ietf.org>
https://www.ietf.org/mailman/listinfo/vot


Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


_______________________________________________
vot mailing list
vot@ietf.org<mailto:vot@ietf.org>
https://www.ietf.org/mailman/listinfo/vot