IETF Logo Mail Archive

Re: [OAUTH-WG] potential issues in draft-ietf-oauth-signed-http-request?

Justin Richer <jricher@mit.edu> Tue, 21 July 2015 15:25 UTC

Return-Path: <jricher@mit.edu>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1780C1A897B for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2015 08:25:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tNOGzZ4KYxTV for <oauth@ietfa.amsl.com>; Tue, 21 Jul 2015 08:25:18 -0700 (PDT)
Received: from dmz-mailsec-scanner-7.mit.edu (dmz-mailsec-scanner-7.mit.edu [18.7.68.36]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4CB501B2F8A for <oauth@ietf.org>; Tue, 21 Jul 2015 08:23:24 -0700 (PDT)
X-AuditID: 12074424-f79b46d000001e7f-a9-55ae63ea1e66
Received: from mailhub-auth-4.mit.edu ( [18.7.62.39]) (using TLS with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by dmz-mailsec-scanner-7.mit.edu (Symantec Messaging Gateway) with SMTP id 08.E1.07807.AE36EA55; Tue, 21 Jul 2015 11:23:23 -0400 (EDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by mailhub-auth-4.mit.edu (8.13.8/8.9.2) with ESMTP id t6LFNMt0020048; Tue, 21 Jul 2015 11:23:22 -0400
Received: from [10.55.3.183] ([31.30.2.5]) (authenticated bits=0) (User authenticated as jricher@ATHENA.MIT.EDU) by outgoing.mit.edu (8.13.8/8.12.4) with ESMTP id t6LFNILu017570 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Tue, 21 Jul 2015 11:23:20 -0400
Content-Type: multipart/alternative; boundary="Apple-Mail=_62EFE222-713B-4493-B558-26961687DD49"
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2102\))
From: Justin Richer <jricher@mit.edu>
In-Reply-To: <CA+k3eCQJxzjJ1RSuBRqdT77sj7JiLPHnJc=odO-020jk1n--wQ@mail.gmail.com>
Date: Tue, 21 Jul 2015 17:23:16 +0200
Message-Id: <D88E2176-20C2-4C0F-8150-0C77176090D1@mit.edu>
References: <CA+k3eCQJxzjJ1RSuBRqdT77sj7JiLPHnJc=odO-020jk1n--wQ@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
X-Mailer: Apple Mail (2.2102)
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleLIzCtJLcpLzFFi42IRYrdT132dvC7U4GyWxer/NxktTr59xebA 5LFkyU8mj7tHL7IEMEVx2aSk5mSWpRbp2yVwZdxZ9Iq1YEI3Y8Xl3WdYGhi7irsYOTkkBEwk tj9dwQhhi0lcuLeerYuRi0NIYDGTxKyFlxghnI2MEi9mb4bKLGeSWLO/jxmkhVkgQeLyw3lg 7bwCehI9574A2RwcwgKBEmt2M4GE2QRUJaavaQGzOYHC66f8YwexWYDiX9bsZAcpZxZQl2g/ 6QIxxUri/rkTYNOFBAIkdi86DGaLCOhL3H46hx3iUFmJrW9amSYwCsxCcsQsJEdAxLUlli18 zQxha0rs717OgimuIdH5bSLrAka2VYyyKblVurmJmTnFqcm6xcmJeXmpRbrmermZJXqpKaWb GMHh7qKyg7H5kNIhRgEORiUe3oqWtaFCrIllxZW5hxglOZiURHlvRK0LFeJLyk+pzEgszogv Ks1JLT7EKMHBrCTCeyISKMebklhZlVqUD5OS5mBREufd9IMvREggPbEkNTs1tSC1CCYrw8Gh JMF7LAmoUbAoNT21Ii0zpwQhzcTBCTKcB2h4E0gNb3FBYm5xZjpE/hSjopQ4rxNIQgAkkVGa B9cLS0evGMWBXhHmnQ9SxQNMZXDdr4AGMwENvjVrDcjgkkSElFQD40o5zcAVZ6a0mKSrbMx2 lFu/3SNpm55WjoX2lkWMVVzzZ07qe5Uwgb1t5v+cxS+vHRP6VrVY71f0I4Wl94v9fpzrmXJN L6RkhqVIek6zx9nAgKvbn9vfObVD0flSK8OCB5P3TktI0ppY9fvDFtGFi9Ye3Hpi7SyVRdNZ BLLZxLy/PchRZ115JUGJpTgj0VCLuag4EQBI7Bo2IgMAAA==
Archived-At: <http://mailarchive.ietf.org/arch/msg/oauth/-SmcNDrCShS8ECNsoeGeiDqNtvU>
Cc: "<oauth@ietf.org>" <oauth@ietf.org>
Subject: Re: [OAUTH-WG] potential issues in draft-ietf-oauth-signed-http-request?
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Jul 2015 15:25:22 -0000

Brian, thanks for reading through the document and setting fire to the strawman within.

Very good call on the hash inputs, I think you’re definitely right. I’m not sure how best to handle that apart from some kind of out-of-band delimiter. Maybe we should hash a dot-separated base64 encoded list? (I’m only half joking.)

The repeated/ordering problem is definitely one that would need to be sorted out (no pun intended). I think there’s some language in there that says that the ordering has to be the same, or that the server needs to be aware of it.

I wouldn’t be surprised if I fat-fingered in “client” in the wrong places a few times, too.

Also missing from the document: a means to communicate the JWT from the client to the RS. I envisioned it being in parallel to RFC6750, with the preferred method of being a header:


Authorization: Signed-Http eyj…. SIGNED JWT GOES HERE …. uyweWEafe23


With form and query parameters as other options. Note that adding this as a query parameter doesn’t screw up the signature calculation, since you have to specify which query parameters you signed.


 — Justin


> On Jul 21, 2015, at 4:19 PM, Brian Campbell <bcampbell@pingidentity.com> wrote:
> 
> I think I said, at the last meeting, that I would review draft-ietf-oauth-signed-http-request, which was maybe foolish of me, but I thought I should be timely and send something before the meeting tomorrow. Even though the document isn't on the agenda. 
> 
> Let me first say that I honestly don't know if this HTTP signing is the right approach or not for presenting some kind of 'better than bearer' access tokens to the RS. As such, I don't intend my reading/review of the document as either an endorsement of it or opposition to it. 
> 
> That said, I did notice a couple of potential security or interoperability issues that I wanted to raise.
> 
> Following the description of calculating the query parameter list and hash <https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01#section-3.2> and validating the query parameter list and hash <https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01#section-4.1> (text of both copied below) it seems like different query strings could result in the same hash value. For example,
> 
> The query string ?foo=bar%3D&bar= processed in order shown there would have a names list of ["foo", "bar"] and parameters of
>  foo=bar=
>  bar=
> and the hash would be of
>  foo=bar=bar=
> 
> While the different query string ?foo=&bar=bar%3D processed in the same order, left to right, would have the same names list of ["foo", "bar"] and parameters of 
>  foo=
>  bar=bar=
> and the hash would be of
>  foo=bar=bar=
> 
> It's a made up example but seems to show that different content in the query string can sometimes be manipulated to produce the same hash. I don't have an exploit in mind but the bad guys are smarter than me. And it's probably just generally the kind of thing a security related protocol shouldn't allow for. 
> 
> Or am I misunderstanding something?
> 
> Seems like encoding and delimitation need to be explicitly handled in whatever way the query parameters are dealt with. There's already a [[]] in there that hints at the possibility. 
> 
> The text also says "repeated parameter names are processed separately with no special handling" but, for that to work, doesn't it require that the client and server process repeated parameters in the same order?
> 
> I think the header list and hash likely has similar issues as it's basically the same approach.
> 
> As I look at the text again, shouldn't the 4.x sections talk about the server or resource server rather than the client?
>  
>  
> 3.2 <https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01#section-3.2>.  Calculating the query parameter list and hash
> 
> 
> 
>    To generate the query parameter list and hash, the client creates two
>    data objects: an ordered list of strings to hold the query parameter
>    names and a string buffer to hold the data to be hashed.
> 
>    The client iterates through all query parameters in whatever order it
>    chooses and for each query parameter it does the following:
> 
> 
>    1.  Adds the name of the query parameter to the end of the list.
> 
>    2.  Encodes the name and value of the query parameter as "name=value"
>        and appends it to the string buffer.  [[Separated by an
>        ampersand?  Alternatively we could have this also pulled into an
>        ordered list and post-process the concatenation, but that might
>        be too deep into the weeds. ]]
> 
>    Repeated parameter names are processed separately with no special
>    handling.  Parameters MAY be skipped by the client if they are not
>    required (or desired) to be covered by the signature.
> 
>    The client then calculates the HMAC hash over the resulting string
>    buffer.  The list and the hash result are added as the value of the
>    "p" member.
> 
> 
> 
> 4.1 <https://tools.ietf.org/html/draft-ietf-oauth-signed-http-request-01#section-4.1>.  Validating the query parameter list and hash
> 
> 
> 
>    The client has at its disposal a map that indexes the query parameter
>    names to the values given.  The client creates a string buffer for
>    calculating the hash.  The client then iterates through the "list"
>    portion of the "p" parameter.  For each item in the list (in the
>    order of the list) it does the following:
> 
>    1.  Fetch the value of the parameter from the HTTP request parameter
>        map.  If a parameter is found in the list of signed parameters
>        but not in the map, the validation fails.
> 
>    2.  Encode the parameter as "name=value" and concatenate it to the
>        end of the string buffer. [[same separator issue as above.]]
> 
>    The client calculates the hash of the string buffer and base64url
>    encodes it.  The client compares that string to the string passed in
>    as the hash.  If the two match, the hash validates, and all named
>    parameters and their values are considered covered by the signature.
> 
>    There MAY be additional query parameters that are not listed in the
>    list and are therefore not covered by the signature.  The client MUST
>    decide whether or not to accept a request with these uncovered
>    parameters.
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email