Last Call Review of draft-ietf-ace-oauth-authz-27
review-ietf-ace-oauth-authz-27-secdir-lc-kent-2019-12-08-00

Request Review of draft-ietf-ace-oauth-authz
Requested rev. no specific revision (document currently at 45)
Type Last Call Review
Team Security Area Directorate (secdir)
Deadline 2019-12-13
Requested 2019-11-29
Authors Ludwig Seitz, Göran Selander, Erik Wahlstroem, Samuel Erdtman, Hannes Tschofenig
Draft last updated 2019-12-08
Completed reviews Secdir Last Call review of -27 by Stephen Kent (diff)
Genart Last Call review of -27 by Stewart Bryant (diff)
Secdir Telechat review of -41 by Phillip Hallam-Baker (diff)
Assignment Reviewer Stephen Kent 
State Completed
Review review-ietf-ace-oauth-authz-27-secdir-lc-kent-2019-12-08
Posted at https://mailarchive.ietf.org/arch/msg/secdir/QngyQ5jseC-p6Mq-umLX7DTFa9M
Reviewed rev. 27 (document currently at 45)
Review result Has Issues
Review completed: 2019-12-08

Review
review-ietf-ace-oauth-authz-27-secdir-lc-kent-2019-12-08

SECDIR review of draft-ietf-ace-oauth-authz-27
 
The summary of the review is almost ready, but needs some revisions.
 
I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written with the intent of improving security requirements and considerations in IETF drafts.  Comments not addressed in last call may be included in AD reviews during the IESG review.  Document editors and WG chairs should treat these comments just like any other last call comments.

This is a long document- 86 pages! It is a proposal for how to use OAuth 2.0 and CoAP to provide authorization security for Internet of Things (IoT) devices. IoT devices are often criticized as not being very secure, so this seems like a useful initiative. RFC 7228 (Technology for Constrained-Node Networks, and Informational document) is cited as inspiration and reference for this work. CoAP (RFC 7252) is expressly designed for the sort of environment that characterizes many IoT devices, hence is seems a natural choice for this authorization-focused framework. OAuth is not as obvious a candidate building block in this context, e.g., it is expressly designed for the HTTP context, yet CoAP is cited as the replacement for HTTP. This document adapts OAuth for the CoAp context.

This document has an extensive, 6-page Security Considerations section, appropriate for a document specifying an authorization framework. It begins by citing the OAuth 2.0 specification, the OAuth 2.0 threat model (RFC 6819), and OAuth 2.0 Token Introspection (RFC 7662).  All three of these documents are relevant, and they contain substantial Security Consideration sections. 

Section 6.1 deals with security for the tokens that are transmitted to convey authorization information. In general the requirements and advice provided here are good; I would prefer to see the admonition against use of a shared secret key for a group of serves to be a MUST NOT, as opposed to just NOT RECOMMENDED. I am not convinced that the suggestion for short lifetime tokens is necessary; we have seen how short duration certificate lifetimes and frequent CRL issuance in PKI contexts often is neither required nor advisable. This section ends by noting that only client-initiated revocation of tokens is addressed by RFC 7009. The authors note that revocation of long lifetime token remains an open issue. If this is likely to be a common case for IoT devices, leaving this as a TBD is not great.

Section 6.2 addresses communication security issues. The section opens by requiring an authorization server to offer confidentiality for client interactions, but the wording implies that a client need not make use of such protection. The reader is reminded that security requirements expressed in Section 5 of this document (a 25-page long section) MUST be addressed by a profile. I’d prefer to see references to specific parts of Section 5 that expressly addresses confidentiality, so that a reader can better understand when it is safe to reject the offer of confidentiality by a server. Encryption of CWTs is used as an example, which is appropriate because CBOR CWT is the default token format. The final paragraph of this section says that “developers MUST ensure that … ephemeral credentials … are not leaked to third parties.” This is good advice, but since adversaries are assumed to have physical access to IoT devices, the scope of this mandate is not clear. For example, is this text arguing for use of tamper-resistant hardware for storing private or session keys in IoT devices?

Section 6.3 focuses on long-term credentials. The sections begins by noting the challenges associated with providing protection for such credentials in devices in publicly-accessible locations, explicitly referring to specialized hardware. This a good, clear statement, not like the ambiguous MUST at the end of 6.2. The text requires that compromise of a credential at one device MUST NOT lead to compromise of other credentials not linked to the device in question. However, the next sentence says that sharing of secret (and, presumably, private) keys is NOT RECOMMENDED. This is a somewhat inconsistent pair of statements; if secret keys are shared, then the MUST NOT will be violated, right? Why not just say that secret keys MUST NIOT be shared across devices? The section states that operators should have procedures to replace credentials that have been (or are suspected to have been) compromised. Why is this admonition not a SHOULD? The mildly-worded (“… also need to …) advice about decommissioning devices seems minimally helpful. If this is important than make it a SHOULD, if it’s not, then RECOMMEND it.

Section 6.4 discusses the challenges associated with securing initial communication  between a client and a resource server (RS). This communication makes use of the (appropriately-named) Creation Hints message defined in 5.1.2.  The basis mechanism suggested here is use of a (possibly hard coded) list of trusted authorization servers (AS’s) and associated credentials, e.g., certificate fingerprints. The discussion here notes the potential for a DoS attack against an AS by a compromised RS, by having clients sends requests to the targeted AS. This is a useful comment, after noting that compromise of an RS would not cause an AS to grant requests to clients that it is not serving. 

Section 6.5 summarizes the “minimal” communication security requirements for the elements of the system described in this document (clients, AS’s and RS’s). I think it’s useful to collect these requirements in one place, although they have been described in various parts of Section 5. Unfortunately, the first sub-section seems to contradict Section 6.2! Specifically the text here says that all communication between a client and an AS MUST be encrypted, where as 6.2 requires only that an AS offer confidentiality. This inconsistency needs to be reconciled. The next subsection seems to be consistent. The final subsection (C-RS) notes the challenges of initial C/RS communication, and offers some suggested approaches. Some of the wording here is awkward. For example, the text notes that DTLS with server-side authentication “can be possible and are RECOMMENDED if supported by both parties.”  It would be better to state that “DTLS with server-side authentication is a RECOMMENDED mechanism for use in this context, and SHOULD be employed if supported by both the C and the RS.” 

Section 6.6 deals with token lifetimes. The section begins by suggesting use of nonces (as described in 5.1.2) to counter replay attacks in the event of “clock drift” between an RS and an AS. I appreciate the analysis of mechanisms that can be used to address the clock drift issue, including the discussion of potential problems associated with using nonces in the face of a reboot. However, the text provides no indication of how much “drift” is tolerable, vs. when use of nonces is needed, and 5.1.2 does not even mention clock drift. Perhaps the text can be revised to provide additional advice re clock drift.

Section 6.7 very briefly discussed the issue of combining profiles. The bottom line is that the security of a profile MUST NOT depend on the assumption that the profile is used exclusively throughout a given deployment. That’s a nice, straightforward warning!

Section 6.8 discusses circumstances in which data is transmitted and may not encrypted, e.g., error messages. The discussion here is fairly clear, and includes a RECOMMENTATION and a MUST, as well as an analysis of potential risks associated with transmitting different types of information w/o confidentiality protection. The section title says “unprotected” but this discussion focuses only on confidentiality, so a more descriptive title might help.

Section 6.9 provides guidance on how to deal with the ambiguity of how to match an “audience” value to a specific resource server. The authors admit that the Section 5 discussion about the (optional) audience parameter in the OAuth token is vague. They note that this is intentional, to accommodate a wide range of deployment scenarios.  Thus the discussion in this section provides guidance for several scenarios. This is a reasonable way to deal with the ambiguity from Section 5.

Section 6.10 examines denial of service attacks in the context of “introspection,” an optional aspect of OAuth which may be employed in this framework. The text examines two DoS attacks, one against resource servers and one against authorization servers, and suggests mitigations for both. 

Section 7 discusses privacy implications of the proposed framework. The discussion here is useful, addressing a set of concerns that arise due to client interactions with the AS and RS elements of the framework.