Applicability of OAuth 2.0 hack to UMA?
Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0. https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billio...” for applicability to UMA? Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN Call: +1 (647) 669-4749 eMail: john@wunderlich.ca -- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Because UMA leverages OAuth transactions, it is vulnerable to these same
attacks. However, they can be mitigated by use of existing Proof Key for
Code Exchange (PKCE - pronounced "pixie") protocols. I know Justin has
implemented PKCE in MITREid Connect. Not sure about other implementations.
Sarah
Sarah Squire
Engage Identity
http://engageidentity.com
On Sun, Nov 13, 2016 at 11:28 AM, John Wunderlich
Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0. https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billio...” for applicability to UMA?
Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
Thanks
Sincerely,
John Wunderlich
@PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749
eMail: john@wunderlich.ca
On 13 November 2016 at 14:44, Sarah Squire
Because UMA leverages OAuth transactions, it is vulnerable to these same attacks. However, they can be mitigated by use of existing Proof Key for Code Exchange (PKCE - pronounced "pixie") protocols. I know Justin has implemented PKCE in MITREid Connect. Not sure about other implementations.
Sarah
Sarah Squire Engage Identity http://engageidentity.com
On Sun, Nov 13, 2016 at 11:28 AM, John Wunderlich
wrote: Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0. https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billio...” for applicability to UMA?
Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
Not only that, but many of the attacks are on assumptions about how to use OAuth to make an authentication protocol. The paper does a decent job of explaining this, and I’ve also written an article on the topic: https://oauth.net/articles/authentication/ The same assumptions would be applied to UMA, which is also not an identity and authentication protocol. — Justin
On Nov 14, 2016, at 4:46 AM, John Wunderlich
wrote: Thanks
Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca mailto:john@wunderlich.ca
On 13 November 2016 at 14:44, Sarah Squire
mailto:sarah@engageidentity.com> wrote: Because UMA leverages OAuth transactions, it is vulnerable to these same attacks. However, they can be mitigated by use of existing Proof Key for Code Exchange (PKCE - pronounced "pixie") protocols. I know Justin has implemented PKCE in MITREid Connect. Not sure about other implementations. Sarah
Sarah Squire Engage Identity http://engageidentity.com http://engageidentity.com/ On Sun, Nov 13, 2016 at 11:28 AM, John Wunderlich
mailto:john@wunderlich.ca> wrote: Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0. https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billio...” for applicability to UMA? Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 tel:%2B1%20%28647%29%20669-4749 eMail: john@wunderlich.ca mailto:john@wunderlich.ca
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org mailto:WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma http://kantarainitiative.org/mailman/listinfo/wg-uma
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org mailto:WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma http://kantarainitiative.org/mailman/listinfo/wg-uma
Timely reminder about that article; it's very helpful. And this is making me think even more about the right way to characterize UMA vis a vis OAuth in our intro section (I should be able to work on that tomorrow). If OIDC is fudge, what is UMA? S'mores? Eve Maler (sent from my iPad) | cell +1 425 345 6756
On Nov 13, 2016, at 9:04 PM, Justin Richer
wrote: Not only that, but many of the attacks are on assumptions about how to use OAuth to make an authentication protocol. The paper does a decent job of explaining this, and I’ve also written an article on the topic:
https://oauth.net/articles/authentication/
The same assumptions would be applied to UMA, which is also not an identity and authentication protocol.
— Justin
On Nov 14, 2016, at 4:46 AM, John Wunderlich
wrote: Thanks
Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
On 13 November 2016 at 14:44, Sarah Squire
wrote: Because UMA leverages OAuth transactions, it is vulnerable to these same attacks. However, they can be mitigated by use of existing Proof Key for Code Exchange (PKCE - pronounced "pixie") protocols. I know Justin has implemented PKCE in MITREid Connect. Not sure about other implementations. Sarah
Sarah Squire Engage Identity http://engageidentity.com
On Sun, Nov 13, 2016 at 11:28 AM, John Wunderlich
wrote: Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0.” for applicability to UMA? Sincerely, John Wunderlich @PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
This also makes me think about how much we want to tie UMA to OIDC. In
particular, I see a natural alliance between UMA and blockchain ID
standards because both are self-sovereign by nature. Neither UMA nor
blockchain ID depends on federation to be useful.
Adrian
On Sun, Nov 13, 2016 at 4:12 PM, Eve Maler
Timely reminder about that article; it's very helpful. And this is making me think even more about the right way to characterize UMA vis a vis OAuth in our intro section (I should be able to work on that tomorrow).
If OIDC is fudge, what is UMA? S'mores?
Eve Maler (sent from my iPad) | cell +1 425 345 6756
On Nov 13, 2016, at 9:04 PM, Justin Richer
wrote: Not only that, but many of the attacks are on assumptions about how to use OAuth to make an authentication protocol. The paper does a decent job of explaining this, and I’ve also written an article on the topic:
https://oauth.net/articles/authentication/
The same assumptions would be applied to UMA, which is also not an identity and authentication protocol.
— Justin
On Nov 14, 2016, at 4:46 AM, John Wunderlich
wrote: Thanks
Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
On 13 November 2016 at 14:44, Sarah Squire
wrote: Because UMA leverages OAuth transactions, it is vulnerable to these same attacks. However, they can be mitigated by use of existing Proof Key for Code Exchange (PKCE - pronounced "pixie") protocols. I know Justin has implemented PKCE in MITREid Connect. Not sure about other implementations.
Sarah
Sarah Squire Engage Identity http://engageidentity.com
On Sun, Nov 13, 2016 at 11:28 AM, John Wunderlich
wrote: Has anyone looked at “Signing into One Billion Mobile LApp Accounts Effortlessly with OAuth 2.0. https://www.blackhat.com/docs/eu-16/materials/eu-16-Yang-Signing-Into-Billio...” for applicability to UMA?
Sincerely, John Wunderlich @PrivacyCDN https://twitter.com/PrivacyCDN
Call: +1 (647) 669-4749 eMail: john@wunderlich.ca
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited. _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- Adrian Gropper MD PROTECT YOUR FUTURE - RESTORE Health Privacy! HELP us fight for the right to control personal health data. DONATE: http://patientprivacyrights.org/donate-2/
Really important point, at least in the case of UMA we are clear about managing access, but even there authorization gets munged into authentication or identity. Some stems from the name, but more from misunderstanding, thanks for reminding me about this article, good time to push it.
From: wg-uma-bounces@kantarainitiative.org [mailto:wg-uma-bounces@kantarainitiative.org] On Behalf Of Justin Richer
Sent: Sunday, November 13, 2016 3:05 PM
To: John Wunderlich
Cc: wg-uma@kantarainitiative.org UMA
Subject: Re: [WG-UMA] Applicability of OAuth 2.0 hack to UMA?
Not only that, but many of the attacks are on assumptions about how to use OAuth to make an authentication protocol. The paper does a decent job of explaining this, and I’ve also written an article on the topic:
https://oauth.net/articles/authentication/
The same assumptions would be applied to UMA, which is also not an identity and authentication protocol.
— Justin
On Nov 14, 2016, at 4:46 AM, John Wunderlich
participants (6)
-
Adrian Gropper
-
Eve Maler
-
John Wunderlich
-
Justin Richer
-
Salvatore D'Agostino
-
Sarah Squire