Re: [Ace] ACE Framework Review

Mon, 12 Nov 2018 06:50:48 -0800 

On 12/11/2018 15:31, Michael Richardson wrote:



     > Management of the authz-info resource: * The authz-info resource is
     > vulnerable to DoS attacks: clients may (with or without intention) send
     > large numbers of access tokens to RS. A constrained RS may soon run out
     > of memory/storage space if it needs to store large numbers of

This seems like a really serious issue, and it seems that we need
an additional RTT to really fix it.



Note Steffi's words were: "store large numbers of tokens".


In order to have the RS store a large number of tokens, an attacker 
would need to have a large number of valid tokens for starters (since 
invalid tokens are not stored but discarded).



Furthermore, since the RS checks whether the audience of a token 
applies, and can safely discard tokens that do not have a matching 
audience the attacker would need to have a large number of tokens that 
all match an audience that this RS identifies with.



Finally we just learned at IETF 103 that OAuth typically does not use 
multiple, simultaneous access tokens for the same pair of client-RS. 
Thus if the token has a subject (sub claim) or some other binding to the 
client, the RS can safely discard all older tokens bound to the same client.



Therefore I propose that an attack that induces the RS to store a large 
number of tokens is quite hard to pull of.



Even so, lets still assume it would be possible, there is this part in 
the spec:


==========================
5.8.1.  The Authorization Information Endpoint

....
   The RS MUST be prepared to store at least one access token for future
   use.
....
==========================



This means that the RS can limit the total number of tokens it stores 
for future use based on its memory and storage space, as long as it 
stores at least one (in total, not per client).



Thus I'm curious what additional protections you would suggest are 
feasible and necessary for the authz-info endpoint?


/Ludwig



--
Ludwig Seitz, PhD
Security Lab, RISE
Phone +46(0)70-349 92 51

_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace






















					Reply via email to