> -----Original Message-----
> From: Ace <ace-boun...@ietf.org> On Behalf Of Ludwig Seitz
> Sent: Monday, November 12, 2018 9:50 PM
> To: ace@ietf.org
> Subject: Re: [Ace] ACE Framework Review
>
> On 12/11/2018 15:31, Michael Richardson wrote:
>
> >
> > > Management of the authz-info resource: * The authz-info resource
is
> > > vulnerable to DoS attacks: clients may (with or without
intention) send
> > > large numbers of access tokens to RS. A constrained RS may soon
run
> out
> > > of memory/storage space if it needs to store large numbers of
> >
> > This seems like a really serious issue, and it seems that we need an
> > additional RTT to really fix it.
> >
>
> Note Steffi's words were: "store large numbers of tokens".
>
> In order to have the RS store a large number of tokens, an attacker would
> need to have a large number of valid tokens for starters (since invalid
tokens
> are not stored but discarded).
>
> Furthermore, since the RS checks whether the audience of a token applies,
> and can safely discard tokens that do not have a matching audience the
> attacker would need to have a large number of tokens that all match an
> audience that this RS identifies with.
>
> Finally we just learned at IETF 103 that OAuth typically does not use
multiple,
> simultaneous access tokens for the same pair of client-RS.
> Thus if the token has a subject (sub claim) or some other binding to the
> client, the RS can safely discard all older tokens bound to the same
client.
Putting the last three "checks" into the text someplace about DoS attacks as
well as pointing to the echo option would be a good start to helping people
make sure that they think about this problem and that they look at it
solidly.
I would also suggest that sending the same token over and over should not be
a good attack as the RS can look at the AS and the token ID and not process
if it is the same.
Jim
>
> Therefore I propose that an attack that induces the RS to store a large
> number of tokens is quite hard to pull of.
>
> Even so, lets still assume it would be possible, there is this part in the
spec:
>
> ==========================
> 5.8.1. The Authorization Information Endpoint
>
> ....
> The RS MUST be prepared to store at least one access token for future
> use.
> ....
> ==========================
>
>
> This means that the RS can limit the total number of tokens it stores for
> future use based on its memory and storage space, as long as it stores at
> least one (in total, not per client).
>
> Thus I'm curious what additional protections you would suggest are
feasible
> and necessary for the authz-info endpoint?
>
> /Ludwig
>
>
>
> --
> Ludwig Seitz, PhD
> Security Lab, RISE
> Phone +46(0)70-349 92 51
>
> _______________________________________________
> Ace mailing list
> Ace@ietf.org
> https://www.ietf.org/mailman/listinfo/ace
_______________________________________________
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
