Hi all,
I discussed OAuth with some of the security experts here at Deutsche
Telekom. We came up w/ an idea for enhancing refresh token handling I
would like to discuss in the WG.
Assumption: refresh tokens have a very long duration (month to
unlimited) and are stored at the client in a persistent storage (e.g.
database or filesystem)
Question: How can token theft automatically be detected/prevented?
Let me detail the problem using three scenarios:
1) Client is a web site
Let's assume an attacker breaks into the server and gets access all
tokens stored there along with the client's secret. Abuse could be
prevented by changing the client secret, but this requires to _detect_
the theft first!
2) Mobile application/malware on same device
Let's assume an application on a mobile device, which stores refresh
token(s) in the device's file system. A malware on the same device could
read the token(s) from long-term storage and send it to a server under
the attackers control. One could prevent such an attack by using a
client secret (probably burned into the application), but that's not a
very reliable measure. Filesystem security could be used to prevent
eavesdropping, but its quality varies very much among mobile operating
systems. The token could be invalidated by the user, after he/she
realized the theft using some user self care function. But again, the
theft has to be detected.
3) Mobile application/cloning device software and configuration
Someone could clone a device (operating system, configuration,
applications and refresh tokens/client secrets) e.g. using a debug API
when the user has left the device unattended. According to our experts,
this does not take that much time and is typically not detectable
afterwards. The clone could be run on another device identical in
construction and could be used to access all applications on behalf of
the legitimate end user.
As a possible countermeasure, one could bind a refresh token to a device
specific properties, e.g. the IMEI - International Mobile Station
Equipment Identity. But not every device has a 3G module and access to
this data might not be possible on some platforms.
The impact of all attacks illustrated above strongly depends on the
power associated with a token. As soon as the attacker is able to spend
the end user's money or gets access to medical records it's getting
serious!
All countermeasures mentioned on the scenarios are either out of reach
of the Oauth spec, platform specific, or not very effective. What we
would like to achive is an automatic detection and at best prevention of
such attacks.
We came up with the following idea:
The authorization server automatically creates a new refresh token with
every "refresh" request (section 4) and invalidated the previous refresh
token. The client must use this new token for the next "refresh"
request. All attempts to obtain access tokens with an invalidated
refresh token are refused. Additionally, the authorization server should
hold a history of when the refresh token has been used. The client
application behavior depends on who uses the refresh token first after
it has been stolen.
a) If the end user uses the refresh token first, the stolen token is
invalidated automatically, any attempts of the attacker to obtain an
access token are refused by the authorization server.
b) Attacker uses the token first: The end users application attempts to
obtain an access token using the (already invalidated) refresh token are
refused. The client should notify the user of the problem and recomend
him/her to check its application authorizations (refresh tokens) in a
user self care portal. There, the user should have acces to information
on when the token has been used the last time and therewith detect any
odd behavior. The user could then revoke the token and/or alarm its
providers helpdesk.
We think the proposed change to the API would significantly contribute
to the overall security level of OAuth.
Thoughts?
regards,
Torsten.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
