Bearer Tokens Considered Harmful

From MgmtWiki
Revision as of 14:36, 2 October 2018 by Tom (talk | contribs) (History)


Introduction

This paper discusses the limitations of Channel Binding and other half-way measures meant to fix a broken security feature introduced with OAuth 2.0: Bearer Tokens. The conclusion is that Bearer Tokens themselves are the problem, and that we need to be working on better ways to authorize the release of resources on the web.

History

Given that the internet had its genesis in a DoD grant, it is curious that security has never been part of the design of any of its parts. Security has always been added on afterwards, and we continue to struggle with that poor fit between security and openness today. The internet really only supports machine-to-machine links. This was codified in the Open Systems Interconnection (OSI) model by the telecommunications monopolies as a means to propagate their control of telecommunications. At the time I was working with Richard desJardins from NASA to create a User Guide to OSI (UGOSI), which failed in its effort to make a clear case to the user why the OSI model was good for them. That was just one harbinger of the failure of the internet to address user issues, which continues to this day. The first security problem, between different enterprises, was addressed by IPsec, which worked well until one of the machines was in the possession of the user and could be connected to the internet at any point. Shared secrets between different enterprises no longer work for devices that have moved beyond the control of the enterprise.

With the introduction of the user into the security picture, IPsec (and OSI) was hacked with Channel Binding in RFC 5056 (released 2007-11), which crosses almost all of the OSI layers (from 2 to 7) to give the user control of the secrets used to establish the secure channel. This hack has worked well for client computers that are attached to a "home" network, in effect allowing the client computer to be treated as "local" to the enterprise network and inside the enterprise firewall, protected from the hostile internet. Of course the hack was incomplete, in that the user-controlled client computer could also attach to the raw internet, which was the source of external infection vectors. Microsoft introduced a version of channel binding which could also use HTTPS (SSL) connections, Extended Protection for Authentication, in 2009[1] to address man-in-the-middle attacks.[2] This created several problems, including the one where the SSL connection was terminated at an edge computer and so could not be known at the service computer. That was addressed by another hack, Service Binding, patented by Mark Novak[3]: a clear-text client service binding value is received from the client at the target server, compared to a server service binding value, and a communication channel is formed between the client and the target server only when the two values match. The overriding assumption is still that the enterprise controls security.
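The difference between a bearer token and a channel-bound token comes down to what the resource server checks when the token arrives. The following added example (not code from the wiki, from Microsoft, or from any OAuth implementation) contrasts the two verifiers side by side. The token format (HMAC-SHA256 over a small JSON payload), the function names (`mint_token`, `verify_bearer`, `verify_bound`, `channel_binding_value`), the constructed key and certificate bytes, and the use of a SHA-256 certificate thumbprint as the binding value (the `cnf`/`x5t#S256` confirmation claim of RFC 8705) are all assumptions made for the illustration. The bearer verifier accepts a valid token on any channel, which is exactly what makes a leaked token replayable; the bound verifier additionally requires the channel the token arrives on to be the one named in the token, and rejects it otherwise.

```python
"""Bearer-token versus channel-bound token verification (added example).

Assumptions for this illustration (not the wiki's or any product's design):
HMAC-SHA256 signing of a JSON payload, and a channel binding value equal to
the SHA-256 hash of the client's TLS certificate, carried in a cnf/x5t#S256
confirmation claim as certificate-bound tokens do in RFC 8705.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed resource-server key; in practice this lives in a KMS or HSM.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def channel_binding_value(client_cert_der: bytes) -> str:
    """Channel binding value: SHA-256 thumbprint of the client's TLS certificate."""
    return _b64(hashlib.sha256(client_cert_der).digest())


def mint_token(subject: str, scope: str, cb: Optional[str],
               ttl: int = 300, now: Optional[float] = None) -> str:
    """Issue a token; if cb is given, the token is bound to that channel."""
    now = time.time() if now is None else now
    claims = {"sub": subject, "scope": scope, "exp": int(now) + ttl}
    if cb is not None:
        claims["cnf"] = {"x5t#S256": cb}  # confirmation claim naming the channel
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = _b64(hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"


def _parse(token: str, now: float) -> Optional[dict]:
    """Check integrity and expiry; return the claims, or None if invalid."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None
        claims = json.loads(_unb64(body))
    except ValueError:  # malformed structure, base64 or JSON
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


def verify_bearer(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Bearer semantics: whoever presents a valid token is authorized."""
    now = time.time() if now is None else now
    return _parse(token, now)


def verify_bound(token: str, presented_cb: str,
                 now: Optional[float] = None) -> Optional[dict]:
    """Bound semantics: the token must also name the channel it arrives on."""
    now = time.time() if now is None else now
    claims = _parse(token, now)
    if claims is None:
        return None
    bound_cb = claims.get("cnf", {}).get("x5t#S256")
    if bound_cb is None or not hmac.compare_digest(bound_cb, presented_cb):
        return None  # replayed over another channel, or never bound at all
    return claims


def replay_demo() -> dict:
    """Outcome of each verifier when a token is replayed from another channel."""
    now = 1_700_000_000.0
    legit_cb = channel_binding_value(b"constructed-der-of-legitimate-client-cert")
    other_cb = channel_binding_value(b"constructed-der-of-some-other-client-cert")

    bearer = mint_token("alice", "read", cb=None, now=now)
    bound = mint_token("alice", "read", cb=legit_cb, now=now)

    return {
        "bearer_on_any_channel": verify_bearer(bearer, now) is not None,
        "bound_on_legit_channel": verify_bound(bound, legit_cb, now) is not None,
        "bound_on_other_channel": verify_bound(bound, other_cb, now) is not None,
        "unbound_token_at_bound_verifier": verify_bound(bearer, legit_cb, now) is not None,
        "expired": verify_bearer(bound, now + 600) is not None,
    }


if __name__ == "__main__":
    for name, accepted in replay_demo().items():
        print(f"{name}: {accepted}")
```

Two design points are worth noting. The binding value is compared with `hmac.compare_digest` rather than `==`, for the same reason the HMAC tag is; and the bound verifier refuses a token that carries no confirmation claim at all, so a verifier that has been upgraded to bound semantics cannot be downgraded by simply presenting an unbound token. The caveat the page's argument turns on remains: the binding only helps if the issuer puts it in the token and every resource server checks it; a resource server running `verify_bearer` accepts the replay regardless of how the token was issued.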

Problems

It was into this environment that OAuth 1.0 (using a convoluted version of shared secrets) morphed into OAuth 2.0 (using public key) which was still based on one computer talking to another computer. Among the many fields that could be addressed was the


only type bearer is actually supported by any existing implementation.

References

  1. Microsoft SWI, Extended Protection for Authentication (2009-12-08). https://blogs.technet.microsoft.com/srd/2009/12/08/extended-protection-for-authentication/
  2. Microsoft, Man in the Middle. https://msdn.microsoft.com/en-us/library/cc247407.aspx
  3. Mark Novak et al., Service Binding. US Patent 8850553 (2014-09-30)