Month: January 2016

OAuth Threat Model, Mobile and Oracle Mobile Security Suite

January 31, 2016February 7, 2017 · Leave a comment ·

Researchers in Germany recently found two previously unknown vulnerabilities in OAuth2.0, in the publication A Comprehensive Formal Security Analysis of OAuth 2.0.

An extensive OAuth thread model RFC 6819 exists. A SAML threat model by OWASP is discussed in – On Breaking SAML: Be whoever you want to be. OAuth and SAML protocols serve as prototypes for OpenId Connect protocol – which implements an authentication layer as an extension of authorization layer of OAuth2 and has a similar threat model. The above two vulnerabilities occur in both OAuth2 and OpenID Connect.

In the Microsoft paper, OAuth demystified for Mobile Application Developers, the authors discussed why OAuth is so easy to get wrong for mobile apps – it was originally designed for websites, not mobile. The browser redirection step that OAuth heavily relies on, cannot be performed securely on iOS in the general case. Moreover the complexity of the protocol means that out of 149 apps tested, 60% were faulty and vulnerable.

This is interesting because in the Oracle Mobile Security Suite we developed at BitzerMobile, these problems were addressed in a bulletproof manner for enterprise applications, by wrapping web access protocols into a simpler challenge response protocol that was injected securely into mobile apps. The app and the device are authenticated independently of the user. This reduces the attack surface considerably, for a common use.

A useful summary of attacks and countermeasures from OAuth and OpenID Connect Risks and Vulnerabilities follows:

Attack Category	Countermeasures
Extracting credentials or tokens in captured traffic	TLS encryption
Impersonating authorization server or resource server	TLS server authentication
Manufacturing or modifying tokens	Issue tokens as signed JWTs
Redirect manipulation	Require clients to declare redirect URIs during registration
Guessing or interception of client credentials	Use signed JWTs for client authentication
Client session hijacking or fixation	Use the State parameter to ensure continuity of client session throughout the OAuth flow

The Relying Party (RP), aka Client (in unfortunately overloaded OAuth parlance), aka ‘Relying’ Service Provider (in Kerberos parlance), is a third party service which needs access. It may not have an incentive to follow the protocol intent (e.g. enforce adequate controls). Or it may willing to accept more data than the protocol intended.

The latter is the case in the first attack, where the IDP sends a 307 temporary redirect resulting in password form data being sent to the RP. The RP receives the user creds. The fix is to use a 302 Found.

The second attack has to do with HTTPS not being used in the path between the user and the RP, which allows a MITM to manipulate the request and send it to an Attacker IDP instead of the Honest IDP. The fix is for the RP to use HTTPS instead which is immune to MITM (but who enforces this ? the redirect is too quick for the user to inspect the site certs).

Note: OAuth terminology becomes clearer to an enterprise mindset by expanding the terms auth server, resource owner, resource server, client. The “client” is an untrusted service w.r.t. user creds but needs temporary access to HTTP resources. Instead of using the “resource owners” username/password, it must acquire an access_token for this access. In correspondence with Kerberos/SAML, the functional roles are

1. Identity Provider (=IDP =auth server = KDC. e.g. twitter, fb as a pure login service),

2. Trusted Server (=resource server, that is in same trust zone as IDP. e.g. twitter tweets/profile, fb photos/profile),

3. Relying Service ( a delegate service that wants to provide additional functionality using data from Trusted Service and user identity from IDP, e.g. filter tweets, mash photos, partner HR app; called client in OAuth). The client_id/client_secret are created for this entity – a bit like an independent KDC principal name. The client is a Relying Service which is in a different trust domain from the IDP/Trusted Service and needs an access token. This Relying Service may need to authenticate itself to the Trusted Service – which is done using a client_secret, in cases where the RS can keep a secret (i.e. in web apps, not mobile and browser based apps). One would need as many clients_ids as the number of clients that lie in independently revocable auth domains.

4. the User (=resource owner, a person or organization who has credentials/data stored in the IDP/TS and desires use of the Relying Service with existing IDP credentials). The “authorization grant” is a credential that identifies the user and correspond to the Kerberos Ticket Granting Ticket aka TGT.

There are four oauth authorization grant types: authorization_code, implicit, resource owner, client_credentials. Authorization_code authenticates both user and client. Implicit authenticates only the user, not the client (no client_secret, no authorization grant). In Resource_owner the client does authenticate itself, but gets the access token directly. Client credentials (RS-TS) is the simplest one and is used for M2M communications, here the client is acting on its own behalf, not the user. The type depends on the method used by the client to request authorization and the types supported by the authorization server.

The difference from the NFS/KDC case is that in the NFS case the additional (server) principals is created for the NFS server, not the NFS client. The focus in NFS is on not sending the password over the wire. In OAuth the focus is on not giving the password to the client.

Let’s Encrypt. Less Green ?

January 30, 2016September 15, 2017 · Leave a comment ·

Letsencrypt.com is a service conceived to reduce the friction in enabling HTTPS on a website, by automating SSL certificate creation, validation, signing, installation and renewal. The server certificate setup which used to take hours can be done in a minute. Encryption will reduce the incidence of man-in-the-middle (MITM) attacks, which can easily insert or modify the javascript in transit.

Some of this is driven by Mozilla and its large public backers with perhaps an interest in showing the green bar and lock for more websites. A self-signed cert would also provide free encryption, prevent MITM attacks and be easy to setup but would throw an untrusted connection alert to the user.

So is LetsEncrypt encryption enough to show a green bar for a website ? Because regular certification schemes require a purchase, one has to go through a credit card verification step before being issued their cert. Certs with Extended Validation have more steps to go through. There are three types of certs based on level of validation – DV, OV, EV. Doman Validation (DV) does not try to check identity of the user and is what LetsEncrypt automates using a challenge-response scheme. Clicking on websites which use LetsEncrypt DV confirms that they display a green lock/bar (using firefox).

The problem with a widely accepted CA which has a zero cost barrier for setting up HTTPS is similar to that with the free precursor to OpenDNS. A number of less than trustworthy websites can set themselves up as mirror images of trustworthy websites and send phishing attacks by email or sms, and an end-user has no way of telling the difference. Here’s a link on how to do just such a phishing attack with LetsEncrypt. So is LetsEncrypt making the web less secure ?

It’s true that the large number of CAs with their diverse validation mechanisms makes the existing scheme not so great – especially when CAs are compromised and/or issue bad certs (e.g Superfish, Comodo, NIC). However one could inspect the CA trusted authority and if there was reason to believe it is not trustworthy – e.g. see this pic (Chris Palmer), one could avoid clicking the link.

I think the average user should receive a better visual indication on the level of trust provided by a LetsEncrypt cert that has undergone a lower level of validation by design. Use a less green color ?

End users should be more aware of the certification process and get into the habit of explicitly checking Cert chains for HTTPS by clicking on the green lock displayed next to the URL.

Update: The owner field is not defined in a Domain Validated cert like ones issued by LetsEncrypt. https://superuser.com/questions/1042383/how-to-set-the-owner-of-certificate-generated-by-lets-encrypt

Cloud Access Security Brokers

January 17, 2016January 21, 2016 · Leave a comment ·

Skyhigh Networks which was mentioned in my previous post is one example of a Cloud Access Security Broker. There are several other companies in this field – NetSkope, Bitglass, Palerra, CipherCloud, Elastica, Adallom, Zscaler, some more familiar than others.

Gartner says the penetration will be 25% in the enterprise in 2016. Here’s a comparison table.

There is considerable scope for innovation in this space based on different user requirements – for instance the amount and type of sharing of the data affects the architecture. Homomorphic encryption while theoretically possible is not yet practical. I expect to see more differentiation before consolidation of different technologies in the domain.

Real World Crypto 2016

January 10, 2016May 20, 2019 · 2 Comments ·

SSL/TLS dominated the conference with talks on its use at FB, Google, Amazon and modifications in the direction of TLS 1.3, with presentations on QUIC, OPTLS, S2N and more, covering things like lower latency, forward secrecy, better ciphers. Some of the optimizations can have an impact on data center operations efficiency.

The timing attack on S2N protocol was interesting – the KL divergence measures the difference between two probability distributions and can be used to leak information from an SSL stream.

Privacy preserving operations on encrypted data (Skyhigh) talk was also interesting. Paul Grubbs discussed searchable symmetric encryption tradeoffs and open questions around a stateless SSE. In case of an encryption proxy, who maintains it ? The client would find it cumbersome. So an encrypted index is maintained by Skyhigh. This is not easy to manage. Also if one wants *both* security and privacy the search times and/or the number of roundtrips goes up.

Cryptol is a software from Galois to simulate ciphers and is useful to model, verify and even implement them. It is written in Haskell and is open source. It comes with several examples including the Enigma cipher. I tried this and will blog about it later.

I expected some presentations on DNS security – e.g. DNSSEC and DANE; talked to attendees from Verisign on their offerings (ddos monitoring, threat intelligence graph). DNS operates over IP (vs an out-of-band method for updates/insertions); with DNSSEC the DNS server needs to trust the same CA as the origin server which feeds it the DNS record. The general feeling I think is the trust problem has to be solved at the application layer and attacks like the Kaminsky attack have been mitigated against.

Here’s a diagram of the QUIC protocol. The claim is zero RTT for a repeat (secure) connection to the server (75% of the time), by combining TCP and SSL handshakes into one and caching state on the client. A practical attack on QUIC is discussed in this paper, a type of adaptive chosen ciphertext attack, which references this paper by Zhang, Reiter et al, discussing more general PAAS attacks including an SAML SSO attack.

Perfect forward secrecy definition: A public-key system has the property of forward secrecy if it generates one random secret key per session to complete a key agreement, without using a deterministic algorithm .

If the attacker starts recording SSL sessions and later gets a compromised server private key, he can decrypt the sessions, without forward secrecy. With TLS 1.2 forward secrecy is optional and with session resumption optimization it is effectively disabled. TLS1.3 mandates forward secrecy with DH key exchanges.

Spark and Scala

January 5, 2016January 13, 2022 · Leave a comment ·

Spark is a general-purpose distributed data processing engine that is used for for variety of big data use cases – e.g. analysis of logs and event data for security, fraud detection and intrusion detection. It has the notion of Resilient Distributed Datasets. The “resilience” has to do with lineage of a datastructure, not to replication. Lineage means the set of operators applied to the original datastructure. Lineage and metadata are used to recover lost data, in case of node failures, using recomputation.

Spark word count example discussed in today’s meetup.

val textfile = sc.textFile("obama.txt") val counts = textFile.flatMap(line=>line.split(" ")).filter(_.length>4).map(word=>(word,1)).reduceByKey(_+_) val sortedCounts = counts.map(_.swap).sortByKey(false) sortedCounts.take(10)

Scala is a functional programming language which is used in Spark. It prefers immutable datastructures. Sounds great! How are state changes done then ? Through function calls. Recursion has a bigger role to play because it is a way for state changes to happen via function calls. The stack is utilized for the writes, rather than the heap. I recalled seeing a spiral scala program earlier and found one here on the web. Modified it to find the reverse spiral. Here’s the resulting code. The takeaway is that functional programs are structured differently – one could do some things more naturally. It feels closer to how the mind works. As long as one get the base cases right, one can build large amount of complexity trivially. On the other hand, if one has to start top down and must debug a large call stack, it could be challenging.

// rt annotated spiral program. // source http://www.kaiyin.co.vu/2015/10/draw-plain-text-spiral-in-scala.html // reference: http://www.cis.upenn.edu/~matuszek/Concise%20Guides/Concise%20Scala.html // syntax highlight: http://bsnyderblog.blogspot.com/2012/12/vim-syntax-highlighting-for-scala-bash.html import java.io.{File, PrintWriter} import scala.io.Source  object SpiralObj {   // object keyword => a singleton object of a class defined implicitly by the same name   object Element {   // subclass. how is element a singleton ? there are several elements. has 3 subclasses which are not singetons     private class ArrayElement(  // subsubclass, not a singleton                                 val contents: Array[String]  // "primary constructor" is defined in class declaration, must be called                                 ) extends Element     private class LineElement(s: String) extends Element {       val contents = Array(s)     }     private class UniformElement(  // height and width of a line segment. what if we raise width to 2. works.                                   ch: Char,                                   override val width: Int,   // override keyword is required to override an inherited method                                   override val height: Int                                   ) extends Element {       private val line = ch.toString * width  // fills the characters in a line       def contents = Array.fill(height)(line) // duplicates line n(=height) times, to create a width*height rectangle     }     // three constructor like methods     def elem(contents: Array[String]): Element = {       new ArrayElement(contents)     }     def elem(s: String): Element = {       new ArrayElement(Array(s))     }     def elem(chr: Char, width: Int, height: Int): Element = {       new UniformElement(chr, width, height)     }   }     abstract class Element {     import Element.elem     // contents to be implemented     def contents: Array[String]      def width: Int = contents(0).length      def height: Int = contents.length      // prepend this to that, so it appears above     def above(that: Element): Element = {      // above uses widen       val this1 = this widen that.width       val that1 = that widen this.width       elem(this1.contents ++ that1.contents)     }      // prefix new bar line by line     def beside(that: Element): Element = {     // beside uses heighten       val this1 = this heighten that.height       val that1 = that heighten this.height       elem(         for ((line1, line2) <- this1.contents zip that1.contents)           yield line1 + line2       )     }      // add padding above and below     def heighten(h: Int): Element = {          // heighten uses above       if (h <= height) this       else {         val top = elem(' ', width, (h - height) / 2)         val bottom = elem(' ', width, h - height - top.height)         top above this above bottom       }     }      // add padding left and right     def widen(w: Int): Element = {             // widen uses beside       if (w <= width) this       else {         val left = elem(' ', (w - width) / 2, height)         val right = elem(' ', w - width - left.width, height)         left beside this beside right       }     }      override def toString = contents mkString "\n"   }     object Spiral {     import Element._     val space = elem("*")     val corner1 = elem("/")     val corner2 = elem("\\")     def spiral(nEdges: Int, direction: Int): Element = { // clockwise spiral       if(nEdges == 0) elem("+")       else {         //val sp = spiral(nEdges - 1, (direction + 1) % 4) // or (direction - 1) % 4, but we don't want negative numbers         val sp = spiral(nEdges - 1, (direction + 3) % 4) // or (direction - 1) % 4, but we don't want negative numbers         var verticalBar = elem('|', 1, sp.height)        // vertBar and horizBar have last two params order switched         var horizontalBar = elem('-', sp.width, 1)     val thick = 1         // at this stage, assume the n-1th spiral exists and you are adding another "line" to it (not a whole round)         // use "above" and "beside" operators to attach the line to the spiral         if(direction == 0) {           horizontalBar = elem('r', sp.width, thick)           (corner1 beside horizontalBar) above (sp beside space) //  order is left to right         }else if(direction == 1) {           verticalBar = elem('d',thick, sp.height)           (sp above space) beside (corner2 above verticalBar)         } else if(direction == 2) {           horizontalBar = elem('l', sp.width, thick)           (space beside sp) above (horizontalBar beside corner1)         } else {           verticalBar = elem('u',thick, sp.height)           (verticalBar above corner2) beside (space above sp)         }       }     }      def revspiral(nEdges: Int, direction: Int): Element = { // try counterclockwise       if(nEdges == 0) elem("+")       else {         //val sp = spiral(nEdges - 1, (direction + 1) % 4) // or (direction - 1) % 4, but we don't want negative numbers         val sp = revspiral(nEdges - 1, (direction + 3) % 4) // or (direction - 1) % 4, but we don't want negative numbers         var verticalBar = elem('|', 1, sp.height)        // vertBar and horizBar have last two params order switched         var horizontalBar = elem('-', sp.width, 1)     val thick = 1         // at this stage, assume the n-1th spiral exists and you are adding another "line" to it (not a whole round)         if(direction == 0) { // right           horizontalBar = elem('r', sp.width, thick)           (sp beside space) above (corner2 beside horizontalBar)         }else if(direction == 1) { // up           verticalBar = elem('u',thick, sp.height)           (space above sp) beside (verticalBar above corner1)         } else if(direction == 2) { // left           horizontalBar = elem('l', sp.width, thick)           (horizontalBar beside corner2 ) above (space beside sp)          } else { // down           verticalBar = elem('d',thick, sp.height)           (corner1 above verticalBar) beside (sp above space)         }       }     }     def draw(n: Int): Unit = {       println()       println(spiral(n, n % 4))  // %4 returns 0,1,2,3 .    right, down, left, up       println()       println(revspiral(n, n % 4))  // %4 returns 0,1,2,3        }   } }  object Main {   def usage() {       print("usage: scala Main szInt");   }    def main(args: Array[String]) {          import SpiralObj._     if(args.length > 0) {         val spsize = args(0)         Spiral.draw(spsize.toInt)     } else {     usage()         println()     }   } }

A note on tail-call recursion. If the last statement of function is a call to another function, then the return position of the called function is the same as that of the calling function. The current stack position is valid for the called function. Such a function is tail recursive and the effect is that of a loop – a series of function calls can be made without consuming stack space.

Secure Machinery

On the evolution of security and intelligent machinery