-
Notifications
You must be signed in to change notification settings - Fork 22
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Wallet Attestations and Nonces #71
Comments
why not reducing complexity by signing the request (request) with the private key where the public one is attested within the WIA (client_assertion)? I believe we can satisfy all the requirements without adding anything new and preserving the current implementations
|
@peppelinux You mean the signature over the request is the proof of possession for the wallet attestation? That would mean to send a signed request object to the PAR endpoint, right? Something like this: `POST /as/par HTTP/1.1 response_type=code That would reduce the attack surface as an attacker would need to replay the request. It does not work (out of the box) for token requests as there is no equivalent of a signed request there. |
The token request can be bound to the authorization code. Regarding the client authentication, both private_key_jwt or draft-looker-oauth-attestation-based-client-auth might be used. @tlodderstedt do you see any issues on this? |
I assume that a following this assumption, may we say that nonce is then not required anymore? |
@peppelinux As I wrote in my initial comment, one time use (jti) is a possible option for replay prevention. However, one time use limits scalability and nonces offer more implementation flexibility and are considered best practice. @fmarino-ipzs As I wrote in my initial comment, an authorization code cannot be used as nonce in a pushed authorization request. So we either stick to one time use or short expiration or we add support for nonces. |
adding a new endpoint for satisfying the same requirement satisfied by |
My comment was related to your last sentence regarding the token request where there is no equivalent to the signed request. For the PAR, the jti approach provides the same benefit in term of replay attack without introducing a new endpoint. |
@peppelinux Can you please describe why you assess use of a nonce as "overkill"? As I already stated, |
@peppelinux suggested to use a request signature as proof of possesion instead of the proof of possession in the wallet attestation pop. That would work for PAR but not for the token request, as there is no signed token request. So the question is whether the proof of possession is implemented as defined in draft-looker-oauth-attestation-based-client-auth (as JWT appended to the assertion) or as another private_key_jwt parameter. Not sure of the benefits of the later.
I disagree. Please read my comment above. |
From a security point of view (mitigation against replay attacks), I see no benefit in using a nonce over jti. On the contrary, using a nonce requires a new endpoint that does not come for free. But maybe I am missing something. Regarding the scalability issue, which has nothing to do with security or even PoP, could you give us some references? |
My intent is to reuse what we already have without require any additional endpoints made for the issuance like the nonce endpoint might represent. I look forward to the satisfaction of the security requirements with their implementation considerations, putting aside every personal taste, as an implementer, and above all the ideas to which we try to become attached. Here I share the flow that a group of developers and analysts have implemented and tested on stage, which uses both PAR and token endpoint with DPoP. We continue working on that, then our approach is still open. Since this beautiful working group is enriched by mutual experiences it will produce for sure a solution that objectively move, replace or improves, in our minds, the flow that is shared below: I believe that for the value of decision making, it is important to highlight why some choices are preferable to others, then we will implement them exactly like Buddhist monks destroy their sand mandalas for creating new ones (without getting attached!). In the previous flow the Probably you're trying to tell us that using the nonce endpoint it would give the benefit to reduce the cross checks above multiple JWS, HTTP Headers and HTTP parameters? If yes let's try to have a clear schema about the number of checks and the attested level of security given by these, then we'll definitively feel comfortable to adopting a solution instead of another |
I think that this really needs to be confirmed with objective elements (since this chat of nonce vs. jti is long from more than a year, you know 😅) with the cap of implementer I assume to have a cluster of services, be they whatever entity that deals with JWTs and serves the token endpoint. I require that a centralized or distributed storage is then used, where any transactions life time happen: creation, enrichment/update and pruning. If I have a nonce endpoint, when I issue a nonce this would be stored in the storage shared between the nodes. This would be the same for any transaction or couple of iss-jwt (unique-together) -> stored in the storage, be it a nonce or a couple of issuer-jti. There are other cases where the nonce is encrypted with a key that is know within the cluster, this doesn't require a storage, because any receiving party would validate by decrypting it (as some strategy does with the web cookies, for instance). anyway, due to the important number of mixed endpoints we used to have in the OAuth2 framework, we know that anyway we need a layer of persistence where the transaction is tracked and enriched/updated. Then I don't see these scalability improvements or concerns of a solution vs another. @tlodderstedt or @jogu, since you worked for decades in IETF and with success with all-about-nonce, could you please enlights why the nonce is a game changer in this context and the jti must then not be used? |
The key differences with jti vs nonce: nonce is generated by the authorization server and it doesn't actually necessarily need to store anything (sometimes it generates a hash or jwt in some fashion that means it can verify a value without needing to have stored it, or values can be communicated in advance to all servers). jti is generated by the client. Many authorization servers don't check jti uniqueness (it's not mandatory to implement in most specs). Checking jti properly definitely requires a store that is shared across all regions the token can be presented in. The size of the store varies depends on the validity time of the token, which is also set by the client (iat/exp) in many cases, and the size is potentially unbounded depending on how fast clients might present valid tokens. Because the jti is client selected, if a client is compromised in some way the attacker can generate valid jwts for use (potentially days) later (nonces prevent that). |
In the NL wallet, we would prefer to use nonces over jti primarily because we think there are security advantages over jwt:
Since a nonce is a value that didn't exist before the issuer generated it, a nonce-based approach just gives more guarantee that the pop that signs the nonce is truly "fresh". We plan to use nonces or similar mechanisms everywhere else whenever something is disclosed or issued, as it is indeed considered best practice. Not using it here would be the one exception to that. Since the wallet attestation (at least in our setup) serves as a sort of anchor on which the security of a large part of the rest of the setup depends, we feel that this is not a place where we can or should ignore security advantages such as the ones above. There are also advantages in the implementation, as previously mentioned. It can be implemented stateless if the issuer would e.g. sign the nonce into a JWT as @jogu suggests. And even if you do implement it using state, then it will be less state, that is easier to deal with. |
Unless I have forgotten a situation, I don't think that is possible in the VCI spec as all JWTs should have |
@jogu I agree on the different nature between jti and nonce, their directions and audiences, even if a jti is issued by any kind of jwt issuer, be it AS, RP, Client, OP and so on, but I fully got your point and I agree that handling a single value (nonce, even if encrypted with many bytes within it) is less that handling an entire JWT in term of computational and storage costs. Regarding the issue that some or many implementations doesn't properly handle the "uniqueness" of the jti would be better taken out, since we would say the same for every implementation that, for instance, supports X.509 without verifying properly a certificate chain; these consideration are too much relative to the technical debits of the implementations, even if, the value in your and also @tlodderstedt words may be found in two important aspects: 1) simplicity: a single value, issued by the actor that validates the flow where it is the main auditor; 2) implementation robustness: avoids the implementation weakness of mixing many properties taken from multiple sources, while a single value, when mandatory in the implementation (where jti is not) makes the difference in a completely arbitrary way. @sietseringers thank you for join in this discussion, here my though: JWT might mean many things depending on its payload, to avoid a replay the recipients are the traditional regarding the shared state I'm not convinced that nonce is different in this context, since it should be shared in that storage anyway. It is thin, it may be verified with encryption with internal logic of validation (then it may be reversible and not opaque to the issuer). Well, now that I've forced you to share a walk along this road, and had at least for me a brilliant chat on pros and cons, the still opened points on this thread of jti vs nonce I think are enough to move to the actionable stuffs within this thread. My scope is having a robust and secure interop with other parties, then it seems that we really want to go for the nonce endpoint. @tlodderstedt and @fmarino-ipzs if you agree I believe that this chat that started more than a year ago costs more than the implementation of a simple endpoint for the issuance of the nonce 😅 implementing it would costs less than 8 hours, not a problem, then ... I would like to focus more on the scopes and then on the big picture of this issue. Is this intended to say that the WIA must be ephemeral and one-time-use? If yes, I would say: it depends, maybe not. I assume that a WIA must be reused until its expiration and there might be cases where a WIA, bringin the public key attestation within it, should be reused along the same pseudonym (siopv2 id_token) that was issued along with it. Before raising too much ideas on that, I would say that probably it would time to say that it may be better to have multiple types of WIA for different scopes.
before deciding that WIA should be one-time-use, with a nonce, I would analyze with your help the impacts on the entire ecosystem for that. Then let's develop the nonce endpoint in few hours! |
Hi. If my understanding of the discussion is correct, there are essentially two strategies (which are, IMO, compatible) a) Passive sharing of a Wallet Attestation (jti-protection) a)
b) In EBSI, we implemented b). To me, a) is straightforward if JAdES is used as the wallet attestation can be transported as signer attributes. I believe we'll see both cases. |
Just to be clear on one point:
These are slightly different cases: In the case of TLS it is expected (and stated in many specs) that you must verify the certificate chain. In the case of |
Generally nonces are treated as shared state like the jti, indeed. In that sense I agree they are the same, but there are still differences. I expect that the nonce-based approach will result in less state, since generally you only need to remember the nonce until the client sends its response (a signature over the nonce), which will be (almost) immediately after fetching the nonce. By contrast, a jti will need to be remembered until the end of the expiration window, which is much longer. So there will be more state that needs to be remembed, also increasing the difficulty of obtaining performance and scalability as mentioned by @tlodderstedt. Additionally, I think the failure mode that I mentioned can really be a concern, in that it opens its own attack vector for a sufficiently powerful adversary:
That would be difficult so it might be considered hypothetical, but the nonce-based approach has no such potential attack vector at all.
Well, there are sufficient examples of vulnerabilities originating in improperly validating an X.509 chain. I believe a standard should strive to make it as easy as possible to write implementations that are secure, and I believe the nonce-based approach has an advantage there. |
If the nonce is not computed from the information, it must be shared with all AS in the cluster. However (as mentioned above)
Questions:
What's not mentioned in the flow is the credential offer. Could it contain a nonce? If the Wallet attestation should be bound to a session (IMO, that's not necessary), one could go with the flow:
this way, nonces or their hashes are not transported more than 1x. The attacker must get to the wallet to get all the info. If that happens, it's game over anyway. I don't see any issue with the flow presented by @peppelinux since the holder needs to authenticate anyway. Is this question about reducing the burden of the AS? |
@alenhorvat the point that you have raised Is very interesting, by adding a new unprotected endpoint then we should protect It in some way against the abuse. both nonce and JWT.jti are then stored with the sole difference that a signed JWT.jti protects the write with an authentication, while nonce not, then the implementers must use some way to protect the nonce endpoint against the abuses |
Both is not true for jti. Also, there is no need for a new nonce endpoint to issue nonces; DPoP issues nonces in headers in error messages. I wonder if the whole approach should not be structured more like DPoP, defining headers that can be used in requests of many types. Or even a DPoP extension, reusing the DPoP nonces and/or the DPoP PoP. |
it depends by the balancing type, the way you indicate is a sticky balancing that binds clients to endpoints (session persistence). This solution is awesome but works just for balancing and not for fault tolerance of the nodes, for this a shared storage is then needed.
indeed, a signed JWT.jti is authenticated.
I fully agree with you on this, here we have used DPoP in both the issuance and the presentation phase (for providing the WIA) https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/pid-eaa-issuance.html#detailed-flow |
To prevent a reply attack, the server needs to keep track of "consumed tickets", whether it is jti, nonce, or DPOP JWT. client-generated nonce: for the lifetime of the request from a security point of view, I don't see a big difference. From a capability point of view, it is similar. |
The storage costs depends also to the retention policy for the signed requests and responses Where identities are involved, with personal data, the retention duration Is established by gdpr and member states specific regulation Then the persistence of both jti and nonce (this latter contained in the signed requests) would be the same |
I'll second the point that nonces can be self-authenticating and self-contained and therefore need not be stored. A common way to achieve this is for the nonce to contain content encrypted to the server that creates it. |
Based on the discussion in the WG session today, I suggest the following design: a nonce is provided on demand with an error message from the PAR or token endpoint (as in DPoP). This way the wallet can send the wallet attestation (with a jti) and the issuer can decide whether it requires a nonce or not. And we don't need a separate endpoint. What do people think? |
It seems a good achievement to be further analyzed, below some notes in the wild. We now for sure have realized the requirement of providing the Wallet Instance Attestation during both the issuance and the presentation phase, even if the presentation is out of scope here I would put on the table that we're also working on this issue: openid/OpenID4VP#45 (comment) following the elements taken in my understanding we're trying to put in place a discovery process, which purpose is to obtain the wallet instance attestation "before-any" other operations made by its audience (CI or RP). If I'm on the right page, the discovery process ends with the acquisition of the wallet instance attestation, the verification of the PoP and the evaluation of the capabilities of the wallet instance. We have this requirement both in the issuance and in the presentation phases. Might we think to create a specialized endpoint to achieve this feature of wallet instance discovery, to be then the same implementation in both the issuance and the presentation phase, to be then reused as it is, like a kind of wallet instance registration endpoint? (even if that cannot be compared with a registration phase, but just a discovery where WIA is submitted to a trusted audience) |
Informational: Note that there's another option (we implemented 3 years ago in EBSI for a fully decentralised network of authZ servers without shared storage or sticky LB): Authenticated Key Encryption (we implemented AKE2). Long story short: The request is signed and contains an additional public key for encryption, the response is signed and encrypted according to AKE2. pro:
con:
Attack is only possible if the adversary gets access to the device; then it's game over anyway :) For details see: https://toc.cryptobook.us/book.pdf section 21.3 IMO, the cost of managing jti/nonce is probably lower than asking for a client-side decryption. But note that the security level can be higher (depending on the decryption key security). |
If we have so much trouble with the nonce, I would like to step back one second and ask how much we lose if we do attestation at the token endpoint? |
+1 for using nonces with a design similar to what is used in DPoP, where the server responds with |
the problem of misalignments of datetime between servers involved in interop and digital signatures would represent a security risk with higher priority than jti, considering for instance the impacts on evaluating jti doesn't bring any scope of freshness but just the requirement to keep it persistent until the JWT is not expired while jti impacts too much on the security and then the costs of the implementations, nonce can be provisioned at a first stage without any persistence by encrypting it with a symmetric key. That's why we found an agreement of the nonce, even if I would keep the nonce endpoint optional/recommended because there may be implementations that correctly implements jti as a replay attack mitigation/prevention, according to RFC 7519 |
That's perfectly fine. |
@alenhorvat We started earlier this year with wallet attestation as a VC but deliberatly chose not to do so.
|
I think that the roles client/AS or the relation between who is the client and who's the AS, in the wallet ecosystem are more ... relative! during the issuance the wallet instance is the client and the CI the AS, while in the presentation the RP is the client and the wallet instance is AS this would force us to provide the wallet instance for different scope in different ways, while for the wallet ecosystem I believe that it would be better define a wallet discovery endpoint that could be used in the same way by wallet-instance, RP and CI, in all the flows and use-cases, as commented here: #71 (comment) |
@paulbastian with "VC" I'm not referring to a specific format :) I'll not use VC anymore. I don't have any "format" preference. See my comment above on multiple possible formats for wallet attestations ;) @peppelinux , yes, the wallet can play both roles, depending on the scenario. I believe there are 2 elements: discovery (metadata/configuration), and authentication. If my understanding is correct, the issuer or verifier may ask the wallet instance to authenticate, and the proposal is to use the wallet instance attestation. I'm asking if Wallet Attestation is different because, during the issuance and presentation, the issuer/verifier might ask for additional tokens, so the token presentation flow should be supported anyway. If it is from a design or security perspective important to split authentication tokens (Wallet Instance Attestation) from attestation tokens (I'm a student), then this should be reflected. If that's the case, the most appropriate place would be to start wallet authentication after calling the authorisation server
This is why I'm trying to understand the design proposed/discussed and the rationale behind it. Informational: |
Here are my notes from today's call on this topic:
|
Could you please explain what "correct" means and whether that statement also applies to the token endpoint? |
In this flow a PAR request is used step 6 (PAR request) and step 14 (token endpoint request) uses the wallet instance attestation as client_attestation (PAR) and client_assertion (token endpoint) we cannot use it just on the token endpoint because this happens after the authorization and the user authentication, while within the authorization phase we need to attests the reliability of the wallet instance the wallet ecosystem assumes that the wallet instance attestation provides the proof of reliability of the wallet instance, it is signed by a trusted third parties and it gives also evidence of the wallet capabilities (not just cnf.jwk) according to the flow "pid-eaa-issuance.html#detailed-flow" the AS has the proof that it is always talking with the same party |
What is the role and purpose of the wallet instance attestation?
AS should get info about the wallet
|
@alenhorvat "wallet proof of reliability (I'm genuine)" for sure, then holder key binding ( |
So after discussing with @peppelinux , Giada and Amir on Friday, we agreed that:
Question remained whether to use the Dpop-style error providing the nonce at PAR endpoint or dedicated nonce endpoint. @peppelinux suggested that the nonce endpoint may be reused for OpenID4VP, although I don't see too much trouble getting a nonce there, as the Verifier always initiates the communication. Is it possible to provide the information that a nonce request must be made in the Issuer's metadata? In that way the wallet knows upfront that it should request a nonce first from PAR endpoint? |
Yes @paulbastian, we agreed! WIA at the PAR endpoint, indeed. And I confirm that there is some excitement in the idea of using oauth-attestation-based-client-auth on both PAR and Token endpoints, because these are RESTful endpoints where the same kind protection is used, reducing the overall complexity of both implementation and technical specs. Regarding to this point we would like to work on these:
We also agreed for implementing the nonce, and as you mentioned we may consider a brand new endpoint where a WIA+PoP is submitted for the return of a nonce. This would be reusable in both issuance and presentation and it also satisfy the requirement (even if not widely shared) of the wallet capabilities discovery before any protocol specific flow.
The answer I would like to give is yes we must, then a nonce_endpoint metadata claim would be then required for any kind of jwt-issuer that issues nonces. It also requires a nonce_endpoint_auth_methods_supported with ["attestation_based_client_auth"] as our default approach for the wallet ecosystem |
[quote replying to one of @danielfett's earlier comments]
It's worth mentioning that the
As best I can remember, some early conceptual designs/ideas for draft-ietf-oauth-attestation-based-client-auth used the DPoP Proof rather than the Client Attestation PoP JWT. The thinking, as I recall mostly from @tplooker, was to not have to reinvent or redefine a PoP mechanism in draft-ietf-oauth-attestation-based-client-auth - the experience developing DPoP did show that it was more tricky than was expected. Is it really worthwhile to have draft-ietf-oauth-attestation-based-client-auth go though the same? Perhaps that idea should be revisited? i.e. consider using the DPoP Proof header in draft-ietf-oauth-attestation-based-client-auth rather than the Client Attestation PoP JWT (as it is currently in -00). [I'm not trying to imply that DPoP did everything the right way at all but that many of the same issues were discussed during its development and addressed in some way] Even if not taken that far, I do think I prefer issuing nonces inline with the protocol messages (error or normal) over a dedicated endpoint for nonce getting. |
Maybe this is obvious to everyone but note that there are these two seemingly very much related issues in the repo for draft-ietf-oauth-attestation-based-client-auth and a resolution to this issue seems like it'll require changes to that piece rather than, or maybe in addition to, OpenID4VC. oauth-wg/draft-ietf-oauth-attestation-based-client-auth#39 |
I agree that technically the DPoP-Nonce is a concrete solution to provide the nonce in aswer to a request that has not previously carried it properly. However there might be some reactions against this solution due to the fact that in this way we're designing a flow that must handle an error-by-design approach, where the client must send a PAR without a nonce to obtain an error with the nonce to use for the next, equivalent, PAR request. From the development experience this might result frustrating in implementation and patchy in the overall design of the solution. did I get it wrong or is it this the direction that we may have? If yes I'm wondering if the nonce endpoint would make sense (as an endpoint protected by WIA~PoP) to give a good division by feature of specialized endpoints, where, if missing the DPoP-Nonce could be provisioned as well with the PAR response, as fallback/backup/hinting approach, but not a the default provisioning method of the nonce. WDYT? |
To me it would be much nicer to add a separate HTTP endpoint for requesting the nonce, for the reasons you've indicated (the other approach is error-by-design which is not pretty or developer friendly). If the issuer requires that the wallet uses a nonce while the wallet tries to use |
@Sakurann @pmhsfelix @c2bo @jogu @decentralgabe and Markus had a discussion about this topic after IIW. We came to the conclusion the AS provding the nonce in a error response is the better option, as
We think the client initially should send a attestation PoP with a jti (as specified in draft-ietf-oauth-attestation-based-client-auth). We suggest to add that feature to draft-ietf-oauth-attestation-based-client-auth as it is related to replay detection for this kind of attestations. |
If the discussion in OpenID4VP Advanced Flow leads us to not needing a nonce endpoint (which I think it will), I'm fine with DPoP-style nonce providing by the AS. We can define the mechanism in next iteration of Client Attestation |
With your same thought in my mind, see oauth-wg/draft-ietf-oauth-attestation-based-client-auth#64 (comment) |
I don't think this is solved, the nonce endpoint is currently only defined for c_nonce. I think the best direction is to describe a mechanism within Attestaiton-Based Client Authentication itself and leverage our experience from nonce endpoint. |
Currently, implementations can protect the PoP for wallet attestations (https://datatracker.ietf.org/doc/draft-looker-oauth-attestation-based-client-auth) by:
The latter does not work for Pushed Authorization Requests.
The proposal was made, to let the wallet request a nonce from the Issuer that can then be used for binding the wallet attestation. This came up in various discussions including the eIDAS expert group's touch point meeting on OID4VCI and discussions with member states.
The basic idea would be to define another endpoint, e.g. nonce endpoint, the wallet could be use to obtain that nonce.
The text was updated successfully, but these errors were encountered: