Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Signed Requests and Replay Prevention #4

Closed
OIDF-automation opened this issue Feb 1, 2023 · 6 comments
Closed

Signed Requests and Replay Prevention #4

OIDF-automation opened this issue Feb 1, 2023 · 6 comments

Comments

@OIDF-automation
Copy link

Imported from AB/Connect bitbucket: https://bitbucket.org/openid/connect/issues/1807

Original Reporter: tlodderstedt

Signed requests (according to JAR) do not contain a server (wallet) provided nonce. This bears the risk of an attacker replaying such a request in order to impersonate a legit verifier. If the message signature is used to authenticate the client (and present information to the user based on that), the attacker could utilize the request to exfiltrate PII.

In classical OAuth, this risk is mitigated by pre-configured redirect URIs bound to a certain client. With custom schemes and even claimed URLs (on Android), the redirect URI does not longer prevent such attacks. Encrypted responses would be another option, if authentic public keys are used.

I suggest to conduct an analysis whether the original security model of signed request is still appropriate for OpenID4VP.
@OIDF-automation
Copy link
Author

Imported from AB/Connect bitbucket - Original Commenter: mbj

I don’t understand why making a second request with the same parameters as the first constitutes an attack.

@OIDF-automation
Copy link
Author

Imported from AB/Connect bitbucket - Original Commenter: tlodderstedt

if the request is sent by an attacker on a different device where the attacker is able to capture the response, the attacker can impersonate the legitimate client. In our context this means, the attacker can trick the user into releasing credentials/claims.

@OIDF-automation
Copy link
Author

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

SIOP call - WG was looking for more clarification on what is the attack: some comments here:

https://lists.openid.net/pipermail/openid-specs-ab/2023-February/009711.html

@OIDF-automation
Copy link
Author

Imported from AB/Connect bitbucket - Original Commenter: KristinaYasuda

if the request is signed, the attacker replaying the request cannot change where the response from the wallet is going, so that mitigates the attach you are trying to prevent, right?

so yes, i think it makes sense either to 1/ have a pre-registered combination of client_id and redirect_uri or 2/ have a signed request with means to identify/trust the verifier (even if it is displaying the verifier’s domain to the user and asking the user to consent).

at least above is the conclusion of the discussions in ISO - might be worth having a clarification text

@Sakurann Sakurann removed the major label Feb 1, 2024
@awoie
Copy link
Contributor

awoie commented Mar 1, 2024

Related to #52 #59

@Sakurann
Copy link
Collaborator

Sakurann commented Apr 3, 2024

PR #59 introduced wallet nonce, so closing as resolved. cc @tlodderstedt @jogu

@Sakurann Sakurann closed this as completed Apr 3, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@awoie @Sakurann @OIDF-automation