Breaking and Fixing HTTPS Compound Authentication: TLS 1.3, Token Binding, and OAuth 2.0
Although transport layer protocols such as TLS allow client authentication based on strong credentials such as public-key certificates, application protocols such as HTTPS more commonly employ a compound authentication protocol that composes server authentication at the transport layer with user authentication within the application, based on bearer tokens such as passwords or OAuth tokens. We will discuss the strengths and weaknesses of such compound authentication protocols via recent attacks on TLS, HTTPS, and popular websites. We will then see how new protocols such as TLS 1.3 and Token Binding offer a new way of building compound authentication modes for OAuth 2.0 that prevent a large class of credential forwarding attacks.
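The credential-forwarding problem and the channel-binding fix sketched above, as an added simulation that is not part of the talk or its slides: a bearer token captured by a relaying attacker (phishing proxy, malicious middlebox) is accepted when replayed over the attacker's own TLS connection, while a token bound to a per-connection exporter value is rejected on any connection other than the one the client proved possession on. The TLS exporter (RFC 5705 keying material) is modelled as a random per-connection value, and the asymmetric Token Binding signature is replaced by an HMAC with a per-client key that the server recorded at issuance; names such as `TlsConnection`, `ResourceServer`, `forward` and the user `alice` are this example's own assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets


class TlsConnection:
    """One TLS connection. `ekm` stands in for RFC 5705 exported keying
    material: both endpoints of a connection derive the same value, and a
    different connection (even to the same server) gets a different one."""

    def __init__(self) -> None:
        self.ekm = secrets.token_bytes(32)  # constructed per-connection value


class Client:
    def __init__(self, tb_key: bytes) -> None:
        # Token-binding key. In real Token Binding this is the private half of a
        # key pair and never leaves the client; the HMAC below is a stand-in for
        # the signature over the connection's exporter value.
        self.tb_key = tb_key

    def bearer_request(self, token: str) -> dict:
        return {"token": token}

    def bound_request(self, conn: TlsConnection, token: str) -> dict:
        proof = hmac.new(self.tb_key, conn.ekm, hashlib.sha256).digest()
        return {"token": token, "tb_proof": proof}


class ResourceServer:
    def __init__(self) -> None:
        self.issued: dict[str, tuple[str, bytes | None]] = {}

    def issue(self, user: str, tb_key: bytes | None = None) -> str:
        """Mint a token for `user`; `tb_key` is the binding key registered at
        issuance (None means an ordinary bearer token)."""
        token = secrets.token_urlsafe(16)
        self.issued[token] = (user, tb_key)
        return token

    def handle(self, conn: TlsConnection, request: dict) -> str | None:
        """Return the authenticated user, or None if the request is rejected."""
        entry = self.issued.get(request.get("token", ""))
        if entry is None:
            return None
        user, tb_key = entry
        if tb_key is None:
            return user  # bearer: possession of the string is the whole proof
        expected = hmac.new(tb_key, conn.ekm, hashlib.sha256).digest()
        if hmac.compare_digest(expected, request.get("tb_proof", b"")):
            return user
        return None  # proof was computed over some other connection's ekm


def forward(server: ResourceServer, captured: dict) -> str | None:
    """A credential-forwarding attacker replays the captured request over its
    own TLS connection to the server; it does not hold the client's tb_key."""
    attacker_conn = TlsConnection()
    return server.handle(attacker_conn, captured)


def bearer_scenario() -> tuple[str | None, str | None]:
    """(user the legitimate request is accepted as, user the forwarded copy
    is accepted as). Bearer: both succeed, so forwarding works."""
    server = ResourceServer()
    client = Client(tb_key=secrets.token_bytes(32))
    token = server.issue("alice")
    conn = TlsConnection()
    request = client.bearer_request(token)
    return server.handle(conn, request), forward(server, request)


def bound_scenario() -> tuple[str | None, str | None]:
    """Same shape as bearer_scenario, with a channel-bound token: the genuine
    connection is accepted, the forwarded copy is rejected."""
    server = ResourceServer()
    tb_key = secrets.token_bytes(32)
    client = Client(tb_key)
    token = server.issue("alice", tb_key=tb_key)
    conn = TlsConnection()
    request = client.bound_request(conn, token)
    return server.handle(conn, request), forward(server, request)


if __name__ == "__main__":
    print("bearer token: legit=%s forwarded=%s" % bearer_scenario())
    print("bound token:  legit=%s forwarded=%s" % bound_scenario())
```

The symmetric stand-in keeps the demonstration self-contained; in the real protocol the server verifies a signature with the client's public key, so even a server-side compromise does not yield a key that lets the attacker re-prove possession on a fresh connection.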
Lessons from breaking and defending OAuth in practice
Although the risks of bearer token protocols are widely acknowledged by the security community, the adaptability of bearer tokens to different transports has led them, especially OAuth 2.0, to dominate the ecosystem. Published research and the author's own experience have demonstrated repeated weaknesses arising from misuse or missing security properties in a variety of the client-side communication channels employed by these protocols. This talk surveys how flaws and variations in the browser and app platforms implementing these channels further complicate the task of trying to secure popular OAuth 2 implementations and explores several ways large classes of these problems could be significantly mitigated for already deployed systems, at large scale, through improvements at the HTTP protocol level.
Time | Thursday, July 14 | Friday, July 15 |
---|---|---|
9:15 | Coffee | Coffee |
9:45 | Opening Remarks | |
10:00 | Invited Talk: Karthikeyan Bhargavan, Breaking and Fixing HTTPS Compound Authentication: TLS 1.3, Token Binding, and OAuth 2.0 (slides) | Invited Talk: Andrey Labunets, Lessons from breaking and defending OAuth in practice (slides) |
11:00 | Break | Break |
11:30 | Oliver Pfaff: OAuth for Operational Technology? (pdf, slides) | Kaoru Maeda: Design Guidelines Wanted for Group Service IdP (pdf, slides) |
12:15 | Lunch | Lunch |
13:30 | Daniel Fett, Ralf Küsters, and Guido Schmitz: A Comprehensive Formal Security Analysis of OAuth 2.0 (pdf, slides) | Hannes Tschofenig: Solving IoT Security Challenges with OAuth 2.0 (slides) |
14:15 | Wanpeng Li and Chris Mitchell: Does the IdP Mix-Up attack really work? (pdf, slides) | Michael Jones: OAuth 2.0 Mix-Up Mitigation: Status and Next Steps (discussion) (pdf) |
15:00 | Break | Break |
15:30 | Giada Sciarretta, Roberto Carbone, Silvio Ranise, and Alessandro Armando: An OAuth-based Single Sign-On solution for Mobile Applications (pdf, slides) | Tobias Wich, Christian Mainka, and Vladislav Mladenov: PrOfESSOS: Automated OpenID Connect Security Assessment (pdf, slides) |
16:15 | Discussion with the IETF OAuth Working Group about recent attacks on OAuth | |
17:00 | Social Event: sightseeing tour of the Roman city of Trier. Meeting point: inside the Tourist Information at Porta Nigra (from the workshop venue, take Bus 4 to Porta Nigra at 16:25) | |
19:30 | Dinner | |