There were some critical flaws identified in the last draft proposal
and their suggestions to overcome these issues are well thought
through.
After reviewing their proposals carefully, I have the following comments:
** Requirement for authentication and authorisation before first tag
We had previously discussed a multi-tiered methodology for tagging
where "box fresh" a device could tag without having to register. As
acknowledged by Sean and Chris this leaves a broadcaster prone to
flooding and resource exhaustion attacks, blindingly accepting and
storing data every time a device (valid or otherwise) requests so.
If we did allow any new device to submit tags straight away it could
be exploited by a 3rd party randomly generating device IDs and
submitting tags. Furthermore, if they hit the same ID as an existing
device that has yet to be authenticated and switch to using the new
token authorisation they could submit tags on that devices behalf.
That's not to say these risks could be minimised. One way this could
be eased is to hold those devices in a soft state, keeping those
records for a relatively short amount of time before being purged. In
addition, flood prevention could be imposed when a large number of
"unique" devices tag from a single IP, for example.
What I'd like to see is a careful use of language in the specification
to that there is nothing to stop a broadcaster implementing their
servers to behave in this way. I think it would be interesting to
allow options to exist, probably with attention drawn to the security
benefits of the least exploitable method. Thoughts?
** OAuth2 specification
As the OAuth2 specification is still draft, do we need to stick a flag
in the sand and say which version we should use? As stated:
> We actually use only a small portion of the specification
> (http://tools.ietf.org/html/draft-ietf-oauth-v2-13#section-4.4) in
> which a client obtains an authorization Token in response to
> presenting a client credentials.
Therefore am I right in thinking we actually utilise the methodology
of OAuth2 but, by explicitly defining the process in Tag, snapshot it
at the point of capture. Rather we are using the methodology of OAuth2
instead of declaring that a tag server should support OAuth2?
Whilst on the topic of OAuth2, it may be beneficial to alter some of
the language we've used within Tag to ease understanding. For example
in the realm of OAuth, our UDI or "Device Identifier" is actually a
"Client Identifier". I actually prefer this term as RadioTAG is just
as likely to be implemented in software (such as a smartphone) as it
is a hardware radio device. Therefore "Client" is a much more suited
term of reference in my opinion.
** The use of Device/Client ID as part of the authorisation process
Because the OAuth implementation has a requirement on the user keying
the client identifier read from the client screen in to the web front
end the previously proposed use of a UUID poses increased complexity
where the user has to copy a 32 digit number (hyphens could, at least,
be pre-populated).
If we looked to the use of a shorter ID we run the risk of collision
across multiple vendors. However, if we move to using a technology
such as OAuth between service providers for sharing user data rather
than client data, there is no specific requirement for client identity
to be unique outside the scope of any single service provider.
Therefore, we could propose service provider issued client IDs. Rather
than being a client ID it's more of a temporary token, issued to any
device that doesn't have an authorised token in memory. Once true
authorisation has been performed, the temporary token is terminated
and no longer valid.
Because this token only needs to be unique within a single providers
scope, we can greatly simplify it making it easier for an end user to
copy. If we use a base 36 number of 6 digits, we have an available
pool of 2.18 billion possible values. If clients are specified to
always accept and update a new incoming temporary ID on any
transaction until authorised with a proper token, it is possible to
recycle and have short lifetimes on the temporary tokens to avoid an
exploit exhausting the available tokens as discussed in other similar
attacks.
Thanks again.
A
--
Andy Buckingham
RadioTAG Application Team Lead
RadioDNS Project and Global Radio (UK)
t: +44 (0)117 900 5357
e: andy.bu...@radiodns.org
w: http://radiodns.org/
Follow the RadioDNS Project via Twitter: @radiodns
Welcome to the group. I'll attempt to answer your questions based on
my understanding of the recent proposal, will anyone else who feels
this doesn't match up with their interpretation feel free to question
and/or correct me.
> - can a single user own and authenticate multiple devices?
Absolutely. Based on my understanding of the proposal this "just
works". The user would go through the same process for each device,
but under the same user account on the web front end.
> - can a single device be authenticated by multiple user accounts?
This is a little out of the scope of the current proposal as it's very
much up to the service provider how they want to handle it. One way
would be for the SP to show an error when the user enters the device
ID, "Sorry this device is already registered to another user you can't
do this". Alternatively, they could add a button "Request permission
from owner?", which means the originating user is asked permission on
their next login/via e-mail etc. Once this confirmation occurs, the
device just works. They wouldn't need to go through the token process
as the device is already established.
The only time this would differ would be if devices have a concept of
multiple users on the device. In this instance we might want to
specify that the device treats each user in a "jailed" state, each
user has their own tokens/auth etc. Then, depending on which user is
"logged in" on the device they would authorise in the original way as
if they're the only person with the device doing it for the first
time.
> Should we consider what would happen if Charlie tried to hack this
> account after Alice had authenticated her device? ie used the same
> device ID to access and add to her tags? Or does OAuth only allow 1
> device <> 1 account, and therefore precludes this from happening?
Once authorised the token defines the relationship between device and
user account. Once the device is known by the service provider to be
in an authenticated state with a token issued, it should not allow
anyone to re-register it, unless the user authenticates in the web
front end and resets the auth procedure. This should make your
proposed attack suitably difficult! :)
Thanks for throwing these questions out to the group.
Andy.
The BBCs recent proposals were still loosely based on top of the
earlier drafts we had circulated around the team.
In those the device ID was intended to be a UUID, defined by many
existing specifications (ISO/IEC 11578:1996, ITU-T Rec. X.667 |
ISO/IEC 9834-8:2005 and RFC 4122). These were intended to be generated
on device reset and there would be a single identifier for the device.
One obvious consideration for this would be the feasibility of an
implementation of UUID generation on silicon.
The reason for allowing the device ID to be generated at run time and
changed on the device was in light of a user selling the device. If
the old user didn't release control of that identifier, the new one
may be unable to register - though this does depend slightly on how we
agree the interchange of tokens and device IDs work, as you suggest.
If at all possible I'd like to still keep open the possibility of a
service provider being able to implement very basic tagging without
the immediate need for registration. It is possible, however, that if
the service provider doesn't like tokens to a client but sees them as
an alternative access method instead of a client id, then a static
device ID could still be used. As you suggest, a device ID resets the
tokens and the user goes through a registration process again.
As device IDs are such a big part of the authorisation/pin code
process now the big thing I'd like to tackle is finding a suitably
unique and hard to guess identifier that is relatively short and
simple for a user to input. Robin, from a silicon point of view does
the service provider issue device identifier complicate things
significantly?
> b) My second question was related to the user experience when they attempt to create tags from more than one service.
> When they first press the tag button, they are prompted to register, and associate their device with an account via the WFE, and the tag is created.
> If they then tune to a different station, from a different service provider, and press the tag button - presumably the RadioDNS entry will point to a different service provider, and they will be expected to register again, with potentially a different WFE?
> Is this the expected behaviour?
Yes, currently this is expected behaviour. It is expected the device
keys the token(s) against the tag server address resolved from the SRV
lookup. For example, all of Global Radio's services might resolve to
tags.musicradio.com - this would only require a single token for all
Global radio stations. As you suggest we need to carefully think about
storage capabilities of devices and limitations associated. I would
consider defining a minimum number of token records as acceptable and
that if the device is capable of storing more it should do so.
We should probably stick a note here that this is an extreme
circumstance where the device is not affiliated with a 3rd party, for
example a manufacturers listening lounge service may exist as a
mediator and take responsibility for storing a lot of this data.
That's not to say we shouldn't find a reasonable solution for off the
shelf devices that don't have such support from a back end.
Andy.
Hi Robin, thank you for taking the time to look at the protocol from a
device manufacturer's perspective, it's very useful to have your insights.
I think it would be useful for us to do a version of the protocol where
the device/client id is issued by the service provider. We didn't do
this to begin with as it adds another vector of complexity. Hopefully
we'll get chance to look at this next week.
One advantage of issuing the id from the service is that it would also
support devices that can have multiple users (with some kind of
user-switching support), each user on the device could then have their
own "device id" and therefore auth token.
> Are the TagService and AuthService always guaranteed to be paired, or is there a circumstance that more than one TagService might share an AuthService?
> If so, then presumably it's the AuthService that the token needs to be stored against by the device, rather than the TagService?
Yes, the AuthService is where device id and token would be stored and
associated (with an account).
We're currently working on a reference implementation that will also
hopefully demonstrate this in another way.
Thanks again,
Chris