OAuth 2.0 - Bearer tokens versus MAC tokens. Why not use MAC tokens?

I searched for other questions in this thread, but I did not find the answer to this completely. So tell me if I'm wrong. I am new to this topic and you can correct me with pleasure. Here is what I think at the moment:

I surfed the Internet for 2 days, trying to figure out what the actual state of the art for authorizing a web request is. I quickly realized that OAuth 2.0 seems to be the most common standard. But OAuth 2.0 itself is anything but standardized. From my point of view it is a mess of different settings for each larger company. But in any case, there are two ways to exchange authorization information: MAC tokens and Bearer tokens.

In my opinion, MAC tokens offer more security. So why are they not widely implemented? The only reason I could find is that they are a bit more complicated. And I heard several times that MAC tokens are not recommended if the client is not 100% trusted, because the client must keep a secret. But where is the difference? In any case, the client must store authorization information. In my opinion, it does not matter whether that is the bearer token or the MAC secret. What does make the difference is that the MAC secret (unlike the bearer token) is not transmitted over the wire with each request.

So can you tell me a sensible reason not to use MAC tokens (apart from the extra effort)? Am I missing something? Or have I misunderstood the two token methods?

Thanks for reading and your help.


The danger is that if the client does not insist that the SSL/TLS certificate is valid, a step that many clients skip, then the bearer token is susceptible to a man-in-the-middle attack.

The MAC token is not affected by this attack; it may be fair to say that the MAC token provides some authenticity in the absence of SSL/TLS, or indeed when it is not used correctly.

The MAC token mitigates the known weakness of the bearer token.

Clients should not share a single MAC key; a new key must be created for each client. It is no more of a security risk to trust each client with its own key than to trust them with bearer tokens.

I think the problem occurs when exchanging an authorization grant for an access token. For a MAC key, this returns a symmetric secret key. If a client does not check SSL/TLS certificates correctly, then this step is also subject to a MITM attack.

In short, a MAC token might be less preferable because it is more complex, but you still need SSL/TLS to make it secure, and if you have that, then the bearer token is also secure.

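To make concrete what the question and the answer above are arguing about, here is an added example (not code from the original thread, and not any library's implementation) of how a MAC token is used: the client sends only a key identifier, a timestamp, a nonce and an HMAC over the request, while the symmetric key itself stays on both ends. The header layout and the normalized request string are modeled on the OAuth 2.0 MAC token draft but simplified; the key id and key are constructed sample values.

```python
import hmac, hashlib, base64, time

# Constructed sample credentials, as a token endpoint would hand them out over TLS
# for a MAC token: an identifier plus a symmetric key. Only MAC_ID ever goes on the wire.
MAC_ID = "jd93dh9dh39D"   # constructed sample value
MAC_KEY = b"8yfrufh348h"  # constructed sample value, held by client and resource server

def normalized_request(ts, nonce, method, uri, host, port, ext=""):
    # Request string modeled on the MAC draft: one field per line, trailing newline.
    return "\n".join([str(ts), nonce, method.upper(), uri, host.lower(), str(port), ext]) + "\n"

def compute_mac(key, normalized):
    digest = hmac.new(key, normalized.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def build_authorization_header(ts, nonce, method, uri, host, port):
    # Client side: the secret is used to sign, never transmitted.
    mac = compute_mac(MAC_KEY, normalized_request(ts, nonce, method, uri, host, port))
    return f'MAC id="{MAC_ID}", ts="{ts}", nonce="{nonce}", mac="{mac}"'

def parse_header(header):
    scheme, _, params = header.partition(" ")
    if scheme != "MAC":
        return None
    fields = {}
    for part in params.split(","):
        key, _, value = part.strip().partition("=")
        fields[key] = value.strip('"')
    return fields

class MacVerifier:
    """Resource-server side: look up the key by id, recompute the MAC, reject replays."""
    def __init__(self, keys, window=300):
        self.keys, self.window, self.seen = keys, window, set()

    def verify(self, header, method, uri, host, port, now=None):
        now = time.time() if now is None else now
        p = parse_header(header)
        if p is None or p.get("id") not in self.keys:
            return False
        if abs(now - int(p["ts"])) > self.window:          # stale timestamp
            return False
        if (p["id"], p["ts"], p["nonce"]) in self.seen:    # replayed nonce
            return False
        expected = compute_mac(self.keys[p["id"]],
                               normalized_request(p["ts"], p["nonce"], method, uri, host, port))
        if not hmac.compare_digest(expected, p["mac"]):    # constant-time comparison
            return False
        self.seen.add((p["id"], p["ts"], p["nonce"]))
        return True
```

Note that a captured header is useless for a second request (nonce and timestamp are checked) and cannot be re-signed for a different method or URI, whereas a captured bearer token is the credential itself; but the key exchange at the token endpoint still relies on TLS, which is the answer's point.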

In my opinion, the answer may be simple: the bearer token mechanism assumes the existence of an SSL/TLS layer, while the MAC token tries to replace it. Since SSL/TLS is widely deployed and used, why do something more complicated than necessary?

Yes, as was recently seen with the Heartbleed vulnerability, many things are actually not as reliable as expected, but who guarantees that the MAC implementation will not fail as well?

Another point, as you mentioned, is the exchange of symmetric secrets. In the absence of an absolutely reliable secondary channel, this can be difficult. And client trust can also be a problem.


If SSL/TLS is used correctly, and client credentials are issued in a confidential and self-service manner, there is no big advantage in adopting MAC instead of bearer tokens. It only adds complexity. The client is responsible for maintaining the confidentiality of client_secret. Of course, there are clients who prefer to use MAC, thinking it improves security.
