<div dir="ltr"><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Hi Daniel</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Thank you very much for this.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">I look forward to reviewing the paper and trust that it will help us to improve the FAPI specs, especially in developing a clearer description of the attacker model.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Please pass my thanks to the other authors.</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Best Regards</div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif"><br></div><div class="gmail_default" style="font-family:trebuchet ms,sans-serif">Dave</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, 1 Feb 2019 at 14:33, Daniel Fett via Openid-specs-fapi <<a href="mailto:openid-specs-fapi@lists.openid.net">openid-specs-fapi@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF">
<p>All,<br>
<br>
Pedram, Ralf, and I have worked on analyzing the security of the
FAPI profiles using formal methods.<br>
<br>
The "executive summary" of our findings is that we have found some
attacks when specific, relatively strong attacker models are used.
(From our point of view, it would be very useful to make the
attacker model in the FAPI more explicit, see Issue #175 [1].)
Apart from that, we were able to prove the security of FAPI when
certain fixes are applied.</p>
<p>This makes FAPI the only Open Banking security profile with
proven security!<br>
</p>
<p>We have communicated details of the attacks we found to the
authors listed in the draft over the last months. We will now also
follow up with filing more specific Bitbucket Issues for
mitigations that are not in the spec yet.<br>
<br>
Our research paper based on the analysis will be published at
Security and Privacy in May. A preprint version is now available
at [2].<br>
<br>
-Daniel<br>
<br>
[1] <a class="gmail-m_4440409767769730778moz-txt-link-freetext" href="https://bitbucket.org/openid/fapi/issues/175/clarify-attacker-model-pkce-method-and" target="_blank">https://bitbucket.org/openid/fapi/issues/175/clarify-attacker-model-pkce-method-and</a><br>
[2] <a class="gmail-m_4440409767769730778moz-txt-link-freetext" href="https://arxiv.org/abs/1901.11520" target="_blank">https://arxiv.org/abs/1901.11520</a></p>
<p>An Extensive Formal Security Analysis of the OpenID
Financial-grade API<br>
</p>
<p>Daniel Fett (<a href="http://yes.com" target="_blank">yes.com</a> AG), Pedram Hosseyni (University of
Stuttgart), Ralf Küsters (University of Stuttgart)<br>
</p>
<p><br>
Abstract:</p>
<p>Forced by regulations and industry demand, banks<br>
worldwide are working to open their customers’ online banking<br>
accounts to third-party services via web-based APIs. By using<br>
these so-called Open Banking APIs, third-party companies, such<br>
as FinTechs, are able to read information about and initiate<br>
payments from their users’ bank accounts. Such access to<br>
financial data and resources needs to meet particularly high<br>
security requirements to protect customers.</p>
<p>One of the most promising standards in this segment is the<br>
OpenID Financial-grade API (FAPI), currently under develop-<br>
ment in an open process by the OpenID Foundation and backed<br>
by large industry partners. The FAPI is a profile of OAuth 2.0<br>
designed for high-risk scenarios and aiming to be secure against<br>
very strong attackers. To achieve this level of security, the FAPI<br>
employs a range of mechanisms that have been developed to<br>
harden OAuth 2.0, such as Code and Token Binding (including<br>
mTLS and OAUTB), JWS Client Assertions, and Proof Key for<br>
Code Exchange.</p>
<p>In this paper, we perform a rigorous, systematic formal analy-<br>
sis of the security of the FAPI, based on an existing
comprehensive<br>
model of the web infrastructure—the Web Infrastructure Model<br>
(WIM) proposed by Fett, Küsters, and Schmitz. To this end, we<br>
first develop a precise model of the FAPI in the WIM, including<br>
different profiles for read-only and read-write access, different<br>
flows, different types of clients, and different combinations of<br>
security features, capturing the complex interactions in a web-<br>
based environment. We then use our model of the FAPI to<br>
precisely define central security properties. In an attempt to<br>
prove these properties, we uncover partly severe attacks, breaking<br>
authentication, authorization, and session integrity properties.<br>
We develop mitigations against these attacks and finally are able<br>
to formally prove the security of a fixed version of the FAPI.</p>
<p>Although financial applications are high-stakes environments,<br>
this work is the first to formally analyze and, importantly,
verify<br>
an Open Banking security profile.</p>
<p>By itself, this analysis is an important contribution to the<br>
development of the FAPI since it helps to define exact security<br>
properties and attacker models, and to avoid severe security risks<br>
before the first implementations of the standard go live.</p>
<p>Of independent interest, we also uncover weaknesses in the<br>
aforementioned security mechanisms for hardening OAuth 2.0.<br>
We illustrate that these mechanisms do not necessarily achieve<br>
the security properties they have been designed for.<br>
<br>
</p>
</div>
_______________________________________________<br>
Openid-specs-fapi mailing list<br>
<a href="mailto:Openid-specs-fapi@lists.openid.net" target="_blank">Openid-specs-fapi@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fapi" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fapi</a><br>
</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div style="font-size:1em;font-weight:bold;line-height:1.4"><div style="color:rgb(97,97,97);font-family:"Open Sans";font-size:14px;font-weight:normal;line-height:21px"><div style="font-family:Arial,Helvetica,sans-serif;font-size:0.925em;line-height:1.4;color:rgb(220,41,30);font-weight:bold"><div style="font-size:14px;font-weight:normal;color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4"><div style="font-weight:400;color:rgb(51,51,51);line-height:normal"><div style="color:rgb(0,164,183);font-weight:bold;font-size:1em;line-height:1.4">Dave Tonge</div><div style="font-size:0.8125em;line-height:1.4">CTO</div><div style="font-size:0.8125em;line-height:1.4;margin:0px"><a href="http://www.google.com/url?q=http%3A%2F%2Fmoneyhubenterprise.com%2F&sa=D&sntz=1&usg=AFQjCNGUnR5opJv5S1uZOVg8aISwPKAv3A" style="color:rgb(131,94,165)" target="_blank"><img alt="Moneyhub Enterprise" height="50" src="http://content.moneyhub.co.uk/images/teal_Moneyhub-Ent_logo_200x50.png" title="Moneyhub Enterprise" width="200" style="border: none; padding: 0px; border-radius: 2px; margin: 7px;"></a></div><div style="padding:8px 0px"><div style="padding:8px 0px"><div style="letter-spacing:normal;line-height:normal"><div style="padding:8px 0px"><span style="color:rgb(0,164,183);font-size:11px">Moneyhub Financial Technology, 5th Floor, 10 Temple Back, Bristol, BS1 6FL</span></div><span style="font-size:11px;line-height:15.925px;color:rgb(0,164,183);font-weight:bold">t: </span><span style="font-size:11px;line-height:15.925px">+44 (0)117 280 5120</span><br style="color:rgb(0,164,183);font-size:11px;line-height:15.925px"></div><div style="letter-spacing:normal;line-height:normal"><span style="font-size:11px;line-height:15.925px"><br></span></div><div style="color:rgb(97,97,97);font-family:"Open Sans";letter-spacing:normal"><div style="line-height:1.4"><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em">Moneyhub Enterprise is a trading style of Moneyhub Financial Technology Limited which is authorised and regulated by the Financial Conduct Authority ("FCA"). Moneyhub Financial Technology is entered on the Financial Services Register </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;font-size:0.75em;background-color:transparent">(FRN </span><span style="color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;font-size:10.5px;font-weight:700">809360</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">) at <a href="http://fca.org.uk/register" target="_blank">fca.org.uk/register</a>. M</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:10.5px">oneyhub</span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> Financial Technology is registered in England & Wales, company registration number </span><span style="color:rgb(51,51,51);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em"> </span><span style="font-weight:bold;color:rgb(0,164,183);font-family:lato,"open sans",arial,sans-serif;background-color:transparent;font-size:0.75em">06909772</span><span style="background-color:transparent"><font color="#333333" face="lato, open sans, arial, sans-serif"><span style="font-size:0.75em"> .</span></font></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:10.5px">Moneyhub</span><span style="background-color:transparent;font-size:0.75em"> Financial Technology Limited 2018 </span><span style="background-color:transparent;color:rgb(34,34,34);font-family:arial,sans-serif;font-size:x-small">©</span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em"><br></span></div><div style="font-family:lato,"open sans",arial,sans-serif;color:rgb(51,51,51);line-height:1.4"><span style="background-color:transparent;font-size:0.75em;color:rgb(136,136,136)">DISCLAIMER: This email (including any attachments) is subject to copyright, and the information in it is confidential. Use of this email or of any information in it other than by the addressee is unauthorised and unlawful. Whilst reasonable efforts are made to ensure that any attachments are virus-free, it is the recipient's sole responsibility to scan all attachments for viruses. All calls and emails to and from this company may be monitored and recorded for legitimate purposes relating to this company's business. Any opinions expressed in this email (or in any attachments) are those of the author and do not necessarily represent the opinions of Moneyhub Financial Technology Limited or of any other group company.</span></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>