Where to move or what to do with V3.5 section (tokens section in session management chapter)

[elarlang]

There has been discussions here and there, what to do with V3.5 section. Mostly I have opened the topic in

• cleanup V3.5 Token-based Session Management #1917

Problem to solve: stateless tokens or "cryptographically secured tokens" as those are named now in requirements, are a wider topic and are not limited to sessions. Additionally, using stateless tokens for session management causes many new challenges for achieving the expected solution to fulfill security requirements.

Options are:

• Option 1 - A separate chapter for "Cryptographically Secured Tokens", for example located between "Web Services and API" and "OAuth and OIDC" chapters
  • At the moment it seems that we may have enough content for 2 sections: the crypto part for verifying the integrity and then the token content part such as expiration time, and audience, type etc. Need to re-check from V51 OAuth and OIDC requirements, how many of them can be made abstract.
  • We have better overview of the situation when current V3 opened issues are sorted
  • Easy to take it separately into scope while implementing and testing, for example, when no session management is needed (m2m)
  • We don't have the clear need for that yet, but it gives/leaves option to add token-specific section, for example JWT.
• Option 2 - Move the V3.5 section to V13 API and Web Service
  • It is mostly related to web services, but, by principle not limited to it.
• Option 3 - Move the V3.5 section to V5 Validation, Sanitization and Encoding
  • From the perspective, that "Validate before you accept and use it" it is input validation
• Option 4 - Leave it as it is
  • Something I really don't like and I have seen it causing confusion too many times. But it is one option.

[tghosth]

My order of preference:

• Option 4 - I still feel like the primary use is as a "session" although I agree it is a little weird.
• Option 2 - I think very closely related although not a 100% match
• Option 1 - Might prevent confusion with other topics.
• Option 3 - I really think this is confusing and the token stuff is to specialised to be here. V5 is also massive.

[elarlang]

ping @ryarmst @randomstuff @TobiasAhnoff

[ryarmst]

I do not have a strong opinion here as I do not see a clear obvious location.

Option 3 - @elarlang I have agreed with your point that many of these requirements are fundamentally validation issues and that V5 logically makes sense, but I don't think anyone looking at the ASVS for the first time would expect to find it there.

Option 1 - The more I think about this option, the more it seems reasonable especially thinking about implementation and testing.

@tghosth I do think if it moves, there ought to be guidance text in V3 for those who expect to find it there.

[randomstuff]

Would including "Cryptographically Secured Tokens" as a section of "V6 Cryptography" be weird?

[elarlang]

Would including "Cryptographically Secured Tokens" as a section of "V6 Cryptography" be weird?

Yes, for entire section it is weird. I would like to get out everything from V6 that is not a clear crypto problem or the "main problem to solve" is not a crypto problem. For that discussion we have #2375 (comment)

[elarlang]

Making the "Option 1" more clear.

VX.1 Token source and intgrity

Before validating the token content there is a need to verify, whether the token is initiated by a trusted party and if it is not tampered.

#	Description	L1	L2	L3	CWE
3.5.3	[MODIFIED, LEVEL L2 > L1] Verify that cryptographically secured tokens are validated using their digital signature or MAC to protect against tampering before accepting the token's contents.	✓	✓	✓	345
3.5.5	[ADDED] Verify that only algorithms on an allowlist can be used to create and verify cryptographically secured tokens, for a given context. The allowlist should include the permitted algorithms, ideally only either symmetric or asymmetric algorithms, and should not include the 'None' algorithm. If both symmetric and asymmetric are needed, additional controls should prevent key confusion.	✓	✓	✓	757
3.5.7	[ADDED] Verify that key material that is used to validate cryptographically secured tokens is from trusted pre-configured sources for the token issuer, preventing attackers from specifying untrusted sources and keys. For JWTs and other JWS structures, headers such as 'jku', 'x5u', and 'jwk' must be validated against an allowlist of trusted sources.	✓	✓	✓

Related open issues:

• Modify 3.5.5 - split key confusion part to a separate requirement #2360
• Add access token requirement for preventing "key confusion" #2361

VX.2 Accepting stateless token content

Before accepting the token content there is a need to validate if the token is in a valid time window and meant to be used for the given service and for a given purpose to avoid cross-usage over different services and token types from the same issuer.

Specific requirements for OAuth and OIDC are covered in the dedicated chapter.

#	Description	L1	L2	L3	CWE
3.5.4	[ADDED] Verify that, if a validity time span is present in the token data, the token and its content are accepted only if the verification time is within this validity time span. For example, for JWTs the claims 'nbf' and 'exp' must be verified.	✓	✓	✓	613
3.5.8	[ADDED] Verify that the service only accepts tokens which are intended for use with that service (audience). For JWTs, this can be achieved by validating the 'aud' claim against an allowlist defined in the service.	✓	✓	✓
3.5.9	[ADDED] Verify that the service receiving a token validates the token to be the correct type and is meant for the intended purpose before accepting the token's contents. For example, only access tokens can be accepted for authorization decisions and only ID tokens can be used for proving user authentication.	✓	✓	✓

Related open issues:

• proposal/discussion: JWT - 3.5.6 rephrase it to describe the goal and/or split to different requirements based on different goals #1967 - current V3.5.6 should be covered by a separate requirements

[TobiasAhnoff]

Hard to choose! I think option 1 is worth a try, sounds logical to have things closely related to APIs and Web Services together. I will try to explain how I reason about it.

If we do option 1 (or 2), then you could look at ASVS chapters as 3 main tracks:

Track 1, if your focus is a "classic" web application where users login, then it seems logical to look in V2 for user authentication, V3 to deal with user sessions, V4 for authorization and then V5, V6, V7... etc for more validation things that applies to your application.

Track 2, if your focus is integration APIs (service-to-service), you can basically skip V2 and V3 and start with V13 for general API and Web Services verifications, V14.7 for authenticating the service/client, then the new "cryptographically secured tokens" chapter (perhaps V15) for authenticating requests to the API , and then V4 and V5, V6, V7... etc.

Track 3, if the application use OAuth/OIDC, both tracks 1 and 2 apply, together with V51.

I'm not sure if it is good to think this way, but it is one way to look at how to organize ASVS chapters!

[randomstuff]

Yes, for entire section it is weird. I would like to get out everything from V6 that is not a clear crypto problem or the "main problem to solve" is not a crypto problem. For that discussion we have #2375 (comment)

Yes, the thing is that this does not feed neatly in "authentication" nor in "authorization" (because it can be both). On the other hand, these considerations overlaps greatly with certificate validation requirements (because a JWT token, a SAML token and a X.509 certificate are basically the same thing and JWT or CWT are sometimes used as certificates.

That being said maybe option 1 (a "Cryptographically Secured Tokens" chapter) would be fine. This chapter might be expanded later on to cover (if need be):

• JWT (having a dedicated section about JWT)
• X.509 certificate and certificate chain validation;
• SAML, XML signature, etc. (aargh);
• CWT
• PASETO
• Biscuit tokens
• attestations such as FIDO U2F Attestations, Remote attestations

[elarlang]

At the moment "Option 1" seems the way to go, but I think we should get the understanding of the topic and focus aligned first.

Tokens are just a format for delivering a message between parties - it's just a technology, it is not tied to authentication, authorization, or session management. It is a separate thing often used to provide other functionalities. So the separate chapter serves that goal.

A thing that bothers me is the discussions here are too cryptography-oriented. Cryptography is used to provide the confidence for separate parties, that the token came from a trusted party and is not tampered with. It is the important corner-stone for this, but at the same time - that is it. It is just one important part of the topic, but it is not the topic.

Validating the source and integrity gives the possibility to not keep the state for that information and that is why the rest of the world calls it stateless. Why this term is not good for us, is still not clear to me. The point for the token is to be stateless - cryptography is just a solution to make it happen. I don't think it deserves the name for that.

All this crypto part is important only for those few requirements that handle the source and integrity, as displayed in #2384 (comment) in section V1.X. After those checks, there is a need to validate the token's meta info, and then it is possible to validate and use the token's content. That means we should not carry the crypto requirement forward to other requirements, as it is already checked as a pre-condition. We have had this discussion also in some other issues #2182 (comment).

[tghosth]

Ok, I support Option 1. It sounds like the chapter heading would be something like "Stateless Tokens". As discussed with Elar, the goal is to be stateless and "cryptography" is just the mechanism to achieve this.

[elarlang]

Before I go for the PR, I would like to get "pong" from @randomstuff @ryarmst and @TobiasAhnoff . Any strong arguments against this direction?

[TobiasAhnoff]

I support Option 1, but I think "stateless" is worth discussing some more...should we do that here before we decide on Option 1? Or should it be part of a new issue for title and chapter text (given the new Option 1 chapter)?

There are some things about "stateless" that I feel are not clear to me, but I need some more time to be able to write something that is good input for the discussion :)

[randomstuff]

Option 1 sounds nice but actually I thinking restricting to stateless tokens as opposed to tokens in general might be problematic as many requirements might apply to stateful/opaque tokens as well?

[elarlang]

Or should it be part of a new issue for title and chapter text (given the new Option 1 chapter)?

This issue is about (re)structuring the current V3.5 content, so this issue here suits well.

Option 1 sounds nice but actually I thinking restricting to stateless tokens as opposed to tokens in general might be problematic as many requirements might apply to stateful/opaque tokens as well?

Yes, that is true and the main question here is, how to set the focus or priority for the chapter. If the focus is for crypto, then I can understand and agree with your previous question, that crypto-related requirements may belong to V6. For me, the topic here is stateless information transfer between services. At the same time, if we watch requirements we have at the moment in V3.5, only 3 of them are about crypto, the rest (at the moment also 3) are about token content/metainfo validation.

tokens in general

If we could call it "Token Security" or something like that, for me it feels too vague. But at the end, it is just a question how we set the logical scope for the structure and what kind of requirements are suitable for that.

In short, I repeat my current position - the topic I want to cover here is stateless information change between services (in a way, for stateful we have V3), crypto is important part for provide integrity check, but it is not the main topic.

[ryarmst]

For me, the topic here is stateless information transfer between services.

This is not the case in many applications I have seen where this content (existing requirements) would apply (either not fully stateless, or not for collaboration of different services).

To give a counterexample, 3.5.3 and 3.5.5 could (and perhaps should) apply to tokens that use stateful session (or other) identifiers, but are secured with a signature. Other requirements could apply as well and I am sure there are many scenarios where some state information is captured in tokens and some is stored by some server.

I think "Token Security" is a fine option, but I do agree that it is vague (hence the use of Cryptographically Secured Token). If the emphasis on cyrptography is at issue, what if we modified the definition to just "Secured Token"? There is existing terminology that is similar (like OAuth's Self-Encoded Tokens), but IMO it fails to capture the diversity of implementations that I think we ought to have requirements for.

Ultimately, however, as long as the terminology is defined and consistently used, I am less concerned about what naming is chosen. We have this challenge precisely because there is no clear precedent in the industry (mostly just confusion - see the previous debates over "stateless"), so as I have mentioned before, I think ASVS has the opportunity to set a more clear standard.

[elarlang]

Other requirements could apply as well and I am sure there are many scenarios where some state information is captured in tokens and some is stored by some server.

Important is to keep in mind that we don't talk about sessions here. Crypto provides the possibility to have the information stateless. If someone uses the same method for stateful token or opaque string, it does not make the concept of stateless token invalid.

[elarlang]

You can all throw in (here, or in slack) scenarios that you feel are not covered by current proposal AND are covered now. The goal is to have everything covered without any confusion.

[TobiasAhnoff]

I think "Token Security" or something else with Token is good, like "Token Management" or "Token Request Authentication". I also think it would be logical if the Session chapter had the same kind of title ("Session Management", "Session Security" or "Session Request Authentication".

The way I see it is that first you have either "User Authentication" (V2) or "Service Authentication" (V14.7). Then, depending on application requirements, you can do authentication on every request (not good for human users, but might be fine for services) or authenticate requests using either a session (V3) or a token (new chapter).

The session chapter contains all requirements that are expected when managing a session, like creation, termination, inactivity timeouts etc.

The token chapter contains all requirements that are expected when managing a token, like validation, expiration etc.

This works but perhaps gets somewhat confusing...since both sessions and tokens can be regarded as "stateless" or "stateful" solutions.

A session can have only the session id in a client-side cookie or custom header, and a token, in example an OAuth reference token, can be just a secure random string providing access to some server-side "state" (the token claims/properties).

While a JWT typically has no state on the server-side that needs to be shared between all server instances (except perhaps key material needed to validate the token), and you can also have a session without any server-side state.

An example of this is .NET, where you by default get an encrypted cookie (or set of cookies) containing e g a GUID, session data (claims) and maybe even access and refresh tokens (if also using OAuth/OIDC).

This session mechanism is "stateless", since (just as for a JWT) the only thing that need to be shared between server instances (to authenticate requests and provide information needed for authorization) is the key material (all client-side state/stateless session/tokens need to be integrity protected in some way).

The main difference is where state is stored and if it is expected to behave as a "session" or as a "token", e g if there are requirements on termination. A "stateless" solutions can´t be terminated like a "stateful" one (a good example is OAuth access-tokens, when using reference-tokens they can be revoked instantly, while JWTs are valid until they expire).

So maybe one way to see it is to have one chapter for "Authentication of requests with server-side state" and one for "Authentication of requests with client-side state (a k a stateless)"?

This might be explained in chapter text and titles can still be "Session Security" and "Token Security", since we often associate server-side state with "sessions" and client-side (stateless) with the term "token". Or, we can have titles that reflect this, perhaps something like "Server-side State Security" and "Client-side State Security", but I think I still prefer "Session Security/Management" and "Token Security/Management" (and having chapter text that explains "stateless" and how the two chapters relates to each other)

This might be a good idea or not...I have not had time to analyze how something like this would affect current requirements and organization, perhaps not that much, perhaps mostly chapter texts and where things are put...

This is a hard one!

[tghosth]

Having read the above, I see the challenge of the term "stateless" and the challenge of the term "cryptographically secured".

Maybe an alternative heading could be "Trusted Tokens". I don't think this is an industry term but I think it captures the whole point here which is that we are relying on values included in the token.

[elarlang]

Please give me some more hour(s) to prepare the points.

Meanwhile I recommend to read the issue content written so far - scope: (stateless) tokens only. No session management or other functionality involved.

[elarlang]

Sometimes I feel like my comments are not reaching GitHub. For example, explaining, that the topic here is not about session management (#2384 (comment), #2384 (comment))

So I make my points referenceable.

---

• Point 1 - "stateless" is a concept of delivering information to another party the way that the other party can be confident the message is correct and not tampered with
• Point 2 - stateless is a separate underlying technology and not part of any functionality, such as authentication, authorization, or session management
• Point 3 - "stateless token" is a well-known and industry-accepted term
• Point 4 - this issue is to solve "Point 2" - move section V3.5 away from session handling
• Point 5 - the scope for section V3.5 is "stateless token"
• Point 6 - add-on for point 5, before crypto-related requirements were changed, every requirement was talking about stateless token
• Point 7 - crypto is providing integrity checks for stateless tokens
• Point 8 - add-on for point 7, using cryptography for message integrity has wider usage than stateless tokens
• Point 9 - add-on for point 6, if the scope of a requirement is changed to be wider than the section it belongs, the requirement must be moved away
• Point 10 - probably (assumption) due to point 8, the scope for crypto-related requirements (3.5.3, 3.5.5) was changed to wider than stateless tokens, but left to the stateless tokens section they don't fit anymore
• Point 11 - so far, I have not been able to find the information or get the answer to my question - what was "the problem to solve" for the "Point 10" move?
• Point 12 - stateless tokens are not only about checking the integrity, it is also validating the token's content (aud, sub, iss, exp, nbf)
• Point 13 - to solve the created problem "Point 10", the entire section V3.5 can not be moved to V6 due to "Point 12"
• Point 14 - for usability of ASVS, it is good that related requirements are not too much spread around the document
• Point 15 - for having a separate chapter, there must be enough content
• Point 16 - for each section it is good if it contains requirements for common functionality and scope
• Point 17 - the "Option 1" proposal made in Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384 (comment), explained in Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384 (comment)
  • to solve Point 2 and Point 3 - it was proposed to have a separate chapter for stateless tokens
  • taking into account the scope: Point 5, Point 6 - stateless tokens
  • Point 15 - was satisfied
  • To satisfy Point 16 (and Point 12) - split crypto and content-related requirements into separate sections
  • conflict created in the section via Point 10 was underestimated
• Point 18 - stateless tokens are underlying and really widespread technology worth a separate chapter
• Point 19 - a separate chapter for stateless tokens makes it "extendable" for the future (it is not that flexible if to have a separate section in a separate chapters)
• Point 20 - scoping (by current definition) opaque strings are not part of the chapter scope, it is something to take into account to solve Point 10
• Point 21 - duplicating Point 1, Point 2 and some others - session management, keeping a state or whatever other functionality is out of scope from this issue

---

My first preference is to solve "Point 10" - revert the scope change for crypto-related requirements to be stateless tokens oriented.

Actually, the question is - are they by content wide enough to be valid outside of the stateless tokens section or it is just the attitude towards them? E. g. the validation question - are those ready to be moved to V6 as they are?

If it creates a gap or not covered area, it should be considered to have a separate more general requirement into V6 to cover that - as we have more general requirement in current V3.5 to have abstract requirements and specific requirements in the OAuth section to cover the special need.

This proposal satisfies: Point 5, Point 14, Point 15

---

If the first preference is "voted against"

• Point 16 - we need to split crypto and token content-related requirements into a separate section in separate chapters

This does not satisfy points:

• Point 14 - The usability of ASVS is not good
• Point 15 - we don't have enough content anymore for a separate chapter
  • crypto-related parts to V6, content checks to V13

---

In summary, I find it to be not aligned (filtered) that I need to explain the scope for the section that was conflicted with a questionable move. And now there seems to be an attitude that everything else must be aligned with the questionable move going against many listed points (e.g. 2, 3, 5, 9, 14, 16).

[tghosth]

Point 2 - stateless is a separate underlying technology and not part of any functionality, such as authentication, authorization, or session management

Agree

Point 1 - "stateless" is a concept of delivering information to another party the way that the other party can be confident the message is correct and not tampered with
Point 3 - "stateless token" is a well-known and industry-accepted term

I think the point was made above that (right or wrong) you could have a system that uses "stateless tokens" but also relies on some sort of server side state (I am not using the word session here). This is why I suggested that maybe the word "stateless" is not 100% accurate despite being industry accepted and that trusted token might more accurately represent the situation. Again not session management specific.

Point 8 - add-on for point 7, using cryptography for message integrity has wider usage than stateless tokens
Point 10 - probably (assumption) due to point 8, the scope for crypto-related requirements (3.5.3, 3.5.5) was changed to wider than stateless tokens, but left to the stateless tokens section they don't fit anymore
Point 11 - so far, I have not been able to find the information or get the answer to my question - what was "the problem to solve" for the "Point 10" move?

3.5.3 and 3.5.5 explicitly refer to tokens, I am not sure what here would be considered "wider than stateless tokens". Do you mean that these requirements were expanded to not just be relevant to "session management" but trusted tokens in general?

Point 12 - stateless tokens are not only about checking the integrity, it is also validating the token's content (aud, sub, iss, exp, nbf)
Point 13 - to solve the created problem "Point 10", the entire section V3.5 can not be moved to V6 due to "Point 12"
Point 14 - for usability of ASVS, it is good that related requirements are not too much spread around the document
Point 15 - for having a separate chapter, there must be enough content
Point 16 - for each section it is good if it contains requirements for common functionality and scope
Point 18 - stateless tokens are underlying and really widespread technology worth a separate chapter
Point 19 - a separate chapter for stateless tokens makes it "extendable" for the future (it is not that flexible if to have a separate section in a separate chapters)

Agree

Point 17

I don't think there is significant conflict here, I think it is just a subtle terminology question about what stateless means, as noted in my response to Point 3.

Point 20 - scoping (by current definition) opaque strings are not part of the chapter scope, it is something to take into account to solve Point 10

I think there is a terminology thing here. Broadly speaking, I think that the new chapter should cover a situation where we rely on the contents of the token to make security sensitive decisions. The alternative is that the token or whatever is just an ID which is used to look something up at the back end.

Point 21 - duplicating Point 1, Point 2 and some others - session management, keeping a state or whatever other functionality is out of scope from this issue

I think that Server-side State != Session but given my response to Point 20 we could side-step the issue by not referring to "state" in the name of the chapter.

My first preference is to solve "Point 10" - revert the scope change for crypto-related requirements to be stateless tokens oriented.

I don't really understand what you are proposing here. From reading the comments, I think we all agree that these requirements can be moved to a dedicated section and there is just some discussion on the specific scope and definition.

---

In summary, I think we need to create a new chapter and move the token requirements over. I think we can argue about the specifics afterwards. I think your arguments above support my suggestion to refer to them as Trusted Tokens :)

[tghosth]

@elarlang if you feel this still needs discussion, I think we need to get a call together next week.

[elarlang]

I think the point was made above that (right or wrong) you could have a system that uses "stateless tokens" but also relies on some sort of server side state (I am not using the word session here). This is why I suggested that maybe the word "stateless" is not 100% accurate despite being industry accepted and that trusted token might more accurately represent the situation. Again not session management specific.

I also responded to that above, that if you use content from stateless token to keep the state, does not make the concept of stateless token invalid and it does not change anything of the process of validating it. In other words, does not change the scope of this issue/chapter.

3.5.3 and 3.5.5 explicitly refer to tokens, I am not sure what here would be considered "wider than stateless tokens". Do you mean that these requirements were expanded to not just be relevant to "session management" but trusted tokens in general?

Examples from this thread:

• From Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384 (comment)

  • I thinking restricting to stateless tokens as opposed to tokens in general might be problematic as many requirements might apply to stateful/opaque tokens as well?

• From Where to move or what to do with V3.5 section (tokens section in session management chapter) #2384 (comment)

  • To give a counterexample, 3.5.3 and 3.5.5 could (and perhaps should) apply to tokens that use stateful session (or other) identifiers, but are secured with a signature.