[Unbearable] Binding tokens to scope in HTTP

Nick Sullivan <nicholas.sullivan@gmail.com> Mon, 03 April 2017 16:47 UTC

Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C7F5129478 for <unbearable@ietfa.amsl.com>; Mon, 3 Apr 2017 09:47:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9-yUAlKLSRZM for <unbearable@ietfa.amsl.com>; Mon, 3 Apr 2017 09:47:52 -0700 (PDT)
Received: from mail-vk0-x22b.google.com (mail-vk0-x22b.google.com [IPv6:2607:f8b0:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9377612709D for <unbearable@ietf.org>; Mon, 3 Apr 2017 09:47:52 -0700 (PDT)
Received: by mail-vk0-x22b.google.com with SMTP id d188so144305348vka.0 for <unbearable@ietf.org>; Mon, 03 Apr 2017 09:47:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=Dgbq0d1Vw9sqJ3ZtDXgbDdNZFJJmE5Yh4abYtISFQGU=; b=L6pwMEqZkF/NezCNAxbBJCi/cXmh9AczHFvbcC0rXKM8OZh8vXsuD9YKrC7otVON97 7b4hwHgahYqOzWkRBbPNIZxXN5mMnwSoeTC5DkwmR/PCEUpV4TxsItk0laKOcEQTQaGo Ug34B7BZvKegbEipKFbscHzvTx7Lfb/OmLGKu2yzR3bw4Zmzz6NflDiHIDVUPfUnrYUq j/BVW+NTMdgHEWdN1ETYz7ESPbkXL3RdEDONLgBYVFooCMqJGuXT9GaDZPTZpgT2AklM CgfPpvjxI/2HP2Dm++0DUjoL0DlP5hEe3sexszdDXohmB1sbuq+7aZU3i5JMPF4lqwMn bG+g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=Dgbq0d1Vw9sqJ3ZtDXgbDdNZFJJmE5Yh4abYtISFQGU=; b=MJF8mORTYcaEMcIay44P4jz0Bfnox2vM/s3C5pSfSRL1TkHgHgjqG2KCdoxSXNnSCu 86m9NFSV9zbshMOdmg2OUjLuZR0BnI/oIDG+jm/lcswlih1zxFxvdeAoBDEYtGEFj1eT 6P6Lab0ZsjZJHUckaGRUWiqjWUtim1ppqvdcaazsZ9RPjIwmTAqQALSxOElqrFDdqaW+ s4fkvfzAnRkz1DZyWDEvWMF3Oz8BunVfs9TwpuekEQ/cZnIaJq3hhVCddWwClqRqVc/m OeecC+h2i/Cc8iUAS56etlJS/Y4zczYEaW1fLakrwpPoH9RG46N6HiHizVJdKZO1dYxy J4Lg==
X-Gm-Message-State: AFeK/H3S9lylfQTUQot5NGSe2RO55MtMQG6Nj+LrBORxewp1GDjrvVNIGlW6IOK8jpqw0EeHWp2TENxq5OD5jA==
X-Received: by 10.176.83.124 with SMTP id y57mr7909621uay.141.1491238070850; Mon, 03 Apr 2017 09:47:50 -0700 (PDT)
MIME-Version: 1.0
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Mon, 03 Apr 2017 16:47:40 +0000
Message-ID: <CAOjisRx2iixVWb_-jNVrSM9VpjeEOoQ+WDb9H=POg=VOAHzGkQ@mail.gmail.com>
To: "unbearable@ietf.org" <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c1927007d1c32054c45eb5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/1p74aixm7CTHOIWwAMlwoSXJXXg>
Subject: [Unbearable] Binding tokens to scope in HTTP
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 16:47:55 -0000

The token binding header does not have any identity bound to it. This is
potentially problematic because it makes it much more likely that this
protocol is vulnerable to unknown key share issues.

Unknown key share attacks happen when a public key is used without binding
it to an identity by a signature. For example, Richard Barnes recently
published a draft describing how DANE with raw keys was vulnerable to this
style of: https://tools.ietf.org/html/draft-barnes-dane-uks-00.

In section 2.1. of draft-ietf-tokbind-https, the key pair scoping is
defined to be eTLD+1. Depending on the threat model, this requirement can
be subverted.

Consider an attacker who has access to read and modify headers, but not
private keys. Imagine a buggy/malicious service worker or something else of
this sort. Now imagine a site with a.example.com and b.example.com and a
wildcard *.example.com certificate. The attacker can take token binding
headers from a.example.com and put them on requests to b.example.com and
the cookies set on b.example.com will be bound to a.example.com's key.

This doesn't sound like a large issue, but it's indicative of the type of
subtle problems not binding the key to a context can cause.

If the token context was bound to the scope by including the eTLD+1 in the
(or the origin if the browser intends to use stricter token scoping), *and*
this scope was covered by the signature then this would not be possible.
The server could check the host header against the token context and then
refuse the token binding for new cookies.

A logical place to put this would be in the extensions of the token binding
structure, but unfortunately the extensions is not signed and so can be
modified. Is there a reason the extensions field of the TokenBinding
structure is not signed by the private key?

Nick