IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Nick Harper <nharper@google.com> Tue, 21 March 2017 19:01 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37A3D12E855 for <unbearable@ietfa.amsl.com>; Tue, 21 Mar 2017 12:01:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ol9CWaZxbaiU for <unbearable@ietfa.amsl.com>; Tue, 21 Mar 2017 12:01:03 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 155881294A2 for <unbearable@ietf.org>; Tue, 21 Mar 2017 12:00:50 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id p77so115834945ywg.1 for <unbearable@ietf.org>; Tue, 21 Mar 2017 12:00:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=V8LmzvzkxQI6yDDJ0xOc0xc+NsSWI7qePbZmQu284Lg=; b=HEJbmh3HizuP7RKN0+zndvUTuXU+CgXK7GcouoL5non54HwmqEBw+70gzUx+dwln0Z u2m3T27fCXEpR5Xx1ci/zB1pNkxPF9Yz8jamJ6kg11ATaXXnVSBamtDZqGbt2iEzwZsk I5GhPTA0Sv3Y1DBxVTlZI7S16QEcNK6GD6pV4JQWiPjPrlKjJZZ7CSjxqnTHfinGpmLr Unfk2Ep2YN8g/1bQZzHuNnsX/HM0fYHo7Z8lRcMrMfTkN9aUy/VgCKLxBJf40Y1NUzc6 IUL/6VPGWivrFItDg1664VQkI55BYMYULbbhbM/pHMCPS1ulIpz3ROLSh2vUqu2rkvhn W76A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=V8LmzvzkxQI6yDDJ0xOc0xc+NsSWI7qePbZmQu284Lg=; b=FW9m4qSCNBZ54neyvU+EvGMfYmrvFnOF2T8ddmKrpUJRXw3xsuLEhrQuSZcpeWFo7B LOqWB96wNvPPV6X0rJaTwYJUTwIhtKueFQbwSe8bIegtAjnQTywiXVov96A5MpKrsqfy WJxgpCH6xxLwgsjyBu9TbYp4vLNsM7tXz1Ov2m+Q5Cp8qXXqGAqJJdcTCFAEza2D43vH orWslnPQTx3PXMH1GIbmwXOwhbCjLMhG3gd8cBMlBguSDvzV54B4qt4upqjGyx6/u9Bw rER8d9R+B18gJtsKi5DcJigTg2uAMOje5JlegOPXQTau1Dofrmki6wnvxE+lkzvW65ui lSVA==
X-Gm-Message-State: AFeK/H2U/SQq91hn+YqZKV0i/FszvfRn0KZqPiiMUW7fKsqNuHg7mx6/X51YT6+hjlargyCSNBJIuVrctGgWaiJL
X-Received: by 10.129.75.3 with SMTP id y3mr20647949ywa.320.1490122847120; Tue, 21 Mar 2017 12:00:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.65.5 with HTTP; Tue, 21 Mar 2017 12:00:26 -0700 (PDT)
In-Reply-To: <DM2PR21MB00910C42F25CCC08B9CC4D588C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com> <CACdeXiLNCrPSz0_hZSpQ6tsoHB7ryJ2dCnHjUYwu5vu5fO4XBg@mail.gmail.com> <SN1PR21MB0096D7426A4E230E284F0D058C560@SN1PR21MB0096.namprd21.prod.outlook.com> <CACdeXiKuzNh0fP9b-jEF82m-6mX+i04To96GMa_tFNcuznGn+A@mail.gmail.com> <DM2PR21MB00914BA07BA984E931B88FEB8C290@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKQjaoAArLBcjRj+kUJUqH+f1bA5yeCCiQ6GMXzWJURBw@mail.gmail.com> <CABkgnnV0+vumfkZAMRZ_8q5pTkwf_CqhZ+deeVWdbF9SFaHoJw@mail.gmail.com> <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKweRaZEKi4kqmPfUc2JLyZLGbp8tFRpkTfmJisPCMWRg@mail.gmail.com> <CACdeXiL6riBRb1-UDhVK-R5CvopzisJnYTRjWsvpimWA2G3DhQ@mail.gmail.com> <CABcZeBN2RhBsyj8_1F6bBnw9j10qdABwdZVdgwVcUr4Tf6sLtA@mail.gmail.com> <CACdeXiLZQSMxSqTPSHVqUwZomUpaMadUNYEEzF2to9Rx6nLMWQ@mail.gmail.com> <CABcZeBPvxX-8PuoV1oV-k5BnH3sjbWuuHfeAfh7FRhgtuVPkCQ@mail.gmail.com> <CACdeXi+rbsKf7zbpe4n49BUmj1ay0GSg_A48ZrAztKPY9+Fm2A@mail.gmail.com> <CABkgnnXBQEV4w7Zb=C9GE25-wp3oMVauKRZ21mCa+Qoby9XAPg@mail.gmail.com> <CABcZeBPpoex3axkkqgTRGWujGLbkC2GNqn+-50ipso3e9h8vJA@mail.gmail.com> <DM2PR21MB00910C42F25CCC08B9CC4D588C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
From: Nick Harper <nharper@google.com>
Date: Tue, 21 Mar 2017 12:00:26 -0700
Message-ID: <CACdeXiLJCrD=Z7Se5TJBzhE5JOjipWC+_gthBq_upRZyG=LSDg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>, IETF Tokbind WG <unbearable@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/47wG-F9vfdEuWDJzKioQBRJO5T8>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 19:01:05 -0000

On Tue, Mar 21, 2017 at 10:07 AM, Andrei Popov
<Andrei.Popov@microsoft.com> wrote:
> The rules for the switch from 0-RTT EKM to the proper EKM are becoming
> fairly complex and hard-to-enforce.

We can make these rules much simpler if we use the 0-RTT exporter for
all token bindings on a connection where the server accepted 0-RTT
data.
>
> On the other hand, the use of 0-RTT EKM, generally, makes bound tokens
> replayable.
>
>
>
> I think that a server that cares enough about token replay to enable TB (and
> verify extra signatures) should not accept 0-RTT (at least with those
> clients that offer TB).

This depends on what the server's threat model is, and there are
servers that will choose to enable both TB and 0-RTT on the same
connection and accept the slightly weaker security properties.

There are two kinds of replay to consider with 0-RTT TB:

First is a network attacker retransmitting a ClientHello and early
data, i.e. repeating the exact same application message. This replay
problem exists without TB. A server that chooses to enable 0-RTT has
already mitigated this replay by e.g. including a nonce in requests so
that a replayed request is idempotent or otherwise deciding that the
0-RTT replay is acceptable.

Second replay of a TokenBinding message on a new connection (where the
exporter is the same). This involves client malware, which can just as
easily do private key operations to generate new TokenBinding messages
to use on new connections. In TBPROTO, this is also possible, but it
can only be done for active connections. With 0-RTT, the attacker can
do this for connections that will be created up to 7 days in the
future.

If a server's threat model does not include client malware, i.e. the
server is only using Token Binding to protect against attacks like XSS
(e.g. to protect cookies without the HttpOnly flag set, or OAuth
tokens), then enabling both TB and 0-RTT is perfectly reasonable.
Depending on the server's policies, even if client malware is in its
threat model it still could find the 7 day window acceptable.
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>

v2.23.0 | Report a Bug | By Email