Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
Nick Harper <nharper@google.com> Tue, 21 March 2017 19:01 UTC
Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 37A3D12E855 for <unbearable@ietfa.amsl.com>; Tue, 21 Mar 2017 12:01:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ol9CWaZxbaiU for <unbearable@ietfa.amsl.com>; Tue, 21 Mar 2017 12:01:03 -0700 (PDT)
Received: from mail-yw0-x22f.google.com (mail-yw0-x22f.google.com [IPv6:2607:f8b0:4002:c05::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 155881294A2 for <unbearable@ietf.org>; Tue, 21 Mar 2017 12:00:50 -0700 (PDT)
Received: by mail-yw0-x22f.google.com with SMTP id p77so115834945ywg.1 for <unbearable@ietf.org>; Tue, 21 Mar 2017 12:00:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=V8LmzvzkxQI6yDDJ0xOc0xc+NsSWI7qePbZmQu284Lg=; b=HEJbmh3HizuP7RKN0+zndvUTuXU+CgXK7GcouoL5non54HwmqEBw+70gzUx+dwln0Z u2m3T27fCXEpR5Xx1ci/zB1pNkxPF9Yz8jamJ6kg11ATaXXnVSBamtDZqGbt2iEzwZsk I5GhPTA0Sv3Y1DBxVTlZI7S16QEcNK6GD6pV4JQWiPjPrlKjJZZ7CSjxqnTHfinGpmLr Unfk2Ep2YN8g/1bQZzHuNnsX/HM0fYHo7Z8lRcMrMfTkN9aUy/VgCKLxBJf40Y1NUzc6 IUL/6VPGWivrFItDg1664VQkI55BYMYULbbhbM/pHMCPS1ulIpz3ROLSh2vUqu2rkvhn W76A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=V8LmzvzkxQI6yDDJ0xOc0xc+NsSWI7qePbZmQu284Lg=; b=FW9m4qSCNBZ54neyvU+EvGMfYmrvFnOF2T8ddmKrpUJRXw3xsuLEhrQuSZcpeWFo7B LOqWB96wNvPPV6X0rJaTwYJUTwIhtKueFQbwSe8bIegtAjnQTywiXVov96A5MpKrsqfy WJxgpCH6xxLwgsjyBu9TbYp4vLNsM7tXz1Ov2m+Q5Cp8qXXqGAqJJdcTCFAEza2D43vH orWslnPQTx3PXMH1GIbmwXOwhbCjLMhG3gd8cBMlBguSDvzV54B4qt4upqjGyx6/u9Bw rER8d9R+B18gJtsKi5DcJigTg2uAMOje5JlegOPXQTau1Dofrmki6wnvxE+lkzvW65ui lSVA==
X-Gm-Message-State: AFeK/H2U/SQq91hn+YqZKV0i/FszvfRn0KZqPiiMUW7fKsqNuHg7mx6/X51YT6+hjlargyCSNBJIuVrctGgWaiJL
X-Received: by 10.129.75.3 with SMTP id y3mr20647949ywa.320.1490122847120; Tue, 21 Mar 2017 12:00:47 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.129.65.5 with HTTP; Tue, 21 Mar 2017 12:00:26 -0700 (PDT)
In-Reply-To: <DM2PR21MB00910C42F25CCC08B9CC4D588C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com> <CACdeXiLNCrPSz0_hZSpQ6tsoHB7ryJ2dCnHjUYwu5vu5fO4XBg@mail.gmail.com> <SN1PR21MB0096D7426A4E230E284F0D058C560@SN1PR21MB0096.namprd21.prod.outlook.com> <CACdeXiKuzNh0fP9b-jEF82m-6mX+i04To96GMa_tFNcuznGn+A@mail.gmail.com> <DM2PR21MB00914BA07BA984E931B88FEB8C290@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKQjaoAArLBcjRj+kUJUqH+f1bA5yeCCiQ6GMXzWJURBw@mail.gmail.com> <CABkgnnV0+vumfkZAMRZ_8q5pTkwf_CqhZ+deeVWdbF9SFaHoJw@mail.gmail.com> <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKweRaZEKi4kqmPfUc2JLyZLGbp8tFRpkTfmJisPCMWRg@mail.gmail.com> <CACdeXiL6riBRb1-UDhVK-R5CvopzisJnYTRjWsvpimWA2G3DhQ@mail.gmail.com> <CABcZeBN2RhBsyj8_1F6bBnw9j10qdABwdZVdgwVcUr4Tf6sLtA@mail.gmail.com> <CACdeXiLZQSMxSqTPSHVqUwZomUpaMadUNYEEzF2to9Rx6nLMWQ@mail.gmail.com> <CABcZeBPvxX-8PuoV1oV-k5BnH3sjbWuuHfeAfh7FRhgtuVPkCQ@mail.gmail.com> <CACdeXi+rbsKf7zbpe4n49BUmj1ay0GSg_A48ZrAztKPY9+Fm2A@mail.gmail.com> <CABkgnnXBQEV4w7Zb=C9GE25-wp3oMVauKRZ21mCa+Qoby9XAPg@mail.gmail.com> <CABcZeBPpoex3axkkqgTRGWujGLbkC2GNqn+-50ipso3e9h8vJA@mail.gmail.com> <DM2PR21MB00910C42F25CCC08B9CC4D588C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
From: Nick Harper <nharper@google.com>
Date: Tue, 21 Mar 2017 12:00:26 -0700
Message-ID: <CACdeXiLJCrD=Z7Se5TJBzhE5JOjipWC+_gthBq_upRZyG=LSDg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Cc: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>, IETF Tokbind WG <unbearable@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/47wG-F9vfdEuWDJzKioQBRJO5T8>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 19:01:05 -0000
On Tue, Mar 21, 2017 at 10:07 AM, Andrei Popov <Andrei.Popov@microsoft.com> wrote: > The rules for the switch from 0-RTT EKM to the proper EKM are becoming > fairly complex and hard-to-enforce. We can make these rules much simpler if we use the 0-RTT exporter for all token bindings on a connection where the server accepted 0-RTT data. > > On the other hand, the use of 0-RTT EKM, generally, makes bound tokens > replayable. > > > > I think that a server that cares enough about token replay to enable TB (and > verify extra signatures) should not accept 0-RTT (at least with those > clients that offer TB). This depends on what the server's threat model is, and there are servers that will choose to enable both TB and 0-RTT on the same connection and accept the slightly weaker security properties. There are two kinds of replay to consider with 0-RTT TB: First is a network attacker retransmitting a ClientHello and early data, i.e. repeating the exact same application message. This replay problem exists without TB. A server that chooses to enable 0-RTT has already mitigated this replay by e.g. including a nonce in requests so that a replayed request is idempotent or otherwise deciding that the 0-RTT replay is acceptable. Second replay of a TokenBinding message on a new connection (where the exporter is the same). This involves client malware, which can just as easily do private key operations to generate new TokenBinding messages to use on new connections. In TBPROTO, this is also possible, but it can only be done for active connections. With 0-RTT, the attacker can do this for connections that will be created up to 7 days in the future. If a server's threat model does not include client malware, i.e. the server is only using Token Binding to protect against attacks like XSS (e.g. to protect cookies without the HttpOnly flag set, or OAuth tokens), then enabling both TB and 0-RTT is perfectly reasonable. Depending on the server's policies, even if client malware is in its threat model it still could find the 7 day window acceptable. > > > > Cheers, > > > > Andrei > > >
- [Unbearable] 0-RTT Token Binding: When to switch … Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Martin Thomson
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Martin Thomson
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Bill Cox
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Denis
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov