IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Andrei Popov <Andrei.Popov@microsoft.com> Fri, 13 January 2017 22:18 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AFBDC129EB9 for <unbearable@ietfa.amsl.com>; Fri, 13 Jan 2017 14:18:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.157
X-Spam-Level:
X-Spam-Status: No, score=-3.157 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-1.156, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hbbNgzIQx0U4 for <unbearable@ietfa.amsl.com>; Fri, 13 Jan 2017 14:18:36 -0800 (PST)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-bl2nam02on0109.outbound.protection.outlook.com [104.47.38.109]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 69AF2129499 for <unbearable@ietf.org>; Fri, 13 Jan 2017 14:18:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=wAtpeDjg1oKQh5/tSd2Mf+i9qJbgos/XDSPEVPm/H/I=; b=fTXMw0RSjR4BiQe1FNcs8un75UDj4Z46nN9bC9Gqxy+AhyVFDDbMf73Uz5TaVn9TtR3WPy1Ug0UTjuzR2CBRtx2yUChSc1Gor5V2nR02RB8hFkUOpc6DtT5Wz1p2z/6q7S1ocPUQa2PRHzUhdnD2yBZc0zGJh++dEhmPWMT+LXw=
Received: from DM2PR0301MB0847.namprd03.prod.outlook.com (10.160.215.145) by DM2PR0301MB0846.namprd03.prod.outlook.com (10.160.215.144) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.817.10; Fri, 13 Jan 2017 22:18:34 +0000
Received: from DM2PR0301MB0847.namprd03.prod.outlook.com ([10.160.215.145]) by DM2PR0301MB0847.namprd03.prod.outlook.com ([10.160.215.145]) with mapi id 15.01.0817.020; Fri, 13 Jan 2017 22:18:35 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>, IETF Tokbind WG <unbearable@ietf.org>
Thread-Topic: [Unbearable] 0-RTT Token Binding: When to switch exporters?
Thread-Index: AQHSbdvurWwJUrGAZkyxVvys5avGZKE28kcg
Date: Fri, 13 Jan 2017 22:18:35 +0000
Message-ID: <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com>
In-Reply-To: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:b::1d2]
x-ms-office365-filtering-correlation-id: 1c57ff5a-bd4c-466a-570f-08d43c021db4
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001); SRVR:DM2PR0301MB0846;
x-microsoft-exchange-diagnostics: 1; DM2PR0301MB0846; 7:D3KoVZiQsakNzAyEHx1I8WBsSO2HikDBpg8VU7X/g/7kEuEgo6lKB1T3n55jADoIxuHq9fdQPMHWNg+ESKFp/a/WWe8vcfWW8FKfvhIiT7fu5Nc/kYZOr++ZiZPPHWmDZ6ffQ6h264hza1fBYpehkrom/z9FUKqtJj7ZKVPMP8/em16wfRTbDFO4iXXvqiZ4FP5G1bNs2RjxSSJ5sUNQCtVxCqp6qeTIEOOtobwtQJQyvYY/8tscX5//ycDjoVaMlO+7Qmrj/GYHrFslC5+0M65C2RWklO656gzDoUOIwRekF72zXkWJGQ/kn1/RAY7JHAuzN6pNJlRKk824z/FMUUP4OA5wwdYyorrJgCQKb+Ov5PeQWgmOXDGfCHps8dJUz07XJcjoh/crxoEw0Vy+QGkNRjXU33S5oasbr2O4Ldm0tEJ7/SavZ1/ox6vweXYOURTnyWLkNcwRuQBec9kWmPlC+16kXbHjfbIXlXzA8yU=
x-microsoft-antispam-prvs: <DM2PR0301MB0846B7B5DE46C7C3E6E095EC8C780@DM2PR0301MB0846.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(5005006)(8121501046)(3002001)(10201501046)(6055026)(61426038)(61427038)(6041248)(20161123564025)(20161123555025)(20161123560025)(20161123562025)(20161123558021)(6047074)(6072148); SRVR:DM2PR0301MB0846; BCL:0; PCL:0; RULEID:; SRVR:DM2PR0301MB0846;
x-forefront-prvs: 018632C080
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39840400002)(39410400002)(39450400003)(39850400002)(39860400002)(199003)(189002)(377454003)(86362001)(97736004)(107886002)(5001770100001)(8676002)(38730400001)(77096006)(86612001)(2906002)(54896002)(7736002)(229853002)(2950100002)(6436002)(2900100001)(6306002)(6506006)(55016002)(99286003)(9686003)(5660300001)(7696004)(25786008)(122556002)(92566002)(106356001)(106116001)(105586002)(76176999)(790700001)(189998001)(8990500004)(6116002)(10290500002)(5005710100001)(101416001)(10090500001)(74316002)(50986999)(54356999)(102836003)(81156014)(81166006)(8936002)(33656002)(3660700001)(3280700002)(68736007)(27001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR0301MB0846; H:DM2PR0301MB0847.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_DM2PR0301MB084793F58146F8574BF36EE18C780DM2PR0301MB0847_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2017 22:18:35.0479 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR0301MB0846
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/CDwy_VYw1vtsku36OlbYTXNE4BA>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 22:18:40 -0000

Ø  Another way to move the change in exporters out of the client's control would be to do it at a time that is implicit in the protocol. An obvious choice would be switch exporters when the client switches from sending early data to sending data post-handshake.
I think this type of approach is better.

Cheers,

Andrei

From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Nick Harper
Sent: Friday, January 13, 2017 12:30 PM
To: IETF Tokbind WG <unbearable@ietf.org>
Subject: [Unbearable] 0-RTT Token Binding: When to switch exporters?

The current tokbind 0-RTT draft has the TLS 1.3 early exporter value used in the TokenBinding.signature for the entirety of the connection. One point of discussion that came up in Seoul was that we shouldn't use the 0-RTT exporter for too long. I agree that we shouldn't use it for too long, but I can't remember (or figure out from the meeting notes) if the reason is just because we prefer the crypto properties of the normal exporter, or are we also trying to prevent an attacker from being able to use the 0-RTT exporter indefinitely?

For the first case, the switch from the 0-RTT exporter to the normal exporter can be client-initiated. One possible design would be to have the client send an extension in the TokenBinding indicating that all future TokenBindings will use the normal exporter. This would function similar to the ratcheting idea (from section 4.1 of the I-D), but the ratchet doesn't take effect until this indicator extension is sent (before it's sent the server would accept both exporters). This would likely be done in combination with the idea of defining new key types to indicate that the 0-RTT exporter is in use so the server doesn't do trial verification.

If we want to move the switch from 0-RTT exporter to normal exporter out of the client's control (so that an attacker can't keep using the 0-RTT exporter indefinitely), a different solution is needed. One possible idea is to have the server send a message that conceptually means "all future TokenBindings must not use the 0-RTT exporter". Right now, Token Binding doesn't have any server-to-client messages, so this would require defining application-specific messages. Another way to move the change in exporters out of the client's control would be to do it at a time that is implicit in the protocol. An obvious choice would be switch exporters when the client switches from sending early data to sending data post-handshake.

v2.29.0 | Report a Bug | By Email | System Status