IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Denis <denis.ietf@free.fr> Wed, 22 March 2017 08:09 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ED1A1295E7 for <unbearable@ietfa.amsl.com>; Wed, 22 Mar 2017 01:09:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eAco9fZjfang for <unbearable@ietfa.amsl.com>; Wed, 22 Mar 2017 01:09:47 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E9E3E131480 for <unbearable@ietf.org>; Wed, 22 Mar 2017 01:09:36 -0700 (PDT)
Received: from [192.168.0.13] (unknown [88.182.125.39]) by smtp6-g21.free.fr (Postfix) with ESMTP id 4C52378038D for <unbearable@ietf.org>; Wed, 22 Mar 2017 09:09:35 +0100 (CET)
To: unbearable@ietf.org
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKweRaZEKi4kqmPfUc2JLyZLGbp8tFRpkTfmJisPCMWRg@mail.gmail.com> <CACdeXiL6riBRb1-UDhVK-R5CvopzisJnYTRjWsvpimWA2G3DhQ@mail.gmail.com> <CABcZeBN2RhBsyj8_1F6bBnw9j10qdABwdZVdgwVcUr4Tf6sLtA@mail.gmail.com> <CACdeXiLZQSMxSqTPSHVqUwZomUpaMadUNYEEzF2to9Rx6nLMWQ@mail.gmail.com> <CABcZeBPvxX-8PuoV1oV-k5BnH3sjbWuuHfeAfh7FRhgtuVPkCQ@mail.gmail.com> <CACdeXi+rbsKf7zbpe4n49BUmj1ay0GSg_A48ZrAztKPY9+Fm2A@mail.gmail.com> <CABkgnnXBQEV4w7Zb=C9GE25-wp3oMVauKRZ21mCa+Qoby9XAPg@mail.gmail.com> <CABcZeBPpoex3axkkqgTRGWujGLbkC2GNqn+-50ipso3e9h8vJA@mail.gmail.com> <DM2PR21MB00910C42F25CCC08B9CC4D588C3D0@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLJCrD=Z7Se5TJBzhE5JOjipWC+_gthBq_upRZyG=LSDg@mail.gmail.com> <DM2PR21MB009145A3452CDBAF28D4A4678C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
From: Denis <denis.ietf@free.fr>
Message-ID: <c0f6cbe4-3c6e-133a-388a-ce2d93a177be@free.fr>
Date: Wed, 22 Mar 2017 09:09:36 +0100
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <DM2PR21MB009145A3452CDBAF28D4A4678C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------785C9BE9F1E3C839155DB631"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/EOJoItM0aVvQfrMA4RNqc3mZGIQ>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Mar 2017 08:09:51 -0000

Hi Andrei,

The text states:

    A basic property of Token Binding is that malware can't export the
    token and successfully use it from another machine,
    as long as it cannot also export the TB key.

This sentence is incorrect for two reasons:

    1° The major problem is not related to a malware, but to a specific
    piece of software voluntary installed and used by one client.

    2° There is no need to export the TB key, since one client can
    perform all the needed computations for the benefit of another client.

For example, simply protecting the TB key in a secure element (e.g. 
smart card or a HSM) is insufficient.

A basic property of the current Token Binding mechanism is that a 
specific piece of software voluntarily installed by a client can export
the token and perform all the needed computations so that the token can 
successfully be used from another machine.

As soon as someone will develop that piece of software and make it 
publicly available, everybody will be able to use it and
all the current Token Binding mechanisms will collapse.

Denis

> Hi Nick,
>
>> Second replay of a TokenBinding message on a new connection (where the exporter is the same). This involves client malware, which can just as easily do private key operations to generate new TokenBinding messages to use on new connections. In TBPROTO, this is also possible, but it can only be done for active connections. With 0-RTT, the attacker can do this for connections that will be created up to 7 days in the future.
> A basic property of Token Binding is that malware can't export the token and successfully use it from another machine, as long as it cannot also export the TB key. This is a useful property, because it means that once the client malware is removed, the attack is immediately stopped. This property is not present when Token Binding is used in combination with 0-RTT, because it may be possible for the malware to export the TLS 1.3 resumption secret.
>
>> If a server's threat model does not include client malware, i.e. the server is only using Token Binding to protect against attacks like XSS (e.g. to protect cookies without the HttpOnly flag set, or OAuth tokens), then enabling both TB and 0-RTT is perfectly reasonable.
>> Depending on the server's policies, even if client malware is in its threat model it still could find the 7 day window acceptable.
> Yes, I can easily imagine servers with such policies:).
> If the WG decides to allow the use of TB in combination with 0-RTT, then we should at least provide a way for the client to negotiate replayable/0-RTT TB option separately. This would allow a client to opt out of "replayable TB", while avoiding reauthentication on every connection. A server that receives a TLS 1.3 ClientHello advertising "proper TB" (and not "replayable TB") would either not negotiate Token Binding, or reject 0-RTT resumption with this client (and instead do a full handshake).
>
> A different client would be able to offer both "proper TB" and "replayable TB". Such a client would use the 0-RTT exporter throughout all 0-RTT connections, simplifying the rules... Would this work for you, Nick?
>
> Cheers,
>
> Andrei
> _______________________________________________
> Unbearable mailing list
> Unbearable@ietf.org
> https://www.ietf.org/mailman/listinfo/unbearable

v2.23.0 | Report a Bug | By Email