Re: [Unbearable] Binding tokens to scope in HTTP
Bill Cox <waywardgeek@google.com> Mon, 03 April 2017 17:24 UTC
Return-Path: <waywardgeek@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67767129495 for <unbearable@ietfa.amsl.com>; Mon, 3 Apr 2017 10:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 38r4YauXccB7 for <unbearable@ietfa.amsl.com>; Mon, 3 Apr 2017 10:24:11 -0700 (PDT)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C668129469 for <unbearable@ietf.org>; Mon, 3 Apr 2017 10:24:11 -0700 (PDT)
Received: by mail-qk0-x22a.google.com with SMTP id g195so48482328qke.2 for <unbearable@ietf.org>; Mon, 03 Apr 2017 10:24:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=NvXiYhGhHEIquZ/eAOJzkKWr0ZySgYRotIf48nY1Y1I=; b=kFDjcUdH8FpENXbKSan2OXSiuSD6sKHgHkRf0/XP8gZuE3DkcBzmMSkwQ4w3mCEM75 W7VQAEWbS4M0TkipBMMOCJ7Ra3LpEpBz5NNAuTCGLdnzsO5LQEkxUgmnAGZxNTbhYrSu wHzcPMEbUAz0Kh7rRdKS+dr1w/c6A/fHAZQZLtejpCOmcyTt4ENpPbvP+5xyKNluLbq4 D0voM5jl7b0/gZogWcsKbMMX82Vrf9LhY3gtvdLibGDDam57y5j86R1G9BhyhXuzufUb feJssitMWDGWfsgzxYJMl1oTJsbLXTqkP/LvHG8BfnuJhkVjF50zBnMfpklgiNQNlMJw vePw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=NvXiYhGhHEIquZ/eAOJzkKWr0ZySgYRotIf48nY1Y1I=; b=Bb5Bq1xG8QbYUl9WnHVX+lcaxjCsCSUAE9f3nMBQifOWIS1E5G2lXCTd0j7dB3vvDY JBGgZTwUI2e3+3dUdk54cHrcaW2104uyHU+27yPAx5MTJyExyYCo2qJw/C2Z5H+bTGi+ yrOwvopJSI/5Lr3SFqALkC8KcSasVrXU47O5cuW1hhN72YzISud3YE/mTwtWsQbDWxIJ cayuPf04GgXmQUha8osx72wwPGsuKZ+WS9Pz6xlEyY3btmPEk9NQVYjef65epfOCEvdH clnXY1E9zEdmMPvqHZ0lWkfKWn0IV972ABJHEvnHCXq2accMxi9QRZHB5TnM0RSAFwKF ZDlQ==
X-Gm-Message-State: AFeK/H1/TLAqyrpHTMT0/03CZZYnUOohpC1NH9AiPCKuwCuEOuUxcvnaWECoCbXyuCP67om/SWqT0zB2gPcY02It
X-Received: by 10.55.147.129 with SMTP id v123mr16787013qkd.230.1491240250140; Mon, 03 Apr 2017 10:24:10 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.140.21.134 with HTTP; Mon, 3 Apr 2017 10:24:09 -0700 (PDT)
In-Reply-To: <CAOjisRx2iixVWb_-jNVrSM9VpjeEOoQ+WDb9H=POg=VOAHzGkQ@mail.gmail.com>
References: <CAOjisRx2iixVWb_-jNVrSM9VpjeEOoQ+WDb9H=POg=VOAHzGkQ@mail.gmail.com>
From: Bill Cox <waywardgeek@google.com>
Date: Mon, 03 Apr 2017 10:24:09 -0700
Message-ID: <CAH9QtQGvCx37f0KG+H0rqfYo8_cGMANdDiqZyuG1yzJxHxPeMA@mail.gmail.com>
To: Nick Sullivan <nicholas.sullivan@gmail.com>
Cc: "unbearable@ietf.org" <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="94eb2c08bb6262e436054c466d55"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/Ei57-THRE5WMTPTxOQVDUPOBacE>
Subject: Re: [Unbearable] Binding tokens to scope in HTTP
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 17:24:14 -0000
The extensions used to be covered in earlier drafts. I forget why this was dropped, but IIRC, it was discussed on this list. In any case, it sounds like there are a number of people who would prefer to change TB extension numbers and effectively be a new extension rather than use the header's extension capability. Your example has a minor error: eTLD+1 for example.com is example.com, so a.example.com would have the same TB key as b.example.com. However, the idea for the attack is valid. eTLD+1 based security seems to be a kludge. I felt that binding to the sites covered by a certificate might make sense, but it does not work out. For example, we have certs for gmail.com and youtube.com, and certificates covering both, IIRC. We could use the same TB sig, bound to that certificate, for a lot of sites, reducing TB signature overhead. It also makes sense to me from a security perspective: the server has proven ownership of a collection of domains, so just bind to that. This would eliminate all the eTLD+1 security issues. However, we can't count on seeing the same certificate all the time. Sometimes a server will present a login.example.com certificate on one connection, and *.example.com on another. Most likely, the cookie that is used for auth would be bound to login.example.com, and would be rejected for all other *. example.com domains. I like the idea of signing extensions and also the host name from the host header. Bill On Mon, Apr 3, 2017 at 9:47 AM, Nick Sullivan <nicholas.sullivan@gmail.com> wrote: > The token binding header does not have any identity bound to it. This is > potentially problematic because it makes it much more likely that this > protocol is vulnerable to unknown key share issues. > > Unknown key share attacks happen when a public key is used without binding > it to an identity by a signature. For example, Richard Barnes recently > published a draft describing how DANE with raw keys was vulnerable to this > style of: https://tools.ietf.org/html/draft-barnes-dane-uks-00. > > In section 2.1. of draft-ietf-tokbind-https, the key pair scoping is > defined to be eTLD+1. Depending on the threat model, this requirement can > be subverted. > > Consider an attacker who has access to read and modify headers, but not > private keys. Imagine a buggy/malicious service worker or something else of > this sort. Now imagine a site with a.example.com and b.example.com and a > wildcard *.example.com certificate. The attacker can take token binding > headers from a.example.com and put them on requests to b.example.com and > the cookies set on b.example.com will be bound to a.example.com's key. > > This doesn't sound like a large issue, but it's indicative of the type of > subtle problems not binding the key to a context can cause. > > If the token context was bound to the scope by including the eTLD+1 in the > (or the origin if the browser intends to use stricter token scoping), *and* > this scope was covered by the signature then this would not be possible. > The server could check the host header against the token context and then > refuse the token binding for new cookies. > > A logical place to put this would be in the extensions of the token > binding structure, but unfortunately the extensions is not signed and so > can be modified. Is there a reason the extensions field of the TokenBinding > structure is not signed by the private key? > > Nick > > _______________________________________________ > Unbearable mailing list > Unbearable@ietf.org > https://www.ietf.org/mailman/listinfo/unbearable > >
- [Unbearable] Binding tokens to scope in HTTP Nick Sullivan
- Re: [Unbearable] Binding tokens to scope in HTTP Bill Cox
- Re: [Unbearable] Binding tokens to scope in HTTP Andrei Popov