IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Andrei Popov <Andrei.Popov@microsoft.com> Tue, 21 March 2017 20:26 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5042D12E856 for <unbearable@ietfa.amsl.com>; Tue, 21 Mar 2017 13:26:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.022
X-Spam-Level:
X-Spam-Status: No, score=-2.022 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O8L_Qp8ob-sE for <unbearable@ietfa.amsl.com>; Tue, 21 Mar 2017 13:26:00 -0700 (PDT)
Received: from NAM03-BY2-obe.outbound.protection.outlook.com (mail-by2nam03on0118.outbound.protection.outlook.com [104.47.42.118]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C956012E872 for <unbearable@ietf.org>; Tue, 21 Mar 2017 13:26:00 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LSGFc9kdo//2KvCzeO7J0vyFelht8pch3A2i31uNY/c=; b=kdJlX894EjGX41RMvfmKqu+7nP7jnqnKuRNNTF1+OYKOjF8xm4ZTxxbLfLkZ4Xkv2kk8aj1HKN66uEJhB3uP/u7P0onjtgHxThDdwvTPXFcMQY5AozQG4LYIf6R9+/Mk6PqOJa3Xmj5C8ExVRJoJ2HFptuOivt+b3j3VFzRsZlU=
Received: from DM2PR21MB0091.namprd21.prod.outlook.com (10.161.141.14) by DM2PR21MB0089.namprd21.prod.outlook.com (10.161.141.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1005.0; Tue, 21 Mar 2017 20:25:59 +0000
Received: from DM2PR21MB0091.namprd21.prod.outlook.com ([10.161.141.14]) by DM2PR21MB0091.namprd21.prod.outlook.com ([10.161.141.14]) with mapi id 15.01.1005.000; Tue, 21 Mar 2017 20:25:59 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>
CC: Eric Rescorla <ekr@rtfm.com>, Martin Thomson <martin.thomson@gmail.com>, IETF Tokbind WG <unbearable@ietf.org>
Thread-Topic: [Unbearable] 0-RTT Token Binding: When to switch exporters?
Thread-Index: AQHSbdvurWwJUrGAZkyxVvys5avGZKE28kcggCd4oACAH07+gIABRECQgAAemICAAAhjEIAAGSoAgAAPAQCAAAUIUIAAII2AgAACEkCAAYowAIAAA7aAgAAAjZCAAAvMgIANyhiAgA+AzwCAACeWgIAAQYWAgAAFbwCAAC/PgIAAp9qAgABMl0CAACIyAIAACuww
Date: Tue, 21 Mar 2017 20:25:58 +0000
Message-ID: <DM2PR21MB009145A3452CDBAF28D4A4678C3D0@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com> <CACdeXiLNCrPSz0_hZSpQ6tsoHB7ryJ2dCnHjUYwu5vu5fO4XBg@mail.gmail.com> <SN1PR21MB0096D7426A4E230E284F0D058C560@SN1PR21MB0096.namprd21.prod.outlook.com> <CACdeXiKuzNh0fP9b-jEF82m-6mX+i04To96GMa_tFNcuznGn+A@mail.gmail.com> <DM2PR21MB00914BA07BA984E931B88FEB8C290@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKQjaoAArLBcjRj+kUJUqH+f1bA5yeCCiQ6GMXzWJURBw@mail.gmail.com> <CABkgnnV0+vumfkZAMRZ_8q5pTkwf_CqhZ+deeVWdbF9SFaHoJw@mail.gmail.com> <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKweRaZEKi4kqmPfUc2JLyZLGbp8tFRpkTfmJisPCMWRg@mail.gmail.com> <CACdeXiL6riBRb1-UDhVK-R5CvopzisJnYTRjWsvpimWA2G3DhQ@mail.gmail.com> <CABcZeBN2RhBsyj8_1F6bBnw9j10qdABwdZVdgwVcUr4Tf6sLtA@mail.gmail.com> <CACdeXiLZQSMxSqTPSHVqUwZomUpaMadUNYEEzF2to9Rx6nLMWQ@mail.gmail.com> <CABcZeBPvxX-8PuoV1oV-k5BnH3sjbWuuHfeAfh7FRhgtuVPkCQ@mail.gmail.com> <CACdeXi+rbsKf7zbpe4n49BUmj1ay0GSg_A48ZrAztKPY9+Fm2A@mail.gmail.com> <CABkgnnXBQEV4w7Zb=C9GE25-wp3oMVauKRZ21mCa+Qoby9XAPg@mail.gmail.com> <CABcZeBPpoex3axkkqgTRGWujGLbkC2GNqn+-50ipso3e9h8vJA@mail.gmail.com> <DM2PR21MB00910C42F25CCC08B9CC4D588C3D0@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLJCrD=Z7Se5TJBzhE5JOjipWC+_gthBq_upRZyG=LSDg@mail.gmail.com>
In-Reply-To: <CACdeXiLJCrD=Z7Se5TJBzhE5JOjipWC+_gthBq_upRZyG=LSDg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:a::1d2]
x-microsoft-exchange-diagnostics: 1; DM2PR21MB0089; 7:4r8faVhUo5lZbxEK6lBsVO5LS+WRI8R9RR5mLRpwSWna9WrMh6hoXYVFE6ED/MN/sTrgOYdIyjvkfjOr1MmMYXeSZMFGgqg7+P2OnUJksfjqZyxA6Y+VjbftVPPr6SACEhZJKfjuV7ZxWIExTGICadOfnkjOGbErEnEAh4J2D0gZk+CjpKCF56LlnIGt60yGJ5YELOl5acDZfvmXd5Z/2Dctb84d7B+s1yJzGJHilr6xEojfaqs5dm68AH1hKe1ufIfrGwIPv9juBD48acZfD6G8+jOG8JWgGOFFsJrJOheKDiIV4MmE7UB17ul4I9xJr5lwd5cuu2kT/IZK9cMbd+nZHkmEylFAgsmrfecS3+8=
x-ms-office365-filtering-correlation-id: b68d7ac4-a6c5-4f00-38f7-08d470987c98
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081); SRVR:DM2PR21MB0089;
x-microsoft-antispam-prvs: <DM2PR21MB0089208912970CE2785CFBC98C3D0@DM2PR21MB0089.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006021)(93001021)(6055026)(61426038)(61427038)(6041248)(20161123560025)(20161123564025)(20161123558025)(20161123555025)(20161123562025)(6072148); SRVR:DM2PR21MB0089; BCL:0; PCL:0; RULEID:; SRVR:DM2PR21MB0089;
x-forefront-prvs: 02530BD3AA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39840400002)(39860400002)(39450400003)(39410400002)(39850400002)(55016002)(9686003)(189998001)(122556002)(33656002)(99286003)(7736002)(3280700002)(53936002)(54906002)(86362001)(3660700001)(86612001)(25786009)(2900100001)(6246003)(229853002)(38730400002)(8936002)(110136004)(8676002)(81166006)(4326008)(2906002)(2950100002)(106356001)(5005710100001)(76176999)(74316002)(68736007)(54356999)(102836003)(50986999)(7696004)(10090500001)(8990500004)(93886004)(39060400002)(5660300001)(6116002)(6436002)(305945005)(10290500002)(77096006)(6506006)(6916009); DIR:OUT; SFP:1102; SCL:1; SRVR:DM2PR21MB0089; H:DM2PR21MB0091.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:ovrnspm; PTR:InfoNoRecords; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Mar 2017 20:25:59.0400 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM2PR21MB0089
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/F_-UIq6t5s2tZg2ZBFNXZ2nnOVs>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Mar 2017 20:26:02 -0000

Hi Nick,

> Second replay of a TokenBinding message on a new connection (where the exporter is the same). This involves client malware, which can just as easily do private key operations to generate new TokenBinding messages to use on new connections. In TBPROTO, this is also possible, but it can only be done for active connections. With 0-RTT, the attacker can do this for connections that will be created up to 7 days in the future.

A basic property of Token Binding is that malware can't export the token and successfully use it from another machine, as long as it cannot also export the TB key. This is a useful property, because it means that once the client malware is removed, the attack is immediately stopped. This property is not present when Token Binding is used in combination with 0-RTT, because it may be possible for the malware to export the TLS 1.3 resumption secret.

> If a server's threat model does not include client malware, i.e. the server is only using Token Binding to protect against attacks like XSS (e.g. to protect cookies without the HttpOnly flag set, or OAuth tokens), then enabling both TB and 0-RTT is perfectly reasonable.
> Depending on the server's policies, even if client malware is in its threat model it still could find the 7 day window acceptable.

Yes, I can easily imagine servers with such policies:). 
If the WG decides to allow the use of TB in combination with 0-RTT, then we should at least provide a way for the client to negotiate replayable/0-RTT TB option separately. This would allow a client to opt out of "replayable TB", while avoiding reauthentication on every connection. A server that receives a TLS 1.3 ClientHello advertising "proper TB" (and not "replayable TB") would either not negotiate Token Binding, or reject 0-RTT resumption with this client (and instead do a full handshake).

A different client would be able to offer both "proper TB" and "replayable TB". Such a client would use the 0-RTT exporter throughout all 0-RTT connections, simplifying the rules... Would this work for you, Nick?

Cheers,

Andrei

v2.23.0 | Report a Bug | By Email