IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Nick Harper <nharper@google.com> Tue, 28 February 2017 22:46 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A84DE129789 for <unbearable@ietfa.amsl.com>; Tue, 28 Feb 2017 14:46:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4J9UIlyXgxfa for <unbearable@ietfa.amsl.com>; Tue, 28 Feb 2017 14:46:56 -0800 (PST)
Received: from mail-yw0-x230.google.com (mail-yw0-x230.google.com [IPv6:2607:f8b0:4002:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC5D512973D for <unbearable@ietf.org>; Tue, 28 Feb 2017 14:46:53 -0800 (PST)
Received: by mail-yw0-x230.google.com with SMTP id l138so19469661ywc.0 for <unbearable@ietf.org>; Tue, 28 Feb 2017 14:46:53 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=jOKaM7t8tWUFCQzHhjipXX5zsiYFKWSZ2qzLPt3GcPk=; b=VKa+I1+ebuqsjNzOYkLCq7fFdqG8vReuxtqrr2YFfLT9qhVLrI1feWmtBjUO5HS+BQ 6Zhn7QZjt9rmwRSi0mt3a/IrdvK/ZFvimR8PdVP6OOJ+Fqnexew66uvjiSzK8sZBbnPN iwGljErrYMZbh0RH3jq6KrUx3L2MyvcojE42z72AQoDkPjLela8mbp5iHKC60RaaW8yF E5jJM7ok5u00t9ug2xfv3jnv22FR+p+nVsIJVYmJJDH//Ci1P1m942FX767KqhzAnKsE kOAIRUwpdw7d2lQluijow/fDVBoHCV2ehf5CRF76bb3NSUwPF8cCgFoSRUNTyr6dYMoK FSMw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=jOKaM7t8tWUFCQzHhjipXX5zsiYFKWSZ2qzLPt3GcPk=; b=AfPWR0Nkp8LD3n3tks7nsM6CjEAoDovXjz12kYOPLc30jqh32VBdOntGJjTL1uKQDK FqNjr4qyg7RSyUyRTFEyl4C6FYAC+jdiDcakRfE0CCmNgwsSwSlB1+csuBv2Yann+bNz nx0WDJfRhilsd3ABKsyF7gD+0m+Sr8yiw1+HDQzGio+CEEh+j/NFh35ps5ytCaXIWYoG gUP7AKd2pOcPjGEk+VpGtHrwHiYZXZJTxeN9Kb32R6/6FS/aKpoXl4NwVI0kNoWXwhnc 4Dp60mocYJQCyYuE9DGU3daQknvMPnfPAeJr7h5glg7HUg6L2tYYaV2249osBMMZUg5A qm7g==
X-Gm-Message-State: AMke39mNOoqeYpE+kDiw7MKGBPjsAm/aKKzpbPJzPY7f0803FLkJk0zhyG5q40cll6IQVnyrgvErm5Jed6o1P37N
X-Received: by 10.129.173.68 with SMTP id l4mr1503075ywk.351.1488322012637; Tue, 28 Feb 2017 14:46:52 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.65.5 with HTTP; Tue, 28 Feb 2017 14:46:32 -0800 (PST)
In-Reply-To: <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com>
From: Nick Harper <nharper@google.com>
Date: Tue, 28 Feb 2017 14:46:32 -0800
Message-ID: <CACdeXiLNCrPSz0_hZSpQ6tsoHB7ryJ2dCnHjUYwu5vu5fO4XBg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/La9PMIlIMATliluF-q1m6GcW4E0>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Feb 2017 22:46:57 -0000

Here's a solution that I think would handle the case of an HTTP server
rejecting a request because it doesn't like the strength of the
exporter used for Token Binding:

- On requests sent in early data, the client uses the early exporter
(it's the only option).
- For requests sent after the handshake has completed, the client MAY
continue to use the early exporter.
- Once the client has received a response from the server, it SHOULD
switch to using the (not early) exporter for new requests on that
connection (requests that the client has already started to build but
haven't sent yet can continue using the early exporter, per the
previous point).
- A server that receives a token-bound request using the early
exporter MAY request that the client re-send the request using the
(not early) exporter. This signal would be application-specific; for
HTTP this could be done by sending a 307 status code with the Location
header pointing to the same URI. A client that implements the SHOULD
in the previous point will switch exporters by the time it re-sends
the request.

This solves the implementation problems of requiring the exporter to
match which data its sent in, and I think it offers a reasonable
solution for a server to reject a request because of exporter strength
and have the client retry it with the regular exporter. This is only
an outline of a solution and still has details that would need to be
worked out. In particular, the client needs to indicate in its
TokenBinding struct which exporter it used or the server has to do
trial verification.


On Tue, Feb 28, 2017 at 1:52 PM, Nick Harper <nharper@google.com> wrote:
> On Tue, Feb 28, 2017 at 12:55 PM, Andrei Popov
> <Andrei.Popov@microsoft.com> wrote:
>> Correct, the ClientHello is also needed. Not sure this makes things
>> significantly better, but it is an additional piece the attacker needs. I
>> guess we’re referring to the same attack, but disagreeing on whether “this
>> still has decent security properties”J.
>
> Yes, it sounds like we're talking about the same attack, and the
> additional piece of the ClientHello (in addition to the resumption
> PSK) doesn't change its feasibility that much. If we do any form of
> 0-RTT Token Binding, this attack will exist in some form. It is the
> major difference between 0-RTT Token Binding and regular Token
> Binding. My comment about "decent security properties" was that always
> using the 0-RTT exporter (if there is a token binding sent and
> accepted in early data) has decent security properties compared to
> using the 0-RTT exporter only for token bindings sent in early data.
>>
>>
>> It seems that the right thing to do is not allow Token Binding messages
>> until exporter_secret is available.
>
> That restriction would effectively mean that Token Binding can't be
> used with 0-RTT.

v2.23.0 | Report a Bug | By Email