Re: [Unbearable] Possible attack on Token Binding with RSA key exchange
Subodh Iyengar <subodh@fb.com> Fri, 01 September 2017 22:28 UTC
From: Subodh Iyengar <subodh@fb.com>
To: Nick Harper <nharper@google.com>, IETF Tokbind WG <unbearable@ietf.org>
Date: Fri, 01 Sep 2017 22:28:08 +0000
Message-ID: <MWHPR15MB14556750C654628F47186232B6920@MWHPR15MB1455.namprd15.prod.outlook.com>
References: <CACdeXiJK_=C8-DB=jd=pTb5VBT250_3+ptScqT5S_kDPDZK+qg@mail.gmail.com>, <MWHPR15MB14559C4298AF55C40193F405B6920@MWHPR15MB1455.namprd15.prod.outlook.com>
In-Reply-To: <MWHPR15MB14559C4298AF55C40193F405B6920@MWHPR15MB1455.namprd15.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/Q9nzCoBGo11NRi6eGRu7rLt8eZY>
Having said that, even if we only support forward secure ciphers, I do not think we can reasonably claim that we are secure against the threat of stolen private keys. I like the carrot opportunity this brings to encourage adoption of forward secure cipher suites.

Subodh

________________________________
From: Subodh Iyengar
Sent: Friday, September 1, 2017 3:24:25 PM
To: Nick Harper; IETF Tokbind WG
Subject: Re: [Unbearable] Possible attack on Token Binding with RSA key exchange

+1 to requiring that token binding only be used with forward secure cipher suites. I believe the extended master secret requirement of token binding prevents the attack on forward secure suites, i.e. an attacker cannot change the DH share advertised by the real server and thus needs to get the private key for it.

Subodh

________________________________
From: Unbearable <unbearable-bounces@ietf.org> on behalf of Nick Harper <nharper@google.com>
Sent: Friday, September 1, 2017 3:03:37 PM
To: IETF Tokbind WG
Subject: [Unbearable] Possible attack on Token Binding with RSA key exchange

I came across an attack on Token Binding today, which I think is worth addressing in TBPROTO in some fashion (likely another paragraph in Security Considerations). This attack involves an adversary with the private key of a server it wishes to impersonate, and was mentioned in draft-balfanz-tls-channelid in the last paragraph of its Security Considerations.

In brief, if an attacker has possession of a server's private key, it can hijack a TLS connection between client and server if the connection uses RSA key exchange instead of (EC)DHE key exchange, which allows the attacker to exercise the bound token without possession of the Token Binding private key.

I realize that we're past WGLC at this point, but I think this should be addressed. On one end, we could require forward-secret key exchange modes with Token Binding. We could also describe this specific attack in the Security Considerations, or we could expand the Security Considerations to describe what attacks are and aren't in the Token Binding threat model, to say that attacks where the adversary has the server's private key are out of scope.
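A policy check of the kind Nick and Subodh discuss, written as an added example for this archive page (it is not code from the thread, from TBPROTO, or from any Token Binding implementation): given the negotiated TLS version, the IANA cipher-suite name and whether the extended master secret was negotiated, decide whether a Token Binding message should be accepted on that connection. RSA key exchange is refused because a stolen server private key lets an attacker hijack such a connection; (EC)DHE suites are accepted only together with the extended master secret, as the thread relies on. The `TlsSession` type, the function names and the sample sessions are constructed for this example, and the extended-master-secret flag is assumed to be supplied by the TLS stack (Python's `ssl` module does not expose it).

```python
"""Server-side policy: accept Token Binding only on forward-secret TLS sessions.

Added example for the mailing-list thread above; not code from TBPROTO or any
Token Binding implementation. Inputs are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Key-exchange labels (as they appear in IANA cipher-suite names) that use
# ephemeral (EC)DH and are therefore forward secret. Static RSA, static
# (EC)DH and anonymous DH are deliberately absent.
FORWARD_SECRET_KX = {
    "DHE_RSA", "DHE_DSS", "DHE_PSK",
    "ECDHE_RSA", "ECDHE_ECDSA", "ECDHE_PSK",
}

# IANA names for TLS 1.2 and earlier spell out the key exchange before
# "_WITH_", e.g. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. TLS 1.3 names
# (TLS_AES_128_GCM_SHA256, ...) carry no key-exchange part at all.
_TLS12_NAME = re.compile(r"^TLS_(?P<kx>.+?)_WITH_")


@dataclass(frozen=True)
class TlsSession:
    """Hypothetical view of a negotiated session, filled in by the TLS stack."""
    version: str                  # "TLSv1.2" or "TLSv1.3"
    cipher_suite: str             # IANA cipher-suite name
    extended_master_secret: bool  # RFC 7627 negotiated? (assumed available)


def key_exchange(session: TlsSession) -> str:
    """Return the key-exchange label negotiated for the session."""
    if session.version == "TLSv1.3":
        # TLS 1.3 always performs an ephemeral (EC)DHE key exchange.
        return "ECDHE"
    m = _TLS12_NAME.match(session.cipher_suite)
    if m is None:
        raise ValueError(f"unrecognised cipher-suite name: {session.cipher_suite}")
    return m.group("kx")


def token_binding_allowed(session: TlsSession) -> Tuple[bool, str]:
    """Decide whether a Token Binding message may be accepted on this session."""
    kx = key_exchange(session)
    if session.version == "TLSv1.3":
        # Ephemeral key exchange and the handshake transcript are bound into
        # the TLS 1.3 key schedule, so the EMS extension does not apply.
        return True, "TLS 1.3: ephemeral key exchange"
    if kx not in FORWARD_SECRET_KX:
        # With RSA (or static DH) key exchange, anyone holding the server's
        # long-term private key can hijack the connection and use the bound
        # token without the Token Binding private key.
        return False, f"key exchange {kx} is not forward secret"
    if not session.extended_master_secret:
        # TBPROTO requires EMS; without it the (EC)DHE share is not tied to
        # the full handshake.
        return False, "extended master secret not negotiated"
    return True, f"{kx} with extended master secret"


def audit(sessions: List[TlsSession]) -> List[Tuple[str, bool, str]]:
    """Run the policy over several sessions and report each decision."""
    return [(s.cipher_suite, *token_binding_allowed(s)) for s in sessions]


# Constructed sample sessions covering the cases the thread raises.
SAMPLE_SESSIONS = [
    TlsSession("TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256", True),
    TlsSession("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
    TlsSession("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", False),
    TlsSession("TLSv1.2", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", True),
    TlsSession("TLSv1.3", "TLS_AES_128_GCM_SHA256", False),
]

if __name__ == "__main__":
    for suite, ok, why in audit(SAMPLE_SESSIONS):
        print(f"{'ACCEPT' if ok else 'REJECT':6} {suite}: {why}")
```

The decision is keyed on the negotiated suite rather than on the server configuration, so a server that still offers RSA key exchange for other clients can nevertheless refuse to honour Token Binding on those connections.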