IETF Logo Mail Archive

Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?

Nick Harper <nharper@google.com> Thu, 02 March 2017 01:38 UTC

Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7A2129640 for <unbearable@ietfa.amsl.com>; Wed, 1 Mar 2017 17:38:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R52ND2uaMSDt for <unbearable@ietfa.amsl.com>; Wed, 1 Mar 2017 17:38:24 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 345851293F2 for <unbearable@ietf.org>; Wed, 1 Mar 2017 17:38:24 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id n127so101312395qkf.0 for <unbearable@ietf.org>; Wed, 01 Mar 2017 17:38:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=eyM3NWnleGqzogf4u+DPHy/5NyRM99Quzh99TPpCSU0=; b=BtnkvXJW8zxz0apaMK1KdnE2u0krtXRWyWMpQAO+4fjr6OzmAqu/eHIcfBEvt6WNL4 9VbItyfJd9mL5MJ7GKc/e9w1b+ZJKOMQTsfRXHy80fYcoAvfeJPDN69aou4krdJdMbDD +0h/XVHVVYBv5vTQUgZtfQx+1SwkoeGJfrf++PamY95p5rltPbB9m8tdwqAebipVdRst Fu2C0iTtUcL7OwgniC1zL5FkV3FQOYF+p4Vw+AVhNQ+d2xkPWgM2jfr+qYLz/tspYpRM /YTUtniLFKICahcCLsLLyqYZZSUlpVXitr7xbPmB4Xw+wVnGzbPegrMzUWGpRQrYsnzN upUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=eyM3NWnleGqzogf4u+DPHy/5NyRM99Quzh99TPpCSU0=; b=lziuM3UPHloK5Bj/NsSRTcybkJJeXf2UWPD6UJmWi7B4f+NtY++ltyQoMCESuEq68Q knwBviNUetDJiOSLKTu6fuID86ayrSSoSj0iN1ScdmxgrEuh04hCC0BiU1bADLooV66z pWOlqkXwyAlnqvTSgtvp3d/uwsO9fz4PbB/eT2tVvfAWIfpJOjTSyJeoer/U/FYmRE57 8tf1lOzyFoomrD3lal5TXYPn1CwgYYLRV6jxnh92I9AotcGDYxyQk9qIce1qcnGvBBVm wsQjLe49l2lZJ4CUo/sDfrkb1cjwhSrm4g208iveR4XJYho00IfGdY5a9tf7LUcmqiKf APIg==
X-Gm-Message-State: AMke39lMjTUMbcxAi160DYbnWZRcvJyKwfVl/Mit5lqRSAZYVxbsFu1aBBYbnKWnxtze2m0lLNgjfH8Tjzzr6Irs
X-Received: by 10.200.55.181 with SMTP id d50mr15331504qtc.140.1488418703239; Wed, 01 Mar 2017 17:38:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.21.105 with HTTP; Wed, 1 Mar 2017 17:36:47 -0800 (PST)
In-Reply-To: <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com> <CACdeXiLNCrPSz0_hZSpQ6tsoHB7ryJ2dCnHjUYwu5vu5fO4XBg@mail.gmail.com> <SN1PR21MB0096D7426A4E230E284F0D058C560@SN1PR21MB0096.namprd21.prod.outlook.com> <CACdeXiKuzNh0fP9b-jEF82m-6mX+i04To96GMa_tFNcuznGn+A@mail.gmail.com> <DM2PR21MB00914BA07BA984E931B88FEB8C290@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKQjaoAArLBcjRj+kUJUqH+f1bA5yeCCiQ6GMXzWJURBw@mail.gmail.com> <CABkgnnV0+vumfkZAMRZ_8q5pTkwf_CqhZ+deeVWdbF9SFaHoJw@mail.gmail.com> <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com>
From: Nick Harper <nharper@google.com>
Date: Wed, 01 Mar 2017 17:36:47 -0800
Message-ID: <CACdeXiKweRaZEKi4kqmPfUc2JLyZLGbp8tFRpkTfmJisPCMWRg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/hsUKulh9XSClrhAXyXqiYCmGxzY>
Cc: IETF Tokbind WG <unbearable@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 01:38:26 -0000

> -----Original Message-----
> From: Martin Thomson [mailto:martin.thomson@gmail.com]
> Sent: Wednesday, March 1, 2017 4:53 PM
> To: Nick Harper <nharper@google.com>
> Cc: Andrei Popov <Andrei.Popov@microsoft.com>; IETF Tokbind WG <unbearable@ietf.org>
> Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
>
> Would it help to include a clear signal about which keys are intended to be exported and used?

Yes, I plan to include some sort of signal so that the server doesn't
have to do trial verification. This could be defining a new set of key
types that when used in a TokenBinding struct indicate the signature
is over the early exporter, or it could be an indicator extension in
the TokenBinding struct (or maybe something else). The former has the
benefit that it is covered by the signature (unless the signature
format changes).


On Wed, Mar 1, 2017 at 4:54 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote:
> This solution introduces a lot of complexity, but does not address the fundamental problem, which is that the client can't prove possession of the TB key in 0-RTT. So, if I have a site that requires strong protection of tokens with TB, I would disable 0-RTT application data, or at least reject requests that arrive in 0-RTT and require bound tokens to be authorized.

The signature over the early exporter proves that the client had
possession of the TB key sometime after the server issued the
NewSessionTicket used for starting the 0-RTT connection. Whether this
is good enough depends on the threat model of the server. Obviously a
server that is paranoid can choose to reject 0-RTT data if Token
Binding is also negotiated on the connection, and I'm fine with that.
However, a server may decide that it is not concerned with client
malware stealing a NewSessionTicket (and corresponding data to replay
a 0-RTT TokenBindingMessage), and find this proof of possession good
enough.

0-RTT data has different security properties than 0.5-RTT or
post-handshake application data in TLS 1.3, so it's reasonable for a
TokenBindingMessage sent in 0-RTT application data to have different
security properties.

v2.23.0 | Report a Bug | By Email