Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
Nick Harper <nharper@google.com> Thu, 02 March 2017 01:38 UTC
Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA7A2129640 for <unbearable@ietfa.amsl.com>; Wed, 1 Mar 2017 17:38:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.702
X-Spam-Level:
X-Spam-Status: No, score=-2.702 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id R52ND2uaMSDt for <unbearable@ietfa.amsl.com>; Wed, 1 Mar 2017 17:38:24 -0800 (PST)
Received: from mail-qk0-x22f.google.com (mail-qk0-x22f.google.com [IPv6:2607:f8b0:400d:c09::22f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 345851293F2 for <unbearable@ietf.org>; Wed, 1 Mar 2017 17:38:24 -0800 (PST)
Received: by mail-qk0-x22f.google.com with SMTP id n127so101312395qkf.0 for <unbearable@ietf.org>; Wed, 01 Mar 2017 17:38:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=eyM3NWnleGqzogf4u+DPHy/5NyRM99Quzh99TPpCSU0=; b=BtnkvXJW8zxz0apaMK1KdnE2u0krtXRWyWMpQAO+4fjr6OzmAqu/eHIcfBEvt6WNL4 9VbItyfJd9mL5MJ7GKc/e9w1b+ZJKOMQTsfRXHy80fYcoAvfeJPDN69aou4krdJdMbDD +0h/XVHVVYBv5vTQUgZtfQx+1SwkoeGJfrf++PamY95p5rltPbB9m8tdwqAebipVdRst Fu2C0iTtUcL7OwgniC1zL5FkV3FQOYF+p4Vw+AVhNQ+d2xkPWgM2jfr+qYLz/tspYpRM /YTUtniLFKICahcCLsLLyqYZZSUlpVXitr7xbPmB4Xw+wVnGzbPegrMzUWGpRQrYsnzN upUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=eyM3NWnleGqzogf4u+DPHy/5NyRM99Quzh99TPpCSU0=; b=lziuM3UPHloK5Bj/NsSRTcybkJJeXf2UWPD6UJmWi7B4f+NtY++ltyQoMCESuEq68Q knwBviNUetDJiOSLKTu6fuID86ayrSSoSj0iN1ScdmxgrEuh04hCC0BiU1bADLooV66z pWOlqkXwyAlnqvTSgtvp3d/uwsO9fz4PbB/eT2tVvfAWIfpJOjTSyJeoer/U/FYmRE57 8tf1lOzyFoomrD3lal5TXYPn1CwgYYLRV6jxnh92I9AotcGDYxyQk9qIce1qcnGvBBVm wsQjLe49l2lZJ4CUo/sDfrkb1cjwhSrm4g208iveR4XJYho00IfGdY5a9tf7LUcmqiKf APIg==
X-Gm-Message-State: AMke39lMjTUMbcxAi160DYbnWZRcvJyKwfVl/Mit5lqRSAZYVxbsFu1aBBYbnKWnxtze2m0lLNgjfH8Tjzzr6Irs
X-Received: by 10.200.55.181 with SMTP id d50mr15331504qtc.140.1488418703239; Wed, 01 Mar 2017 17:38:23 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.21.105 with HTTP; Wed, 1 Mar 2017 17:36:47 -0800 (PST)
In-Reply-To: <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com>
References: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com> <DM2PR0301MB084793F58146F8574BF36EE18C780@DM2PR0301MB0847.namprd03.prod.outlook.com> <CACdeXiJGcsTxrSWmd5BZrfoWTHhFF3+RisQFD628iYNMzZakhQ@mail.gmail.com> <CACdeXiJFe7-jM9qEnNB+Wp3joGxF_X1z+-dPywb9SRZuSNmAzQ@mail.gmail.com> <DM2PR21MB0091E3F087E1AECA3A63A3788C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXi+YjLaXtoX47LtVK4Ay2y-mCOOraV46gbbbuQPL40ngXg@mail.gmail.com> <DM2PR21MB00910C83983BEE885B0E04288C560@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiLON5OAjfFCNsenCeaGV3a_LDoi17VAk=fSzF0YA5=f7Q@mail.gmail.com> <CACdeXiLNCrPSz0_hZSpQ6tsoHB7ryJ2dCnHjUYwu5vu5fO4XBg@mail.gmail.com> <SN1PR21MB0096D7426A4E230E284F0D058C560@SN1PR21MB0096.namprd21.prod.outlook.com> <CACdeXiKuzNh0fP9b-jEF82m-6mX+i04To96GMa_tFNcuznGn+A@mail.gmail.com> <DM2PR21MB00914BA07BA984E931B88FEB8C290@DM2PR21MB0091.namprd21.prod.outlook.com> <CACdeXiKQjaoAArLBcjRj+kUJUqH+f1bA5yeCCiQ6GMXzWJURBw@mail.gmail.com> <CABkgnnV0+vumfkZAMRZ_8q5pTkwf_CqhZ+deeVWdbF9SFaHoJw@mail.gmail.com> <DM2PR21MB0091DE5B213D2363FAF353CF8C280@DM2PR21MB0091.namprd21.prod.outlook.com>
From: Nick Harper <nharper@google.com>
Date: Wed, 01 Mar 2017 17:36:47 -0800
Message-ID: <CACdeXiKweRaZEKi4kqmPfUc2JLyZLGbp8tFRpkTfmJisPCMWRg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/hsUKulh9XSClrhAXyXqiYCmGxzY>
Cc: IETF Tokbind WG <unbearable@ietf.org>, Martin Thomson <martin.thomson@gmail.com>
Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 01:38:26 -0000
> -----Original Message----- > From: Martin Thomson [mailto:martin.thomson@gmail.com] > Sent: Wednesday, March 1, 2017 4:53 PM > To: Nick Harper <nharper@google.com> > Cc: Andrei Popov <Andrei.Popov@microsoft.com>; IETF Tokbind WG <unbearable@ietf.org> > Subject: Re: [Unbearable] 0-RTT Token Binding: When to switch exporters? > > Would it help to include a clear signal about which keys are intended to be exported and used? Yes, I plan to include some sort of signal so that the server doesn't have to do trial verification. This could be defining a new set of key types that when used in a TokenBinding struct indicate the signature is over the early exporter, or it could be an indicator extension in the TokenBinding struct (or maybe something else). The former has the benefit that it is covered by the signature (unless the signature format changes). On Wed, Mar 1, 2017 at 4:54 PM, Andrei Popov <Andrei.Popov@microsoft.com> wrote: > This solution introduces a lot of complexity, but does not address the fundamental problem, which is that the client can't prove possession of the TB key in 0-RTT. So, if I have a site that requires strong protection of tokens with TB, I would disable 0-RTT application data, or at least reject requests that arrive in 0-RTT and require bound tokens to be authorized. The signature over the early exporter proves that the client had possession of the TB key sometime after the server issued the NewSessionTicket used for starting the 0-RTT connection. Whether this is good enough depends on the threat model of the server. Obviously a server that is paranoid can choose to reject 0-RTT data if Token Binding is also negotiated on the connection, and I'm fine with that. However, a server may decide that it is not concerned with client malware stealing a NewSessionTicket (and corresponding data to replay a 0-RTT TokenBindingMessage), and find this proof of possession good enough. 0-RTT data has different security properties than 0.5-RTT or post-handshake application data in TLS 1.3, so it's reasonable for a TokenBindingMessage sent in 0-RTT application data to have different security properties.
- [Unbearable] 0-RTT Token Binding: When to switch … Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Martin Thomson
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Martin Thomson
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Bill Cox
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Denis
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov