Re: [Unbearable] (late, sorry) WGLC question on establishing the binding or not
Nick Harper <nharper@google.com> Tue, 20 December 2016 20:04 UTC
Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4649D1295E5 for <unbearable@ietfa.amsl.com>; Tue, 20 Dec 2016 12:04:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.8
X-Spam-Level:
X-Spam-Status: No, score=-5.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sO-zQ7rmvx_8 for <unbearable@ietfa.amsl.com>; Tue, 20 Dec 2016 12:04:41 -0800 (PST)
Received: from mail-qk0-x22a.google.com (mail-qk0-x22a.google.com [IPv6:2607:f8b0:400d:c09::22a]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB7861295ED for <unbearable@ietf.org>; Tue, 20 Dec 2016 12:04:40 -0800 (PST)
Received: by mail-qk0-x22a.google.com with SMTP id u25so49608467qki.2 for <unbearable@ietf.org>; Tue, 20 Dec 2016 12:04:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Jefungx7UrBtEltyiQfbCaPx/WqsOYn5zEnptidbsjQ=; b=HSa6SgZUseVhh6DaezFUbdQmMqDIEJ7DLDoGJgHvS3XUOixOfpLWSq1LUrOyIvkRmJ PmYy1ONH4VY4L8ho8WO+1NAfWpGOrSO89UQNuE9GZMZlCsILYSpd4zvPke0R5OBGm8OL alvlSY2FE6kv0zjIg0NbMyNUUvIeM6Mc1TU6JKaAlX6g6szgEwibjik4cUjS7EruoFJz RP9TpSiKNLCaMyCqcSUdgbnf97VE3+jAc0gubnZqY9YfMeahUL6pIS1zB7wyntLlaUJu tkYr/ngMCBRJ5dadE5abK1xdma1JZonPet/hUQiHdunyP0vi1otR98DKbSf8jPG3Sgq6 5k5g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Jefungx7UrBtEltyiQfbCaPx/WqsOYn5zEnptidbsjQ=; b=WnI0X8nlkCUpJae5HZnsMKYfIp9xvymxDnEfH+WTjP8IrzckJpV3XgXOPtgQj3/9S/ X8vyQosrniiYZNV20efld8xfflkiu3BZxGqNVQc2hnclpjOacdTy1MUtBDb0uRVDR0fR 7F31i9JYKFOa1YtH5buScWGXRsuylNZNmn46fiKLhDxQ5du0Q7wxJNTiUYNVaiGqYm6Y kBxXBRc82tagLIUqCAJMUAdna1KKGOxb6gbz6RrbzuXhgr0GG/1zKIWRY0/nJu5IFOmh GWwwqQk+bEZuPSfUcMnlybZ37yUIlOqxa/lN+WdsYGlZAl3l3ksxAQKBKRFPPLkXD2cJ rqww==
X-Gm-Message-State: AIkVDXKkJZr7/KJ4f6FKO/wvhjs3AxoMgG1rbOYQ/r1atSnMaEh3ocDejpG54OkqtYt0qDMSvrzHDVlXhqwIFBs6
X-Received: by 10.55.70.76 with SMTP id t73mr1179081qka.195.1482264279884; Tue, 20 Dec 2016 12:04:39 -0800 (PST)
MIME-Version: 1.0
Received: by 10.140.17.52 with HTTP; Tue, 20 Dec 2016 12:04:19 -0800 (PST)
In-Reply-To: <CA+k3eCQjJUWjNSJ_WKz6bB5yhx8qV+fEZHz_KRpj7-ofs-MBsQ@mail.gmail.com>
References: <CA+k3eCTDfFzVZ-oDVd5JohfoCMAprq_4q5gUs5QjfRQHb2Q+FA@mail.gmail.com> <CY1PR0301MB08427626BD31DB029C1754D98C900@CY1PR0301MB0842.namprd03.prod.outlook.com> <CA+k3eCQjJUWjNSJ_WKz6bB5yhx8qV+fEZHz_KRpj7-ofs-MBsQ@mail.gmail.com>
From: Nick Harper <nharper@google.com>
Date: Tue, 20 Dec 2016 12:04:19 -0800
Message-ID: <CACdeXiJVtUhZbv8vY2Zx9dG9Ze7Kgb-S_QQ+7CkAL6dvH980Rw@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="001a114abf6ade43b805441c8bd4"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/iuJfU8d2Bpfjc5HxFpOIBNsdS9g>
Cc: Andrei Popov <Andrei.Popov@microsoft.com>, IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] (late, sorry) WGLC question on establishing the binding or not
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Dec 2016 20:04:43 -0000
On Tue, Dec 20, 2016 at 11:53 AM, Brian Campbell <bcampbell@pingidentity.com > wrote: > Thanks Andrei, some further discussion inline... > > On Mon, Dec 19, 2016 at 5:37 PM, Andrei Popov <Andrei.Popov@microsoft.com> > wrote: > >> Ø What should a server do if it receives an HTTP request without a >> Sec-Token-Binding header on a TLS connection where token binding was >> negotiated in the handshake? >> >> This means TB is not established with this client, see TBNEGO: “If the >> client does not support the Token Binding protocol version selected by the >> server, then the connection proceeds without Token Binding.” >> > I knew I'd seen something like that somewhere but couldn't conjure it up. > Thanks for the pointer/reminder. > > But in defense of my own dumb question, that clearly covers the case where > the client doesn't support the TB version that the server chose. But > doesn't address the case where the client and server both indicate exactly > the same versions during negotiation but no TB message is sent at the > application layer. > > > Ø The case where the client and server both indicate exactly the same >> versions during negotiation but no TokenBindingMessage is sent, for >> example, seems like it should be a failure condition in the same vein as a >> mismatch between the negotiated TokenBindingKeyParameters and in the the >> TokenBindingKeyParameters of the provided_token_binding TokenBindingID. >> >> >> >> We could special-case and say that if a server picks the exact TB version >> a client sent, and the client’s subsequent request does not contain the TB >> message, then the request MUST be rejected. >> >> However, in practice this feels like a failure case for no good reason. >> >> >> >> I think we have 4 possibilities: >> >> 1. The client sends a TB message and a bound token => the server >> verifies per TBPROTO. >> >> 2. The client sends a TB message and no bound token => the server >> verifies per TBPROTO. >> >> 3. The client sends no TB message and a bound token => the server >> rejects per TBPROTO. >> >> 4. The client sends no TB message and no bound token => we could >> require that this be rejected, if the server picked the client’s offered TB >> version, but why create this failure case? >> > I'm not sure to be honest. That's why I'm asking. I don't fully understand > the reasoning behind the requirements that exist between the handshake > negotiation to checking the TB message. And the treatment of this case > feels a bit inconsistent to me. If TB was not negotiated but a TB message > is sent, reject the bindings. If TB was negotiated but the keyparams of the > provided TB in the TB message doesn't match the negotiated keyparams, > reject the bindings. When the TB version negotiated is identical but a TB > message isn't sent, it would seem to suggest at least a misbehaving client. > Maybe that's okay though. Even as I write it, it doesn't seem as > inconsistent as it did in my mind before. But I'm asking to try and better > understand the ramifications of the case. And the others. Are there > implications beyond a misbehaving client in the case of a mismatch between > the key parameters type that was negotiated and the key parameters type of > the provided_token_binding in the TB message? > > Since in this case (client and server sent exact same TB version in nego) a server knows that the client supports TB, so if the client doesn't send a TB message, either some sort of weird attack is happening (which we definitely don't want), or the client is buggy and negotiated TB when it shouldn't have. I would suggest that when servers can detect buggy clients, they be as strict as possible, which would mean TB should say that a server SHOULD reject the TB message (and maybe close the connection) in this case. > > > > > > > > _______________________________________________ > Unbearable mailing list > Unbearable@ietf.org > https://www.ietf.org/mailman/listinfo/unbearable > >
- [Unbearable] (late, sorry) WGLC question on estab… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Nick Harper
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Nick Harper
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Nick Harper
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Nick Harper
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… Andrei Popov
- Re: [Unbearable] (late, sorry) WGLC question on e… Nick Harper
- Re: [Unbearable] (late, sorry) WGLC question on e… Brian Campbell
- Re: [Unbearable] (late, sorry) WGLC question on e… =JeffH