[Unbearable] Removing explicit public key crypto from Token Binding
Nick Sullivan <nicholas.sullivan@gmail.com> Mon, 03 April 2017 02:15 UTC
Return-Path: <nicholas.sullivan@gmail.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B5A1126DCA for <unbearable@ietfa.amsl.com>; Sun, 2 Apr 2017 19:15:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vbwwf0YTm1rq for <unbearable@ietfa.amsl.com>; Sun, 2 Apr 2017 19:14:59 -0700 (PDT)
Received: from mail-vk0-x230.google.com (mail-vk0-x230.google.com [IPv6:2607:f8b0:400c:c05::230]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7376B127071 for <unbearable@ietf.org>; Sun, 2 Apr 2017 19:14:58 -0700 (PDT)
Received: by mail-vk0-x230.google.com with SMTP id z204so123611435vkd.1 for <unbearable@ietf.org>; Sun, 02 Apr 2017 19:14:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=jCECSWXEukNTiqBBOIaxhzSbFF/5RgbjaphFbQOjAl0=; b=nymRFK1bNW+Ic4JNgbkjvZoqfDqXsmAsDasc3vMPSdiov6+liPedKTRJahGcAavoH/ rUp0GWCoGjVx9ors2f487p6Tf5lKK9hTbkIClkjoTu5QoyX4ZG6Qhsvb7aW7ToPoQ7nZ 1DVakZRyYTHdAl2elXzGeNoSxG9/OxcpNeOHG/xxtnA0Dg1ovgMZPTkpD7EJH2R4sN0K pvIBuTZvF0Df2zBuBtAMWYXpPK8Eezy3zWAB68IjuVvDeSMj2q/Oixi9SrIuTuOr+T+6 OvzgxdbezJkmf2Kn4bmIjJu2SqOHECOE9whnBlGgxFFtqqZVTPGt+wlYKkhaoKIGz15v I9nA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=jCECSWXEukNTiqBBOIaxhzSbFF/5RgbjaphFbQOjAl0=; b=fgLyyDxMj5CdWSwtQ/+DSUSMDwfpIdLS009pGE97eTKtg98TmA28mslat4h94LzZ9E whb5hPSDneZrDd7Ss7aERbpS5ekf54/JmM9Bx+VAwhP5nid2gSgSXcQjvgumvL05pIha C8ca14TelFcA2nFmfNhHccS1rQXxuyYDv0pwUTbmNzsjIrXvi6PkLFOQrXVegv7Zm7c9 9LSIhHWD0UxjhZKG2ultvzy3/MYyMD4+9sXEACN+F/GbMkkvRYC/9sVa0X7qEvT2aZ7B pe6ilby08SnCYkPT/9UQp4hNX5n00Zhk6w61KV+v/fFeXHLlnvs20gzyQ6nCahWAg0y/ edsA==
X-Gm-Message-State: AFeK/H2OcfvLzcFCbakn913R8PV4DNVpuyvBWGYvqOwJdR/hUatbJrKwKU/QZ/7xuRClrXLnkDlSgdr0jv/qkg==
X-Received: by 10.159.55.142 with SMTP id q14mr5386032uaq.40.1491185697487; Sun, 02 Apr 2017 19:14:57 -0700 (PDT)
MIME-Version: 1.0
From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Mon, 03 Apr 2017 02:14:46 +0000
Message-ID: <CAOjisRyCx1RJ=2nJw_sVuJdh9f_ZdV+EF77MY4sM=wm20LXZVw@mail.gmail.com>
To: unbearable@ietf.org
Content-Type: multipart/alternative; boundary="94eb2c041276cb027f054c39b916"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/jlAqKlkvTgWiVa5ABLGNcEBm81U>
Subject: [Unbearable] Removing explicit public key crypto from Token Binding
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Apr 2017 02:15:02 -0000
Please pardon the timing of this review, I know it's not fun receiving critiques and large suggestions so late in the process but I think there are serious issues with the Token Binding Protocol draft that should be discussed. The introduction of public key crypto at the application layer seems like a major downside to the current Token Binding Protocol draft. We went through a similar design in the Secondary Certificate Authentication in HTTP/2 draft, and learned a bunch of lessons that could be applied to Token Binding. From these lessons, I have some suggestions that could result in a much shorter draft that is less complex and will result in a lower maintenance burden going forward. Long story short: I think the explicit public key crypto pieces should be removed from this draft. First, let me spell out some of the downsides of introducing public key crypto to the application layer: a) Public key crypto is hard to do right. Historically, applications have done a bad job at handling public key cryptography. You don't have to look far past the recent curve point validation issues in JWS libraries to see this. Exposing "low-level" APIs like digital signature validation to applications is best avoided if you want a secure application. For example, things like asking an HTTP server to properly seed the randomness in an ECDSA signature expands the scope of what developers at this layer are used to dealing with. b) Maintenance burden. Every new signature algorithm to be used here needs to be added to the new IANA registry. Every time this happens, this document needs to be updated. Which working group is responsible for updating drafts to add new algorithms or remove compromised ones once TOKBIND is over and we're discussing post-quantum signatures? This document is already behind the curve by supporting P-256 instead of the CFRG-chosen signature algorithms ed25519 and ed448. c) It's done better elsewhere. Correctly defining how to do public key crypto in a draft like this seems duplicative of other work. Defining the tricky part of actually binding a public key into TLS should be done with the support of those who have experience with doing this wrong and learning from their mistakes, like the TLS working group itself. d) Layering. This draft in particular is bound the semantics of several TLS extensions. Not only does the application need to know the result of the token binding extension, it needs to know whether or not the extended master secret has been used. Depending on the correct calculation of a master secret is an esoteric point that applications may forget to enforce. Channel-ID is problematic because it introduces additional complexity at the TLS layer and introduces privacy issues. Token Binding improves this by putting the messages at the application layer, but at the cost of also bringing the public key cryptography into the application. Is there a middle ground? I suggest there is. Here's a proposal: rather than defining the signature algorithm and the binding to the exporter at the application layer, leverage the TLS library itself to do the binding. This can be done with Exported Authenticators ( https://tools.ietf.org/html/draft-sullivan-tls-exported-authenticator-01) The basic idea is that the application provides a private key and certificate to the TLS library and the TLS library returns a binding of that certificate to the connection called an "exported authenticator". This opaque binding can be transported by the application from one party to another. The receiving party can pass the exported authenticator into the TLS library, which returns the certificate if it's valid and bound to the current connection. Under the hood, the exported authenticator looks like the triplet of TLS messages {Certificate, CertificateVerify and Finished} with an exporter as the handshake context. It maps very closely to what Token Binding is doing now, but eliminates the need for public key crypto in the application. Instead, the application layer just needs to pass around opaque blobs that can be decoded by the TLS library into certificates. To be more concrete about how this could work for the Token Binding protocol, a self-signed certificate could be used in place of the TokenBindingPublicKey and the exported authenticator could be used in place of the TokenBinding. The tokenbinding_type and extensions could be embedded in the certificate as X.509 extensions. Or application-defined TLS extensions. I don't know the exact right mapping, but it doesn't seem difficult to define. My proposed change would bring the following benefits: - signature algorithms support would evolve with TLS libraries rather than with application libraries and updates to this document - the "token binding key parameters" registry would no longer be needed - several pages would be eliminated from this draft - no public key crypto functions added to applications that don't currently use public key crypto Nick P.S. This proposal also has the interesting benefit of allowing token binding to be symmetrical. Both clients and servers could created token bindings. Currently the same exporter is used for both so there's a possibility of putting server token binding in the place of client token bindings.
- [Unbearable] Removing explicit public key crypto … Nick Sullivan
- Re: [Unbearable] Removing explicit public key cry… Andrei Popov