[Unbearable] Possible attack on Token Binding with RSA key exchange

Nick Harper <nharper@google.com> Fri, 01 September 2017 22:04 UTC

From: Nick Harper <nharper@google.com>
Date: Fri, 01 Sep 2017 15:03:37 -0700
Message-ID: <CACdeXiJK_=C8-DB=jd=pTb5VBT250_3+ptScqT5S_kDPDZK+qg@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/neZEoQs6Mig1l8sY1lRh_6Zye_M>
Subject: [Unbearable] Possible attack on Token Binding with RSA key exchange

I came across an attack on Token Binding today, which I think is worth
addressing in TBPROTO in some fashion (likely another paragraph in
Security Considerations). This attack involves an adversary with the
private key of a server it wishes to impersonate, and was mentioned in
draft-balfanz-tls-channelid in the last paragraph of its Security
Considerations.

In brief, if an attacker has possession of a server's private key, it
can hijack a TLS connection between client and server if the
connection uses RSA key exchange instead of (EC)DHE key exchange,
which allows the attacker to exercise the bound token without
possession of the Token Binding private key.

I realize that we're past WGLC at this point, but I think this should
be addressed. On one end, we could require forward-secret key exchange
modes with Token Binding. We could also describe this specific attack
in the Security Considerations, or we could expand the Security
Considerations to describe what attacks are and aren't in the Token
Binding threat model, to say that attacks where the adversary has the
server's private key are out of scope.
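One of the mitigations the message floats is to require a forward-secret key exchange whenever Token Binding is in use. The following is an added illustration of what such a gate looks like on the server side; it is not code from the Token Binding drafts, from the author, or from any TLS stack. It classifies a negotiated cipher suite by its key-exchange method (IANA and OpenSSL naming forms), treats only ephemeral (EC)DHE and TLS 1.3 as forward-secret, and refuses to treat tokens as bound otherwise. The function names, the classification table and the sample suite names in the self-check are this example's own choices; it goes slightly beyond the message by also excluding static DH/ECDH suites, where the server's certificate key fixes the premaster secret in the same way the RSA key does in RSA key exchange.

```python
"""Forward-secrecy gate for Token Binding (added example, not from the
Token Binding drafts or any TLS implementation).

A party holding the server's long-term private key can, with RSA key
exchange, recompute the session keys from the handshake and so hijack the
connection and exercise a bound token.  This gate refuses Token Binding on
any connection whose key exchange is not ephemeral (EC)DHE.
"""
import re
import ssl

# Key-exchange methods considered forward-secret.  TLS 1.3 always uses
# ephemeral (EC)DHE (PSK-only resumption is not considered here).
FORWARD_SECRET = {"DHE", "ECDHE", "TLS13"}

# Key-exchange tokens the classifier knows about (assumed naming set).
_KNOWN_KX = {"RSA", "DH", "ECDH", "DHE", "ECDHE", "PSK", "SRP"}

# OpenSSL short names omit the key-exchange token for RSA key exchange
# ("AES128-GCM-SHA256"); these leading tokens are the explicit ones, anything
# else in the OpenSSL form is RSA key exchange.
_OPENSSL_KX = {
    "ECDHE": "ECDHE", "DHE": "DHE", "EDH": "DHE",
    "AECDH": "ECDHE", "ADH": "DHE",      # anonymous, but still ephemeral
    "ECDH": "ECDH", "DH": "DH",          # static (EC)DH: not forward-secret
    "PSK": "PSK", "RSA": "RSA", "SRP": "SRP",
}


def key_exchange(cipher_suite: str) -> str:
    """Return the key-exchange method encoded in an IANA ("TLS_..._WITH_...")
    or OpenSSL ("ECDHE-RSA-AES128-GCM-SHA256") cipher-suite name.

    Result is one of RSA, DH, ECDH, DHE, ECDHE, PSK, SRP, TLS13 or UNKNOWN.
    """
    name = cipher_suite.strip().upper()
    if re.match(r"^TLS_(AES|CHACHA20)_", name):   # TLS 1.3 suites name no kx
        return "TLS13"
    m = re.match(r"^TLS_([A-Z]+)(?:_[A-Z]+)?_WITH_", name)  # TLS_<KX>[_<AUTH>]_WITH_
    if m:
        return m.group(1) if m.group(1) in _KNOWN_KX else "UNKNOWN"
    if name.startswith("TLS_"):
        return "UNKNOWN"
    tokens = name.split("-")
    if tokens[0] == "EXP":                        # export prefix, e.g. EXP-EDH-RSA-DES-CBC-SHA
        tokens = tokens[1:]
    return _OPENSSL_KX.get(tokens[0], "RSA")


def forward_secret(cipher_suite: str) -> bool:
    """True when the server's certificate key alone cannot recover the session keys."""
    return key_exchange(cipher_suite) in FORWARD_SECRET


def token_binding_decision(cipher_suite: str, tb_negotiated: bool) -> str:
    """Post-handshake decision for a connection.

    'none'   - Token Binding was not negotiated; nothing to gate.
    'use'    - negotiated on a forward-secret connection; tokens may be bound.
    'refuse' - negotiated, but the key exchange is not forward-secret: a
               holder of the server's private key could hijack this
               connection, so do not rely on the binding here.
    """
    if not tb_negotiated:
        return "none"
    return "use" if forward_secret(cipher_suite) else "refuse"


def audit_cipher_list(openssl_cipher_string: str) -> list:
    """Expand an OpenSSL cipher string as a server would and return the
    enabled suites that are NOT forward-secret (configuration review aid)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(openssl_cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if not forward_secret(c["name"])]


if __name__ == "__main__":
    # Constructed sample: (negotiated suite, Token Binding negotiated?)
    samples = [
        ("TLS_RSA_WITH_AES_128_GCM_SHA256", True),
        ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", True),
        ("TLS_ECDH_RSA_WITH_AES_256_CBC_SHA", True),
        ("TLS_AES_256_GCM_SHA384", True),
        ("AES128-SHA", True),
        ("DHE-RSA-AES256-GCM-SHA384", False),
    ]
    for suite, tb in samples:
        print(f"{suite:42s} kx={key_exchange(suite):6s} -> {token_binding_decision(suite, tb)}")
    print("not forward-secret:", audit_cipher_list("ECDHE+AESGCM:AES128-GCM-SHA256"))
```

`audit_cipher_list` is the piece to run against a real server's cipher string before enabling Token Binding; the pure functions are what a server would consult per connection after reading the negotiated suite.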