[Unbearable] Possible attack on Token Binding with RSA key exchange
Nick Harper <nharper@google.com> Fri, 01 September 2017 22:04 UTC
From: Nick Harper <nharper@google.com>
Date: Fri, 01 Sep 2017 15:03:37 -0700
Message-ID: <CACdeXiJK_=C8-DB=jd=pTb5VBT250_3+ptScqT5S_kDPDZK+qg@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/neZEoQs6Mig1l8sY1lRh_6Zye_M>
Subject: [Unbearable] Possible attack on Token Binding with RSA key exchange
I came across an attack on Token Binding today, which I think is worth addressing in TBPROTO in some fashion (likely another paragraph in Security Considerations). This attack involves an adversary with the private key of a server it wishes to impersonate, and was mentioned in draft-balfanz-tls-channelid in the last paragraph of its Security Considerations.

In brief, if an attacker has possession of a server's private key, it can hijack a TLS connection between client and server if the connection uses RSA key exchange instead of (EC)DHE key exchange, which allows the attacker to exercise the bound token without possession of the Token Binding private key.

I realize that we're past WGLC at this point, but I think this should be addressed. On one end, we could require forward-secret key exchange modes with Token Binding. We could also describe this specific attack in the Security Considerations, or we could expand the Security Considerations to describe what attacks are and aren't in the Token Binding threat model, to say that attacks where the adversary has the server's private key are out of scope.
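The mechanics behind the attack described above, as an added model that is not part of the original message or of any Token Binding implementation: a toy TLS 1.2 handshake in which the attacker holds the server's private key and sits between client and server. Under RSA key exchange the attacker relays both Hellos and the ClientKeyExchange unchanged and decrypts the premaster secret with the leaked key, so all three parties derive the same master secret and the same Token Binding EKM (RFC 5705 exporter, RFC 8471 label), and the client's TokenBinding signature verifies on the server's leg even though the attacker never touched the Token Binding private key. Under DHE the attacker can still impersonate the server toward the client (it can sign its own ServerKeyExchange with the leaked key), but the two legs then have different premasters and different EKMs, so the relayed signature fails. The RSA moduli (products of Mersenne primes, no padding), the 127-bit DH group, and the omission of the handshake signature and record-layer keys are constructed simplifications for the demo and are insecure.

```python
import hashlib
import hmac
import secrets

# ---- TLS 1.2 PRF (RFC 5246, section 5) and the Token Binding exporter ----
def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256(secret, label + seed) truncated to `length` bytes."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()           # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]

def master_secret(premaster: bytes, cr: bytes, sr: bytes) -> bytes:
    return prf(premaster, b"master secret", cr + sr, 48)

def token_binding_ekm(master: bytes, cr: bytes, sr: bytes) -> bytes:
    # RFC 5705 exporter, label from RFC 8471 section 3, no context, 32 bytes
    return prf(master, b"EXPORTER-Token-Binding", cr + sr, 32)

# ---- Toy textbook RSA on Mersenne primes (constructed, no padding, insecure) ----
E = 65537
def rsa_keypair(p: int, q: int):
    n = p * q
    return (E, n), (pow(E, -1, (p - 1) * (q - 1)), n)   # (pub, priv) as (exponent, n)

SERVER_PUB, SERVER_PRIV = rsa_keypair(2**521 - 1, 2**127 - 1)  # SERVER_PRIV is the leaked key
TB_PUB, TB_PRIV = rsa_keypair(2**607 - 1, 2**89 - 1)          # client's Token Binding key

def rsa_encrypt(pub, m: bytes) -> int:
    return pow(int.from_bytes(m, "big"), *pub)

def rsa_decrypt(priv, c: int, length: int) -> bytes:
    return pow(c, *priv).to_bytes(length, "big")

def tb_sign(priv, ekm: bytes) -> int:
    return pow(int.from_bytes(hashlib.sha256(ekm).digest(), "big"), *priv)

def tb_verify(pub, ekm: bytes, sig: int) -> bool:
    return pow(sig, *pub) == int.from_bytes(hashlib.sha256(ekm).digest(), "big")

# ---- Toy finite-field DH (constructed 127-bit group, insecure) ----
DH_P, DH_G = 2**127 - 1, 3
def dh_keypair():
    x = secrets.randbelow(DH_P - 3) + 2
    return x, pow(DH_G, x, DH_P)

def dh_shared(x: int, peer_pub: int) -> bytes:
    return pow(peer_pub, x, DH_P).to_bytes(16, "big")

# ---- Scenario 1: RSA key exchange, attacker holds the server's private key ----
def rsa_mitm() -> dict:
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)  # Hellos relayed unchanged
    premaster = b"\x03\x03" + secrets.token_bytes(46)           # client's 48-byte premaster
    ckx = rsa_encrypt(SERVER_PUB, premaster)                    # ClientKeyExchange, relayed unchanged
    ekm_client = token_binding_ekm(master_secret(premaster, cr, sr), cr, sr)
    tb_sig = tb_sign(TB_PRIV, ekm_client)                       # client's TokenBinding signature
    # Attacker decrypts the relayed ClientKeyExchange with the leaked key ...
    ekm_attacker = token_binding_ekm(master_secret(rsa_decrypt(SERVER_PRIV, ckx, 48), cr, sr), cr, sr)
    # ... and the server, with the same randoms and premaster, derives the same EKM.
    ekm_server = token_binding_ekm(master_secret(rsa_decrypt(SERVER_PRIV, ckx, 48), cr, sr), cr, sr)
    return {"ekm_legs_match": ekm_attacker == ekm_client == ekm_server,
            "server_accepts_binding": tb_verify(TB_PUB, ekm_server, tb_sig)}

# ---- Scenario 2: DHE with the same leaked key, attacker actively splits the connection ----
def dhe_mitm() -> dict:
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    s_priv, s_pub = dh_keypair()                  # real server's share
    c_priv, c_pub = dh_keypair()                  # real client's share
    a_to_server, a_to_server_pub = dh_keypair()   # attacker's share toward the server
    a_to_client, a_to_client_pub = dh_keypair()   # attacker's share toward the client, signed with the leaked key
    pm_client_leg = dh_shared(c_priv, a_to_client_pub)
    pm_server_leg = dh_shared(s_priv, a_to_server_pub)
    assert pm_client_leg == dh_shared(a_to_client, c_pub)   # attacker knows both legs' secrets ...
    assert pm_server_leg == dh_shared(a_to_server, s_pub)   # ... but they are different secrets
    ekm_client = token_binding_ekm(master_secret(pm_client_leg, cr, sr), cr, sr)
    ekm_server = token_binding_ekm(master_secret(pm_server_leg, cr, sr), cr, sr)
    tb_sig = tb_sign(TB_PRIV, ekm_client)         # client binds to the EKM of ITS leg only
    return {"ekm_legs_match": ekm_client == ekm_server,
            "server_accepts_binding": tb_verify(TB_PUB, ekm_server, tb_sig)}

if __name__ == "__main__":
    print("RSA key exchange:", rsa_mitm())
    print("DHE key exchange:", dhe_mitm())
```

In the DHE case the attacker's only other option is to relay the DH shares untouched, in which case it never learns the premaster and can neither read nor inject traffic; either way the bound token cannot be exercised without the Token Binding private key. Requiring forward-secret key exchange, as the first option above suggests, is what removes the RSA case.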