IETF Logo Mail Archive

Re: [Unbearable] Switching exporters for 0-RTT Token Binding

Andrei Popov <Andrei.Popov@microsoft.com> Thu, 27 April 2017 22:48 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2E21129457 for <unbearable@ietfa.amsl.com>; Thu, 27 Apr 2017 15:48:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lc9QoWMEhvWl for <unbearable@ietfa.amsl.com>; Thu, 27 Apr 2017 15:48:49 -0700 (PDT)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0091.outbound.protection.outlook.com [104.47.41.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0663412943C for <unbearable@ietf.org>; Thu, 27 Apr 2017 15:46:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=Hr66F7SAf5B7ww+C2DXvy0vijljWrLGccGNTx82XzpM=; b=k8FQzDh5+ZteGOqsKdc1wqU1yHGi5zaBxy0SaqOLJ5Pjw15+JGiAtanv1xUR/vI2LDO6yLTPXJG3m1c+YT9FqdDNx6xDconarrbSzRRDaleQz6iwVhjRqvkv5o6jrpnn17tqNtvjMVcRaCbATX5nUPG/0A5q60v+8Vj236eID1k=
Received: from SN1PR21MB0096.namprd21.prod.outlook.com (10.161.254.16) by SN1PR21MB0095.namprd21.prod.outlook.com (10.161.254.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1075.0; Thu, 27 Apr 2017 22:46:19 +0000
Received: from SN1PR21MB0096.namprd21.prod.outlook.com ([10.161.254.16]) by SN1PR21MB0096.namprd21.prod.outlook.com ([10.161.254.16]) with mapi id 15.01.1075.000; Thu, 27 Apr 2017 22:46:19 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Nick Harper <nharper@google.com>, Benjamin Kaduk <kaduk@mit.edu>
CC: IETF Tokbind WG <unbearable@ietf.org>
Thread-Topic: [Unbearable] Switching exporters for 0-RTT Token Binding
Thread-Index: AQHSuJKlo0yoEMvGZUCTm+Pgzz+4KKHNhPAAgAxI7ICAAAxqsA==
Date: Thu, 27 Apr 2017 22:46:18 +0000
Message-ID: <SN1PR21MB0096D78DF3E9C07B23DC76078C100@SN1PR21MB0096.namprd21.prod.outlook.com>
References: <CACdeXiLF3G8tBO5z5L2mfe5N-kYMv_4TNFS2_0YdecquMM_kuw@mail.gmail.com> <20170420020846.GY30306@kduck.kaduk.org> <CACdeXiLPb-QwLhG89ahV_q8q3n16jA+WEnsTzKTAyMtYcVF4Pw@mail.gmail.com>
In-Reply-To: <CACdeXiLPb-QwLhG89ahV_q8q3n16jA+WEnsTzKTAyMtYcVF4Pw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: google.com; dkim=none (message not signed) header.d=none;google.com; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:6::4ca]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; SN1PR21MB0095; 7:+MMM9qO80CC0tLBUenvFmg/bekv+j5bg7UKJTGVtViXBrw2AowVkhL4H1x58MJo0Toq3ufY01/Aq8mWwI2CF9Ix8YSlonPw9UtFtgfFpYSxFZzuCX3qGsmT2XC5KRajal5Jl+gmbNfMUSUjg7pDDo+HfRYHDB8G6pKznZtEmGbbf6y/0A7f37btL9P36APpsh82ER8u7FxNiWzapPNkckp+80RfyI1kkHDfUs7WzdGSp5MNHstmqPX0zr7cXbTkelVYmeOAtc671ghbfj0IxCCmr4I9B2pNmhg/nBd8/tx3kWL7GHqSNKzJBT/8MLuRyqBXgvbdU13ULPlKPBxirFEuTSNU0qdR7JhB+wtHPVT4=
x-ms-office365-filtering-correlation-id: c4a53800-8d6e-4c64-997f-08d48dbf3881
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(48565401081)(201703131423075)(201703031133081); SRVR:SN1PR21MB0095;
x-microsoft-antispam-prvs: <SN1PR21MB009530C922E20B15D07219FF8C100@SN1PR21MB0095.namprd21.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705)(189930954265078)(100405760836317)(219752817060721);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040450)(601004)(2401047)(5005006)(8121501046)(10201501046)(93006095)(93001095)(3002001)(6055026)(61426038)(61427038)(6041248)(20161123562025)(20161123555025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123560025)(20161123564025)(20161123558100)(6072148); SRVR:SN1PR21MB0095; BCL:0; PCL:0; RULEID:; SRVR:SN1PR21MB0095;
x-forefront-prvs: 029097202E
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39450400003)(39400400002)(39860400002)(39840400002)(39410400002)(39850400002)(377454003)(13464003)(24454002)(10090500001)(76176999)(54356999)(2171002)(122556002)(50986999)(6246003)(4326008)(53936002)(189998001)(99286003)(6306002)(55016002)(7736002)(9686003)(305945005)(53546009)(25786009)(38730400002)(81166006)(2900100001)(8990500004)(8936002)(8676002)(561944003)(5005710100001)(102836003)(6116002)(3280700002)(2950100002)(3660700001)(74316002)(7696004)(33656002)(10290500003)(2906002)(86362001)(77096006)(86612001)(6506006)(5660300001)(6436002)(229853002); DIR:OUT; SFP:1102; SCL:1; SRVR:SN1PR21MB0095; H:SN1PR21MB0096.namprd21.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Apr 2017 22:46:19.0338 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN1PR21MB0095
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/nmsGGC2raLUZa2RAHMEnv--AhiU>
Subject: Re: [Unbearable] Switching exporters for 0-RTT Token Binding
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Apr 2017 22:48:51 -0000

If one is willing to do TB without POP, then one will probably appreciate a simpler way to do this, with fewer moving parts and less room for interop issues. (IMHO, the value of TB without POP approaches zero, but that's a separate discussion.)

The extra complexity of upgrading to secure TB after a bound token and associated application message(s) have been accepted and processed does not increase security in the common use-cases that I can think of.

Cheers,

Andrei

-----Original Message-----
From: Unbearable [mailto:unbearable-bounces@ietf.org] On Behalf Of Nick Harper
Sent: Thursday, April 27, 2017 2:45 PM
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] Switching exporters for 0-RTT Token Binding

On Wed, Apr 19, 2017 at 7:08 PM, Benjamin Kaduk <kaduk@mit.edu> wrote:
> On Tue, Apr 18, 2017 at 03:24:40PM -0700, Nick Harper wrote:
>> One of the issues raised in Chicago around 0-RTT Token Binding is 
>> whether or not to switch from the 0-RTT exporter to the normal 
>> exporter, and I'd like to get some feedback from the Working Group on 
>> this.
>>
>> The two options I'm considering are as follows:
>> 1) Always use the 0-RTT exporter on connections where 0-RTT data is accepted.
>> 2) Use the 0-RTT exporter for Token Binding messages sent in 0-RTT.
>> The client switches to using the normal exporter soon after the 
>> handshake finishes, but it may send some Token Binding messages 
>> post-handshake using the 0-RTT exporter.
>> In both cases, if the server rejects 0-RTT data, the client uses the 
>> normal exporter (i.e. the client behaves the same as in TBPROTO).
>
> To make the obligatory statement of hopefully obvious facts, 0-RTT 
> data MUST NOT be used absent a profile that defines its use.
> Presumably the situation of most interest here is HTTP right now, and 
> many people would presume that the HTTP profile for early data will 
> say "just concatenate the two streams", but those are just 
> presumptions.  Perhaps some other profile would be appropriate for 
> non-HTTP cases, though with no concrete proposal it hardly seems worth 
> time to think about other than to note that whatever decision may be 
> reached here might be limited to HTTP in its applicability.
>
> If one presupposes that the profile for the use of 0-RTT is 
> "concatenate the streams", then the arguments against (1) are weakened 
> (though not entirely removed).  But I'm not sure what level of 
> consensus there is for such a (pre)supposition.

I have definitely been assuming an application profile of HTTP that concatenates the streams, and the use-case in mind for 0-RTT Token Binding is with HTTP.
>
> Having not fully thought through the matter, I still lean towards (2), 
> with the justification that token binding can be thought of as an 
> attempt to prove live possession of a key [associated to a token] on a 
> connection where that token is used.  The 0-RTT exporter does not have 
> a server contribution, so it's hard to really prove liveness of 
> possession using just it.  I acknowledge that there is engineering 
> work remainng to be done in making (2) practical/usable, and am not 
> really in a position to contribute much to that work, but that's my 
> current thinking on the matter.
>
> -Ben

I have similar reservations for (1) in that it doesn't really prove liveness of possession, but (2) only has this liveness of possession at some points in the protocol (i.e. after it has switched exporters).
If a server is doing 0-RTT Token Binding, then it doesn't need the stronger exporter for all requests - the weaker exporter is fine for some. I don't see a reason to upgrade partway through to the stronger exporter just because it is stronger. However, if there are use cases for accepting the weaker exporter at the beginning of a connection but then requiring the stronger exporter later in the connection, then (2) sounds like a good idea. (Preferring the stronger exporter isn't enough for this use case - it would need to require it, and absent option (2) the implementer of this use case would put the requests needing the stronger exporter on a separate, non-0-RTT, connection.)

For those considering implementing 0-RTT Token Binding, do you have any such use cases in mind or is option (1) good?

_______________________________________________
Unbearable mailing list
Unbearable@ietf.org
https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Funbearable&data=02%7C01%7CAndrei.Popov%40microsoft.com%7Cc470223592b2491dd71c08d48db72ee5%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C636289265288924355&sdata=H98Owo1uWbXf11VGgzmau3XH3aGzYuNA27pOOaJtxBc%3D&reserved=0

v2.31.3 | Report a Bug | By Email | System Status