IETF Logo Mail Archive

Re: [Unbearable] ramifications of longer EKMs

Brian Campbell <bcampbell@pingidentity.com> Thu, 23 February 2017 00:09 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 82FE8129CDA for <unbearable@ietfa.amsl.com>; Wed, 22 Feb 2017 16:09:31 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KThFZHE4JNkg for <unbearable@ietfa.amsl.com>; Wed, 22 Feb 2017 16:09:28 -0800 (PST)
Received: from mail-yb0-x231.google.com (mail-yb0-x231.google.com [IPv6:2607:f8b0:4002:c09::231]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94577129CD1 for <unbearable@ietf.org>; Wed, 22 Feb 2017 16:09:28 -0800 (PST)
Received: by mail-yb0-x231.google.com with SMTP id a5so5089774ybb.2 for <unbearable@ietf.org>; Wed, 22 Feb 2017 16:09:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=gmail; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=Jirn5KL/Ud3aMB7rEyibM3BykG7splW6zJsWA1Yq/RU=; b=pmYR+fz4jLujeBrg5WX4+80jb1ozKYxrzI5lOJdJ9blaLxtAoYRSLjv01RMmwQssx8 2ZJwmdKoWYN7RM3hZfMWwdZ2ctW6sJ2+qH+KPZECApECjdJDTiPTF7qtE+JCKPmi2P20 Wirvi94pN3dZaIin7+b9KUIYHQfhAlJjHC9b8=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=Jirn5KL/Ud3aMB7rEyibM3BykG7splW6zJsWA1Yq/RU=; b=hRSYXENa47Zu/istrzdjfh/oJGsrriU1FUuViuxSf82OyMvY6TdCEanR97rr41KBz1 QoV2gq6Bl5huliVOpYHZqI5nY/9e7Ik7TspxYeRD6sYchCEYedqTT5mOexWs57m1DJoO R7qY4aNINf7abrEF3IQBN2QEulDK5Ji3N9fWz7A2PAdArI82upWzPLkwLYeWVwHT9h2D b5e7BB2A3jDtfNL+t3gz+PS9O1E0Hv/8sQ1ekxz/nYtvX1B62DjsMKi8bgKDcjybjlsg /YufRiTAYXlIdLgb4cZkaFDcSK8qIVx0RDjGUWXi2Rkbs3Yfl9da1kjkhxM2tfgUyd4O cUbw==
X-Gm-Message-State: AMke39nSphf+G86yGOEofUxphQ/XLe58m67zvw1bLJ20NZvGHkInCjBr+nrdnphuUaK2/b16ytMkRIJRT2CkYRWc
X-Received: by 10.37.163.38 with SMTP id d35mr5178828ybi.32.1487808567598; Wed, 22 Feb 2017 16:09:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.37.126.131 with HTTP; Wed, 22 Feb 2017 16:08:57 -0800 (PST)
In-Reply-To: <CY1PR0301MB0842D765811AA4C37AE332938C500@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CA+k3eCTRAdwW9xj2JRcs7LwgXJtWj=zDFrZVGJVLmV-vHuYstw@mail.gmail.com> <CY1PR0301MB0842D765811AA4C37AE332938C500@CY1PR0301MB0842.namprd03.prod.outlook.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Wed, 22 Feb 2017 17:08:57 -0700
Message-ID: <CA+k3eCQw4KErXHrQWx=uEmf6OKvp9nGQYiC2nWk4+exorxjDCg@mail.gmail.com>
To: Andrei Popov <Andrei.Popov@microsoft.com>
Content-Type: multipart/alternative; boundary="94eb2c19a52c2a803f0549276d3e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/quUPRCbsxA55HpRUdf6R5j07KIw>
Cc: IETF Tokbind WG <unbearable@ietf.org>
Subject: Re: [Unbearable] ramifications of longer EKMs
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 00:09:31 -0000

>
> The WG decided that the negotiated TB key parameters (specifically,
> signature scheme), rather than TB version, determine the size of the EKM.
> This means that a “dumb” (or “slim”?) TTRP supporting TB vX does not
> guarantee compatibility with all TB key types that may be defined (perhaps,
> after the TTRP ships) for TB vX.
>

That's true. And matching up supported TB key parameters will likely be a
challenge for the currently proposed TTRP support model regardless.

Parsing TB messages at TTRP is not necessary: the TTRP could pass along all
> EKM lengths it supports (at the cost of extra bytes on the wire). Even
> then, a new signature scheme can be defined requiring an EKM length that is
> not supported by the TTRP.
>

That's a good point and an approach I hadn't considered. Allows for the
TTRP stay similarly "dumb"/"slim".  The extra bytes cost is not ideal and
it's feels a little ugly. But would probably be better than the parsing
approach I was thinking of.


>
>
> My preferred option is 3), where TB v 1.0 will only ever use 32-byte EKM
> values. Future TB versions may define some other EKM(s).
>
> I could live with option 1) as well, but then I would be reluctant to
> negotiate those TB key parameters that require a different EKM length (for
> TB v 1.0). Which effectively turns option 1) into option 3) J.
>

I don't know that it would necessarily turn option 1) into option 3) but I
can see and concede the point.


> Option 2) does not make sense to me, because TTRP can’t realistically
> require one particular model of TB processing in a datacenter (as there is
> little reason for a datacenter operator to comply).
>

I'm not sure I follow this?

I'd think, if this kind of model was used, a TTRP could do all the TB
validation work and just expose the TB ID(s) to the backend where they can
bind to whatever tokens/cookies they are issuing. The backend apps would
only be able to use TB key parameters that the TTRP supports but that's
pretty much true of the other model too - the TTRP still is the one
negotiating.


> Option 4) defeats the purpose of having per-signature-scheme EKM lengths.
> If we don’t care for per-signature-scheme EKM lengths, then we should go
> with 3).
>

It only defeats the purpose of having per-signature-scheme EKM lengths in
the case of a refereed TB using a longer EKM than the provided. Which
should be a much less common occurrence and something that would dissipate
over time as the new TB key parameters type gets adopted/deployed.



On Wed, Feb 22, 2017 at 4:32 PM, Andrei Popov <Andrei.Popov@microsoft.com>
wrote:

> The WG decided that the negotiated TB key parameters (specifically,
> signature scheme), rather than TB version, determine the size of the EKM.
> This means that a “dumb” (or “slim”?) TTRP supporting TB vX does not
> guarantee compatibility with all TB key types that may be defined (perhaps,
> after the TTRP ships) for TB vX.
>
>
>
> Ø  It's even less ideal for the model that's proposed in HTTPS Token
> Binding and TLS Terminating Reverse Proxies
> <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term-00> because
> the TLS Terminating Reverse Proxy (TTRP), which we are trying to keep as
> "dumb" as possible, has to process the TokenBindingMessage to know the
> length of the EKM(s) that it will pass along in the Token-Binding-Context
> header/message.
>
> Parsing TB messages at TTRP is not necessary: the TTRP could pass along
> all EKM lengths it supports (at the cost of extra bytes on the wire). Even
> then, a new signature scheme can be defined requiring an EKM length that is
> not supported by the TTRP.
>
>
>
> My preferred option is 3), where TB v 1.0 will only ever use 32-byte EKM
> values. Future TB versions may define some other EKM(s).
>
> I could live with option 1) as well, but then I would be reluctant to
> negotiate those TB key parameters that require a different EKM length (for
> TB v 1.0). Which effectively turns option 1) into option 3) J.
>
> Option 2) does not make sense to me, because TTRP can’t realistically
> require one particular model of TB processing in a datacenter (as there is
> little reason for a datacenter operator to comply).
>
> Option 4) defeats the purpose of having per-signature-scheme EKM lengths.
> If we don’t care for per-signature-scheme EKM lengths, then we should go
> with 3).
>
>
>
> Cheers,
>
>
>
> Andrei
>
>
>
>
>
> *From:* Unbearable [mailto:unbearable-bounces@ietf.org] *On Behalf Of *Brian
> Campbell
> *Sent:* Wednesday, February 22, 2017 1:53 PM
> *To:* IETF Tokbind WG <unbearable@ietf.org>
> *Subject:* [Unbearable] ramifications of longer EKMs
>
>
>
> Shortly after Seoul TBPROTO-11 "Clarified that other signature schemes
> may require longer exporter output
> <https://github.com/TokenBinding/Internet-Drafts/commit/cac99f7c9337f32c8573c878878d4da7f9eeb186>",
> which generally seems like a good thing in terms of facilitating
> cryptographic agility going forward (i.e. a super-duper signature scheme
> might need to sign over a longer EKM to realize its super-duperness).
>
> However, that future TokenBindingKeyParameters type might use a longer EKM
> has some ramifications when a TokenBindingMessage has more than one
> TokenBinding that maybe weren't fully considered. A server has to parse the
> TokenBindingMessage and look at the TokenBindingKeyParameters of each
> TokenBinding in order to know the length of the EKM to use in validating
> the signature on each. And possibly have to get two (or more) different EKM
> values to service a single TokenBindingMessage or request. This situation
> only occurs when a referred_token_binding is sent but that's a valid case
> that needs to be handled and the server can't really know if it's there
> without parsing the message. So rather than getting the EKM based on the
> negotiated key parameters type, the whole TokenBindingMessage needs to
> effectively be preprocessed.
>
> It's certainly possible to do things that way but it seems potentially
> error prone (especially given that all the currently defined
> TokenBindingKeyParameters use 32 byte EKMs so there's likely an
> ossification effect) and less than ideal.
>
> It's even less ideal for the model that's proposed in HTTPS Token Binding
> and TLS Terminating Reverse Proxies
> <https://tools.ietf.org/html/draft-campbell-tokbind-tls-term-00> because
> the TLS Terminating Reverse Proxy (TTRP), which we are trying to keep as
> "dumb" as possible, has to process the TokenBindingMessage to know the
> length of the EKM(s) that it will pass along in the Token-Binding-Context
> header/message. The Token-Binding-Context message also would need to be
> updated to allow for more than one EKM value. That feels rather ugly and
> somewhat undermines the effort to keep as much TB related processing out of
> the TTRP as possible.
>
> Thoughts on this?
>
> Seems to me like there are a few options,
>
> 1) Leave it as it is and suck up the complexity on the server side and in
> the TTRP spec.
>
> 2) Leave it as it is and suck up the complexity on the server side but
> change the model of the TTRP spec to do token binding validation and
> processing in the TTRP and pass just validated TokenBindingIDs (or
> something) to the back-end/origin server
>
> 3) Go back to TB only ever using 32 byte EKM values, which isn't as crypto
> agile but will likely be good enough for a long long time
>
> 4) Change things so that the EKM length used for all the TokenBindings in
> a single TokenBindingMessage is determined by the negotiated key parameters
> type. This simplifies things considerably while still providing some
> agility. The downside is not getting the benefits of a longer EKM when a
> referred would use it but the provided doesn't. Which doesn't seem that bad
> actually.
>
> 5) Something else and/or I'm confused and made a mistake in thinking about
> this whole issue.
>
>
>
>
>
>
>
>

v2.29.0 | Report a Bug | By Email | System Status