[Unbearable] 0-RTT Token Binding: When to switch exporters?
Nick Harper <nharper@google.com> Fri, 13 January 2017 20:30 UTC
Return-Path: <nharper@google.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77EAF129532 for <unbearable@ietfa.amsl.com>; Fri, 13 Jan 2017 12:30:45 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.899
X-Spam-Level:
X-Spam-Status: No, score=-5.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-3.199, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=google.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s2Ce-KmTxpYB for <unbearable@ietfa.amsl.com>; Fri, 13 Jan 2017 12:30:43 -0800 (PST)
Received: from mail-yw0-x22d.google.com (mail-yw0-x22d.google.com [IPv6:2607:f8b0:4002:c05::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9025B129511 for <unbearable@ietf.org>; Fri, 13 Jan 2017 12:30:43 -0800 (PST)
Received: by mail-yw0-x22d.google.com with SMTP id l75so38034706ywb.0 for <unbearable@ietf.org>; Fri, 13 Jan 2017 12:30:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=nDm9JWEtg62AvskH49bAoP065NcBNFu/8L1XIKbozIg=; b=VHqdKiZvad2kgYmA0yU82bPdFQQKDQ8I0PzYEH8W5cCME8LaDH0Px6UxXsjxOlq3Pw KqNCmX5phP9oAAMtklt0Nyh6cKvxzYcmVAgp2O8KKmgAldJsjlmvy8nkuYilD5iS9zJn VTOBviYz9Cw/cRs7lWyAz+eRkdOQUD1rYanb20tGhiKY8jH/H+YEfnAfFuEYI71sqy4V sccOgpzn34v5xFElnsUc1LQlNcfnp/iIwQP/m3P6uG4gHRmddkEH1GDpVQaZ3qxhj5Ia QlpvO5vZ3OOsgXGoFik2ufd71YY7UOlwA+fKrUSZnggnsihQPz1RymdjSA32MU6vUPKk Eygg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=nDm9JWEtg62AvskH49bAoP065NcBNFu/8L1XIKbozIg=; b=djtyqBW0wDJzR6MXqeyjOYMQvl6+Nftw0YA2J3+1cROafu4Y6sOnSExiO54OlbifkA MFhaW7kju6kHQsWY33Sv3sMqvQHTdf6jXejEQgFo4SKE7Stj7t2x/IPjwuRwD9PAn+Qf QYJCev8cRhlcMzra8fV3A7ZxkB7a9QFAUQ9vz3X6TZLDkv/1aYazWvDjMNVs7hr+itYF YqG3wTmqmjkEhVdnjTFdoKxrRaBL1xa41CJA4tJdGjbAmAHrSlQEBXuGv7Q+P6DvlWsW IaD/OAVqSydRFWqPENyk1zkcDhnWM4sj/pafGNRso3ouaWjxGkR13fDK8yP845+B1ErS BcSA==
X-Gm-Message-State: AIkVDXLrU/EETKRuAFcyjCrHjg5apYBmn2DOLKDhXGHAmHU2FzEsNcTH06u6oCJ3jz0Rh9S2kL2/HXjDzkjdgOra
X-Received: by 10.13.226.141 with SMTP id l135mr18891919ywe.77.1484339442439; Fri, 13 Jan 2017 12:30:42 -0800 (PST)
MIME-Version: 1.0
Received: by 10.129.161.87 with HTTP; Fri, 13 Jan 2017 12:30:22 -0800 (PST)
From: Nick Harper <nharper@google.com>
Date: Fri, 13 Jan 2017 12:30:22 -0800
Message-ID: <CACdeXiK2Hs=Kz_5OFryWR+9_t6nDL_p7NKjw=CwRsua_E5S9Mw@mail.gmail.com>
To: IETF Tokbind WG <unbearable@ietf.org>
Content-Type: multipart/alternative; boundary="001a114fbd5e31eaf20545ffb552"
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/waiABfhYxEEO1iovRWz7U37yYyI>
Subject: [Unbearable] 0-RTT Token Binding: When to switch exporters?
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Jan 2017 20:30:45 -0000
The current tokbind 0-RTT draft has the TLS 1.3 early exporter value used in the TokenBinding.signature for the entirety of the connection. One point of discussion that came up in Seoul was that we shouldn't use the 0-RTT exporter for too long. I agree that we shouldn't use it for too long, but I can't remember (or figure out from the meeting notes) if the reason is just because we prefer the crypto properties of the normal exporter, or are we also trying to prevent an attacker from being able to use the 0-RTT exporter indefinitely? For the first case, the switch from the 0-RTT exporter to the normal exporter can be client-initiated. One possible design would be to have the client send an extension in the TokenBinding indicating that all future TokenBindings will use the normal exporter. This would function similar to the ratcheting idea (from section 4.1 of the I-D), but the ratchet doesn't take effect until this indicator extension is sent (before it's sent the server would accept both exporters). This would likely be done in combination with the idea of defining new key types to indicate that the 0-RTT exporter is in use so the server doesn't do trial verification. If we want to move the switch from 0-RTT exporter to normal exporter out of the client's control (so that an attacker can't keep using the 0-RTT exporter indefinitely), a different solution is needed. One possible idea is to have the server send a message that conceptually means "all future TokenBindings must not use the 0-RTT exporter". Right now, Token Binding doesn't have any server-to-client messages, so this would require defining application-specific messages. Another way to move the change in exporters out of the client's control would be to do it at a time that is implicit in the protocol. An obvious choice would be switch exporters when the client switches from sending early data to sending data post-handshake.
- [Unbearable] 0-RTT Token Binding: When to switch … Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Martin Thomson
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Martin Thomson
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Eric Rescorla
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Nick Harper
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Bill Cox
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Denis
- Re: [Unbearable] 0-RTT Token Binding: When to swi… Andrei Popov