Re: [Wimse] Request Binding Proofs for Workload Identities
Joseph Salowey <joe@salowey.net> Sun, 03 December 2023 22:06 UTC
Return-Path: <joe@salowey.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84D21C14F5E9 for <wimse@ietfa.amsl.com>; Sun, 3 Dec 2023 14:06:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g5imo2zrQWeA for <wimse@ietfa.amsl.com>; Sun, 3 Dec 2023 14:05:58 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 739D6C14F5E5 for <wimse@ietf.org>; Sun, 3 Dec 2023 14:05:58 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2c9f57d9952so13344251fa.3 for <wimse@ietf.org>; Sun, 03 Dec 2023 14:05:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1701641156; x=1702245956; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NdXQBmV00KgPBNkXaTdjf861DkgVxpYoHTvrDX1Zq8E=; b=Zx1tjSv5tMgh7VmJ5BINeErttITVfBvkRAlIKtmihVzAN9oVF3vkpvxG+lUIyjB9Tn cNmTgG6TPN6XNPxVW2vV5k4keU/mW+xWgvdf21olOjMZlZ2arm5l7ri6bFXVYxKRtIlZ udwPo5oIHVPUiicO00CEmL23VMs5FCxPVhLfevvHe+VFp8xHtBLPSit8HtK0QcFKeBwd 0ZUOC4oNWUf/LOYRUVyUbXp0Kg0xosG8xeodEm9gx/IPzjHngJuPZN/ktyVR19TktacJ isInyqUcQ3NcA4lclM7qzz+64IRnK+xYYFSmsbFQaAyHHrfucJZgIVD56JVPsBZdOHbH T54A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701641156; x=1702245956; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NdXQBmV00KgPBNkXaTdjf861DkgVxpYoHTvrDX1Zq8E=; b=JBLHL1oOJo2Z6swbRF47GUy6n0CDuszpFdsH9lxKeyUU91IhO0/PtgsSX+lqn6lEuM XQ+Ijp9NA6hWQ8aHLUVFnNnHBQFheXOb2lXqLJtzbyXU6o+D1veZ8WdaJnbltDmlY1f4 HKKlJrJK3BHg6NHav21Hy1J1hO8gufFQdTnYx+1O0b419ZzwTDWgmXJx0bmLs0DsC18W /duNlW930kHGu+JuLyTx8B//fTf7Y3uNqwKDtQUD2pN37gGIyiKPrFs6cS5RXfuCyL+m Sm7nBYIei1tTLuGCaK45FkvbN19JPSZLp7SwSwMlPQXwzaTnKXlsjrHydXgHau6C2lpr hT8g==
X-Gm-Message-State: AOJu0YwJiS7ixaQZfJXGZJTKB8fU7gQZbo7X4uHO7pHDKItyfFhNkwbY pZ36wbkppiJJrgv1cHB6x6CygqLJlQKUol0Ehg8oMw==
X-Google-Smtp-Source: AGHT+IFVA7CtA+PmHeb9ae9WNCFlnwr6+5DnKKey8NweE+3TNHNAm892Sq+VrVxNcKGwy44WVQTAhTjCFffQfXULQYg=
X-Received: by 2002:a2e:a0d3:0:b0:2ca:86c:fdf2 with SMTP id f19-20020a2ea0d3000000b002ca086cfdf2mr5771ljm.100.1701641156389; Sun, 03 Dec 2023 14:05:56 -0800 (PST)
MIME-Version: 1.0
References: <DBAPR83MB0422F6D97F9CF28A8FE303EC91BCA@DBAPR83MB0422.EURPRD83.prod.outlook.com> <1577f4bb-a1d5-4035-b274-2a89aafcebf4@gmx.net> <DBAPR83MB0422109C0A23D63D83A490989181A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB0422109C0A23D63D83A490989181A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sun, 03 Dec 2023 14:05:45 -0800
Message-ID: <CAOgPGoDTQjBz61WR+iOzFL=hvLxA_p9JMgtnhbmww9c2TNmkRQ@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "wimse@ietf.org" <wimse@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a97e40060ba234e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/xgf6LzLmYhgcy5RHobjD7R1hHGI>
Subject: Re: [Wimse] Request Binding Proofs for Workload Identities
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2023 22:06:02 -0000
On Fri, Dec 1, 2023 at 7:54 AM Pieter Kasselman <pieter.kasselman= 40microsoft.com@dmarc.ietf.org> wrote: > Hi Hannes > > > > I think we may want to distinguish between the different kinds of tokens > that are being used and the different purposes they are being used for. > > > > This proposal is not about making replay of OAuth Access Tokens, which > carries authorization information, detectable. We have solutions for that > (e.g. DPoP). > > > > The use cases I had in mind was more about those cases where tokens (in > JWT format) is used for identification\authentication scenarios. The > JWT-SVID is an example of this. Imagine a chain of workloads A->B->C. The > idea is that if Workload A authenticates to B with their token, and B then > uses A’s token to impersonate A to C, C can detect it (and preferably > reject it, or at least take it into account when making the authorization > decision, which may include other information from a transaction token, > time of day, the risk management engine and so forth). The proposal is to > create a proof (a JWS signature) that contains claims about the request. If > workload B presents workload A’s JWT to workload C, it will be unable to > produce a proof that binds it to the latest request. > > > > Perhaps we should just be as specific as calling it “Request Binding > Proofs for JWT SVIDs”, although I was hoping we could be a little more > generic as there are bound to be other places where JWTs are being used for > authentication in this way. > > > [Joe] I don't think we should tie this solely to JWT SVIDs, it can have broader applicability. In the description above I believe the proof is explicitly attached to a key (raw key or key in the form of an X.509 cert). There is a trend for deployments to move to shorter lived keys; will this result in failures due to key rotation. Should we include binding to a service identity as an alternative and require that the identity be attached to an authentication credential which requires strong proof of possession like an X509 SPIFFE Svid? > Does that help? > > > > Cheers > > > > Pieter > > > > *From:* Hannes Tschofenig <hannes.tschofenig@gmx.net> > *Sent:* Wednesday, November 29, 2023 3:37 PM > *To:* Pieter Kasselman <pieter.kasselman@microsoft.com>; wimse@ietf.org > *Subject:* Re: [Wimse] Request Binding Proofs for Workload Identities > > > > Hi Pieter, > > > > Am 28.11.2023 um 22:13 schrieb Pieter Kasselman: > > Hi folks > > > > The Constrained Credential Security use case that we identified in draft-gilman-wimse-use-cases-00 > - Workload Identity Use Cases (ietf.org) > <https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/> has been > coming up in a number of discussions. The absence of any good mitigations > is considered a risk, and given the prevalence of token theft along with > the attractiveness of a compromised workload identity, not an entirely > unjustified one. > > > > I would like to suggest a different term for this use case, something like > "capability restricted token" or "Tokens with reduced permissions". I think > this describes it much better since you are talking about limiting the > impact of token theft. The text in Section 4.10 of the OAuth Security BCP > then come to mind as possible solutions, such as sender-constrained access > tokens or audience-restricted access tokens. > > > > Before going into the details of your solution, I am wondering whether you > are expecting > > > > a) the "control plane" to provide a PoP-based service account token to the > workload, or > > b) that the authorization server provides the PoP token to the workload > when the workload presents the service account token. > > > > (Note that I am using the terms from > <draft-hofmann-wimse-workload-identity-bcp> to refer to the two different > entities issuing tokens.) > > > > Ciao > > Hannes > > > > In SPIFFE, for example, it would be highly desirable to have a way to bind > a JWT SVID to a transaction to enable workloads and cloud resources to > detect if the JWT SVID is being replayed, and if it is, to take it into > account when making an authorization decision (e.g. transaction with JWT > SVIDs that are being replayed are rejected). Existing mechanism like DPoP > that provide similar functionality to sender constrain Access Tokens does > not quite work (for reasons that Evan Gilman outlined in the BoF session). > > > > Proposed WIMSE Deliverable > > --------------------------------------- > > One proposal to address this is to introduce the concept of a Request > Binding Proof. A Request Binding Proof cryptographically binds a JWT (e.g. > JWT SVID) to a request in such a way that the JWT cannot be used with > another request without being detected by the recipient of the JWT. When a > workload makes a request to another workload or resource, it presents its > JWT credential (e.g. a JWT SVID), along with a Request Binding Proof. The > receiving workload will use the JWT as a way to authenticate the calling > workload and then verify that the Request Binding Proof to ensure the JWT > is used in the context of the current request. A specific application of > this binding mechanism is to bind a SPIFFE Verifiable Identity Document JWT > (SVID JWT) to a request. I would like to propose that the creation of a > standard for a Request Binding Proof should be a WIMSE deliverable. > > > > Strawman > > -------------- > > Making a quick strawman sketch of what a transaction binding proof might > look like, includes: > > > > 1. Include a reference to a public key or the public key itself to > JWT used by the workload (e.g. the JWT SVID does not include a public key > today) > 2. Define a request binding proof by profiling the JSON Web Signature > (JWS) specification to contain specific claims that can be bound to the > request. > > > > Some additional ideas below: > > > > Workload JWT claims (e.g. used as part of a JWT SVID extension) > > > -------------------------------------------------------------------------------------- > > To support request binding, JWTs MUST include a kid claim as defined in > https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4 (open > question, can this be the X5u or X5t parameter representing the X.509 SVID)? > > > > Request Binding Proof > > ----------------------------- > > The Request Binding Proof is a JWT [RFC7519] that is signed (using JSON > Web Signature (JWS) [RFC7515]) with a private key chosen by the workload. > The JOSE Header of a Request Binding Proof MUST contain at least the > following parameters: > > 1. typ: A field with the value dpop+jwt, which explicitly types the > DPoP proof JWT as recommended in Section 3.11 of [RFC8725]. > 2. alg: An identifier for a JWS asymmetric digital signature algorithm > from [IANA.JOSE.ALGS]. It MUST NOT be none or an identifier for a symmetric > algorithm (Message Authentication Code (MAC)). > 3. kid: Claim indicating which key was used to secure the JWS. It must > match the kid claim in the JWT SVID (open question, can this be the X5u or > X5t parameter representing the X.509 SVID). > > The JWS payload contains the following claims: > > 1. iat (Issued At): The timestamp at which the Transaction Binding > proof was created (REQUIRED) > 2. jti (JWT ID): A unique identifier for the JWT to mitigate replay > attacks (REQUIRED). > 3. tth: Hash of the Transaction Token (see transaction token draft: > https://datatracker.ietf.org/doc/draft-tulshibagwale-oauth-transaction-tokens/ > ). The value MUST be the result of a base64url encoding (as defined in > Section 2 of [RFC7515]) the SHA-256 [SHS] hash of the ASCII encoding of the > associated access token's value. (OPTIONAL) > 4. rqd: A claim, whose value is a JSON object the describes the > request details bound to the workload identity. The contents of the rqd > claim changes, depending on the typeof request. > > The JSON value of the rqd claim MAY include the following values, > depending on the request type (these are meant to illustrative and may not > be the most appropriate, correct or sufficient – a topic for discussion): > > 1. htm: The value of the HTTP method (Section 9.1 of [RFC9110]) of the > request to which the JWT is attached. This value MUST be used if the > request is an HTTP request. > 2. htu: The HTTP target URI (Section 7.1 of [RFC9110]) of the request > to which the JWT is attached, without query and fragment parts. This value > MUST be used if the request is an HTTP request. > 3. krt: The Kafka Request Type. This value MUST be used if this is a > Kafka request. > 4. ktn: The Kafka Topic name to which the request is being directed. > This value MUST be used if this is a Kafka request. > 5. ktp: The Kafka Partition within a topic. This value MUST be used if > this is a Kafka request. > 6. gsm: The gRPC service method. This value MUST be used if this is a > gRPC request. > 7. Other? > > The proof is generated by using the private key corresponding to the kid > claim in the JWT (e.g. JWT SVID) to sign over the JWT Request Binding Proof > (more details to be added). > > The Request Binding Proof is verified by using the public key > corresponding to the kid claim in the JWT (e.g. JWT SVID) to verify the > Transaction Binding Proof. In addition to the cryptographic verification, > the verifier MUST verify that: > > 1. The kid claim in the JWT SVID equals the kid claim in the > Transaction Bindng Proof > 2. The iat claim is in the accepted boundaries (less than 5 minutes > old). > 3. The tth claim matches the hash of the Transaction Token hash, if > one is used. > 4. The rqd claim contents matches the actual request details (e.g. htm > and htu parameters match). > 5. Additional verification steps to be added > > I would be happy to expand on the above and turn it into a ID draft if > there is interest in pursuing this further in WIMSE or elsewhere. > > Cheers > > Pieter > > > > > > > > > > > > -- > Wimse mailing list > Wimse@ietf.org > https://www.ietf.org/mailman/listinfo/wimse >
- [Wimse] Request Binding Proofs for Workload Ident… Pieter Kasselman
- Re: [Wimse] Request Binding Proofs for Workload I… Evan Gilman
- Re: [Wimse] Request Binding Proofs for Workload I… Hannes Tschofenig
- Re: [Wimse] Request Binding Proofs for Workload I… Pieter Kasselman
- Re: [Wimse] Request Binding Proofs for Workload I… Joseph Salowey
- Re: [Wimse] Request Binding Proofs for Workload I… Pieter Kasselman
- Re: [Wimse] Request Binding Proofs for Workload I… Joseph Salowey
- Re: [Wimse] Request Binding Proofs for Workload I… Pieter Kasselman
- Re: [Wimse] Request Binding Proofs for Workload I… Marco Marques
- Re: [Wimse] Request Binding Proofs for Workload I… Yaron Sheffer
- Re: [Wimse] Request Binding Proofs for Workload I… Pieter Kasselman