IETF Logo Mail Archive

Re: [Wimse] Request Binding Proofs for Workload Identities

Joseph Salowey <joe@salowey.net> Sun, 03 December 2023 22:06 UTC

Return-Path: <joe@salowey.net>
X-Original-To: wimse@ietfa.amsl.com
Delivered-To: wimse@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 84D21C14F5E9 for <wimse@ietfa.amsl.com>; Sun, 3 Dec 2023 14:06:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=salowey-net.20230601.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g5imo2zrQWeA for <wimse@ietfa.amsl.com>; Sun, 3 Dec 2023 14:05:58 -0800 (PST)
Received: from mail-lj1-x22b.google.com (mail-lj1-x22b.google.com [IPv6:2a00:1450:4864:20::22b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 739D6C14F5E5 for <wimse@ietf.org>; Sun, 3 Dec 2023 14:05:58 -0800 (PST)
Received: by mail-lj1-x22b.google.com with SMTP id 38308e7fff4ca-2c9f57d9952so13344251fa.3 for <wimse@ietf.org>; Sun, 03 Dec 2023 14:05:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=salowey-net.20230601.gappssmtp.com; s=20230601; t=1701641156; x=1702245956; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=NdXQBmV00KgPBNkXaTdjf861DkgVxpYoHTvrDX1Zq8E=; b=Zx1tjSv5tMgh7VmJ5BINeErttITVfBvkRAlIKtmihVzAN9oVF3vkpvxG+lUIyjB9Tn cNmTgG6TPN6XNPxVW2vV5k4keU/mW+xWgvdf21olOjMZlZ2arm5l7ri6bFXVYxKRtIlZ udwPo5oIHVPUiicO00CEmL23VMs5FCxPVhLfevvHe+VFp8xHtBLPSit8HtK0QcFKeBwd 0ZUOC4oNWUf/LOYRUVyUbXp0Kg0xosG8xeodEm9gx/IPzjHngJuPZN/ktyVR19TktacJ isInyqUcQ3NcA4lclM7qzz+64IRnK+xYYFSmsbFQaAyHHrfucJZgIVD56JVPsBZdOHbH T54A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1701641156; x=1702245956; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=NdXQBmV00KgPBNkXaTdjf861DkgVxpYoHTvrDX1Zq8E=; b=JBLHL1oOJo2Z6swbRF47GUy6n0CDuszpFdsH9lxKeyUU91IhO0/PtgsSX+lqn6lEuM XQ+Ijp9NA6hWQ8aHLUVFnNnHBQFheXOb2lXqLJtzbyXU6o+D1veZ8WdaJnbltDmlY1f4 HKKlJrJK3BHg6NHav21Hy1J1hO8gufFQdTnYx+1O0b419ZzwTDWgmXJx0bmLs0DsC18W /duNlW930kHGu+JuLyTx8B//fTf7Y3uNqwKDtQUD2pN37gGIyiKPrFs6cS5RXfuCyL+m Sm7nBYIei1tTLuGCaK45FkvbN19JPSZLp7SwSwMlPQXwzaTnKXlsjrHydXgHau6C2lpr hT8g==
X-Gm-Message-State: AOJu0YwJiS7ixaQZfJXGZJTKB8fU7gQZbo7X4uHO7pHDKItyfFhNkwbY pZ36wbkppiJJrgv1cHB6x6CygqLJlQKUol0Ehg8oMw==
X-Google-Smtp-Source: AGHT+IFVA7CtA+PmHeb9ae9WNCFlnwr6+5DnKKey8NweE+3TNHNAm892Sq+VrVxNcKGwy44WVQTAhTjCFffQfXULQYg=
X-Received: by 2002:a2e:a0d3:0:b0:2ca:86c:fdf2 with SMTP id f19-20020a2ea0d3000000b002ca086cfdf2mr5771ljm.100.1701641156389; Sun, 03 Dec 2023 14:05:56 -0800 (PST)
MIME-Version: 1.0
References: <DBAPR83MB0422F6D97F9CF28A8FE303EC91BCA@DBAPR83MB0422.EURPRD83.prod.outlook.com> <1577f4bb-a1d5-4035-b274-2a89aafcebf4@gmx.net> <DBAPR83MB0422109C0A23D63D83A490989181A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
In-Reply-To: <DBAPR83MB0422109C0A23D63D83A490989181A@DBAPR83MB0422.EURPRD83.prod.outlook.com>
From: Joseph Salowey <joe@salowey.net>
Date: Sun, 03 Dec 2023 14:05:45 -0800
Message-ID: <CAOgPGoDTQjBz61WR+iOzFL=hvLxA_p9JMgtnhbmww9c2TNmkRQ@mail.gmail.com>
To: Pieter Kasselman <pieter.kasselman=40microsoft.com@dmarc.ietf.org>
Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "wimse@ietf.org" <wimse@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a97e40060ba234e0"
Archived-At: <https://mailarchive.ietf.org/arch/msg/wimse/xgf6LzLmYhgcy5RHobjD7R1hHGI>
Subject: Re: [Wimse] Request Binding Proofs for Workload Identities
X-BeenThere: wimse@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: WIMSE Workload Identity in Multi-Service Environment <wimse.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/wimse>, <mailto:wimse-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/wimse/>
List-Post: <mailto:wimse@ietf.org>
List-Help: <mailto:wimse-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/wimse>, <mailto:wimse-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 03 Dec 2023 22:06:02 -0000

On Fri, Dec 1, 2023 at 7:54 AM Pieter Kasselman <pieter.kasselman=
40microsoft.com@dmarc.ietf.org> wrote:

> Hi Hannes
>
>
>
> I think we may want to distinguish between the different kinds of tokens
> that are being used and the different purposes they are being used for.
>
>
>
> This proposal is not about making replay of OAuth Access Tokens, which
> carries authorization information, detectable. We have solutions for that
> (e.g. DPoP).
>
>
>
> The use cases I had in mind was more about those cases where tokens (in
> JWT format) is used for identification\authentication scenarios. The
> JWT-SVID is an example of this. Imagine a chain of workloads A->B->C. The
> idea is that if Workload A authenticates to B with their token, and B then
> uses A’s token to impersonate A to C, C can detect it (and preferably
> reject it, or at least take it into account when making the authorization
> decision, which may include other information from a transaction token,
> time of day, the risk management engine and so forth). The proposal is to
> create a proof (a JWS signature) that contains claims about the request. If
> workload B presents workload A’s JWT to workload C, it will be unable to
> produce a proof that binds it to the latest request.
>
>
>
> Perhaps we should just be as specific as calling it “Request Binding
> Proofs for JWT SVIDs”, although I was hoping we could be a little more
> generic as there are bound to be other places where JWTs are being used for
> authentication in this way.
>
>
>
[Joe] I don't think we should tie this solely to JWT SVIDs, it can have
broader applicability.

In the description above I believe the proof is explicitly attached to a
key (raw key or key in the form of an X.509 cert).  There is a trend for
deployments to move to shorter lived keys; will this result in failures due
to key rotation.  Should we include binding to a service identity as an
alternative and require that the identity be attached to an
authentication credential which requires strong proof of possession like an
X509 SPIFFE Svid?




> Does that help?
>
>
>
> Cheers
>
>
>
> Pieter
>
>
>
> *From:* Hannes Tschofenig <hannes.tschofenig@gmx.net>
> *Sent:* Wednesday, November 29, 2023 3:37 PM
> *To:* Pieter Kasselman <pieter.kasselman@microsoft.com>; wimse@ietf.org
> *Subject:* Re: [Wimse] Request Binding Proofs for Workload Identities
>
>
>
> Hi Pieter,
>
>
>
> Am 28.11.2023 um 22:13 schrieb Pieter Kasselman:
>
> Hi folks
>
>
>
> The Constrained Credential Security use case that we identified in draft-gilman-wimse-use-cases-00
> - Workload Identity Use Cases (ietf.org)
> <https://datatracker.ietf.org/doc/draft-gilman-wimse-use-cases/> has been
> coming up in a number of discussions. The absence of any good mitigations
> is considered a risk, and given the prevalence of token theft along with
> the attractiveness of a compromised workload identity, not an entirely
> unjustified one.
>
>
>
> I would like to suggest a different term for this use case, something like
> "capability restricted token" or "Tokens with reduced permissions". I think
> this describes it much better since you are talking about limiting the
> impact of token theft. The text in Section 4.10 of the OAuth Security BCP
> then come to  mind as possible solutions, such as sender-constrained access
> tokens or audience-restricted access tokens.
>
>
>
> Before going into the details of your solution, I am wondering whether you
> are expecting
>
>
>
> a) the "control plane" to provide a PoP-based service account token to the
> workload, or
>
> b) that the authorization server provides the PoP token to the workload
> when the workload presents the service account token.
>
>
>
> (Note that I am using the terms from
> <draft-hofmann-wimse-workload-identity-bcp> to refer to the two different
> entities issuing tokens.)
>
>
>
> Ciao
>
> Hannes
>
>
>
> In SPIFFE, for example, it would be highly desirable to have a way to bind
> a JWT SVID to a transaction to enable workloads and cloud resources to
> detect if the JWT SVID is being replayed, and if it is, to take it into
> account when making an authorization decision (e.g. transaction with JWT
> SVIDs that are being replayed are rejected). Existing mechanism like DPoP
> that provide similar functionality to sender constrain Access Tokens does
> not quite work (for reasons that Evan Gilman outlined in the BoF session).
>
>
>
> Proposed WIMSE Deliverable
>
> ---------------------------------------
>
> One proposal to address this is to introduce the concept of a Request
> Binding Proof. A Request Binding Proof cryptographically binds a JWT (e.g.
> JWT SVID) to a request in such a way that the JWT cannot be used with
> another request without being detected by the recipient of the JWT. When a
> workload makes a request to another workload or resource, it presents its
> JWT credential (e.g. a JWT SVID), along with a Request Binding Proof. The
> receiving workload will use the JWT as a way to authenticate the calling
> workload and then verify that the Request Binding Proof to ensure the JWT
> is used in the context of the current request. A specific application of
> this binding mechanism is to bind a SPIFFE Verifiable Identity Document JWT
> (SVID JWT) to a request. I would like to propose that the creation of a
> standard for a Request Binding Proof should be a WIMSE deliverable.
>
>
>
> Strawman
>
> --------------
>
> Making a quick strawman sketch of what a transaction binding proof might
> look like, includes:
>
>
>
>    1. Include a reference to a public key or the public key itself  to
>    JWT used by the workload (e.g. the JWT SVID does not include a public key
>    today)
>    2. Define a request binding proof by profiling the JSON Web Signature
>    (JWS) specification to contain specific claims that can be bound to the
>    request.
>
>
>
> Some additional ideas below:
>
>
>
> Workload JWT claims (e.g. used as part of a JWT SVID extension)
>
>
> --------------------------------------------------------------------------------------
>
> To support request binding, JWTs MUST include a kid claim as defined in
> https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.4 (open
> question, can this be the X5u or X5t parameter representing the X.509 SVID)?
>
>
>
> Request Binding Proof
>
> -----------------------------
>
> The Request Binding Proof is a JWT [RFC7519] that is signed (using JSON
> Web Signature (JWS) [RFC7515]) with a private key chosen by the workload.
> The JOSE Header of a Request Binding Proof MUST contain at least the
> following parameters:
>
>    1. typ: A field with the value dpop+jwt, which explicitly types the
>    DPoP proof JWT as recommended in Section 3.11 of [RFC8725].
>    2. alg: An identifier for a JWS asymmetric digital signature algorithm
>    from [IANA.JOSE.ALGS]. It MUST NOT be none or an identifier for a symmetric
>    algorithm (Message Authentication Code (MAC)).
>    3. kid: Claim indicating which key was used to secure the JWS. It must
>    match the kid claim in the JWT SVID (open question, can this be the X5u or
>    X5t parameter representing the X.509 SVID).
>
> The JWS payload contains the following claims:
>
>    1. iat (Issued At): The timestamp at which the Transaction Binding
>    proof was created (REQUIRED)
>    2. jti (JWT ID): A unique identifier for the JWT to mitigate replay
>    attacks (REQUIRED).
>    3. tth: Hash of the Transaction Token (see transaction token draft:
>    https://datatracker.ietf.org/doc/draft-tulshibagwale-oauth-transaction-tokens/
>    ). The value MUST be the result of a base64url encoding (as defined in
>    Section 2 of [RFC7515]) the SHA-256 [SHS] hash of the ASCII encoding of the
>    associated access token's value. (OPTIONAL)
>    4. rqd: A claim, whose value is a JSON object the describes the
>    request details bound to the workload identity. The contents of the rqd
>    claim changes, depending on the typeof request.
>
> The JSON value of the rqd claim MAY include the following values,
> depending on the request type (these are meant to illustrative and may not
> be the most appropriate, correct or sufficient – a topic for discussion):
>
>    1. htm: The value of the HTTP method (Section 9.1 of [RFC9110]) of the
>    request to which the JWT is attached. This value MUST be used if the
>    request is an HTTP request.
>    2. htu: The HTTP target URI (Section 7.1 of [RFC9110]) of the request
>    to which the JWT is attached, without query and fragment parts. This value
>    MUST be used if the request is an HTTP request.
>    3. krt: The Kafka Request Type. This value MUST be used if this is a
>    Kafka request.
>    4. ktn: The Kafka Topic name to which the request is being directed.
>    This value MUST be used if this is a Kafka request.
>    5. ktp: The Kafka Partition within a topic. This value MUST be used if
>    this is a Kafka request.
>    6. gsm: The gRPC service method. This value MUST be used if this is a
>    gRPC request.
>    7. Other?
>
> The proof is generated by using the private key corresponding to the kid
> claim in the JWT (e.g. JWT SVID) to sign over the JWT Request Binding Proof
> (more details to be added).
>
> The Request Binding Proof is verified by using the public key
> corresponding to the kid claim in the JWT (e.g. JWT SVID) to verify the
> Transaction Binding Proof. In addition to the cryptographic verification,
> the verifier MUST verify that:
>
>    1. The kid claim in the JWT SVID equals the kid claim in the
>    Transaction Bindng Proof
>    2. The iat claim is in the accepted boundaries (less than 5 minutes
>    old).
>    3. The tth claim matches the hash of the Transaction Token hash, if
>    one is used.
>    4. The rqd claim contents matches the actual request details (e.g. htm
>    and htu parameters match).
>    5. Additional verification steps to be added
>
> I would be happy to expand on the above and turn it into a ID draft if
> there is interest in pursuing this further in WIMSE or elsewhere.
>
> Cheers
>
> Pieter
>
>
>
>
>
>
>
>
>
>
>
> --
> Wimse mailing list
> Wimse@ietf.org
> https://www.ietf.org/mailman/listinfo/wimse
>

v2.23.0 | Report a Bug | By Email