IETF Logo Mail Archive

Re: [Unbearable] Opaqueness of Token Binding ID

Andrei Popov <Andrei.Popov@microsoft.com> Wed, 31 August 2016 18:31 UTC

Return-Path: <Andrei.Popov@microsoft.com>
X-Original-To: unbearable@ietfa.amsl.com
Delivered-To: unbearable@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D3FD012D608 for <unbearable@ietfa.amsl.com>; Wed, 31 Aug 2016 11:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.021
X-Spam-Level:
X-Spam-Status: No, score=-2.021 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rgB6x1bjpbQk for <unbearable@ietfa.amsl.com>; Wed, 31 Aug 2016 11:31:50 -0700 (PDT)
Received: from NAM03-CO1-obe.outbound.protection.outlook.com (mail-co1nam03on0138.outbound.protection.outlook.com [104.47.40.138]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B74F412D695 for <unbearable@ietf.org>; Wed, 31 Aug 2016 11:31:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=dTO65UKV2CwmNLO9qWHvqX0MnftmAmTiH8uCSj+i/SA=; b=hPxh5LUYx4gFBffyu5P2pHpMEvDNgcwpP+JaeurPtx4edg8J6utVn4Ybyvqz4EOKNRTZWHJcpPNqH+6Gwwndn9X5cAOkBhxyJf0OBWLHtLcdZEzBRINEt3jC2Edbgg6VE03oK3f3Ys2UwSHVcjCnsThlNQmdvEWsw4B+FfAXJcw=
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) by CY1PR0301MB0842.namprd03.prod.outlook.com (10.160.163.148) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384) id 15.1.599.9; Wed, 31 Aug 2016 18:31:17 +0000
Received: from CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) by CY1PR0301MB0842.namprd03.prod.outlook.com ([10.160.163.148]) with mapi id 15.01.0599.010; Wed, 31 Aug 2016 18:31:17 +0000
From: Andrei Popov <Andrei.Popov@microsoft.com>
To: Tokbind WG <unbearable@ietf.org>
Thread-Topic: Opaqueness of Token Binding ID
Thread-Index: AQHSA7C1QN5Po5xpx0Wbvq3ilbKBZaBjWm6QgAAJvkA=
Date: Wed, 31 Aug 2016 18:31:16 +0000
Message-ID: <CY1PR0301MB084219708F8ADE48189A3A888CE30@CY1PR0301MB0842.namprd03.prod.outlook.com>
References: <CADHfa2Byeb5OMJehqh=P7gFGr51U=11=N1xp4FHphFDBaHgmBA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=Andrei.Popov@microsoft.com;
x-originating-ip: [2001:4898:80e8:9::1d2]
x-ms-office365-filtering-correlation-id: fe699cb9-918b-4de1-65a1-08d3d1ccfeff
x-microsoft-exchange-diagnostics: 1; CY1PR0301MB0842; 6:NWCczjxL3opgXX/C2tXbOVttBdVJ8SZRwPqO+gcLOuw5lkVJ76+FzmeJcvar2IIlSOnZRSrPBXWSIo1SbO80oZ51teO3lARkXQS9fZYimqZGgnp1WqNHD3iHLsR8VW9zCRCgg/q1qf6PGu9WWn5jQ/nsw4FzMj2IeSRxGQNDHpGg0GxqNqrLGnJ1NiwN+Pvn6ANVOrejckrUSP3URs+wfiyrg0EOhRPzXMmCrmsDIuVREJnaEq9dB1WGUCKQe4BQihh1qBp2Q55FCZtyuzGpfds843BwezADP+EZwkXWb1CFnV7C8VnptWNskCNUUCgACAUY78RRbyq95K5SZMsdqQ==; 5:iwo5+TpvvNlMMnn/1W5tt3d+xP4ZryVIpawBw0WM9/LvxIMb+WCnIo0UcM6rskYWkSpbv98fI2dz9Fvp7vq821TtFc3F1zy8nlLFEEGD7S0eaI5nIyJTQxDJCLy6TCNBJulrsMs4/DtSzECvd/x6cw==; 24:uwvwwiLBnI773z0miLZ/I6XKUXkmh31XqdUG86Lh1Hf4j0ZzbmpNjN85wMMB49ia5FfazIbYPZeyTffJ9Rqyf/b1/xxVMeRSqYJh6xrll1E=; 7:fJB8d9f+CE0F5xUOVmnKjJ8Aul4MRdPZH6nOP4yWpnsOJbDo2L9pkwM/b4dUzf0/48ILHSgeWQU1NmTQ9prjCCJlyO7+0cF1GSkYwJiWMYUPQVMZYrOqGTwt/Y7EpFp5pYMBJlEChZRtHWXbYzTCcVJINuPEuEFPL04jtOXOae1Xa9ngZ0g0pFFOA5zK5tjp/90nw4mfIQQrADMDsGTPQWnsuQWCEINxbur+C+c1fel/vQ19/SVskpozF0zrERwa
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0301MB0842;
x-microsoft-antispam-prvs: <CY1PR0301MB0842BD02558BB414EDDC5A578CE30@CY1PR0301MB0842.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(278428928389397)(211936372134217)(21748063052155)(79290750141951);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(61425038)(6040176)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:CY1PR0301MB0842; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0301MB0842;
x-forefront-prvs: 00514A2FE6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(7916002)(377454003)(478694002)(199003)(189002)(122556002)(1680700002)(86362001)(15975445007)(77096005)(6116002)(76576001)(5002640100001)(5660300001)(106356001)(790700001)(586003)(102836003)(107886002)(3280700002)(19580405001)(16601075003)(92566002)(110136002)(19617315012)(450100001)(189998001)(105586002)(19625215002)(87936001)(8936002)(19580395003)(5005710100001)(97736004)(2900100001)(2906002)(10290500002)(19300405004)(86612001)(33656002)(101416001)(50986999)(106116001)(8990500004)(7846002)(54356999)(10400500002)(74316002)(3660700001)(9686002)(7736002)(7696003)(76176999)(68736007)(8676002)(99286002)(81166006)(19609705001)(81156014)(16236675004)(11100500001)(10090500001)(7906003)(3826002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0301MB0842; H:CY1PR0301MB0842.namprd03.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CY1PR0301MB084219708F8ADE48189A3A888CE30CY1PR0301MB0842_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Aug 2016 18:31:16.8954 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0301MB0842
Archived-At: <https://mailarchive.ietf.org/arch/msg/unbearable/ebpUpuPBK2LGwsp5BG_q8G5ZDaA>
Subject: Re: [Unbearable] Opaqueness of Token Binding ID
X-BeenThere: unbearable@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "\"This list is for discussion of proposals for doing better than bearer tokens \(e.g. HTTP cookies, OAuth tokens etc.\) for web applications. The specific goal is chartering a WG focused on preventing security token export and replay attacks.\"" <unbearable.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/unbearable>, <mailto:unbearable-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/unbearable/>
List-Post: <mailto:unbearable@ietf.org>
List-Help: <mailto:unbearable-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/unbearable>, <mailto:unbearable-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 31 Aug 2016 18:31:53 -0000

TBPROTO currently says:
“Token Binding protocol implementations SHOULD make Token Binding IDs available to the application as opaque byte sequences.”

The reason is that a future TB version should be free to redefine the contents of the TB IDs, without breaking apps that rely on a certain TB ID structure.


Ø  It seems to me that it is safer to explicitly surface the fact that the Token Binding ID is a public key, and what kind of key it is, to other applications, rather than asking them to string-compare two strings whose semantics they don't understand.
Then the application would need to be aware of the TB version, and will likely need to be updated when we update the Token Binding protocol. We’ve already changed the contents/structure of TB IDs between drafts.

From: Dirk Balfanz [mailto:balfanz@google.com]
Sent: Wednesday, August 31, 2016 10:54 AM
To: Andrei Popov <Andrei.Popov@microsoft.com<mailto:Andrei.Popov@microsoft.com>>
Cc: Tokbind WG <unbearable@ietf.org<mailto:unbearable@ietf.org>>
Subject: Opaqueness of Token Binding ID

Hi Andrei & the rest of the Unbearables,

in the FIDO (well, W3C webauthn) discussion the question came up whether Token Binding IDs should be treated as opaque blobs in other protocols. In particular, FIDO assertions are (in part) over Token Binding IDs.

I had originally spec'd this out as including a JWK representation of the Token Binding key, as in:

// The FIDO signature is over this:
{
  "origin": "www.example.com<http://www.example.com>",
  "challenge": "129843adj03948",
  "tokbind": {
    "kty":"EC",
    "crv":"P-256",
    "x":"HzQwlfXX7Q4S5MtCRMzPO9tOyWjBqRl4tJ8",
    "y":"XVguGFLIZx1fXg375hi4-7-BxhMljw42Ht4"
  }
}

The webauthn participants are pointing out that the latest Token Binding spec says that other applications should use an opaque representation of the Token Binding ID, as in:

// The FIDO signature is over this:
{
  "origin": "www.example.com<http://www.example.com>",
  "challenge": "129843adj03948",
  "tokbind": "KJDSW34AAJSjasAKJsha-ISajj8sJSA..."
}

where the tokbind value would be the base64-enccoding of the TokenBindingID, as specified in ietf-tokbind-protocol.

It seems to me that it is safer to explicitly surface the fact that the Token Binding ID is a public key, and what kind of key it is, to other applications, rather than asking them to string-compare two strings whose semantics they don't understand.

I can't come up with a particular attack, since the Token Binding ID - just like the JWK - is an unambiguous representation of they key. Furthermore, since it is a canonical serialization, string comparison *should* be ok.

It seems strange, however, that the application (in this case webauthn) shouldn't be aware of the precise semantics of the tokbind value in this dictionary.

Any thoughts on this?

Dirk.

v2.23.0 | Report a Bug | By Email