Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
draft-ietf-tokbind-negotiation-06

The information below is for an old version of the document.
Document type: This is an older version of an Internet-Draft that was ultimately published as RFC 8472.
Authors: Andrei Popov, Magnus Nyström, Dirk Balfanz, Adam Langley
Last updated: 2016-11-23
Replaces: draft-popov-tokbind-negotiation
RFC stream: Internet Engineering Task Force (IETF)
WG state: In WG Last Call
Associated WG milestone: Dec 2017, TLS extension for Token Binding to IESG
Document shepherd: (None)
IESG state: Became RFC 8472 (Proposed Standard)
Consensus boilerplate: Yes
Telechat date: (None)
Responsible AD: (None)
Send notices to: (None)

Popov, et al.             Expires May 27, 2017                  [Page 4]
Internet-Draft   Token Binding Negotiation TLS Extension   November 2016

   for the TLS connection.  Please note that TLS 1.2 and earlier
   versions support renegotiation, allowing the client and server to
   renegotiate the Token Binding protocol version and key parameters on
   the same connection.  The client MUST use the negotiated key
   parameters in the "provided_token_binding" as described in
   [I-D.ietf-tokbind-protocol].

   If the client does not support the Token Binding protocol version
   selected by the server, then the connection proceeds without Token
   Binding.

   Please note that the Token Binding protocol version and key
   parameters are negotiated for each TLS connection, which means that
   the client and server include their "token_binding" extensions both
   in the full TLS handshake that establishes a new TLS session and in
   the subsequent abbreviated TLS handshakes that resume the TLS
   session.

5.  IANA Considerations

   This document updates the TLS "ExtensionType Values" registry
   originally created in [RFC4366].  IANA has provided the following
   temporary registration for the "token_binding" TLS extension:

      Value: 24

      Extension name: token_binding

      Reference: this document

   IANA is requested to make this registration permanent, keeping the
   value of 24, which has been used by the prototype implementations of
   the Token Binding protocol.

   This document uses the "Token Binding Key Parameters" registry originally
   created in [I-D.ietf-tokbind-protocol].  This document creates no new
   registrations in this registry.

6.  Security Considerations

6.1.  Downgrade Attacks

   The Token Binding protocol version and key parameters are negotiated
   via the "token_binding" extension within the TLS handshake.  TLS prevents
   active attackers from modifying the messages of the TLS handshake;
   therefore, it is not possible for the attacker to remove or modify the
   "token_binding" extension.  The signature algorithm and key length
   used in the TokenBinding of type "provided_token_binding" MUST match
   the parameters negotiated via the "token_binding" extension.

6.2.  Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions

   The Token Binding protocol relies on the TLS Exporters [RFC5705] to
   associate a TLS connection with a Token Binding.  The triple
   handshake attack [TRIPLE-HS] is a known TLS protocol vulnerability
   allowing the attacker to synchronize exported keying material between
   TLS connections.  The attacker can then successfully replay bound
   tokens.  For this reason, the Token Binding protocol MUST NOT be
   negotiated with these TLS versions, unless the Extended Master Secret
   [RFC7627] and Renegotiation Indication [RFC5746] TLS extensions have
   also been negotiated.
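
   Added example (not part of the draft or of any implementation it
   describes): a client-side check of the Section 6.2 rule against a
   received ServerHello extensions block.  Extension values 23 and 0xFF01
   come from RFC 7627 and RFC 5746; the 4-byte server "token_binding" body
   layout, the function names, the sample bytes and the choice to raise an
   error are assumptions of this example.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 23  # RFC 7627
EXT_TOKEN_BINDING = 24           # value from the IANA section of this draft
EXT_RENEGOTIATION_INFO = 0xFF01  # RFC 5746
TLS_1_2 = (3, 3)                 # wire version of TLS 1.2


def parse_extensions(block):
    """Parse uint16 total length + (uint16 type, uint16 len, data) records."""
    if len(block) < 2 or struct.unpack_from("!H", block)[0] != len(block) - 2:
        raise ValueError("bad extensions length")
    exts, pos = {}, 2
    while pos < len(block):
        if pos + 4 > len(block):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, pos)
        pos += 4
        if pos + ext_len > len(block) or ext_type in exts:
            raise ValueError("truncated or duplicate extension")
        exts[ext_type] = block[pos:pos + ext_len]
        pos += ext_len
    return exts


def negotiated_token_binding(tls_version, server_ext_block):
    """Return (major, minor, key_param), or None when Token Binding is off."""
    exts = parse_extensions(server_ext_block)
    body = exts.get(EXT_TOKEN_BINDING)
    if body is None:
        return None  # connection proceeds without Token Binding
    # Section 6.2: TLS 1.2 and older need both extensions negotiated as well.
    if tls_version <= TLS_1_2 and not (
            EXT_EXTENDED_MASTER_SECRET in exts and EXT_RENEGOTIATION_INFO in exts):
        raise ValueError("token_binding without EMS and renegotiation_info")
    # Assumed server layout: version (2 bytes), list length 1, one key parameter.
    if len(body) != 4 or body[2] != 1:
        raise ValueError("malformed server token_binding extension")
    return body[0], body[1], body[3]


def build_block(*exts):
    """Constructed sample input: encode (type, data) pairs as an extensions block."""
    raw = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    return struct.pack("!H", len(raw)) + raw


TB = (EXT_TOKEN_BINDING, bytes([1, 0, 1, 2]))  # constructed: version 1.0, key parameter 2
SAFE = build_block((EXT_EXTENDED_MASTER_SECRET, b""), (EXT_RENEGOTIATION_INFO, b"\x00"), TB)
UNSAFE = build_block(TB)  # constructed: no EMS, no renegotiation_info
```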

7.  Acknowledgements

   This document incorporates comments and suggestions offered by Eric
   Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony
   Nadalin, Michael B. Jones, Bill Cox, Nick Harper, Brian Campbell and
   others.

8.  References

8.1.  Normative References

   [I-D.ietf-tokbind-protocol]
              Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J.
              Hodges, "The Token Binding Protocol Version 1.0",
              draft-ietf-tokbind-protocol-10 (work in progress),
              September 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC4366]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006,
              <http://www.rfc-editor.org/info/rfc4366>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <http://www.rfc-editor.org/info/rfc5246>.

   [RFC5705]  Rescorla, E., "Keying Material Exporters for Transport
              Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
              March 2010, <http://www.rfc-editor.org/info/rfc5705>.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010,
              <http://www.rfc-editor.org/info/rfc5746>.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015,
              <http://www.rfc-editor.org/info/rfc7627>.

8.2.  Informative References

   [TRIPLE-HS]
              Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti,
              A., and P. Strub, "Triple Handshakes and Cookie Cutters:
              Breaking and Fixing Authentication over TLS", IEEE
              Symposium on Security and Privacy, 2014.

Authors' Addresses

   Andrei Popov (editor)
   Microsoft Corp.
   USA

   Email: andreipo@microsoft.com

   Magnus Nystroem
   Microsoft Corp.
   USA

   Email: mnystrom@microsoft.com

   Dirk Balfanz
   Google Inc.
   USA

   Email: balfanz@google.com

   Adam Langley
   Google Inc.
   USA

   Email: agl@google.com
