Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
draft-ietf-tokbind-negotiation-06
The information below is for an old version of the document.
Section | Field | Value
---|---|---
Document | Type | This is an older version of an Internet-Draft that was ultimately published as RFC 8472.
 | Authors | Andrei Popov, Magnus Nyström, Dirk Balfanz, Adam Langley
 | Last updated | 2016-11-23
 | Replaces | draft-popov-tokbind-negotiation
 | RFC stream | Internet Engineering Task Force (IETF)
 | Reviews | ARTART Telechat review (of -12) by Matthew Miller: Ready w/issues; GENART Last Call review (of -10) by Paul Kyzivat: Ready w/issues
 | Additional resources | Mailing list discussion
Stream | WG state | In WG Last Call
 | Document shepherd | (None)
IESG | IESG state | Became RFC 8472 (Proposed Standard)
 | Consensus boilerplate | Yes
 | Telechat date | (None)
 | Responsible AD | (None)
 | Send notices to | (None)
Popov, et al.             Expires May 27, 2017                  [Page 4]

Internet-Draft   Token Binding Negotiation TLS Extension   November 2016

   for the TLS connection.  Please note that TLS 1.2 and earlier
   versions support renegotiation, allowing the client and server to
   renegotiate the Token Binding protocol version and key parameters on
   the same connection.  The client MUST use the negotiated key
   parameters in the "provided_token_binding" as described in
   [I-D.ietf-tokbind-protocol].

   If the client does not support the Token Binding protocol version
   selected by the server, then the connection proceeds without Token
   Binding.

   Please note that the Token Binding protocol version and key
   parameters are negotiated for each TLS connection, which means that
   the client and server include their "token_binding" extensions both
   in the full TLS handshake that establishes a new TLS session and in
   the subsequent abbreviated TLS handshakes that resume the TLS
   session.

5.  IANA Considerations

   This document updates the TLS "ExtensionType Values" registry
   originally created in [RFC4366].  IANA has provided the following
   temporary registration for the "token_binding" TLS extension:

      Value: 24

      Extension name: token_binding

      Reference: this document

   IANA is requested to make this registration permanent, keeping the
   value of 24, which has been used by the prototype implementations of
   the Token Binding protocol.

   This document uses the "Token Binding Key Parameters" registry
   originally created in [I-D.ietf-tokbind-protocol].  This document
   creates no new registrations in this registry.

6.  Security Considerations

6.1.  Downgrade Attacks

   The Token Binding protocol version and key parameters are negotiated
   via the "token_binding" extension within the TLS handshake.  TLS
   prevents active attackers from modifying the messages of the TLS
   handshake; therefore, it is not possible for the attacker to remove
   or modify the "token_binding" extension.  The signature algorithm and
   key length used in the TokenBinding of type "provided_token_binding"
   MUST match the parameters negotiated via the "token_binding"
   extension.

6.2.  Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions

   The Token Binding protocol relies on the TLS Exporters [RFC5705] to
   associate a TLS connection with a Token Binding.  The triple
   handshake attack [TRIPLE-HS] is a known TLS protocol vulnerability
   allowing the attacker to synchronize exported keying material between
   TLS connections.  The attacker can then successfully replay bound
   tokens.  For this reason, the Token Binding protocol MUST NOT be
   negotiated with these TLS versions, unless the Extended Master Secret
   [RFC7627] and Renegotiation Indication [RFC5746] TLS extensions have
   also been negotiated.

7.  Acknowledgements

   This document incorporates comments and suggestions offered by Eric
   Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony
   Nadalin, Michael B. Jones, Bill Cox, Nick Harper, Brian Campbell and
   others.

8.  References

8.1.  Normative References

   [I-D.ietf-tokbind-protocol]
              Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J.
              Hodges, "The Token Binding Protocol Version 1.0",
              draft-ietf-tokbind-protocol-10 (work in progress),
              September 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC4366]  Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J.,
              and T. Wright, "Transport Layer Security (TLS)
              Extensions", RFC 4366, DOI 10.17487/RFC4366, April 2006,
              <http://www.rfc-editor.org/info/rfc4366>.

   [RFC5226]  Narten, T. and H. Alvestrand, "Guidelines for Writing an
              IANA Considerations Section in RFCs", BCP 26, RFC 5226,
              DOI 10.17487/RFC5226, May 2008,
              <http://www.rfc-editor.org/info/rfc5226>.

   [RFC5246]  Dierks, T. and E. Rescorla, "The Transport Layer Security
              (TLS) Protocol Version 1.2", RFC 5246,
              DOI 10.17487/RFC5246, August 2008,
              <http://www.rfc-editor.org/info/rfc5246>.

   [RFC5705]  Rescorla, E., "Keying Material Exporters for Transport
              Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
              March 2010, <http://www.rfc-editor.org/info/rfc5705>.

   [RFC5746]  Rescorla, E., Ray, M., Dispensa, S., and N. Oskov,
              "Transport Layer Security (TLS) Renegotiation Indication
              Extension", RFC 5746, DOI 10.17487/RFC5746, February 2010,
              <http://www.rfc-editor.org/info/rfc5746>.

   [RFC7627]  Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
              Langley, A., and M. Ray, "Transport Layer Security (TLS)
              Session Hash and Extended Master Secret Extension",
              RFC 7627, DOI 10.17487/RFC7627, September 2015,
              <http://www.rfc-editor.org/info/rfc7627>.

8.2.  Informative References

   [TRIPLE-HS]
              Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti,
              A., and P. Strub, "Triple Handshakes and Cookie Cutters:
              Breaking and Fixing Authentication over TLS", IEEE
              Symposium on Security and Privacy, 2014.

Authors' Addresses

   Andrei Popov (editor)
   Microsoft Corp.
   USA

   Email: andreipo@microsoft.com

   Magnus Nystroem
   Microsoft Corp.
   USA

   Email: mnystrom@microsoft.com

   Dirk Balfanz
   Google Inc.
   USA

   Email: balfanz@google.com

   Adam Langley
   Google Inc.
   USA

   Email: agl@google.com
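
Added example (not part of the draft and not code from its authors): a client-side check of a ServerHello's extensions that applies the Section 6.2 rule and the version fallback described in the text above. Assumptions: extension numbers 23 and 0xFF01 come from RFC 7627 and RFC 5746, the token_binding body layout (version major/minor, then a length-prefixed key parameter list) is the one defined in RFC 8472, and the function names, the "reject" handling and the sample bytes are this example's own.

```python
import struct

EXT_EXTENDED_MASTER_SECRET = 23   # RFC 7627
EXT_TOKEN_BINDING = 24            # value registered in Section 5 of the draft
EXT_RENEGOTIATION_INFO = 0xFF01   # RFC 5746
TLS_1_2 = 0x0303

def parse_extensions(block):
    """Split a ServerHello extensions block into {type: data}."""
    exts, off = {}, 0
    while off < len(block):
        if len(block) - off < 4:
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", block, off)
        body = block[off + 4:off + 4 + ext_len]
        if len(body) != ext_len or ext_type in exts:
            raise ValueError("truncated or duplicate extension")
        exts[ext_type] = body
        off += 4 + ext_len
    return exts

def parse_token_binding(body):
    """Return ((major, minor), [key parameter ids]) from the extension body."""
    if len(body) < 4 or body[2] != len(body) - 3:
        raise ValueError("malformed token_binding extension")
    return (body[0], body[1]), list(body[3:])

def client_decision(tls_version, server_exts, supported_versions):
    """Return (status, version, key_param); status is 'use', 'skip' or 'reject'."""
    if EXT_TOKEN_BINDING not in server_exts:
        return ("skip", None, None)
    version, params = parse_token_binding(server_exts[EXT_TOKEN_BINDING])
    # Section 6.2: on TLS 1.2 and older both extensions must be negotiated,
    # otherwise exported keying material can be synchronized (triple handshake).
    protected = (EXT_EXTENDED_MASTER_SECRET in server_exts
                 and EXT_RENEGOTIATION_INFO in server_exts)
    if tls_version <= TLS_1_2 and not protected:
        return ("reject", version, None)   # handling is this example's choice
    # Server picked a version the client lacks: proceed without Token Binding.
    if version not in supported_versions:
        return ("skip", version, None)
    return ("use", version, params[0])     # key parameter the server returned

# Constructed sample ServerHello extensions (not captured traffic).
TB = bytes([0, 24, 0, 4, 1, 0, 1, 2])      # token_binding: version 1.0, parameter 2
EMS = bytes([0, 23, 0, 0])                 # extended_master_secret, empty body
RI = bytes([0xFF, 0x01, 0, 1, 0])          # renegotiation_info, empty verify data
```

The key parameter returned with status "use" is the value the signature algorithm and key length of the "provided_token_binding" must match, per Section 6.1.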