draft-ietf-tokbind-negotiation-13.txt   draft-ietf-tokbind-negotiation-14.txt 
Internet Engineering Task Force A. Popov, Ed. Internet Engineering Task Force A. Popov, Ed.
Internet-Draft M. Nystroem Internet-Draft M. Nystroem
Intended status: Standards Track Microsoft Corp. Intended status: Standards Track Microsoft Corp.
Expires: November 10, 2018 D. Balfanz Expires: November 24, 2018 D. Balfanz
A. Langley A. Langley
Google Inc. Google Inc.
May 9, 2018 May 23, 2018
Transport Layer Security (TLS) Extension for Token Binding Protocol Transport Layer Security (TLS) Extension for Token Binding Protocol
Negotiation Negotiation
draft-ietf-tokbind-negotiation-13 draft-ietf-tokbind-negotiation-14
Abstract Abstract
This document specifies a Transport Layer Security (TLS) extension This document specifies a Transport Layer Security (TLS) extension
for the negotiation of Token Binding protocol version and key for the negotiation of Token Binding protocol version and key
parameters. parameters.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
skipping to change at page 1, line 36 skipping to change at page 1, line 36
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 10, 2018. This Internet-Draft will expire on November 24, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 41 skipping to change at page 3, line 41
TokenBindingParameters.token_binding_version. E.g. if the client TokenBindingParameters.token_binding_version. E.g. if the client
supports versions {1, 0} and {0, 13} of the Token Binding protocol, supports versions {1, 0} and {0, 13} of the Token Binding protocol,
it SHOULD indicate version {1, 0}. Please note that the server MAY it SHOULD indicate version {1, 0}. Please note that the server MAY
select any lower protocol version, see Section 3 select any lower protocol version, see Section 3
"Token Binding Negotiation Server Hello Extension" for more details. "Token Binding Negotiation Server Hello Extension" for more details.
If the client does not support the Token Binding protocol version If the client does not support the Token Binding protocol version
selected by the server, then the connection proceeds without Token selected by the server, then the connection proceeds without Token
Binding. [I-D.ietf-tokbind-protocol] describes version {1, 0} of the Binding. [I-D.ietf-tokbind-protocol] describes version {1, 0} of the
protocol. protocol.
Please note that the representation of the Token Binding protocol
version using two octets ("major" and "minor") is for human
convenience only and carries no protocol significance.
RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: Prototype RFC EDITOR: PLEASE REMOVE THE FOLLOWING PARAGRAPH: Prototype
implementations of Token Binding drafts can indicate support of a implementations of Token Binding drafts can indicate support of a
specific draft version, e.g. {0, 1} or {0, 2}. specific draft version, e.g. {0, 1} or {0, 2}.
"key_parameters_list" contains the list of identifiers of the Token "key_parameters_list" contains the list of identifiers of the Token
Binding key parameters supported by the client, in descending order Binding key parameters supported by the client, in descending order
of preference. [I-D.ietf-tokbind-protocol] establishes an IANA of preference. [I-D.ietf-tokbind-protocol] establishes an IANA
registry for Token Binding key parameter identifiers. registry for Token Binding key parameter identifiers.
3. Token Binding Negotiation Server Hello Extension 3. Token Binding Negotiation Server Hello Extension
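Review bot: The paragraph added in -14 after the {1, 0} description says the two-octet "major"/"minor" representation carries no protocol significance, but it does not say how two versions are then ordered. The surrounding text still depends on an ordering: the server "MAY select any lower protocol version", and condition 2 of the client checks in Section 4 tests whether "token_binding_version" is "higher than" another version. Suggest stating the comparison rule in the same paragraph, so that all implementations order {1, 0} and {0, 13} the same way.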
skipping to change at page 5, line 4 skipping to change at page 5, line 4
parameters identifier selected by the server from the client's list. parameters identifier selected by the server from the client's list.
4. Negotiating Token Binding Protocol Version and Key Parameters 4. Negotiating Token Binding Protocol Version and Key Parameters
It is expected that a server will have a list of Token Binding key It is expected that a server will have a list of Token Binding key
parameters identifiers that it supports, in preference order. The parameters identifiers that it supports, in preference order. The
server MUST only select an identifier that the client offered. The server MUST only select an identifier that the client offered. The
server SHOULD select the most highly preferred key parameters server SHOULD select the most highly preferred key parameters
identifier it supports which is also advertised by the client. In identifier it supports which is also advertised by the client. In
the event that the server supports none of the key parameters that the event that the server supports none of the key parameters that
the client advertises, then the server MUST NOT include the client advertises, then the server MUST NOT include the
"token_binding" extension in the server hello. "token_binding" extension in the server hello.
The client receiving the "token_binding" extension MUST terminate the The client receiving the "token_binding" extension MUST terminate the
handshake with a fatal "unsupported_extension" alert if any of the handshake with a fatal "unsupported_extension" alert if any of the
following conditions are true: following conditions are true:
1. The client did not include the "token_binding" extension in the 1. The client did not include the "token_binding" extension in the
client hello. client hello.
2. "token_binding_version" is higher than the Token Binding protocol 2. "token_binding_version" is higher than the Token Binding protocol
skipping to change at page 6, line 35 skipping to change at page 6, line 35
This document uses "Token Binding Key Parameters" registry originally This document uses "Token Binding Key Parameters" registry originally
created in [I-D.ietf-tokbind-protocol]. This document creates no new created in [I-D.ietf-tokbind-protocol]. This document creates no new
registrations in this registry. registrations in this registry.
6. Security Considerations 6. Security Considerations
6.1. Downgrade Attacks 6.1. Downgrade Attacks
The Token Binding protocol version and key parameters are negotiated The Token Binding protocol version and key parameters are negotiated
via "token_binding" extension within the TLS handshake. TLS prevents via the "token_binding" extension within the TLS handshake. TLS
active attackers from modifying the messages of the TLS handshake, detects handshake message modification by active attackers, therefore
therefore it is not possible for the attacker to remove or modify the it is not possible for an attacker to remove or modify the
"token_binding" extension. The signature algorithm and key length "token_binding" extension without breaking the TLS handshake. The
used in the Token Binding of type "provided_token_binding" MUST match signature algorithm and key length used in the Token Binding of type
the parameters negotiated via "token_binding" extension. "provided_token_binding" MUST match the parameters negotiated via the
"token_binding" extension.
6.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions 6.2. Triple Handshake Vulnerability in TLS 1.2 and Older TLS Versions
The Token Binding protocol relies on the TLS Exporters [RFC5705] to The Token Binding protocol relies on the TLS Exporters [RFC5705] to
associate a TLS connection with a Token Binding. The triple associate a TLS connection with a Token Binding. The triple
handshake attack [TRIPLE-HS] is a known vulnerability in TLS 1.2 and handshake attack [TRIPLE-HS] is a known vulnerability in TLS 1.2 and
older TLS versions, allowing the attacker to synchronize keying older TLS versions, allowing an attacker to synchronize keying
material between TLS connections. The attacker can then successfully material between TLS connections. The attacker can then successfully
replay bound tokens. For this reason, the Token Binding protocol replay bound tokens. For this reason, the Token Binding protocol
MUST NOT be negotiated with these TLS versions, unless the Extended MUST NOT be negotiated with these TLS versions, unless the Extended
Master Secret [RFC7627] and Renegotiation Indication [RFC5746] TLS Master Secret [RFC7627] and Renegotiation Indication [RFC5746] TLS
extensions have also been negotiated. extensions have also been negotiated.
7. Acknowledgements 7. Acknowledgements
This document incorporates comments and suggestions offered by Eric This document incorporates comments and suggestions offered by Eric
Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony Rescorla, Gabriel Montenegro, Martin Thomson, Vinod Anupam, Anthony
Nadalin, Michael B. Jones, Bill Cox, Nick Harper, Brian Campbell and Nadalin, Michael B. Jones, Bill Cox, Nick Harper, Brian Campbell,
others. Benjamin Kaduk, Alexey Melnikov and others.
This document was produced under the chairmanship of John Bradley and This document was produced under the chairmanship of John Bradley and
Leif Johansson. The area directors included Eric Rescorla, Kathleen Leif Johansson. The area directors included Eric Rescorla, Kathleen
Moriarty and Stephen Farrell. Moriarty and Stephen Farrell.
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-tokbind-protocol] [I-D.ietf-tokbind-protocol]
Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J. Popov, A., Nystrom, M., Balfanz, D., Langley, A., and J.
Hodges, "The Token Binding Protocol Version 1.0", draft- Hodges, "The Token Binding Protocol Version 1.0", draft-
ietf-tokbind-protocol-17 (work in progress), April 2018. ietf-tokbind-protocol-18 (work in progress), May 2018.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, (TLS) Protocol Version 1.2", RFC 5246,
DOI 10.17487/RFC5246, August 2008, DOI 10.17487/RFC5246, August 2008,
<https://www.rfc-editor.org/info/rfc5246>. <https://www.rfc-editor.org/info/rfc5246>.
 End of changes. 10 change blocks. 
15 lines changed or deleted 20 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/