Internet DRAFT - draft-hallambaker-httpintegrity
draft-hallambaker-httpintegrity
Internet Engineering Task Force P. Hallam-Baker
Internet-Draft Comodo Group Inc.
Intended status: Standards Track November 14, 2012
Expires: May 18, 2013
HTTP Integrity Header
draft-hallambaker-httpintegrity-02
Abstract
The HTTP Integrity header provides a means of specifying
authentication data in HTTP requests and responses. This document
defines the HTTP integrity header and specifies its use to
authenticate and verify specific parts of an HTTP message. The means
by which the symmetric or asymmetric keys used to authenticate the
messages is outside the scope of this document.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 18, 2013.
Copyright Notice
Copyright (c) 2012 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
Hallam-Baker Expires May 18, 2013 [Page 1]
�
Internet-Draft HTTP Integrity Header November 2012
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Use in conjunction with TLS. . . . . . . . . . . . . . . . 4
1.2. Use in Web Services . . . . . . . . . . . . . . . . . . . 4
1.3. User Authentication and Authorization . . . . . . . . . . 5
2. Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
2.1. Example of Use . . . . . . . . . . . . . . . . . . . . . . 6
2.1.1. Client Request . . . . . . . . . . . . . . . . . . . . 7
2.1.2. Server Response . . . . . . . . . . . . . . . . . . . 7
2.1.3. Design Notes for Key Exchange . . . . . . . . . . . . 7
3. Syntax and options . . . . . . . . . . . . . . . . . . . . . . 8
3.1. Required Attributes . . . . . . . . . . . . . . . . . . . 9
3.1.1. Attribute id=[base64(value)] (required) . . . . . . . 9
3.1.2. Attribute value=[base64(value)] (required) . . . . . . 9
3.1.3. Replay Attack Prevention Attributes . . . . . . . . . 9
3.1.3.1. Attribute nnonce=[base64(value)],
rnonce=[base64(value)] . . . . . . . . . . . . . . 10
3.1.3.2. Attribute count=[hex(stream),hex(count)] . . . . . 10
3.1.4. Scope Attributes . . . . . . . . . . . . . . . . . . . 10
3.1.4.1. Attribute content=[true|false] . . . . . . . . . . 11
3.1.4.2. Attribute start=[true|false] . . . . . . . . . . . 11
3.1.4.3. Attribute header=[escaped(headers)] . . . . . . . 11
3.2. TLS Channel Binding Attributes . . . . . . . . . . . . . . 11
3.2.1. Attribute tlsu=[value] . . . . . . . . . . . . . . . . 11
3.2.2. Attribute tlss=[value] . . . . . . . . . . . . . . . . 11
3.3. Preparing the Input to the Authentication Algorithm . . . 11
4. Security Considerations . . . . . . . . . . . . . . . . . . . 12
4.1. Data outside the specified scope is not authenticated . . 12
4.2. Truncated Hash Algorithms . . . . . . . . . . . . . . . . 12
4.3. Randomness of Secret Keys and nonces . . . . . . . . . . . 12
4.4. Weak Ciphers . . . . . . . . . . . . . . . . . . . . . . . 12
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
6. References . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.1. Normative References . . . . . . . . . . . . . . . . . . . 12
6.2. Non Normative References . . . . . . . . . . . . . . . . . 13
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
Hallam-Baker Expires May 18, 2013 [Page 2]
�
Internet-Draft HTTP Integrity Header November 2012
1. Introduction
The HTTP Integrity header provides a simple and effective means of
authenticating components of a HTTP message [RFC2616] inband without
disclosure of the secret(s) used as the basis for authentication.
This approach has considerable advantages over the traditional
approaches of using HTTP Cookies [RFC2965] containing an
authentication secret, embedding authentication data within the HTTP
message content or relying on integrity checks in other protocol
layers.
Used in conjunction with an appropriate means of key exchange, the
Integrity header provides an equivalent security functionality to the
use of authentication cookies without the vulnerabilities intrinsic
to the use of static authentication secrets that are disclosed to the
verifying party en-clair to effect verification.
Use of a HTTP header to provide authentication information offers a
simpler and more flexible approach than including the authentication
information in the message content using schemes such as PKCS#7/CMS
[RFC5652], XML Signature [RFC3275] or JSON Signature [TBS]. The
chief technical challenge in such specifications being to reliably
identify the exact scope of the data being signed and the form of
encoding. Moving the integrity check to a HTTP header permits the
scope of the signature to be defined as the scope of the HTTP content
body and the encoding to be the HTTP transport encoding.
Use of the HTTP Intergity header permits the same mutual
authentication guarantees provided by TLS client authentication
[RFC5246] without the need to provision client certificates and with
considerably less complexity.
For simplicity, the HTTP Integrity header is strictly limited to
identifying a authentication context, the HTTP transaction item(s) to
be authenticated and the resulting authentication value. The means
of establishing the keys and algorithms that make up the
authentication context are outside the scope of this document.
In the typical case the authentication context identifier is a ticket
(c.f. Kerberos [RFC4120]) that contains the account identifier,
shared secret(s) and algorithm identifier required a Web Service
protocol or Web Browser Authentication protocol. This approach
permits a stateless server design in which the server does not store
per-account keys.
Hallam-Baker Expires May 18, 2013 [Page 3]
�
Internet-Draft HTTP Integrity Header November 2012
1.1. Use in conjunction with TLS.
Transport Layer Security (TLS) [RFC5246] provides transport layer
enhancements to protect the confidentiality and integrity of
messages. Use of the HTTP Integrity header compliments the use of
TLS security rather than replacing TLS.
While TLS provides for server and client authentication, these
controls are implemented at the transport layer and access to these
features requires the traversal of a protocol layer boundary that is
frequently undesirable or inappropriate. In particular the API
available to the client may not expose the necessary functionality
and many server deployments make use of external cryptographic
accelerator devices that cause the TLS session to be terminated on an
entirely different machine. Access control requires authorization in
addition to authentication. Since authorization is fundamentally an
application layer concern, attempts to carry authorization data at
the transport layer tend to be rather unsatisfactory requiring both
the sender and receiver to cross the protocol layer.
1.2. Use in Web Services
The HTTP Integrity header was originally developed to simplify
implemenatation of Web Services. Using the SOAP [TBS] approach a Web
Service message is encoded in XML [TBS], wrapped in a SOAP envelope
and a WS-Security [TBS] header with an XML Signature [TBS] attached.
The whole package is then attached to a HTTP message as a content
payload.
This approach involves a considerable degree of complexity and in
most cases achieves nothing more than attaching an authentication
value. Carrying the authentication value as a HTTP header eliminates
the need for the SOAP and WS-Security layers entirely. For example,
the following example is a HTTP request in the Omnibroker connection
protocol [TBS].
Hallam-Baker Expires May 18, 2013 [Page 4]
�
Internet-Draft HTTP Integrity Header November 2012
Post / HTTP/1.1
Host: example.com
Cache-Control: no-store
Content-Type: Application/json;charset=UTF-8
Content-Length: 78
Integrity: content=true;
value=cjkMkfnnYP8JYWZAbRLvtpqImmOK3rsrOT1XcvAgHDk=;
id=TUMnorO0SjHHS7D2uFcGlRYJ0Hd3eibwe0ogptoNMQuCYmCHfHAJcJlyvi
j8WoXDglTSOkctnmoBzl8W0NLSlcgSyZcmsAyoWs8y1Rn2ZlO2WBgoWrFIOqPa4
oB29dgs/ei6ieINZtmvXNCm2NUkWA==
{
"TicketRequest": {
"ChallengeResponse": "TctLOG74cwpm26YNpEibcQ=="}}
A single HTTP message MAY have multiple Integrity headers. This
facilitates support for multi-party transactions in which A submits a
transaction to B who countersigns it and passes it to C who is
required to chek that she has proof of agreement by both A and B.
Use of the Integrity header permits the developer to isolate
integrity and authentication checks to a single point of control, as
is advised by best security practice. The security monitor examines
a HTTP message, verifies that the required integrity data is present
and correct and only passes the payload on for processing by the Web
Service itself if and only if the verification checks have been
passed.
1.3. User Authentication and Authorization
The term 'user authentication' is frequently applied indiscriminately
to three separate concerns; credential management, session management
and session continuation.
Credential management describes the means by which credentials are
created, issued and revoked.
Session management describes the means by which a party
demonstrates holdership of a credential to establish an
authentication session and the means by which that authentication
session may be terminated.
Session continuation describes the means by which a party
demonstrates that a particular transaction is taking place within
the context of a particular authentication session.
The HTTP Integrity header is designed to support only Session
Continuation. While a session continuation mechanism is not in
Hallam-Baker Expires May 18, 2013 [Page 5]
�
Internet-Draft HTTP Integrity Header November 2012
itself a solution to the problem of user authentication, the
provision of a robust session continuation mechanism that does not
depend on a bearer token addresses the most challenging problem
facing the designers of SAML, OpenID and OAUTH.
2. Use
The Integrity header has two required attributes, the id attribute
which identifies an authentication context and the value attribute
which authenticates the HTTP message in which it is presented within
the specified authentication context and optional attributes
specified.
The authentication context comprises all the information used to
authenticate and validate HTTP messages. This includes the choice of
cryptographic algorithms, the keys and any protocol options such as
the TLS channel binding or protections against replay attack.
Confining the choice of cryptographic algorithm, protocol etc. to the
authentication context eliminates the need for identifiers to specify
these attributes in the Integrity header. Note that while the
Integrity header primarily designed for use with a symmetric key
authentication algorithm (MAC), it MAY be employed to support use of
an public key based scheme such as a digital signature.
The means by which the authentication context is established are
outside the scope of this document. In the simplest approach, the
authentication context might be passed as in-band plaintext in a
prior HTTP exchange. In a more elaborate scheme the authentication
context might be established using an authentication framework such
as Kerberos, SAML or OpenID.
The authentication identifier MAY be of any length up to the maximum
permitted by the client and server. This permits an authentication
mechanism to avoid the need to maintain server side per-session state
by encoding the server authentication context as encrypted data in
the authentication identifier. Alternatively, the same approach
might be used to avoid the need to maintain client side state.
The optional attributes are used to provide protection against replay
attacks, specify the scope of the authentication check and protect
against TLS man in the middle attacks.
2.1. Example of Use
[The following example is for illustrative purposes only to aid
discussion of the draft and should not be part of a final document.]
Hallam-Baker Expires May 18, 2013 [Page 6]
�
Internet-Draft HTTP Integrity Header November 2012
The Plaintext Authentication exchange supports message authentication
using a MAC and a key exchanged as plaintext in-band. The
communication pattern consists of an initial exchange in which the
server returns the credential and authentication context to the
client followed by an indeterminate number of messages authenticated
under that context.
2.1.1. Client Request
By definition, the protocol exchange is initiated by a client
request. The client advises the server that it supports the use of
the scheme by means of the Support header (in an actual protocol
mechanism, this should probably be some other header but none appears
to be a precise match).
Get / HTTP/1.1
Host: example.com
Support: Plaintext
2.1.2. Server Response
The server responds with the Authentication Context identifier, the
key and the algorithm to use:
HTTP/1.1 201 OK
Plaintext:
id=TUMnorO0SjHHS7D2uFcGlRYJ0Hd3eibwe0ogptoNMQuCYmCHfHAJcJlyvi
j8WoXDglTSOkctnmoBzl8W0NLSlcgSyZcmsAyoWs8y1Rn2ZlO2WBgoWrFIOqPa4
oB29dgs/ei6ieINZtmvXNCm2NUkWA==
key=7eb219188339135ba51e8715f3900bfb974995e145d6e490e4addbbdb26f4bb4
alg=HMAC-SHA256
From this point on the client and server protect their messages using
the Integrity header as shown in the previous example.
2.1.3. Design Notes for Key Exchange
While the Plaintext mechanism described above offers better security
than the use of HTTP cookes as bearer tokens, the construction is
very much sub optimal.
In particular a full key exchange binding should describe the precise
manner in which the scope is and the replay attack protection
attributes are fed into the digest algorithm. It is also desirable
for an authentication mechanism to use separate keys for different
purposes, in particular use of separate keys for requests and
Hallam-Baker Expires May 18, 2013 [Page 7]
�
Internet-Draft HTTP Integrity Header November 2012
responses.
As specified, the mechanism only provides protection against passive
eavesdropping attacks if the Plaintext exchange is protected by an
adequate confidentiality protection. For example the use of TLS. A
stronger protection MAY be established by passing the key value
through a Diffie Hellman key exchange.
In the Diffie Hellman approach, the key establishment would have the
following pattern:
1. Client->Server Initiate conversation, signal support for DH key
exchange option.
2. Server->Client Pass initial Authentication Context identifier and
server Diffie Hellman key parameters.
3. Client->Server Pass client Diffie Hellman parameters,
authenticate message under established key.
4. Server->Client Optionally specify a new Authentication Context
identifier to reflect the fact that the initial aunthentication
context has been updated to include the client information.
Note that even though the key exchange is only completed in the third
message, all messages following and including the third message are
protected.
A separate draft describing a lightweight exchange to replace the use
of bearer tokens is planned. Such a draft should probably support
both the plaintext and the Diffie Hellman approaches to ensure that
there is no remaining excuse for http authentication cookie
attrocities.
3. Syntax and options
The Integrity header has the tag 'Integrity' and takes a sequence of
attribute values as follows:
[Insert ABNF here]
Four classes of attribute are currently specified:
Required Attributes that MUST always be specified. These are the
Authentication Context Identifier attribute 'id' and the
Authentication Value attribute 'value'.
Hallam-Baker Expires May 18, 2013 [Page 8]
�
Internet-Draft HTTP Integrity Header November 2012
Replay Attack Prevention Attributes used to implement replay
prevention mechanisms.
Scope Attributes Attributes that specify the scope over which the
authentication value is calculated
TLS Channel Binding Attributes Attributes used to protect against
TLS channel rebinding and/or TLS channel stripping attacks.
3.1. Required Attributes
3.1.1. Attribute id=[base64(value)] (required)
The ticket attribute identifies the authentication context under
which the authentication value has been generated. The attribute is
an opaque sequence of octets in base64 encoding.
3.1.2. Attribute value=[base64(value)] (required)
The value attribute specifies the value resulting from applying the
authentication context and nonce (if present) to the specified scope.
3.1.3. Replay Attack Prevention Attributes
Three means of protection against replay attack are supported:
Challenge-Response Challenge response mechanisms are supported by
the nnonce and cnnonce attributes. The challenger specifies a new
nonce using the nnonce attribute which the responder MUST use to
calculate the authentication value. In the case that the nonce
value to be used cannot be determined by the context, an
authentication protocol MAY require the reponder to return the
value of the challenge nonce using the rnonce attribute.
This approach provides a very high degree of protection but is
limited to sequential protocols in which there is only one
exchange in progress at the same time.
Counter Counter based mechanisms are supported by the count
attribute. The value of a counter MUST increase for successive
transactions within the same transaction stream. Concurrency MAY
be supported by specifying multiple streams but this requires a
separate counter state to be maintained for each transaction
stream.
Hallam-Baker Expires May 18, 2013 [Page 9]
�
Internet-Draft HTTP Integrity Header November 2012
Time Time based approaches are supported by the time attribute. If
the value of the time attribute falls within the permitted
acceptance window, the message MAY be accepted. Otherwise the
message MUST be rejected.
Using a time based approach avoids the need to maintain state at
either the client or server. The principal disadvantage of this
approach being that the mechanism only protects against a replay
attack within a specific time.
Another disadvantage to the time based approach is that it relies
on the sender and receiver maintaining a tollerably close time
synchronization over the duration of the transaction and for the
latency introduced by the communication path being tollerably
small.
An authentication protocol MAY employ multiple replay attack
protection schemes within the same exchange. For example a time
based approach MAY be employed to perform an initial check before
retreiving the state information needed to validate a Counter or
Challenge Response based mechanism.
3.1.3.1. Attribute nnonce=[base64(value)], rnonce=[base64(value)]
The nnonce and rnonce attributes specify a nonce value to be used in
combination with a challenge-response mechanism defined by the
specified authentication context. The nnonce attribute is used to
specify a new nonce value, the rnonce attribute is used to specify a
returned nonce value.
3.1.3.2. Attribute count=[hex(stream),hex(count)]
Specifies a stream identifier and a count value that MUST increase
monotonically for successive messages with the same identifier. The
stream and count values are specified as hexadecimal encoded positive
integers.
3.1.3.2.1. Attribute time=[value]
Specifies a time value to be used in combination with the specified
authentication context. The format of the time value is determined
by the authentication context.
3.1.4. Scope Attributes
Scope attributes specify which parts of the message are
authenticated.
Hallam-Baker Expires May 18, 2013 [Page 10]
�
Internet-Draft HTTP Integrity Header November 2012
Separating the scope attribute from the authentication context
permits the scope of the authentication check to be declared to
intermediaries and allows the same authentication context to be used
to authenticate different portions of the HTTP message separately.
The scope is specified by the start, header and content attributes.
The order in which the scope attributes are specified is immaterial.
The scope is always constructed in the same order as the elements
occur in a HTTP message, i.e. start, headers and content.
3.1.4.1. Attribute content=[true|false]
If set true, the specified scope includes the message body. The
content transfer encoding (e.g. chunked) is ignored for the purpose
of determining the content.
3.1.4.2. Attribute start=[true|false]
If set true, the specified scope includes the message start line.
This being the request Line in the case of a request and the status
line in the case of a response.
3.1.4.3. Attribute header=[escaped(headers)]
Specifies HTTP headers to be included in the specified scope
following the escaped encoding defined in DKIM.
3.2. TLS Channel Binding Attributes
TLS channel binding is used to ensure that the HTTP session is
protected by TLS and to prevent man in the middle attacks against
TLS.
3.2.1. Attribute tlsu=[value]
Specifies the TLS unique channel binding as specified in [RFC5929].
3.2.2. Attribute tlss=[value]
Specifies the TLS server end point channel binding as specified in
[RFC5929].
3.3. Preparing the Input to the Authentication Algorithm
[Should specify how the content scope is assembles and how the replay
attack attributes are included within it.]
Hallam-Baker Expires May 18, 2013 [Page 11]
�
Internet-Draft HTTP Integrity Header November 2012
4. Security Considerations
4.1. Data outside the specified scope is not authenticated
The integrity check only extends to the portions of the message that
are within the specified scope.
4.2. Truncated Hash Algorithms
If the authentication context permits the use of a truncated MAC, it
MUST specify the minimum length of the MAC after truncation and
verifiers MUST reject MAC values shorter than that length as invalid.
4.3. Randomness of Secret Keys and nonces
The security of any cryptographic protocol relies on the difficulty
of guessing secret keys. Secret keys and nonces SHOULD be generated
using a mechanism that ensures that the range of possible values is
sufficiently large to prevent 'brute force' guessing attacks. For
more information see [RFC4086].
4.4. Weak Ciphers
Specification of the cryptographic algorithms used to construct the
Integrity header value is implicit in the authentication context
identifier and thus outside the scope of this specification.
5. IANA Considerations
Add the 'Integrity' header to the list of provisional HTTP headers.
[Upgrade if/when this becomes an RFC]
Create a registry for Integrity Header attributes. The initial
contents of the registry to be:
[Stuff from rest of document.]
6. References
6.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Hallam-Baker Expires May 18, 2013 [Page 12]
�
Internet-Draft HTTP Integrity Header November 2012
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2965] Kristol, D. and L. Montulli, "HTTP State Management
Mechanism", RFC 2965, October 2000.
[RFC4086] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", BCP 106, RFC 4086, June 2005.
[RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", RFC 5246, August 2008.
[RFC5929] Altman, J., Williams, N., and L. Zhu, "Channel Bindings
for TLS", RFC 5929, July 2010.
6.2. Non Normative References
[RFC3275] Eastlake, D., Reagle, J., and D. Solo, "(Extensible Markup
Language) XML-Signature Syntax and Processing", RFC 3275,
March 2002.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, September 2009.
Author's Address
Phillip Hallam-Baker
Comodo Group Inc.
Email: philliph@comodo.com
Hallam-Baker Expires May 18, 2013 [Page 13]
�
