HTTPBIS Working Group | D. Schinazi |
Internet-Draft | Google LLC |
Intended status: Standards Track | D. Oliver |
Expires: December 30, 2023 | Guardian Project |
J. Hoyland | |
Cloudflare Inc. | |
June 28, 2023 |
Existing HTTP authentication schemes are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic signatures require a fresh nonce to be signed, and there is no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme.¶
This note is to be removed before publishing as an RFC.¶
Status information for this document may be found at <https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/>.¶
Discussion of this document takes place on the HTTP Working Group mailing list (<mailto:ietf-http-wg@w3.org>), which is archived at <https://lists.w3.org/Archives/Public/ietf-http-wg/>. Working Group information can be found at <https://httpwg.org/>.¶
Source for this draft and an issue tracker can be found at <https://github.com/httpwg/http-extensions/labels/unprompted-auth>.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as “work in progress”.¶
This Internet-Draft will expire on December 30, 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
HTTP authentication schemes (see Section 11 of [HTTP]) allow origins to restrict access for some resources to only authenticated requests. While these schemes commonly involve a challenge where the origin asks the client to provide authentication information, it is possible for clients to send such information unprompted. This is particularly useful in cases where an origin wants to offer a service or capability only to "those who know" while all others are given no indication the service or capability exists. Such designs rely on an externally-defined mechanism by which keys are distributed. For example, a company might offer remote employee access to company services directly via its website using their employee credentials, or offer access to limited special capabilities for specific employees, while making discovering (probing for) such capabilities difficult. Members of less well-defined communities might use more ephemeral keys to acquire access to geography- or capability-specific resources, as issued by an entity whose user base is larger than the available resources can support (by having that entity metering the availability of keys temporally or geographically).¶
While digital-signature-based HTTP authentication schemes already exist ([HOBA]), they rely on the origin explicitly sending a fresh challenge to the client, to ensure that the signature input is fresh. That makes the origin probeable as it send the challenge to unauthenticated clients. This document defines a new signature-based authentication scheme that is not probeable.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the following terminology from Section 3 of [STRUCTURED-FIELDS] to specify syntax and parsing: Integer and Byte Sequence. This document uses the notation from Section 1.3 of [QUIC].¶
This document defines the "Signature" HTTP authentication scheme. It uses asymmetric cryptography. User agents possess a key ID and a public/private key pair, and origin servers maintain a mapping of authorized key IDs to their associated public keys.¶
This authentication scheme is only defined for uses of HTTP with TLS [TLS]. This includes any use of HTTP over TLS as typically used for HTTP/2 [HTTP/2], or HTTP/3 [HTTP/3] where the transport protocol uses TLS as its authentication and key exchange mechanism [QUIC-TLS].¶
Because the TLS keying material exporter is only secure for authentication when it is uniquely bound to the TLS session [RFC7627], the Signature authentication scheme requires either one of the following properties:¶
Clients MUST NOT use the Signature authentication scheme on connections that do not meet one of the two properties above. If a server receives a request that uses this authentication scheme on a connection that meets neither of the above properties, the server MUST treat the request as malformed.¶
The user agent computes the authentication proof using a TLS keying material exporter [KEY-EXPORT] with the following parameters:¶
Signature Algorithm (16), Key ID Length (i), Key ID (..), Scheme Length (i), Scheme (..), Host Length (i), Host (..), Port (16), Realm Length (i), Realm (..),
Figure 1: Key Exporter Context Format
The key exporter context contains the following fields:¶
The Signature Algorithm and Port fields are encoded as unsigned 16-bit integers in network byte order. The Key ID, Scheme, Host, and Real fields are length prefixed strings; they are preceded by a Length field that represents their length in bytes. These length fields are encoded using the variable-length integer encoding from Section 16 of [QUIC] and MUST be encoded in the minimum number of bytes necessary.¶
The key exporter output is 48 bytes long. Of those, the first 32 bytes are part of the input to the signature and the next 16 bytes are sent alongside the signature. This allows the recipient to confirm that the exporter produces the right values. This is described in Figure 2:¶
Signature Input (256), Verification (128),
Figure 2: Key Exporter Output Format
The key exporter context contains the following fields:¶
Once the Signature Input has been extracted from the key exporter output (see Section 3.2), it is prefixed with static data before being signed to mitigate issues caused by key reuse. The signature is computed over the concatenation of:¶
For example, if the Signature Input has all its 32 bytes set to 01, the content covered by the signature (in hexadecimal format) would be:¶
2020202020202020202020202020202020202020202020202020202020202020 2020202020202020202020202020202020202020202020202020202020202020 48545450205369676E61747572652041757468656E7469636174696F6E 00 0101010101010101010101010101010101010101010101010101010101010101
This constructions mirrors that of the TLS 1.3 CertificateVerify message defined in Section 4.4.3 of [TLS].¶
The resulting signature is then transmitted to the server using the p Parameter (see Section 4.2).¶
This specification defines the following authentication parameters. These parameters use structured fields ([STRUCTURED-FIELDS]) in their definition, even though the Authorization field itself does not use structured fields.¶
The REQUIRED "k" (key ID) parameter is a byte sequence that identifies which key the user agent wishes to use to authenticate. This can for example be used to point to an entry into a server-side database of known keys.¶
The REQUIRED "p" (proof) parameter is a byte sequence that specifies the proof that the user agent provides to attest to possessing the credential that matches its key ID.¶
The REQUIRED "s" (signature) parameter is an integer that specifies the signature scheme used to compute the proof transmitted in the "p" directive. Its value is an integer between 0 and 65535 inclusive from the IANA "TLS SignatureScheme" registry maintained at <https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme>.¶
The REQUIRED "v" (verification) parameter is a byte sequence that specifies the verification that the user agent provides to attest to possessing the key exporter output. This avoids issues with signature schemes where certain keys can generate signatures that are valid for multiple inputs (see [SEEMS-LEGIT]).¶
For example, the key ID "basement" authenticating using Ed25519 [ED25519] could produce the following header field (lines are folded to fit):¶
Authorization: Signature k=:YmFzZW1lbnQ=:;s=2055; v=:dmVyaWZpY2F0aW9uXzE2Qg==:; p=:SW5zZXJ0IHNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo aWNoIHRha2VzIDUxMiBiaXRzIGZvciBFZDI1NTE5IQ==:
Servers that wish to introduce resources whose existence cannot be probed need to ensure that they do not reveal any information about those resources to unauthenticated clients. In particular, such servers MUST respond to authentication failures with the exact same response that they would have used for non-existent resources. For example, this can mean using HTTP status code 404 (Not Found) instead of 401 (Unauthorized). Such authentication failures can be caused for example by: * absence of the Authorization field * failure to parse the Authorization field * use of the Signature authentication scheme with an unknown key ID * failure to validate the verification parameter * failure to validate the signature.¶
Such servers MUST also ensure that the timing of their request handling does not leak any information. This can be accomplished by delaying responses to all non-existent resources such that the timing of the authentication verification is not observable.¶
Since the Signature HTTP authentication scheme leverages TLS keying material exporters, its output cannot be transparently forwarded by HTTP intermediaries. HTTP intermediaries that support this specification have two options:¶
The mechanism for the intermediary to communicate this information to the upstream HTTP server is out of scope for this document.¶
Note that both of these mechanisms require the upstream HTTP server to trust the intermediary. This is usually the case because the intermediary already needs access to the TLS certificate private key in order to respond to requests.¶
The Signature HTTP authentication scheme allows a user agent to authenticate to an origin server while guaranteeing freshness and without the need for the server to transmit a nonce to the user agent. This allows the server to accept authenticated clients without revealing that it supports or expects authentication for some resources. It also allows authentication without the user agent leaking the presence of authentication to observers due to clear-text TLS Client Hello extensions.¶
The authentication proofs described in this document are not bound to individual HTTP requests; if the key is used for authentication proofs on multiple requests on the same connection, they will all be identical. This allows for better compression when sending over the wire, but implies that client implementations that multiplex different security contexts over a single HTTP connection need to ensure that those contexts cannot read each other's header fields. Otherwise, one context would be able to replay the Authorization header field of another. This constraint is met by modern Web browsers. If an attacker were to compromise the browser such that it could access another context's memory, the attacker might also be able to access the corresponding key, so binding authentication to requests would not provide much benefit in practice.¶
Key material used for the Signature HTTP authentication scheme MUST NOT be reused in other protocols. Doing so can undermine the security guarantees of the authentication.¶
Origins offering this scheme can link requests that use the same key. However, requests are not linkable across origins if the keys used are specific to the individual origins using this scheme.¶
This document, if approved, requests IANA to register the following entry in the "HTTP Authentication Schemes" Registry maintained at <https://www.iana.org/assignments/http-authschemes>:¶
This document, if approved, requests IANA to register the following entry in the "TLS Exporter Labels" registry maintained at <https://www.iana.org/assignments/tls-parameters#exporter-labels>:¶
The authors would like to thank many members of the IETF community, as this document is the fruit of many hallway conversations. In particular, the authors would like to thank Nick Harper, Dennis Jackson, Ilari Liusvaara, Justin Richer, Ben Schwartz, Martin Thomson, and Chris Wood for their reviews and contributions. The mechanism described in this document was originally part of the first iteration of MASQUE [MASQUE-ORIGINAL].¶