HTTPBIS Working Group D. Schinazi
Internet-Draft Google LLC
Intended status: Standards Track D. Oliver
Expires: August 8, 2023 Guardian Project
J. Hoyland
Cloudflare Inc.
February 4, 2023
HTTP Unprompted Authentication
draft-ietf-httpbis-unprompted-auth-01
Abstract
Existing HTTP authentication mechanisms are probeable in the sense
that it is possible for an unauthenticated client to probe whether an
origin serves resources that require authentication. It is possible
for an origin to hide the fact that it requires authentication by not
generating Unauthorized status codes, however that only works with
non-cryptographic authentication schemes: cryptographic schemes (such
as signatures or message authentication codes) require a fresh nonce
to be signed, and there is no existing way for the origin to share
such a nonce without exposing the fact that it serves resources that
require authentication. This document proposes a new non-probeable
cryptographic authentication scheme.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
.
Discussion of this document takes place on the HTTP Working Group
mailing list (), which is archived at
. Working Group
information can be found at .
Source for this draft and an issue tracker can be found at
.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Schinazi, et al. Expires August 8, 2023 [Page 1]
Internet-Draft HTTP Unprompted Authentication February 2023
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 8, 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions and Definitions . . . . . . . . . . . . . . . 4
2. Computing the Authentication Proof . . . . . . . . . . . . . 4
3. Header Field Definition . . . . . . . . . . . . . . . . . . . 5
4. Authentication Parameters . . . . . . . . . . . . . . . . . . 5
4.1. The k Parameter . . . . . . . . . . . . . . . . . . . . . 5
4.2. The p Parameter . . . . . . . . . . . . . . . . . . . . . 5
4.3. The s Parameter . . . . . . . . . . . . . . . . . . . . . 5
4.4. The h Parameter . . . . . . . . . . . . . . . . . . . . . 5
5. Authentication Schemes . . . . . . . . . . . . . . . . . . . 6
5.1. Signature . . . . . . . . . . . . . . . . . . . . . . . . 6
5.2. HMAC . . . . . . . . . . . . . . . . . . . . . . . . . . 6
5.3. Other HTTP Authentication Schemes . . . . . . . . . . . . 7
6. Server Handling . . . . . . . . . . . . . . . . . . . . . . . 7
7. Intermediary Considerations . . . . . . . . . . . . . . . . . 7
8. Security Considerations . . . . . . . . . . . . . . . . . . . 8
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
9.1. Unprompted-Authentication Header Field . . . . . . . . . 8
9.2. HTTP Authentication Schemes Registry . . . . . . . . . . 9
Schinazi, et al. Expires August 8, 2023 [Page 2]
Internet-Draft HTTP Unprompted Authentication February 2023
9.3. TLS Keying Material Exporter Labels . . . . . . . . . . . 9
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 9
10.1. Normative References . . . . . . . . . . . . . . . . . . 9
10.2. Informative References . . . . . . . . . . . . . . . . . 10
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 11
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction
Existing HTTP authentication mechanisms (see Section 11 of [HTTP])
are probeable in the sense that it is possible for an unauthenticated
client to probe whether an origin serves resources that require
authentication. It is possible for an origin to hide the fact that
it requires authentication by not generating Unauthorized status
codes, however that only works with non-cryptographic authentication
schemes: cryptographic schemes (such as signatures or message
authentication codes) require a fresh nonce to be signed, and there
is no existing way for the origin to share such a nonce without
exposing the fact that it serves resources that require
authentication. This document proposes a new non-probeable
cryptographic authentication scheme.
Unprompted Authentication serves use cases in which a site wants to
offer a service or capability only to "those who know" while all
others are given no indication the service or capability exists. The
conceptual model is that of a "speakeasy". "Knowing" is via an
externally-defined mechanism by which keys are distributed. For
example, a company might offer remote employee access to company
services directly via its website using their employee credentials,
or offer access to limited special capabilities for specific
employees, while making discovering (probing for) such capabilities
difficult. Members of less well-defined communities might use more
ephemeral keys to acquire access to geography- or capability-specific
resources, as issued by an entity whose user base is larger than the
available resources can support (by having that entity metering the
availability of keys temporally or geographically). Unprompted
Authentication is also useful for cases where a service provider
wants to distribute user-provisioning information for its resources
without exposing the provisioning location to non-users.
There are scenarios where servers may want to expose the fact that
authentication is required for access to specific resources. This is
left for future work.
Schinazi, et al. Expires August 8, 2023 [Page 3]
Internet-Draft HTTP Unprompted Authentication February 2023
1.1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the following terminology from Section 3 of
[STRUCTURED-FIELDS] to specify syntax and parsing: Integer and Byte
Sequence.
2. Computing the Authentication Proof
This document only defines the Signature and HMAC authentication
schemes for uses of HTTP with TLS [TLS]. This includes any use of
HTTP over TLS as typically used for HTTP/2 [H2], or HTTP/3 [H3] where
the transport protocol uses TLS as its authentication and key
exchange mechanism [QUIC-TLS].
The user agent leverages a TLS keying material exporter [KEY-EXPORT]
to generate a nonce which can be signed using the chosen key. The
keying material exporter uses a label that starts with the characters
"EXPORTER-HTTP-Unprompted-Authentication-" (see Section 5 for the
labels and contexts used by each scheme). The TLS keying material
exporter is used to generate a 32-byte key which is then used as a
nonce.
Because the TLS keying material exporter is only secure for
authentication when it is uniquely bound to the TLS session
[RFC7627], the Signature and HMAC authentication schemes require
either one of the following properties:
o The TLS version in use is greater or equal to 1.3 [TLS].
o The TLS version in use is greater or equal to 1.2 and the Extended
Master Secret extension [RFC7627] has been negotiated.
Clients MUST NOT use the Signature and HMAC authentication schemes on
connections that do not meet one of the two properties above. If a
server receives a request that uses these authentication schemes on a
connection that meets neither of the above properties, the server
MUST treat the request as malformed.
Schinazi, et al. Expires August 8, 2023 [Page 4]
Internet-Draft HTTP Unprompted Authentication February 2023
3. Header Field Definition
The "Unprompted-Authentication" header field allows a user agent to
authenticate with an origin server. The authentication is scoped to
the HTTP request associated with this header field. The value of the
Unprompted-Authentication header field is a credentials object, as
defined in Section 11.4 of [HTTP]. Credentials contain an
authentication scheme followed by optional authentication parameters.
4. Authentication Parameters
This specification defines the following authentication parameters,
they can be used by the authentication schemes defined in Section 5.
4.1. The k Parameter
The OPTIONAL "k" (key ID) parameter is a byte sequence that
identifies which key the user agent wishes to use to authenticate.
This can for example be used to point to an entry into a server-side
database of known keys.
4.2. The p Parameter
The OPTIONAL "p" (proof) parameter is a byte sequence that specifies
the proof that the user agent provides to attest to possessing the
credential that matches its key ID.
4.3. The s Parameter
The OPTIONAL "s" (signature) parameter is an integer that specifies
the signature algorithm used to compute the proof transmitted in the
"p" directive. Its value is an integer between 0 and 255 inclusive
from the IANA "TLS SignatureAlgorithm" registry maintained at
<>.
4.4. The h Parameter
The OPTIONAL "h" (hash) parameter is an integer that specifies the
hash algorithm used to compute the proof transmitted in the "p"
directive. Its value is an integer between 0 and 255 inclusive from
the IANA "TLS HashAlgorithm" registry maintained at
<>.
Schinazi, et al. Expires August 8, 2023 [Page 5]
Internet-Draft HTTP Unprompted Authentication February 2023
5. Authentication Schemes
This document defines the "Signature" and "HMAC" HTTP authentication
schemes.
5.1. Signature
The "Signature" HTTP Authentication Scheme uses asymmetric
cryptography. User agents possess a key ID and a public/private key
pair, and origin servers maintain a mapping of authorized key IDs to
their associated public keys. When using this scheme, the "k", "p",
and "s" parameters are REQUIRED. The TLS keying material export
label for this scheme is "EXPORTER-HTTP-Unprompted-Authentication-
Signature" and the associated context is empty. The nonce is then
signed using the selected asymmetric signature algorithm and
transmitted as the proof directive.
For example, the key ID "basement" authenticating using Ed25519
[ED25519] could produce the following header field (lines are folded
to fit):
Unprompted-Authentication: Signature k=:YmFzZW1lbnQ=:;s=7;
p=:SW5zZXJ0IHNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo
aWNoIHRha2VzIDUxMiBiaXRzIGZvciBFZDI1NTE5IQ==:
5.2. HMAC
The "HMAC" HTTP Authentication Scheme uses symmetric cryptography.
User agents possess a key ID and a secret key, and origin servers
maintain a mapping of authorized key IDs to their associated secret
key. When using this scheme, the "k", "p", and "h" parameters are
REQUIRED. The TLS keying material export label for this scheme is
"EXPORTER-HTTP-Unprompted-Authentication-HMAC" and the associated
context is empty. The nonce is then HMACed using the selected HMAC
algorithm and transmitted as the proof directive.
For example, the key ID "basement" authenticating using HMAC-SHA-512
[SHA] could produce the following header field (lines are folded to
fit):
Unprompted-Authentication: HMAC k="YmFzZW1lbnQ=";h=6;
p="SW5zZXJ0IEhNQUMgb2Ygbm9uY2UgaGVyZSB3aGljaCB0YWtl
cyA1MTIgYml0cyBmb3IgU0hBLTUxMiEhISEhIQ=="
Schinazi, et al. Expires August 8, 2023 [Page 6]
Internet-Draft HTTP Unprompted Authentication February 2023
5.3. Other HTTP Authentication Schemes
The HTTP Authentication Scheme registry maintained by IANA at
<> contains entries not defined in this document.
Those entries MAY be used with Unprompted Authentication.
6. Server Handling
Servers that wish to introduce resources whose existence cannot be
probed need to ensure that they do not reveal any information about
those resources to unauthenticated clients. In particular, such
servers MUST respond to authentication failures with the exact same
response that they would have used for non-existent resources. For
example, this can mean using HTTP status code 404 (Not Found) instead
of 401 (Unauthorized). Such authentication failures can be caused
for example by: * absence of the Unprompted-Authentication field *
failure to parse the Unprompted-Authentication field * use of
Unprompted Authentication with an unknown key ID * failure to
validate the signature or MAC.
Such servers MUST also ensure that the timing of their request
handling does not leak any information. This can be accomplished by
delaying responses to all non-existent resources such that the timing
of the authentication verification is not observable.
7. Intermediary Considerations
Since the Signature and HMAC HTTP Authentication Schemes leverage TLS
keying material exporters, their output cannot be transparently
forwarded by HTTP intermediaries. HTTP intermediaries that support
this specification have two options:
o The intermediary can validate the authentication received from the
client, then inform the upstream HTTP server of the presence of
valid authentication.
o The intermediary can export the nonce (see Section 2}), and
forward it to the upstream HTTP server, then the upstream server
performs the validation.
The mechanism for the intermediary to communicate this information to
the upstream HTTP server is out of scope for this document.
Schinazi, et al. Expires August 8, 2023 [Page 7]
Internet-Draft HTTP Unprompted Authentication February 2023
8. Security Considerations
Unprompted Authentication allows a user agent to authenticate to an
origin server while guaranteeing freshness and without the need for
the server to transmit a nonce to the user agent. This allows the
server to accept authenticated clients without revealing that it
supports or expects authentication for some resources. It also
allows authentication without the user agent leaking the presence of
authentication to observers due to clear-text TLS Client Hello
extensions.
The authentication proofs described in this document are not bound to
individual HTTP requests; if the key is used for authentication
proofs on multiple requests they will all be identical. This allows
for better compression when sending over the wire, but implies that
client implementations that multiplex different security contexts
over a single HTTP connection need to ensure that those contexts
cannot read each other's header fields. Otherwise, one context would
be able to replay the unprompted authentication header field of
another. This constraint is met by modern Web browsers. If an
attacker were to compromise the browser such that it could access
another context's memory, the attacker might also be able to access
the corresponding key, so binding authentication to requests would
not provide much benefit in practice.
Key material used for authentication in unprompted authentication,
whether symmetric or asymmetric MUST NOT be reused in other
protocols. Doing so can undermine the security guarantees of the
authentication.
Sites offering Unprompted Authentication are able to link requests
that use the same key for the Authentication Schemes provided.
However, requests are not linkable across other sites if the keys
used are private to the individual sites using Unprompted
Authentication.
9. IANA Considerations
9.1. Unprompted-Authentication Header Field
This document will request IANA to register the following entry in
the "HTTP Field Name" registry maintained at
<>:
Field Name: Unprompted-Authentication
Template: None
Status: provisional (permanent if this document is approved)
Reference: This document
Schinazi, et al. Expires August 8, 2023 [Page 8]
Internet-Draft HTTP Unprompted Authentication February 2023
Comments: None
9.2. HTTP Authentication Schemes Registry
This document, if approved, requests IANA to add two new entries to
the "HTTP Authentication Schemes" Registry maintained at
<>. Both entries
have the Reference set to this document, and the Notes empty. The
Authentication Scheme Name of the entries are:
o Signature
o HMAC
9.3. TLS Keying Material Exporter Labels
This document, if approved, requests IANA to register the following
entries in the "TLS Exporter Labels" registry maintained at
<>:
o EXPORTER-HTTP-Unprompted-Authentication-Signature
o EXPORTER-HTTP-Unprompted-Authentication-HMAC
Both of these entries are listed with the following qualifiers:
DTLS-OK: N
Recommended: Y
Reference: This document
10. References
10.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
.
[KEY-EXPORT]
Rescorla, E., "Keying Material Exporters for Transport
Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
March 2010, .
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
Schinazi, et al. Expires August 8, 2023 [Page 9]
Internet-Draft HTTP Unprompted Authentication February 2023
[RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
Langley, A., and M. Ray, "Transport Layer Security (TLS)
Session Hash and Extended Master Secret Extension",
RFC 7627, DOI 10.17487/RFC7627, September 2015,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
[STRUCTURED-FIELDS]
Nottingham, M. and P. Kamp, "Structured Field Values for
HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021,
.
[TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
.
10.2. Informative References
[ED25519] Josefsson, S. and J. Schaad, "Algorithm Identifiers for
Ed25519, Ed448, X25519, and X448 for Use in the Internet
X.509 Public Key Infrastructure", RFC 8410,
DOI 10.17487/RFC8410, August 2018,
.
[H2] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
DOI 10.17487/RFC9113, June 2022,
.
[H3] Bishop, M., Ed., "HTTP/3", RFC 9114, DOI 10.17487/RFC9114,
June 2022, .
[QUIC-TLS]
Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure
QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021,
.
[SHA] Eastlake 3rd, D. and T. Hansen, "US Secure Hash Algorithms
(SHA and SHA-based HMAC and HKDF)", RFC 6234,
DOI 10.17487/RFC6234, May 2011,
.
Schinazi, et al. Expires August 8, 2023 [Page 10]
Internet-Draft HTTP Unprompted Authentication February 2023
Acknowledgments
The authors would like to thank many members of the IETF community,
as this document is the fruit of many hallway conversations. Ben
Schwartz contributed ideas to this document.
Authors' Addresses
David Schinazi
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
United States of America
Email: dschinazi.ietf@gmail.com
David M. Oliver
Guardian Project
Email: david@guardianproject.info
URI: https://guardianproject.info
Jonathan Hoyland
Cloudflare Inc.
Email: jonathan.hoyland@gmail.com
Schinazi, et al. Expires August 8, 2023 [Page 11]