HTTPBIS Working Group D. Schinazi
Internet-Draft Google LLC
Intended status: Standards Track D. Oliver
Expires: December 30, 2023 Guardian Project
J. Hoyland
Cloudflare Inc.
June 28, 2023
The Signature HTTP Authentication Scheme
draft-ietf-httpbis-unprompted-auth-03
Abstract
Existing HTTP authentication schemes are probeable in the sense that
it is possible for an unauthenticated client to probe whether an
origin serves resources that require authentication. It is possible
for an origin to hide the fact that it requires authentication by not
generating Unauthorized status codes, however that only works with
non-cryptographic authentication schemes: cryptographic signatures
require a fresh nonce to be signed, and there is no existing way for
the origin to share such a nonce without exposing the fact that it
serves resources that require authentication. This document proposes
a new non-probeable cryptographic authentication scheme.
About This Document
This note is to be removed before publishing as an RFC.
Status information for this document may be found at
.
Discussion of this document takes place on the HTTP Working Group
mailing list (), which is archived at
. Working Group
information can be found at .
Source for this draft and an issue tracker can be found at
.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
Schinazi, et al. Expires December 30, 2023 [Page 1]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 30, 2023.
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions and Definitions . . . . . . . . . . . . . . . 3
2. The Signature Authentication Scheme . . . . . . . . . . . . . 4
3. Computing the Authentication Proof . . . . . . . . . . . . . 4
3.1. Key Exporter Context . . . . . . . . . . . . . . . . . . 4
3.2. Key Exporter Output . . . . . . . . . . . . . . . . . . . 6
3.3. Signature Computation . . . . . . . . . . . . . . . . . . 6
4. Authentication Parameters . . . . . . . . . . . . . . . . . . 7
4.1. The k Parameter . . . . . . . . . . . . . . . . . . . . . 7
4.2. The p Parameter . . . . . . . . . . . . . . . . . . . . . 7
4.3. The s Parameter . . . . . . . . . . . . . . . . . . . . . 7
4.4. The v Parameter . . . . . . . . . . . . . . . . . . . . . 7
5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
6. Non-Probeable Server Handling . . . . . . . . . . . . . . . . 8
7. Intermediary Considerations . . . . . . . . . . . . . . . . . 8
8. Security Considerations . . . . . . . . . . . . . . . . . . . 9
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
9.1. HTTP Authentication Schemes Registry . . . . . . . . . . 9
9.2. TLS Keying Material Exporter Labels . . . . . . . . . . . 10
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 10
10.1. Normative References . . . . . . . . . . . . . . . . . . 10
Schinazi, et al. Expires December 30, 2023 [Page 2]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
10.2. Informative References . . . . . . . . . . . . . . . . . 11
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 12
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 12
1. Introduction
HTTP authentication schemes (see Section 11 of [HTTP]) allow origins
to restrict access for some resources to only authenticated requests.
While these schemes commonly involve a challenge where the origin
asks the client to provide authentication information, it is possible
for clients to send such information unprompted. This is
particularly useful in cases where an origin wants to offer a service
or capability only to "those who know" while all others are given no
indication the service or capability exists. Such designs rely on an
externally-defined mechanism by which keys are distributed. For
example, a company might offer remote employee access to company
services directly via its website using their employee credentials,
or offer access to limited special capabilities for specific
employees, while making discovering (probing for) such capabilities
difficult. Members of less well-defined communities might use more
ephemeral keys to acquire access to geography- or capability-specific
resources, as issued by an entity whose user base is larger than the
available resources can support (by having that entity metering the
availability of keys temporally or geographically).
While digital-signature-based HTTP authentication schemes already
exist ([HOBA]), they rely on the origin explicitly sending a fresh
challenge to the client, to ensure that the signature input is fresh.
That makes the origin probeable as it send the challenge to
unauthenticated clients. This document defines a new signature-based
authentication scheme that is not probeable.
1.1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
This document uses the following terminology from Section 3 of
[STRUCTURED-FIELDS] to specify syntax and parsing: Integer and Byte
Sequence. This document uses the notation from Section 1.3 of
[QUIC].
Schinazi, et al. Expires December 30, 2023 [Page 3]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
2. The Signature Authentication Scheme
This document defines the "Signature" HTTP authentication scheme. It
uses asymmetric cryptography. User agents possess a key ID and a
public/private key pair, and origin servers maintain a mapping of
authorized key IDs to their associated public keys.
This authentication scheme is only defined for uses of HTTP with TLS
[TLS]. This includes any use of HTTP over TLS as typically used for
HTTP/2 [H2], or HTTP/3 [H3] where the transport protocol uses TLS as
its authentication and key exchange mechanism [QUIC-TLS].
Because the TLS keying material exporter is only secure for
authentication when it is uniquely bound to the TLS session
[RFC7627], the Signature authentication scheme requires either one of
the following properties:
o The TLS version in use is greater or equal to 1.3 [TLS].
o The TLS version in use is 1.2 and the Extended Master Secret
extension [RFC7627] has been negotiated.
Clients MUST NOT use the Signature authentication scheme on
connections that do not meet one of the two properties above. If a
server receives a request that uses this authentication scheme on a
connection that meets neither of the above properties, the server
MUST treat the request as malformed.
3. Computing the Authentication Proof
The user agent computes the authentication proof using a TLS keying
material exporter [KEY-EXPORT] with the following parameters:
o the label is set to "EXPORTER-HTTP-Signature-Authentication"
o the context is set to the structure described in Section 3.1
o the exporter output length is set to 48 bytes (see Section 3.2)
3.1. Key Exporter Context
The TLS key exporter context is described in Figure 1:
Schinazi, et al. Expires December 30, 2023 [Page 4]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
Signature Algorithm (16),
Key ID Length (i),
Key ID (..),
Scheme Length (i),
Scheme (..),
Host Length (i),
Host (..),
Port (16),
Realm Length (i),
Realm (..),
Figure 1: Key Exporter Context Format
The key exporter context contains the following fields:
Signature Algorithm: The signature scheme sent in the "p" Parameter
(see Section 4.3).
Key ID: The key ID sent in the "k" Parameter (see Section 4.1).
Scheme: The scheme for this request, encoded using the format of the
scheme portion of a URI as defined in Section 3.1 of [URI].
Host: The host for this request, encoded using the format of the
host portion of a URI as defined in Section 3.2.2 of [URI].
Port: The port for this request.
Realm: The real of authentication that is sent in the realm
authentication parameter (Section 11.5 of [HTTP]). If the realm
authentication parameter is not present, this SHALL be empty.
This document does not define a means for the origin to
communicate a realm to the client. If a client is not configured
to use a specific realm, it SHALL use an empty realm and SHALL NOT
send the realm authentication parameter.
The Signature Algorithm and Port fields are encoded as unsigned
16-bit integers in network byte order. The Key ID, Scheme, Host, and
Real fields are length prefixed strings; they are preceded by a
Length field that represents their length in bytes. These length
fields are encoded using the variable-length integer encoding from
Section 16 of [QUIC] and MUST be encoded in the minimum number of
bytes necessary.
Schinazi, et al. Expires December 30, 2023 [Page 5]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
3.2. Key Exporter Output
The key exporter output is 48 bytes long. Of those, the first 32
bytes are part of the input to the signature and the next 16 bytes
are sent alongside the signature. This allows the recipient to
confirm that the exporter produces the right values. This is
described in Figure 2:
Signature Input (256),
Verification (128),
Figure 2: Key Exporter Output Format
The key exporter context contains the following fields:
Signature Input: This is part of the data signed using the client's
chosen asymmetric private key (see Section 3.3).
Verification: The verification is transmitted to the server using
the v Parameter (see Section 4.4).
3.3. Signature Computation
Once the Signature Input has been extracted from the key exporter
output (see Section 3.2), it is prefixed with static data before
being signed to mitigate issues caused by key reuse. The signature
is computed over the concatenation of:
o A string that consists of octet 32 (0x20) repeated 64 times
o The context string "HTTP Signature Authentication"
o A single 0 byte which serves as a separator
o The Signature Input extracted from the key exporter output (see
Section 3.2)
For example, if the Signature Input has all its 32 bytes set to 01,
the content covered by the signature (in hexadecimal format) would
be:
2020202020202020202020202020202020202020202020202020202020202020
2020202020202020202020202020202020202020202020202020202020202020
48545450205369676E61747572652041757468656E7469636174696F6E
00
0101010101010101010101010101010101010101010101010101010101010101
Schinazi, et al. Expires December 30, 2023 [Page 6]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
This constructions mirrors that of the TLS 1.3 CertificateVerify
message defined in Section 4.4.3 of [TLS].
The resulting signature is then transmitted to the server using the
"p" Parameter (see Section 4.2).
4. Authentication Parameters
This specification defines the following authentication parameters.
These parameters use structured fields ([STRUCTURED-FIELDS]) in their
definition, even though the Authorization field itself does not use
structured fields.
4.1. The k Parameter
The REQUIRED "k" (key ID) parameter is a byte sequence that
identifies which key the user agent wishes to use to authenticate.
This can for example be used to point to an entry into a server-side
database of known keys.
4.2. The p Parameter
The REQUIRED "p" (proof) parameter is a byte sequence that specifies
the proof that the user agent provides to attest to possessing the
credential that matches its key ID.
4.3. The s Parameter
The REQUIRED "s" (signature) parameter is an integer that specifies
the signature scheme used to compute the proof transmitted in the "p"
directive. Its value is an integer between 0 and 65535 inclusive
from the IANA "TLS SignatureScheme" registry maintained at
<>.
4.4. The v Parameter
The REQUIRED "v" (verification) parameter is a byte sequence that
specifies the verification that the user agent provides to attest to
possessing the key exporter output. This avoids issues with
signature schemes where certain keys can generate signatures that are
valid for multiple inputs (see [SEEMS-LEGIT]).
5. Example
For example, the key ID "basement" authenticating using Ed25519
[ED25519] could produce the following header field (lines are folded
to fit):
Schinazi, et al. Expires December 30, 2023 [Page 7]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
Authorization: Signature k=:YmFzZW1lbnQ=:;s=2055;
v=:dmVyaWZpY2F0aW9uXzE2Qg==:;
p=:SW5zZXJ0IHNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo
aWNoIHRha2VzIDUxMiBiaXRzIGZvciBFZDI1NTE5IQ==:
6. Non-Probeable Server Handling
Servers that wish to introduce resources whose existence cannot be
probed need to ensure that they do not reveal any information about
those resources to unauthenticated clients. In particular, such
servers MUST respond to authentication failures with the exact same
response that they would have used for non-existent resources. For
example, this can mean using HTTP status code 404 (Not Found) instead
of 401 (Unauthorized). Such authentication failures can be caused
for example by: * absence of the Authorization field * failure to
parse the Authorization field * use of the Signature authentication
scheme with an unknown key ID * failure to validate the verification
parameter * failure to validate the signature.
Such servers MUST also ensure that the timing of their request
handling does not leak any information. This can be accomplished by
delaying responses to all non-existent resources such that the timing
of the authentication verification is not observable.
7. Intermediary Considerations
Since the Signature HTTP authentication scheme leverages TLS keying
material exporters, its output cannot be transparently forwarded by
HTTP intermediaries. HTTP intermediaries that support this
specification have two options:
o The intermediary can validate the authentication received from the
client, then inform the upstream HTTP server of the presence of
valid authentication.
o The intermediary can export the Signature Input and Verification
(see Section 3.2}), and forward it to the upstream HTTP server,
then the upstream server performs the validation.
The mechanism for the intermediary to communicate this information to
the upstream HTTP server is out of scope for this document.
Note that both of these mechanisms require the upstream HTTP server
to trust the intermediary. This is usually the case because the
intermediary already needs access to the TLS certificate private key
in order to respond to requests.
Schinazi, et al. Expires December 30, 2023 [Page 8]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
8. Security Considerations
The Signature HTTP authentication scheme allows a user agent to
authenticate to an origin server while guaranteeing freshness and
without the need for the server to transmit a nonce to the user
agent. This allows the server to accept authenticated clients
without revealing that it supports or expects authentication for some
resources. It also allows authentication without the user agent
leaking the presence of authentication to observers due to clear-text
TLS Client Hello extensions.
The authentication proofs described in this document are not bound to
individual HTTP requests; if the key is used for authentication
proofs on multiple requests on the same connection, they will all be
identical. This allows for better compression when sending over the
wire, but implies that client implementations that multiplex
different security contexts over a single HTTP connection need to
ensure that those contexts cannot read each other's header fields.
Otherwise, one context would be able to replay the Authorization
header field of another. This constraint is met by modern Web
browsers. If an attacker were to compromise the browser such that it
could access another context's memory, the attacker might also be
able to access the corresponding key, so binding authentication to
requests would not provide much benefit in practice.
Key material used for the Signature HTTP authentication scheme MUST
NOT be reused in other protocols. Doing so can undermine the
security guarantees of the authentication.
Origins offering this scheme can link requests that use the same key.
However, requests are not linkable across origins if the keys used
are specific to the individual origins using this scheme.
9. IANA Considerations
9.1. HTTP Authentication Schemes Registry
This document, if approved, requests IANA to register the following
entry in the "HTTP Authentication Schemes" Registry maintained at
<>:
Authentication Scheme Name: Signature
Reference: This document
Notes: None
Schinazi, et al. Expires December 30, 2023 [Page 9]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
9.2. TLS Keying Material Exporter Labels
This document, if approved, requests IANA to register the following
entry in the "TLS Exporter Labels" registry maintained at
<>:
Value: EXPORTER-HTTP-Signature-Authentication
DTLS-OK: N
Recommended: Y
Reference: This document
10. References
10.1. Normative References
[HTTP] Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
Ed., "HTTP Semantics", STD 97, RFC 9110,
DOI 10.17487/RFC9110, June 2022,
.
[KEY-EXPORT]
Rescorla, E., "Keying Material Exporters for Transport
Layer Security (TLS)", RFC 5705, DOI 10.17487/RFC5705,
March 2010, .
[QUIC] Iyengar, J., Ed. and M. Thomson, Ed., "QUIC: A UDP-Based
Multiplexed and Secure Transport", RFC 9000,
DOI 10.17487/RFC9000, May 2021,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
.
[RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
Langley, A., and M. Ray, "Transport Layer Security (TLS)
Session Hash and Extended Master Secret Extension",
RFC 7627, DOI 10.17487/RFC7627, September 2015,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, .
Schinazi, et al. Expires December 30, 2023 [Page 10]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
[STRUCTURED-FIELDS]
Nottingham, M. and P. Kamp, "Structured Field Values for
HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021,
.
[TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
.
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005,
.
10.2. Informative References
[ED25519] Josefsson, S. and J. Schaad, "Algorithm Identifiers for
Ed25519, Ed448, X25519, and X448 for Use in the Internet
X.509 Public Key Infrastructure", RFC 8410,
DOI 10.17487/RFC8410, August 2018,
.
[H2] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
DOI 10.17487/RFC9113, June 2022,
.
[H3] Bishop, M., Ed., "HTTP/3", RFC 9114, DOI 10.17487/RFC9114,
June 2022, .
[HOBA] Farrell, S., Hoffman, P., and M. Thomas, "HTTP Origin-
Bound Authentication (HOBA)", RFC 7486,
DOI 10.17487/RFC7486, March 2015,
.
[MASQUE-ORIGINAL]
Schinazi, D., "The MASQUE Protocol", draft-schinazi-
masque-00 (work in progress), February 2019.
[QUIC-TLS]
Thomson, M., Ed. and S. Turner, Ed., "Using TLS to Secure
QUIC", RFC 9001, DOI 10.17487/RFC9001, May 2021,
.
Schinazi, et al. Expires December 30, 2023 [Page 11]
Internet-Draft The Signature HTTP Authentication Scheme June 2023
[SEEMS-LEGIT]
Jackson, D., Cremers, C., Cohn-Gordon, K., and R. Sasse,
"Seems Legit: Automated Analysis of Subtle Attacks on
Protocols That Use Signatures",
DOI 10.1145/3319535.3339813, CCS '19: Proceedings of the
2019 ACM SIGSAC Conference on Computer and Communications
Security, pp. 2165-2180, 2019.
Acknowledgments
The authors would like to thank many members of the IETF community,
as this document is the fruit of many hallway conversations. In
particular, the authors would like to thank Nick Harper, Dennis
Jackson, Ilari Liusvaara, Justin Richer, Ben Schwartz, Martin
Thomson, and Chris Wood for their reviews and contributions. The
mechanism described in this document was originally part of the first
iteration of MASQUE [MASQUE-ORIGINAL].
Authors' Addresses
David Schinazi
Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
United States of America
Email: dschinazi.ietf@gmail.com
David M. Oliver
Guardian Project
Email: david@guardianproject.info
URI: https://guardianproject.info
Jonathan Hoyland
Cloudflare Inc.
Email: jonathan.hoyland@gmail.com
Schinazi, et al. Expires December 30, 2023 [Page 12]