draft-ietf-httpbis-unprompted-auth-10.txt   draft-ietf-httpbis-unprompted-auth-latest.txt 
HTTPBIS Working Group D. Schinazi HTTPBIS Working Group D. Schinazi
Internet-Draft Google LLC Internet-Draft Google LLC
Intended status: Standards Track D. Oliver Intended status: Standards Track D. Oliver
Expires: March 1, 2025 Guardian Project Expires: March 15, 2025 Guardian Project
J. Hoyland J. Hoyland
Cloudflare Inc. Cloudflare Inc.
August 28, 2024 September 11, 2024
The Concealed HTTP Authentication Scheme The Concealed HTTP Authentication Scheme
draft-ietf-httpbis-unprompted-auth-10 draft-ietf-httpbis-unprompted-auth-latest
Abstract Abstract
Most HTTP authentication schemes are probeable in the sense that it Most HTTP authentication schemes are probeable in the sense that it
is possible for an unauthenticated client to probe whether an origin is possible for an unauthenticated client to probe whether an origin
serves resources that require authentication. It is possible for an serves resources that require authentication. It is possible for an
origin to hide the fact that it requires authentication by not origin to hide the fact that it requires authentication by not
generating Unauthorized status codes, however that only works with generating Unauthorized status codes, however that only works with
non-cryptographic authentication schemes: cryptographic signatures non-cryptographic authentication schemes: cryptographic signatures
require a fresh nonce to be signed. At the time of writing, there require a fresh nonce to be signed. Prior to this document, there
was no existing way for the origin to share such a nonce without was no existing way for the origin to share such a nonce without
exposing the fact that it serves resources that require exposing the fact that it serves resources that require
authentication. This document proposes a new non-probeable authentication. This document defines a new non-probeable
cryptographic authentication scheme. cryptographic authentication scheme.
About This Document About This Document
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at The latest revision of this draft can be found at
<https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted- <https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted-
auth.html>. Status information for this document may be found at auth.html>. Status information for this document may be found at
<https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted- <https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-
skipping to change at page 2, line 20 skipping to change at page 2, line 20
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 1, 2025. This Internet-Draft will expire on March 15, 2025.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 38 skipping to change at page 3, line 38
asks the client to provide authentication information, it is possible asks the client to provide authentication information, it is possible
for clients to send such information unprompted. This is for clients to send such information unprompted. This is
particularly useful in cases where an origin wants to offer a service particularly useful in cases where an origin wants to offer a service
or capability only to "those who know" while all others are given no or capability only to "those who know" while all others are given no
indication the service or capability exists. Such designs rely on an indication the service or capability exists. Such designs rely on an
externally-defined mechanism by which keys are distributed. For externally-defined mechanism by which keys are distributed. For
example, a company might offer remote employee access to company example, a company might offer remote employee access to company
services directly via its website using their employee credentials, services directly via its website using their employee credentials,
or offer access to limited special capabilities for specific or offer access to limited special capabilities for specific
employees, while making discovering (or probing for) such employees, while making discovering (or probing for) such
capabilities difficult. Members of less well-defined communities capabilities difficult. As another example, members of less well-
might use more ephemeral keys to acquire access to geography- or defined communities might use more ephemeral keys to acquire access
capability-specific resources, as issued by an entity whose user base to geography- or capability-specific resources, as issued by an
is larger than the available resources can support (by having that entity whose user base is larger than the available resources can
entity metering the availability of keys temporally or support (by having that entity metering the availability of keys
geographically). temporally or geographically).
While digital-signature-based HTTP authentication schemes already While digital-signature-based HTTP authentication schemes already
exist (e.g., [HOBA]), they rely on the origin explicitly sending a exist (e.g., [HOBA]), they rely on the origin explicitly sending a
fresh challenge to the client, to ensure that the signature input is fresh challenge to the client, to ensure that the signature input is
fresh. That makes the origin probeable as it sends the challenge to fresh. That makes the origin probeable as it sends the challenge to
unauthenticated clients. This document defines a new signature-based unauthenticated clients. This document defines a new signature-based
authentication scheme that is not probeable. authentication scheme that is not probeable.
1.1. Conventions and Definitions 1.1. Conventions and Definitions
skipping to change at page 4, line 20 skipping to change at page 4, line 20
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document uses the notation from Section 1.3 of [QUIC]. This document uses the notation from Section 1.3 of [QUIC].
2. The Concealed Authentication Scheme 2. The Concealed Authentication Scheme
This document defines the "Concealed" HTTP authentication scheme. It This document defines the "Concealed" HTTP authentication scheme. It
uses asymmetric cryptography. Clients possess a key ID and a public/ uses asymmetric cryptography. Clients possess a key ID and a public/
private key pair, and origin servers maintain a mapping of authorized private key pair, and origin servers maintain a mapping of authorized
key IDs to their associated public keys. key IDs to associated public keys.
The client uses a TLS keying material exporter to generate data to be The client uses a TLS keying material exporter to generate data to be
signed (see Section 3) then sends the signature using the signed (see Section 3) then sends the signature using the
Authorization or Proxy-Authorization header field. The signature and Authorization (or Proxy-Authorization) header field (see Section 11
additional information are exchanged using authentication parameters of [HTTP]). The signature and additional information are exchanged
(see Section 4). using authentication parameters (see Section 4). Once the server
receives these, it can check whether the signature validates against
an entry in its database of known keys. The server can then use the
validation result to influence its response to the client, for
example by restricting access to certain resources.
3. Client Handling 3. Client Handling
When a client wishes to uses the Concealed HTTP authentication scheme When a client wishes to use the Concealed HTTP authentication scheme
with a request, it SHALL compute the authentication proof using a TLS with a request, it SHALL compute the authentication proof using a TLS
keying material exporter with the following parameters: keying material exporter with the following parameters:
o the label is set to "EXPORTER-HTTP-Concealed-Authentication" o the label is set to "EXPORTER-HTTP-Concealed-Authentication"
o the context is set to the structure described in Section 3.1 o the context is set to the structure described in Section 3.1
o the exporter output length is set to 48 bytes (see Section 3.2) o the exporter output length is set to 48 bytes (see Section 3.2)
Note that TLS 1.3 keying material exporters are defined in Note that TLS 1.3 keying material exporters are defined in
skipping to change at page 8, line 16 skipping to change at page 8, line 16
concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" ) concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" )
concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0" concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0"
Figure 4: Authentication Parameter Value ABNF Figure 4: Authentication Parameter Value ABNF
4.1. The k Parameter 4.1. The k Parameter
The REQUIRED "k" (key ID) Parameter is a byte sequence that The REQUIRED "k" (key ID) Parameter is a byte sequence that
identifies which key the client wishes to use to authenticate. This identifies which key the client wishes to use to authenticate. This
can, for example, be used to point to an entry in a server-side is used by the backend to point to an entry in a server-side database
database of known keys. of known keys, see Section 6.3.
4.2. The a Parameter 4.2. The a Parameter
The REQUIRED "a" (public key) Parameter is a byte sequence that The REQUIRED "a" (public key) Parameter is a byte sequence that
specifies the public key used by the server to validate the signature specifies the public key used by the server to validate the signature
provided by the client. This avoids key confusion issues (see provided by the client. This avoids key confusion issues (see
[SEEMS-LEGIT]). The encoding of the public key is described in [SEEMS-LEGIT]). The encoding of the public key is described in
Section 3.1.1. Section 3.1.1.
4.3. The p Parameter 4.3. The p Parameter
skipping to change at page 14, line 4 skipping to change at page 14, line 4
Reference: This document Reference: This document
9.3. HTTP Field Name 9.3. HTTP Field Name
This document, if approved, requests IANA to register the following This document, if approved, requests IANA to register the following
entry in the "Hypertext Transfer Protocol (HTTP) Field Name" registry entry in the "Hypertext Transfer Protocol (HTTP) Field Name" registry
maintained at <<https://www.iana.org/assignments/http-fields/http- maintained at <<https://www.iana.org/assignments/http-fields/http-
fields.xhtml>>: fields.xhtml>>:
Field Name: Concealed-Auth-Export Field Name: Concealed-Auth-Export
Template: None
Status: permanent Status: permanent
Structured Type: Item
Template: None
Reference: This document Reference: This document
Comments: None Comments: None
10. References 10. References
10.1. Normative References 10.1. Normative References
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
skipping to change at page 16, line 31 skipping to change at page 16, line 31
"Seems Legit: Automated Analysis of Subtle Attacks on "Seems Legit: Automated Analysis of Subtle Attacks on
Protocols That Use Signatures", Protocols That Use Signatures",
DOI 10.1145/3319535.3339813, CCS '19: Proceedings of the DOI 10.1145/3319535.3339813, CCS '19: Proceedings of the
2019 ACM SIGSAC Conference on Computer and Communications 2019 ACM SIGSAC Conference on Computer and Communications
Security, pp. 2165-2180, 2019. Security, pp. 2165-2180, 2019.
Acknowledgments Acknowledgments
The authors would like to thank many members of the IETF community, The authors would like to thank many members of the IETF community,
as this document is the fruit of many hallway conversations. In as this document is the fruit of many hallway conversations. In
particular, the authors would like to thank David Benjamin, Nick particular, the authors would like to thank David Benjamin, Reese
Harper, Dennis Jackson, Ilari Liusvaara, Francois Michel, Lucas Enghardt, Nick Harper, Dennis Jackson, Ilari Liusvaara, Francois
Pardue, Justin Richer, Ben Schwartz, Martin Thomson, and Chris A. Michel, Lucas Pardue, Justin Richer, Ben Schwartz, Martin Thomson,
Wood for their reviews and contributions. The mechanism described in and Chris A. Wood for their reviews and contributions. The
this document was originally part of the first iteration of MASQUE mechanism described in this document was originally part of the first
[MASQUE-ORIGINAL]. iteration of MASQUE [MASQUE-ORIGINAL].
Authors' Addresses Authors' Addresses
David Schinazi David Schinazi
Google LLC Google LLC
1600 Amphitheatre Parkway 1600 Amphitheatre Parkway
Mountain View, CA 94043 Mountain View, CA 94043
United States of America United States of America
Email: dschinazi.ietf@gmail.com Email: dschinazi.ietf@gmail.com
 End of changes. 14 change blocks. 
26 lines changed or deleted 31 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/