Network Working Group Johansson
Internet-Draft SU
Intended status: Standards Track November 18, 2007
Expires: May 21, 2008
Channel bindings for HTTP+TLS transport
draft-johansson-http-tls-cb-02
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on May 21, 2008.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Johansson Expires May 21, 2008 [Page 1]
Internet-Draft http-cbindings November 2007
Abstract
This document specifies a channel concept for HTTP with TLS and a
representation of that channel which can be used by protocols which
use channel bindings to delegate session protection to lower layers.
Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Introduction and motivation . . . . . . . . . . . . . . . . . 4
3. The HTTP+TLS Channel . . . . . . . . . . . . . . . . . . . . . 5
4. Discovery of the channel-bindings-proxy . . . . . . . . . . . 6
5. The Channel-Bindings-Proxy header . . . . . . . . . . . . . . 7
6. The Channel-Identifier header . . . . . . . . . . . . . . . . 8
7. Security Considerations . . . . . . . . . . . . . . . . . . . 10
8. Notes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
10. Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
10.1. 01 to 02 . . . . . . . . . . . . . . . . . . . . . . . . 13
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
11.1. Normative References . . . . . . . . . . . . . . . . . . 14
11.2. Informative References . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 15
Intellectual Property and Copyright Statements . . . . . . . . . . 16
Johansson Expires May 21, 2008 [Page 2]
Internet-Draft http-cbindings November 2007
1. Terminology
The keywords "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD NOT"
and "MAY" that appear in this document are to be interpreted as
described in [RFC2119]
Johansson Expires May 21, 2008 [Page 3]
Internet-Draft http-cbindings November 2007
2. Introduction and motivation
For good or bad, several protocols use HTTP (or close approximations
as in the case of [RFC2910]) as a transport mechanisms and often rely
on [RFC2817] or [RFC2818] to provide security. Common security
requirements include authentication of the service, of the client and
protection of the session. It is not always appropriate to meet
these requirements using the same technology. For instance, the use
of certificates to authenticate users may be inefficient in an
enviroment where [RFC4120] is widely deployed while at the same time
certificates may be suitable for authenticating the service.
Channel bindings described in [RFC5056] provide a mechanism for
delegating session protection to a secure channel at a lower layer.
In this case the lower layer is HTTP with TLS either using [RFC2817]
or [RFC2818]. This document specifies this channel concept in a form
which makes it usable to upper layer protocols which can consume
channel bindings.
Johansson Expires May 21, 2008 [Page 4]
Internet-Draft http-cbindings November 2007
3. The HTTP+TLS Channel
In general an HTTP connection consists of a series of (non-proxied)
HTTP connections between a client, through a series of client-proxies
with a server. The server may also use proxies (for instance
concentrators) but that fact does not affect this specification.
Each client/proxy in the chain either knows that the next hop is
another proxy (by virtue of configuration or discovery) or has no
knowledge of another proxy in which case the next hop in the chain by
definition is the target endpoint or an imposter impersonating the
target endpoint.
The following figure illustrates the general case:
C --> P0 --> P1 ===> SP --> S
Here C is the client and S is the server. In between, P0 and P1
represents client proxies and SP represents a server SSL concentrator
(i.e. a server proxy). Both protected (TLS) and unprotected
connections may occur. In this figure the connection between P1 and
SP has been emphasized for reasons which will be explained below.
An HTTP+TLS channel is defined as an HTTP connection where at least
the connection from the last client proxy to the target endpoint uses
TLS either through [RFC2818] or [RFC2817]. The last client proxy is
called the channel-binding-proxy and is given a special role in this
specification. Note that in the non-proxied case an HTTP+TLS channel
is just a normal TLS-protected HTTP connection. This document
specifies a way to identify such channels for the purpouse of channel
bindings.
In the example case the connection representing the channel to be
identified is the one illustrated by the second (===>) arrow from the
left.. This is the link which leaves the client proxy chain and
hence leaves the client trust domain. The channel-binding-proxy in
this case would be P1.
In order to be used by protocols consuming channel bindings, an HTTP+
TLS channel must be identified by a value which can be observed by
the client or the channel-binding-proxy on behalf of the client.
The identifier for the channel is defined to be the hash of the
endpoint certificate using the digest algorithm from the certificate,
also known as a certificate fingerprint. In the non-proxied case the
client has direct access to the endpoint certificate and can compute
the fingerprint. In the general case the channel-binding-proxy has
access to the certifiate and is able to communicate it to the client.
Johansson Expires May 21, 2008 [Page 5]
Internet-Draft http-cbindings November 2007
4. Discovery of the channel-bindings-proxy
It is desirable for a client to be able to discover the existence of
a channel-bindings-proxy somewhere in its proxy-chain. In order to
accomplish this the client needs a method to inquire the the first
proxy in the chain if it knows if there is a channel-binding-proxy in
the chain. By either forwarding the request or (if the proxy is a
channel-bindings-proxy or has no knowledge about an upstream proxy)
answering it the proxy can inform the client about the existence or
absense of a channel-bindings-proxy in the chain.
Unfortunately this client-request cannot be implemented using a
request-header since there are no widely implemented request-headers
which are handled by proxies except for the Proxy-Authentication and
Proxy-Authorization headers which are not possible to reuse for this
application.
Instead the OPTIONS verb is used in the following way: The client
sends an OPTIONS request for the Request-URI "*" as per [RFC2616]
section 9.2 with Max-Forwards set to "0". As specified in [RFC2616]
a proxy is required to respond to this message itself rather than
forward it upstream. A proxy implementing this specification that is
configured as a channel-bindings-proxy MUST include a Channel-
Bindings-Proxy header (cf below) in the response. Each proxy sitting
between the client and the channel-bindings-proxy MUST re-issue any
OPTIONS request received this awy and include any Channel-Identifier
header received in the response-message to the client/proxy. Upon
receipt of the (final) response-message the client may (if the
message contains a Channel-Bindings-Proxy header) assume that the
proxy-chain contains a channel-bindings-proxy implementing this
specification.
Note well that this mechanism does not violate the intent of the
treatment of the Max-Forwards since the semantics of the Channel-
Bindings-Proxy is that the proxy has knowledge about a channel-
bindings-proxy somewhere in the proxy-chain (including the proxy
itself).
Johansson Expires May 21, 2008 [Page 6]
Internet-Draft http-cbindings November 2007
5. The Channel-Bindings-Proxy header
Information about the channel-bindings-proxy used in the discovery
process described above is represented by new the HTTP/1.1 header
'Channel-Bindings-Proxy' which contains the hostname of the channel-
bindings-proxy.
Johansson Expires May 21, 2008 [Page 7]
Internet-Draft http-cbindings November 2007
6. The Channel-Identifier header
An HTTP+TLS channel is represented as a new HTTP/1.1 header 'Channel-
Identifier' which contains the representation of the HTTP+TLS
channel. The 'Channel-Identifier' header has the following syntax in
Augmented BNF defined in [RFC2616]:
channel-identifier = hash-function *(SP channel-value)
hash-function = token
channel-value = 2HEX *(":" 2HEX)
; a hex-encoded sequence of bytes
; separated by colons of length > 0
The definitions of HEX, token and SP are taken from [RFC2616].
An HTTP proxy implementing this specification MUST NOT modify the
Channel-Identifier header unless explicitly configured to act as a
channel-bindings-proxy. A proxy configured as a channel-bindings-
proxy MUST for each TLS-protected HTTP connection add the Channel-
Identifier header to each received response-message.
A client implementing this specification MUST NOT accept or use the
Channel-Identifier header unless it has established that the proxy-
chain ends in a channel-bindings-proxy. Clients MUST support manual
configuration for the existence of a channel-bindings-proxy and
SHOULD support discovery as specified in the previous section. Other
mechanisms for discovering the existance of a channel-bindings-proxiy
may be specified in the future.
The client MUST NOT assume knowledge about which proxy is acting as
the channel-bindings-proxy. If the client does not have a proxy the
client may compute the Channel-Identifier header value given direct
access to the endpoint certificate. The client MUST NOT compute or
use the Channel-Identifier header value if it has a known proxy-chain
which does not include a channel-bindings-proxy.
When a client receives a reply message with a Channel-Identifier
header the client may use this as input to an upper-layer
authentication protocol which consumes channel-bindings. This means
that if the Channel-Identifier header changes the upper-layer
protocol will detect this change as a man-in-the middle attack and
the client MUST terminate the connection to the server. Clients MAY
cache channel-identifier/endpoint pairs.
The first time a client communicates with a target endpoint it has no
channel-identifier to bind authentication protocols to. In several
situations the first communication between a client and a server
results in an authentication mechanism negotiation challange from the
Johansson Expires May 21, 2008 [Page 8]
Internet-Draft http-cbindings November 2007
server at which point the channel-binding-proxy (or the client
itself) will have a channel-identifier to use for the first
authentication mechanism challenge.
If the client has a cached channel-identifier for an endpoint the
client SHOULD include the Channel-Identifier header in each outgoing
request. This gives the channel-binding-proxy the oportunity to
determine if response packets contain a forged channel-identifier and
may decide to terminate such connections at the proxy.
Johansson Expires May 21, 2008 [Page 9]
Internet-Draft http-cbindings November 2007
7. Security Considerations
There are several situations when the client has no knowledge of
proxies intercepting traffic. Such proxies are essentially man-in-
the-middle attacks but are also in many cases implicitly part of the
trust-domain of the client. In the case when the hidden proxy sits
between the client and the channel-bindings-proxy and does not alter
the Channel-Identifier header it does not matter. In deployments
where the last client proxy does not support the channel-bindings-
proxy feature it may be necessary to add another proxy outside this
proxy which can act as the channel-bindings-proxy.
The basic principle of the Channel-Bindings header is that it
contains data which is either observed and verified or computed by a
trusted proxy between the client and server. By replacing this
header value another proxy effectively moves the endpoint of the
channel. By using the header value as channel binding data for upper
layer authentication protocols the client effectively trusts the
proxy setting the value.
It is very imporant that a proxy configured to act as a channel-
bindings-proxy actually sets the Channel-Identifier header. A rogue
or non-functional channel-bindings-proxy which announces the channel-
bindings-feature but fails to provide or even filter-out the header
will make the client vulnerable to attack. Clients mayll wish to use
proxy authentication to identify trusted proxies.
Johansson Expires May 21, 2008 [Page 10]
Internet-Draft http-cbindings November 2007
8. Notes
What about TLS mechs besides X.509? This "only" requires finding
something which corresponds to the certificate fingerprint: i.e
something which can be computed by the client and the server together
or observed independently by the client.
Johansson Expires May 21, 2008 [Page 11]
Internet-Draft http-cbindings November 2007
9. IANA Considerations
Allocating the Channel-Identifier header.
Johansson Expires May 21, 2008 [Page 12]
Internet-Draft http-cbindings November 2007
10. Changes
10.1. 01 to 02
Changed from ABNF to Augmented BNF to align with [RFC2616].
Johansson Expires May 21, 2008 [Page 13]
Internet-Draft http-cbindings November 2007
11. References
11.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2616] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", RFC 2616, June 1999.
[RFC2817] Khare, R. and S. Lawrence, "Upgrading to TLS Within
HTTP/1.1", RFC 2817, May 2000.
[RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, May 2000.
[RFC4234] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 4234, October 2005.
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, November 2007.
11.2. Informative References
[RFC2910] Herriot, R., Butler, S., Moore, P., Turner, R., and J.
Wenn, "Internet Printing Protocol/1.1: Encoding and
Transport", RFC 2910, September 2000.
[RFC4120] Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
Kerberos Network Authentication Service (V5)", RFC 4120,
July 2005.
Johansson Expires May 21, 2008 [Page 14]
Internet-Draft http-cbindings November 2007
Author's Address
Leif Johansson
Stockholm university
Email: leifj@it.su.se
URI: http://www.su.se/
Johansson Expires May 21, 2008 [Page 15]
Internet-Draft http-cbindings November 2007
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in BCP 78, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgment
Funding for the RFC Editor function is provided by the IETF
Administrative Support Activity (IASA).
Johansson Expires May 21, 2008 [Page 16]