Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove HMAC and switch to Authorization #2571

Merged
merged 4 commits into from
Jun 27, 2023
Merged

Remove HMAC and switch to Authorization #2571

Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b30544b
Remove HMAC and switch to Authorization
DavidSchinazi Jun 23, 2023
e3b611c
review comments from MT
DavidSchinazi Jun 23, 2023
a23f23f
Review comment from CAW
DavidSchinazi Jun 26, 2023
6ee37bb
Suggestion from MT
DavidSchinazi Jun 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
288 changes: 105 additions & 183 deletions draft-ietf-httpbis-unprompted-auth.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
---
title: HTTP Unprompted Authentication
title: The Signature HTTP Authentication Scheme
docname: draft-ietf-httpbis-unprompted-auth-latest
submissiontype: IETF
number:
Expand Down Expand Up @@ -55,47 +55,47 @@ informative:

--- abstract

Existing HTTP authentication mechanisms are probeable in the sense that it is
Existing HTTP authentication schemes are probeable in the sense that it is
DavidSchinazi marked this conversation as resolved.
Show resolved Hide resolved
possible for an unauthenticated client to probe whether an origin serves
resources that require authentication. It is possible for an origin to hide the
fact that it requires authentication by not generating Unauthorized status
codes, however that only works with non-cryptographic authentication schemes:
cryptographic schemes (such as signatures or message authentication codes)
require a fresh nonce to be signed, and there is no existing way for the origin
to share such a nonce without exposing the fact that it serves resources that
require authentication. This document proposes a new non-probeable cryptographic
authentication scheme.
cryptographic signatures require a fresh nonce to be signed, and there is no
existing way for the origin to share such a nonce without exposing the fact
that it serves resources that require authentication. This document proposes a
new non-probeable cryptographic authentication scheme.

--- middle

# Introduction {#introduction}

Existing HTTP authentication mechanisms (see {{Section 11 of !HTTP=RFC9110}})
are probeable in the sense that it is possible for an unauthenticated client to
Existing HTTP authentication schemes (see {{Section 11 of !HTTP=RFC9110}}) are
probeable in the sense that it is possible for an unauthenticated client to
probe whether an origin serves resources that require authentication. It is
possible for an origin to hide the fact that it requires authentication by not
generating Unauthorized status codes, however that only works with
non-cryptographic authentication schemes: cryptographic schemes (such as
signatures or message authentication codes) require a fresh nonce to be signed,
and there is no existing way for the origin to share such a nonce without
exposing the fact that it serves resources that require authentication. This
document proposes a new non-probeable cryptographic authentication scheme.

Unprompted Authentication serves use cases in which a site wants to offer a
service or capability only to "those who know" while all others are given no
indication the service or capability exists. The conceptual model is that of a
"speakeasy". "Knowing" is via an externally-defined mechanism by which keys
are distributed. For example, a company might offer remote employee access to
company services directly via its website using their employee credentials, or
offer access to limited special capabilities for specific employees, while
making discovering (probing for) such capabilities difficult. Members of
less well-defined communities might use more ephemeral keys to acquire access
to geography- or capability-specific resources, as issued by an entity whose
user base is larger than the available resources can support (by having that
entity metering the availability of keys temporally or geographically).
Unprompted Authentication is also useful for cases where a service provider
wants to distribute user-provisioning information for its resources without
exposing the provisioning location to non-users.
non-cryptographic authentication schemes: cryptographic signatures require a
fresh nonce to be signed, and there is no existing way for the origin to share
such a nonce without exposing the fact that it serves resources that require
authentication. This document proposes a new non-probeable cryptographic
authentication scheme.

The Signature HTTP authentication scheme serves use cases in which a site wants
to offer a service or capability only to "those who know" while all others are
given no indication the service or capability exists. The conceptual model is
that of a "speakeasy". "Knowing" is via an externally-defined mechanism by
which keys are distributed. For example, a company might offer remote employee
access to company services directly via its website using their employee
credentials, or offer access to limited special capabilities for specific
employees, while making discovering (probing for) such capabilities difficult.
Members of less well-defined communities might use more ephemeral keys to
acquire access to geography- or capability-specific resources, as issued by an
entity whose user base is larger than the available resources can support (by
having that entity metering the availability of keys temporally or
geographically). The Signature HTTP authentication scheme is also useful for
cases where a service provider wants to distribute user-provisioning
information for its resources without exposing the provisioning location to
non-users.

There are scenarios where servers may want to expose the fact that
authentication is required for access to specific resources. This is left for
Expand All @@ -109,129 +109,74 @@ This document uses the following terminology from {{Section 3 of
!STRUCTURED-FIELDS=RFC8941}} to specify syntax and parsing: Integer and Byte
Sequence.

# Computing the Authentication Proof {#compute-proof}
# The Signature Authentication Scheme

This document only defines the Signature and HMAC authentication schemes for
uses of HTTP with TLS {{!TLS=RFC8446}}. This includes any use of HTTP over TLS
as typically used for HTTP/2 {{H2}}, or HTTP/3 {{H3}} where the transport
protocol uses TLS as its authentication and key exchange mechanism
{{?QUIC-TLS=RFC9001}}.
This document defines the "Signature" HTTP authentication scheme. It uses
asymmetric cryptography. User agents possess a key ID and a public/private key
pair, and origin servers maintain a mapping of authorized key IDs to their
associated public keys.

The user agent leverages a TLS keying material exporter {{!KEY-EXPORT=RFC5705}}
to generate a nonce which can be signed using the chosen key. The keying
material exporter uses a label that starts with the characters
"EXPORTER-HTTP-Unprompted-Authentication-" (see {{schemes}} for the labels and
contexts used by each scheme). The TLS keying material exporter is used to
generate a 32-byte key which is then used as a nonce.
This authentication scheme is only defined for uses of HTTP with TLS
{{!TLS=RFC8446}}. This includes any use of HTTP over TLS as typically used for
HTTP/2 {{H2}}, or HTTP/3 {{H3}} where the transport protocol uses TLS as its
authentication and key exchange mechanism {{?QUIC-TLS=RFC9001}}.

Because the TLS keying material exporter is only secure for authentication when
it is uniquely bound to the TLS session {{!RFC7627}}, the Signature and HMAC
authentication schemes require either one of the following properties:
it is uniquely bound to the TLS session {{!RFC7627}}, the Signature
authentication scheme requires either one of the following properties:

* The TLS version in use is greater or equal to 1.3 {{TLS}}.
* The TLS version in use is greater or equal to 1.2 and the Extended
Master Secret extension {{RFC7627}} has been negotiated.

Clients MUST NOT use the Signature and HMAC authentication
schemes on connections that do not meet one of the two properties
above. If a server receives a request that uses these authentication
schemes on a connection that meets neither of the above properties,
the server MUST treat the request as malformed.
* The TLS version in use is 1.2 and the Extended Master Secret extension
{{RFC7627}} has been negotiated.

# Header Field Definition {#header-definition}
Clients MUST NOT use the Signature authentication scheme on connections that do
not meet one of the two properties above. If a server receives a request that
uses this authentication scheme on a connection that meets neither of the above
properties, the server MUST treat the request as malformed.

The "Unprompted-Authentication" header field allows a user agent to authenticate
with an origin server. The authentication is scoped to the HTTP request
associated with this header field. The value of the Unprompted-Authentication
header field is a credentials object, as defined in {{Section 11.4 of HTTP}}.
Credentials contain an authentication scheme followed by optional authentication
parameters.
# Computing the Authentication Proof {#compute-proof}

The user agent leverages a TLS keying material exporter {{!KEY-EXPORT=RFC5705}}
with the label "EXPORTER-HTTP-Signature-Authentication" to generate a 32-byte
symmetric key. That symmetric key is then used as nonce which can be signed
DavidSchinazi marked this conversation as resolved.
Show resolved Hide resolved
using the client's chosen asymmetric private key. The resulting signature is
then transmitted to the server using the Authorization field.

# Authentication Parameters

This specification defines the following authentication parameters, they can be
used by the authentication schemes defined in {{schemes}}.
This specification defines the following authentication parameters:
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You are using structured fields for the definitions of these, even though Authorization doesn't use SF. That's good, but I might take this opportunity to make this point.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think I agree with the idea but I'm not sure I see what you mean. Do you have thoughts on how best to make said point?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"These parameters use SF [RFC8941 (or -bis)] in their definition, though the Authorization field does not use SF."

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done


## The k Parameter {#parameter-k}

The OPTIONAL "k" (key ID) parameter is a byte sequence that identifies which key
The REQUIRED "k" (key ID) parameter is a byte sequence that identifies which key
the user agent wishes to use to authenticate. This can for example be used to
point to an entry into a server-side database of known keys.

## The p Parameter {#parameter-p}

The OPTIONAL "p" (proof) parameter is a byte sequence that specifies the proof
The REQUIRED "p" (proof) parameter is a byte sequence that specifies the proof
that the user agent provides to attest to possessing the credential that matches
its key ID.

## The s Parameter {#parameter-s}

The OPTIONAL "s" (signature) parameter is an integer that specifies the
signature algorithm used to compute the proof transmitted in the "p" directive.
Its value is an integer between 0 and 255 inclusive from the IANA "TLS
SignatureAlgorithm" registry maintained at
<[](https://www.iana.org/assignments/tls-parameters#tls-parameters-16)>.

## The h Parameter {#parameter-h}

The OPTIONAL "h" (hash) parameter is an integer that specifies the hash
algorithm used to compute the proof transmitted in the "p" directive. Its value
is an integer between 0 and 255 inclusive from the IANA "TLS HashAlgorithm"
registry maintained at
<[](https://www.iana.org/assignments/tls-parameters#tls-parameters-18)>.

# Authentication Schemes {#schemes}

This document defines the "Signature" and "HMAC" HTTP authentication schemes.

## Signature {#signature}

The "Signature" HTTP Authentication Scheme uses asymmetric cryptography.
User agents possess a key ID and a public/private key pair, and origin servers
maintain a mapping of authorized key IDs to their associated public keys. When
using this scheme, the "k", "p", and "s" parameters are REQUIRED. The TLS keying
material export label for this scheme is
"EXPORTER-HTTP-Unprompted-Authentication-Signature" and the associated context
is empty. The nonce is then signed using the selected asymmetric signature
algorithm and transmitted as the proof directive.
The REQUIRED "s" (signature) parameter is an integer that specifies the
signature scheme used to compute the proof transmitted in the "p" directive.
Its value is an integer between 0 and 65535 inclusive from the IANA "TLS
SignatureScheme" registry maintained at
<[](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-signaturescheme)>.

For example, the key ID "basement" authenticating using Ed25519
{{?ED25519=RFC8410}} could produce the following header field (lines are folded
to fit):

~~~
Unprompted-Authentication: Signature k=:YmFzZW1lbnQ=:;s=7;
Authorization: Signature k=:YmFzZW1lbnQ=:;s=2055;
p=:SW5zZXJ0IHNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo
aWNoIHRha2VzIDUxMiBiaXRzIGZvciBFZDI1NTE5IQ==:
~~~

## HMAC {#hmac}

The "HMAC" HTTP Authentication Scheme uses symmetric cryptography. User
agents possess a key ID and a secret key, and origin servers maintain a mapping
of authorized key IDs to their associated secret key. When using this scheme,
the "k", "p", and "h" parameters are REQUIRED. The TLS keying material export
label for this scheme is "EXPORTER-HTTP-Unprompted-Authentication-HMAC" and the
associated context is empty. The nonce is then HMACed using the selected HMAC
algorithm and transmitted as the proof directive.

For example, the key ID "basement" authenticating using HMAC-SHA-512
{{?SHA=RFC6234}} could produce the following header field (lines are folded to
fit):

~~~
Unprompted-Authentication: HMAC k=:YmFzZW1lbnQ=:;h=6;
p=:SW5zZXJ0IEhNQUMgb2Ygbm9uY2UgaGVyZSB3aGljaCB0YWtl
cyA1MTIgYml0cyBmb3IgU0hBLTUxMiEhISEhIQ==:
~~~

## Other HTTP Authentication Schemes

The HTTP Authentication Scheme registry maintained by IANA at
<[](https://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml)>
contains entries not defined in this document. Those entries MAY be used with
Unprompted Authentication.

# Server Handling

Servers that wish to introduce resources whose existence cannot be probed need
Expand All @@ -241,10 +186,10 @@ authentication failures with the exact same response that they would have used
for non-existent resources. For example, this can mean using HTTP status code
404 (Not Found) instead of 401 (Unauthorized). Such authentication failures
can be caused for example by:
* absence of the Unprompted-Authentication field
* failure to parse the Unprompted-Authentication field
* use of Unprompted Authentication with an unknown key ID
* failure to validate the signature or MAC.
* absence of the Authorization field
* failure to parse the Authorization field
* use of the Signature authentication scheme with an unknown key ID
* failure to validate the signature.

Such servers MUST also ensure that the timing of their request handling does
not leak any information. This can be accomplished by delaying responses to
Expand All @@ -253,10 +198,9 @@ verification is not observable.

# Intermediary Considerations {#intermediary}

Since the Signature and HMAC HTTP Authentication Schemes leverage TLS keying
material exporters, their output cannot be transparently forwarded by HTTP
intermediaries. HTTP intermediaries that support this specification have two
options:
Since the Signature HTTP authentication scheme leverages TLS keying material
exporters, its output cannot be transparently forwarded by HTTP intermediaries.
HTTP intermediaries that support this specification have two options:

* The intermediary can validate the authentication received from the client,
then inform the upstream HTTP server of the presence of valid authentication.
DavidSchinazi marked this conversation as resolved.
Show resolved Hide resolved
Expand All @@ -270,87 +214,65 @@ upstream HTTP server is out of scope for this document.

# Security Considerations {#security}

Unprompted Authentication allows a user agent to authenticate to an origin
server while guaranteeing freshness and without the need for the server
to transmit a nonce to the user agent. This allows the server to accept
The Signature HTTP authentication scheme allows a user agent to authenticate to
an origin server while guaranteeing freshness and without the need for the
server to transmit a nonce to the user agent. This allows the server to accept
authenticated clients without revealing that it supports or expects
authentication for some resources. It also allows authentication without
the user agent leaking the presence of authentication to observers due to
authentication for some resources. It also allows authentication without the
user agent leaking the presence of authentication to observers due to
clear-text TLS Client Hello extensions.

The authentication proofs described in this document are not bound to individual
HTTP requests; if the key is used for authentication proofs on multiple
requests they will all be identical. This allows for better compression when
sending over the wire, but implies that client implementations that multiplex
different security contexts over a single HTTP connection need to ensure that
those contexts cannot read each other's header fields. Otherwise, one context
would be able to replay the unprompted authentication header field of another.
This constraint is met by modern Web browsers. If an attacker were to compromise
the browser such that it could access another context's memory, the attacker
might also be able to access the corresponding key, so binding authentication to
requests would not provide much benefit in practice.

Key material used for authentication in unprompted authentication, whether
symmetric or asymmetric MUST NOT be reused in other protocols. Doing so can
undermine the security guarantees of the authentication.

Origins offering Unprompted Authentication are able to link requests that use
the same key for the Authentication Schemes provided. However, requests are
not linkable across origins if the keys used are specific to the individual
origins using Unprompted Authentication.
The authentication proofs described in this document are not bound to
individual HTTP requests; if the key is used for authentication proofs on
DavidSchinazi marked this conversation as resolved.
Show resolved Hide resolved
multiple requests on the same connection, they will all be identical. This
allows for better compression when sending over the wire, but implies that
client implementations that multiplex different security contexts over a single
HTTP connection need to ensure that those contexts cannot read each other's
header fields. Otherwise, one context would be able to replay the Authorization
header field of another. This constraint is met by modern Web browsers. If an
attacker were to compromise the browser such that it could access another
context's memory, the attacker might also be able to access the corresponding
key, so binding authentication to requests would not provide much benefit in
practice.

Key material used for the Signature HTTP authentication scheme MUST NOT be
reused in other protocols. Doing so can undermine the security guarantees of
the authentication.

Origins offering this scheme are able to link requests that use the same key.
DavidSchinazi marked this conversation as resolved.
Show resolved Hide resolved
DavidSchinazi marked this conversation as resolved.
Show resolved Hide resolved
However, requests are not linkable across origins if the keys used are specific
to the individual origins using this scheme.

# IANA Considerations {#iana}

## Unprompted-Authentication Header Field {#iana-header}

This document will request IANA to register the following entry in the "HTTP
Field Name" registry maintained at
<[](https://www.iana.org/assignments/http-fields)>:

Field Name:

: Unprompted-Authentication

Template:
## HTTP Authentication Schemes Registry {#iana-schemes}

: None
This document, if approved, requests IANA to register the following entry in
the "HTTP Authentication Schemes" Registry maintained at
<[](https://www.iana.org/assignments/http-authschemes)>:

Status:
Authentication Scheme Name:

: provisional (permanent if this document is approved)
: Signature

Reference:

: This document

Comments:
Notes:

: None
{: spacing="compact"}

## HTTP Authentication Schemes Registry {#iana-schemes}

This document, if approved, requests IANA to add two new entries to the
"HTTP Authentication Schemes" Registry maintained at
<[](https://www.iana.org/assignments/http-authschemes)>.
Both entries have the Reference set to this document, and the Notes empty.
The Authentication Scheme Name of the entries are:

* Signature

* HMAC

## TLS Keying Material Exporter Labels {#iana-exporter-label}

This document, if approved, requests IANA to register the following entries in
This document, if approved, requests IANA to register the following entry in
the "TLS Exporter Labels" registry maintained at
<[](https://www.iana.org/assignments/tls-parameters#exporter-labels)>:

* EXPORTER-HTTP-Unprompted-Authentication-Signature

* EXPORTER-HTTP-Unprompted-Authentication-HMAC
Value:

Both of these entries are listed with the following qualifiers:
: EXPORTER-HTTP-Signature-Authentication

DTLS-OK:

Expand Down