draft-ietf-httpbis-unprompted-auth-06.txt   draft-ietf-httpbis-unprompted-auth-latest.txt 
HTTPBIS Working Group D. Schinazi HTTPBIS Working Group D. Schinazi
Internet-Draft Google LLC Internet-Draft Google LLC
Intended status: Standards Track D. Oliver Intended status: Standards Track D. Oliver
Expires: July 27, 2024 Guardian Project Expires: November 29, 2024 Guardian Project
J. Hoyland J. Hoyland
Cloudflare Inc. Cloudflare Inc.
January 24, 2024 May 28, 2024
The Signature HTTP Authentication Scheme The Concealed HTTP Authentication Scheme
draft-ietf-httpbis-unprompted-auth-06 draft-ietf-httpbis-unprompted-auth-latest
Abstract Abstract
Existing HTTP authentication schemes are probeable in the sense that Most HTTP authentication schemes are probeable in the sense that it
it is possible for an unauthenticated client to probe whether an is possible for an unauthenticated client to probe whether an origin
origin serves resources that require authentication. It is possible serves resources that require authentication. It is possible for an
for an origin to hide the fact that it requires authentication by not origin to hide the fact that it requires authentication by not
generating Unauthorized status codes, however that only works with generating Unauthorized status codes, however that only works with
non-cryptographic authentication schemes: cryptographic signatures non-cryptographic authentication schemes: cryptographic signatures
require a fresh nonce to be signed, and there is no existing way for require a fresh nonce to be signed. At the time of writing, there
the origin to share such a nonce without exposing the fact that it was no existing way for the origin to share such a nonce without
serves resources that require authentication. This document proposes exposing the fact that it serves resources that require
a new non-probeable cryptographic authentication scheme. authentication. This document proposes a new non-probeable
cryptographic authentication scheme.
About This Document About This Document
This note is to be removed before publishing as an RFC. This note is to be removed before publishing as an RFC.
The latest revision of this draft can be found at The latest revision of this draft can be found at
<https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted- <https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted-
auth.html>. Status information for this document may be found at auth.html>. Status information for this document may be found at
<https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted- <https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-
auth/>. auth/>.
skipping to change at page 2, line 15 skipping to change at page 2, line 20
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 27, 2024. This Internet-Draft will expire on November 29, 2024.
Copyright Notice Copyright Notice
Copyright (c) 2024 IETF Trust and the persons identified as the Copyright (c) 2024 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Conventions and Definitions . . . . . . . . . . . . . . . 3 1.1. Conventions and Definitions . . . . . . . . . . . . . . . 4
2. The Signature Authentication Scheme . . . . . . . . . . . . . 4 2. The Concealed Authentication Scheme . . . . . . . . . . . . . 4
3. TLS Usage . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Client Handling . . . . . . . . . . . . . . . . . . . . . . . 4
4. Computing the Authentication Proof . . . . . . . . . . . . . 4 3.1. Key Exporter Context . . . . . . . . . . . . . . . . . . 4
4.1. Key Exporter Context . . . . . . . . . . . . . . . . . . 5 3.2. Key Exporter Output . . . . . . . . . . . . . . . . . . . 6
4.2. Key Exporter Output . . . . . . . . . . . . . . . . . . . 6 3.3. Signature Computation . . . . . . . . . . . . . . . . . . 7
4.3. Signature Computation . . . . . . . . . . . . . . . . . . 7 4. Authentication Parameters . . . . . . . . . . . . . . . . . . 7
5. Authentication Parameters . . . . . . . . . . . . . . . . . . 7 4.1. The k Parameter . . . . . . . . . . . . . . . . . . . . . 8
5.1. The k Parameter . . . . . . . . . . . . . . . . . . . . . 8 4.2. The a Parameter . . . . . . . . . . . . . . . . . . . . . 8
5.2. The a Parameter . . . . . . . . . . . . . . . . . . . . . 8 4.3. The p Parameter . . . . . . . . . . . . . . . . . . . . . 8
5.3. The p Parameter . . . . . . . . . . . . . . . . . . . . . 8 4.4. The s Parameter . . . . . . . . . . . . . . . . . . . . . 8
5.4. The s Parameter . . . . . . . . . . . . . . . . . . . . . 8 4.5. The v Parameter . . . . . . . . . . . . . . . . . . . . . 8
5.5. The v Parameter . . . . . . . . . . . . . . . . . . . . . 8 5. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
6. Example . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 6. Server Handling . . . . . . . . . . . . . . . . . . . . . . . 9
7. Non-Probeable Server Handling . . . . . . . . . . . . . . . . 9 6.1. Frontend Handling . . . . . . . . . . . . . . . . . . . . 9
8. Intermediary Considerations . . . . . . . . . . . . . . . . . 10 6.2. Communication between Frontend and Backend . . . . . . . 10
9. Security Considerations . . . . . . . . . . . . . . . . . . . 10 6.3. Backend Handling . . . . . . . . . . . . . . . . . . . . 10
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 11 6.4. Non-Probeable Server Handling . . . . . . . . . . . . . . 11
10.1. HTTP Authentication Schemes Registry . . . . . . . . . . 11 7. Requirements on TLS Usage . . . . . . . . . . . . . . . . . . 12
10.2. TLS Keying Material Exporter Labels . . . . . . . . . . 11 8. Security Considerations . . . . . . . . . . . . . . . . . . . 12
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13
11.1. Normative References . . . . . . . . . . . . . . . . . . 12 9.1. HTTP Authentication Schemes Registry . . . . . . . . . . 13
11.2. Informative References . . . . . . . . . . . . . . . . . 13 9.2. TLS Keying Material Exporter Labels . . . . . . . . . . . 13
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 14 9.3. HTTP Field Name . . . . . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 14
10.1. Normative References . . . . . . . . . . . . . . . . . . 14
10.2. Informative References . . . . . . . . . . . . . . . . . 15
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 16
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
HTTP authentication schemes (see Section 11 of [HTTP]) allow origins HTTP authentication schemes (see Section 11 of [HTTP]) allow origins
to restrict access for some resources to only authenticated requests. to restrict access for some resources to only authenticated requests.
While these schemes commonly involve a challenge where the origin While these schemes commonly involve a challenge where the origin
asks the client to provide authentication information, it is possible asks the client to provide authentication information, it is possible
for clients to send such information unprompted. This is for clients to send such information unprompted. This is
particularly useful in cases where an origin wants to offer a service particularly useful in cases where an origin wants to offer a service
or capability only to "those who know" while all others are given no or capability only to "those who know" while all others are given no
indication the service or capability exists. Such designs rely on an indication the service or capability exists. Such designs rely on an
externally-defined mechanism by which keys are distributed. For externally-defined mechanism by which keys are distributed. For
example, a company might offer remote employee access to company example, a company might offer remote employee access to company
services directly via its website using their employee credentials, services directly via its website using their employee credentials,
or offer access to limited special capabilities for specific or offer access to limited special capabilities for specific
employees, while making discovering (probing for) such capabilities employees, while making discovering (or probing for) such
difficult. Members of less well-defined communities might use more capabilities difficult. Members of less well-defined communities
ephemeral keys to acquire access to geography- or capability-specific might use more ephemeral keys to acquire access to geography- or
resources, as issued by an entity whose user base is larger than the capability-specific resources, as issued by an entity whose user base
available resources can support (by having that entity metering the is larger than the available resources can support (by having that
availability of keys temporally or geographically). entity metering the availability of keys temporally or
geographically).
While digital-signature-based HTTP authentication schemes already While digital-signature-based HTTP authentication schemes already
exist ([HOBA]), they rely on the origin explicitly sending a fresh exist (e.g., [HOBA]), they rely on the origin explicitly sending a
challenge to the client, to ensure that the signature input is fresh. fresh challenge to the client, to ensure that the signature input is
That makes the origin probeable as it send the challenge to fresh. That makes the origin probeable as it sends the challenge to
unauthenticated clients. This document defines a new signature-based unauthenticated clients. This document defines a new signature-based
authentication scheme that is not probeable. authentication scheme that is not probeable.
1.1. Conventions and Definitions 1.1. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here. capitals, as shown here.
This document uses the notation from Section 1.3 of [QUIC]. This document uses the notation from Section 1.3 of [QUIC].
2. The Signature Authentication Scheme 2. The Concealed Authentication Scheme
This document defines the "Signature" HTTP authentication scheme. It This document defines the "Concealed" HTTP authentication scheme. It
uses asymmetric cryptography. User agents possess a key ID and a uses asymmetric cryptography. Clients possess a key ID and a public/
public/private key pair, and origin servers maintain a mapping of private key pair, and origin servers maintain a mapping of authorized
authorized key IDs to their associated public keys. key IDs to their associated public keys.
The client uses a TLS keying material exporter to generate data to be The client uses a TLS keying material exporter to generate data to be
signed (see Section 4) then sends the signature using the signed (see Section 3) then sends the signature using the
Authorization or Proxy-Authorization header field. The signature and Authorization or Proxy-Authorization header field. The signature and
additional information are exchanged using authentication parameters additional information are exchanged using authentication parameters
(see Section 5). (see Section 4).
3. TLS Usage
This authentication scheme is only defined for uses of HTTP with TLS
[TLS]. This includes any use of HTTP over TLS as typically used for
HTTP/2 [H2], or HTTP/3 [H3] where the transport protocol uses TLS as
its authentication and key exchange mechanism [QUIC-TLS].
Because the TLS keying material exporter is only secure for
authentication when it is uniquely bound to the TLS session
[RFC7627], the Signature authentication scheme requires either one of
the following properties:
o The TLS version in use is greater or equal to 1.3 [TLS].
o The TLS version in use is 1.2 and the Extended Master Secret
extension [RFC7627] has been negotiated.
Clients MUST NOT use the Signature authentication scheme on
connections that do not meet one of the two properties above. If a
server receives a request that uses this authentication scheme on a
connection that meets neither of the above properties, the server
MUST treat the request as malformed.
4. Computing the Authentication Proof 3. Client Handling
The user agent computes the authentication proof using a TLS keying When a client wishes to uses the Concealed HTTP authentication scheme
material exporter [KEY-EXPORT] with the following parameters: with a request, it SHALL compute the authentication proof using a TLS
keying material exporter [KEY-EXPORT] with the following parameters:
o the label is set to "EXPORTER-HTTP-Signature-Authentication" o the label is set to "EXPORTER-HTTP-Concealed-Authentication"
o the context is set to the structure described in Section 4.1 o the context is set to the structure described in Section 3.1
o the exporter output length is set to 48 bytes (see Section 4.2) o the exporter output length is set to 48 bytes (see Section 3.2)
4.1. Key Exporter Context 3.1. Key Exporter Context
The TLS key exporter context is described in Figure 1: The TLS key exporter context is described in Figure 1:
Signature Algorithm (16), Signature Algorithm (16),
Key ID Length (i), Key ID Length (i),
Key ID (..), Key ID (..),
Public Key Length (i), Public Key Length (i),
Public Key (..), Public Key (..),
Scheme Length (i), Scheme Length (i),
Scheme (..), Scheme (..),
skipping to change at page 5, line 27 skipping to change at page 5, line 23
Host (..), Host (..),
Port (16), Port (16),
Realm Length (i), Realm Length (i),
Realm (..), Realm (..),
Figure 1: Key Exporter Context Format Figure 1: Key Exporter Context Format
The key exporter context contains the following fields: The key exporter context contains the following fields:
Signature Algorithm: The signature scheme sent in the "s" Parameter Signature Algorithm: The signature scheme sent in the "s" Parameter
(see Section 5.4). (see Section 4.4).
Key ID: The key ID sent in the "k" Parameter (see Section 5.1). Key ID: The key ID sent in the "k" Parameter (see Section 4.1).
Public Key: The public key used by the server to validate the Public Key: The public key used by the server to validate the
signature provided by the client (the encoding is described signature provided by the client (the encoding is described
below). below).
Scheme: The scheme for this request, encoded using the format of the Scheme: The scheme for this request, encoded using the format of the
scheme portion of a URI as defined in Section 3.1 of [URI]. scheme portion of a URI as defined in Section 3.1 of [URI].
Host: The host for this request, encoded using the format of the Host: The host for this request, encoded using the format of the
host portion of a URI as defined in Section 3.2.2 of [URI]. host portion of a URI as defined in Section 3.2.2 of [URI].
Port: The port for this request, encoded in network byte order. Port: The port for this request, encoded in network byte order.
Note that the port is either included in the URI, or is the Note that the port is either included in the URI, or is the
default port for the scheme in use; see Section 3.2.3 of [URI]. default port for the scheme in use; see Section 3.2.3 of [URI].
Realm: The real of authentication that is sent in the realm Realm: The realm of authentication that is sent in the realm
authentication parameter (Section 11.5 of [HTTP]). If the realm authentication parameter (Section 11.5 of [HTTP]). If the realm
authentication parameter is not present, this SHALL be empty. authentication parameter is not present, this SHALL be empty.
This document does not define a means for the origin to This document does not define a means for the origin to
communicate a realm to the client. If a client is not configured communicate a realm to the client. If a client is not configured
to use a specific realm, it SHALL use an empty realm and SHALL NOT to use a specific realm, it SHALL use an empty realm and SHALL NOT
send the realm authentication parameter. send the realm authentication parameter.
The Signature Algorithm and Port fields are encoded as unsigned The Signature Algorithm and Port fields are encoded as unsigned
16-bit integers in network byte order. The Key ID, Public Key, 16-bit integers in network byte order. The Key ID, Public Key,
Scheme, Host, and Real fields are length prefixed strings; they are Scheme, Host, and Realm fields are length prefixed strings; they are
preceded by a Length field that represents their length in bytes. preceded by a Length field that represents their length in bytes.
These length fields are encoded using the variable-length integer These length fields are encoded using the variable-length integer
encoding from Section 16 of [QUIC] and MUST be encoded in the minimum encoding from Section 16 of [QUIC] and MUST be encoded in the minimum
number of bytes necessary. number of bytes necessary.
The encoding of the public key is determined by the Signature The encoding of the public key is determined by the Signature
Algorithm in use as follows: Algorithm in use as follows:
RSASSA-PSS algorithms: The public key is an RSAPublicKey structure RSASSA-PSS algorithms: The public key is an RSAPublicKey structure
[PKCS1] encoded in DER [X.690]. BER encodings which are not DER [PKCS1] encoded in DER [X.690]. BER encodings which are not DER
MUST be rejected. MUST be rejected.
skipping to change at page 6, line 30 skipping to change at page 6, line 26
ECDSA algorithms: The public key is a ECDSA algorithms: The public key is a
UncompressedPointRepresentation structure defined in UncompressedPointRepresentation structure defined in
Section 4.2.8.2 of [TLS], using the curve specified by the Section 4.2.8.2 of [TLS], using the curve specified by the
SignatureScheme. SignatureScheme.
EdDSA algorithms: The public key is the byte string encoding defined EdDSA algorithms: The public key is the byte string encoding defined
in [EdDSA]. in [EdDSA].
This document does not define the public key encodings for other This document does not define the public key encodings for other
algorithms. In order for a SignatureScheme to be usable with the algorithms. In order for a SignatureScheme to be usable with the
Signature HTTP authentication scheme, its public key encoding needs Concealed HTTP authentication scheme, its public key encoding needs
to be defined in a corresponding document. to be defined in a corresponding document.
4.2. Key Exporter Output 3.2. Key Exporter Output
The key exporter output is 48 bytes long. Of those, the first 32 The key exporter output is 48 bytes long. Of those, the first 32
bytes are part of the input to the signature and the next 16 bytes bytes are part of the input to the signature and the next 16 bytes
are sent alongside the signature. This allows the recipient to are sent alongside the signature. This allows the recipient to
confirm that the exporter produces the right values. This is confirm that the exporter produces the right values. This is
described in Figure 2: described in Figure 2:
Signature Input (256), Signature Input (256),
Verification (128), Verification (128),
Figure 2: Key Exporter Output Format Figure 2: Key Exporter Output Format
The key exporter context contains the following fields: The key exporter context contains the following fields:
Signature Input: This is part of the data signed using the client's Signature Input: This is part of the data signed using the client's
chosen asymmetric private key (see Section 4.3). chosen asymmetric private key (see Section 3.3).
Verification: The verification is transmitted to the server using Verification: The verification is transmitted to the server using
the v Parameter (see Section 5.5). the v Parameter (see Section 4.5).
4.3. Signature Computation 3.3. Signature Computation
Once the Signature Input has been extracted from the key exporter Once the Signature Input has been extracted from the key exporter
output (see Section 4.2), it is prefixed with static data before output (see Section 3.2), it is prefixed with static data before
being signed to mitigate issues caused by key reuse. The signature being signed to mitigate issues caused by key reuse. The signature
is computed over the concatenation of: is computed over the concatenation of:
o A string that consists of octet 32 (0x20) repeated 64 times o A string that consists of octet 32 (0x20) repeated 64 times
o The context string "HTTP Signature Authentication" o The context string "HTTP Concealed Authentication"
o A single 0 byte which serves as a separator o A single 0 byte which serves as a separator
o The Signature Input extracted from the key exporter output (see o The Signature Input extracted from the key exporter output (see
Section 4.2) Section 3.2)
For example, if the Signature Input has all its 32 bytes set to 01, For example, if the Signature Input has all its 32 bytes set to 01,
the content covered by the signature (in hexadecimal format) would the content covered by the signature (in hexadecimal format) would
be: be:
2020202020202020202020202020202020202020202020202020202020202020 2020202020202020202020202020202020202020202020202020202020202020
2020202020202020202020202020202020202020202020202020202020202020 2020202020202020202020202020202020202020202020202020202020202020
48545450205369676E61747572652041757468656E7469636174696F6E 48545450205369676E61747572652041757468656E7469636174696F6E
00 00
0101010101010101010101010101010101010101010101010101010101010101 0101010101010101010101010101010101010101010101010101010101010101
Figure 3: Example Content Covered by Signature Figure 3: Example Content Covered by Signature
This constructions mirrors that of the TLS 1.3 CertificateVerify This constructions mirrors that of the TLS 1.3 CertificateVerify
message defined in Section 4.4.3 of [TLS]. message defined in Section 4.4.3 of [TLS].
The resulting signature is then transmitted to the server using the The resulting signature is then transmitted to the server using the
"p" Parameter (see Section 5.3). "p" Parameter (see Section 4.3).
5. Authentication Parameters 4. Authentication Parameters
This specification defines the following authentication parameters. This specification defines the following authentication parameters.
All of the byte sequences below are encoded using base64url (see All of the byte sequences below are encoded using base64url (see
Section 5 of [BASE64]) without quotes and without padding. In other Section 5 of [BASE64]) without quotes and without padding. In other
words, these byte sequence authentication parameters values MUST NOT words, these byte sequence authentication parameters values MUST NOT
include any characters other then ASCII letters, digits, dash and include any characters other then ASCII letters, digits, dash and
underscore. underscore.
The integer below is encoded without a minus and without leading The integer below is encoded without a minus and without leading
zeroes. In other words, the integer authentication parameters value zeroes. In other words, the integer authentication parameters value
MUST NOT include any characters other than digits, and MUST NOT start MUST NOT include any characters other than digits, and MUST NOT start
with a zero unless the full value is "0". with a zero unless the full value is "0".
Using the syntax from [ABNF]: Using the syntax from [ABNF]:
signature-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" ) concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" )
signature-integer-param-value = %x31-39 1*4( DIGIT ) / "0" concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0"
Figure 4: Authentication Parameter Value ABNF Figure 4: Authentication Parameter Value ABNF
5.1. The k Parameter 4.1. The k Parameter
The REQUIRED "k" (key ID) parameter is a byte sequence that The REQUIRED "k" (key ID) parameter is a byte sequence that
identifies which key the user agent wishes to use to authenticate. identifies which key the client wishes to use to authenticate. This
This can for example be used to point to an entry into a server-side can for example be used to point to an entry into a server-side
database of known keys. database of known keys.
5.2. The a Parameter 4.2. The a Parameter
The REQUIRED "a" (public key) parameter is a byte sequence that The REQUIRED "a" (public key) parameter is a byte sequence that
contains the public key used by the server to validate the signature contains the public key used by the server to validate the signature
provided by the client. This avoids key confusion issues (see provided by the client. This avoids key confusion issues (see
[SEEMS-LEGIT]). The encoding of the public key is described in [SEEMS-LEGIT]). The encoding of the public key is described in
Section 4.1. Section 3.1.
5.3. The p Parameter 4.3. The p Parameter
The REQUIRED "p" (proof) parameter is a byte sequence that specifies The REQUIRED "p" (proof) parameter is a byte sequence that specifies
the proof that the user agent provides to attest to possessing the the proof that the client provides to attest to possessing the
credential that matches its key ID. credential that matches its key ID.
5.4. The s Parameter 4.4. The s Parameter
The REQUIRED "s" (signature) parameter is an integer that specifies The REQUIRED "s" (signature) parameter is an integer that specifies
the signature scheme used to compute the proof transmitted in the "p" the signature scheme used to compute the proof transmitted in the "p"
directive. Its value is an integer between 0 and 65535 inclusive directive. Its value is an integer between 0 and 65535 inclusive
from the IANA "TLS SignatureScheme" registry maintained at from the IANA "TLS SignatureScheme" registry maintained at
<<https://www.iana.org/assignments/tls-parameters/tls- <<https://www.iana.org/assignments/tls-parameters/tls-
parameters.xhtml#tls-signaturescheme>>. parameters.xhtml#tls-signaturescheme>>.
5.5. The v Parameter 4.5. The v Parameter
The REQUIRED "v" (verification) parameter is a byte sequence that The REQUIRED "v" (verification) parameter is a byte sequence that
specifies the verification that the user agent provides to attest to specifies the verification that the client provides to attest to
possessing the key exporter output (see Section 4.2 for details). possessing the key exporter output (see Section 3.2 for details).
This avoids issues with signature schemes where certain keys can This avoids issues with signature schemes where certain keys can
generate signatures that are valid for multiple inputs (see generate signatures that are valid for multiple inputs (see
[SEEMS-LEGIT]). [SEEMS-LEGIT]).
6. Example 5. Example
For example, the key ID "basement" authenticating using Ed25519 For example, the key ID "basement" authenticating using Ed25519
[ED25519] could produce the following header field: [ED25519] could produce the following header field:
NOTE: '\' line wrapping per RFC 8792 NOTE: '\' line wrapping per RFC 8792
Authorization: Signature \ Authorization: Concealed \
k=YmFzZW1lbnQ, \ k=YmFzZW1lbnQ, \
a=VGhpcyBpcyBh-HB1YmxpYyBrZXkgaW4gdXNl_GhlcmU, \ a=VGhpcyBpcyBh-HB1YmxpYyBrZXkgaW4gdXNl_GhlcmU, \
s=2055, \ s=2055, \
v=dmVyaWZpY2F0aW9u_zE2Qg, \ v=dmVyaWZpY2F0aW9u_zE2Qg, \
p=SW5zZXJ0_HNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo\ p=SW5zZXJ0_HNpZ25hdHVyZSBvZiBub25jZSBoZXJlIHdo\
aWNoIHRha2VzIDUxMiBiaXRz-GZvciBFZDI1NTE5IQ aWNoIHRha2VzIDUxMiBiaXRz-GZvciBFZDI1NTE5IQ
Figure 5: Example Header Field Figure 5: Example Header Field
7. Non-Probeable Server Handling 6. Server Handling
Servers that wish to introduce resources whose existence cannot be In this section, we subdivide the server role in two:
probed need to ensure that they do not reveal any information about
those resources to unauthenticated clients. In particular, such
servers MUST respond to authentication failures with the exact same
response that they would have used for non-existent resources. For
example, this can mean using HTTP status code 404 (Not Found) instead
of 401 (Unauthorized). Such authentication failures can be caused
for example by:
o absence of the Authorization (or Proxy-Authorization) field o the "frontend" runs in the HTTP server that terminates the TLS or
QUIC connection created by the client.
o failure to parse that field o the "backend" runs in the HTTP server that has access to the
database of accepted key identifiers and public keys.
o use of the Signature authentication scheme with an unknown key ID In most deployments, we expect the frontend and backend roles to both
be implemented in a single HTTP origin server (as defined in
Section 3.6 of [HTTP]). However, these roles can be split such that
the frontend is an HTTP gateway (as defined in Section 3.7 of [HTTP])
and the backend is an HTTP origin server.
o mismatch between key ID and provided public key 6.1. Frontend Handling
o failure to validate the verification parameter If a frontend is configured to check the Concealed authentication
scheme, it will parse the Authorization (or Proxy-Authorization)
header field. If the authentication scheme is set to "Concealed",
the frontend MUST validate that all the required authentication
parameters are present and can be parsed correctly as defined in
Section 4. If any parameter is missing or fails to parse, the
frontend MUST ignore the entire Authorization (or Proxy-
Authorization) header field.
o failure to validate the signature. The frontend then uses the data from these authentication parameters
to compute the key exporter output, as defined in Section 3.2. The
frontend then shares the header field and the key exporter output
with the backend.
In order to validate the signature, the server needs to first parse 6.2. Communication between Frontend and Backend
the field containing the signature, then look up the key ID in its
database of public keys, and finally perform the cryptographic If the frontend and backend roles are implemented in the same
validation. These steps can take time, and an attacker could detect machine, this can be handled by a simple function call.
use of this mechanism if that time is observable by comparing the
timing of a request for a known non-existent resource to the timing If the roles are split between two separate HTTP servers, then the
of a request for a potentially authenticated resource. Servers can backend won't be able to directly access the TLS keying material
mitigate this observability by slightly delaying responses to some exporter from the TLS connection between the client and frontend, so
non-existent resources such that the timing of the authentication the frontend needs to explictly send it. This document defines the
verification is not observable. This delay needs to be carefully "Concealed-Auth-Export" request header field for this purpose. The
considered to avoid having the delay itself leak the fact that this Concealed-Auth-Export header field's value is a Structured Field Byte
origin uses this mechanism at all. Sequence (see Section 3.3.5 of [STRUCTURED-FIELDS]) that contains the
48-byte key exporter output (see Section 3.2), without any
parameters. For example:
NOTE: '\' line wrapping per RFC 8792
Concealed-Auth-Export: :VGhpcyBleGFtcGxlIFRMUyBleHBvcn\
RlciBvdXRwdXQgaXMgNDggYnl0ZXMgI/+h:
Figure 6: Example Concealed-Auth-Export Header Field
The frontend SHALL forward the HTTP request to the backend, including
the original unmodified Authorization (or Proxy-Authorization) header
field and the newly added Concealed-Auth-Export header field.
Note that, since the security of this mechanism requires the key
exporter output to be correct, backends need to trust frontends to
send it truthfully. This trust relationship is common because the
frontend already needs access to the TLS certificate private key in
order to respond to requests. HTTP servers that parse the Concealed-
Auth-Export header field MUST ignore it unless they have already
established that they trust the sender. Similarly, frontends that
send the Concealed-Auth-Export header field MUST ensure that they do
not forward any Concealed-Auth-Export header field received from the
client.
6.3. Backend Handling
Once the backend receives the Authorization (or Proxy-Authorization)
header field and the key exporter output, it looks up the key ID in
its database of public keys. The backend SHALL then perform the
following checks:
o validate that all the required authentication parameters are
present and can be parsed correctly as defined in Section 4
o ensure the key ID is present in the backend's database and maps to
a corresponding public key
o validate that the public key from the database is equal to the one
in the Authorization (or Proxy-Authorization) header field
o validate that the verification field from the Authorization (or
Proxy-Authorization) header field matches the one extracted from
the key exporter output
o verify the cryptographic signature as defined in Section 3.3
If all of these checks succeed, the backend can consider the request
to be properly authenticated, and can reply accordingly (the backend
can also forward the request to another HTTP server).
If any of the above checks fail, the backend MUST treat it as if the
Authorization (or Proxy-Authorization) header field was missing.
6.4. Non-Probeable Server Handling
Servers that wish to introduce resources whose existence cannot be
probed need to ensure that they do not reveal any information about
those resources to unauthenticated clients. In particular, such
servers MUST respond to authentication failures with the exact same
response that they would have used for non-existent resources. For
example, this can mean using HTTP status code 404 (Not Found) instead
of 401 (Unauthorized).
The authentication checks described above can take time to compute,
and an attacker could detect use of this mechanism if that time is
observable by comparing the timing of a request for a known non-
existent resource to the timing of a request for a potentially
authenticated resource. Servers can mitigate this observability by
slightly delaying responses to some non-existent resources such that
the timing of the authentication verification is not observable.
This delay needs to be carefully considered to avoid having the delay
itself leak the fact that this origin uses this mechanism at all.
Non-probeable resources also need to be non-discoverable for Non-probeable resources also need to be non-discoverable for
unauthenticated users. For example, if a server operator wishes to unauthenticated users. For example, if a server operator wishes to
hide an authenticated resource by pretending it does not exist to hide an authenticated resource by pretending it does not exist to
unauthenticated users, then the server operator needs to ensure there unauthenticated users, then the server operator needs to ensure there
are no unauthenticated pages with links to that resource, and no are no unauthenticated pages with links to that resource, and no
other out-of-band ways for unauthenticated users to discover this other out-of-band ways for unauthenticated users to discover this
resource. resource.
8. Intermediary Considerations 7. Requirements on TLS Usage
Since the Signature HTTP authentication scheme leverages TLS keying This authentication scheme is only defined for uses of HTTP with TLS
material exporters, its output cannot be transparently forwarded by [TLS]. This includes any use of HTTP over TLS as typically used for
HTTP intermediaries. HTTP intermediaries that support this HTTP/2 [H2], or HTTP/3 [H3] where the transport protocol uses TLS as
specification have two options: its authentication and key exchange mechanism [QUIC-TLS].
o The intermediary can validate the authentication received from the Because the TLS keying material exporter is only secure for
client, then inform the upstream HTTP server of the presence of authentication when it is uniquely bound to the TLS session
valid authentication. [RFC7627], the Concealed authentication scheme requires either one of
the following properties:
o The intermediary can export the Signature Input and Verification o The TLS version in use is greater or equal to 1.3 [TLS].
(see Section 4.2}), and forward it to the upstream HTTP server,
then the upstream server performs the validation.
The mechanism for the intermediary to communicate this information to o The TLS version in use is 1.2 and the Extended Master Secret
the upstream HTTP server is out of scope for this document. extension [RFC7627] has been negotiated.
Note that both of these mechanisms require the upstream HTTP server Clients MUST NOT use the Concealed authentication scheme on
to trust the intermediary. This is usually the case because the connections that do not meet one of the two properties above. If a
intermediary already needs access to the TLS certificate private key server receives a request that uses this authentication scheme on a
in order to respond to requests. connection that meets neither of the above properties, the server
MUST treat the request as if the authentication were not present.
9. Security Considerations 8. Security Considerations
The Signature HTTP authentication scheme allows a user agent to The Concealed HTTP authentication scheme allows a client to
authenticate to an origin server while guaranteeing freshness and authenticate to an origin server while guaranteeing freshness and
without the need for the server to transmit a nonce to the user without the need for the server to transmit a nonce to the client.
agent. This allows the server to accept authenticated clients This allows the server to accept authenticated clients without
without revealing that it supports or expects authentication for some revealing that it supports or expects authentication for some
resources. It also allows authentication without the user agent resources. It also allows authentication without the client leaking
leaking the presence of authentication to observers due to clear-text the presence of authentication to observers due to clear-text TLS
TLS Client Hello extensions. Client Hello extensions.
The authentication proofs described in this document are not bound to The authentication proofs described in this document are not bound to
individual HTTP requests; if the key is used for authentication individual HTTP requests; if the key is used for authentication
proofs on multiple requests on the same connection, they will all be proofs on multiple requests on the same connection, they will all be
identical. This allows for better compression when sending over the identical. This allows for better compression when sending over the
wire, but implies that client implementations that multiplex wire, but implies that client implementations that multiplex
different security contexts over a single HTTP connection need to different security contexts over a single HTTP connection need to
ensure that those contexts cannot read each other's header fields. ensure that those contexts cannot read each other's header fields.
Otherwise, one context would be able to replay the Authorization Otherwise, one context would be able to replay the Authorization
header field of another. This constraint is met by modern Web header field of another. This constraint is met by modern Web
browsers. If an attacker were to compromise the browser such that it browsers. If an attacker were to compromise the browser such that it
could access another context's memory, the attacker might also be could access another context's memory, the attacker might also be
able to access the corresponding key, so binding authentication to able to access the corresponding key, so binding authentication to
requests would not provide much benefit in practice. requests would not provide much benefit in practice.
Key material used for the Signature HTTP authentication scheme MUST Key material used for the Concealed HTTP authentication scheme MUST
NOT be reused in other protocols. Doing so can undermine the NOT be reused in other protocols. Doing so can undermine the
security guarantees of the authentication. security guarantees of the authentication.
Origins offering this scheme can link requests that use the same key. Origins offering this scheme can link requests that use the same key.
However, requests are not linkable across origins if the keys used However, requests are not linkable across origins if the keys used
are specific to the individual origins using this scheme. are specific to the individual origins using this scheme.
10. IANA Considerations 9. IANA Considerations
10.1. HTTP Authentication Schemes Registry 9.1. HTTP Authentication Schemes Registry
This document, if approved, requests IANA to register the following This document, if approved, requests IANA to register the following
entry in the "HTTP Authentication Schemes" Registry maintained at entry in the "HTTP Authentication Schemes" Registry maintained at
<<https://www.iana.org/assignments/http-authschemes>>: <<https://www.iana.org/assignments/http-authschemes>>:
Authentication Scheme Name: Signature Authentication Scheme Name: Concealed
Reference: This document Reference: This document
Notes: None Notes: None
10.2. TLS Keying Material Exporter Labels 9.2. TLS Keying Material Exporter Labels
This document, if approved, requests IANA to register the following This document, if approved, requests IANA to register the following
entry in the "TLS Exporter Labels" registry maintained at entry in the "TLS Exporter Labels" registry maintained at
<<https://www.iana.org/assignments/tls-parameters#exporter-labels>>: <<https://www.iana.org/assignments/tls-parameters#exporter-labels>>:
Value: EXPORTER-HTTP-Signature-Authentication Value: EXPORTER-HTTP-Concealed-Authentication
DTLS-OK: N DTLS-OK: N
Recommended: Y Recommended: Y
Reference: This document Reference: This document
11. References 9.3. HTTP Field Name
11.1. Normative References This document, if approved, requests IANA to register the following
entry in the "Hypertext Transfer Protocol (HTTP) Field Name" registry
maintained at <<https://www.iana.org/assignments/http-fields/http-
fields.xhtml>>:
Field Name: Concealed-Auth-Export
Template: None
Status: permanent
Reference: This document
Comments: None
10. References
10.1. Normative References
[ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax [ABNF] Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", STD 68, RFC 5234, Specifications: ABNF", STD 68, RFC 5234,
DOI 10.17487/RFC5234, January 2008, DOI 10.17487/RFC5234, January 2008,
<https://www.rfc-editor.org/info/rfc5234>. <https://www.rfc-editor.org/info/rfc5234>.
[BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data [BASE64] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006,
<https://www.rfc-editor.org/info/rfc4648>. <https://www.rfc-editor.org/info/rfc4648>.
skipping to change at page 13, line 15 skipping to change at page 15, line 15
[RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
Langley, A., and M. Ray, "Transport Layer Security (TLS) Langley, A., and M. Ray, "Transport Layer Security (TLS)
Session Hash and Extended Master Secret Extension", Session Hash and Extended Master Secret Extension",
RFC 7627, DOI 10.17487/RFC7627, September 2015, RFC 7627, DOI 10.17487/RFC7627, September 2015,
<https://www.rfc-editor.org/info/rfc7627>. <https://www.rfc-editor.org/info/rfc7627>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[STRUCTURED-FIELDS]
Nottingham, M. and P. Kamp, "Structured Field Values for
HTTP", RFC 8941, DOI 10.17487/RFC8941, February 2021,
<https://www.rfc-editor.org/info/rfc8941>.
[TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol [TLS] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>. <https://www.rfc-editor.org/info/rfc8446>.
[URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform [URI] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66, Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, DOI 10.17487/RFC3986, January 2005, RFC 3986, DOI 10.17487/RFC3986, January 2005,
<https://www.rfc-editor.org/info/rfc3986>. <https://www.rfc-editor.org/info/rfc3986>.
[X.690] ITU-T, "Information technology - ASN.1 encoding Rules: [X.690] ITU-T, "Information technology - ASN.1 encoding Rules:
Specification of Basic Encoding Rules (BER), Canonical Specification of Basic Encoding Rules (BER), Canonical
Encoding Rules (CER) and Distinguished Encoding Rules Encoding Rules (CER) and Distinguished Encoding Rules
(DER)", ISO/IEC 8824-1:2021 , February 2021. (DER)", ISO/IEC 8824-1:2021 , February 2021.
11.2. Informative References 10.2. Informative References
[ED25519] Josefsson, S. and J. Schaad, "Algorithm Identifiers for [ED25519] Josefsson, S. and J. Schaad, "Algorithm Identifiers for
Ed25519, Ed448, X25519, and X448 for Use in the Internet Ed25519, Ed448, X25519, and X448 for Use in the Internet
X.509 Public Key Infrastructure", RFC 8410, X.509 Public Key Infrastructure", RFC 8410,
DOI 10.17487/RFC8410, August 2018, DOI 10.17487/RFC8410, August 2018,
<https://www.rfc-editor.org/info/rfc8410>. <https://www.rfc-editor.org/info/rfc8410>.
[H2] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113, [H2] Thomson, M., Ed. and C. Benfield, Ed., "HTTP/2", RFC 9113,
DOI 10.17487/RFC9113, June 2022, DOI 10.17487/RFC9113, June 2022,
<https://www.rfc-editor.org/info/rfc9113>. <https://www.rfc-editor.org/info/rfc9113>.
 End of changes. 74 change blocks. 
174 lines changed or deleted 259 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/