< draft-schmaus-kitten-sasl-ht-05.txt   draft-schmaus-kitten-sasl-ht-06.txt >
Common Authentication Technology Next Generation F. Schmaus Common Authentication Technology Next Generation F. Schmaus
Internet-Draft C. Egger Internet-Draft C. Egger
Intended status: Experimental University of Erlangen-Nuremberg Intended status: Experimental University of Erlangen-Nuremberg
Expires: May 8, 2019 November 4, 2018 Expires: November 7, 2019 May 6, 2019
The Hashed Token SASL Mechanism The Hashed Token SASL Mechanism
draft-schmaus-kitten-sasl-ht-05 draft-schmaus-kitten-sasl-ht-06
Abstract Abstract
This document specifies the family of Hashed Token SASL mechanisms, This document specifies the family of Hashed Token SASL mechanisms
which are meant to be used for quick re-authentication of a previous which enable a proof-of-possession-based authentication scheme and
are meant to be used for quick re-authentication of a previous
session. The Hashed Token SASL mechanism's authentication sequence session. The Hashed Token SASL mechanism's authentication sequence
consists of only one round-trip. The usage of short-lived, consists of only one round-trip. The usage of short-lived,
exclusively ephemeral hashed tokens is achieving the single round- exclusively ephemeral hashed tokens is achieving the single round-
trip property. It further provides hash agility, mutual trip property. The SASL mechanism specified herin further provides
authentication and is secured by channel binding. hash agility, mutual authentication and is secured by channel
binding.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 8, 2019. This Internet-Draft will expire on November 7, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3 1.1. Conventions and Terminology . . . . . . . . . . . . . . . 3
1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 3 1.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 3
2. The HT Family of Mechanisms . . . . . . . . . . . . . . . . . 3 2. The HT Family of Mechanisms . . . . . . . . . . . . . . . . . 4
3. The HT Authentication Exchange . . . . . . . . . . . . . . . 4 3. The HT Authentication Exchange . . . . . . . . . . . . . . . 5
3.1. Initiator First Message . . . . . . . . . . . . . . . . . 4 3.1. Initiator First Message . . . . . . . . . . . . . . . . . 5
3.2. Initiator Authentication . . . . . . . . . . . . . . . . 6 3.2. Initiator Authentication . . . . . . . . . . . . . . . . 6
3.3. Final Responder Message . . . . . . . . . . . . . . . . . 6 3.3. Final Responder Message . . . . . . . . . . . . . . . . . 6
4. Compliance with SASL Mechanism Requirements . . . . . . . . . 6 4. Compliance with SASL Mechanism Requirements . . . . . . . . . 6
5. Requirements for the Application-Protocol Extension . . . . . 7 5. Requirements for the Application-Protocol Extension . . . . . 7
6. Security Considerations . . . . . . . . . . . . . . . . . . . 7 6. Security Considerations . . . . . . . . . . . . . . . . . . . 7
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 7 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8
8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8
8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 8
8.2. Informative References . . . . . . . . . . . . . . . . . 10 8.2. Informative References . . . . . . . . . . . . . . . . . 10
Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 10 Appendix A. Acknowledgments . . . . . . . . . . . . . . . . . . 10
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11
1. Introduction 1. Introduction
This specification describes the family of Hashed Token (HT) Simple This specification describes the family of Hashed Token (HT) Simple
Authentication and Security Layer (SASL) [RFC4422] mechanisms. The Authentication and Security Layer (SASL) [RFC4422] mechanisms, which
HT mechanism is designed to be used with short-lived, exclusively enable a proof-of-possession-based authentication scheme. The HT
mechanism is designed to be used with short-lived, exclusively
ephemeral tokens, called SASL-HT tokens, and allow for quick, one ephemeral tokens, called SASL-HT tokens, and allow for quick, one
round-trip, re-authentication of a previous session. round-trip, re-authentication of a previous session.
Further properties of the HT mechanism are 1) hash agility, 2) mutual Further properties of the HT mechanism are 1) hash agility, 2) mutual
authentication, and 3) being secured by channel binding. authentication, and 3) being secured by channel binding.
Clients are supposed to request SASL-HT tokens from the server after Clients are supposed to request SASL-HT tokens from the server after
being authenticated using a "strong" SASL mechanism like SCRAM being authenticated using a "strong" SASL mechanism like SCRAM
[RFC5802]. Hence a typical sequence of actions using HT may look [RFC5802]. Hence a typical sequence of actions using HT may look
like the following: like the following:
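Review bot: The sentence added to the abstract in -06 misspells "herein" as "herin" ("The SASL mechanism specified herin further provides"); correct the spelling in the next revision. While that paragraph is open, "The usage of short-lived, exclusively ephemeral hashed tokens is achieving the single round-trip property" is unchanged in both versions and would read better with "achieves". The phrase "proof-of-possession-based authentication scheme" is new in both the abstract and the introduction but is neither defined nor referenced in the visible text; a one-sentence definition in Section 1 would help.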
skipping to change at page 4, line 14 skipping to change at page 4, line 27
Where <hash-alg> is the capitalised "Hash Name String" of the IANA Where <hash-alg> is the capitalised "Hash Name String" of the IANA
"Named Information Hash Algorithm Registry" [iana-hash-alg] as "Named Information Hash Algorithm Registry" [iana-hash-alg] as
specified in [RFC6920], and <cb-type> is one of 'ENDP' or 'UNIQ' specified in [RFC6920], and <cb-type> is one of 'ENDP' or 'UNIQ'
denoting the channel binding type. In the case of 'ENDP', the tls- denoting the channel binding type. In the case of 'ENDP', the tls-
server-end-point channel binding type is used. In the case of server-end-point channel binding type is used. In the case of
'UNIQ', the tls-unique channel binding type is used. Valid channel 'UNIQ', the tls-unique channel binding type is used. Valid channel
binding types are defined in the IANA "Channel-Binding Types" binding types are defined in the IANA "Channel-Binding Types"
registry [iana-cbt] as specified in [RFC5056]. registry [iana-cbt] as specified in [RFC5056].
+------+----------------------+ +---------+----------------------+
| CBT | Channel Binding Type | | cb-type | Channel Binding Type |
+------+----------------------+ +---------+----------------------+
| ENDP | tls-server-end-point | | ENDP | tls-server-end-point |
| UNIQ | tls-unique | | UNIQ | tls-unique |
+------+----------------------+ +---------+----------------------+
Mapping of CBT to Channel Bindings Mapping of cb-type to Channel Binding Types
The following table lists the HT SASL mechanisms registered by this The following table lists the HT SASL mechanisms registered by this
document. document.
+------------------+------------------+-----------------------------+ +------------------+------------------+-----------------------------+
| Mechanism Name | HT Hash | Channel-binding unique | | Mechanism Name | HT Hash | Channel-binding unique |
| | Algorithm | prefix | | | Algorithm | prefix |
+------------------+------------------+-----------------------------+ +------------------+------------------+-----------------------------+
| HT-SHA-512-ENDP | SHA-512 | tls-server-end-point | | HT-SHA-512-ENDP | SHA-512 | tls-server-end-point |
| HT-SHA-512-UNIQ | SHA-512 | tls-unique | | HT-SHA-512-UNIQ | SHA-512 | tls-unique |
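Review bot: The rename from "CBT" to "cb-type" in the first table and its caption is not carried into the mechanism table that follows, whose third column is still headed "Channel-binding unique prefix" while listing the same values (tls-server-end-point, tls-unique) that the first table now calls "Channel Binding Type". Suggest using one term for that column in both tables and settling on one spelling ("Channel-binding" versus "Channel Binding").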
skipping to change at page 5, line 36 skipping to change at page 5, line 50
initiator-hashed-token := HMAC(token, "Initiator" || cb-data) initiator-hashed-token := HMAC(token, "Initiator" || cb-data)
HMAC() is the function defined in [RFC2104] with H being the selected HMAC() is the function defined in [RFC2104] with H being the selected
HT hash algorithm, 'cb-data' represents the data provided by the HT hash algorithm, 'cb-data' represents the data provided by the
selected channel binding type, and 'token' are the UTF-8 encoded selected channel binding type, and 'token' are the UTF-8 encoded
octets of the SASL-HT token string which acts as a shared secret octets of the SASL-HT token string which acts as a shared secret
between initiator and responder. between initiator and responder.
The initiator-msg MAY be included in TLS 1.3 0-RTT early data, as The initiator-msg MAY be included in TLS 1.3 0-RTT early data, as
specified in [I-D.ietf-tls-tls13]. If this is the case, then the specified in [RFC8446]. If this is the case, then the initiating
initiating entity MUST NOT include any further application protocol entity MUST NOT include any further application protocol payload in
payload in the early data besides the HT initiator-msg and potential the early data besides the HT initiator-msg and potential required
required framing of the SASL profile. The responder MUST abort the framing of the SASL profile. The responder MUST abort the SASL
SASL authentication if the early data contains additional application authentication if the early data contains additional application
protocol payload. protocol payload.
TODO: It should be possible to exploit TLS 1.3 early data for TODO: It should be possible to exploit TLS 1.3 early data for
"0.5" RTT resumption of the application protocol's session. That "0.5" RTT resumption of the application protocol's session. That
is, on resumption the initiating entity MUST NOT send any is, on resumption the initiating entity MUST NOT send any
application protocol payload together with first flight data, application protocol payload together with first flight data,
besides the HT initiator-msg. But if the responding entity is besides the HT initiator-msg. But if the responding entity is
able to verify the TLS 1.3 early data, then it can send additional able to verify the TLS 1.3 early data, then it can send additional
application protocol payload right away together with the application protocol payload right away together with the
"resumption successful" response to the initiating entity. "resumption successful" response to the initiating entity.
skipping to change at page 8, line 27 skipping to change at page 8, line 32
Note: Members of this family MUST be explicitly registered Note: Members of this family MUST be explicitly registered
using the "IETF Review" [@!RFC5226] registration procedure. using the "IETF Review" [@!RFC5226] registration procedure.
Reviews MUST be requested on the Kitten WG mailing list Reviews MUST be requested on the Kitten WG mailing list
<kitten@ietf.org> (or a successor designated by the responsible <kitten@ietf.org> (or a successor designated by the responsible
Security AD). Security AD).
8. References 8. References
8.1. Normative References 8.1. Normative References
[I-D.ietf-tls-tls13]
Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", draft-ietf-tls-tls13-23 (work in progress),
January 2018.
[iana-cbt] [iana-cbt]
Williams, N., "IANA Channel-Binding Types", 2010, Williams, N., "IANA Channel-Binding Types", 2010,
<https://www.iana.org/assignments/channel-binding-types/ <https://www.iana.org/assignments/channel-binding-types/
channel-binding-types.xhtml>. channel-binding-types.xhtml>.
[iana-hash-alg] [iana-hash-alg]
Williams, N., "IANA Named Information Hash Algorithm Williams, N., "IANA Named Information Hash Algorithm
Registry", 2010, <https://www.iana.org/assignments/named- Registry", 2010, <https://www.iana.org/assignments/named-
information/named-information.xhtml#hash-alg>. information/named-information.xhtml#hash-alg>.
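Review bot: The registration note above Section 8 still shows the citation as "[@!RFC5226]" in both versions, which looks like source markup that leaked into the text output; it should render as "[RFC5226]", and the reference list should be checked for a matching entry. Dropping [I-D.ietf-tls-tls13] from the normative references is consistent with the body now citing [RFC8446].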
skipping to change at page 10, line 20 skipping to change at page 10, line 20
[RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A., [RFC7627] Bhargavan, K., Ed., Delignat-Lavaud, A., Pironti, A.,
Langley, A., and M. Ray, "Transport Layer Security (TLS) Langley, A., and M. Ray, "Transport Layer Security (TLS)
Session Hash and Extended Master Secret Extension", Session Hash and Extended Master Secret Extension",
RFC 7627, DOI 10.17487/RFC7627, September 2015, RFC 7627, DOI 10.17487/RFC7627, September 2015,
<https://www.rfc-editor.org/info/rfc7627>. <https://www.rfc-editor.org/info/rfc7627>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018,
<https://www.rfc-editor.org/info/rfc8446>.
8.2. Informative References 8.2. Informative References
[RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams, [RFC5802] Newman, C., Menon-Sen, A., Melnikov, A., and N. Williams,
"Salted Challenge Response Authentication Mechanism "Salted Challenge Response Authentication Mechanism
(SCRAM) SASL and GSS-API Mechanisms", RFC 5802, (SCRAM) SASL and GSS-API Mechanisms", RFC 5802,
DOI 10.17487/RFC5802, July 2010, DOI 10.17487/RFC5802, July 2010,
<https://www.rfc-editor.org/info/rfc5802>. <https://www.rfc-editor.org/info/rfc5802>.
[RFC6120] Saint-Andre, P., "Extensible Messaging and Presence [RFC6120] Saint-Andre, P., "Extensible Messaging and Presence
Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120, Protocol (XMPP): Core", RFC 6120, DOI 10.17487/RFC6120,
 End of changes. 15 change blocks. 
32 lines changed or deleted 34 lines changed or added

This html diff was produced by rfcdiff 1.47.