Token Binding for Transport Layer Security (TLS) Version 1.3 Connections
Google Inc.
nharper@google.com
General
Internet-Draft
Negotiation of the Token Binding protocol is only defined for Transport Layer
Security (TLS) versions 1.2 and earlier. Token Binding users may wish to use it
with TLS 1.3; this document defines a backwards compatible way to negotiate
Token Binding on TLS 1.3 connections.
Negotiating Token Binding using a TLS extension as
described in is fairly straightforward, but is
restricted to TLS 1.2 and earlier. Only one minor change is needed to use this
extension to negotiate Token Binding on connections using TLS 1.3 and later.
Instead of the server putting the “token_binding” extension in the ServerHello
like in TLS 1.2, in TLS 1.3 the server puts it in EncryptedExtensions instead.
This document also non-normatively provides a clarification for the definition
of the TokenBinding.signature field from , since
TLS 1.3 defines an alternate (but API-compatible) exporter mechanism to the one
in used in .
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL
NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and
“OPTIONAL” in this document are to be interpreted as described in
.
In TLS 1.3, the “token_binding” TLS extension may be present only in ClientHello
and EncryptedExtensions handshake messages. The format of the “token_binding”
TLS extension remains the same as defined in .
A client puts the “token_binding” TLS extension in its ClientHello to indicate
its support for the Token Binding protocol. The client should follow the same
rules for when to send this extension and the contents of its data as in section
2 of . Since the “token_binding” extension
remains unchanged from TLS 1.2 to TLS 1.3 in the ClientHello, a client sending
the “token_binding” extension in a TLS 1.3 ClientHello is backwards compatible
with a server that only supports TLS 1.2.
A server puts the “token_binding” TLS extension in the EncryptedExtensions
message following its ServerHello to indicate support for the Token Binding
protocol and to select protocol version and key parameters. The server includes
the extension following the same rules as section 3 of
, with the following changes:
The “token_binding” TLS extension is in EncryptedExtensions instead of
ServerHello.
The server MUST NOT include both the “token_binding” extension and the
“early_data” extension on the same connection.
requires that extensions define their interaction with
0-RTT. The “token_binding” extension MUST NOT be used with 0-RTT unless
otherwise specified in another draft. A client MAY include both “early_data” and
“token_binding” extensions in its ClientHello - this indicates that the client
is willing to resume a connection and send early data (without Token Binding),
or negotiate Token Binding on the connection and have early data rejected.
This non-normative section provides a clarification on the definition of the
TokenBinding.signature field when used on a TLS 1.3 connection.
defines the TokenBinding.signature field in terms
of an exported keying material (EKM) value as defined in .
provides an equivalent interface in section 7.5. For
clarity, using the terminology from , the EKM used in
section 3.3 of in TLS 1.3 is the exporter value
(section 7.5 of ) computed with the following parameters:
Secret: exporter_master_secret.
label: The ASCII string “EXPORTER-Token-Binding” with no terminating NUL.
context_value: No context value is supplied.
key_length: 32 bytes.
These are the same input values as specified in section 3.3 of
.
The consideration regarding downgrade attacks in
still apply here: The parameters negotiated in
the “token_binding” extension are protected by the TLS handshake. An active
network attacker cannot modify or remove the “token_binding” extension without
also breaking the TLS connection.
This extension cannot be used with 0-RTT data, so the concerns in
about replay do not apply here.
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
This document specifies a Transport Layer Security (TLS) extension for the negotiation of Token Binding protocol version and key parameters.
The Transport Layer Security (TLS) Protocol Version 1.3
This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery.
Keying Material Exporters for Transport Layer Security (TLS)
A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK]
The Token Binding Protocol Version 1.0
This document specifies Version 1.0 of the Token Binding protocol. The Token Binding protocol allows client/server applications to create long-lived, uniquely identifiable TLS bindings spanning multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks. To protect privacy, the Token Binding identifiers are only conveyed over TLS and can be reset by the user at any time.