HTTPS Token Binding with TLS Terminating Reverse ProxiesPing Identitybrian.d.campbell@gmail.com
General
Internet Engineering Task ForceToken BindingReverse ProxyTLS TerminationSec-Provided-Token-Binding-IDSec-Referred-Token-Binding-ID
This document defines HTTP header fields that enable
a TLS terminating reverse proxy to convey information to a backend server
about the validated Token Binding Message
received from a client, which enables that backend server to bind, or verify the binding
of, cookies and other security tokens to the client's Token Binding key.
This facilitates the reverse proxy and backend
server functioning together as though they are a single logical
server side deployment of HTTPS Token Binding.
Token Binding over HTTP
provides a mechanism that enables HTTP
servers to cryptographically bind cookies and other security tokens
to a key generated by the client.
When the use of Token Binding is negotiated in the TLS
handshake
the client sends an
encoded Token Binding Message
as a header in each HTTP request, which proves possession
of one or more private keys held by the client. The public portion of the
keys are represented in the Token Binding IDs of the Token Binding Message
and for each one there is a signature over some data, which includes the exported keying material
of the TLS connection. An HTTP server issuing
cookies or other security tokens can associate them with the Token Binding ID, which
ensures those tokens cannot be used successfully over a different TLS connection
or by a different client than the one to which they were issued.
A fairly common deployment architecture for HTTPS applications is to have the backend HTTP application
servers sit behind a reverse proxy that terminates TLS connections from clients.
The proxy is accessible to the internet and
dispatches client requests to the appropriate backend server within a private or protected network.
The backend servers are not directly accessible by clients and are only reachable
through the reverse proxy. The details of such deployments are typically opaque to clients
who make requests to the proxy server and see responses as though they originated
from the proxy server itself.
Although HTTPS is also usually employed between the proxy and the backend server,
the TLS connection that the client establishes for HTTPS is between
itself and the reverse proxy server.
Token Binding facilitates a binding of security tokens to a key held by the client by way of
the TLS connection between that client and the server.
In a deployment where TLS is terminated by a reverse proxy, however, the
TLS connection is between the client and the proxy while the backend server is likely the
system that will issue and validate cookies or other security tokens.
Additional steps are therefore needed to enable the use of
Token Binding in such deployment architectures. In the absence of a standardized approach,
different implementations will address it differently, which will make interoperability
between such implementations difficult or impossible without complex configurations or custom integrations.
This document standardizes
HTTP header field names that a
TLS terminating reverse proxy (TTRP) adds to requests that it sends to the backend servers.
The headers contain information from the validated Token Binding Message
sent by the client to the proxy,
thus enabling the backend server to bind, or verify the binding of,
cookies and other security tokens to the client's Token Binding key.
The usage of the
headers, both the TTRP adding the headers and the backend application server using the headers to
bind cookies or other tokens, are to be configuration options of the respective
systems as they will not always be applicable.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL"
in this document are to be interpreted as described in
BCP 14
when, and only when, they appear in all capitals, as shown here.
The field-values of the HTTP headers defined herein utilize the following encoded forms.
A Token Binding ID is represented as an EncodedTokenBindingID,
which is thea base64url encoding of
the TokenBindingID byte sequence (see section 3 of )
using the URL and filename safe alphabet described in Section 5 of
, with all trailing pad characters '=' omitted
and without the inclusion of any line breaks, whitespace, or other
additional characters. ABNF syntax for EncodedTokenBindingID
is shown in below.
A Token Binding type value (a single byte) can be represented as an EncodedTokenBindingType,
which is a case-insensitive hex encoding (Section 8 of ).
The ABNF definition is shown in below.
The Token Binding Protocol
recommends that implementations make Token Binding IDs
available to the application as opaque byte sequences, enabling those
applications to use the Token Binding IDs when generating and verifying
bound tokens. In the context of a TLS terminating reverse proxy (TTRP)
deployment, the TTRP makes the Token Binding ID(s) available to the backend
application with the following header fields.
The Token Binding ID of the provided Token Binding represented as an
EncodedTokenBindingID.
The Token Binding ID of the referred Token Binding represented as an
EncodedTokenBindingID.
Additional Token Bindings that are sent by the client and validated by the TTRP are represented as a comma-separated list
of the concatenation of the EncodedTokenBindingType, a period (".") character, and the EncodedTokenBindingID
of each.
Both Sec-Provided-Token-Binding-ID
and Sec-Referred-Token-Binding-ID are
single HTTP header field-valued as defined in
Section 3.2 of , which MUST NOT have a list of values or occur multiple times
in a request.
All header fields defined herein are only for use in HTTP requests
and MUST NOT to be used in HTTP responses.
This section defines the applicable processing rules for a
TLS terminating reverse proxy (TTRP) and backend server(s) to provide server side support of
Token Binding over HTTP
using the HTTP headers described in .
Use of the technique is to be a configuration or deployment option and
the processing rules described herein are for servers operating with that option enabled.
A TTRP negotiates the use of Token Binding with the client, such as is described in
and validates the Token Binding Message as defined in
The Token Binding Protocol
and
Token Binding over HTTP
for each HTTP request on
the underlying TLS connection. Requests with a valid Token Binding Message (and meeting
any other authorization or policy requirements of the TTRP) are dispatched to the backend
server with the following modifications.
The
Sec-Token-Binding
header in the
original incoming request MUST be removed from the request that is dispatched to the backend
server.
The Token Binding ID of the provided Token Binding of the Token Binding Message
MUST be placed in the
Sec-Provided-Token-Binding-ID
header field of the dispatched request using the format defined in .
If the Token Binding Message contains a referred Token Binding, the referred Token Binding ID
MUST be placed in the
Sec-Referred-Token-Binding-ID
header field of the dispatched request using the format defined in .
Otherwise, the
Sec-Referred-Token-Binding-ID
header field MUST NOT be present in the dispatched request.
If the Token Binding Message contains any additional validated Token Bindings, they are placed in the
Sec-Other-Token-Binding-ID header field using the format defined
in . If the Token Binding Message contains no additional valid Token Bindings,
the Sec-Referred-Token-Binding-ID
header field MUST NOT be present in the dispatched request.
Any occurrence of the Sec-Provided-Token-Binding-ID,
Sec-Referred-Token-Binding-ID, and Sec-Other-Token-Binding-ID
headers in the original incoming request MUST be removed or overwritten before forwarding the request.
Requests made over a connection where the use of Token Binding was not negotiated MUST be sanitized
by removing any occurrences of the
Sec-Provided-Token-Binding-ID,
Sec-Referred-Token-Binding-ID,
and Sec-Other-Token-Binding-ID
header fields prior to
dispatching the request to the backend server.
Forward proxies and other intermediaries MUST NOT add
the Sec-Provided-Token-Binding-IDSec-Referred-Token-Binding-ID, or Sec-Other-Token-Binding-ID header to requests.
Extra line breaks and whitespace have been added to the following examples
for display and formatting purposes only.
The following Sec-Token-Binding header is from
an HTTP request made over a TLS connection between the client
and the TTRP where the use of Token Binding has been negotiated.
The base64url-encoded representation of the exported keying material for that
connection is AYVUayPTP9RmELNpGjFl6Ykm2CUx7pUMxe35yb11dgU,
which can be used to validate the Token Binding Message.
The encoded Token Binding Message has the provided Token Binding that the
client uses with the server.
After validating the Token Binding Message, the TTRP removes the
Sec-Token-Binding header and adds the following
Sec-Provided-Token-Binding-ID header with the
provided Token Binding ID to the request that is dispatched to the
backend server.
The following Sec-Token-Binding header is from
an HTTP request made over a TLS connection between the client
and the TTRP where the use of Token Binding has been negotiated.
The base64url-encoded representation of the exported keying material for that
connection is wEWWCP1KPxfq-QL4NxYII_P4ti_9YYqrTpGs28BZEqE,
which can be used to validate the Token Binding Message.
The encoded Token Binding Message has the provided Token Binding that the
client uses with the server as well as the referred Token Binding that it
uses with a different server.
After validating the Token Binding Message, the TTRP removes the
Sec-Token-Binding header and adds the following
Sec-Provided-Token-Binding-ID and
Sec-Referred-Token-Binding-ID headers,
with the provided and referred Token Binding IDs respectively,
to the request that is dispatched to the backend server.
The following Sec-Token-Binding header is from
an HTTP request made over a TLS connection between the client
and the TTRP where the use of Token Binding has been negotiated.
The base64url-encoded representation of the exported keying material for that
connection is Zr_1DESCcDoaltcZCK613UrEWHRf2B3w9i3bwcxpacc,
which can be used to validate the Token Binding Message.
The encoded Token Binding Message has the provided Token Binding and two other Token Bindings.
After validating the Token Binding Message, the TTRP removes the
Sec-Token-Binding header and adds the following
Sec-Provided-Token-Binding-ID and
Sec-Other-Token-Binding-ID headers
to the request that is dispatched to the backend server.
TLS 1.2 is cited in this document because,
at the time of writing, it is the latest version that is widely deployed.
However, this document is applicable with other TLS versions that allow for
negotiating the use of Token Binding. ,
for example, describes Token Binding for TLS 1.3.
Implementation security considerations for TLS, including version recommendations,
can be found in
Recommendations for Secure Use of Transport Layer Security (TLS)
and Datagram Transport Layer Security (DTLS).
The headers described herein enable a reverse proxy and backend server
to function together as though they are a single logical server side deployment of HTTPS Token Binding.
Use of the headers outside that intended use case, however, may undermine the protections
afforded by Token Binding. Therefore steps MUST be taken to prevent unintended use, both in
sending the headers and in relying on their value.
Producing and consuming the headers SHOULD be
a configurable option, respectively, in a reverse proxy and backend server
(or individual application in that server). The default configuration for both should be
to not use the headers thus requiring an "opt-in" to the functionality.
Backend servers MUST only accept the headers from trusted reverse proxies.
And reverse proxies MUST sanitize the incoming request before forwarding it on
by removing or overwriting any existing instances of the headers.
Otherwise arbitrary clients can control the header values as seen
and used by the backend server.
The communication between a reverse proxy and backend server needs to be secured
against eavesdropping and modification by unintended parties.
The configuration options and request sanitization are necessarily functionally of the
respective servers. The other requirements can be met in a number of ways, which
will vary based on specific deployments. The communication between a reverse proxy and
backend server, for example, might be over a mutually authenticated TLS with the
insertion and consumption headers
occurring only on that connection. Alternatively the network topology might
dictate a private network such that the backend application is only able to accept requests
from the reverse proxy and the proxy can only make requests to that server. Other
deployments that meet the requirements set forth herein are also possible.
Employing the Sec- header field prefix for the headers
defined herein denotes them as forbidden header names (see ),
which means they cannot be set or modified programmatically by script running in-browser.
This document specifies the following new HTTP header fields,
registration of which is requested in the "Permanent Message Header Field Names" registry
defined in .
Header Field Name: Sec-Provided-Token-Binding-ID
Applicable protocol: HTTP
Status: standard
Author/change Controller: IETF
Specification Document(s): [[ this specification ]]
Header Field Name: Sec-Referred-Token-Binding-ID
Applicable protocol: HTTP
Status: standard
Author/change Controller: IETF
Specification Document(s): [[ this specification ]]
Header Field Name: Sec-Other-Token-Binding-ID
Applicable protocol: HTTP
Status: standard
Author/change Controller: IETF
Specification Document(s): [[ this specification ]]
Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS)Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) are widely used to protect data exchanged over application protocols such as HTTP, SMTP, IMAP, POP, SIP, and XMPP. Over the last
few years, several serious attacks on TLS have emerged, including attacks on its most commonly used cipher suites and their modes of operation. This document provides recommendations for improving the
security of deployed services that use TLS and DTLS. The recommendations are applicable to the majority of use cases.
FetchWhatWG
The author would like to thank the following people for their various contributions to the specification:
Vinod Anupam,
Dirk Balfanz,
John Bradley,
William Denniss,
Nick Harper,
Jeff Hodges,
Subodh Iyengar,
Leif Johansson,
Michael B. Jones,
Yoav Nir,
James Manger,
Andrei Popov,
Eric Rescorla,
Piotr Sikora,
Martin Thomson,
and
Hans Zandbelt
[[ to be removed by the RFC Editor before publication as an RFC ]]
draft-ietf-tokbind-ttrp-06
Move TLS Versions and Best Practices out of Security Considerations to its own top-level section.
draft-ietf-tokbind-ttrp-05
Editorial updates.Change one character in the last example to help emphasize the case-insensitivity of hex.Add a TLS Versions and Best Practices section with BCP195 and also mention of ietf-tokbind-tls13 and ietf-tls-tls13.
draft-ietf-tokbind-ttrp-04
Add an example with Sec-Other-Token-Binding-ID.Use the HEXDIG core ABNF rule for EncodedTokenBindingType and mention case-insensitive in the text.Minor editorial fixes.Add to the Acknowledgements and remove the 'and others' bit.
draft-ietf-tokbind-ttrp-03
Add a header to allow for additional token binding types other than provided and referred to be conveyed.Reword the Abstract somewhat for (hopefully) improved readability.Minor editorial and formatting updates.
draft-ietf-tokbind-ttrp-02
Add to the Acknowledgements.Update references for Token Binding negotiation, protocol, and https.Use the boilerplate from RFC 8174.Reformat the "HTTP Header Fields and Processing Rules" section to make the
header names more prominent and move the encoding definitions earlier.
draft-ietf-tokbind-ttrp-01
Prefix the header names with "Sec-" so that they are denoted as forbidden header names by Fetch https://fetch.spec.whatwg.org/Removed potentially confusing sentence from Security Considerations per https://mailarchive.ietf.org/arch/msg/unbearable/O0IpppyyEqMrQjEkyEi8p8CeBGAEditorial fixes.
draft-ietf-tokbind-ttrp-00
Initial WG draft from draft-campbell-tokbind-ttrp.
draft-campbell-tokbind-ttrp-01
Minor editorial fixes.Add to the Acknowledgements.
draft-campbell-tokbind-ttrp-00
Initial draft based on 'consensus to work on the problem' from the Seoul meeting [1][2]
and reflecting the consensus approach from discussions at the Chicago meeting [3].
[1] https://www.ietf.org/proceedings/97/minutes/minutes-97-tokbind-01.txt (minutes from Seoul)
[2] https://www.ietf.org/proceedings/97/slides/slides-97-tokbind-reverse-proxies-00.pdf (slides from Seoul)
[3] https://mailarchive.ietf.org/arch/msg/unbearable/_ZHI8y2Vs5WMP8VMRr7zroo_sNU (summary of discussion)