[Feature Request] Implement token binding negotiation #1242

Closed
davidgtonge opened this issue Jun 21, 2016 · 4 comments
Labels
issue: feature request The issue was opened to request a feature

Comments

@davidgtonge

TLDR:

Web services generate various security tokens (e.g. HTTP cookies, OAuth tokens, etc.) for web applications to access protected resources. Currently these are bearer tokens, i.e. any party in possession of such token gains access to the protected resource. Attackers export bearer tokens from client machines or from compromised network connections, present these bearer tokens to Web services, and impersonate authenticated users. Token Binding enables defense against such attacks by cryptographically binding security tokens to a secret held by the client.

The latest specs are here:
https://datatracker.ietf.org/wg/tokbind/documents/

It is already supported by the Dot Net Framework:
https://blogs.msdn.microsoft.com/dotnet/2015/11/30/net-framework-4-6-1-is-now-available/

It has client side support in:

It has been implemented in BoringSSL:
https://groups.google.com/forum/#!searchin/mailing.openssl.dev/%22token%2420binding%22/mailing.openssl.dev/v3DlPhWNxFw/94H23Z4KCAAJ

Related PR: #927
Related extension discussion: https://www.ietf.org/mail-archive/web/unbearable/current/msg00296.html

cc: @waywardgeek
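The binding the post describes, as an added example that is not code from this issue, from OpenSSL, or from Google's library: the client signs the connection's exported keying material (EKM) with a long-lived key, the server verifies that signature against its own view of the EKM and records the key's identity on the token it issues, and a token exported from the client fails on any other connection. The signed data layout (tokenbinding_type, key_parameters, EKM) and the ecdsap256 = 2 value follow RFC 8471; everything else is an assumption of this example: the `ekm` function hashes a constructed per-connection secret instead of calling a TLS exporter, the connection secrets are constructed inputs, and `ClientProve`, `ServerVerify`, `CheckBoundToken` and `Demo` are names chosen here, not an API of any real library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Wire constants from RFC 8471 (Token Binding protocol).
const (
	tbProvided  uint8 = 0 // TokenBindingType provided_token_binding
	tbECDSAP256 uint8 = 2 // TokenBindingKeyParameters ecdsap256
)

// TokenBindingID is key_parameters plus the client's raw P-256 public key; a
// TokenBinding adds the ECDSA signature over tokenbinding_type || key_parameters || EKM.
type TokenBindingID struct {
	KeyParams uint8
	X, Y      [32]byte
}
type TokenBinding struct {
	Type uint8
	ID   TokenBindingID
	R, S [32]byte
}

// ekm stands in for the TLS exporter (RFC 5705): real peers call SSL_export_keying_material with
// label "EXPORTER-Token-Binding" and share these 32 bytes; here a constructed per-connection secret is hashed.
func ekm(connSecret string) []byte {
	h := sha256.Sum256([]byte("EXPORTER-Token-Binding:" + connSecret))
	return h[:]
}
func to32(i *big.Int) (out [32]byte) { i.FillBytes(out[:]); return }
func check(err error) { if err != nil { panic(err) } }
func newKey() *ecdsa.PrivateKey { k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); check(err); return k }
// Hash is the key identity a server ties an issued token to.
func (id TokenBindingID) Hash() [32]byte {
	return sha256.Sum256(append(append([]byte{id.KeyParams}, id.X[:]...), id.Y[:]...))
}
// ClientProve signs this connection's EKM with the client's long-lived key.
func ClientProve(priv *ecdsa.PrivateKey, connEKM []byte) (TokenBinding, error) {
	digest := sha256.Sum256(append([]byte{tbProvided, tbECDSAP256}, connEKM...))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		return TokenBinding{}, err
	}
	return TokenBinding{Type: tbProvided, ID: TokenBindingID{KeyParams: tbECDSAP256, X: to32(priv.X), Y: to32(priv.Y)}, R: to32(r), S: to32(s)}, nil
}

// ServerVerify checks the proof against the server's own view of the EKM, so a
// TokenBinding captured on one connection fails on any other.
func ServerVerify(tb TokenBinding, connEKM []byte) error {
	if tb.Type != tbProvided || tb.ID.KeyParams != tbECDSAP256 {
		return errors.New("unsupported token binding type or key parameters")
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(tb.ID.X[:]), Y: new(big.Int).SetBytes(tb.ID.Y[:])}
	digest := sha256.Sum256(append([]byte{tb.Type, tb.ID.KeyParams}, connEKM...))
	r, s := new(big.Int).SetBytes(tb.R[:]), new(big.Int).SetBytes(tb.S[:])
	if !ecdsa.Verify(pub, digest[:], r, s) { // also false for a point not on the curve
		return errors.New("signature does not cover this connection's EKM")
	}
	return nil
}

// CheckBoundToken accepts a token issued to boundTo only with a valid proof on
// this connection made by that same key.
func CheckBoundToken(boundTo [32]byte, tb TokenBinding, connEKM []byte) error {
	if err := ServerVerify(tb, connEKM); err != nil {
		return err
	}
	if tb.ID.Hash() != boundTo {
		return errors.New("token is bound to a different key")
	}
	return nil
}

// Demo: the client logs in on connection 1, gets a token bound to its key and reuses it on
// connection 2; an attacker who exported the token tries connection 3 with the captured proof, then with its own key.
func Demo() (legitOK, replayRejected, foreignKeyRejected bool) {
	clientKey, attackerKey := newKey(), newKey()
	ekm1, ekm2, ekm3 := ekm("constructed conn 1"), ekm("constructed conn 2"), ekm("constructed attacker conn")
	tb1, err := ClientProve(clientKey, ekm1)
	check(err)
	boundTo := tb1.ID.Hash() // the server stores this with the token it issues
	tb2, err := ClientProve(clientKey, ekm2)
	check(err)
	legitOK = CheckBoundToken(boundTo, tb2, ekm2) == nil
	replayRejected = CheckBoundToken(boundTo, tb1, ekm3) != nil // EKM mismatch
	tbA, err := ClientProve(attackerKey, ekm3)
	check(err)
	foreignKeyRejected = CheckBoundToken(boundTo, tbA, ekm3) != nil // key mismatch
	return
}

func main() {
	legit, replay, foreign := Demo()
	fmt.Println("legitimate client accepted:", legit, "| replayed proof rejected:", replay, "| attacker key rejected:", foreign)
}
```

The two rejections in `Demo` are the two things a bearer token cannot give you: the captured proof fails because it covers a different connection's EKM, and a proof from the attacker's own key verifies but does not match the key the token was bound to. With a real TLS stack the only change is that `ekm` is replaced by the exporter call on both ends; the negotiation of whether to do this at all is what the ClientHello/ServerHello extension discussed in this issue carries.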

@waywardgeek

I am in the process of open-sourcing Google's token binding library right now, though I am not sure how long this process takes... It does token binding negotiation with BoringSSL and OpenSSL using the custom extension API, so no code is required directly in OpenSSL (other than a 1-line change I have pending).

Assuming the custom extension API continues to be supported long term, this is how I prefer to implement token binding support. I prefer not adding any additional complexity directly to OpenSSL if we can avoid it.

The library is in C++, links to OpenSSL, and provides everything needed by a higher-level HTTP library to implement token binding in a few lines of code. I added token binding support to a simple HTTP client in < 80 lines of C++ code. I will also write a token binding negotiation test for OpenSSL to verify expected negotiation behavior, particularly when resuming. Anyway... support is coming.

Thanks,
Bill


@davidgtonge (Author)

Thanks Bill - looking forward to seeing the library. Perhaps we can leave this issue open for now and add the link when it's open sourced.

@mattcaswell mattcaswell added this to the Post 1.1.0 milestone Jun 23, 2016
@mattcaswell mattcaswell added the issue: feature request The issue was opened to request a feature label Jun 23, 2016
@kaduk kaduk modified the milestones: Post 1.1.0, Post 1.1.1 Jan 10, 2018
@kaduk (Contributor)

kaduk commented Jan 10, 2018

I guess this became https://github.com/google/token_bind ?
If so, do we still need to keep this issue open in openssl?

@t8m (Member)

t8m commented May 12, 2021

Closing as a third party library implementing this on top of openssl is available.

@t8m t8m closed this as completed May 12, 2021
7 participants