rfc9577v4.txt | rfc9577.txt | |||
---|---|---|---|---|
skipping to change at line 348 ¶ | skipping to change at line 348 ¶ | |||
share redemption contexts. Failure to successfully synchronize this | share redemption contexts. Failure to successfully synchronize this | |||
state and use it for double-spend prevention can allow Clients to | state and use it for double-spend prevention can allow Clients to | |||
redeem tokens to one Origin that were issued after an interaction | redeem tokens to one Origin that were issued after an interaction | |||
with another Origin that shares the context. | with another Origin that shares the context. | |||
2.1.2. Sending Token Challenges | 2.1.2. Sending Token Challenges | |||
When used in an authentication challenge, the "PrivateToken" scheme | When used in an authentication challenge, the "PrivateToken" scheme | |||
uses the following parameters: | uses the following parameters: | |||
* "challenge", which contains a base64url TokenChallenge value, | * challenge, which contains a base64url TokenChallenge value, | |||
encoded per [RFC4648]. This document follows the default padding | encoded per [RFC4648]. This document follows the default padding | |||
behavior described in Section 3.2 of [RFC4648], so the base64url | behavior described in Section 3.2 of [RFC4648], so the base64url | |||
value MUST include padding. As an authentication parameter (auth- | value MUST include padding. As an authentication parameter (auth- | |||
param from [HTTP], Section 11.2), the value can be either a token | param from [HTTP], Section 11.2), the value can be either a token | |||
or a quoted-string and might be required to be a quoted-string if | or a quoted-string and might be required to be a quoted-string if | |||
the base64url string includes "=" characters. This parameter is | the base64url string includes "=" characters. This parameter is | |||
required for all challenges. | required for all challenges. | |||
* "token-key", which contains a base64url encoding of the public key | * token-key, which contains a base64url encoding of the public key | |||
for use with the issuance protocol indicated by the challenge. | for use with the issuance protocol indicated by the challenge. | |||
See [ISSUANCE] for more information about how this public key is | See [ISSUANCE] for more information about how this public key is | |||
used by the issuance protocols described in that specification. | used by the issuance protocols described in that specification. | |||
The encoding of the public key is determined by the token type; | The encoding of the public key is determined by the token type; | |||
see Section 6.2. As with "challenge", the base64url value MUST | see Section 6.2. As with challenge, the base64url value MUST | |||
include padding. As an authentication parameter (auth-param from | include padding. As an authentication parameter (auth-param from | |||
[HTTP], Section 11.2), the value can be either a token or a | [HTTP], Section 11.2), the value can be either a token or a | |||
quoted-string and might be required to be a quoted-string if the | quoted-string and might be required to be a quoted-string if the | |||
base64url string includes "=" characters. This parameter MAY be | base64url string includes "=" characters. This parameter MAY be | |||
omitted in deployments where Clients are able to retrieve the | omitted in deployments where Clients are able to retrieve the | |||
Issuer key using an out-of-band mechanism. | Issuer key using an out-of-band mechanism. | |||
* "max-age", which is an optional parameter that consists of the | * max-age, which is an optional parameter that consists of the | |||
number of seconds for which the challenge will be accepted by the | number of seconds for which the challenge will be accepted by the | |||
Origin. | Origin. | |||
The header field MAY also include the standard realm parameter, if | The header field MAY also include the standard realm parameter, if | |||
desired. Issuance protocols MAY define other parameters, some of | desired. Issuance protocols MAY define other parameters, some of | |||
which might be required. Clients MUST ignore parameters in | which might be required. Clients MUST ignore parameters in | |||
challenges that are not defined for the issuance protocol | challenges that are not defined for the issuance protocol | |||
corresponding to the token type in the challenge. | corresponding to the token type in the challenge. | |||
As an example, the WWW-Authenticate header field could look like | As an example, the WWW-Authenticate header field could look like | |||
skipping to change at line 525 ¶ | skipping to change at line 525 ¶ | |||
The authenticator value in the token structure is computed over the | The authenticator value in the token structure is computed over the | |||
token_type, nonce, challenge_digest, and token_key_id fields. A | token_type, nonce, challenge_digest, and token_key_id fields. A | |||
token is considered valid if token verification succeeds; see | token is considered valid if token verification succeeds; see | |||
Section 2.2.3 for details about verifying the token and its | Section 2.2.3 for details about verifying the token and its | |||
authenticator value. | authenticator value. | |||
2.2.2. Sending Tokens | 2.2.2. Sending Tokens | |||
When used for Client authorization, the "PrivateToken" authentication | When used for Client authorization, the "PrivateToken" authentication | |||
scheme defines one parameter, "token", which contains the base64url- | scheme defines one parameter, token, which contains the base64url- | |||
encoded token structure. As with the challenge parameters | encoded token structure. As with the challenge parameters | |||
(Section 2.1), the base64url value MUST include padding. As an | (Section 2.1), the base64url value MUST include padding. As an | |||
authentication parameter (auth-param from [HTTP], Section 11.2), the | authentication parameter (auth-param from [HTTP], Section 11.2), the | |||
value can be either a token or a quoted-string and might be required | value can be either a token or a quoted-string and might be required | |||
to be a quoted-string if the base64url string includes "=" | to be a quoted-string if the base64url string includes "=" | |||
characters. All unknown or unsupported parameters to "PrivateToken" | characters. All unknown or unsupported parameters to "PrivateToken" | |||
authentication credentials MUST be ignored. | authentication credentials MUST be ignored. | |||
Clients present this token structure to Origins in a new HTTP request | Clients present this token structure to Origins in a new HTTP request | |||
using the Authorization header field as follows: | using the Authorization header field as follows: | |||
skipping to change at line 721 ¶ | skipping to change at line 721 ¶ | |||
for discussion about safety considerations for 0-RTT HTTP data. | for discussion about safety considerations for 0-RTT HTTP data. | |||
5.3. Reflection Attacks | 5.3. Reflection Attacks | |||
The security properties of token challenges vary, depending on | The security properties of token challenges vary, depending on | |||
whether the challenge contains a redemption context or not, as well | whether the challenge contains a redemption context or not, as well | |||
as whether the challenge is a per-Origin challenge or not. For | as whether the challenge is a per-Origin challenge or not. For | |||
example, cross-Origin tokens with empty contexts can be reflected | example, cross-Origin tokens with empty contexts can be reflected | |||
from one party by another, as shown below. | from one party by another, as shown below. | |||
+--------+ +----------+ +--------+ | +--------+ +----------+ +--------+ | |||
| Origin | | Attacker | | Client | | | Origin | | Attacker | | Client | | |||
+---+----+ +----+-----+ +---+----+ | +---+----+ +----+-----+ +---+----+ | |||
| | | | | | | | |||
+-- TokenChallenge -->| | | +--- TokenChallenge -->| | | |||
| +-- (reflect challenge) ->| | | +-- (reflect challenge) -->| | |||
| |<-------- token ---------+ | | |<-------- Token ----------+ | |||
|<-- (reflect token) -+ | | |<-- (reflect token) --+ | | |||
| | | | | | | |||
Figure 2: Reflection Attack Example | Figure 2: Reflection Attack Example | |||
5.4. Token Exhaustion Attacks | 5.4. Token Exhaustion Attacks | |||
When a Client holds cross-Origin tokens with empty contexts, it is | When a Client holds cross-Origin tokens with empty contexts, it is | |||
possible for any Origin in the cross-Origin set to deplete that | possible for any Origin in the cross-Origin set to deplete that | |||
Client's set of tokens. To prevent this from happening, tokens can | Client's set of tokens. To prevent this from happening, tokens can | |||
be scoped to single Origins (with non-empty origin_info) such that | be scoped to single Origins (with non-empty origin_info) such that | |||
they can only be redeemed for a single Origin. Alternatively, if | they can only be redeemed for a single Origin. Alternatively, if | |||
skipping to change at line 772 ¶ | skipping to change at line 772 ¶ | |||
Context-bound token challenges require Clients to obtain matching | Context-bound token challenges require Clients to obtain matching | |||
tokens when challenged, rather than presenting a token that was | tokens when challenged, rather than presenting a token that was | |||
obtained from a different context in the past. This can make it more | obtained from a different context in the past. This can make it more | |||
likely that issuance and redemption events will occur at | likely that issuance and redemption events will occur at | |||
approximately the same time. For example, if a Client is challenged | approximately the same time. For example, if a Client is challenged | |||
for a token with a unique context at time T1 and then subsequently | for a token with a unique context at time T1 and then subsequently | |||
obtains a token at time T2, a colluding Issuer and Origin can link | obtains a token at time T2, a colluding Issuer and Origin can link | |||
this to the same Client if T2 is unique to the Client. This | this to the same Client if T2 is unique to the Client. This | |||
linkability is less feasible as the number of issuance events at time | linkability is less feasible as the number of issuance events at time | |||
T2 increases. Depending on the "max-age" token challenge parameter, | T2 increases. Depending on the max-age token challenge parameter, | |||
Clients MAY try to add delay to the time between being challenged and | Clients MAY try to add delay to the time between being challenged and | |||
redeeming a token to make this sort of linkability more difficult. | redeeming a token to make this sort of linkability more difficult. | |||
For more discussion on correlation risks between token issuance and | For more discussion on correlation risks between token issuance and | |||
redemption, see Section 6.3 of [ARCHITECTURE]. | redemption, see Section 6.3 of [ARCHITECTURE]. | |||
5.6. Cross-Context Linkability Attacks | 5.6. Cross-Context Linkability Attacks | |||
As discussed in Section 2.1, Clients SHOULD discard any context-bound | As discussed in Section 2.1, Clients SHOULD discard any context-bound | |||
tokens upon flushing cookies or changing networks, to prevent an | tokens upon flushing cookies or changing networks, to prevent an | |||
Origin from using the redemption context state as a cookie to | Origin from using the redemption context state as a cookie to | |||
skipping to change at line 812 ¶ | skipping to change at line 812 ¶ | |||
defined for use with the Privacy Pass token authentication scheme. | defined for use with the Privacy Pass token authentication scheme. | |||
These identifiers are 2-byte values, so the maximum possible value is | These identifiers are 2-byte values, so the maximum possible value is | |||
0xFFFF = 65535. | 0xFFFF = 65535. | |||
New registrations need to list the following attributes: | New registrations need to list the following attributes: | |||
Value: The 2-byte identifier for the algorithm. | Value: The 2-byte identifier for the algorithm. | |||
Name: Name of the issuance protocol. | Name: Name of the issuance protocol. | |||
Token Structure: The contents of the token structure; see | Token Structure: The contents of the token structure; see | |||
Section 2.2. | Section 2.2. | |||
Token Key Encoding: The encoding of the "token-key" parameter; see | Token Key Encoding: The encoding of the token-key parameter; see | |||
Section 2.1.2. | Section 2.1.2. | |||
TokenChallenge Structure: The contents of the TokenChallenge | TokenChallenge Structure: The contents of the TokenChallenge | |||
structure; see Section 2.1. | structure; see Section 2.1. | |||
Publicly Verifiable: A Y/N value indicating if the output tokens | Publicly Verifiable: A Y/N value indicating if the output tokens | |||
have the public verifiability property; see Section 3.5 of | have the public verifiability property; see Section 3.5 of | |||
[ARCHITECTURE] for more details about this property. | [ARCHITECTURE] for more details about this property. | |||
Public Metadata: A Y/N value indicating if the output tokens can | Public Metadata: A Y/N value indicating if the output tokens can | |||
contain public metadata; see Section 3.5 of [ARCHITECTURE] for | contain public metadata; see Section 3.5 of [ARCHITECTURE] for | |||
more details about this property. | more details about this property. | |||
Private Metadata: A Y/N value indicating if the output tokens can | Private Metadata: A Y/N value indicating if the output tokens can | |||
End of changes. 8 change blocks. | ||||
16 lines changed or deleted | 16 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |