-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathgss-browserid.txt
2520 lines (1607 loc) · 95.2 KB
/
gss-browserid.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
Network Working Group L. Howard
Internet-Draft PADL
Intended status: Experimental N. Williams
Expires: June 12, 2014 Cryptonector
December 9, 2013
A SASL and GSS-API Mechanism for the BrowserID Authentication Protocol
draft-howard-gss-browserid-07.txt
Abstract
This document defines protocols, procedures and conventions for a
Generic Security Service Application Program Interface (GSS-API)
security mechanism based on the BrowserID authentication mechanism.
Through the GS2 family of mechanisms defined in RFC 5801, these
protocols also define how Simple Authentication and Security Layer
(SASL, RFC 4422) applications may use BrowserID.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 12, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
Howard & Williams Expires June 12, 2014 [Page 1]
Internet-Draft BrowserID SASL & GSS-API December 2013
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Discovery and Negotiation . . . . . . . . . . . . . . . . 5
1.2. Authentication . . . . . . . . . . . . . . . . . . . . . . 5
1.3. Message protection services . . . . . . . . . . . . . . . 6
2. Requirements notation . . . . . . . . . . . . . . . . . . 7
3. Naming . . . . . . . . . . . . . . . . . . . . . . . . . . 8
3.1. GSS name types . . . . . . . . . . . . . . . . . . . . . . 8
3.1.1. GSS_C_NT_BROWSERID_PRINCIPAL . . . . . . . . . . . . . . . 8
3.1.2. GSS_C_NT_USER_NAME . . . . . . . . . . . . . . . . . . . . 8
3.1.3. GSS_C_NT_HOSTBASED_SERVICE . . . . . . . . . . . . . . . . 8
3.1.4. GSS_C_NT_DOMAINBASED_SERVICE . . . . . . . . . . . . . . . 9
3.1.5. GSS_C_NT_ANONYMOUS . . . . . . . . . . . . . . . . . . . . 9
3.2. Name canonicalization . . . . . . . . . . . . . . . . . . 9
3.3. Exported name token format . . . . . . . . . . . . . . . . 9
3.4. Naming extensions . . . . . . . . . . . . . . . . . . . . 9
4. Context tokens . . . . . . . . . . . . . . . . . . . . . . 10
4.1. Base protocol . . . . . . . . . . . . . . . . . . . . . . 10
4.1.1. Initial context token . . . . . . . . . . . . . . . . . . 10
4.1.2. Acceptor context token . . . . . . . . . . . . . . . . . . 11
4.1.3. Initiator context completion . . . . . . . . . . . . . . . 12
4.2. Mutual authentication . . . . . . . . . . . . . . . . . . 12
4.2.1. Initiator mutual authentication context token . . . . . . 13
4.2.2. Acceptor mutual authentication context token . . . . . . . 13
4.2.3. Initiator mutual authentication context completion . . . . 13
4.2.4. Acceptor certificate advertisement . . . . . . . . . . . . 14
4.3. Fast re-authentication . . . . . . . . . . . . . . . . . . 15
4.3.1. Ticket generation . . . . . . . . . . . . . . . . . . . . 15
4.3.2. Initiator re-authentication context token . . . . . . . . 15
4.3.3. Acceptor re-authentication context token . . . . . . . . . 16
4.3.4. Interaction with mutual authentication . . . . . . . . . . 17
4.3.5. Ticket renewal . . . . . . . . . . . . . . . . . . . . . . 17
4.4. Extra round-trip (XRT) option . . . . . . . . . . . . . . 17
4.4.1. Initiator XRT advertisement . . . . . . . . . . . . . . . 17
4.4.2. Acceptor XRT advertisement . . . . . . . . . . . . . . . . 18
4.4.3. Initiator XRT context token . . . . . . . . . . . . . . . 18
4.4.4. Acceptor XRT context token validation . . . . . . . . . . 18
4.4.5. Interaction with message protection services . . . . . . . 18
5. Validation . . . . . . . . . . . . . . . . . . . . . . . . 19
5.1. Expiry times . . . . . . . . . . . . . . . . . . . . . . . 19
5.2. Audience . . . . . . . . . . . . . . . . . . . . . . . . . 19
5.3. Channel bindings . . . . . . . . . . . . . . . . . . . . . 19
5.4. Key agreement . . . . . . . . . . . . . . . . . . . . . . 19
Howard & Williams Expires June 12, 2014 [Page 2]
Internet-Draft BrowserID SASL & GSS-API December 2013
5.5. Signatures . . . . . . . . . . . . . . . . . . . . . . . . 20
5.6. Replay detection . . . . . . . . . . . . . . . . . . . . . 20
5.7. Return flags . . . . . . . . . . . . . . . . . . . . . . . 20
6. Assertion claims . . . . . . . . . . . . . . . . . . . . . 21
6.1. Request (initiator/UA) assertion . . . . . . . . . . . . . 21
6.1.1. "aud" (Audience) . . . . . . . . . . . . . . . . . . . . . 21
6.1.2. "exp" (Expiry time) . . . . . . . . . . . . . . . . . . . 22
6.1.3. "iat" (Issued at time) . . . . . . . . . . . . . . . . . . 22
6.1.4. "nbf" (Not before time) . . . . . . . . . . . . . . . . . 22
6.1.5. "epk" (Ephemeral Public Key) . . . . . . . . . . . . . . . 22
6.1.6. "cb" (Channel binding) . . . . . . . . . . . . . . . . . . 22
6.1.7. "nonce" (Mutual authentication nonce) . . . . . . . . . . 22
6.1.8. "tkt" (Ticket) . . . . . . . . . . . . . . . . . . . . . . 23
6.1.9. "opts" (Options) . . . . . . . . . . . . . . . . . . . . . 23
6.2. Response (acceptor/RP) assertion . . . . . . . . . . . . . 23
6.2.1. "iat" (Issued at time) . . . . . . . . . . . . . . . . . . 24
6.2.2. "epk" (Ephemeral Public Key) . . . . . . . . . . . . . . . 24
6.2.3. "exp" (Expiry time) . . . . . . . . . . . . . . . . . . . 24
6.2.4. "nonce" (Mutual authentication nonce) . . . . . . . . . . 25
6.2.5. "tkt" (Ticket) . . . . . . . . . . . . . . . . . . . . . . 25
6.2.6. "jti" (JWT ID) . . . . . . . . . . . . . . . . . . . . . . 25
6.3. Error (acceptor/RP) assertion . . . . . . . . . . . . . . 25
6.3.1. "gss-maj" (GSS major status code) . . . . . . . . . . . . 25
6.3.2. "gss-min" (GSS minor status code) . . . . . . . . . . . . 25
6.4. XRT assertion . . . . . . . . . . . . . . . . . . . . . . 28
7. Key derivation . . . . . . . . . . . . . . . . . . . . . . 29
7.1. Diffie-Hellman Key (DHK) . . . . . . . . . . . . . . . . . 29
7.2. Context Master Key (CMK) . . . . . . . . . . . . . . . . . 29
7.3. RP Response Key (RRK) . . . . . . . . . . . . . . . . . . 29
7.4. Context Root Key (CRK) . . . . . . . . . . . . . . . . . . 29
7.5. Authenticator Root Key (ARK) . . . . . . . . . . . . . . . 30
7.6. Authenticator Session Key (ASK) . . . . . . . . . . . . . 30
7.6.1. Extra Round Trip Key (XRTK) . . . . . . . . . . . . . . . 30
7.7. GSS Pseudo-Random Function (PRF) . . . . . . . . . . . . . 30
8. Example . . . . . . . . . . . . . . . . . . . . . . . . . 31
9. Security Considerations . . . . . . . . . . . . . . . . . 39
9.1. Host certificates for mutual authentication . . . . . . . 39
9.2. Error statuses . . . . . . . . . . . . . . . . . . . . . . 39
10. IANA Considerations . . . . . . . . . . . . . . . . . . . 40
10.1. OID Registry . . . . . . . . . . . . . . . . . . . . . . . 40
10.2. SASL Registry . . . . . . . . . . . . . . . . . . . . . . 41
11. References . . . . . . . . . . . . . . . . . . . . . . . . 42
11.1. Normative References . . . . . . . . . . . . . . . . . . . 42
11.2. Informative References . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . 45
Howard & Williams Expires June 12, 2014 [Page 3]
Internet-Draft BrowserID SASL & GSS-API December 2013
1. Introduction
[BrowserID] is a web-based three-party security protocol by which
user agents can present to a Relying Party (RP) a signed assertion of
e-mail address ownership. BrowserID was intended to be used for web
authentication. We find BrowserID to be useful in general, therefore
we define herein how to use it in many more applications.
The Simple Authentication and Security Layer (SASL) [RFC4422] is a
framework for providing authentication and message protection
services via pluggable mechanisms. Protocols that support it include
IMAP, SMTP, and XMPP.
The Generic Security Service Application Program Interface (GSS-API)
[RFC2743] provides a framework for authentication and message
protection services through a common programming interface. This
document conforms to the SASL and GSS-API bridge specified in
[RFC5801], so it defines both a SASL and GSS-API mechanism.
The BrowserID mechanism described in this document reuses the
existing web-based BrowserID protocol, but profiles it for use in
applications that support SASL or GSS-API, adding features such as
key agreement, mutual authentication, and fast re-authentication.
The following diagram illustrates the interactions between the three
parties in the GSS BrowserID protocol. Note that the terms client,
initiator and user agent (UA) are used interchangeably in this
document, as are server, acceptor and relying party (RP).
Howard & Williams Expires June 12, 2014 [Page 4]
Internet-Draft BrowserID SASL & GSS-API December 2013
+------------+
| BrowserID |
| identity |
| provider |
+------------+
// \\
// \\
// \\
// \\
make signed // \\ fetch IdP public
certificate // \\ key over HTTPS
for user's // \\ (RP may cache)
public key // \\
// \\
// \\
// \\
|/ \|
+-------------+ +-------------+
| SASL or GSS | GSS BrowserID | SASL or GSS |
| client/UA |<------------------->| server/RP |
| (initiator) | | (acceptor) |
+-------------+ +-------------+
Figure 1: Interworking Architecture
1.1. Discovery and Negotiation
The means of discovering GSS-API peers and their supported mechanisms
is out of this specification's scope. They may use SASL [RFC4422] or
the Simple and Protected Negotiation mechanism (SPNEGO) [RFC4178].
Discovery of a BrowserID identity provider (IdP) for a user is
described in the BrowserID specification. A domain publishes a
document containing their public key and URIs for authenticating and
provisioning users, or pointer to an authority containing such a
document.
1.2. Authentication
The GSS-API protocol involves a client, known as the initiator,
sending an initial security context token of a chosen GSS-API
security mechanism to a peer, known as the acceptor. The two peers
subsequently exchange, synchronously, as many security context tokens
as necessary to complete the authentication or fail. The specific
number of context tokens exchanged varies by security mechanism: in
the case of the BrowserID mechanism, it is typically two (i.e. a
single round trip), however it can be more in some cases. Once
Howard & Williams Expires June 12, 2014 [Page 5]
Internet-Draft BrowserID SASL & GSS-API December 2013
authentication is complete, the initiator and acceptor share a
security context which identifies the peers and can optionally be
used for integrity or confidentiality protecting subsequent
application messages.
The original BrowserID protocol, as defined outside this document,
specifies a bearer token authentication protocol for web
applications. The user agent generates a short-term key pair, the
public key of which is signed by the user's IdP. (The user must have
already authenticated to the IdP; how this is done is not specified
by BrowserID, but forms-based authentication is common.) The IdP
returns a certificate for the user which may be cached by the user's
browser. When authenticating to a Relying Party (RP), the browser
generates an identity assertion containing the RP domain and an
expiration time. The user agent signs this and presents both the
assertion and certificate to the RP. (The combination of an
assertion and zero or more certificates is termed a "backed
assertion".) The RP fetches the public key for the IdP, validates
the user's certificate (and those of any intermediate certifying
parties) and then verifies the assertion.
The GSS BrowserID protocol extends this by having the RP always send
back a response to the user agent, which at a minimum provides key
confirmation (this is needed for some key agreement methods) and
indicates the lifetime of the established security context. The key
confirmation token is also required for mutual authentication, when
the initiator application requests that feature.
1.3. Message protection services
GSS-API provides a number of a message protection services:
GSS_Wrap() integrity and optional confidentiality for a message
GSS_GetMIC() integrity for a message sent separately
GSS_Pseudo_random() shared key derivation (e.g., for keying external
confidentiality+integrity layers)
These services may be used with security contexts that have a shared
session key, to protect application-layer messages.
Howard & Williams Expires June 12, 2014 [Page 6]
Internet-Draft BrowserID SASL & GSS-API December 2013
2. Requirements notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
The reader is assumed to be familiar with the terms used in the
BrowserID specification.
Howard & Williams Expires June 12, 2014 [Page 7]
Internet-Draft BrowserID SASL & GSS-API December 2013
3. Naming
The GSS-API provides a rich security principal naming model. At its
most basic the query forms of names consist of a user-entered/
displayable string and a "name-type". Name-types are constants with
names prefixed with "GSS_C_NT_" in the GSS-API. Names may also have
attributes [RFC6680].
3.1. GSS name types
3.1.1. GSS_C_NT_BROWSERID_PRINCIPAL
This name may contain an e-mail address, or a service principal name
identifying an acceptor. The encoding of service principal names is
intended to be somewhat compatible with the Kerberos [RFC4120]
security protocol (without the realm name).
The following ABNF defines the 'name' rule that names of this type
must match.
[[anchor1: Should we reference RFC2822 here? The Mozilla BrowserID
docs sure don't.]]
char-normal = %x00-2E/%x30-3F/%x41-5B/%x5D-FF
char-escaped = "\" %x2F / "\" %x40 / "\" %x5C
name-char = char-normal / char-escaped
name-string = 1*name-char
user = name-string
domain = name-string
email = user "@" domain
service-name = name-string
service-host = name-string
service-specific = name-string
service-specifics = service-specific 0*("/" service-specifics)
spn = service-name ["/" service-host [ "/" service-specifics]]
name = email / spn
3.1.2. GSS_C_NT_USER_NAME
This name is implicitly converted to a GSS_C_NT_BROWSERID_PRINCIPAL.
A default domain may be appended when importing names of this type.
3.1.3. GSS_C_NT_HOSTBASED_SERVICE
This name is transformed by replacing the "@" symbol with a "/", and
then implicitly converted to a GSS_C_NT_BROWSERID_PRINCIPAL.
Howard & Williams Expires June 12, 2014 [Page 8]
Internet-Draft BrowserID SASL & GSS-API December 2013
3.1.4. GSS_C_NT_DOMAINBASED_SERVICE
[RFC5178] domain-based service names are transformed into a
GSS_C_NT_BROWSERID_PRINCIPAL as follows:
o the <service> name becomes the first component of the BrowserID
principal name (service-name in ABNF)
o the <hostname> becomes the second component (service-host)
o the <domain> name becomes the third component (service-specific)
3.1.5. GSS_C_NT_ANONYMOUS
If the initiator principal's leaf certificate does not contain a
"principal" claim, then the initiator name has this name type.
3.2. Name canonicalization
The BrowserID GSS-API mechanism performs no name canonicalization.
The mechanism's GSS_Canonicalize_name() returns an MN whose display
form is the same as the query form. Of course, the principal named
obtained from a CREDENTIAL HANDLE may be canonical in that the IdP
might only issue credentials for canonical names, but credential
acquisition is out of scope here.
3.3. Exported name token format
The exported name token format for the BrowserID GSS-API mechanism is
the same as the query form, plus the standard exported name token
format header mandated by the GSS-API [RFC2743].
[[anchor2: Do we wish to say anything about the exported composite
name token format? It should be an encoding of the initiator's leaf
certificate.]]
3.4. Naming extensions
The acceptor MAY surface attributes from the assertion and any
certificates using GSS_Get_name_attribute() (see [RFC6680]). The URN
prefix is "urn:<TBD>:params:gss:jwt". If a SAML assertion is present
in the "saml" parameter of the leaf certificate, it may be surfaced
using the URN prefix "urn:<TBD>:params:gss:federated-saml-attribute".
Attributes from the assertion MUST be marked as unauthenticated
unless otherwise validated by the acceptor (e.g. the audience).
Attributes from certificates SHOULD be marked as authenticated.
Howard & Williams Expires June 12, 2014 [Page 9]
Internet-Draft BrowserID SASL & GSS-API December 2013
4. Context tokens
All context tokens include a two-byte token identifier followed by a
backed BrowserID assertion. This document defines the following
token IDs:
+---------+----------+-------+--------------------------+
| Section | Token ID | ASCII | Description |
+---------+----------+-------+--------------------------+
| 4.1.1 | 0x632C | c, | Initiator context token |
| | | | |
| 4.1.2 | 0x432C | C, | Acceptor context token |
| | | | |
| | 0x442C | D, | Context deletion token |
| | | | |
| 4.2.4 | 0x6D2C | m, | Initiator metadata token |
| | | | |
| 4.2.4 | 0x4D2C | M, | Acceptor metadata token |
+---------+----------+-------+--------------------------+
The token ID has a human-readable ASCII encoding for the benefit of
pure SASL implementations of this mechanism.
4.1. Base protocol
4.1.1. Initial context token
The initial context token is framed per Section 1 of [RFC2743]:
GSS-API DEFINITIONS ::=
BEGIN
MechType ::= OBJECT IDENTIFIER
-- representing BrowserID mechanism
GSSAPI-Token ::=
[APPLICATION 0] IMPLICIT SEQUENCE {
thisMech MechType,
innerToken ANY DEFINED BY thisMech
-- token ID and backed assertion
}
END
Unlike many other GSS-API mechanisms such as Kerberos, this token
framing is not used by subsequent context or by [I-D.zhu-negoex]
metadata tokens. As such, pure SASL implementations of this
mechanism do not need to deal with DER encoding the mechanism object
identifier.
Howard & Williams Expires June 12, 2014 [Page 10]
Internet-Draft BrowserID SASL & GSS-API December 2013
GSS BrowserID is a family of mechanisms, where the last element in
the OID arc indicates the [RFC4121] encryption type supported for
message protection services. The OID prefix is
1.3.6.1.4.1.5322.24.1. The NULL encryption type is valid, in which
case services that require a key are not available.
The innerToken consists of the initiator context token ID
concatenated with a backed assertion for the audience corresponding
to the target name passed into GSS_Init_sec_context(). In addition,
the assertion MAY contain the additional claims, which are described
later in this document:
o ECDH key agreement parameters (see Section 6.1.5)
o Channel binding information (see Section 6.1.6)
o A nonce for binding the request to a response signed with a
private key for mutual authentication (see Section 6.1.7)
o A ticket identifier for fast re-authentication using an
established session key rather than a BrowserID certificate (see
Section 6.1.8)
The call to GSS_Init_sec_context() returns GSS_C_CONTINUE_NEEDED to
indicate that a subsequent context token from the acceptor is
expected.
4.1.2. Acceptor context token
Upon receiving a context token from the initiator, the acceptor
validates that the token is well formed and contains a valid
BrowserID mechanism OID and the initiator context token ID.
The acceptor then verifies the backed identity assertion per the
BrowserID specification. This includes validating the expiry times,
audience, certificate chain, and assertion signature. The acceptor
then verifies the channel binding token, if present, and any other
GSS-specific claims in the assertion. In case of failure, a response
assertion containing GSS major and minor status codes SHOULD be
returned.
If the [RFC3961] encryption type for the selected mechanism is not
ENCTYPE_NULL, the acceptor generates a ECDH public key using the
parameters received from the client (see Section 6.2.2), and from it
derives the RP Response Key (RRK) (see Section 7.3). The acceptor
then generates a response assertion containing its ECDH public key
and context expiration time (note that the context expiration time is
a purely informational quantity). The response assertion will be:
Howard & Williams Expires June 12, 2014 [Page 11]
Internet-Draft BrowserID SASL & GSS-API December 2013
o signed in the acceptor's private key, if mutual authentication was
requested, and the acceptor has a key (see Section 4.2);
o signed in the RRK, if the encryption type for the selected
mechanism is not ENCTYPE_NULL;
o not signed in all other cases.
The response assertion is encoded as a backed assertion, prefixed
with the acceptor context token ID. It SHALL have a certificate
count of zero.
Finally, the Context Root Key (CRK) (see Section 7.4) is derived from
the ECDH shared secret (if present) and GSS_S_COMPLETE is returned,
along with the initiator name from the verified assertion. If the
CRK is available, the replay_det_state (GSS_C_REPLAY_FLAG),
sequence_state (GSS_C_SEQUENCE_FLAG), conf_avail (GSS_C_CONF_FLAG)
and integ_avail (GSS_C_INTEG_FLAG) security context flags are set to
TRUE.
Other assertion/certificate claims MAY be made available via
GSS_Get_name_attribute().
4.1.3. Initiator context completion
Upon receiving the acceptor context token, the initiator unpacks the
response assertion and, if applicable, computes the ECDH shared
secret and RRK. The RRK is used to verify the response assertion
unless mutual authentication is available, in which case the
acceptor's public key will be used.
The initiator sets the context expiry time with that received in the
response assertion, if present; otherwise, the context expires when
the initiator principal's certificate expires.
The CRK is derived from the ECDH shared secret and GSS_S_COMPLETE is
returned to indicate the initiator is authenticated and the context
is ready for use. No output token is emitted. Security context
flags are set as for the acceptor context.
4.2. Mutual authentication
Mutual authentication allows the acceptor to be authenticated to the
initiator. The mechanism SHALL set the mutual_state security context
flag (GSS_C_MUTUAL_FLAG) to TRUE if mutual authentication succeeded.
Support for mutual authentication is OPTIONAL.
The base protocol is extended as follows to support this:
Howard & Williams Expires June 12, 2014 [Page 12]
Internet-Draft BrowserID SASL & GSS-API December 2013
4.2.1. Initiator mutual authentication context token
If the initiator requested the mutual_state flag, it sends in its
request assertion an "opts" claim (see Section 6.1.9) containing the
"ma" value. It also includes a nonce (see Section 6.1.7) in order to
bind the initiator and acceptor assertions.
4.2.2. Acceptor mutual authentication context token
If the acceptor has a private key and certificate available and the
initiator indicated it desired mutual authentication by including the
"ma" protocol option, the acceptor signs the response using a private
key rather than the RP Response Key (RRK). The response includes the
nonce from the initiator's assertion. The acceptor MUST reject
requests for mutual authentication lacking a nonce.
While the response is a backed assertion, in order to take advantage
of existing keying infrastructures BrowserID certificates MUST NOT be
included in the backed assertion. Rather, an X.509 certificate SHALL
be included as a value for the "x5c" header parameter in the
assertion (see [I-D.ietf-jose-json-web-signature] 4.1.6). The
certificate MUST be valid for signing.
[[anchor3: We don't want to burden the initiator with having to
implement both methods of authenticating acceptors, and given that
initiators and acceptors both will generally need a PKIX
implementation, and given that acceptors will need a PKIX credential
for TLS, and that there is as yet no standard protocol for automatic
provisioning of BrowserID credentials for servers, using PKIX to
authenticate the server seems to be the easiest way to go.]]
4.2.3. Initiator mutual authentication context completion
The initiator verifies the assertion signature and that the nonce
matches, and validates the certificate chain according to [RFC5280].
Initiators MUST authenticate the service name using the matching
rules below:
o A service-name EKU from the registry defined by [I-D.zhu-pku2u];
id-kpServerAuth maps to the "http" service
o A spn expressed as a KRB5PrincipalName in the id-pkinit-san
otherName SAN (see [RFC4556] Section 3.2.2; the realm is ignored)
o A service-name expressed as a SRVName SAN (see [RFC4985])
Howard & Williams Expires June 12, 2014 [Page 13]
Internet-Draft BrowserID SASL & GSS-API December 2013
o Optionally, an out-of-band binding to the certificate
If there are no EKUs, or a single EKU containing id-kp-
anyExtendedKeyUsage, and no SAN containing the service name is
present, then all service names match. If a SAN containing the
service name is present, then any EKUs are ignored.
If the the host component of the service name (service-host) is not
expressed in a SAN as specified above, it MUST be present as a value
for the dNSName SAN or as the least significant Common Name RDN.
Note only the id-pkinit-san or SRVName SANs provide the ability to
authenticate the a service name containing a service-specific
component.
4.2.4. Acceptor certificate advertisement
[I-D.zhu-negoex] may be used to advertise acceptor certificates.
If the acceptor supports mutual authentication, it MAY include its
certificate and any additional certificates inside a backed assertion
with an empty payload as output for GSS_Query_meta_data(). The
"assertion" is prefixed with the two byte token identifier "M,".
Upon receiving this, the initiator MAY validate the certificate or
fingerprint, or present either to the initiator before committing to
authenticate.
The NegoEx signing key is the output of GSS_Pseudo_random() (see
Section 7.7) with an input of GSS_C_PRF_KEY_FULL and "gss-browserid-
negoex-initiator" or "gss-browserid-negoex-acceptor" (without
quotes), depending on the party generating the signature.
The NegoEx authentication scheme is the binary encoding of the
following hexadecimal string:
535538008647F5BC624BD8076949F0
where the third byte (zero above) is set to the [RFC3961] encryption
type for the selected mechanism. The authentication scheme for
encryption types greater than 255 is not specified here.
There is currently no initiator-sent metadata defined and acceptors
should ignore any sent. The metadata is advisory and the initiator
is free to ignore it.
[[anchor4: Delete this section as NegoEx will likely not be
progressed.]]
Howard & Williams Expires June 12, 2014 [Page 14]
Internet-Draft BrowserID SASL & GSS-API December 2013
4.3. Fast re-authentication
Fast re-authentication allows a security context to be established
using a secret key derived from the initial certificate-signed ECDH
key agreement.
The re-authentication assertion is signed with a HMAC using the
Authenticator Root Key (ARK) (see Section 7.5), rather than a
initiator principal's BrowserID certificate.
Support for fast re-authentication is OPTIONAL and is indicated by
the acceptor returning a ticket in the response assertion.
4.3.1. Ticket generation
If the acceptor supports re-authentication, the following steps are
added to Section 4.1.2:
1. A unique, opaque ticket identifier is generated.
2. The acceptor creates a JSON object containing the ticket
identifier and expiry time and returns it in the response to the
initiator (see Section 6.2.5).
The acceptor must be able to use the ticket identifier to securely
retrieve the subject, issuer, audience, expiry time, ARK and any
other relevant properties of the original security context. One
implementation choice may be to use the ticket identifier as a key
into a dictionary containing this information. Another would be to
encrypt this information in a long-term secret only known to the
acceptor and encode the resulting cipher-text in the opaque ticket
identifier.
The ticket expiry time by default SHOULD match the initiator's
certificate expiry, however it MAY be configurable so the ticket
expires before or after the certificate.
The initiator MAY cache tickets, along with the ARK, received from
the acceptor in order to re-authenticate to it at a future time.
4.3.2. Initiator re-authentication context token
The initiator looks in its ticket cache for an unexpired ticket for
the desired acceptor. If none is found, the normal certificate-based
authentication flow is performed, otherwise:
Howard & Williams Expires June 12, 2014 [Page 15]
Internet-Draft BrowserID SASL & GSS-API December 2013
1. The initiator generates a re-authentication assertion containing:
the name of the acceptor (see Section 6.1.1), an expiry time (see
Section 6.1.2) and/or the current time (see Section 6.1.3),
optional channel binding information (see Section 6.1.6), a
random nonce (see Section 6.1.7), and the ticket identifier (see
Section 6.1.8).
2. The initiator signs the re-authentication assertion with the ARK,
using the hash algorithm associated with the original context key
(see Section 10.1; HS256 is specified for the encryption types
referenced in this document).
3. The re-authentication assertion is packed into a backed
assertion. The certificate count is zero as the assertion is
signed with an established symmetric key.
4. The initiator generates an Authenticator Session Key (ASK) (see
Section 7.6) which is used to verify the response and derive the
CRK.
[[anchor5: Question: do we want an option to do an ECDH session key
exchange in the fast re-auth case? If we had a GSS req_flag for
requesting perfect forward security (PFS) then we would want to have
this option.]]
4.3.3. Acceptor re-authentication context token
1. The acceptor unpacks the re-authentication assertion and
retrieves the ARK, ticket expiry time, mutual authentication
state and any other properties (such as the initiator name)
associated with the ticket identifier.
2. The acceptor validates that the ticket and re-authentication
assertion have not expired.
3. The acceptor verifies the assertion using the ARK.
4. The acceptor generates the ASK (see Section 7.6) and derives the
RRK and CRK from this (see Section 7.3 and Section 7.4,
respectively).
5. The acceptor generates a response and signs and returns it. Note
that, unlike the certificate-based mutual authentication case,
the nonce need not be echoed back as the ASK (and thus the RRK)
is cryptographically bound to the nonce.
If the ticket cannot be found, or the authentication fails, the
acceptor SHOULD return a REAUTH_FAILED error, permitting the
Howard & Williams Expires June 12, 2014 [Page 16]
Internet-Draft BrowserID SASL & GSS-API December 2013
initiator to recover and fallback to generating a BrowserID
assertion. It MAY also include its local timestamp (see
Section 6.2.1) so that the initiator can perform clock skew
compensation.
4.3.4. Interaction with mutual authentication
The mutual authentication state of a re-authenticated context is
transitive. The initiator and acceptor MUST NOT set the mutual_state
flag for a re-authenticated context unless the original context was
mutually authenticated.
As such, the mutual authentication state of the original context must
be associated with the ticket.
4.3.5. Ticket renewal
Normally, re-authentication tickets are only issued when the
initiator authenticated with a certificate-signed assertion.
Acceptors MAY issue a new ticket with an expiry beyond the ticket
lifetime when the initiator used a re-authentication assertion. The
issuing of new tickets MUST be subject to a policy that prevents them
from being renewed indefinitely.
4.4. Extra round-trip (XRT) option
The extra round-trip (XRT) option adds an additional round trip to
the context token exchange. It allows the initiator to prove
knowledge of the Context Master Key (CMK) (see Section 7.2) by
sending an additional token signed in a key derived from the CMK and
an acceptor-issued challenge. Support for the XRT option is OPTIONAL
in the acceptor and REQUIRED in the initiator. The initiator is
allowed to not request it, but MUST perform XRT if the acceptor
requires it.
(Note that the term "extra round trip" is something of a misnomer; it
only adds an additional token to the context token exchange. It is
anticipated however that this mechanism will most commonly be used
with pseudo-mechanisms or application protocols that require an even
number of tokens.)
4.4.1. Initiator XRT advertisement
The initiator may advertise to the acceptor that it desires the XRT
option by sending in its request assertion an "opts" claim (see
Section 6.1.9) containing the "xrt" value. This option MUST be set
if the caller requested GSS_C_DCE_STYLE (see [RFC4757]). Otherwise,
the setting of this option is implementation dependent.
Howard & Williams Expires June 12, 2014 [Page 17]
Internet-Draft BrowserID SASL & GSS-API December 2013
4.4.2. Acceptor XRT advertisement
If the initiator requested the XRT option and the acceptor supports
it, or the acceptor requires it, the acceptor sends a "jti" claim
(see Section 6.2.6) in the response assertion containing a random
base 64 URL encoded value. This value MUST be at least 64 bits in
length. The acceptor then returns GSS_C_CONTINUE_NEEDED to indicate
that an additional context token is expected from the initiator.
4.4.3. Initiator XRT context token
If the acceptor indicated support for the XRT option by including a
"jti" claim in its response, then the initiator sends an additional
context token to the acceptor. This token contains the initiator
context token ID concatenated with a backed assertion with zero
certificates and an empty payload, signed using the XRTK (see
Section 7.6.1).
4.4.4. Acceptor XRT context token validation
The acceptor MUST validate the XRT context token by first validating
the context token ID, and then verifying the assertion signature with
the XRTK. The acceptor SHOULD reject XRT context tokens with a
certificate count greater than zero. Unknown claims in the assertion
payload MUST be ignored. The acceptor then returns GSS_C_COMPLETE to
the caller.
The acceptor MAY avoid using a replay cache when this option is in
effect.
4.4.5. Interaction with message protection services
When the XRT option is in effect, the XRTK is used instead of the CMK
to derive the Context Root Key (CRK) (see Section 7.4). Per-message
tokens MUST have the AcceptorSubkey flag set (see [RFC4121] Section
4.2.2).