]> Google LLC

1600 Amphitheatre Parkway Mountain View CA 94043 United States of America dschinazi.ietf@gmail.com

Guardian Project

david@guardianproject.info https://guardianproject.info

Applications and Real-Time HTTPBIS secure tunnels masque http-ng Existing HTTP authentication mechanisms are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic schemes (such as signatures or message authentication codes) require a fresh nonce to be signed, and there is no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the HTTP Working Group mailing list (), which is archived at . Source for this draft and an issue tracker can be found at .

Introduction Existing HTTP authentication mechanisms are probeable in the sense that it is possible for an unauthenticated client to probe whether an origin serves resources that require authentication. It is possible for an origin to hide the fact that it requires authentication by not generating Unauthorized status codes, however that only works with non-cryptographic authentication schemes: cryptographic schemes (such as signatures or message authentication codes) require a fresh nonce to be signed, and there is no existing way for the origin to share such a nonce without exposing the fact that it serves resources that require authentication. This document proposes a new non-probeable cryptographic authentication scheme. There are scenarios where servers may want to expose the fact that authentication is required for access to specific resources. This is left for future work.

Conventions and Definitions The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. This document uses the Augmented BNF defined in and updated by along with the "#rule" extension defined in . The rules below are defined in and . quoted-string = token = token68 = oid = ]]>

Computing the Authentication Proof This document only defines Transport Authentication for uses of HTTP with TLS. This includes any use of HTTP over TLS as typically used for HTTP/2, or HTTP/3 where the transport protocol uses TLS as its authentication and key exchange mechanism . The user agent leverages a TLS keying material exporter to generate a nonce which can be signed using the user-id's key. The keying material exporter uses a label that starts with the characters "EXPORTER-HTTP-Transport-Authentication-" (see for the labels and contexts used by each scheme). The TLS keying material exporter is used to generate a 32-byte key which is then used as a nonce.

Header Field Definition The "Transport-Authentication" header allows a user agent to authenticate with an origin server. The authentication is scoped to the HTTP request associated with this header.

The u Directive The OPTIONAL "u" (user-id) directive specifies the user-id that the user agent wishes to authenticate. It is encoded using Base64 ().

The p Directive The OPTIONAL "p" (proof) directive specifies the proof that the user agent provides to attest to possessing the credential that matches its user-id. It is encoded using Base64 ().

The a Directive The OPTIONAL "a" (algorithm) directive specifies the algorithm used to compute the proof transmitted in the "p" directive.

Transport Authentication Schemes The Transport Authentication Framework allows defining Transport Authentication Schemes, which specify how to authenticate user-ids. This documents defined the "Signature" and "HMAC" schemes.

Signature The "Signature" Transport Authentication Scheme uses asymmetric cyptography. User agents possess a user-id and a public/private key pair, and origin servers maintain a mapping of authorized user-ids to their associated public keys. When using this scheme, the "u", "p", and "a" directives are REQUIRED. The TLS keying material export label for this scheme is "EXPORTER-HTTP-Transport-Authentication-Signature" and the associated context is empty. The nonce is then signed using the selected asymmetric signature algorithm and transmitted as the proof directive. For example, the user-id "john.doe" authenticating using Ed25519 could produce the following header (lines are folded to fit):

HMAC The "HMAC" Transport Authentication Scheme uses symmetric cyptography. User agents possess a user-id and a secret key, and origin servers maintain a mapping of authorized user-ids to their associated secret key. When using this scheme, the "u", "p", and "a" directives are REQUIRED. The TLS keying material export label for this scheme is "EXPORTER-HTTP-Transport-Authentication-HMAC" and the associated context is empty. The nonce is then HMACed using the selected HMAC algorithm and transmitted as the proof directive. For example, the user-id "john.doe" authenticating using HMAC-SHA-512 could produce the following header (lines are folded to fit):

Intermediary Considerations Since Transport Authentication authenticates the underlying transport by leveraging TLS keying material exporters, it cannot be transparently forwarded by HTTP intermediaries. HTTP intermediaries that support this specification will validate the authentication received from the client themselves, then inform the upstream HTTP server of the presence of valid authentication using some other mechanism.

Security Considerations Transport Authentication allows a user-agent to authenticate to an origin server while guaranteeing freshness and without the need for the server to transmit a nonce to the user agent. This allows the server to accept authenticated clients without revealing that it supports or expects authentication for some resources. It also allows authentication without the user agent leaking the presence of authentication to observers due to clear-text TLS Client Hello extensions.

IANA Considerations

Transport-Authentication Header Field This document will request IANA to register the following entry in the "HTTP Field Name" registry maintained at <>:

Field Name:

Transport-Authentication

Template:

None

Status:

provisional (permanent if this document is approved)

Reference:

This document

Comments:

None

Transport Authentication Schemes Registry This document, if approved, requests IANA to create a new "HTTP Transport Authentication Schemes" Registry. This new registry contains strings and is covered by the First Come First Served policy from . Each entry contains an optional "Reference" field. It initially contains the following entries:

• Signature
• HMAC

The reference for both is this document.

TLS Keying Material Exporter Labels This document, if approved, requests IANA to register the following entries in the "TLS Exporter Labels" registry maintained at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels

• EXPORTER-HTTP-Transport-Authentication-Signature
• EXPORTER-HTTP-Transport-Authentication-HMAC

Both of these entries are listed with the following qualifiers:

DTLS-OK:

N

Recommended:

Y

Reference:

This document

References Normative References The Hypertext Transfer Protocol (HTTP) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. This document describes the overall architecture of HTTP, establishes common terminology, and defines aspects of the protocol that are shared by all versions. In this definition are core protocol elements, extensibility mechanisms, and the "http" and "https" Uniform Resource Identifier (URI) schemes. This document updates RFC 3864 and obsoletes RFCs 2818, 7231, 7232, 7233, 7235, 7538, 7615, 7694, and portions of 7230. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Internet technical specifications often need to define a formal syntax. Over the years, a modified version of Backus-Naur Form (BNF), called Augmented BNF (ABNF), has been popular among many Internet specifications. The current specification documents ABNF. It balances compactness and simplicity with reasonable representational power. The differences between standard BNF and ABNF involve naming rules, repetition, alternatives, order-independence, and value ranges. This specification also supplies additional rule definitions and encoding for a core lexical analyzer of the type common to several Internet specifications. [STANDARDS-TRACK] This document extends the base definition of ABNF (Augmented Backus-Naur Form) to include a way to specify US-ASCII string literals that are matched in a case-sensitive manner. This document describes a Uniform Resource Name (URN) namespace that contains Object Identifiers (OIDs). This memo provides information for the Internet community. A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK] This document describes the commonly used base 64, base 32, and base 16 encoding schemes. It also discusses the use of line-feeds in encoded data, use of padding in encoded data, use of non-alphabet characters in encoded data, use of different encoding alphabets, and canonical encodings. [STANDARDS-TRACK] Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA). To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry. This is the third edition of this document; it obsoletes RFC 5226. Informative References This document describes how Transport Layer Security (TLS) is used to secure QUIC. This document specifies algorithm identifiers and ASN.1 encoding formats for elliptic curve constructs using the curve25519 and curve448 curves. The signature algorithms covered are Ed25519 and Ed448. The key agreement algorithms covered are X25519 and X448. The encoding for public key, private key, and Edwards-curve Digital Signature Algorithm (EdDSA) structures is provided. Federal Information Processing Standard, FIPS

Acknowledgments The authors would like to thank many members of the IETF community, as this document is the fruit of many hallway conversations. Using the OID for the signature and HMAC algorithms was inspired by Signature Authentication in IKEv2.