Token Binding Protocol

Token Binding is a proposed standard for a Transport Layer Security (TLS) extension that aims to increase TLS security by using cryptographic certificates on both ends of the TLS connection. Current practice often depends on bearer tokens, which may be lost or stolen. Bearer tokens are also vulnerable to man-in-the-middle attacks or replay attacks. In contrast, bound tokens are established by a user agent that generates a private-public key pair per target server, provides the public key to the server, and thereafter proves possession of the corresponding private key on every TLS connection to the server. Token Binding is an evolution of the Transport Layer Security Channel ID (previously known as Transport Layer Security – Origin Bound Certificates (TLS-OBC)) extension. Industry participation is widespread, with standards contributors including Microsoft, Google, PayPal, Ping Identity, and Yubico. Browser support remains limited, however: only Microsoft Edge has support for token binding.


IETF standards

The following group of IETF RFCs and Internet Drafts comprises a set of interrelated specifications for implementing different aspects of the Token Binding standard.

* The Token Binding Protocol Version 1.0. Allows client/server applications to create long-lived, uniquely identifiable TLS bindings spanning multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks. To protect privacy, the Token Binding identifiers are only conveyed over TLS and can be reset by the user at any time.
* Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation. Extension for the negotiation of Token Binding protocol version and key parameters.
* Token Binding over HTTP. A collection of mechanisms that allow HTTP servers to cryptographically bind security tokens (such as cookies and OAuth tokens) to TLS connections.
* Token Binding for Transport Layer Security (TLS) Version 1.3 Connections. This companion document defines a backwards-compatible way to negotiate Token Binding on TLS 1.3 connections.
* HTTPS Token Binding with TLS Terminating Reverse Proxies. Defines HTTP header fields that enable a TLS-terminating reverse proxy to convey information to a backend server about the validated Token Binding Message received from a client, which enables that backend server to bind, or verify the binding of, cookies and other security tokens to the client's Token Binding key. This allows the reverse proxy and backend server to function together as though they were a single logical server-side deployment of HTTPS Token Binding.

Related IETF draft standard:

* OAuth 2.0 Token Binding. Enables OAuth 2.0 implementations to apply Token Binding to Access Tokens, Authorization Codes, Refresh Tokens, JWT Authorization Grants, and JWT Client Authentication. This cryptographically binds these tokens to a client's Token Binding key pair, possession of which is proven on the TLS connections over which the tokens are intended to be used. This use of Token Binding protects these tokens from man-in-the-middle and token export and replay attacks.
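The mechanism described in the introduction and in the Protocol 1.0 and Token Binding over HTTP items above, as an added illustration in Go that is not part of this article or of any Token Binding implementation: one client key pair per server, a proof signed over the connection's Exported Keying Material (EKM), and a server-side cookie bound to that key. The encoding (a key-parameters byte followed by the raw P-256 point, a 64-byte r||s signature over a hash of type, key parameters and EKM) is a simplified stand-in for the specification's wire format, and all function names and EKM values are assumptions constructed for the example rather than real TLS exporter output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"math/big"
)

// Simplified TB_ECDSAP256 layout (hypothetical, not the exact wire format): binding ID =
// key-parameters byte || raw P-256 point; proof = ECDSA r||s over SHA-256(type || params || EKM).
const keyParamsECDSAP256, typeProvided = 0x02, 0x00
func newClientKey() *ecdsa.PrivateKey { // the user agent keeps one key pair per target server
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv
}
func bindingID(pub *ecdsa.PublicKey) []byte { // TokenBindingID given to the server
	id := append([]byte{keyParamsECDSAP256}, pub.X.FillBytes(make([]byte, 32))...)
	return append(id, pub.Y.FillBytes(make([]byte, 32))...)
}
func signedData(ekm []byte) []byte { // EKM: TLS Exported Keying Material of this connection
	h := sha256.Sum256(append([]byte{typeProvided, keyParamsECDSAP256}, ekm...))
	return h[:]
}
// prove runs on the client for every TLS connection; a captured proof is useless elsewhere.
func prove(priv *ecdsa.PrivateKey, ekm []byte) []byte {
	r, s, err := ecdsa.Sign(rand.Reader, priv, signedData(ekm))
	if err != nil {
		panic(err)
	}
	return append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...)
}
// verifyProof runs on the server (or TLS-terminating proxy) with the EKM of its own connection.
func verifyProof(id, sig, ekm []byte) bool {
	if len(id) != 65 || id[0] != keyParamsECDSAP256 || len(sig) != 64 {
		return false
	}
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(),
		X: new(big.Int).SetBytes(id[1:33]), Y: new(big.Int).SetBytes(id[33:])}
	return ecdsa.Verify(pub, signedData(ekm), new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:]))
}
// Bound cookie: store SHA-256(binding ID) at issue time; accept later only if proof verifies and key matches.
func bindCookie(id []byte) [32]byte { return sha256.Sum256(id) }
func acceptRequest(bound [32]byte, id, sig, ekm []byte) bool {
	return verifyProof(id, sig, ekm) && bound == sha256.Sum256(id)
}
```

A stolen cookie plus a captured proof fails on the thief's connection because the EKM differs, and a cookie presented with a different key pair fails the hash comparison even though that key's own proof is valid.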


Related standards

The use of TLS Token Binding allows for more robust web authentication. Several web authentication standards developed by standards bodies outside of the IETF are adopting the draft standards.

* Draft OpenID Connect Token Bound Authentication 1.0. OpenID Connect (OIDC) is a simple identity layer on top of the OAuth 2.0 protocol. OIDC enables Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable, REST-like manner. The OIDC Token Bound Authentication specification enables OIDC implementations to apply Token Binding to the OIDC ID Token. This cryptographically binds the ID Token to the TLS connection over which the authentication occurred. This use of Token Binding protects the authentication flow from man-in-the-middle and token export and replay attacks.
* W3C Proposed Recommendation for Web Authentication: An API for accessing Public Key Credentials. Web Authentication (WebAuthn), an interface for public-key authentication of users to web-based applications and services, supports Token Binding.


External links


Token Binding at BrowserAuth.net

Token Binding Presentation at Identiverse 2018
OAuth 2.0 Token Binding Blog