Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dr. Michael B. Jones Identity Standards Architect at Microsoft

Published byNaomi Rose Modified over 7 years ago

Similar presentations

Presentation on theme: "Dr. Michael B. Jones Identity Standards Architect at Microsoft"— Presentation transcript:

1 Token Binding Standards and Applications: Securing what were previously bearer tokens
Dr. Michael B. Jones Identity Standards Architect at Microsoft Brian Campbell Distinguished Engineer at Ping Identity May 10, 2017

2 The Problem With Bearer Tokens
One truth and a lie

3 Token Binding Solution
Token Binding enables data structures to be cryptographically bound to a particular TLS channel Making them no longer bearer tokens Prevents them from being used in unintended ways Data structures that can be Token Bound include: Browser cookies, ID Tokens, access tokens, refresh tokens, authorization codes Presentation will discuss: Token Binding mechanisms Kinds of threats they mitigate Current deployment status

4 IETF Token Binding Specifications

5 Hello! Do you like my extension?

6 Do you support Token Binding?
TLS Handshake Key Parameters: (0) rsa2048_pkcs1.5 rsa2048_pss ecdsap256 Also need extenstions: Extended Master Secret Renegotiation Indication Client Server ClientHello ... token_binding [24] token_binding_version [1,0] key_parameters_list [2,0] ServerHello ... token_binding [24] token_binding_version [1,0] key_parameters_list [2]

7 Token Binding over HTTPS
HTTP Request Client GET /stuff HTTP/1.1 Host: example.com Sec-Token-Binding: AIkAAgBBQLgtRpWFPN66kxhxGrtaKrzcMtHw7HV8 yMk_-MdRXJXbDMYxZCWnCASRRrmHHHL5wmpP3bhYt0ChRDbsMapfh_QAQ N1He3Ftj4Wa_S_fzZVns4saLfj6aBoMSQW6rLs19IIvHze7LrGjKyCfPT KXjajebxp-TLPFZCc0JTqTY5_0MBAAAA Server Encoded Token Binding Message (1 or more) Token Bindings Type (provided / referred) Token Binding ID (key type and public key) Signature over type, key type, and EKM (TLS Exported Keying Material) Extensions Proves possession of the private key on the TLS connection Keys are long-lived and span TLS connections

8 Browser cookies low hanging fruit
secure HttpOnly

9 Binding Cookies Server associates Token Binding ID with cookie & checks on subsequent use Augments existing authentication and session mechanisms Transparent to users Deployment can be phased in

10 What about federation? Relying Party (RP) Identity Provider (IDP)
There’s an HTTP response header for that! Tells the browser that it should reveal the Token Binding ID used between itself and the RP (referred) in addition to the one used between itself and the IDP (provided). Relying Party (RP) Identity Provider (IDP) GET / HTTP/1.1 Host: idp.example.com Sec-Token-Binding: ARIAAgBBQB-XOPf5ePlf7ikATiAFEGOS503 lPmRfkyymzdWwHCxl0njjxC3D0E_OVfBNqrIQxzIfkF7tWby2Zfya E6XpwTsAQBYqhFX78vMOgDX_Fd_b2dlHyHlMmkIz8iMVBY_reM98O UaJFz5IB7PG9nZ11j58LoG5QhmQoI9NXYktKZRXxrYAAAECAEFAdU FTnfQADkn1uDbQnvJEk6oQs38L92gv-KO-qlYadLoDIKe2h53hSiK wIP98iRj_unedkNkAMyg9e2mY4Gp7WwBAeDUOwaSXNz1e6gKohwN4 SAZ5eNyx45Mh8VI4woL1BipLoqrJRoK6dxFkWgHRMuBROcLGUj5Pi OoxybQH_Tom3gAA HTTP/ Found Location: Include-Referred-Token-Binding-ID: true Browser Token bindings for both TLS connections conveyed

11 Token Binding for OpenID Connect
Utilizes the Include-Referred-Token-Binding-ID header Binds the ID Token to the Token Binding ID the browser uses between itself and the Relying Party Uses token binding hash “tbh” member of the confirmation claim “cnf”

12 “Demo” Showing a bound: ID Token SSO Session Cookie Relying Party (RP)
Showing a bound: ID Token SSO Session Cookie Relying Party (RP) Identity Provider (IDP) Browser

13 Unauthenticated access request to RP is redirected for SSO

14 Authentication request to the IDP

15 ID Token delivered to RP

16 Authenticated access to RP
© 2015 Brian Campbell

17 “Demo” Finished

18 OAuth Token Binding Access tokens with referred Token Binding ID
Refresh tokens with provided Token Binding ID Authorization codes via PKCE Native app clients Web server clients

19 The Landscape Three IETF Token Binding specs soon to be RFCs
Drafts supported in: Edge, IE, and Chrome (others?) On Google servers since January .NET Framework 4.6 (for server side) Open Source OpenSSL ( Apache ( NGINX ( Java (Brian Campbell has mods he plans to submit…) OpenID Connect Token Bound Authentication spec maturing Online Token Binding demo available OAuth 2.0 Token Binding spec also maturing Brian working on spec for TLS terminating reverse proxies

20 Privacy Considerations
Token Binding is not a supercookie or new tracking mechanism Client generates a unique key pair per effective top-level domain + 1 (eTLD+1) E.g., example.com, and etc.example.com share binding but not example.org or example.co.uk Same scoping rules and privacy implications as cookies

21 Where can I participate & learn more?
Online Token Binding Demo IETF Token Binding mailing list IETF OAuth mailing list OpenID Enhanced Authentication Profile (EAP) mailing list My blog me

Download ppt "Dr. Michael B. Jones Identity Standards Architect at Microsoft"

Similar presentations

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Prabath Siriwardena | Johann Nallathamby.

Prabath Siriwardena | Johann Nallathamby.
Draft-popov-token-binding-00 Andrei Popov, Microsoft Corp.

Draft-popov-token-binding-00 Andrei Popov, Microsoft Corp.
1 IETF OAuth Proof-of-Possession Hannes Tschofenig.

1 IETF OAuth Proof-of-Possession Hannes Tschofenig.
December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.

December 19, 2006 Solving Web Single Sign-on with Standards and Open Source Solutions Trey Drake AssetWorld 2007 Albuquerque, New Mexico November 2007.
1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.

1 Trillion Azure AD authentications since the release of the service 50 M Office 365 users active every month >1 Billion authentications every.
OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.

OpenID Connect Update and Discussion Mountain View Summit – September 12, 2011 Mike Jones – Microsoft John Bradley – Independent Nat Sakimura – Nomura.
The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.

The Design and Implementation of an OpenID-Enabled PKI Kevin Bauer University of Colorado Supervisor: Dhiva Muruganantham.
Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.

Health IT RESTful Application Programming Interface (API) Security Considerations Transport & Security Standards Workgroup March 18, 2015.
SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.

SAML-based Delegation in Shibboleth Scott Cantor Internet2/The Ohio State University.
SASL-SAML update Klaas Wierenga Kitten WG 9-Nov-2010.

SASL-SAML update Klaas Wierenga Kitten WG 9-Nov-2010.
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21, 2014 1.

SIP OAuth Rifaat Shekh-Yusef IETF 90, SIPCore WG, Toronto, Canada July 21,
Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.

Observations from the OAuth Feature Survey Mike Jones March 14, 2013 IETF 86.
THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.

THE DEVIL IS IN THE (IMPLEMENTATION) DETAILS: AN EMPIRICAL ANALYSIS OF OAUTH SSO SYSTEMS SAN-TSAI SUN & KONSTANTIN BEZNOSOV PRESENTED BY: NAZISH KHAN COMPSCI.
Securing Angular Apps Brian Noyes

Securing Angular Apps Brian Noyes
Esri UC 2014 | Demo Theater | Using ArcGIS Online App Logins in Node.js James Tedrick.

Esri UC 2014 | Demo Theater | Using ArcGIS Online App Logins in Node.js James Tedrick.

Similar presentations

Ads by Google