Google and Microsoft boffins playing nicely together to stop replay attacks in their tracks

Internet Engineering Task Force doc examines how to better protect authentication tokens


Google and Microsoft engineers have pooled their efforts to propose a protection against what are known as "replay attacks".

These occur when an attacker steals something like a victim's OAuth token and uses it to impersonate them to access otherwise secured resources.

The Token Binding Protocol is the next instalment in the Internet Engineering Task Force's (IETF's) years-old effort to rewrite the internet around user security.

Compared to bygone days, the 2018 user has pretty good security: the websites they visit can be protected with HTTPS, their logins can be protected with OAuth, and so on.

London bus photo, by Nando Machado Shutterstock

Alice, Bob and Verity, too. Yeah, everybody's got a story, pal

READ MORE

However, according to the recently published Request for Comments (FRC) 8471, the tokens that HTTPS and OAuth (and other protocols) store on the user machine offer a replay attack vector that needs handling.

Enter Microsoft's Andrei Popov and Magnus Nystroem, Googler Dirk Balfanz and W3C invited expert Jeff Hodges, authors of The Token Binding Protocol Version 1.0.

The RFC outlines a protocol that binds things like HTTPS security cookies and OAuth tokens to the TLS layer. The resulting encryption layer would prevent tokens from being exported by an attacker, and that would block replay attacks.

To establish token binding, the user agent would generate a private-public key pair for each "target" server – that is, the client presents its public key, and the handshake establishes a private key. This would happen for each TLS connection to that server.

As the RFC noted: "In order to successfully export and replay a bound security token, an attacker needs to also be able to use the client's private key; this is hard to do if the key is specially protected" – for example, if the key was generated in a hardware module.

The authors have designed the protocol to avoid adding round trips to the normal TLS handshake: it consists of a single message sent by the client proving possession of the asymmetric private key. If it checks OK, the server creates the binding with the ID contained in the client's message.

Exactly how the token is bound to the TLS layer, the RFC noted, will be specific to the application: the Token Binding ID or its cryptographic hash could be embedded in the security token, or could be maintained in a database mapping tokens to the binding IDs.

The RFC noted that there is one scenario in which a user is still vulnerable: the bound token could be accessible to malware on their machine. Their suggestion of using hardware modules (like security dongles) to generate the key was designed to guard against that.

The RFC also carried the recommendation that bound tokens need to be integrity-protected, so that attackers can't switch out a Token Binding ID for one of their own choosing without being detected.

The protocol RFC is backed by two other RFCs.

Popov, Nystroem and Balfanz put their names to RFC 8472, which defines a TLS extension using the Token Binding Protocol; and RFC 8473 (Popov, Nystroem, Balfanz, Hodges, and Google's Nick Harper) described how to apply the protocol to HTTP.

Token binding has only reached RFC stage for TLS 1.2, but this Internet Draft shows that TLS 1.3 isn't being ignored. ®


Other stories you might like

  • Google has more reasons why it doesn't like antitrust law that affects Google
    It'll ruin Gmail, claims web ads giant

    Google has a fresh list of reasons why it opposes tech antitrust legislation making its way through Congress but, like others who've expressed discontent, the ad giant's complaints leave out mention of portions of the proposed law that address said gripes.

    The law bill in question is S.2992, the Senate version of the American Innovation and Choice Online Act (AICOA), which is closer than ever to getting votes in the House and Senate, which could see it advanced to President Biden's desk.

    AICOA prohibits tech companies above a certain size from favoring their own products and services over their competitors. It applies to businesses considered "critical trading partners," meaning the company controls access to a platform through which business users reach their customers. Google, Apple, Amazon, and Meta in one way or another seemingly fall under the scope of this US legislation. 

    Continue reading
  • Makers of ad blockers and browser privacy extensions fear the end is near
    Overhaul of Chrome add-ons set for January, Google says it's for all our own good

    Special report Seven months from now, assuming all goes as planned, Google Chrome will drop support for its legacy extension platform, known as Manifest v2 (Mv2). This is significant if you use a browser extension to, for instance, filter out certain kinds of content and safeguard your privacy.

    Google's Chrome Web Store is supposed to stop accepting Mv2 extension submissions sometime this month. As of January 2023, Chrome will stop running extensions created using Mv2, with limited exceptions for enterprise versions of Chrome operating under corporate policy. And by June 2023, even enterprise versions of Chrome will prevent Mv2 extensions from running.

    The anticipated result will be fewer extensions and less innovation, according to several extension developers.

    Continue reading
  • Azure issues not adequately fixed for months, complain bug hunters
    Redmond kicks off Patch Tuesday with a months-old flaw fix

    Updated Two security vendors – Orca Security and Tenable – have accused Microsoft of unnecessarily putting customers' data and cloud environments at risk by taking far too long to fix critical vulnerabilities in Azure.

    In a blog published today, Orca Security researcher Tzah Pahima claimed it took Microsoft several months to fully resolve a security flaw in Azure's Synapse Analytics that he discovered in January. 

    And in a separate blog published on Monday, Tenable CEO Amit Yoran called out Redmond for its lack of response to – and transparency around – two other vulnerabilities that could be exploited by anyone using Azure Synapse. 

    Continue reading
  • I was fired for blowing the whistle on cult's status in Google unit, says contractor
    The internet giant, a doomsday religious sect, and a lawsuit in Silicon Valley

    A former Google video producer has sued the internet giant alleging he was unfairly fired for blowing the whistle on a religious sect that had all but taken over his business unit. 

    The lawsuit demands a jury trial and financial restitution for "religious discrimination, wrongful termination, retaliation and related causes of action." It alleges Peter Lubbers, director of the Google Developer Studio (GDS) film group in which 34-year-old plaintiff Kevin Lloyd worked, is not only a member of The Fellowship of Friends, the exec was influential in growing the studio into a team that, in essence, funneled money back to the fellowship.

    In his complaint [PDF], filed in a California Superior Court in Silicon Valley, Lloyd lays down a case that he was fired for expressing concerns over the fellowship's influence at Google, specifically in the GDS. When these concerns were reported to a manager, Lloyd was told to drop the issue or risk losing his job, it is claimed. 

    Continue reading
  • End of the road for biz living off free G Suite legacy edition
    Firms accustomed to freebies miffed that web giant's largess doesn't last

    After offering free G Suite apps for more than a decade, Google next week plans to discontinue its legacy service – which hasn't been offered to new customers since 2012 – and force business users to transition to a paid subscription for the service's successor, Google Workspace.

    "For businesses, the G Suite legacy free edition will no longer be available after June 27, 2022," Google explains in its support document. "Your account will be automatically transitioned to a paid Google Workspace subscription where we continue to deliver new capabilities to help businesses transform the way they work."

    Small business owners who have relied on the G Suite legacy free edition aren't thrilled that they will have to pay for Workspace or migrate to a rival like Microsoft, which happens to be actively encouraging defectors. As noted by The New York Times on Monday, the approaching deadline has elicited complaints from small firms that bet on Google's cloud productivity apps in the 2006-2012 period and have enjoyed the lack of billing since then.

    Continue reading
  • UK competition watchdog seeks to make mobile browsers, cloud gaming and payments more competitive
    Investigation could help end WebKit monoculture on iOS devices

    The United Kingdom's Competition and Markets Authority (CMA) on Friday said it intends to launch an investigation of Apple's and Google's market power with respect to mobile browsers and cloud gaming, and to take enforcement action against Google for its app store payment practices.

    "When it comes to how people use mobile phones, Apple and Google hold all the cards," said Andrea Coscelli, Chief Executive of the CMA, in a statement. "As good as many of their services and products are, their strong grip on mobile ecosystems allows them to shut out competitors, holding back the British tech sector and limiting choice."

    The decision to open a formal investigation follows the CMA's year-long study of the mobile ecosystem. The competition watchdog's findings have been published in a report that concludes Apple and Google have a duopoly that limits competition.

    Continue reading

Biting the hand that feeds IT © 1998–2022