Internet-Draft | Privacy Pass Authentication | January 2022 |
Pauly, et al. | Expires 4 August 2022 | [Page] |
This document defines an HTTP authentication scheme that can be used by clients to redeem Privacy Pass tokens with an origin. It can also be used by origins to challenge clients to present an acceptable Privacy Pass token.¶
This note is to be removed before publishing as an RFC.¶
Source for this draft and an issue tracker can be found at https://github.com/tfpauly/privacy-proxy.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 4 August 2022.¶
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Privacy Pass tokens are unlinkable authenticators that can be used to anonymously authorize a client (see [I-D.ietf-privacypass-architecture]). A client possessing such a token is able to prove that it was able to get a token issued by a token issuer -- based on some check from a token issuer, such as authentication or solving a CAPTCHA -- without allowing the relying party redeeming the client's token (the origin) to link it with issuance flow.¶
Different types of authenticators, using different token issuance protocols, can be used as Privacy Pass tokens.¶
This document defines a common HTTP authentication scheme ([RFC7235]), PrivateToken, that allows clients to redeem various kinds of Privacy Pass tokens.¶
Clients and relying parties interact using this scheme to perform the token challenge and token redemption flow. Clients use a token issuance protocol to actually fetch tokens to redeem.¶
In addition to working with different token issuance protocols, this scheme supports both interactive (online challenges) and non-interactive (pre-fetched) token redemption, as well as the ability to scope a token to a specific resource or origin. Relying parties that request and redeem tokens can choose a specific kind of token, as appropriate for its use case. For example, non-interactive token redemption that is not scoped to a specific origin can be used as a replacement for CAPTCHAs, as exemplified by the original Privacy Pass work [DGSTV18].¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
This document uses the following terms to refer to various roles and functions in the Privacy Pass architecture:¶
Token redemption is performed using HTTP Authentication ([RFC7235]), with the scheme "PrivateToken". Origins challenge clients to present a token from a specific issuer (Section 2.1). Once a client has received a token from that issuer, or already has a valid token available, it presents the token to the origin (Section 2.2).¶
Origins send a token challenge to Clients in an "WWW-Authenticate" header with the "PrivateToken" scheme. This challenge includes a TokenChallenge message, along with information about what keys to use when requesting a token from the issuer.¶
The TokenChallenge message has the following structure:¶
struct { uint16_t token_type; opaque issuer_name<1..2^16-1>; opaque redemption_nonce<0..32>; opaque origin_name<0..2^16-1>; } TokenChallenge;¶
The structure fields are defined as follows:¶
When used in an authentication challenge, the "PrivateToken" scheme uses the following attributes:¶
Clients can ignore the challenge if the token-key is invalid or otherwise untrusted.¶
Origins MAY also include the standard "realm" attribute, if desired. Issuance protocols MAY require other attributes.¶
As an example, the WWW-Authenticate header could look like this:¶
WWW-Authenticate: PrivateToken challenge=abc..., token-key=123...¶
Upon receipt of this challenge, a client uses the message and keys in the issuance protocol indicated by the token_type. If the TokenChallenge has a token_type the client does not recognize or support, it MUST NOT parse or respond to the challenge.¶
Note that it is possible for the WWW-Authenticate header to include multiple challenges, in order to allow the Client to fetch a batch of multiple tokens for future use.¶
For example, the WWW-Authenticate header could look like this:¶
WWW-Authenticate: PrivateToken challenge=abc..., token-key=123..., PrivateToken challenge=def..., token-key=234...¶
The output of the issuance protocol is a token that corresponds to the origin's challenge (see Section 2.1). A token is a structure that begins with a two-octet field that indicates a token type, which MUST match the token_type in the TokenChallenge structure.¶
struct { uint16_t token_type; uint8_t nonce[32]; uint8_t context[32]; uint8_t token_key_id[Nid]; uint8_t authenticator[Nk]; } Token;¶
The structure fields are defined as follows:¶
The authenticator value in the Token structure is computed over the token_type, nonce, context, and token_key_id fields.¶
When used for client authorization, the "PrivateToken" authentication scheme defines one parameter, "token", which contains the base64url-encoded Token struct. All unknown or unsupported parameters to "PrivateToken" authentication credentials MUST be ignored.¶
Clients present this Token structure to Origins in a new HTTP request using the Authorization header as follows:¶
Authorization: PrivateToken token=abc...¶
For token types that support public verifiability, origins verify the token authenticator using the public key of the issuer, and validate that the signed message matches the concatenation of the client nonce and the hash of a valid TokenChallenge. For interactive tokens, origins store the nonces of previous TokenChallenge structures in order to validate uniqueness. A TokenChallenge MAY be bound to a specific HTTP session with client, but origins can also accept tokens for valid challenges in new sessions. For non-interactive tokens, origins SHOULD implement some form of double spend prevention that prevents a token with the same nonce from being redeemed twice. This prevents clients from "replaying" tokens for previous challenges.¶
If a client is unable to fetch a token, it MUST react to the challenge as if it could not produce a valid Authorization response.¶
Clients initiate the issuance protocol using a challenge, a randomly generated nonce, and a public key for the issuer. The issuance protocol itself can be any interactive protocol between client, issuer, or other parties that produces a valid authenticator over the client's input, subject to the following security requirements.¶
When used in contexts like websites, origins that challenge clients for tokens need to consider how to optimize their interaction model to ensure a good user experience.¶
Tokens challenges can be performed without explicit user involvement, depending on the issuance protocol. If tokens are scoped to a specific origin, there is no need for per-challenge user interaction. Note that the issuance protocol may separately involve user interaction if the client needs to be newly validated.¶
The use of interactive tokens can add user-perceivable latency, since such tokens cannot be pre-fetched. Origins need not block useful work on token authentication. Instead, token authentication can be used in similar ways to CAPTCHA validation today, but without the need for user interaction. If issuance is taking a long time, a website could show an indicator that it is waiting, or fall back to another method of user validation.¶
An origin MUST NOT issue more than one interactive challenge for a given token type and issuer per client request. If an origin issues a large number of challenges, such as more than once for each request, this can indicate that the origin is either not functioning correctly or is trying to attack or overload the client or issuance server. In such cases, a client MUST ignore redundant token challenges for the same request and SHOULD alert the user if possible.¶
Origins MAY include multiple challenges, where each challenge refers to a different issuer or a different token type, to allow clients to choose a preferred issuer or type.¶
The security properties of token challenges vary depending on whether the challenge is interactive or not, as well as whether the challenge is per-origin or not. For example, non-interactive, cross-origin tokens can be replayed from one party by another, as shown below.¶
Interactive token challenges require clients to obtain matching tokens when challenged, rather than presenting a token that was obtained in the past. This means that issuance and redemption events will occur at approximately the same time. For example, if a client is challenged for an interactive token at time T1 and then subsequently obtains a token at time T2, a colluding issuer and origin can link this to the same client if T2 is unique to the client. This linkability is less feasible as the number of issuance events at time T2 increases. Depending on the "max-age" token challenge attribute, clients MAY try to augment the time between getting challenged then redeeming a token so as to make this sort of linkability more difficult. For more discussion on correlation risks between token issuance and redemption, see [I-D.ietf-privacypass-architecture].¶
Applications SHOULD constrain tokens to a single origin unless the use case can accommodate such replay attacks.¶
All random values in the challenge and token MUST be generated using a cryptographically secure source of randomness.¶
This document registers the "PrivateToken" authentication scheme in the "Hypertext Transfer Protocol (HTTP) Authentication Scheme Registry" established by [RFC7235].¶
Authentication Scheme Name: PrivateToken¶
The "Token Type" registry lists identifiers for issuance protocols defined for use with the Privacy Pass token authentication scheme. These identifiers are two-byte values, so the maximum possible value is 0xFFFF = 65535.¶
Template:¶
The initial contents for this registry are defined in the table below.¶
Value | Name | Publicly Verifiable | Public Metadata | Private Metadata | Nk | Nid | Reference |
---|---|---|---|---|---|---|---|
0x0000 | (reserved) | N/A | N/A | N/A | N/A | N/A | N/A |