HTTP: Peer ID Authentication #564
Conversation
|
I've update the spec with a couple changes:
|
http/peer-id-auth.md
Outdated
| * The client-chosen `challenge-server` SHOULD be at least 32 bytes. | ||
| * The client MUST use the same server-name as what is used for the TLS | ||
| session. | ||
| * If the client _only_ wants to authenticate the server and the server does |
There was a problem hiding this comment.
Can we make this a separate section?
Mutual Authentication
Client Only Authentication
Server Only Authentication
There was a problem hiding this comment.
That makes sense. Maybe an overview section and then separate sections for specifics.
http/peer-id-auth.md
Outdated
| Message To Sign in hex: | ||
| 126f726967696e3d6578616d706c652e636f6d3d636c69656e742d6368616c6c656e67653d7171717171717171717171717171717171717171717171717171717171717171717171717171717171716f3d366368616c6c656e67653d414141414141414141414141414141414141414141414141414141414141414141414141414141414141413d | ||
| ``` | ||
| 2. The server MUST verify the signature using the server name used in the TLS |
There was a problem hiding this comment.
How does the server get the client's public key corresponding to the peer id? I assume that's what the client is supposed to sign with to prove its peer id.
There was a problem hiding this comment.
Good point. If it can't be embedded in the peer id, the client/server should send it as a field in the header.
| Authorization: libp2p-PeerID peer-id=<string-representation-of-client-peer-id>, opaque=<opaque-from-server>, challenge-server=<base64-encoded-challenge-server>, sig=<base64-signature-bytes> | ||
| ``` | ||
|
|
||
| The `sig` param represents a signature over the parameters: |
There was a problem hiding this comment.
It would be nice to include the certificate (or public key?) hash, if possible. That way, if the client has some way of validating it they can not rely on the CA system and instead validate the certificate.
There was a problem hiding this comment.
This could be easy to do, but I'm not sure it would be used. The optimal solution here is to authenticate with some TLS exported key material (RFC 5705). That would bind the peer id to the TLS session and can happen with no additional round trips. If a peer can access the certificate they likely can access the key material exporter.
The only problem with this approach is that the key material exporters aren't yet exposed by browsers. But I expect that to change soon-ish as https://datatracker.ietf.org/doc/draft-ietf-httpbis-unprompted-auth/ gets published and implemented by browsers.
My thought here is to focus on the browser use case, and, if it would be used and useful, create a new spec for the exported key material scenario.
There was a problem hiding this comment.
The optimal solution here is to authenticate with some TLS exported key material (RFC 5705). That would bind the peer id to the TLS session and can happen with no additional round trips. If a peer can access the certificate they likely can access the key material exporter.
I agree, but that's likely harder to get at.
My thought here is to focus on the browser use case, and, if it would be used and useful, create a new spec for the exported key material scenario.
What about making the format extensible? I.e., allow the server to sign multiple things that can be extended later?
There was a problem hiding this comment.
I agree, but that's likely harder to get at.
Ah, I see. That's what that proposal is about. Nice!
There was a problem hiding this comment.
What about making the format extensible? I.e., allow the server to sign multiple things that can be extended later?
There is room in this spec to extend this later. A future version could for example define a new parameter that is passed by the client. Example: a SessionID parameter which is derived from keying material from the tls session just for this purpose, the server would check that it matches the expected SessionID it sees or fail the request.
There was a problem hiding this comment.
This has to be covered by a signature. I.e., either:
- It's covered by the client signature and the server refuses to authenticate if it doesn't match
- It's covered by the server's signature and the client rejects the authentication if it doesn't match.
I want to make sure there's some sane upgrade path where we can add support for this later.
There was a problem hiding this comment.
Yes, sorry. The signature MUST include the SessionID as part of the parameters it signs.
There was a problem hiding this comment.
Just to be clear with the example for a future extension here:
- Each side derives a
TLSSessionIDusing TLS' Keying Material exporters in a TBD way. - Each side passes that as a parameter to the
libp2p-PeerIDauth scheme. And includes it as parameter in the signature. - Each side MUST verify the provided
TLSSessionIDmatches the expected value (as well as verifying the signature as before). - Either side MUST fail the authentication if there is a mismatch.
Both sides need to sign and compare it.
http/peer-id-auth.md
Outdated
| - `hostname` | ||
| - `challenge-client` in its base64 encoded form. | ||
| - `challenge-client` |
There was a problem hiding this comment.
If possible, I'd sign everything the client sent us (basically, each step of the handshake should witness the previous step).
There was a problem hiding this comment.
This is what the client signs and the server has sent (challenge-client is the challenge for the client). The only thing here not signed that was sent by the server is opaque field. Why do you think that needs to be signed?
On the other side, the only thing the server doesn't sign is the returned opaque field as well. (and the string form of the peer id, but the server MUST verify that is equivalent/derived to/from the public key bytes we do sign)
There was a problem hiding this comment.
Would you prefer if the wording were changed to say something like "all parameters must be covered by the signature except for the opaque parameter, and the peer-id parameter (as it's covered by the public key bytes)"?
MarcoPolo
force-pushed
the
marco/http-peer-id-auth
branch
from
b14f109
to
24ef2bb
Compare
|
I'm considering making one more change to this spec: Allow the client to send a challenge in the initial request. This would allow the client to authenticate the server on the first round trip, and to send application data after only one round trip. It is similar in spirit to how the noise XX handshake works where the responder (server in our case) is authenticated after the first round trip. I can't think of any compelling reason to not allow this, and many reasons to support it. The main reason being that in cases you know you need to authenticate, it removes a round trip. Are there any compelling cases you can think of @Stebalien, @sukunrt, @aschmahmann? Essentially supporting this flow: sequenceDiagram
C->>S: challenge-server
S-->>C: challenge-client+server-sig [server authenticated]
C->>S: client-sig + application data [client authenticated]
S-->>C: resp
Alongside what is currently defined: sequenceDiagram
C->>S: initial request
S-->>C: challenge-client
C->>S: client-sig+challenge-server [client authenticated]
S-->>C: server-sig [server authenticated]
C->>S: application data
S-->>C: resp
|
|
I agree, the client should send its challenge in the first message. |
I've removed the peer id authentication scheme from the core spec of #508 for a couple reasons:
On 2, this is the first time we are doing a peer id auth scheme that relies on web PKI, and thus has slightly different security properties than what we've done in the past. Instead of tying a peer id to an underlying encrypted channel we are tying it to a domain name. If the client can't trust the domain name (e.g. has enterprise root CAs installed) then their connection can be mitmd. In practice I don't think this is a serious concern because:
go-libp2p implementation: libp2p/go-libp2p#2854