rfc9729.md.original   rfc9729.md 
--- ---
title: The Concealed HTTP Authentication Scheme title: The Concealed HTTP Authentication Scheme
docname: draft-ietf-httpbis-unprompted-auth-latest docname: draft-ietf-httpbis-unprompted-auth-latest
submissiontype: IETF submissiontype: IETF
number: number: 9729
date: date: 2025-02
consensus: true consensus: true
v: 3 v: 3
category: std category: std
wg: HTTPBIS wg: HTTPBIS
area: "Web and Internet Transport" area: "Web and Internet Transport"
venue:
group: HTTP
type: Working Group
home: https://httpwg.org/
mail: ietf-http-wg@w3.org
arch: https://lists.w3.org/Archives/Public/ietf-http-wg/
repo: https://github.com/httpwg/http-extensions/labels/unprompted-auth
latest: "https://httpwg.org/http-extensions/draft-ietf-httpbis-unprompted-auth
.html"
github-issue-label: unprompted-auth
keyword: keyword:
- secure - secure
- tunnels - tunnels
- masque - masque
- http-ng - http-ng
author: author:
- -
ins: D. Schinazi ins: D. Schinazi
name: David Schinazi name: David Schinazi
org: Google LLC org: Google LLC
skipping to change at line 52 skipping to change at line 43
uri: https://guardianproject.info uri: https://guardianproject.info
- -
ins: J. Hoyland ins: J. Hoyland
name: Jonathan Hoyland name: Jonathan Hoyland
org: Cloudflare Inc. org: Cloudflare Inc.
email: jonathan.hoyland@gmail.com email: jonathan.hoyland@gmail.com
normative: normative:
RFC8792: RFC8792:
X.690: X.690:
target: https://www.itu.int/rec/T-REC-X.690
title: "Information technology - ASN.1 encoding Rules: Specification of Basi c Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encodin g Rules (DER)" title: "Information technology - ASN.1 encoding Rules: Specification of Basi c Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encodin g Rules (DER)"
date: 2021-02 date: 2021-02
author: author:
org: ITU-T org: ITU-T
seriesinfo: seriesinfo:
ISO/IEC 8824-1:2021 ITU-T: Recommendation X690
ISO/IEC: 8825-1:2021
informative: informative:
H2: H2:
=: RFC9113 =: RFC9113
display: HTTP/2 display: HTTP/2
H3: H3:
=: RFC9114 =: RFC9114
display: HTTP/3 display: HTTP/3
SEEMS-LEGIT: SEEMS-LEGIT:
title: "Seems Legit: Automated Analysis of Subtle Attacks on Protocols That Use Signatures" title: "Seems Legit: Automated Analysis of Subtle Attacks on Protocols That Use Signatures"
skipping to change at line 85 skipping to change at line 78
surname: Cremers surname: Cremers
name: Cas Cremers name: Cas Cremers
- -
initials: K. initials: K.
surname: Cohn-Gordon surname: Cohn-Gordon
name: Katriel Cohn-Gordon name: Katriel Cohn-Gordon
- -
initials: R. initials: R.
surname: Sasse surname: Sasse
name: Ralf Sasse name: Ralf Sasse
date: 2019 date: 2019-11
refcontent: refcontent:
- "CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security" - "CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security"
- "pp. 21652180" - "pp. 2165-2180"
seriesinfo: seriesinfo:
DOI: 10.1145/3319535.3339813 DOI: 10.1145/3319535.3339813
--- abstract --- abstract
Most HTTP authentication schemes are probeable in the sense that it is possible Most HTTP authentication schemes are probeable in the sense that it is possible
for an unauthenticated client to probe whether an origin serves resources that for an unauthenticated client to probe whether an origin serves resources that
require authentication. It is possible for an origin to hide the fact that it require authentication. It is possible for an origin to hide the fact that it
requires authentication by not generating Unauthorized status codes, however requires authentication by not generating Unauthorized status codes; however,
that only works with non-cryptographic authentication schemes: cryptographic that only works with non-cryptographic authentication schemes: cryptographic
signatures require a fresh nonce to be signed. Prior to this document, there signatures require a fresh nonce to be signed. Prior to this document, there
was no existing way for the origin to share such a nonce without exposing the was no existing way for the origin to share such a nonce without exposing the
fact that it serves resources that require authentication. This document fact that it serves resources that require authentication. This document
defines a new non-probeable cryptographic authentication scheme. defines a new non-probeable cryptographic authentication scheme.
--- middle --- middle
# Introduction {#introduction} # Introduction {#introduction}
HTTP authentication schemes (see {{Section 11 of !HTTP=RFC9110}}) allow origins HTTP authentication schemes (see {{Section 11 of !HTTP=RFC9110}}) allow origins
to restrict access for some resources to only authenticated requests. While to restrict access for some resources to only authenticated requests. While
these schemes commonly involve a challenge where the origin asks the client to these schemes commonly involve a challenge where the origin asks the client to
provide authentication information, it is possible for clients to send such provide authentication information, it is possible for clients to send such
information unprompted. This is particularly useful in cases where an origin information unprompted. This is particularly useful in cases where an origin
wants to offer a service or capability only to "those who know" while all wants to offer a service or capability only to "those who know", while all
others are given no indication the service or capability exists. Such designs others are given no indication the service or capability exists. Such designs
rely on an externally-defined mechanism by which keys are distributed. For rely on an externally defined mechanism by which keys are distributed. For
example, a company might offer remote employee access to company services example, a company might offer remote employee access to company services
directly via its website using their employee credentials, or offer access to directly via its website using their employee credentials or offer access to
limited special capabilities for specific employees, while making discovering limited special capabilities for specific employees while making discovering
(or probing for) such capabilities difficult. As another example, members of (or probing for) such capabilities difficult. As another example, members of
less well-defined communities might use more ephemeral keys to acquire access less well-defined communities might use more ephemeral keys to acquire access
to geography- or capability-specific resources, as issued by an entity whose to geography- or capability-specific resources, as issued by an entity whose
user base is larger than the available resources can support (by having that user base is larger than the available resources can support (by having that
entity metering the availability of keys temporally or geographically). entity metering the availability of keys temporally or geographically).
While digital-signature-based HTTP authentication schemes already exist (e.g., While digital-signature-based HTTP authentication schemes already exist (e.g.,
{{?HOBA=RFC7486}}), they rely on the origin explicitly sending a fresh {{?HOBA=RFC7486}}), they rely on the origin explicitly sending a fresh
challenge to the client, to ensure that the signature input is fresh. That challenge to the client, to ensure that the signature input is fresh. That
makes the origin probeable as it sends the challenge to unauthenticated makes the origin probeable as it sends the challenge to unauthenticated
clients. This document defines a new signature-based authentication scheme that clients. This document defines a new signature-based authentication scheme that
is not probeable. is not probeable.
## Conventions and Definitions {#conventions} ## Conventions and Definitions {#conventions}
{::boilerplate bcp14-tagged} {::boilerplate bcp14-tagged}
This document uses the notation from {{Section 1.3 of !QUIC=RFC9000}}. This document uses the notation from {{Section 1.3 of !QUIC=RFC9000}}.
# The Concealed Authentication Scheme Various examples in this document contain long lines that may be folded,
as described in [RFC8792].
# The Concealed HTTP Authentication Scheme
This document defines the "Concealed" HTTP authentication scheme. It uses This document defines the "Concealed" HTTP authentication scheme. It uses
asymmetric cryptography. Clients possess a key ID and a public/private key asymmetric cryptography. Clients possess a key ID and a public/private key
pair, and origin servers maintain a mapping of authorized key IDs to associated pair, and origin servers maintain a mapping of authorized key IDs to associated
public keys. public keys.
The client uses a TLS keying material exporter to generate data to be signed The client uses a TLS keying material exporter to generate data to be signed
(see {{client}}) then sends the signature using the Authorization (or (see {{client}}) then sends the signature using the Authorization (or
Proxy-Authorization) header field (see {{Section 11 of HTTP}}). The signature Proxy-Authorization) header field (see {{Section 11 of HTTP}}). The signature
and additional information are exchanged using authentication parameters (see and additional information are exchanged using authentication parameters (see
{{auth-params}}). Once the server receives these, it can check whether the {{auth-params}}). Once the server receives these, it can check whether the
signature validates against an entry in its database of known keys. The server signature validates against an entry in its database of known keys. The server
can then use the validation result to influence its response to the client, for can then use the validation result to influence its response to the client, for
example by restricting access to certain resources. example, by restricting access to certain resources.
# Client Handling {#client} # Client Handling {#client}
When a client wishes to use the Concealed HTTP authentication scheme with a When a client wishes to use the Concealed HTTP authentication scheme with a
request, it SHALL compute the authentication proof using a TLS keying material request, it SHALL compute the authentication proof using a TLS keying material
exporter with the following parameters: exporter with the following parameters:
* the label is set to "EXPORTER-HTTP-Concealed-Authentication" * The label is set to "EXPORTER-HTTP-Concealed-Authentication".
* the context is set to the structure described in {{context}} * The context is set to the structure described in {{context}}.
* the exporter output length is set to 48 bytes (see {{output}}) * The exporter output length is set to 48 bytes (see {{output}}).
Note that TLS 1.3 keying material exporters are defined in {{Section 7.5 of Note that TLS 1.3 keying material exporters are defined in {{Section 7.5 of
TLS}}, while TLS 1.2 keying material exporters are defined in TLS}}, while TLS 1.2 keying material exporters are defined in
{{!KEY-EXPORT=RFC5705}}. {{!KEY-EXPORT=RFC5705}}.
## Key Exporter Context {#context} ## Key Exporter Context {#context}
The TLS key exporter context is described in {{fig-context}}, using the The TLS key exporter context is described in {{fig-context}}, using the
notation from {{Section 1.3 of QUIC}}: notation from {{Section 1.3 of QUIC}}:
~~ ~~~
Signature Algorithm (16), Signature Algorithm (16),
Key ID Length (i), Key ID Length (i),
Key ID (..), Key ID (..),
Public Key Length (i), Public Key Length (i),
Public Key (..), Public Key (..),
Scheme Length (i), Scheme Length (i),
Scheme (..), Scheme (..),
Host Length (i), Host Length (i),
Host (..), Host (..),
Port (16), Port (16),
Realm Length (i), Realm Length (i),
Realm (..), Realm (..),
~~ ~~~
{: #fig-context title="Key Exporter Context Format"} {: #fig-context title="Key Exporter Context Format"}
The key exporter context contains the following fields: The key exporter context contains the following fields:
Signature Algorithm: Signature Algorithm:
: The signature scheme sent in the `s` Parameter (see {{parameter-s}}). : The signature scheme sent in the `s` Parameter (see {{parameter-s}}).
Key ID: Key ID:
skipping to change at line 219 skipping to change at line 215
of a URI as defined in {{Section 3.1 of !URI=RFC3986}}. of a URI as defined in {{Section 3.1 of !URI=RFC3986}}.
Host: Host:
: The host for this request, encoded using the format of the host portion of a : The host for this request, encoded using the format of the host portion of a
URI as defined in {{Section 3.2.2 of URI}}. URI as defined in {{Section 3.2.2 of URI}}.
Port: Port:
: The port for this request, encoded in network byte order. Note that the port : The port for this request, encoded in network byte order. Note that the port
is either included in the URI, or is the default port for the scheme in use; is either included in the URI or is the default port for the scheme in use;
see {{Section 3.2.3 of URI}}. see {{Section 3.2.3 of URI}}.
Realm: Realm:
: The realm of authentication that is sent in the realm authentication : The realm of authentication that is sent in the realm authentication
parameter ({{Section 11.5 of HTTP}}). If the realm authentication parameter is parameter (see {{Section 11.5 of HTTP}}). If the realm authentication parameter is
not present, this SHALL be empty. This document does not define a means for the not present, this SHALL be empty. This document does not define a means for the
origin to communicate a realm to the client. If a client is not configured to origin to communicate a realm to the client. If a client is not configured to
use a specific realm, it SHALL use an empty realm and SHALL NOT send the realm use a specific realm, it SHALL use an empty realm and SHALL NOT send the realm
authentication parameter. authentication parameter.
The Signature Algorithm and Port fields are encoded as unsigned 16-bit integers The Signature Algorithm and Port fields are encoded as unsigned 16-bit integers
in network byte order. The Key ID, Public Key, Scheme, Host, and Realm fields in network byte order. The Key ID, Public Key, Scheme, Host, and Realm fields
are length prefixed strings; they are preceded by a Length field that are length-prefixed strings; they are preceded by a Length field that
represents their length in bytes. These length fields are encoded using the represents their length in bytes. These length fields are encoded using the
variable-length integer encoding from {{Section 16 of QUIC}} and MUST be variable-length integer encoding from {{Section 16 of QUIC}} and MUST be
encoded in the minimum number of bytes necessary. encoded in the minimum number of bytes necessary.
### Public Key Encoding {#public-key-encoding} ### Public Key Encoding {#public-key-encoding}
Both the "Public Key" field of the TLS key exporter context (see above) and the Both the "Public Key" field of the TLS key exporter context (see above) and the
`a` Parameter (see {{parameter-a}}) carry the same public key. The encoding of `a` Parameter (see {{parameter-a}}) carry the same public key. The encoding of
the public key is determined by the Signature Algorithm in use as follows: the public key is determined by the signature algorithm in use as follows:
RSASSA-PSS algorithms: RSASSA-PSS algorithms:
: The public key is an RSAPublicKey structure {{!PKCS1=RFC8017}} encoded in DER : The public key is an RSAPublicKey structure {{!PKCS1=RFC8017}} encoded in DER
{{X.690}}. BER encodings which are not DER MUST be rejected. {{X.690}}. BER encodings that are not DER MUST be rejected.
ECDSA algorithms: ECDSA algorithms:
: The public key is a UncompressedPointRepresentation structure defined in : The public key is an UncompressedPointRepresentation structure defined in
{{Section 4.2.8.2 of TLS}}, using the curve specified by the SignatureScheme. {{Section 4.2.8.2 of TLS}}, using the curve specified by the SignatureScheme.
EdDSA algorithms: EdDSA algorithms:
: The public key is the byte string encoding defined in {{!EdDSA=RFC8032}}. : The public key is the byte string encoding defined in {{!EdDSA=RFC8032}}.
This document does not define the public key encodings for other algorithms. In This document does not define the public key encodings for other algorithms. In
order for a SignatureScheme to be usable with the Concealed HTTP authentication order for a SignatureScheme to be usable with the Concealed HTTP authentication
scheme, its public key encoding needs to be defined in a corresponding document. scheme, its public key encoding needs to be defined in a corresponding document.
## Key Exporter Output {#output} ## Key Exporter Output {#output}
The key exporter output is 48 bytes long. Of those, the first 32 bytes are part The key exporter output is 48 bytes long. Of those, the first 32 bytes are part
of the input to the signature and the next 16 bytes are sent alongside the of the input to the signature and the next 16 bytes are sent alongside the
signature. This allows the recipient to confirm that the exporter produces the signature. This allows the recipient to confirm that the exporter produces the
right values. This is described in {{fig-output}}, using the notation from right values. This is described in {{fig-output}}, using the notation from
{{Section 1.3 of QUIC}}: {{Section 1.3 of QUIC}}:
~~ ~~~
Signature Input (256), Signature Input (256),
Verification (128), Verification (128),
~~ ~~~
{: #fig-output title="Key Exporter Output Format"} {: #fig-output title="Key Exporter Output Format"}
The key exporter output contains the following fields: The key exporter output contains the following fields:
Signature Input: Signature Input:
: This is part of the data signed using the client's chosen asymmetric private : This is part of the data signed using the client's chosen asymmetric private
key (see {{computation}}). key (see {{computation}}).
Verification: Verification:
skipping to change at line 298 skipping to change at line 294
## Signature Computation {#computation} ## Signature Computation {#computation}
Once the Signature Input has been extracted from the key exporter output (see Once the Signature Input has been extracted from the key exporter output (see
{{output}}), it is prefixed with static data before being signed. The signature {{output}}), it is prefixed with static data before being signed. The signature
is computed over the concatenation of: is computed over the concatenation of:
* A string that consists of octet 32 (0x20) repeated 64 times * A string that consists of octet 32 (0x20) repeated 64 times
* The context string "HTTP Concealed Authentication" * The context string "HTTP Concealed Authentication"
* A single 0 byte which serves as a separator * A single 0 byte that serves as a separator
* The Signature Input extracted from the key exporter output (see {{output}}) * The Signature Input extracted from the key exporter output (see {{output}})
For example, if the Signature Input has all its 32 bytes set to 01, the content For example, if the Signature Input has all its 32 bytes set to 01, the content
covered by the signature (in hexadecimal format) would be: covered by the signature (in hexadecimal format) would be:
~~ ~~~
2020202020202020202020202020202020202020202020202020202020202020 2020202020202020202020202020202020202020202020202020202020202020
2020202020202020202020202020202020202020202020202020202020202020 2020202020202020202020202020202020202020202020202020202020202020
48545450205369676E61747572652041757468656E7469636174696F6E 48545450205369676E61747572652041757468656E7469636174696F6E
00 00
0101010101010101010101010101010101010101010101010101010101010101 0101010101010101010101010101010101010101010101010101010101010101
~~ ~~~
{: #fig-sig-example title="Example Content Covered by Signature"} {: #fig-sig-example title="Example Content Covered by Signature"}
The purpose of this static prefix is to mitigate issues that could arise if The purpose of this static prefix is to mitigate issues that could arise if
authentication asymmetric keys were accidentally reused across protocols (even authentication asymmetric keys were accidentally reused across protocols (even
though this is forbidden, see {{security}}). This construction mirrors that of though this is forbidden, see {{security}}). This construction mirrors that of
the TLS 1.3 CertificateVerify message defined in {{Section 4.4.3 of TLS}}. the TLS 1.3 CertificateVerify message defined in {{Section 4.4.3 of TLS}}.
The resulting signature is then transmitted to the server using the `p` The resulting signature is then transmitted to the server using the `p`
Parameter (see {{parameter-p}}). Parameter (see {{parameter-p}}).
# Authentication Parameters {#auth-params} # Authentication Parameters {#auth-params}
This specification defines the following authentication parameters. This specification defines the following authentication parameters.
All of the byte sequences below are encoded using base64url (see {{Section 5 of All of the byte sequences below are encoded using base64url (see {{Section 5 of
!BASE64=RFC4648}}) without quotes and without padding. In other words, the !BASE64=RFC4648}}) without quotes and without padding. In other words, the
values of these byte-sequence authentication parameters MUST NOT include any values of these byte-sequence authentication parameters MUST NOT include any
characters other than ASCII letters, digits, dash and underscore. characters other than ASCII letters, digits, dash, and underscore.
The integer below is encoded without a minus and without leading zeroes. In The integer below is encoded without a minus and without leading zeroes. In
other words, the value of this integer authentication parameter MUST NOT other words, the value of this integer authentication parameter MUST NOT
include any characters other than digits, and MUST NOT start with a zero unless include any characters other than digits and MUST NOT start with a zero unless
the full value is "0". the full value is "0".
Using the syntax from {{!ABNF=RFC5234}}: Using the syntax from {{!ABNF=RFC5234}}:
~~ ~~~ abnf
concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" ) concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" )
concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0" concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0"
~~ ~~~
{: #fig-param title="Authentication Parameter Value ABNF"} {: #fig-param title="Authentication Parameter Value ABNF"}
## The k Parameter {#parameter-k} ## The k Parameter {#parameter-k}
The REQUIRED "k" (key ID) Parameter is a byte sequence that identifies which The REQUIRED "k" (key ID) Parameter is a byte sequence that identifies which
key the client wishes to use to authenticate. This is used by the backend to key the client wishes to use to authenticate. This is used by the backend to
point to an entry in a server-side database of known keys, see {{backend}}. point to an entry in a server-side database of known keys (see {{backend}}).
## The a Parameter {#parameter-a} ## The a Parameter {#parameter-a}
The REQUIRED "a" (public key) Parameter is a byte sequence that specifies the The REQUIRED "a" (public key) Parameter is a byte sequence that specifies the
public key used by the server to validate the signature provided by the client. public key used by the server to validate the signature provided by the client.
This avoids key confusion issues (see {{SEEMS-LEGIT}}). The encoding of the This avoids key confusion issues (see {{SEEMS-LEGIT}}). The encoding of the
public key is described in {{public-key-encoding}}. public key is described in {{public-key-encoding}}.
## The p Parameter {#parameter-p} ## The p Parameter {#parameter-p}
The REQUIRED "p" (proof) Parameter is a byte sequence that specifies the proof The REQUIRED "p" (proof) Parameter is a byte sequence that specifies the proof
that the client provides to attest to possessing the credential that matches that the client provides to attest to possessing the credential that matches
its key ID. its key ID.
## The s Parameter {#parameter-s} ## The s Parameter {#parameter-s}
The REQUIRED "s" (signature) Parameter is an integer that specifies the The REQUIRED "s" (signature scheme) Parameter is an integer that specifies the
signature scheme used to compute the proof transmitted in the `p` Parameter. signature scheme used to compute the proof transmitted in the `p` Parameter.
Its value is an integer between 0 and 65535 inclusive from the IANA "TLS Its value is an integer between 0 and 65535 inclusive from the IANA "TLS
SignatureScheme" registry maintained at SignatureScheme" registry maintained at
<[](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-sig naturescheme)>. <[](https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-sig naturescheme)>.
## The v Parameter {#parameter-v} ## The v Parameter {#parameter-v}
The REQUIRED "v" (verification) Parameter is a byte sequence that specifies the The REQUIRED "v" (verification) Parameter is a byte sequence that specifies the
verification that the client provides to attest to possessing the key exporter verification that the client provides to attest to possessing the key exporter
output (see {{output}} for details). This avoids issues with signature schemes output (see {{output}} for details). This avoids issues with signature schemes
where certain keys can generate signatures that are valid for multiple inputs where certain keys can generate signatures that are valid for multiple inputs
(see {{SEEMS-LEGIT}}). (see {{SEEMS-LEGIT}}).
# Example {#example} # Example {#example}
For example, the key ID "basement" authenticating using Ed25519 For example, a client using the key ID "basement" and the signature algorithm
{{?ED25519=RFC8410}} could produce the following header field: Ed25519 {{?ED25519=RFC8410}} could produce the following header field:
~~ http-message ~~~ http-message
NOTE: '\' line wrapping per RFC 8792 NOTE: '\' line wrapping per RFC 8792
Authorization: Concealed \ Authorization: Concealed \
k=YmFzZW1lbnQ, \ k=YmFzZW1lbnQ, \
a=VGhpcyBpcyBh-HB1YmxpYyBrZXkgaW4gdXNl_GhlcmU, \ a=VGhpcyBpcyBh-HB1YmxpYyBrZXkgaW4gdXNl_GhlcmU, \
s=2055, \ s=2055, \
v=dmVyaWZpY2F0aW9u_zE2Qg, \ v=dmVyaWZpY2F0aW9u_zE2Qg, \
p=QzpcV2luZG93c_xTeXN0ZW0zMlxkcml2ZXJz-ENyb3dkU\ p=QzpcV2luZG93c_xTeXN0ZW0zMlxkcml2ZXJz-ENyb3dkU\
3RyaWtlXEMtMDAwMDAwMDAyOTEtMD-wMC0w_DAwLnN5cw 3RyaWtlXEMtMDAwMDAwMDAyOTEtMD-wMC0w_DAwLnN5cw
~~ ~~~
{: #fig-hdr-example title="Example Header Field"} {: #fig-hdr-example title="Example Header Field"}
# Server Handling # Server Handling
In this section, we subdivide the server role in two: In this section, we subdivide the server role in two:
* the "frontend" runs in the HTTP server that terminates the TLS or QUIC * The "frontend" runs in the HTTP server that terminates the TLS or QUIC
connection created by the client. connection created by the client.
* the "backend" runs in the HTTP server that has access to the database of * The "backend" runs in the HTTP server that has access to the database of
accepted key identifiers and public keys. accepted key identifiers and public keys.
In most deployments, we expect the frontend and backend roles to both be In most deployments, we expect both the frontend and backend roles to be
implemented in a single HTTP origin server (as defined in {{Section 3.6 of implemented in a single HTTP origin server (as defined in {{Section 3.6 of
HTTP}}). However, these roles can be split such that the frontend is an HTTP HTTP}}). However, these roles can be split such that the frontend is an HTTP
gateway (as defined in {{Section 3.7 of HTTP}}) and the backend is an HTTP gateway (as defined in {{Section 3.7 of HTTP}}) and the backend is an HTTP
origin server. origin server.
## Frontend Handling ## Frontend Handling
If a frontend is configured to check the Concealed authentication scheme, it If a frontend is configured to check the Concealed HTTP authentication scheme, i t
will parse the Authorization (or Proxy-Authorization) header field. If the will parse the Authorization (or Proxy-Authorization) header field. If the
authentication scheme is set to "Concealed", the frontend MUST validate that authentication scheme is set to "Concealed", the frontend MUST validate that
all the required authentication parameters are present and can be parsed all the required authentication parameters are present and can be parsed
correctly as defined in {{auth-params}}. If any parameter is missing or fails correctly as defined in {{auth-params}}. If any parameter is missing or fails
to parse, the frontend MUST ignore the entire Authorization (or to parse, the frontend MUST ignore the entire Authorization (or
Proxy-Authorization) header field. Proxy-Authorization) header field.
The frontend then uses the data from these authentication parameters to compute The frontend then uses the data from these authentication parameters to compute
the key exporter output, as defined in {{output}}. The frontend then shares the the key exporter output, as defined in {{output}}. The frontend then shares the
header field and the key exporter output with the backend. header field and the key exporter output with the backend.
## Communication between Frontend and Backend ## Communication Between Frontend and Backend
If the frontend and backend roles are implemented in the same machine, this can If the frontend and backend roles are implemented in the same machine, this can
be handled by a simple function call. be handled by a simple function call.
If the roles are split between two separate HTTP servers, then the backend If the roles are split between two separate HTTP servers, then the backend
won't be able to directly access the TLS keying material exporter from the TLS won't be able to directly access the TLS keying material exporter from the TLS
connection between the client and frontend, so the frontend needs to explictly connection between the client and frontend, so the frontend needs to explicitly
send it. This document defines the "Concealed-Auth-Export" request header field send it. This document defines the "Concealed-Auth-Export" request header field
for this purpose. The Concealed-Auth-Export header field's value is a for this purpose. The Concealed-Auth-Export header field's value is a
Structured Field Byte Sequence (see {{Section 3.3.5 of Structured Field Byte Sequence (see {{Section 3.3.5 of
!STRUCTURED-FIELDS=RFC8941}}) that contains the 48-byte key exporter output !STRUCTURED-FIELDS=RFC9651}}) that contains the 48-byte key exporter output
(see {{output}}), without any parameters. Note that Structured Field Byte (see {{output}}), without any parameters. Note that Structured Field Byte
Sequences are encoded using the non-URL-safe variant of base64. For example: Sequences are encoded using the non-URL-safe variant of base64. For example:
~~ http-message ~~~ http-message
NOTE: '\' line wrapping per RFC 8792 NOTE: '\' line wrapping per RFC 8792
Concealed-Auth-Export: :VGhpc+BleGFtcGxlIFRMU/BleHBvcn\ Concealed-Auth-Export: :VGhpc+BleGFtcGxlIFRMU/BleHBvcn\
Rlc+BvdXRwdXQ/aXMgNDggYnl0ZXMgI/+h: Rlc+BvdXRwdXQ/aXMgNDggYnl0ZXMgI/+h:
~~ ~~~
{: #fig-int-hdr-example title="Example Concealed-Auth-Export Header Field"} {: #fig-int-hdr-example title="Example Concealed-Auth-Export Header Field"}
The frontend SHALL forward the HTTP request to the backend, including the The frontend SHALL forward the HTTP request to the backend, including the
original unmodified Authorization (or Proxy-Authorization) header field and the original unmodified Authorization (or Proxy-Authorization) header field and the
newly added Concealed-Auth-Export header field. newly added Concealed-Auth-Export header field.
Note that, since the security of this mechanism requires the key exporter Note that, since the security of this mechanism requires the key exporter
output to be correct, backends need to trust frontends to send it truthfully. output to be correct, backends need to trust frontends to send it truthfully.
This trust relationship is common because the frontend already needs access to This trust relationship is common because the frontend already needs access to
the TLS certificate private key in order to respond to requests. HTTP servers the TLS certificate private key in order to respond to requests. HTTP servers
skipping to change at line 485 skipping to change at line 481
* validate that the public key from the database is equal to the one in the * validate that the public key from the database is equal to the one in the
Authorization (or Proxy-Authorization) header field Authorization (or Proxy-Authorization) header field
* validate that the verification field from the Authorization (or * validate that the verification field from the Authorization (or
Proxy-Authorization) header field matches the one extracted from the key Proxy-Authorization) header field matches the one extracted from the key
exporter output exporter output
* verify the cryptographic signature as defined in {{computation}} * verify the cryptographic signature as defined in {{computation}}
If all of these checks succeed, the backend can consider the request to be If all of these checks succeed, the backend can consider the request to be
properly authenticated, and can reply accordingly (the backend can also forward properly authenticated and can reply accordingly (the backend can also forward
the request to another HTTP server). the request to another HTTP server).
If any of the above checks fail, the backend MUST treat it as if the If any of the above checks fail, the backend MUST treat it as if the
Authorization (or Proxy-Authorization) header field was missing. Authorization (or Proxy-Authorization) header field was missing.
## Non-Probeable Server Handling ## Non-Probeable Server Handling
Servers that wish to introduce resources whose existence cannot be probed need Servers that wish to introduce resources whose existence cannot be probed need
to ensure that they do not reveal any information about those resources to to ensure that they do not reveal any information about those resources to
unauthenticated clients. In particular, such servers MUST respond to unauthenticated clients. In particular, such servers MUST respond to
authentication failures with the exact same response that they would have used authentication failures with the exact same response that they would have used
for non-existent resources. For example, this can mean using HTTP status code for nonexistent resources. For example, this can mean using HTTP status code
404 (Not Found) instead of 401 (Unauthorized). 404 (Not Found) instead of 401 (Unauthorized).
The authentication checks described above can take time to compute, and an The authentication checks described above can take time to compute, and an
attacker could detect use of this mechanism if that time is observable by attacker could detect use of this mechanism if that time is observable by
comparing the timing of a request for a known non-existent resource to the comparing the timing of a request for a known nonexistent resource to the
timing of a request for a potentially authenticated resource. Servers can timing of a request for a potentially authenticated resource. Servers can
mitigate this observability by slightly delaying responses to some non-existent mitigate this observability by slightly delaying responses to some nonexistent
resources such that the timing of the authentication verification is not resources such that the timing of the authentication verification is not
observable. This delay needs to be carefully considered to avoid having the observable. This delay needs to be carefully considered to avoid having the
delay itself leak the fact that this origin uses this mechanism at all. delay itself leak the fact that this origin uses this mechanism at all.
Non-probeable resources also need to be non-discoverable for unauthenticated Non-probeable resources also need to be non-discoverable for unauthenticated
users. For example, if a server operator wishes to hide an authenticated users. For example, if a server operator wishes to hide an authenticated
resource by pretending it does not exist to unauthenticated users, then the resource by pretending it does not exist to unauthenticated users, then the
server operator needs to ensure there are no unauthenticated pages with links server operator needs to ensure there are no unauthenticated pages with links
to that resource, and no other out-of-band ways for unauthenticated users to to that resource and no other out-of-band ways for unauthenticated users to
discover this resource. discover this resource.
# Requirements on TLS Usage # Requirements on TLS Usage
This authentication scheme is only defined for uses of HTTP with TLS This authentication scheme is only defined for uses of HTTP with TLS
{{!TLS=RFC8446}}. This includes any use of HTTP over TLS as typically used for {{!TLS=RFC8446}}. This includes any use of HTTP over TLS as typically used for
HTTP/2 {{H2}}, or HTTP/3 {{H3}} where the transport protocol uses TLS as its HTTP/2 {{H2}}, or HTTP/3 {{H3}} where the transport protocol uses TLS as its
authentication and key exchange mechanism {{?QUIC-TLS=RFC9001}}. authentication and key exchange mechanism {{?QUIC-TLS=RFC9001}}.
Because the TLS keying material exporter is only secure for authentication when Because the TLS keying material exporter is only secure for authentication when
it is uniquely bound to the TLS session {{!RFC7627}}, the Concealed it is uniquely bound to the TLS session {{!RFC7627}}, the Concealed
authentication scheme requires either one of the following properties: authentication scheme requires either one of the following properties:
* The TLS version in use is greater or equal to 1.3 {{TLS}}. * The TLS version in use is greater than or equal to 1.3 {{TLS}}.
* The TLS version in use is 1.2 and the Extended Master Secret extension * The TLS version in use is 1.2, and the extended master secret extension
{{RFC7627}} has been negotiated. {{RFC7627}} has been negotiated.
Clients MUST NOT use the Concealed authentication scheme on connections that do Clients MUST NOT use the Concealed HTTP authentication scheme on connections tha t do
not meet one of the two properties above. If a server receives a request that not meet one of the two properties above. If a server receives a request that
uses this authentication scheme on a connection that meets neither of the above uses this authentication scheme on a connection that meets neither of the above
properties, the server MUST treat the request as if the authentication were not properties, the server MUST treat the request as if the authentication were not
present. present.
# Security Considerations {#security} # Security Considerations {#security}
The Concealed HTTP authentication scheme allows a client to authenticate to an The Concealed HTTP authentication scheme allows a client to authenticate to an
origin server while guaranteeing freshness and without the need for the server origin server while guaranteeing freshness and without the need for the server
to transmit a nonce to the client. This allows the server to accept to transmit a nonce to the client. This allows the server to accept
authenticated clients without revealing that it supports or expects authenticated clients without revealing that it supports or expects
authentication for some resources. It also allows authentication without the authentication for some resources. It also allows authentication without the
client leaking the presence of authentication to observers due to clear-text client leaking the presence of authentication to observers due to cleartext
TLS Client Hello extensions. TLS Client Hello extensions.
Since the freshness described above is provided by a TLS key exporter, it can Since the freshness described above is provided by a TLS key exporter, it can
be as old as the underlying TLS connection. Servers can require better be as old as the underlying TLS connection. Servers can require better
freshness by forcing clients to create new connections using mechanisms such as freshness by forcing clients to create new connections using mechanisms such as
the GOAWAY frame (see {{Section 5.2 of H3}}). the GOAWAY frame (see {{Section 5.2 of H3}}).
The authentication proofs described in this document are not bound to The authentication proofs described in this document are not bound to
individual HTTP requests; if the key is used for authentication proofs on individual HTTP requests; if the key is used for authentication proofs on
multiple requests on the same connection, they will all be identical. This multiple requests on the same connection, they will all be identical. This
allows for better compression when sending over the wire, but implies that allows for better compression when sending over the wire, but it implies that
client implementations that multiplex different security contexts over a single client implementations that multiplex different security contexts over a single
HTTP connection need to ensure that those contexts cannot read each other's HTTP connection need to ensure that those contexts cannot read each other's
header fields. Otherwise, one context would be able to replay the Authorization header fields. Otherwise, one context would be able to replay the Authorization
header field of another. This constraint is met by modern Web browsers. If an header field of another. This constraint is met by modern web browsers. If an
attacker were to compromise the browser such that it could access another attacker were to compromise the browser such that it could access another
context's memory, the attacker might also be able to access the corresponding context's memory, the attacker might also be able to access the corresponding
key, so binding authentication to requests would not provide much benefit in key, so binding authentication to requests would not provide much benefit in
practice. practice.
Authentication asymmetric keys used for the Concealed HTTP authentication Authentication asymmetric keys used for the Concealed HTTP authentication
scheme MUST NOT be reused in other protocols. Even though we attempt to scheme MUST NOT be reused in other protocols. Even though we attempt to
mitigate these issues by adding a static prefix to the signed data (see mitigate these issues by adding a static prefix to the signed data (see
{{computation}}), reusing keys could undermine the security guarantees of the {{computation}}), reusing keys could undermine the security guarantees of the
authentication. authentication.
Origins offering this scheme can link requests that use the same key. Origins offering this scheme can link requests that use the same key.
However, requests are not linkable across origins if the keys used are specific However, requests are not linkable across origins if the keys used are specific
to the individual origins using this scheme. to the individual origins using this scheme.
# IANA Considerations {#iana} # IANA Considerations {#iana}
## HTTP Authentication Schemes Registry {#iana-schemes} ## HTTP Authentication Schemes Registry {#iana-schemes}
This document, if approved, requests IANA to register the following entry in IANA has registered the following entry in
the "HTTP Authentication Schemes" Registry maintained at the "HTTP Authentication Schemes" registry maintained at
<[](https://www.iana.org/assignments/http-authschemes)>: <[](https://www.iana.org/assignments/http-authschemes)>:
Authentication Scheme Name: Authentication Scheme Name:
: Concealed : Concealed
Reference: Reference:
: This document : RFC 9729
Notes: Notes:
: None : None
{: spacing="compact"} {: spacing="compact"}
## TLS Keying Material Exporter Labels {#iana-exporter-label} ## TLS Keying Material Exporter Labels {#iana-exporter-label}
This document, if approved, requests IANA to register the following entry in IANA has registered the following entry in
the "TLS Exporter Labels" registry maintained at the "TLS Exporter Labels" registry maintained at
<[](https://www.iana.org/assignments/tls-parameters#exporter-labels)>: <[](https://www.iana.org/assignments/tls-parameters#exporter-labels)>:
Value: Value:
: EXPORTER-HTTP-Concealed-Authentication : EXPORTER-HTTP-Concealed-Authentication
DTLS-OK: DTLS-OK:
: N : N
Recommended: Recommended:
: Y : Y
Reference: Reference:
: This document : RFC 9729
{: spacing="compact"} {: spacing="compact"}
## HTTP Field Name ## HTTP Field Name
This document, if approved, requests IANA to register the following entry in IANA has registered the following entry in
the "Hypertext Transfer Protocol (HTTP) Field Name" registry maintained at the "Hypertext Transfer Protocol (HTTP) Field Name Registry" maintained at
<[](https://www.iana.org/assignments/http-fields/http-fields.xhtml)>: <[](https://www.iana.org/assignments/http-fields/http-fields.xhtml)>:
Field Name: Field Name:
: Concealed-Auth-Export : Concealed-Auth-Export
Status: Status:
: permanent : permanent
Structured Type: Structured Type:
: Item : Item
Reference: Reference:
: This document : RFC 9729
Comments: Comments:
: None : None
{: spacing="compact"} {: spacing="compact"}
--- back --- back
# Acknowledgments {#acknowledgments} # Acknowledgments {#acknowledgments}
{:numbered="false"} {:numbered="false"}
 End of changes. 63 change blocks. 
76 lines changed or deleted 71 lines changed or added

This html diff was produced by rfcdiff 1.48.