The Internet Engineering Task Force (IETF), the organization that develops and promotes Internet standards, this week approved three new standards designed to improve the security of authentication tokens against "replay attacks".
Authentication tokens, or tokens, are used on all online services. When a person logs into their Google or Facebook account, an authentication token is generated and stored in a cookie file in the user's browser. When the user accesses the Google or Facebook site again, the user's browser gives the site the authentication token instead of the site asking the user to re-enter their credentials.
But authentication tokens are not only used with browser cookies and websites. They are also used in the context of the OAuth protocol, the JSON Web Token (JWT) standard and a large number of public or private libraries implementing token authentication, often used with APIs and enterprise software solutions.
Hackers have long understood that they can steal these tokens instead of the user's login and password. This allows them to connect to the service without having to know a password. Such attacks are known as "replay attacks".
Protecting token authentication systems
This week, thanks to input from engineers at Google, Microsoft and Kings Mountain Systems, the IETF officially approved three new standards to protect token authentication systems:
RFC 4871 – Token Binding Protocol Version 1.0
RFC 4872 – Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
RFC 4873 – Token Binding over HTTP
These three standards aim to add an extra layer of security to the process of generating and negotiating a new access / authentication token.
The general idea is to create a link between the user's device and the token, so that even if an attacker manages to steal a token, he will not be able to run a replay attack unless he uses the same app or the configuration of the machine on which the token was created.
At the technical level, according to RFC 4871, this is done by having the client device generate a private and public key pair. The optimal scenario is for both keys to be generated inside a secure hardware module, such as the TPM (Trusted Platform Module) of a PC, intrinsically linking the private key to the hardware.
These two keys (the private key stored on the user's PC and a public key for a remote server) are then used to sign and encrypt parts of the negotiation steps carried out before the real authentication token is generated, which gives a token value that depends on the hardware on which it was created.
In theory, it looks awesome. As the vast majority of web traffic is now encrypted, the new Token Binding protocol has been specially designed around the TLS connection process that precedes the establishment of a TLS encrypted session.
The protocol's authors say that they designed the token binding process to avoid adding extra round trips to the initial TLS process, which means there will be no extra work on the existing servers.
Browser and server updates will be needed to support the three new RFC standards, Tal Be'ery, co-founder and director of security research at KZen Networks, told ZDNet. The researcher also pointed out that the new Token Binding protocol is not necessarily limited to binding tokens at the hardware level alone, but can also securely bind tokens at the software level, meaning that it can be implemented almost everywhere.
"It can be used by anything that communicates and needs to maintain a session," said Tal Be'ery. "This also includes IoT (Internet of Things) devices."
The Token Binding protocol is currently designed around TLS 1.2, but it will also be modified to work with the new TLS 1.3.
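The binding idea described above, as an added Go example that is not taken from the RFCs or from the article: a server issues a token tied to the hash of the client's public key and accepts it only with a fresh proof of possession of the private key. The token layout, the names (`issueToken`, `verifyRequest`, `serverSecret`), the choice of Ed25519 and HMAC-SHA-256, and the constructed per-connection values are assumptions made for illustration, not the wire format the standards define.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

var serverSecret = []byte("constructed-demo-secret") // hypothetical server-side MAC key

// tokenMAC authenticates (key hash, user) so a client cannot forge a binding.
func tokenMAC(keyID []byte, user string) []byte {
	m := hmac.New(sha256.New, serverSecret)
	m.Write(keyID)
	m.Write([]byte(user))
	return m.Sum(nil)
}

// issueToken returns SHA-256(client public key) || MAC: a token bound to that key.
func issueToken(user string, pub ed25519.PublicKey) []byte {
	keyID := sha256.Sum256(pub)
	return append(keyID[:], tokenMAC(keyID[:], user)...)
}

// verifyRequest accepts the token only if it is bound to pub and sig proves
// possession of the matching private key for this connection's value.
func verifyRequest(user string, token []byte, pub ed25519.PublicKey, connValue, sig []byte) bool {
	keyID := sha256.Sum256(pub)
	if len(token) != 64 || len(pub) != ed25519.PublicKeySize ||
		!hmac.Equal(token[:32], keyID[:]) || !hmac.Equal(token[32:], tokenMAC(keyID[:], user)) {
		return false
	}
	return ed25519.Verify(pub, connValue, sig)
}

// demo returns the outcome for the legitimate client and two replay attempts.
func demo() (legit, replayOldProof, replayOwnKey bool) {
	clientPub, clientPriv, _ := ed25519.GenerateKey(rand.Reader)
	attackerPub, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	conn1, conn2 := []byte("constructed value, connection 1"), []byte("constructed value, connection 2")
	token, sig1 := issueToken("alice", clientPub), ed25519.Sign(clientPriv, conn1)
	return verifyRequest("alice", token, clientPub, conn1, sig1), // legitimate client
		verifyRequest("alice", token, clientPub, conn2, sig1), // stolen token, replayed proof
		verifyRequest("alice", token, attackerPub, conn2, ed25519.Sign(attackerPriv, conn2))
}

func main() { fmt.Println(demo()) }
```

The stolen token fails in both replay cases because the private key never leaves the client: an old signature does not match the new connection's value, and a signature made with a different key does not match the key hash inside the token.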
Article "IETF approves new internet standards to secure authentication tokens" translated and adapted by ZDNet.fr