Google Inc.

nharper@google.com

General Internet-Draft Negotiation of the Token Binding protocol is only defined for Transport Layer Security (TLS) versions 1.2 and earlier. Token Binding users may wish to use it with TLS 1.3; this document defines a backwards compatible way to negotiate Token Binding on TLS 1.3 connections.

Negotiating Token Binding using a TLS extension as described in is fairly straightforward, but is restricted to TLS 1.2 and earlier. Only one minor change is needed to use this extension to negotiate Token Binding on connections using TLS 1.3 and later. Instead of the server putting the “token_binding” extension in the ServerHello like in TLS 1.2, in TLS 1.3 the server puts it in EncryptedExtensions instead. This document also non-normatively provides a clarification for the definition of the TokenBinding.signature field from , since TLS 1.3 defines an alternate (but API-compatible) exporter mechanism to the one in used in .

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in .

In TLS 1.3, the “token_binding” TLS extension may be present only in ClientHello and EncryptedExtensions handshake messages. The format of the “token_binding” TLS extension remains the same as defined in . A client puts the “token_binding” TLS extension in its ClientHello to indicate its support for the Token Binding protocol. The client should follow the same rules for when to send this extension and the contents of its data as in section 2 of . Since the “token_binding” extension remains unchanged from TLS 1.2 to TLS 1.3 in the ClientHello, a client sending the “token_binding” extension in a TLS 1.3 ClientHello is backwards compatible with a server that only supports TLS 1.2. A server puts the “token_binding” TLS extension in the EncryptedExtensions message following its ServerHello to indicate support for the Token Binding protocol and to select protocol version and key parameters. The server includes the extension following the same rules as section 3 of , with the following changes: The “token_binding” TLS extension is in EncryptedExtensions instead of ServerHello. The server MUST NOT include both the “token_binding” extension and the “early_data” extension on the same connection.

requires that extensions define their interaction with 0-RTT. The “token_binding” extension MUST NOT be used with 0-RTT unless otherwise specified in another draft. A client MAY include both “early_data” and “token_binding” extensions in its ClientHello - this indicates that the client is willing to resume a connection and send early data (without Token Binding), or negotiate Token Binding on the connection and have early data rejected.

This non-normative section provides a clarification on the definition of the TokenBinding.signature field when used on a TLS 1.3 connection. defines the TokenBinding.signature field in terms of an exported keying material (EKM) value as defined in . provides an equivalent interface in section 7.5. For clarity, using the terminology from , the EKM used in section 3.3 of in TLS 1.3 is the exporter value (section 7.5 of ) computed with the following parameters: Secret: exporter_master_secret. label: The ASCII string “EXPORTER-Token-Binding” with no terminating NUL. context_value: No context value is supplied. key_length: 32 bytes. These are the same input values as specified in section 3.3 of .

The consideration regarding downgrade attacks in still apply here: The parameters negotiated in the “token_binding” extension are protected by the TLS handshake. An active network attacker cannot modify or remove the “token_binding” extension without also breaking the TLS connection. This extension cannot be used with 0-RTT data, so the concerns in about replay do not apply here.

In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. This document specifies a Transport Layer Security (TLS) extension for the negotiation of Token Binding protocol version and key parameters. This document specifies version 1.3 of the Transport Layer Security (TLS) protocol. TLS allows client/server applications to communicate over the Internet in a way that is designed to prevent eavesdropping, tampering, and message forgery. A number of protocols wish to leverage Transport Layer Security (TLS) to perform key establishment but then use some of the keying material for their own purposes. This document describes a general mechanism for allowing that. [STANDARDS-TRACK] This document specifies Version 1.0 of the Token Binding protocol. The Token Binding protocol allows client/server applications to create long-lived, uniquely identifiable TLS bindings spanning multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks. To protect privacy, the Token Binding identifiers are only conveyed over TLS and can be reset by the user at any time.