Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
TokenBinding Specs@idcon mini Vol4
ritou
November 29, 2018
Technology
0
320
TokenBinding Specs@idcon mini Vol4
ritou
November 29, 2018
Tweet
Share
More Decks by ritou
See All by ritou
ritou
3
3.9k
ritou
1
5.1k
ritou
1
3.2k
ritou
3
740
ritou
11
4.8k
ritou
1
830
ritou
1
260
ritou
5
2.9k
ritou
12
13k
Other Decks in Technology
See All in Technology
humank
0
140
soracom
PRO
0
450
hatumeika
0
4.6k
higebu
1
260
hanafusa1991
0
630
himidev
6
3.6k
yujioshima
1
550
germsvel
1
190
443n0511
0
100
jukiya330
0
230
sosai
0
170
masahirokawahara
0
290
Featured
See All Featured
bkeepers
PRO
415
58k
paulrobertlloyd
72
3.9k
caitiem20
314
18k
jrom
120
7.4k
jakevdp
778
200k
mza
82
4.4k
marcelosomers
224
15k
qrush
288
19k
3n
169
23k
schacon
152
6.9k
tmm1
64
10k
mthomps
45
2.5k
Transcript
None
2018/11/29 idcon mini Vol.4 2
• rfc8471 • rfc8472 • rfc8473 2018/11/29 idcon mini Vol.4
3
• • • • • 2018/11/29 idcon mini Vol.4 4
(重要)TLSのバージョンについて ➢ https://tools.ietf.org/html/draft-ietf-tokbind- tls13-02 2018/11/29 idcon mini Vol.4 5
rfc8471 2018/11/29 idcon mini Vol.4 6
➢ version 1.0 of the Token Binding protocol ➢ the
format of the Token Binding protocol message the process of establishing a Token Binding the format of the Token Binding ID the process of validating a bound token 2018/11/29 idcon mini Vol.4 7
• プロトコル概要 • プロトコル内で扱われるメッ セージ • • 2018/11/29 idcon mini
Vol.4 8
• Bearer Token Sender Constrained Token • • • RFC8472
2018/11/29 idcon mini Vol.4 9
• • • RFC8473 • フェデレーションのユースケースについても考慮 2018/11/29 idcon mini Vol.4
10
• TokenBindingType • TokenBindingID • Signature • 2018/11/29 idcon mini
Vol.4 11
• • • referred_token_binding • Clientが別のServerに送るた めのTokenを要求 2018/11/29 idcon mini
Vol.4 12
• • • 2018/11/29 idcon mini Vol.4 13
• • • • EKM(Exported Key Material) from TLS Session
2018/11/29 idcon mini Vol.4 14
• • • • • 2018/11/29 idcon mini Vol.4 15
rfc8472 2018/11/29 idcon mini Vol.4 16
➢ Transport Layer Security (TLS) extension for the negotiation ➢
without introducing additional network round trips 2018/11/29 idcon mini Vol.4 17
• • 2018/11/29 idcon mini Vol.4 18
19 https://www.ipa.go.jp/security/ipg/documents/ipa-cryptrec-gl-3001-2.0.pdf
• 2018/11/29 idcon mini Vol.4 20
• • 2018/11/29 idcon mini Vol.4 21
• • • • 2018/11/29 idcon mini Vol.4 22
rfc8473 2018/11/29 idcon mini Vol.4 23
➢ collection of mechanisms that allow HTTP servers to cryptographically
bind security tokens ➢ how TokenBindingMessages are embedded in HTTP 2018/11/29 idcon mini Vol.4 24
• • • Federation ユースケース • 2018/11/29 idcon mini Vol.4
25
• • Sec-Token-Binding • 2018/11/29 idcon mini Vol.4 26
• • • • eTLD + 1 : example.com 2018/11/29
idcon mini Vol.4 27
• • • • 2018/11/29 idcon mini Vol.4 28
None
• • • Server1が発行したSecurityTokenをServer2が検証 するためには? 2018/11/29 idcon mini Vol.4 30
• • • • Token Consumer • Token Provider 2018/11/29
idcon mini Vol.4 31
32
• • • Include-Referred-Token-Binding-ID: true 2018/11/29 idcon mini Vol.4 33
TPにアクセスする際に、TC向けのTBIDに紐づくKey-Pair で作成した値を含む [{EKM2}Ks1,TBID1,referred_token_binding] 2018/11/29 idcon mini Vol.4 34
35
36 https://lepidum.co.jp/blog/2016-12-20/tokbind/
ritou
humank
soracom
hatumeika
higebu
hanafusa1991
himidev
yujioshima
germsvel
443n0511
jukiya330
sosai
masahirokawahara
bkeepers
paulrobertlloyd
caitiem20
jrom
jakevdp
mza
marcelosomers
qrush
3n
schacon
tmm1
mthomps
![TPにアクセスする際に、TC向けのTBIDに紐づくKey-Pair で作成した値を含む [{EKM2}Ks1,TBID1,referred_token_binding] 2018/11/29 idcon mini Vol.4 34](https://files.speakerdeck.com/presentations/a1152dd4f24d42479f7ac175ae27e605/slide_33.jpg){kind=link}
