Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Dbsc(e) #67

Merged
merged 49 commits into from
Sep 19, 2024
Merged

Dbsc(e) #67

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
49 commits
Select commit Hold shift + click to select a range
70d8d7b
Draft for DBSC(E)
sameerag Aug 9, 2024
5beef49
Update IDP with Public Local Key Helper Flow
sameerag Aug 9, 2024
d8bdefa
Update IDP=RP case
sameerag Aug 9, 2024
421c8bf
Update IDP with Private Local Key Helper
sameerag Aug 9, 2024
aca33c3
Update TOC
sameerag Aug 9, 2024
06cc8d0
Update folder name
sameerag Aug 9, 2024
5c7a614
Update highlevel design
sameerag Aug 12, 2024
e170890
Update name
sameerag Aug 12, 2024
2b8b246
Update folder name
sameerag Aug 12, 2024
dcacb11
Update high level design and some text
sameerag Aug 15, 2024
ced647c
Undo auto formatting changes
sameerag Aug 16, 2024
75d4258
Add DBSC(E) section
sameerag Aug 16, 2024
20c0b06
Correct typos
sameerag Aug 16, 2024
9659fc4
Update nonce and clock-skew desc
sameerag Aug 16, 2024
4146174
Address feedback on wording
sameerag Aug 16, 2024
874b514
Address feedback
sameerag Aug 19, 2024
8ed3c80
Address feedback
sameerag Aug 19, 2024
c9e6774
Addressing feedback
sameerag Aug 24, 2024
4b167e0
Addressing feedback
sameerag Aug 26, 2024
960ef9a
Move key generation definitions to overview.
sameerag Aug 26, 2024
fdacec8
Update TOC
sameerag Aug 26, 2024
e7af10d
Address feedback
sameerag Aug 27, 2024
6925b97
Update DBSCE/Overview.md
sameerag Aug 27, 2024
fd96c66
Add draft notice for KeyGeneration file
sameerag Aug 27, 2024
72e7297
Merge branch 'dbsc-e' of https://github.com/sameerag/dbsc into dbsc-e
sameerag Aug 27, 2024
8f4ba80
Update introduction
sameerag Aug 27, 2024
8f519da
Update nonce for Public Local Key Helper case
sameerag Aug 27, 2024
009221e
Update PrivateLocalKeyHelper with generic headers
sameerag Aug 27, 2024
2358c87
Rework diagrams
sameerag Aug 28, 2024
7bc3745
Add more precision to Why DBSC(E) section , add platform proposals
sameerag Aug 28, 2024
b319b66
Address wording and add `DRAFT` for Private local key helper
sameerag Aug 29, 2024
45c04dd
Address feedback, reword some of the key gen specifics
sameerag Sep 4, 2024
82e7f5f
Update Private local key helper section
sameerag Sep 4, 2024
c6509de
Refine binding statement and binding key desc
sameerag Sep 4, 2024
12ae206
Minor edit on language, feedback
sameerag Sep 5, 2024
12a70ac
Update editable links
sameerag Sep 6, 2024
ccb2684
Add line separators
sameerag Sep 6, 2024
bf2ca85
Adding TOC under the right section
sameerag Sep 6, 2024
c7c23dc
Update nonce and private local key helper specifics
sameerag Sep 12, 2024
8aeda9f
Update mac local key helper
sameerag Sep 12, 2024
94874ff
Update language for publicKey and thumbprint, mac updates
sameerag Sep 13, 2024
79d1e74
Update text on use cases, remove txt files
sameerag Sep 16, 2024
0af8c43
Update local key helper android
sameerag Sep 16, 2024
9616a67
removed follow up texts - will track offline
sameerag Sep 16, 2024
04a65c2
Add missing image, address few comments.
sameerag Sep 18, 2024
93f0948
Move the IDP==RP section to appendix for clarity.
sameerag Sep 19, 2024
062b0d0
Remove SVG in Appendix to avoid clutter
sameerag Sep 19, 2024
18c44e5
Fix a typo, clarify text
sameerag Sep 19, 2024
bcbb500
Merge remote-tracking branch 'upstream/main' into dbsc-e
sameerag Sep 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions DBSCE/DBSC(E).svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
53 changes: 53 additions & 0 deletions DBSCE/DBSC(E).txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@

participant "<color:#blue>Attestation Service" as s
participant "<color:#blue>LocalKeyHelper/TPM" as t
participant "Browser" as b
participant "Server\n<color:#blue>RP/IDP" as w

autonumber 1
b->w: sign-in flow
w->b: <color:#blue>302\nSec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2, ..], HelperCacheTime
note over b:<color:#blue>browser pre-generates keys\nbased on headers\n\n<color:#blue>currentHelperId=\nevaluate policy for \n(Server, [HelperId1, HelperId2...])
b->t: request create keypair \n<color:#blue>(serverUrl,challenge,extraParams?)\n pre generates key and attestation
t->t: <color:#blue>generateKey()
note over t: For Enterprise, this call will be platform\nbased & generates device attestation
t->s: <color:#blue>generateBindingStatement\n(publicKey, AIK, challenge)
s->t: <color:#blue>BindingStatement\n{challenge, thumbprint(publicKey), extraClaims}
t->b: return public key &\n<color:#blue>BindingStatement\n{challenge, thumbprint(publicKey), extraClaims?..}
note over b: <color:#blue>Cache the key for server
b->w: <color:#blue>Load sign-in\nSec-Session-Keys: KeyId,\nBinding Statement\n{challenge, thumbprint(publicKey), extraClaims...}
w->w: <color:#blue>validate signature on the \nbinding statement and challenge\nstore thumbprint, KeyId
w->b: 200 w/signed-in content, response includes header to start secure session. \nHeader: ""Sec-Session-Registration: session_identifier=..., challenge=..."",\n<color:#blue>KeyId, extraParams</color>\n(challenge required for private key proof of possession)
note over b: browser initiates session binding\nbased on header presence
note over b: create JWT w/challenge
b->t:request sign JWT \n<color:#blue>(challenge,public key, extraParams?..)
t->b: return JWT signature
b->w: POST /securesession/startsession \n\n""{"alg":..., "typ":"JWT", ...}{...,"key":"<public_key>"}""
note over w: store public key, establish session\n<color:#blue>validate the JWT
w->b: 200 w/cookie and session ID\nbody includes scope of cookies (origin + path)\n\nheader: ""Set-Cookie: auth_cookie""\nbody: ""{"session_identifier":...}""
==Some time passes...==
note over b: user clicks link for path /somecontent
b->b: check if origin+path requires bound cookie
alt bound cookie not required
b->w: GET /somecontent
w->b: 200 w/content
else bound cookie required
b->b: check if required cookies exist
alt required cookie present and not expired
b->w: GET /somecontent
w->b: 200 w/content
else required cookie missing or expired
note over b: request deferred while we get cookies...
b->w: GET /securesession/refresh \nheader: ""Sec-Session-Id: [session ID]""
w->b:401\n\nHeader: ""Sec-Session-Challenge: session_identifier=..., challenge=...""\n<color:#blue>"extraParams":<custom..>}""
note over b: create JWT w/challenge
b->t:request sign JWT\n<color:#blue>challenge, extraParams...
t->b: return JWT signature
b->w: GET /securesession/refresh \nheader: ""Sec-Session-Response: [JWT]""
note over w: validate proof of possesion
w->b:200 w/cookie and session ID\nbody includes scope of cookies (origin + path)\n\nheader: ""Set-Cookie: auth_cookie""\nbody: ""{"session_identifier":...}""
note over b: secure session established, resume\noriginal request
b->w: GET /somecontent
w->b: 200 w/some content
end
end
1 change: 1 addition & 0 deletions DBSCE/DeviceRegistration.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
10 changes: 10 additions & 0 deletions DBSCE/DeviceRegistration.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
title Device registration

autonumber 1
participant "Device registration client" as D
participant "Attestation service" as A

note over D, A: Provisioning ...
D->>A: Register device (DeviceKey, AIK for KG, AIK for TPM, AIK for Software)
A->>D: 200 OK

1 change: 1 addition & 0 deletions DBSCE/IDPCallsPrivateLocalKeyHelper.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
92 changes: 92 additions & 0 deletions DBSCE/IDPCallsPrivateLocalKeyHelper.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,92 @@
title IdP calls a private Local Key Helper

autonumber 1
participant "Relying Party" as W
participant "IdP" as I
participant "Browser" as B
participant "Local Key Helper" as P

note over W, P: IdP life...
B->>I: Any request
I->>B: Any response\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime
B->>B: Cache HelperId for IDPURL for HelperCacheTime

note over W, P: Sign in...
W->>B: Start sign in (302)\nSec-Session-Registration: path, RPChallenge,... \nSec-Session-GenerateKey: RPURL, IDPURL, extraParams
B->>B: Check for cached HelperId for IDPURL

alt Cached HelperId present (99.99% cases)

B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1, HelperId2...])

B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...)

P->>P: Generate Key

loop For each device
P->>P: create binding statement S(publicKey, AIK)
end

P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
B->>B: Remember this key is for RP (and maybe path)

B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]

opt nonce is stale
I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams
B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\nx-ms-RefreshTokenCredential2{new_nonce}\nx-ms-DeviceCredential2{new_nonce} ...\n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
end

else No cached HelperId present


B->>I: Load sign-in (follow the 302)\n\nx-ms-RefreshTokenCredential1{nonce}\nx-ms-DeviceCredential1{nonce}\nx-ms-RefreshTokenCredential2{nonce}\nx-ms-DeviceCredential2{nonce} ... \n\nSec-Session-HelperDiscoveryNeeded: RPURL, IDPURL, extraParams

note over I, B: No binding info present, but the reequest has GenerratKey, so IdP issues helper id list

I->>B: 302 to IdP with qs parameter sso_nonce=new_nonce\n\nSec-Session-GenerateKey: RPURL, IDPURL, extraParams\nSec-Session-HelperIdList: [HelperId1, HelperId2], HelperCacheTime
B->>B: Cache HelperId for IDPURL for HelperCacheTime

B->>B: currentHelperId = Evaluate policy for (IdP, [HelperId1])
B->>P: Pre-gen key and attest (RPURL, IDPURL, extraParams...)

P->>P: Generate Key

loop For each device
P->>P: create binding statement S(publicKey, AIK)
end

P->>B: Return: KeyId, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]
B->>B: Remember this key is for RP (and maybe path)

B->>I: Load sign-in\n\nx-ms-RefreshTokenCredential1{new_nonce}\nx-ms-DeviceCredential1{new_nonce}\n x-ms-RefreshTokenCredential2{new_nonce}\n x-ms-DeviceCredential2{new_nonce} ... \n\nSec-Session-BindingInfo: KeyId, PublicKey, \narray of binding statements [BindingStatement1 {extraClaims....}, \nBindingStatement2 {extraCalims...}]


end

opt SSO information is not sufficient
I->>B: Sign in ceremony
B->>I: Sign done
end

I->>B: Authorization code, KeyId


note over W, B: Since DBSC session has been initialized already for RP, browser needs to generate JWT on redirect back
B->>P: Request Sign JWT (path, RPChallenge, extraParams)
P->>B: Return JWT Signature
note over W, B: JWT is appended by the browser before returning the response from IDP back to the RP
B->>W: Authorization code, KeyId, JWT
W->>I: (confidential client request) redeem authorization code
I->>W: (confidential client response) return id_token
W->>W: parse id_token and validate binding, match with the JWT from the previous
W->>B: Bound AuthCookie

note over W, P: Refresh DBSC...
B->>W: GET /securesession/refresh (sessionID)
W->>B: Challenge, **extraParams**
B->>P: Request Sign JWT (sessionID, RPChallenge, **extraParams**)
P->>B: Return JWT Signature
B->>W: GET /securesession/refresh (JWT)
W->>W: Validate JWT (w/public key on file)
W->>B: AuthCookie
1 change: 1 addition & 0 deletions DBSCE/IDPCallsPublicLocalKeyHelper.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
48 changes: 48 additions & 0 deletions DBSCE/IDPCallsPublicLocalKeyHelper.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
title IdP calls a public Local Key Helper

autonumber 1
participant "Relying Party" as W
participant "IdP" as I
participant "Browser" as B
participant "Local Key Helper" as P
participant "AttestationService" as A

note over W, A: Sign in...
W->>B: Start sign in (302)
B->>I: Load sign-in (follow the 302)

I->>B: Sec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime
B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...])
B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, \nchallenge=nonce, extraParams...)

P->>P: Generate Key

P->>A: Get Binding Statement \n(publicKey, AIK, challenge=nonce)
A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
B->>B: Remember this key is for RP (and maybe path)
B->>I: Sec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
I->>I: validate signature on the binding statement \n& nonce, store thumbprint

I->>B: Sign in ceremony
B->>I: Sign done

I->>B: Auth tokens (with thumbprint), \nKeyId
B->>W: Auth tokens (with thumbprint), \nKeyId

note over W, A: Initiate DBSC ...
W->>B: StartSession \n(challenge=nonce, token?, KeyId?, **extraParams...**)
B->>P: Request Sign JWT \n(uri, challenge=nonce,\n token?, keyId?, **extraParams...**)
P->>B: Return JWT Signature
B->>W: POST /securesession/startsession (JWT, tokens)
W->>W: Validate JWT, \n(w/ match thumbprint \nin the tokens)
W->>B: AuthCookie

note over W, A: Refresh DBSC...
B->>W: GET /securesession/refresh (sessionID)
W->>B: Challenge, **extraParams...**
B->>P: Request Sign JWT (sessionID, **extraParams...**)
P->>B: Return JWT Signature
B->>W: GET /securesession/refresh (JWT)
W->>W: Validate JWT \n(w/public key on file)
W->>B: AuthCookie
1 change: 1 addition & 0 deletions DBSCE/IDPSameAsRP-CallsPublicLocalKeyHelper.svg
View file
Open in desktop
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
45 changes: 45 additions & 0 deletions DBSCE/IDPSameAsRP-CallsPublicLocalKeyHelper.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
title IdP same as RP, calls a public Local Key Helper

autonumber 1
participant "Relying Party" as W
participant "IdP" as I
participant "Browser" as B
participant "Local Key Helper" as P
participant "AttestationService" as A

note over W, A: Sign in...
W->>B: Start sign in (302) \n\nSec-Session-GenerateKey: \nRPUrl, IDPUrl, challenge=nonce, extraParams...\n\nSec-Session-HelperIdList: \n[HelperId1, HelperId2], HelperCacheTime

B->>B: currentHelperId = \nEvaluate policy for (IdP, [HelperId1, HelperId2,...])
B->>P: Pre-gen key and \nattest (RPUrl, IDPUrl, challenge=nonce, extratParams...)

P->>P: Generate Key

P->>A: Get Binding Statement \n (publicKey, AIK, challenge=nonce)
A->>P: Return binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
P->>B: KeyId, \nReturn binding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
B->>B: Remember this key is for RP (and maybe path)
B->>I: Load sign-in \nSec-Session-Keys: KeyId, \nBinding statement \n{ nonce, thumbprint(publicKey), extraClaims... }
I->>I: validate signature \non the binding statement and nonce, \nstore thumbprint

I->>B: Sign in ceremony
B->>I: Sign done

I->>W: API(Auth tokens with thumbprint, KeyId)

note over W, A: Initiate DBSC ...
W->>B: 200 OK \nSec-Session-Registration: \npath, RPChallenge, token?, KeyId, extraParams
B->>P: Request Sign JWT (uri, challenge, token?, keyId?, **extraParams...**)
P->>B: Return JWT Signature
B->>W: POST /securesession/startsession (JWT, tokens)
W->>W: Validate JWT, \n(w/ match thumbprint in the tokens)
W->>B: AuthCookie

note over W, A: Refresh DBSC...
B->>W: GET /securesession/refresh (sessionID)
W->>B: Challenge, **extraParams...**
B->>P: Request Sign JWT (sessionID, **extraParams...**)
P->>B: Return JWT Signature
B->>W: GET /securesession/refresh (JWT)
W->>W: Validate JWT (w/public key on file)
W->>B: AuthCookie
Loading