Wave Systems Corp. (fka WAVXQ)

[Genz2]

IETF approves new internet standards to secure authentication tokens

https://www.zdnet.com/article/ietf-approves-new-internet-standards-to-secure-authentication-tokens/

New IETF standards aim to protect authentication tokens against replay attacks.

The Internet Engineering Task Force (IETF) --the organization that develops and promotes Internet standards-- has approved three new standards this week designed to improve the security of authentication tokens against "replay attacks."

Authentication tokens are used everywhere online these days. When a person logs into his Google or Facebook account, an authentication token is generated and stored in a cookie file inside the user's browser.

When the user accesses the Google or Facebook site, instead of asking the user to enter his/her credentials again, the user's browser gives the website the user's authentication token.

But authentication tokens haven't only been used with browser cookies and websites. They are also used inside the OAuth protocol, the JSON Web Token (JWT) standard, and a slew of public or private libraries implementing token-based authentication, often used with APIs and enterprise software solutions.

Hackers have figured out a long time ago that they could steal these tokens instead of users' passwords and access accounts without the need to know a password. Such attacks are known as "replay attacks."

This week, with contributions from Google, Microsoft, and Kings Mountain Systems engineers, the IETF has formally approved three new standards meant to protect token-based authentication systems:
•RFC 8471 - The Token Binding Protocol Version 1.0
•RFC 8472 - Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
•RFC 8473 - Token Binding over HTTP

These three standards are meant to add an extra layer of security for the process of generating and negotiating a new access/authentication token.

The general idea is to create a connection between the user's device and the token, so even if an attacker manages to record a token, he won't be able to execute a replay attack unless he was using the same exact device or device configuration the token was created on.

At the technical level, according to RFC 4871, this can be done by the client's device generating a pair of a private and public key. The optimal scenario would be if both keys were generated inside a secure hardware module, such as a PC's TPM (Trusted Platform Module), intrinsically linking the private key with the hardware.

These two keys (the private key stored on the user's PC and a public key for a remote server) are then used to sign and encrypt parts of the negotiation steps executed before generating the actual authentication token, resulting in a hardware-dependent token value.

In theory, this sounds great.

Since the vast majority of web traffic today is encrypted, the new Token Binding protocol has been specifically designed around the TLS handshake process that happens before an TLS encrypted session is established.

The protocol's authors say they've designed the token binding process to avoid adding extra round trips to the TLS handshake process, meaning there won't be any unnecessary performance hit to existing servers.

Updates to browsers and servers will be needed in order to support the three RFCs, Tal Be'ery, Co-Founder and Security Research Manager at KZen Networks, told ZDNet in an interview.

The researcher also pointed out that the new Token Binding protocol is not necessarily limited to binding tokens at the hardware level alone, and can also work and securely bind tokens at the software level, meaning it can be implemented almost anywhere.

"It can be used by anything that communicates and needs to maintain a session," Be'ery said. "That includes IoT devices as well."

Currently, the Token Binding protocol has been designed around TLS 1.2, but it will also be modified to work with the newer TLS 1.3.
=================================================================
This one use of the TPM could incentivize millions of people to use their TPM in their computers. People using their TPMs in this instance should be using TPM management software. (like Wave ESC or ETS). imo. These two software products from Wave would appear to have value after an article like this! TPM (Hardware Security) and ESC/ETS (Software Security) is better security than software alone! imo.
=================================================================
https://www.wavesys.com/products/embassy-security-center

Key Features:

Easy security compliance
• When your endpoints are secure and reporting is in place, you’ve got compliance covered

Data protection
• Configure your VPN so that only authorized machines can access it from the outside
• Multi-factor authentication options include any combination of individual passwords, a master password, biometrics, smart cards, or a TPM PKI certificate
• Easy backup and recovery of TPM keys in case of malfunction of the TPM, motherboard, or hard drive
• Enables hardware-based pre-boot authentication to the encrypted hard drive (if equipped)

Simplicity
• Central management of security policies at the machine and user levels via our EMBASSY Remote Administration Server
• Deploy TPMs from multiple manufacturers using a single management system
• Deploy SEDs in minutes that integrate seamlessly with single sign-on (SSO) to Windows and Windows password synchronization

No compromises
• More security without more passwords to remember
• Your devices will perform just the same—our software makes them safer, not slower

Windows 8 Compatibility

• Compatible with Windows 8.1, 8, 7 and Vista operating systems – manage mixed environments from one console


• ESC supports Windows 8 Pro & Enterprise tablets so the same tools can secure all your enterprise endpoints


Application development
• Accelerate your application development, determine compatibility of your application and the TPM by using Wave’s Cryptographic Service Provider or Key Storage Provider, both included with the Embassy Security Center