Entry | Token Binding |
Definition |
Token Binding is a proposed standard for a Transport Layer Security (TLS) extension that aims to increase TLS security by using cryptographic certificates on both ends of the TLS connection. Current practice often depends on bearer tokens,[1] which may be lost or stolen. Bearer tokens are also vulnerable to man-in-the-middle attacks or replay attacks. In contrast, bound tokens are established by a user agent that generates a private-public key pair per target server, providing the public key to the server, and thereafter proving possession of the corresponding private key on every TLS connection to the server.

Token Binding is an evolution of the Transport Layer Security Channel ID (previously known as Transport Layer Security – Origin Bound Certificates (TLS-OBC)) extension.

Industry participation is widespread with standards contributors including Microsoft[2], Google[3], PayPal, Ping Identity, and Yubico. Browser support remains limited, however. Only the Microsoft Edge browser has support for token binding.[4]

IETF standards

The following group of IETF RFCs and Internet Drafts comprise a set of interrelated specifications for implementing different aspects of the Token Binding standard.
Related IETF draft standard:
Related standards

The use of TLS Token Binding allows for more robust web authentication. Several web authentication standards developed by standards bodies outside of IETF are adopting the draft standards.
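The difference between a bearer token and a bound token described in the definition above can be shown in a few lines. This is an added example, not code from the article or from any Token Binding implementation: the token layout, the function names and the use of random bytes in place of the TLS exported keying material are assumptions, and the real message format in RFC 8471 signs more than this sketch does.

```javascript
// Added illustration: bound token vs. bearer token. Not the RFC 8471 wire format.
const crypto = require('node:crypto');

const SERVER_SECRET = crypto.randomBytes(32); // server-side MAC key (constructed)
const mac = (s) => crypto.createHmac('sha256', SERVER_SECRET).update(s).digest('hex');

// Client: one key pair per target server, as the article describes.
const newBindingKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });

// Identifier of a public key: SHA-256 over its DER encoding.
const keyId = (pub) => crypto.createHash('sha256')
  .update(pub.export({ type: 'spki', format: 'der' })).digest('hex');

// Server: issue a token whose MAC covers the client's key identifier.
function issueToken(user, pub) {
  const body = `${user}.${keyId(pub)}`;
  return `${body}.${mac(body)}`;
}

// Client: prove possession by signing a value unique to this TLS connection.
// `ekm` stands in for the connection's exported keying material (assumption).
const proveConnection = (priv, ekm) => crypto.sign('sha256', ekm, priv);

// Server: the token is honoured only on a connection where the presenter
// proves possession of the private key the token was bound to.
function acceptRequest(token, pub, ekm, signature) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [user, boundId, tag] = parts;
  const a = Buffer.from(tag), b = Buffer.from(mac(`${user}.${boundId}`));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return false;
  if (boundId !== keyId(pub)) return false;          // token bound to another key
  return crypto.verify('sha256', ekm, pub, signature); // proof tied to this connection
}

function demo() {
  const client = newBindingKey(), thief = newBindingKey();
  const token = issueToken('alice', client.publicKey);
  const ekm1 = crypto.randomBytes(32), ekm2 = crypto.randomBytes(32);
  const sig1 = proveConnection(client.privateKey, ekm1);
  return {
    legit: acceptRequest(token, client.publicKey, ekm1, sig1),
    // Stolen token presented with the thief's own key on a new connection.
    stolenToken: acceptRequest(token, thief.publicKey, ekm2,
      proveConnection(thief.privateKey, ekm2)),
    // Stolen token plus a captured proof, replayed on a different connection.
    replayedProof: acceptRequest(token, client.publicKey, ekm2, sig1),
  };
}
```

Only the first case in `demo()` is accepted; a plain bearer token would have been accepted in all three.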
References

1. M. Jones (Microsoft); D. Hardt (Independent). "The OAuth 2.0 Authorization Framework: Bearer Token Usage". IETF Tools. Internet Engineering Task Force. https://tools.ietf.org/html/rfc6750. Accessed 23 August 2018.
2. Alex Simons. "It's Time for Token Binding". Microsoft Enterprise Mobility + Security. Microsoft. 2018-08-21. https://cloudblogs.microsoft.com/enterprisemobility/2018/08/21/its-time-for-token-binding/. Accessed 23 August 2018.
3. "Google Chrome Privacy Whitepaper". Google. https://www.google.com/chrome/privacy/whitepaper.html#tls. Accessed 23 August 2018.
4. "Introducing Token Binding". Microsoft. 8 November 2016. https://docs.microsoft.com/en-us/windows-server/security/token-binding/introducing-token-binding. Accessed 15 January 2019.
5. A. Popov, Ed.; M. Nystroem; D. Balfanz; J. Hodges. "The Token Binding Protocol Version 1.0". RFC 8471. IETF Tools. IETF. https://datatracker.ietf.org/doc/rfc8471/. Accessed 22 January 2019.
6. A. Popov, Ed.; M. Nystroem; D. Balfanz. "Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation". RFC 8472. IETF Tools. IETF. https://datatracker.ietf.org/doc/rfc8472/. Accessed 22 January 2019.
7. A. Popov; M. Nystroem; D. Balfanz, Ed.; N. Harper; J. Hodges. "Token Binding over HTTP". RFC 8473. IETF Tools. IETF. https://datatracker.ietf.org/doc/rfc8473/. Accessed 22 January 2019.
8. N. Harper. "Token Binding for Transport Layer Security (TLS) Version 1.3 Connections". draft-ietf-tokbind-tls13. IETF. https://datatracker.ietf.org/doc/draft-ietf-tokbind-tls13/. Accessed 22 January 2019.
9. B. Campbell. "HTTPS Token Binding with TLS Terminating Reverse Proxies". draft-ietf-tokbind-ttrp. IETF Tools. IETF. https://tools.ietf.org/html/draft-ietf-tokbind-ttrp. Accessed 22 January 2019.
10. M. Jones; B. Campbell; J. Bradley; W. Denniss. "OAuth 2.0 Token Binding". draft-ietf-oauth-token-binding. IETF Tools. IETF. https://tools.ietf.org/html/draft-ietf-oauth-token-binding. Accessed 22 January 2019.
11. M. Jones (Microsoft); J. Bradley (Yubico); B. Campbell (Ping Identity). "OpenID Connect Token Bound Authentication". OpenID Foundation. https://openid.net/specs/openid-connect-token-bound-authentication-1_0.html. Accessed 23 August 2018.
12. Dirk Balfanz (Google); Alexei Czeskis (Google); Jeff Hodges (PayPal); J.C. Jones (Mozilla); Michael B. Jones (Microsoft); Akshay Kumar (Microsoft); Angelo Liao (Microsoft); Rolf Lindemann (Nok Nok Labs); Emil Lundberg (Yubico); Vijay Bharadwaj (Microsoft); Arnar Birgisson (Google); Hubert Le Van Gong (PayPal); Christiaan Brand (Google); Adam Langley (Google); Giridhar Mandyam (Qualcomm); Mike West (Google); Jeffrey Yasskin (Google). "Web Authentication: An API for accessing Public Key Credentials". World Wide Web Consortium. https://www.w3.org/TR/webauthn/. Accessed 23 August 2018.