Network Working Group M. Thomson Internet-Draft Mozilla Intended status: Standards Track October 19, 2015 Expires: April 21, 2016 Message Encryption for Web Push draft-ietf-webpush-encryption-01 Abstract A message encryption scheme is described for the Web Push protocol. This scheme provides confidentiality and integrity for messages sent from an Application Server to a User Agent. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 21, 2016. Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Thomson Expires April 21, 2016 [Page 1] Internet-Draft Web Push Encryption October 2015 Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Notational Conventions . . . . . . . . . . . . . . . . . 3 2. Key Generation and Agreement . . . . . . . . . . . . . . . . 3 2.1. Diffie-Hellman Group Information . . . . . . . . . . . . 3 2.2. Key Distribution . . . . . . . . . . . . . . . . . . . . 4 3. Message Encryption . . . . . . . . . . . . . . . . . . . . . 4 4. Message Decryption . . . . . . . . . . . . . . . . . . . . . 5 5. Mandatory Group and Public Key Format . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. Security Considerations . . . . . . . . . . . . . . . . . . . 5 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . 7 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction The Web Push protocol [I-D.thomson-webpush-protocol] is an intermediated protocol by necessity. Messages from an Application Server are delivered to a User Agent via a Push Service. +-------+ +--------------+ +-------------+ | UA | | Push Service | | Application | +-------+ +--------------+ +-------------+ | | | | Setup | | |<====================>| | | Provide Subscription | |-------------------------------------------->| | | | : : : | | Push Message | | Push Message |<---------------------| |<---------------------| | | | | This document describes how messages sent using this protocol can be secured against inspection or modification by a Push Service. Web Push messages are the payload of an HTTP message [RFC7230]. These messages are encrypted using an encrypted content encoding [I-D.thomson-http-encryption]. This document describes how this content encoding is applied and describes a recommended key management scheme. Thomson Expires April 21, 2016 [Page 2] Internet-Draft Web Push Encryption October 2015 For efficiency reasons, multiple users of Web Push often share a central agent that aggregates push functionality. This agent can enforce the use of this encryption scheme by applications that use push messaging. An agent that only delivers messages that are properly encrypted strongly encourages the end-to-end protection of messages. A web browser that implements the Web Push API [API] can enforce the use of encryption by forwarding only those messages that were properly encrypted. 1.1. Notational Conventions The words "MUST", "MUST NOT", "SHOULD", and "MAY" are used in this document. It's not shouting, when they are capitalized, they have the special meaning described in [RFC2119]. 2. Key Generation and Agreement For each new subscription that the User Agent generates for an application, it also generates an asymmetric key pair for use in Diffie-Hellman (DH) [DH] or elliptic-curve Diffie-Hellman (ECDH) [ECDH]. The public key for this key pair can then be distributed by the application to the Application Server along with the URI of the subscription. The private key MUST remain secret. This key pair is used with the Diffie-Hellman key exchange as described in Section 4.2 of [I-D.thomson-http-encryption]. A User Agent MUST generate and provide a public key for the scheme described in Section 5. The public key MUST be accompanied by a key identifier that can be used in the "keyid" parameter to identify which key is in use. Key identifiers need only be unique within the context of a subscription. 2.1. Diffie-Hellman Group Information As described in [I-D.thomson-http-encryption], use of Diffie-Hellman for key agreement requires that the receiver provide clear information about it's chosen group and the format for the "dh" parameter with each potential sender. This document only describes a single ECDH group and point format, described in Section 5. A specification that defines alternative groups or formats MUST provide a means of indicating precisely which group and format is in use for every public key that is provided. Thomson Expires April 21, 2016 [Page 3] Internet-Draft Web Push Encryption October 2015 2.2. Key Distribution The application using the subscription distributes the key identifier and public key along with other subscription information, such as the subscription URI and expiration time. The communication medium by which an application distributes the key identifier and public key MUST be confidentiality protected for the reasons described in [I-D.thomson-webpush-protocol]. Most applications that use push messaging have a pre-existing relationship with an Application Server. Any existing communication mechanism that is authenticated and provides confidentiality and integrity, such as HTTPS [RFC2818], is sufficient. 3. Message Encryption An Application Server that has the key identifier, public key, group and format information can encrypt a message for the User Agent. The Application Server generates a new DH or ECDH key pair in the same group as the value generated by the User Agent. From the newly generated key pair, the Application Server performs a DH or ECDH computation with the public key provided by the User Agent to find the shared secret. The Application Server then generates 16 octets of salt that is unique to the message. A random [RFC4086] salt is acceptable. These values are used to calculate the content encryption key as defined in Section 3.2 of [I-D.thomson-http-encryption]. The Application Server then encrypts the payload. Header fields are populated with URL-safe base-64 encoded [RFC4648] values: o the salt is added to the "salt" parameter of the Encryption header field; and o the public key for its DH or ECDH key pair is placed in the "dh" parameter of the Encryption-Key header field. An application server MUST encrypt a push message with a single record. This allows for a minimal receiver implementation that handles a single record. If the message is 4096 octets long, or longer, this means that the "rs" parameter MUST be set to a value that is longer than the encrypted push message length. Note that a push service is not required to support more than 4096 octets of payload body, which equates to 4080 octets of cleartext, so Thomson Expires April 21, 2016 [Page 4] Internet-Draft Web Push Encryption October 2015 the "rs" parameter can be omitted for messages that fit within this limit. An application server MUST NOT use other content encodings for push messages. In particular, content encodings that compress could result in leaking of push message contents. The Content-Encoding header field therefore has exactly one value, which is "aesgcm128". Multiple "aesgcm128" values are not permitted. An application server MUST include exactly one entry in each of the Encryption and Encryption-Key header fields. This allows the "keyid" parameter to be omitted from both header fields. An application server MUST NOT include a "key" parameter in the Encryption header field. 4. Message Decryption A User Agent decrypts messages are decrypted as described in [I-D.thomson-http-encryption]. The value of the "keyid" parameter is used to identify the correct key pair, if there is more than one possible value for the corresponding subscription. A receiver is not required to support multiple records. Such a receiver MUST check that the record size is large enough to contain the entire payload body in a single record. The "rs" parameter MUST NOT be exactly equal to the length of the payload body minus the length of the authentication tag (16 octets); that length indicates that the message has been truncated. 5. Mandatory Group and Public Key Format User Agents that enforce encryption MUST expose an elliptic curve Diffie-Hellman share on the P-256 curve [FIPS186]. Public keys, such as are encoded into the "dh" parameter, MUST be in the form of an uncompressed point as described in [X.692]. 6. IANA Considerations This document has no IANA actions. 7. Security Considerations The security considerations of [I-D.thomson-http-encryption] describe the limitations of the content encoding. In particular, any HTTP header fields are not protected by the content encoding scheme. A User Agent MUST consider HTTP header fields to have come from the Push Service. An application on the User Agent that uses information Thomson Expires April 21, 2016 [Page 5] Internet-Draft Web Push Encryption October 2015 from header fields to alter their processing of a push message is exposed to a risk of attack by the Push Service. The timing and length of communication cannot be hidden from the Push Service. While an outside observer might see individual messages intermixed with each other, the Push Service will see what Application Server is talking to which User Agent, and the subscription they are talking about. Additionally, the length of messages could be revealed unless the padding provided by the content encoding scheme is used to obscure length. 8. References 8.1. Normative References [DH] Diffie, W. and M. Hellman, "New Directions in Cryptography", IEEE Transactions on Information Theory, V.IT-22 n.6 , June 1977. [ECDH] SECG, "Elliptic Curve Cryptography", SEC 1 , 2000, . [FIPS186] National Institute of Standards and Technology (NIST), "Digital Signature Standard (DSS)", NIST PUB 186-4 , July 2013. [I-D.thomson-http-encryption] Thomson, M., "Encrypted Content-Encoding for HTTP", draft- thomson-http-encryption-01 (work in progress), July 2015. [I-D.thomson-webpush-protocol] Thomson, M., Damaggio, E., and B. Raymor, "Generic Event Delivery Using HTTP Push", draft-thomson-webpush- protocol-00 (work in progress), April 2015. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/ RFC2119, March 1997, . [RFC4086] Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10.17487/RFC4086, June 2005, . [X.692] ANSI, "Public Key Cryptography For The Financial Services Industry: The Elliptic Curve Digital Signature Algorithm (ECDSA)", ANSI X9.62 , 1998. Thomson Expires April 21, 2016 [Page 6] Internet-Draft Web Push Encryption October 2015 8.2. Informative References [API] Sullivan, B., Fullea, E., and M. van Ouwerkerk, "Web Push API", 2015, . [RFC2818] Rescorla, E., "HTTP Over TLS", RFC 2818, DOI 10.17487/ RFC2818, May 2000, . [RFC4648] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 4648, DOI 10.17487/RFC4648, October 2006, . [RFC7230] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing", RFC 7230, DOI 10.17487/RFC7230, June 2014, . Author's Address Martin Thomson Mozilla Email: martin.thomson@gmail.com Thomson Expires April 21, 2016 [Page 7]