This is a post I wrote a while back based on a Twitter thread on the same topic, edited for clarity. Note that it is quite old at this point, and as announcements go it is a bit out of date.


If you haven’t heard, we’re lighting up Token Binding on all our important services. Azure AD is one of the first to take advantage of this. Check out what Alex and Pamela have to say on the topic.

One of the most important of these improvements is the Token Binding family of specifications, which is now well on its way towards final ratification at the Internet Engineering Task Force (IETF). (If you want to learn more about token binding, watch this great presentation by Brian Campbell.)

At Microsoft, we believe that Token Binding can greatly improve the security of both enterprise and consumer scenarios by making high identity and authentication assurance broadly and simply accessible to developers around the world.

Given how positive we believe this impact can be, we have been and continue to be deeply committed to working with the community on the creation and adoption of the token binding family of specifications.

Now that the specifications are close to ratification, I’d like to issue two calls to action:

  1. Begin experimenting with token binding and planning your deployments.
  2. Contact your browser and software vendors, asking them to ship token binding implementations soon if they aren’t already.

I happen to own Token Binding in Windows and I have some thoughts on the matter as well…

So how does Windows use token binding? I should be working on some other things, but I'm procrastinating, so… here's a thread.

The biggest use case right now is when you Azure AD-join your device. We bind your tokens to your device so they aren't portable.

This is a mitigation born of Kerberos TGT weaknesses: you still get SSO, but without the risk of lateral movement by attackers.

The cool thing about our design is that you can store the token binding keys in Key Guard, which is a hypervisor (VSM) key isolation service, meaning the keys are protected in a separate secure VM on your host.

If you've ever run mimikatz, you know it can be trivial to steal TGTs. By comparison, to steal AAD tokens you now need to steal both the token and the token binding key.

Well, that's great but what about when you aren't using AADJ? We also support token binding in ADFS. That means any hybrid or federated scenarios can be protected.

All of this hinges on browser support. Edge (and IE even) has supported this on Windows 10 since the early Threshold days. Our HTTP stack too — that means any app using standard Windows networking and HTTP can benefit.

As a developer you might wonder, so what? Well, if you support token binding, you immediately benefit from platform protection of session cookies, access tokens, refresh tokens, etc. This reduces the impact from XSS, open redirects, malware on box, etc.

But what about the downsides?

First, it's a roundtrip. That means no 0-RTT.
Second, you can't share cookies/tokens. This is the whole point.
Third, proxies are assholes. They either don't understand and break, or strip token binding. Grrrrrrr.

These are frankly reasonable trade-offs if you're concerned with security.

There are other ways you can guarantee this sort of protection too. Client certificates were the original proof of possession mechanism, but they suuuuuuuuuck when rolling out at scale.

And there are ways you *can't* guarantee this sort of protection. WebCrypto was proposed, but besides not being transparent to the developer (who now has to write crypto-related code), it relies on code that can be executed by an attacker. Whoops.

In order to provide useful guarantees, tokens/cookies must be bound at the channel level, outside of what an attacker can control. The stack so far is:

TLS Channel
Windows session
Machine *we're here*
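
To make the "steal the token *and* the key" point from the Azure AD section and the channel-level binding above concrete, here is an added example of the idea in Go. It is not Windows, Azure AD or Key Guard code, and it is a simplified model rather than the wire format of the Token Binding spec: the client holds a per-origin key pair, the server binds each token it issues to a hash of that key, and every later presentation must carry a fresh signature over the TLS connection's Exported Keying Material (EKM). The EKM is a constructed random value standing in for what TLS would export per connection, and ASN.1-encoded ECDSA P-256 signatures stand in for the spec's signature encoding; `Scenarios` is an assumed helper that exercises a legitimate presentation, a stolen token presented with the thief's own key, and a captured proof replayed on a new connection.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Client holds the per-origin Token Binding key. In Windows this key would sit in
// Key Guard; here it is an in-memory ECDSA P-256 key (assumption for the example).
type Client struct{ key *ecdsa.PrivateKey }

func NewClient() (*Client, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Client{key: k}, nil
}

// Public is the key material the client sends as its Token Binding ID.
func (c *Client) Public() *ecdsa.PublicKey { return &c.key.PublicKey }

// Prove signs this connection's EKM, proving possession of the private key on this
// TLS channel. A proof made on one connection is useless on another.
func (c *Client) Prove(ekm []byte) ([]byte, error) {
	digest := sha256.Sum256(ekm)
	return ecdsa.SignASN1(rand.Reader, c.key, digest[:])
}

// bindingID is the server-side name for a key: hex(SHA-256(uncompressed point)).
func bindingID(pub *ecdsa.PublicKey) string {
	sum := sha256.Sum256(elliptic.Marshal(pub.Curve, pub.X, pub.Y))
	return hex.EncodeToString(sum[:])
}

// NewEKM stands in for TLS exporting fresh keying material for a new connection
// (constructed value; real EKM comes from the TLS exporter interface).
func NewEKM() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Server issues opaque tokens and remembers which binding ID each one is bound to.
type Server struct{ issued map[string]string }

func NewServer() *Server { return &Server{issued: map[string]string{}} }

// Issue mints a token after authentication and binds it to the presenting key.
func (s *Server) Issue(pub *ecdsa.PublicKey) string {
	tok := hex.EncodeToString(NewEKM()) // random opaque token value
	s.issued[tok] = bindingID(pub)
	return tok
}

// Verify accepts a token only if it was issued, the presenting key is the one it was
// bound to, and the proof is a valid signature over this connection's EKM.
func (s *Server) Verify(tok string, pub *ecdsa.PublicKey, ekm, proof []byte) error {
	bound, ok := s.issued[tok]
	if !ok {
		return errors.New("unknown token")
	}
	if bindingID(pub) != bound {
		return errors.New("token is bound to a different key")
	}
	digest := sha256.Sum256(ekm)
	if !ecdsa.VerifyASN1(pub, digest[:], proof) {
		return errors.New("proof does not match this connection's EKM")
	}
	return nil
}

// Scenarios reports whether each case is accepted: legitimate use, a stolen token
// presented with the thief's own key, and the victim's captured proof replayed on a
// fresh connection.
func Scenarios() (legit, stolenToken, replay bool, err error) {
	srv := NewServer()
	victim, err := NewClient()
	if err != nil {
		return
	}
	thief, err := NewClient()
	if err != nil {
		return
	}
	tok := srv.Issue(victim.Public())

	ekm1 := NewEKM() // first connection
	proof1, err := victim.Prove(ekm1)
	if err != nil {
		return
	}
	legit = srv.Verify(tok, victim.Public(), ekm1, proof1) == nil

	ekm2 := NewEKM() // attacker's own connection
	thiefProof, err := thief.Prove(ekm2)
	if err != nil {
		return
	}
	stolenToken = srv.Verify(tok, thief.Public(), ekm2, thiefProof) == nil
	replay = srv.Verify(tok, victim.Public(), ekm2, proof1) == nil
	return
}

func main() {
	legit, stolen, replay, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("legitimate=%v stolen-token=%v replayed-proof=%v\n", legit, stolen, replay)
}
```

The design choice to notice is that the server never stores the client's private key and never trusts the token value on its own: the token is only a pointer to a binding ID, and possession of the matching key is re-proven on every connection via the EKM. That is what makes the stolen cookie or access token inert off the box, and why a TLS-terminating proxy that drops the binding breaks the scheme.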

Suppose that's not good enough?

FIDO gives you one more level, which is a *portable* hardware token.

Anyway, thanks for reading through the ramblings of your favorite token binding PM. There's a thread going on within the Google camp about removing token binding from chrome. I hope they don't. Let them know if you think it should stay.