| RFC 9729 | The Concealed HTTP Authentication Scheme | February 2025 |
| Schinazi, et al. | Standards Track | [Page] |
Most HTTP authentication schemes are probeable in the sense that it is possiblefor an unauthenticated client to probe whether an origin serves resources thatrequire authentication. It is possible for an origin to hide the fact that itrequires authentication by not generating Unauthorized status codes; however,that only works with non-cryptographic authentication schemes: cryptographicsignatures require a fresh nonce to be signed. Prior to this document, therewas no existing way for the origin to share such a nonce without exposing thefact that it serves resources that require authentication. This documentdefines a new non-probeable cryptographic authentication scheme.¶
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained athttps://www.rfc-editor.org/info/rfc9729.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
HTTP authentication schemes (seeSection 11 of [HTTP]) allow originsto restrict access for some resources to only authenticated requests. Whilethese schemes commonly involve a challenge where the origin asks the client toprovide authentication information, it is possible for clients to send suchinformation unprompted. This is particularly useful in cases where an originwants to offer a service or capability only to "those who know", while allothers are given no indication the service or capability exists. Such designsrely on an externally defined mechanism by which keys are distributed. Forexample, a company might offer remote employee access to company servicesdirectly via its website using their employee credentials or offer access tolimited special capabilities for specific employees while making discovering(or probing for) such capabilities difficult. As another example, members ofless well-defined communities might use more ephemeral keys to acquire accessto geography- or capability-specific resources, as issued by an entity whoseuser base is larger than the available resources can support (by having thatentity metering the availability of keys temporally or geographically).¶
While digital-signature-based HTTP authentication schemes already exist (e.g.,[HOBA]), they rely on the origin explicitly sending a freshchallenge to the client, to ensure that the signature input is fresh. Thatmakes the origin probeable as it sends the challenge to unauthenticatedclients. This document defines a new signature-based authentication scheme thatis not probeable.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED","MAY", and "OPTIONAL" in this document are to be interpreted asdescribed in BCP 14[RFC2119][RFC8174] when, and only when, theyappear in all capitals, as shown here.¶
This document uses the notation fromSection 1.3 of [QUIC].¶
Various examples in this document contain long lines that may be folded,as described in[RFC8792].¶
This document defines the "Concealed" HTTP authentication scheme. It usesasymmetric cryptography. Clients possess a key ID and a public/private keypair, and origin servers maintain a mapping of authorized key IDs to associatedpublic keys.¶
The client uses a TLS keying material exporter to generate data to be signed(seeSection 3) then sends the signature using the Authorization (orProxy-Authorization) header field (seeSection 11 of [HTTP]). The signatureand additional information are exchanged using authentication parameters (seeSection 4). Once the server receives these, it can check whether thesignature validates against an entry in its database of known keys. The servercan then use the validation result to influence its response to the client, forexample, by restricting access to certain resources.¶
When a client wishes to use the Concealed HTTP authentication scheme with arequest, itSHALL compute the authentication proof using a TLS keying materialexporter with the following parameters:¶
The label is set to "EXPORTER-HTTP-Concealed-Authentication".¶
The context is set to the structure described inSection 3.1.¶
The exporter output length is set to 48 bytes (seeSection 3.2).¶
Note that TLS 1.3 keying material exporters are defined inSection 7.5 of [TLS], while TLS 1.2 keying material exporters are defined in[KEY-EXPORT].¶
The TLS key exporter context is described inFigure 1, using thenotation fromSection 1.3 of [QUIC]:¶
Signature Algorithm (16), Key ID Length (i), Key ID (..), Public Key Length (i), Public Key (..), Scheme Length (i), Scheme (..), Host Length (i), Host (..), Port (16), Realm Length (i), Realm (..),
The key exporter context contains the following fields:¶
The signature scheme sent in thes Parameter (seeSection 4.4).¶
The key ID sent in thek Parameter (seeSection 4.1).¶
The public key used by the server to validate the signature provided by theclient. Its encoding is described inSection 3.1.1.¶
The scheme for this request, encoded using the format of the scheme portionof a URI as defined inSection 3.1 of [URI].¶
The host for this request, encoded using the format of the host portion of aURI as defined inSection 3.2.2 of [URI].¶
The port for this request, encoded in network byte order. Note that the portis either included in the URI or is the default port for the scheme in use;seeSection 3.2.3 of [URI].¶
The realm of authentication that is sent in the realm authenticationparameter (seeSection 11.5 of [HTTP]). If the realm authentication parameter isnot present, thisSHALL be empty. This document does not define a means for theorigin to communicate a realm to the client. If a client is not configured touse a specific realm, itSHALL use an empty realm andSHALL NOT send the realmauthentication parameter.¶
The Signature Algorithm and Port fields are encoded as unsigned 16-bit integersin network byte order. The Key ID, Public Key, Scheme, Host, and Realm fieldsare length-prefixed strings; they are preceded by a Length field thatrepresents their length in bytes. These length fields are encoded using thevariable-length integer encoding fromSection 16 of [QUIC] andMUST beencoded in the minimum number of bytes necessary.¶
Both the "Public Key" field of the TLS key exporter context (see above) and thea Parameter (seeSection 4.2) carry the same public key. The encoding ofthe public key is determined by the signature algorithm in use as follows:¶
The public key is an RSAPublicKey structure[PKCS1] encoded in DER[X.690]. BER encodings that are not DERMUST be rejected.¶
The public key is an UncompressedPointRepresentation structure defined inSection 4.2.8.2 of [TLS], using the curve specified by the SignatureScheme.¶
The public key is the byte string encoding defined in[EdDSA].¶
This document does not define the public key encodings for other algorithms. Inorder for a SignatureScheme to be usable with the Concealed HTTP authenticationscheme, its public key encoding needs to be defined in a corresponding document.¶
The key exporter output is 48 bytes long. Of those, the first 32 bytes are partof the input to the signature and the next 16 bytes are sent alongside thesignature. This allows the recipient to confirm that the exporter produces theright values. This is described inFigure 2, using the notation fromSection 1.3 of [QUIC]:¶
Signature Input (256), Verification (128),
The key exporter output contains the following fields:¶
This is part of the data signed using the client's chosen asymmetric privatekey (seeSection 3.3).¶
The verification is transmitted to the server using thev Parameter (seeSection 4.5).¶
Once the Signature Input has been extracted from the key exporter output (seeSection 3.2), it is prefixed with static data before being signed. The signatureis computed over the concatenation of:¶
A string that consists of octet 32 (0x20) repeated 64 times¶
The context string "HTTP Concealed Authentication"¶
A single 0 byte that serves as a separator¶
The Signature Input extracted from the key exporter output (seeSection 3.2)¶
For example, if the Signature Input has all its 32 bytes set to 01, the contentcovered by the signature (in hexadecimal format) would be:¶
2020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202048545450205369676E61747572652041757468656E7469636174696F6E000101010101010101010101010101010101010101010101010101010101010101
The purpose of this static prefix is to mitigate issues that could arise ifauthentication asymmetric keys were accidentally reused across protocols (eventhough this is forbidden, seeSection 8). This construction mirrors that ofthe TLS 1.3 CertificateVerify message defined inSection 4.4.3 of [TLS].¶
The resulting signature is then transmitted to the server using thepParameter (seeSection 4.3).¶
This specification defines the following authentication parameters.¶
All of the byte sequences below are encoded using base64url (seeSection 5 of [BASE64]) without quotes and without padding. In other words, thevalues of these byte-sequence authentication parametersMUST NOT include anycharacters other than ASCII letters, digits, dash, and underscore.¶
The integer below is encoded without a minus and without leading zeroes. Inother words, the value of this integer authentication parameterMUST NOTinclude any characters other than digits andMUST NOT start with a zero unlessthe full value is "0".¶
concealed-byte-sequence-param-value = *( ALPHA / DIGIT / "-" / "_" )concealed-integer-param-value = %x31-39 1*4( DIGIT ) / "0"
TheREQUIRED "k" (key ID) Parameter is a byte sequence that identifies whichkey the client wishes to use to authenticate. This is used by the backend topoint to an entry in a server-side database of known keys (seeSection 6.3).¶
TheREQUIRED "a" (public key) Parameter is a byte sequence that specifies thepublic key used by the server to validate the signature provided by the client.This avoids key confusion issues (see[SEEMS-LEGIT]). The encoding of thepublic key is described inSection 3.1.1.¶
TheREQUIRED "p" (proof) Parameter is a byte sequence that specifies the proofthat the client provides to attest to possessing the credential that matchesits key ID.¶
TheREQUIRED "s" (signature scheme) Parameter is an integer that specifies thesignature scheme used to compute the proof transmitted in thep Parameter.Its value is an integer between 0 and 65535 inclusive from the IANA "TLSSignatureScheme" registry maintained at<https://www.iana.org/assignments/tls-parameters>.¶
TheREQUIRED "v" (verification) Parameter is a byte sequence that specifies theverification that the client provides to attest to possessing the key exporteroutput (seeSection 3.2 for details). This avoids issues with signature schemeswhere certain keys can generate signatures that are valid for multiple inputs(see[SEEMS-LEGIT]).¶
For example, a client using the key ID "basement" and the signature algorithmEd25519[ED25519] could produce the following header field:¶
NOTE: '\' line wrapping per RFC 8792Authorization: Concealed \ k=YmFzZW1lbnQ, \ a=VGhpcyBpcyBh-HB1YmxpYyBrZXkgaW4gdXNl_GhlcmU, \ s=2055, \ v=dmVyaWZpY2F0aW9u_zE2Qg, \ p=QzpcV2luZG93c_xTeXN0ZW0zMlxkcml2ZXJz-ENyb3dkU\ 3RyaWtlXEMtMDAwMDAwMDAyOTEtMD-wMC0w_DAwLnN5cw
In this section, we subdivide the server role in two:¶
The "frontend" runs in the HTTP server that terminates the TLS or QUICconnection created by the client.¶
The "backend" runs in the HTTP server that has access to the database ofaccepted key identifiers and public keys.¶
In most deployments, we expect both the frontend and backend roles to beimplemented in a single HTTP origin server (as defined inSection 3.6 of [HTTP]). However, these roles can be split such that the frontend is an HTTPgateway (as defined inSection 3.7 of [HTTP]) and the backend is an HTTPorigin server.¶
If a frontend is configured to check the Concealed HTTP authentication scheme, itwill parse the Authorization (or Proxy-Authorization) header field. If theauthentication scheme is set to "Concealed", the frontendMUST validate thatall the required authentication parameters are present and can be parsedcorrectly as defined inSection 4. If any parameter is missing or failsto parse, the frontendMUST ignore the entire Authorization (orProxy-Authorization) header field.¶
The frontend then uses the data from these authentication parameters to computethe key exporter output, as defined inSection 3.2. The frontend then shares theheader field and the key exporter output with the backend.¶
If the frontend and backend roles are implemented in the same machine, this canbe handled by a simple function call.¶
If the roles are split between two separate HTTP servers, then the backendwon't be able to directly access the TLS keying material exporter from the TLSconnection between the client and frontend, so the frontend needs to explicitlysend it. This document defines the "Concealed-Auth-Export" request header fieldfor this purpose. The Concealed-Auth-Export header field's value is aStructured Field Byte Sequence (seeSection 3.3.5 of [STRUCTURED-FIELDS]) that contains the 48-byte key exporter output(seeSection 3.2), without any parameters. Note that Structured Field ByteSequences are encoded using the non-URL-safe variant of base64. For example:¶
NOTE: '\' line wrapping per RFC 8792Concealed-Auth-Export: :VGhpc+BleGFtcGxlIFRMU/BleHBvcn\ Rlc+BvdXRwdXQ/aXMgNDggYnl0ZXMgI/+h:
The frontendSHALL forward the HTTP request to the backend, including theoriginal unmodified Authorization (or Proxy-Authorization) header field and thenewly added Concealed-Auth-Export header field.¶
Note that, since the security of this mechanism requires the key exporteroutput to be correct, backends need to trust frontends to send it truthfully.This trust relationship is common because the frontend already needs access tothe TLS certificate private key in order to respond to requests. HTTP serversthat parse the Concealed-Auth-Export header fieldMUST ignore it unless theyhave already established that they trust the sender. Similarly, frontends thatsend the Concealed-Auth-Export header fieldMUST ensure that they do notforward any Concealed-Auth-Export header field received from the client.¶
Once the backend receives the Authorization (or Proxy-Authorization) headerfield and the key exporter output, it looks up the key ID in its database ofpublic keys. The backendSHALL then perform the following checks:¶
validate that all the required authentication parameters are present and canbe parsed correctly as defined inSection 4¶
ensure the key ID is present in the backend's database and maps to acorresponding public key¶
validate that the public key from the database is equal to the one in theAuthorization (or Proxy-Authorization) header field¶
validate that the verification field from the Authorization (orProxy-Authorization) header field matches the one extracted from the keyexporter output¶
verify the cryptographic signature as defined inSection 3.3¶
If all of these checks succeed, the backend can consider the request to beproperly authenticated and can reply accordingly (the backend can also forwardthe request to another HTTP server).¶
If any of the above checks fail, the backendMUST treat it as if theAuthorization (or Proxy-Authorization) header field was missing.¶
Servers that wish to introduce resources whose existence cannot be probed needto ensure that they do not reveal any information about those resources tounauthenticated clients. In particular, such serversMUST respond toauthentication failures with the exact same response that they would have usedfor nonexistent resources. For example, this can mean using HTTP status code404 (Not Found) instead of 401 (Unauthorized).¶
The authentication checks described above can take time to compute, and anattacker could detect use of this mechanism if that time is observable bycomparing the timing of a request for a known nonexistent resource to thetiming of a request for a potentially authenticated resource. Servers canmitigate this observability by slightly delaying responses to some nonexistentresources such that the timing of the authentication verification is notobservable. This delay needs to be carefully considered to avoid having thedelay itself leak the fact that this origin uses this mechanism at all.¶
Non-probeable resources also need to be non-discoverable for unauthenticatedusers. For example, if a server operator wishes to hide an authenticatedresource by pretending it does not exist to unauthenticated users, then theserver operator needs to ensure there are no unauthenticated pages with linksto that resource and no other out-of-band ways for unauthenticated users todiscover this resource.¶
This authentication scheme is only defined for uses of HTTP with TLS[TLS]. This includes any use of HTTP over TLS as typically used forHTTP/2[HTTP/2], or HTTP/3[HTTP/3] where the transport protocol uses TLS as itsauthentication and key exchange mechanism[QUIC-TLS].¶
Because the TLS keying material exporter is only secure for authentication whenit is uniquely bound to the TLS session[RFC7627], the Concealedauthentication scheme requires either one of the following properties:¶
The TLS version in use is greater than or equal to 1.3[TLS].¶
The TLS version in use is 1.2, and the extended master secret extension[RFC7627] has been negotiated.¶
ClientsMUST NOT use the Concealed HTTP authentication scheme on connections that donot meet one of the two properties above. If a server receives a request thatuses this authentication scheme on a connection that meets neither of the aboveproperties, the serverMUST treat the request as if the authentication were notpresent.¶
The Concealed HTTP authentication scheme allows a client to authenticate to anorigin server while guaranteeing freshness and without the need for the serverto transmit a nonce to the client. This allows the server to acceptauthenticated clients without revealing that it supports or expectsauthentication for some resources. It also allows authentication without theclient leaking the presence of authentication to observers due to cleartextTLS Client Hello extensions.¶
Since the freshness described above is provided by a TLS key exporter, it canbe as old as the underlying TLS connection. Servers can require betterfreshness by forcing clients to create new connections using mechanisms such asthe GOAWAY frame (seeSection 5.2 of [HTTP/3]).¶
The authentication proofs described in this document are not bound toindividual HTTP requests; if the key is used for authentication proofs onmultiple requests on the same connection, they will all be identical. Thisallows for better compression when sending over the wire, but it implies thatclient implementations that multiplex different security contexts over a singleHTTP connection need to ensure that those contexts cannot read each other'sheader fields. Otherwise, one context would be able to replay the Authorizationheader field of another. This constraint is met by modern web browsers. If anattacker were to compromise the browser such that it could access anothercontext's memory, the attacker might also be able to access the correspondingkey, so binding authentication to requests would not provide much benefit inpractice.¶
Authentication asymmetric keys used for the Concealed HTTP authenticationschemeMUST NOT be reused in other protocols. Even though we attempt tomitigate these issues by adding a static prefix to the signed data (seeSection 3.3), reusing keys could undermine the security guarantees of theauthentication.¶
Origins offering this scheme can link requests that use the same key.However, requests are not linkable across origins if the keys used are specificto the individual origins using this scheme.¶
IANA has registered the following entry inthe "HTTP Authentication Schemes" registry maintained at<https://www.iana.org/assignments/http-authschemes>:¶
IANA has registered the following entry inthe "TLS Exporter Labels" registry maintained at<https://www.iana.org/assignments/tls-parameters>:¶
IANA has registered the following entry inthe "Hypertext Transfer Protocol (HTTP) Field Name Registry" maintained at<https://www.iana.org/assignments/http-fields>:¶
The authors would like to thank many members of the IETF community, as thisdocument is the fruit of many hallway conversations. In particular, the authorswould like to thankDavid Benjamin,Reese Enghardt,Nick Harper,Dennis Jackson,Ilari Liusvaara,François Michel,Lucas Pardue,Justin Richer,Ben Schwartz,Martin Thomson, andChris A. Wood for their reviews and contributions. Themechanism described in this document was originally part of the first iterationof MASQUE[MASQUE-ORIGINAL].¶