This document introduces a POCOP mechanism based on nested, chained HMACs constructions to provide chained authenticity and integrity protection.
Bearer tokens are vulnerable at rest and in transit when an attacker is able to intercept a token to illegally access private information. In order to mitigate some of the risk associated with bearer tokens, proof-of-chain-of-possession may be used to authenticate the token. Chain-of-possession token is a chronological tamper-resistant record of all its possessors and the changes that have been made to it.
The MACfinal value is calculated starting with HMAC root key Kroot and the first message m1, each MAC value being used as the HMAC key for the next message.
MACfinal = HMAC(...HMAC(HMAC(Kroot, m1), m2,), ...mn)
Google Macaroons are based on this construction.
The MACfinal value is calculated starting with the first HMAC key K1 and the root message mroot, each MAC value being used as the HMAC message for the next Key.
MACfinal = HMAC(Kn, ...HMAC(K2, HMAC(K1, mroot)))
This construction provides the basis of the POCOP mechanism.
MACfinal = HMAC(Kn, ...HMAC(HMAC(K2, HMAC(HMAC(K1, m1), m2)), ...mn))
Example of client chaining with RS_1 and RS_2:
MACfinal = HMAC(KRS_2, HMAC(HMAC(KRS_1, HMAC(HMAC(Kclient, mclient), mRS_1)), mRS_2))
broken down into individual MACs
MAC = HMAC(Kclient, mclient)
MAC = HMAC(MAC, mRS_1)
MAC = HMAC(KRS_1, MAC)
MAC = HMAC(MAC, mRS_2)
MACfinal = HMAC(KRS_2, MAC)
This complex construction with multiple messages and multiple keys is applicable to the JWT format.
MACAS = HMAC(KAS, NONCEAS || mAS)
*
MACAS = HMAC(Kclient, MACAS)
MACclient = HMAC(Kclient, MACAS || NONCEclient || mclient)
*
MACclient = HMAC(KRS_1, MACclient)
MACRS_1 = HMAC(KRS_1, MACclient || NONCERS_1 || mRS_1)
*
MACRS_1 = HMAC(KRS_2, MACRS_1)
MACfinal = HMAC(KRS_2, MACRS_1 || NONCERS_2 || mRS_2)
Nested, chained complex HMACs constructions applied on tokens, tickets, cookies and macaroons may be used to implement both new authorization protocols and to enhance existing ones.
The Chained-MACs-with-Multiple-Keys construction is used as the basis of the POCOP token mechanism.
The root message of the token must contain:
-
The random NONCE to prevent replay attack.
-
The claim that identifies who created the token.
-
The timestamp of when the token was issued.
The claims can be chained using the Chained-MACs-with-Multiple-Messages construction. The complex combination of Chained-MACs-with-Multiple-Messages and Chained-MACs-with-Multiple-Keys constructions forms a basis of the Chained Credentials-Based Authorization mechanism.
...
Credits go to WG - User-Managed Access and Google Research Publications.