RFC 2660
Network Working Group E. Rescorla
Request for Comments: 2660 RTFM, Inc.
Category: Experimental A. Schiffman
Terisa Systems, Inc.
August 1999
The Secure HyperText Transfer Protocol
Status of this Memo
This memo defines an Experimental Protocol for the Internet
community. It does not specify an Internet standard of any kind.
Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (1999). All Rights Reserved.
Abstract
This memo describes a syntax for securing messages sent using the
Hypertext Transfer Protocol (HTTP), which forms the basis for the
World Wide Web. Secure HTTP (S-HTTP) provides independently
applicable security services for transaction confidentiality,
authenticity/integrity and non-repudiability of origin.
The protocol emphasizes maximum flexibility in choice of key
management mechanisms, security policies and cryptographic algorithms
by supporting option negotiation between parties for each
transaction.
Table of Contents
1. Introduction .................................................. 3
1.1. Summary of Features ......................................... 3
1.2. Changes ..................................................... 4
1.3. Processing Model ............................................ 5
1.4. Modes of Operation .......................................... 6
1.5. Implementation Options ...................................... 7
2. Message Format ................................................ 7
2.1. Notational Conventions ...................................... 8
2.2. The Request Line ............................................ 8
2.3. The Status Line ............................................. 8
2.4. Secure HTTP Header Lines .................................... 8
2.5. Content .....................................................12
2.6. Encapsulation Format Options ................................13
Rescorla & Schiffman Experimental [Page 1]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
2.6.1. Content-Privacy-Domain: CMS ...............................13
2.6.2. Content-Privacy-Domain: MOSS ..............................14
2.6.3. Permitted HTTP headers ....................................14
2.6.3.2. Host ....................................................15
2.6.3.3. Connection ..............................................15
3. Cryptographic Parameters ......................................15
3.1. Options Headers .............................................15
3.2. Negotiation Options .........................................16
3.2.1. Negotiation Overview ......................................16
3.2.2. Negotiation Option Format .................................16
3.2.3. Parametrization for Variable-length Key Ciphers ...........18
3.2.4. Negotiation Syntax ........................................18
3.3. Non-Negotiation Headers .....................................23
3.3.1. Encryption-Identity .......................................23
3.3.2. Certificate-Info ..........................................23
3.3.3. Key-Assign ................................................24
3.3.4. Nonces ....................................................25
3.4. Grouping Headers With SHTTP-Cryptopts .......................26
3.4.1. SHTTP-Cryptopts ...........................................26
4. New Header Lines for HTTP .....................................26
4.1. Security-Scheme .............................................26
5. (Retriable) Server Status Error Reports .......................27
5.1. Retry for Option (Re)Negotiation ............................27
5.2. Specific Retry Behavior .....................................28
5.3. Limitations On Automatic Retries ............................29
6. Other Issues ..................................................30
6.1. Compatibility of Servers with Old Clients ...................30
6.2. URL Protocol Type ...........................................30
6.3. Browser Presentation ........................................31
7. Implementation Notes ..........................................32
7.1. Preenhanced Data ............................................32
7.2. Note:Proxy Interaction ......................................34
7.2.1. Client-Proxy Authentication ...............................34
8. Implementation Recommendations and Requirements ...............34
9. Protocol Syntax Summary .......................................35
10. An Extended Example ..........................................36
Appendix: A Review of CMS ........................................40
Bibliography and References ......................................41
Security Considerations ..........................................43
Authors' Addresses ...............................................44
Full Copyright Statement..........................................45
Rescorla & Schiffman Experimental [Page 2]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
1. Introduction
The World Wide Web (WWW) is a distributed hypermedia system which has
gained widespread acceptance among Internet users. Although WWW
browsers support other, preexisting Internet application protocols,
the native and primary protocol used between WWW clients and servers
is the HyperText Transfer Protocol (HTTP) [RFC-2616]. The ease of
use of the Web has prompted its widespread employment as a
client/server architecture for many applications. Many such
applications require the client and server to be able to authenticate
each other and exchange sensitive information confidentially. The
original HTTP specification had only modest support for the
cryptographic mechanisms appropriate for such transactions.
Secure HTTP (S-HTTP) provides secure communication mechanisms between
an HTTP client-server pair in order to enable spontaneous commercial
transactions for a wide range of applications. Our design intent is
to provide a flexible protocol that supports multiple orthogonal
operation modes, key management mechanisms, trust models,
cryptographic algorithms and encapsulation formats through option
negotiation between parties for each transaction.
1.1. Summary of Features
Secure HTTP is a secure message-oriented communications protocol
designed for use in conjunction with HTTP. It is designed to coexist
with HTTP's messaging model and to be easily integrated with HTTP
applications.
Secure HTTP provides a variety of security mechanisms to HTTP clients
and servers, providing the security service options appropriate to
the wide range of potential end uses possible for the World-Wide Web.
The protocol provides symmetric capabilities to both client and
server (in that equal treatment is given to both requests and
replies, as well as for the preferences of both parties) while
preserving the transaction model and implementation characteristics
of HTTP.
Several cryptographic message format standards may be incorporated
into S-HTTP clients and servers, particularly, but in principle not
limited to, [CMS] and [MOSS]. S-HTTP supports interoperation among a
variety of implementations, and is compatible with HTTP. S-HTTP
aware clients can communicate with S-HTTP oblivious servers and
vice-versa, although such transactions obviously would not use S-HTTP
security features.
S-HTTP does not require client-side public key certificates (or
public keys), as it supports symmetric key-only operation modes.
Rescorla & Schiffman Experimental [Page 3]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
This is significant because it means that spontaneous private
transactions can occur without requiring individual users to have
an established public key. While S-HTTP is able to take advantage
of ubiquitous certification infrastructures, its deployment does
not require it.
S-HTTP supports end-to-end secure transactions, in contrast with the
original HTTP authorization mechanisms which require the client to
attempt access and be denied before the security mechanism is
employed. Clients may be "primed" to initiate a secure transaction
(typically using information supplied in message headers); this may
be used to support encryption of fill-out forms, for example. With
S-HTTP, no sensitive data need ever be sent over the network in the
clear.
S-HTTP provides full flexibility of cryptographic algorithms, modes
and parameters. Option negotiation is used to allow clients and
servers to agree on transaction modes (e.g., should the request be
signed or encrypted or both -- similarly for the reply?);
cryptographic algorithms (RSA vs. DSA for signing, DES vs.
RC2 for encrypting, etc.); and certificate selection
(please sign with your "Block-buster Video certificate").
S-HTTP attempts to avoid presuming a particular trust model, although
its designers admit to a conscious effort to facilitate
multiply-rooted hierarchical trust, and anticipate that principals may
have many public key certificates.
S-HTTP differs from Digest-Authentication, described in [RFC-2617] in
that it provides support for public key cryptography and consequently
digital signature capability, as well as providing confidentiality.
1.2. Changes
This document describes S-HTTP/1.4. It differs from the previous
memo in that it differs from the previous memo in its support of
the Cryptographic Message Syntax (CMS) [CMS], a successor to PKCS-7;
and hence now supports the Diffie-Hellman and the (NIST) Digital
Signature Standard cryptosystems. CMS used in RSA mode is bits on the
wire compatible with PKCS-7.
Rescorla & Schiffman Experimental [Page 4]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
1.3. Processing Model
1.3.1. Message Preparation
The creation of an S-HTTP message can be thought of as a a function
with three inputs:
1. The cleartext message. This is either an HTTP message
or some other data object. Note that since the cleartext message
is carried transparently, headers and all, any version of HTTP
can be carried within an S-HTTP wrapper.
2. The receiver's cryptographic preferences and keying material.
This is either explicitly specified by the receiver or subject
to some default set of preferences.
3. The sender's cryptographic preferences and keying material.
This input to the function can be thought of as implicit
since it exists only in the memory of the sender.
In order to create an S-HTTP message, then, the sender integrates the
sender's preferences with the receiver's preferences. The result of
this is a list of cryptographic enhancements to be applied and keying
material to be used to apply them. This may require some user
intervention. For instance, there might be multiple keys available to
sign the message. (See Section 3.2.4.9.3 for more on this topic.)
Using this data, the sender applies the enhancements to the message
clear-text to create the S-HTTP message.
The processing steps required to transform the cleartext message into
the S-HTTP message are described in Sections 2 and 3. The processing
steps required to merge the sender's and receiver's preferences are
described in Sections 3.2.
1.3.2. Message Recovery
The recovery of an S-HTTP message can be thought of as a function of
four distinct inputs:
1. The S-HTTP message.
2. The receiver's stated cryptographic preferences and keying
material. The receiver has the opportunity to remember what
cryptographic preferences it provided in order for this
document to be dereferenced.
3. The receiver's current cryptographic preferences and
keying material.
4. The sender's previously stated cryptographic options.
The sender may have stated that he would perform certain
cryptographic operations in this message. (Again, see
sections 4 and 5 for details on how to do this.)
Rescorla & Schiffman Experimental [Page 5]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
In order to recover an S-HTTP message, the receiver needs to read the
headers to discover which cryptographic transformations were
performed on the message, then remove the transformations using some
combination of the sender's and receiver's keying material, while
taking note of which enhancements were applied.
The receiver may also choose to verify that the applied enhancements
match both the enhancements that the sender said he would apply
(input 4 above) and that the receiver requested (input 2 above) as
well as the current preferences to see if the S-HTTP message was
appropriately transformed. This process may require interaction with
the user to verify that the enhancements are acceptable to the user.
(See Section 6.4 for more on this topic.)
1.4. Modes of Operation
Message protection may be provided on three orthogonal axes:
signature, authentication, and encryption. Any message may be signed,
authenticated, encrypted, or any combination of these (including no
protection).
Multiple key management mechanisms are supported, including
password-style manually shared secrets and public-key key exchange.
In particular, provision has been made for prearranged (in an earlier
transaction or out of band) symmetric session keys in order to send
confidential messages to those who have no public key pair.
Additionally, a challenge-response ("nonce") mechanism is provided to
allow parties to assure themselves of transaction freshness.
1.4.1. Signature
If the digital signature enhancement is applied, an appropriate
certificate may either be attached to the message (possibly along
with a certificate chain) or the sender may expect the recipient to
obtain the required certificate (chain) independently.
1.4.2. Key Exchange and Encryption
In support of bulk encryption, S-HTTP defines two key transfer
mechanisms, one using public-key enveloped key exchange and another
with externally arranged keys.
In the former case, the symmetric-key cryptosystem parameter is
passed encrypted under the receiver's public key.
Rescorla & Schiffman Experimental [Page 6]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
In the latter mode, we encrypt the content using a prearranged
session key, with key identification information specified on one of
the header lines.
1.4.3. Message Integrity and Sender Authentication
Secure HTTP provides a means to verify message integrity and sender
authenticity for a message via the computation of a Message
Authentication Code (MAC), computed as a keyed hash over the document
using a shared secret -- which could potentially have been arranged
in a number of ways, e.g.: manual arrangement or 'inband' key
management. This technique requires neither the use of public key
cryptography nor encryption.
This mechanism is also useful for cases where it is appropriate to
allow parties to identify each other reliably in a transaction
without providing (third-party) non-repudiability for the
transactions themselves. The provision of this mechanism is motivated
by our bias that the action of "signing" a transaction should be
explicit and conscious for the user, whereas many authentication
needs (i.e., access control) can be met with a lighter-weight
mechanism that retains the scalability advantages of public-key
cryptography for key exchange.
1.4.4. Freshness
The protocol provides a simple challenge-response mechanism, allowing
both parties to insure the freshness of transmissions. Additionally,
the integrity protection provided to HTTP headers permits
implementations to consider the Date: header allowable in HTTP
messages as a freshness indicator, where appropriate (although this
requires implementations to make allowances for maximum clock skew
between parties, which we choose not to specify).
1.5. Implementation Options
In order to encourage widespread adoption of secure documents for the
World-Wide Web in the face of the broad scope of application
requirements, variability of user sophistication, and disparate
implementation constraints, Secure HTTP deliberately caters to a
variety of implementation options. See Section 8 for implementation
recommendations and requirements.
2. Message Format
Syntactically, Secure HTTP messages are the same as HTTP, consisting
of a request or status line followed by headers and a body. However,
the range of headers is different and the bodies are typically
Rescorla & Schiffman Experimental [Page 7]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
cryptographically enhanced.
2.1. Notational Conventions
This document uses the augmented BNF from HTTP [RFC-2616]. You should
refer to that document for a description of the syntax.
2.2. Request Line
In order to differentiate S-HTTP messages from HTTP messages and
allow for special processing, the request line should use the special
Secure" method and use the protocol designator "Secure-HTTP/1.4".
Consequently, Secure-HTTP and HTTP processing can be intermixed on
the same TCP port, e.g. port 80. In order to prevent leakage of
potentially sensitive information Request-URI should be "*". For
example:
Secure * Secure-HTTP/1.4
When communicating via a proxy, the Request-URI should be consist of
the AbsoluteURI. Typically, the rel path section should be replaced
by "*" to minimize the information passed to in the clear. (e.g.
http://www.terisa.com/*); proxies should remove the appropriate
amount of this information to minimize the threat of traffic
analysis. See Section 7.2.2.1 for a situation where providing more
information is appropriate.
2.3. The Status Line
S-HTTP responses should use the protocol designator "Secure-
HTTP/1.4". For example:
Secure-HTTP/1.4 200 OK
Note that the status in the Secure HTTP response line does not
indicate anything about the success or failure of the unwrapped HTTP
request. Servers should always use 200 OK provided that the Secure
HTTP processing is successful. This prevents analysis of success or
failure for any request, which the correct recipient can determine
from the encapsulated data. All case variations should be accepted.
2.4. Secure HTTP Header Lines
The header lines described in this section go in the header of a
Secure HTTP message. All except 'Content-Type' and 'Content-Privacy-
Domain' are optional. The message body shall be separated from the
header block by two successive CRLFs.
Rescorla & Schiffman Experimental [Page 8]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
All data and fields in header lines should be treated as case
insensitive unless otherwise specified. Linear whitespace [RFC-822]
should be used only as a token separator unless otherwise quoted.
Long header lines may be line folded in the style of [RFC-822].
This document refers to the header block following the S-HTTP
request/response line and preceding the successive CRLFs collectively
as "S-HTTP headers".
2.4.1. Content-Privacy-Domain
The two values defined by this document are 'MOSS' and 'CMS'. CMS
refers to the privacy enhancement specified in section 2.6.1. MOSS
refers to the format defined in [RFC-1847] and [RFC-1848].
2.4.2. Content-Type for CMS
Under normal conditions, the terminal encapsulated content (after all
privacy enhancements have been removed) would be an HTTP message. In
this case, there shall be a Content-Type line reading:
Content-Type: message/http
The message/http content type is defined in RFC-2616.
If the inner message is an S-HTTP message, then the content type
shall be 'application/s-http'. (See Appendix for the definition of
this.)
It is intended that these types be registered with IANA as MIME
content types.
The terminal content may be of some other type provided that the type
is properly indicated by the use of an appropriate Content-Type
header line. In this case, the header fields for the encapsulation of
the terminal content apply to the terminal content (the 'final
headers'). But in any case, final headers should themselves always be
S-HTTP encapsulated, so that the applicable S-HTTP/HTTP headers are
never passed unenhanced.
S-HTTP encapsulation of non-HTTP data is a useful mechanism for
passing pre-enhanced data (especially presigned data) without
requiring that the HTTP headers themselves be pre-enhanced.
Rescorla & Schiffman Experimental [Page 9]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
2.4.3. Content-Type for MOSS
The Content-Type for MOSS shall be an acceptable MIME content type
describing the cryptographic processing applied. (e.g.
multipart/signed). The content type of the inner content is described
in the content type line corresponding to that inner content, and for
HTTP messages shall be 'message/http'.
2.4.4. Prearranged-Key-Info
This header line is intended to convey information about a key which
has been arranged outside of the internal cryptographic format. One
use of this is to permit in-band communication of session keys for
return encryption in the case where one of the parties does not have
a key pair. However, this should also be useful in the event that the
parties choose to use some other mechanism, for instance, a one-time
key list.
This specification defines two methods for exchanging named keys,
Inband, Outband. Inband indicates that the session key was exchanged
previously, using a Key-Assign header of the corresponding method.
Outband arrangements imply that agents have external access to key
materials corresponding to a given name, presumably via database
access or perhaps supplied immediately by a user from keyboard input.
The syntax for the header line is:
Prearranged-Key-Info =
"Prearranged-Key-Info" ":" Hdr-Cipher "," CoveredDEK "," CoverKey-ID
CoverKey-ID = method ":" key-name
CoveredDEK = *HEX
method = "inband" | "outband"
While chaining ciphers require an Initialization Vector (IV) [FIPS-
81] to start off the chaining, that information is not carried by
this field. Rather, it should be passed internal to the cryptographic
format being used. Likewise, the bulk cipher used is specified in
this fashion.
should be the name of the block cipher used to encrypt
the session key (see section 3.2.4.7)
is the protected Data Encryption Key (a.k.a. transaction
key) under which the encapsulated message was encrypted. It should be
appropriately (randomly) generated by the sending agent, then
encrypted under the cover of the negotiated key (a.k.a. session key)
using the indicated header cipher, and then converted into hex.
Rescorla & Schiffman Experimental [Page 10]
RFC 2660 The Secure HyperText Transfer Protocol August 1999
In order to avoid name collisions, cover key namespaces must be
maintained separately by host and port.
Note that some Content-Privacy-Domains, notably likely future
revisions of MOSS and CMS may have support for symmetric key
management.
The Prearranged-Key-Info field need not be used in such
circumstances. Rather, the native syntax is preferred. Keys
exchanged with Key-Assign, however, may be used in this situation.
2.4.5. MAC-Info
This header is used to supply a Message Authenticity Check, providing
both message authentication and integrity, computed from the message
text, the time (optional -- to prevent replay attack), and a shared
secret between client and server. The MAC should be computed over the
encapsulated content of the S-HTTP message. S-HTTP/1.1 defined that
MACs should be computed using the following algorithm ('||' means
concatenation):
MAC = hex(H(Message||[