OpenToken

This document describes OpenToken (OTK), a format for the lightweight, secure, cross-application exchange of key-value pairs between applications that use HTTP (see ) as the transport protocol. The format is designed primarily for use as an HTTP cookie (see ) or query parameter, but can also be used in other scenarios that require a compact, application-neutral token. The OpenToken technology is not designed to encapsulate formal identity assertions (for which see ) or authentication credentials (for which see ). Instead, OpenToken is designed to encapsulate basic name-value pairs for exchange between applications that use HTTP as the transport protocol. Consider the example of a web application that receives information from an end user via a web browser and subsequently shares that information with a backend system such as a single-sign-on (SSO) application.

| SSO app | +---------+ (OTK) +---------+ ]]> Naturally the web application or the single-sign-on application could exchange the same information with other applications (e.g., billing, customer service, enterprise resource planning) or push the information back to the end user via an HTTP cookie. The end user could also share that same information with other web applications (e.g., the web application could store the information on the end user's browser via an HTTP cookie, which could be shared with other applications). The use of a consistent data format enables a more seamless exchange of information between applications (e.g., by removing the need to translate between different application-specific data formats).

The following keywords are to be interpreted as described in : "MUST", "SHALL", "REQUIRED"; "MUST NOT", "SHALL NOT"; "SHOULD", "RECOMMENDED"; "SHOULD NOT", "NOT RECOMMENDED"; "MAY", "OPTIONAL".

The OpenToken format is specified in the following table.

The following notes apply to the foregoing token parameters: The datatype for the version identifier, cipher suite identifier, IV length, and Key Info length is unsigned byte. The initialization vector (IV) has a maximum length of 255 bytes. This field is OPTIONAL and MAY have a length of 0 (IV length) to indicate that no IV is available for this token. For details about initialization vectors, see . The payload is a series of key-value pairs, as described under . The payload has a maximum (compressed) length of 64k bytes. While this format supports a payload of 64k bytes, deployment scenarios that pass the token using HTTP (either as a query parameter or cookie) SHOULD limit the token length to less than 4k for optimal compatibility. The used in this version of OpenToken is based on the SHA-1 hashing algorithm specified in . See for further information about the security characteristics of this algorithm. The Key Info field provides a place to store meta-data describing the key used to encrypt the payload. For example, it can contain a cryptographic hash of the key, or some other identifier, so that the token recipient can select the appropriate key for decryption. This field is OPTIONAL and MAY have a length of 0 (Key Info length) to indicate that no meta-data is available for this token. Given the limited scope of applicability and the desire for a lightweight exchange format, OpenToken uses a binary format rather than a more generic data-description language such as or .

Generating an OTK involves the following steps: Generate the payload. Select a cipher suite and generate a corresponding IV. Initialize an using the SHA-1 algorithm specified in and the following data (order is significant): OTK version Cipher suite value IV value (if present) Key Info value (if present) Payload length (2 bytes, network order) Update the SHA-1 HMAC (from the previous step) using the clear-text payload. Compress the payload using the DEFLATE specification in accordance with and . Encrypt the compressed payload using the selected cipher suite. Construct the binary structure representing the OTK; place the MAC, IV, key info and cipher-text within the structure. Base 64 encode the entire binary structure, following the rules in Section 4 of and ensuring that the padding bits are set to zero. Replace all Base 64 padding characters "=" with "*" (RFC 4648 does not account for the problems that Base64 padding causes when used as a cookie; this step corrects that issue).

Processing an OTK involves the following steps: Replace the "*" padding characters (see Encoding section, step 9) with standard Base 64 "=" characters. Base 64 decode the OTK, following the rules in Section 4 of and ensuring that the padding bits are set to zero. Validate the OTK header literal and version. Extract the Key Info (if present) and select a key for decryption. Decrypt the payload cipher-text using the selected cipher suite. Decompress the decrypted payload, in accordance with and . Initialize an using the SHA-1 algorithm specified in and the following data (order is significant): OTK version Cipher suite value IV value (if present) Key Info value (if present) Payload length (2 bytes, network order) Update the HMAC from the previous step with the clear-text payload (after decompressing). Compare the HMAC from step 8 with the HMAC received in the OTK. If they do not match, halt processing. Process the payload.

The token payload contains key-value pairs, as described under . These data pairs are used to describe the token presenter and can vary from application to application. In the interest of basic interoperability when exchanging an OTK, there is a small set of standardized data pairs.

The following rules apply: All datetimes MUST be calculated relative to UTC (i.e., no timezone offsets). The predefined key-value pairs MUST NOT be used for any purpose other than what is defined above and SHOULD be included with all issued OTKs.

A cipher suite groups a cryptographic cipher with a specific key size, cipher mode, and padding scheme. This grouping provides a convenient way of representing these inter-dependent options and also helps the implementor understand the exact cryptographic requirements for a given OTK.

Note: The Null cipher is meant only for testing purposes. It MUST NOT be used in production environments, since the payload would be passed in the clear. When using the Null cipher, the SHA-1 MAC value MUST be replaced with a standard SHA-1 hash of the uncompressed payload. For cipher suites that do not require an IV, the IV length MAY be zero. For information regarding PKCS #5 padding, see .

OTK uses a simple, line-based format for encoding the key-value pairs in the payload. The format is encoded with UTF-8 and thus is guaranteed to support the transport of multi-byte characters. The syntax for an OpenToken is defined as follows using the Augmented Backus-Naur Form as specified in .

The following rules apply: Key names might not be unique. OpenToken supports multiple values for a key name by simply adding another key-value pair. Key names are case-sensitive. It is RECOMMENDED that all key names be lowercase and use hyphens to separate "words". If the value for a key is or includes a Uniform Resource Identifier (URI), the characters "&" and "=" SHOULD be percent-encoded according to the rules specified in .

It is important to ensure interoperability across tokens generated by different implementations/languages. The following test cases can be used to test an implementation and ensure that it generates properly encoded tokens. These tests are not exhaustive, but do cover the basic cipher suites. For each test case, the key that was used to generate the output is included in base64 encoding. The generated token is also base64 encoded, as specified above. Each token has two name-value pairs present:

Note: In the following test data, the tokens are wrapped across two lines to fit and the "\" character is used to denote the point of line wrapping.

Recent research has shown that in select cases it is possible to compromise the hashes produced by the SHA-1 hashing algorithm (see ). However, the use to which SHA-1 is put in OpenToken, coupled with employment of a symmetric cipher key, will likely minimize the applicability of the attacks described in the literature. Furthermore, current estimates suggest that even with the recently-discovered attack, it would still take one year of computing by a government-sized entity to produce a collision. Tokens SHOULD be exchanged over a secure transport (e.g., HTTP Over TLS as described in ) to minimize the possibility that a token can be intercepted by a man-in-the-middle.