Channel Binding Tokens (CBTs)

Channel Binding Tokens (CBTs) are a security mechanism that strengthens the authentication process, particularly against man-in-the-middle (MITM) attacks. A CBT is a token or piece of data that binds the security of two separate protocols, typically an application layer protocol like HTTP to a lower-level transport layer protocol like TLS (Transport Layer Security).

CBTs are used to "bind" a high-level authentication process (such as Kerberos or NTLM authentication) to a specific secure channel or session (like a TLS session). The main purpose of CBTs is to prevent MITM attacks in which an attacker intercepts credentials on one channel and relays them over another, unauthorized channel. With CBTs, the server can verify that the credentials are being presented in the correct, secured session.

By tying the authentication process to a specific encrypted channel, CBTs ensure that authentication tokens cannot be hijacked or replayed in a different context or session.

When a client initiates a secure session (such as a TLS connection), a unique token representing that session is generated. During the authentication phase (like when a user logs in using Kerberos), this unique session token (CBT) is included in the authentication process. The server, upon receiving the authentication request, checks the CBT against the current session. If they match, it confirms that the authentication request is valid and not being relayed or manipulated by an attacker.

A web application configured to use CBTs will require that any HTTP-based authentication is accompanied by a token that matches the current TLS session, which prevents an attacker from intercepting the authentication credentials and using them in a different session. The CBT is derived from the TLS handshake and later carried in the authentication exchange, so the server can confirm that the authentication is happening over the same secure channel it established.
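The check described above, as an added example that is not part of the original article: the server recomputes the binding for its own TLS session and requires the client's CBT to match it. The binding type modelled is "tls-server-end-point" (the hash of the server certificate, as defined in RFC 5929); the certificate byte strings are constructed stand-ins, SHA-256 is assumed as the certificate's hash algorithm, and the message layout is a simplified dict rather than a real NTLM or Kerberos token.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded server certificates. A real
# implementation parses the certificate and picks the hash named by its
# signature algorithm; SHA-256 is assumed here.
LEGIT_SERVER_CERT = b"-constructed-der-for-the-legitimate-server-"
OTHER_ENDPOINT_CERT = b"-constructed-der-for-some-other-tls-endpoint-"


def tls_server_end_point(cert_der: bytes) -> bytes:
    """'tls-server-end-point' channel binding: hash of the server certificate."""
    return hashlib.sha256(cert_der).digest()


def build_auth_message(username: str, cert_seen_by_client: bytes) -> dict:
    """Client side: the CBT is derived from the certificate of the TLS session
    the client actually negotiated and attached to the authentication."""
    return {"user": username, "cbt": tls_server_end_point(cert_seen_by_client)}


def verify_auth(auth_msg: dict, cert_served_by_server: bytes) -> bool:
    """Server side: recompute the binding for *this* TLS session and accept
    only if the presented CBT matches (constant-time compare)."""
    presented = auth_msg.get("cbt")
    if presented is None:
        return False  # binding required: reject authentication without a CBT
    expected = tls_server_end_point(cert_served_by_server)
    return hmac.compare_digest(presented, expected)


def direct_session_ok() -> bool:
    """Client and server share one TLS session: the CBT matches."""
    msg = build_auth_message("alice", LEGIT_SERVER_CERT)
    return verify_auth(msg, LEGIT_SERVER_CERT)


def relayed_session_rejected() -> bool:
    """Credentials produced in a TLS session with a different endpoint and
    then forwarded to the server carry the wrong binding and are refused."""
    msg = build_auth_message("alice", OTHER_ENDPOINT_CERT)
    return not verify_auth(msg, LEGIT_SERVER_CERT)


if __name__ == "__main__":
    print("direct session accepted:", direct_session_ok())
    print("relayed session rejected:", relayed_session_rejected())
```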