| Internet-Draft | SURADAR | April 2026 |
| Rampalli | Expires 27 October 2026 | [Page] |
This document defines SURADAR (Subsurface Undertow RADAR), an HTTP authentication scheme in which each request is authenticated by a one-time HMAC tag derived from a shared seed, the current time band, and the full request context (method, path, organisation, scope, and body). Unlike bearer-token schemes, a captured SURADAR token is cryptographically bound to exactly one request and cannot be reused, replayed, or re-scoped. The protocol requires zero per-request handshakes, produces 48-byte tokens, and relies solely on HMAC-SHA-256 and SHA-256 -- no asymmetric cryptography.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 27 October 2026.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Existing HTTP authentication mechanisms -- Bearer tokens [RFC6750], JSON Web Tokens [RFC7519], OAuth 2.0 [RFC6749], and HTTP Message Signatures [RFC9421] -- authenticate the caller but not the request. A valid token for one endpoint is equally valid for any other endpoint within its scope, for any request body, until the token expires. This creates a class of attacks where a stolen or intercepted token can be reused for unintended purposes.¶
SURADAR addresses this by deriving a unique one-time key for each request from:¶
The resulting token is valid for exactly one HTTP request, at one endpoint, with one scope, within one time window, with exactly the body that was sent.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
| Symbol | Definition |
|---|---|
| S | Shared seed (32 bytes) |
| RSK | Root Server Key (32 bytes) |
| T | Time band index: floor(unix_seconds / TBandSeconds) |
| TBandSeconds | Time band width (default: 30) |
| TBandSkew | Adjacent bands accepted (default: 1) |
| ctx | Context fingerprint: SHA-256(method || 0x00 || path || 0x00 || orgID || 0x00 || scope) |
| K1 | Partial key: HMAC-SHA-256(S, T_bytes || ctx) |
| R | Client nonce: 16 random bytes |
| K | Full one-time key: HMAC-SHA-256(K1, R) |
| sig | Request authenticator: HMAC-SHA-256(K, body) |
| token | Wire encoding: base64url(R || sig) -- 64 chars, 48 bytes |
| || | Byte concatenation |
| 0x00 | Null byte separator |
The enrollment phase establishes a shared seed S between client and server. It occurs once per client over an authenticated channel.¶
Client Server |--- [authenticated channel] ------------>| | clientID, orgID, pubKey | | enrollNonce = rand(16) | | S = HMAC-SHA-256(RSK, clientID || enrollNonce) | encrypted_S = XOR(S, SHA-256(pubKey))| |<-- enrollNonce, encrypted_S ------------| | S = XOR(encrypted_S, SHA-256(privKey)) | Store S in secure keychain | Server stores: (clientID, orgID, enrollNonce) Server NEVER stores S¶
Each HTTP request is independently authenticated with no additional roundtrips.¶
Client Server | T = floor(now / 30) | | ctx = SHA-256(method||0x00||path||0x00||orgID||0x00||scope) | K1 = HMAC-SHA-256(S, T_bytes || ctx) | | R = rand(16) | | K = HMAC-SHA-256(K1, R) | | sig = HMAC-SHA-256(K, body) | | zero(K1, K) | | token = base64url(R || sig) | |--- HTTP request with headers: --------->| | X-SURADAR-Auth: <token> | | X-SURADAR-Client: <clientID> | | X-SURADAR-TBand: <T> | | S' = HMAC-SHA-256(RSK, clientID || enrollNonce) | ctx' = SHA-256(method||0x00||path||0x00||orgID||0x00||scope) | K1' = HMAC-SHA-256(S', T_bytes || ctx') | K' = HMAC-SHA-256(K1', R_from_token) | | verify: sig == HMAC-SHA-256(K', body)| | replay_check(T, ctx, R) | | zero(K1', K') | |<-- 200 OK or 401 Unauthorized ---------|¶
The client MUST authenticate via an existing mechanism (OAuth 2.0, mutual TLS, or a one-time enrollment token) before requesting seed enrollment. The enrollment channel MUST be protected by TLS.¶
The server generates a 16-byte enrollment nonce using a cryptographically secure pseudorandom number generator (CSPRNG) [RFC4086]:¶
enrollNonce = CSPRNG(16) S = HMAC-SHA-256(RSK, clientID || enrollNonce)¶
The RSK MUST be stored in a hardware security module (HSM) or equivalent secure storage. The server MUST NOT store S. The server stores the tuple (clientID, orgID, enrollNonce).¶
The server delivers the seed to the client encrypted under the client's public key:¶
encrypted_S = XOR(S, SHA-256(clientPubKey))¶
The client recovers S:¶
S = XOR(encrypted_S, SHA-256(privKey))¶
Alternative delivery mechanisms (e.g., direct TLS-protected transport, envelope encryption) are permitted provided confidentiality and integrity of S are maintained.¶
The client MUST store S in one of the following:¶
The client MUST NOT store S in plaintext on disk or in environment variables.¶
The RSK MUST be stored in an HSM or secrets manager. RSK rotation is supported: the server MUST accept tokens derived from the previous RSK for a grace period equal to NonceTTL (default: 90 seconds) after rotation. During this period, both old and new RSK values are tried during verification.¶
The client computes the time band index:¶
T = floor(unix_seconds / TBandSeconds)¶
T is encoded as an 8-byte big-endian unsigned integer (T_bytes).¶
The context fingerprint binds the token to the specific request:¶
ctx = SHA-256(method || 0x00 || path || 0x00 || orgID || 0x00 || scope)¶
Null byte (0x00) separators prevent field boundary ambiguity. For example, without separators, method="GETX" path="Y" and method="GET" path="XY" would produce the same hash input.¶
K1 = HMAC-SHA-256(S, T_bytes || ctx)¶
K1 MUST be zeroed from memory immediately after K is derived.¶
The client generates a 16-byte random nonce:¶
R = CSPRNG(16)¶
K = HMAC-SHA-256(K1, R)¶
K MUST be zeroed from memory immediately after the signature is computed.¶
sig = HMAC-SHA-256(K, body)¶
For requests with no body (e.g., GET), body is the empty byte string. K MUST be zeroed after this step.¶
token = base64url_no_pad(R || sig)¶
R is 16 bytes and sig is 32 bytes, producing 48 bytes total, which encodes to exactly 64 base64url characters (no padding) per Section 5 of [RFC4648].¶
The client sets the following HTTP headers on the request:¶
| Header | Value |
|---|---|
| X-SURADAR-Auth | token (64 base64url characters) |
| X-SURADAR-Client | clientID |
| X-SURADAR-TBand | T (decimal integer) |
The server extracts X-SURADAR-Auth, X-SURADAR-Client, and X-SURADAR-TBand from the request. If any header is absent, the server MUST respond with HTTP 401 Unauthorized.¶
The server computes T_server = floor(now / TBandSeconds) and checks:¶
|T_client - T_server| <= TBandSkew¶
If the time band is outside the acceptable skew window, the server MUST reject the request with HTTP 401.¶
The server looks up enrollNonce for the given clientID, then re-derives the seed:¶
S' = HMAC-SHA-256(RSK, clientID || enrollNonce)¶
During RSK rotation, the server MUST attempt verification with both the current and previous RSK values.¶
The server recomputes the context fingerprint and key chain from the actual HTTP request (method, path, orgID looked up from the client record, scope from application context):¶
ctx' = SHA-256(method || 0x00 || path || 0x00 || orgID || 0x00 || scope) K1' = HMAC-SHA-256(S', T_bytes || ctx') K' = HMAC-SHA-256(K1', R_from_token)¶
The server MUST NOT use any client-supplied values for method, path, or orgID in this computation.¶
expected = HMAC-SHA-256(K', body) valid = constant_time_equal(sig_from_token, expected)¶
The comparison MUST use a constant-time equality function to prevent timing side-channel attacks. K' MUST be zeroed after use.¶
Replay checking MUST occur after HMAC verification succeeds. This ordering prevents an attacker from poisoning the nonce store with garbage tuples.¶
The server checks the tuple (T, ctx, R) against the nonce store. If the tuple is already present, the request is a replay and MUST be rejected with HTTP 401.¶
The nonce store entry TTL MUST be at least (TBandSkew + 1) * TBandSeconds seconds. With defaults, this is (1 + 1) * 30 = 60 seconds. A default of 90 seconds is RECOMMENDED to account for clock drift.¶
The nonce store provides a single operation:¶
Check(T, ctx, R) -> OK | REPLAY¶
The store MUST be concurrent-safe. Entries MUST expire after NonceTTL seconds (default: 90).¶
A Bloom filter implementation is RECOMMENDED for single-server deployments. The following parameters provide approximately 0.01% false positive rate:¶
The implementation uses dual-rotating filters: the active filter receives new entries, while the previous filter is kept for the duration of NonceTTL before being cleared and rotated.¶
Hash functions for the Bloom filter are derived from SHA-256 of the (T, ctx, R) tuple by splitting the 256-bit output into segments.¶
For distributed deployments, a Redis SETNX with TTL equal to NonceTTL is RECOMMENDED:¶
key = "suradar:nonce:" || hex(SHA-256(T || ctx || R)) result = SETNX(key, 1) EXPIRE(key, NonceTTL)¶
If SETNX returns 0 (key already exists), the request is a replay.¶
This document registers the following HTTP header fields:¶
The attacker is assumed to be able to observe network traffic (despite TLS, e.g., via compromised middlebox), capture tokens, and attempt to reuse them. The attacker cannot obtain the shared seed S or the Root Server Key RSK.¶
A captured token reveals R (not secret) and sig. The attacker cannot derive K without K1, cannot derive K1 without S, and cannot derive S without RSK. The blast radius of a stolen SURADAR token is exactly one request -- the request for which it was generated.¶
The scope is embedded in ctx, which is embedded in the K1 derivation. Changing the scope changes ctx, which changes K1, which changes K, which changes sig. An attacker cannot re-scope a captured token -- this is a cryptographic guarantee, not a policy check.¶
The HMAC signature covers the full request body. Any modification to the body invalidates the signature.¶
The replay check occurs after HMAC verification. An attacker who sends garbage tokens cannot poison the nonce store because those tokens will fail HMAC verification before the nonce is recorded.¶
Implementations MUST use constant-time comparison for HMAC verification. Implementations MUST zero all key material (K1, K) immediately after use to limit the window for memory-disclosure attacks.¶
| Material | Lifetime | Storage |
|---|---|---|
| RSK | Long-lived, rotatable | HSM / Vault |
| S | Client lifetime | OS keychain |
| K1 | ~microseconds | Memory only |
| K | ~microseconds | Memory only |
| R | Single request | Transmitted then discarded |
Both client and server clocks SHOULD be synchronized via NTP or an equivalent protocol. The TBandSkew parameter (default: 1) allows for minor clock drift by accepting tokens from adjacent time bands.¶
K1 is derived from the time band T. Once a time band expires, the corresponding K1 cannot be recomputed without the seed S and the exact time band value. Past tokens are unrecoverable without the R values, which are ephemeral and not stored by the server after replay checking.¶
| Property | RFC 9421 | SURADAR |
|---|---|---|
| Key per request | Same key | Unique key |
| Context in key | No (in signature input) | Yes (in key derivation) |
| Body coverage | Optional | Always |
| Token size | Variable (large) | Fixed (48 bytes) |
| Asymmetric support | Yes | No |
| Replay prevention | Not specified | Built-in |
This document requests registration of the following HTTP authentication scheme in the "HTTP Authentication Scheme Registry" established by [RFC9421]:¶
This document requests registration of the following HTTP header fields in the "Hypertext Transfer Protocol (HTTP) Field Name Registry":¶
IANA is requested to create a new registry titled "SURADAR Algorithm Registry" with the following initial entry, under the registration policy of Specification Required [RFC8126]:¶
| Algorithm Name | HMAC Function | Hash Function | Reference |
|---|---|---|---|
| SURADAR-SHA256 | HMAC-SHA-256 | SHA-256 | This document |
Input parameters:¶
method = "GET" path = "/api/v1/findings" orgID = "acme-corp" scope = "api:read"¶
Concatenated input (hex):¶
474554 # "GET" 00 # separator 2f6170692f76312f66696e64696e6773 # "/api/v1/findings" 00 # separator 61636d652d636f7270 # "acme-corp" 00 # separator 6170693a72656164 # "api:read"¶
Context fingerprint:¶
ctx = SHA-256(above) = e3b7a0... (implementors: compute from the above byte sequence)¶
Input parameters:¶
seed = 0x0102030405060708090a0b0c0d0e0f10
1112131415161718191a1b1c1d1e1f20 (32 bytes)
clientID = "ci-runner-01"
orgID = "acme-corp"
method = "GET"
path = "/api/v1/findings"
scope = "api:read"
body = "" (empty)
unix_ts = 1709769600
TBandSeconds = 30
R = 0xdeadbeefdeadbeefdeadbeefdeadbeef (16 bytes, fixed for test)
¶
Derivation steps:¶
T = floor(1709769600 / 30) = 56992320
T_bytes = 0x0000000003660000 (8-byte big-endian)
ctx = SHA-256("GET" || 0x00 || "/api/v1/findings" || 0x00
|| "acme-corp" || 0x00 || "api:read")
K1 = HMAC-SHA-256(seed, T_bytes || ctx)
K = HMAC-SHA-256(K1, R)
sig = HMAC-SHA-256(K, "")
token = base64url_no_pad(R || sig)
¶
Implementors MUST verify that their implementation produces identical intermediate values at each step.¶
Implementations in different languages MUST produce byte-identical output for identical inputs. In particular:¶
| Attack | Bearer | JWT | JWT+JTI | SURADAR |
|---|---|---|---|---|
| Token Replay | VULN | VULN | RESIST | RESIST |
| Scope Escalation | VULN | VULN | VULN | RESIST |
| Cross-Org Abuse | VULN | VULN | VULN | RESIST |
| Body Tampering | VULN | VULN | VULN | RESIST |
| Method Swap | VULN | VULN | VULN | RESIST |
| Path Swap | VULN | VULN | VULN | RESIST |
| Stolen Token Blast | VULN | VULN | VULN | RESIST |
| Score | 0/7 | 0/7 | 2/7 | 7/7 |
Benchmarks measured on Apple M3, Go 1.26.1, single-threaded, 1000 iterations, median values:¶
| Metric | Bearer | JWT | JWT+JTI | SURADAR |
|---|---|---|---|---|
| Generation | 729 ns | 1024 ns | 1024 ns | 1298 ns |
| Verification | 52 ns | 1107 ns | 1868 ns | 1630 ns |
| Token size | 32 B | 195 B | 236 B | 82 B |
| Security score | 0/7 | 0/7 | 2/7 | 7/7 |