A Secure Cookie Protocol
Alex X. Liu, Department of Computer Sciences, The University of Texas at Austin
Co-authors: Jason M. Kovacs (UT), Chin-Tser Huang (Univ. of South Carolina), Mohamed G. Gouda (UT)

HTTP is stateless
Request/response

Web Application is Stateful
Shopping cart

Web Authentication

Cookie
Cookie: data that records state of clients
Cookies need to be secure
Browser/Server exchange:
─ Browser → Server: first request (user/password)
─ Server: verify user/password
─ Server → Browser: response (cookie)
─ Browser → Server: subsequent request (cookie)
─ Server: verify cookie; if necessary, create a new cookie
─ Server → Browser: response (new cookie)
─ …

Security Requirements of Cookies
Authentication
─ Login phase: verify client by password
─ Subsequent-requests phase: verify client by cookie
Confidentiality
─ Observation: only the server needs to read cookie content!
─ Low-level: only server and client can read cookie content
─ High-level: only server can read cookie content
Integrity
─ Detect modified cookies
Anti-replay
─ Detect stolen cookies

Efficiency Requirements
No database lookup in verifying a cookie

State of the art
Fu’s cookie scheme [Fu et al. 2001]:
user name|expiration time|data|HMAC( user name|expiration time|data, server key )
Three security problems:
─ Lack of confidentiality
─ Replay attacks
─ Volume attacks

Confidentiality
Lack of high-level confidentiality. Use server key?
[Xu et al. 2002]: store 1 key/user in database
─ Database lookup is inefficient
[Park & Sandhu 2000]: store unique key in cookie
─ Problem: public key cryptography is inefficient
Our solution: use HMAC( user name|expiration time, server key ) as the encryption key
user name|expiration time|data|HMAC( user name|expiration time|data, server key )

Replay attacks
To launch replay attacks
─ Steal someone’s cookie (using Trojans, worms, etc.)
─ Replay the cookie
Our solution: make cookie session dependent
user name|expiration time|(data)_k|HMAC( user name|expiration time|data, server key )
k = HMAC( user name|expiration time, server key )
user name|expiration time|(data)_k|HMAC( user name|expiration time|data|session key, server key )
k = HMAC( user name|expiration time, server key )

Volume attacks
Same server key for all cookies – not safe
[Fu 2001] suggests changing server keys periodically
─ For some cookies, we have to verify twice
Our solution: replace server key by encryption key
user name|expiration time|(data)_k|HMAC( user name|expiration time|data|session key, server key )
k = HMAC( user name|expiration time, server key )
user name|expiration time|(data)_k|HMAC( user name|expiration time|data|session key, k )
k = HMAC( user name|expiration time, server key )
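
The final cookie format from the Confidentiality, Replay attacks and Volume attacks slides, written out as an added example (not code from the original slides or their authors). Assumptions: HMAC-SHA256 as the HMAC, hex encoding of the binary fields, an XOR keystream as a standard-library stand-in for the cipher, and constructed keys and function names.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"constructed-server-key"  # constructed sample value
SESSION_A = b"ssl-session-key-A"        # constructed stand-in for the SSL session key
SESSION_B = b"ssl-session-key-B"        # a different session, as seen when a cookie is replayed

def _mac(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def _crypt(k, data):
    # Assumption: stand-in cipher. XOR with an HMAC-SHA256 counter keystream keeps the
    # example standard-library only; a deployment would use a vetted cipher such as AES.
    stream = b"".join(_mac(k, b"keystream" + i.to_bytes(4, "big"))
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def make_cookie(user, expires, data, session_key, server_key=SERVER_KEY):
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    head = f"{user}|{expires}".encode()
    k = _mac(server_key, head)  # k = HMAC(user name|expiration time, server key)
    tag = _mac(k, head + b"|" + data + b"|" + session_key)
    return f"{user}|{expires}|{_crypt(k, data).hex()}|{tag.hex()}"

def verify_cookie(cookie, session_key, server_key=SERVER_KEY, now=None):
    """Return the decrypted data, or None if the cookie is malformed, expired or invalid."""
    try:
        user, expires, enc_hex, tag_hex = cookie.split("|")
        expiry, enc, tag = int(expires), bytes.fromhex(enc_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None
    if expiry < (time.time() if now is None else now):
        return None
    head = f"{user}|{expires}".encode()
    k = _mac(server_key, head)  # recomputed from the cookie itself: no database lookup
    data = _crypt(k, enc)
    expected = _mac(k, head + b"|" + data + b"|" + session_key)
    return data if hmac.compare_digest(tag, expected) else None
```

Because k depends on the user name and expiration time, editing either field changes the key, so the same HMAC check rejects a modified cookie and a cookie presented on a different session.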
512MB RAM, Windows server 2003 standard edition, IIS 6.0, PHP 4.3.10, MySQL 2.23
Client: 2.8 GHz Pentium 4, 512 MB RAM, Red Hat 3.0
Link: dedicated gigabit link, RTT=0.9ms
Server creates a new cookie for each request
End-to-end latency:
─ (1) time for transferring request with cookie to server
─ (2) time for verifying the cookie
─ (3) time for creating a new cookie
─ (4) time for transferring response with new cookie to client

Results: impacts on client
[Bar chart. Y-axis: Client: average latency over SSL (ms). Bar values as extracted: 39.11, 42.66, 43, 45.36, 45.89. Legend: Insecure Cookie Protocol; Fu's Cookie Protocol with Low-level Confidentiality; Our Cookie Protocol with Low-level Confidentiality; Fu's Cookie Protocol with High-level Confidentiality; Our Cookie Protocol with High-level Confidentiality.]

Results: impacts on server
[Bar chart. Y-axis: Server: average processing time: verifying a cookie + creating a cookie (ms). Bar values as extracted: 0.75, 1.74, 1.89, 3.99, 4.24. Legend: Insecure Cookie Protocol; Fu's Cookie Protocol with Low-level Confidentiality; Our Cookie Protocol with Low-level Confidentiality; Fu's Cookie Protocol with High-level Confidentiality; Our Cookie Protocol with High-level Confidentiality.]

Contributions
Discover 3 problems in state-of-the-art cookie protocol
Propose a cookie protocol that solves those problems