A Secure Cookie Protocol

Alex X. Liu, Department of Computer Sciences, The University of Texas at Austin

Co-authors: Jason M. Kovacs (UT), Chin-Tser Huang (Univ. of South Carolina), Mohamed G. Gouda (UT)

Dec 21, 2015


HTTP is stateless

[Figure: request/response]


Web Application is Stateful

Shopping cart


Web Authentication


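Cookie

Cookie: data that records state of clients

Cookies need to be secure

Message flow between browser and server:
─ Browser → Server: first request (user/password)
─ Server: verify user/password
─ Server → Browser: response (cookie)
─ Browser → Server: subsequent request (cookie)
─ Server: verify cookie; if necessary, create a new cookie
─ Server → Browser: response (new cookie)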


Security Requirements of Cookies

Authentication
─ Login phase: verify client by password
─ Subsequent-requests phase: verify client by cookie

Confidentiality
─ Observation: only the server needs to read cookie content!
─ Low-level: only server and client can read cookie content
─ High-level: only server can read cookie content

Integrity
─ Detect modified cookies

Anti-replay
─ Detect stolen cookies


Efficiency Requirements

No database lookup in verifying a cookie


State of the art

Fu's cookie scheme [Fu et al. 2001]:

user name|expiration time|data|HMAC( user name|expiration time|data, server key )

Three security problems:
─ Lack of confidentiality
─ Replay attacks
─ Volume attacks


Confidentiality

Lack of high-level confidentiality.

Use server key?

[Xu et al. 2002]: store 1 key/user in database
─ Database lookup is inefficient

[Park & Sandhu 2000]: store unique key in cookie
─ Problem: public key cryptography is inefficient

Our solution: use HMAC( user name|expiration time, server key ) as the encryption key

user name|expiration time|data|HMAC( user name|expiration time|data, server key )


Replay attacks

To launch replay attacks
─ Steal someone's cookie (using Trojans, worms, etc.)
─ Replay the cookie

Our Solution: make cookie session dependent

Before:
user name|expiration time|(data)k|HMAC( user name|expiration time|data, server key )
k = HMAC( user name|expiration time, server key )

After:
user name|expiration time|(data)k|HMAC( user name|expiration time|data|session key, server key )
k = HMAC( user name|expiration time, server key )


Volume attacks

Same server key for all cookies – not safe

[Fu 2001] suggests changing server keys periodically
─ For some cookies, we have to verify twice

Our Solution: replace server key by encryption key

Before:
user name|expiration time|(data)k|HMAC( user name|expiration time|data|session key, server key )
k = HMAC( user name|expiration time, server key )

After:
user name|expiration time|(data)k|HMAC( user name|expiration time|data|session key, k )
k = HMAC( user name|expiration time, server key )
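
The final cookie format above, as an added example that is not code from the slides or their authors: it creates and verifies a cookie with no database lookup and rejects modified, expired, or cross-session cookies. Assumptions: HMAC-SHA256 and a SHAKE-256 keystream stand in for HMAC-SHA1 and Rijndael-256 so the code runs on the Python standard library alone, a random nonce is prepended to the ciphertext, fields are hex-encoded, the function names are hypothetical, and `session_key` is a per-session secret supplied by the SSL/TLS layer.

```python
import hashlib, hmac, os, time

SERVER_KEY = os.urandom(20)  # 160-bit server key; generated here for the demo

def _mac(key, *fields):
    # Hex-encode each field so the "|" separator can never be ambiguous.
    msg = b"|".join(f.hex().encode() for f in fields)
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor_stream(k, nonce, data):
    # Stand-in cipher (assumption): SHAKE-256 keystream XORed with the data.
    ks = hashlib.shake_256(k + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_cookie(user, expires, data, session_key):
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    u, e = user.encode(), str(expires).encode()
    k = _mac(SERVER_KEY, u, e)                # k = HMAC(user|expiration, server key)
    nonce = os.urandom(16)                    # fresh per cookie: k repeats for same user/expiry
    ct = nonce + _xor_stream(k, nonce, data)  # (data)k
    tag = _mac(k, u, e, data, session_key)    # HMAC(user|exp|data|session key, k)
    return "|".join([user, str(expires), ct.hex(), tag.hex()])

def verify_cookie(cookie, session_key, now=None):
    """Return the decrypted data, or None if the cookie must be rejected."""
    try:
        user, exp, ct_hex, tag_hex = cookie.split("|")
        expires, ct, tag = int(exp), bytes.fromhex(ct_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None                           # malformed cookie
    if expires < (time.time() if now is None else now) or len(ct) < 16:
        return None                           # expired or truncated
    u, e = user.encode(), exp.encode()
    k = _mac(SERVER_KEY, u, e)                # recomputed from the cookie, no lookup
    data = _xor_stream(k, ct[:16], ct[16:])
    if not hmac.compare_digest(tag, _mac(k, u, e, data, session_key)):
        return None                           # modified, or replayed in another session
    return data
```

Because k is derived from the user name and expiration time, changing either field in a stolen cookie yields a different k and the tag check fails.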


Implementation

Keyed-hash message authentication code: HMAC-SHA1
Encryption: Rijndael-256 algorithm
Server key: 160 bits
HMAC-SHA1 output: 320 bits

Implemented 5 protocols:
─ Insecure cookie protocol
─ Fu's cookie protocol with low-level confidentiality
─ Our cookie protocol with low-level confidentiality
─ Fu's cookie protocol with high-level confidentiality
─ Our cookie protocol with high-level confidentiality

Fu's cookie protocol with high-level confidentiality: use the server key to encrypt data


Setup

Server: medium-load server, 2.4 GHz Celeron, 512 MB RAM, Windows Server 2003 Standard Edition, IIS 6.0, PHP 4.3.10, MySQL 2.23

Client: 2.8 GHz Pentium 4, 512 MB RAM, Red Hat 3.0

Link: dedicated gigabit link, RTT = 0.9 ms

Server creates a new cookie for each request

End-to-end latency:
─ (1) time for transferring request with cookie to server
─ (2) time for verifying the cookie
─ (3) time for creating a new cookie
─ (4) time for transferring response with new cookie to client


Results: impacts on client

[Bar chart. Y-axis: Client: average latency over SSL (ms), scale 0 to 70. Data labels: 39.11, 42.66, 43, 45.36, 45.89.]

Legend:
─ Insecure Cookie Protocol
─ Fu's Cookie Protocol with Low-level Confidentiality
─ Our Cookie Protocol with Low-level Confidentiality
─ Fu's Cookie Protocol with High-level Confidentiality
─ Our Cookie Protocol with High-level Confidentiality


Results: impacts on server

[Bar chart. Y-axis: Server: average processing time: verifying a cookie + creating a cookie (ms), scale 0 to 7. Data labels: 0.75, 1.74, 1.89, 3.99, 4.24.]

Legend:
─ Insecure Cookie Protocol
─ Fu's Cookie Protocol with Low-level Confidentiality
─ Our Cookie Protocol with Low-level Confidentiality
─ Fu's Cookie Protocol with High-level Confidentiality
─ Our Cookie Protocol with High-level Confidentiality


Contributions

Discover 3 problems in the state-of-the-art cookie protocol

Propose a cookie protocol that solves those problems

Conduct performance evaluation and comparison

Conclusion:
─ Security: better
─ Performance: close