Transcript A Secure Cookie Protocol Alex X. Liu
A Secure Cookie Protocol
Alex X. Liu Department of Computer Sciences The University of Texas at Austin Co-authors: Jason M. Kovacs (UT), Chin-Tser Huang (Univ. of South Carolina), Mohamed G. Gouda (UT)
Department of Computer Sciences The University of Texas at Austin
Request/ response
HTTP is stateless
Alex X. Liu The University of Texas at Austin 2
Web Application is Stateful
Shopping cart Alex X. Liu The University of Texas at Austin 3
Web Authentication Alex X. Liu The University of Texas at Austin 4
Cookie
Cookie: data that records state of clients
Browser Server verify user/password verify cookie; if necessary, create a new cookie Cookies need to be secure Alex X. Liu The University of Texas at Austin 5
Security Requirements of Cookies
Authentication ─ ─ Login phase: verify client by password Subsequent-requests phase: verify client by cookie Confidentiality ─ ─ ─ Observation: only server need to read cookie content!
Low-level: only server and client can read cookie content High-level: only server can read cookie content Integrity ─ Detect modified cookies Anti-replay ─ Detect stolen cookies Alex X. Liu The University of Texas at Austin 6
Efficiency Requirements
No database lookup in verifying a cookie Alex X. Liu The University of Texas at Austin 7
State of the art
Fu’s cookie scheme:[Fu et al. 2001] user name|expiration time|data| HMAC( user name|expiration time|data, server key ) Three security problems: ─ ─ ─ Lack of confidentiality Replay attacks Volume attacks Alex X. Liu The University of Texas at Austin 8
Confidentiality
user name|expiration time|data| HMAC( user name|expiration time|data, server key ) Lack of high-level confidentiality.
Use server key?
[Xu et al. 2002]: store 1 key/user in database ─ Database lookup is inefficient [Park & Sandhu 2000]: store unique key in cookie ─ Problem: public key cryptography is inefficient Our solution: use HMAC( user name|expiration time, server key ) as the encryption key Alex X. Liu The University of Texas at Austin 9
Replay attacks
user name|expiration time|(data)
k
| HMAC( user name|expiration time|data, server key )
k
= HMAC( user name|expiration time, server key ) To launch replay attacks ─ Steal someone’s cookie (using Trojans, worms, etc) ─ Replay the cookie Our Solution: make cookie session dependent user name|expiration time|(data)
k
| HMAC( user name|expiration time|data|
session key
, server key )
k
= HMAC( user name|expiration time, server key ) Alex X. Liu The University of Texas at Austin 10
Volume attacks
user name|expiration time|(data)
k
| HMAC( user name|expiration time|data|session key, server key )
k
= HMAC( user name|expiration time, server key ) Same server key for all cookies – not safe [Fu 2001] suggests to change server keys periodically ─ For some cookies, we have to verify twice Our Solution: replace server key by encryption key user name|expiration time|(data)
k
| HMAC( user name|expiration time|data|session key,
k
)
k
= HMAC( user name|expiration time, server key ) Alex X. Liu The University of Texas at Austin 11
Implementation
Keyed-hash msg auth code: HMAC-SHA1 Encryption: Rijndael-256 algorithm Server key: 160 bits HMAC-SHA1 output: 320 bits Implemented 5 protocols: ─ ─ Insecure cookie protocol Fu’s cookie protocol with low-level confidentiality ─ ─ ─ Our cookie protocol with low-level confidentiality Fu’s cookie protocol with high-level confidentiality Our cookie protocol with high-level confidentiality Fu’s cookie protocol with high-level confidentiality: use the server key to encrypt data Alex X. Liu The University of Texas at Austin 12
Setup
Server: medium-load server, 2.4 GHz Celeron, 512MB RAM, Windows server 2003 standard edition, IIS 6.0, PHP 4.3.10, MySQL 2.23
Client: 2.8 GHz Pentium 4, 512 MB RAM, Red Hat 3.0
Link: dedicated gigabit link, RRT=0.9ms
Server creates a new cookie for each request End-to-end latency: ─ ─ ─ ─ (1) time for transferring request with cookie to server (2) time for verifying the cookie (3) time for creating a new cookie (4) time for transferring response with new cookie to client Alex X. Liu The University of Texas at Austin 13
Results: impacts on client
Alex X. Liu
70 60 50 40 Insecure Cookie Protocol Fu's Cookie Protocol with Low-level Confidentiality Our Cookie Protocol with Low-level Confidentiality Fu's Cookie Protocol with High-level Confidentiality Our Cookie Protocol with High-level Confidentiality 45.36
45.89
42.66
43 39.11
30 20 10 0
The University of Texas at Austin 14
Results: impacts on server
7 6 5 Insecure Cookie Protocol Fu's Cookie Protocol with Low-level Confidentiality Our Cookie Protocol with Low-level Confidentiality Fu's Cookie Protocol with High-level Confidentiality Our Cookie Protocol with High-level Confidentiality 4.24
3.99
4 3 2 1 0 0.75
1.74
1.89
Alex X. Liu The University of Texas at Austin 15
Contributions
Discover 3 problems in state-of-art cookie protocol Propose a cookie protocol that solves those problems Conduct performance evaluation and comparison Conclusion: ─ ─ Security: better Performance: close Alex X. Liu The University of Texas at Austin 16