A Secure Cookie Protocol Alex X. Liu


Alex X. Liu Department of Computer Sciences The University of Texas at Austin Co-authors: Jason M. Kovacs (UT), Chin-Tser Huang (Univ. of South Carolina), Mohamed G. Gouda (UT)


Request/response

HTTP is stateless


Web Application is Stateful

Shopping cart

Web Authentication

Cookie

Cookie: data that records state of clients

[Diagram: Browser, Server; verify user/password; verify cookie; if necessary, create a new cookie]

• Cookies need to be secure

Security Requirements of Cookies

• Authentication
  ─ Login phase: verify client by password
  ─ Subsequent-requests phase: verify client by cookie
• Confidentiality
  ─ Low-level: only server and client can read cookie content
  ─ High-level: only server can read cookie content
  ─ Observation: only the server needs to read cookie content!
• Integrity
  ─ Detect modified cookies
• Anti-replay
  ─ Detect stolen cookies

Efficiency Requirements

• No database lookup in verifying a cookie

State of the art

• Fu’s cookie scheme [Fu et al. 2001]:
    user name|expiration time|data|HMAC( user name|expiration time|data, server key )
• Three security problems:
  ─ Lack of confidentiality
  ─ Replay attacks
  ─ Volume attacks

Confidentiality

    user name|expiration time|data|HMAC( user name|expiration time|data, server key )

• Lack of high-level confidentiality.
• Use server key?
• [Xu et al. 2002]: store 1 key/user in database
  ─ Database lookup is inefficient
• [Park & Sandhu 2000]: store unique key in cookie
  ─ Problem: public key cryptography is inefficient
• Our solution: use HMAC( user name|expiration time, server key ) as the encryption key

Replay attacks

    user name|expiration time|(data)_k|HMAC( user name|expiration time|data, server key )
    k = HMAC( user name|expiration time, server key )

• To launch replay attacks
  ─ Steal someone’s cookie (using Trojans, worms, etc.)
  ─ Replay the cookie
• Our solution: make the cookie session dependent

    user name|expiration time|(data)_k|HMAC( user name|expiration time|data|session key, server key )
    k = HMAC( user name|expiration time, server key )

Volume attacks

    user name|expiration time|(data)_k|HMAC( user name|expiration time|data|session key, server key )
    k = HMAC( user name|expiration time, server key )

• Same server key for all cookies: not safe
• [Fu 2001] suggests changing server keys periodically
  ─ For some cookies, we have to verify twice
• Our solution: replace the server key with the encryption key

    user name|expiration time|(data)_k|HMAC( user name|expiration time|data|session key, k )
    k = HMAC( user name|expiration time, server key )
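The final cookie format built up over the Confidentiality, Replay attacks and Volume attacks slides, as an added Python example (not the authors' implementation): k is derived from user name and expiration time, the data is encrypted under k, and the HMAC is keyed with k and covers the session key. Assumptions: the names `create_cookie` and `verify_cookie`, the constructed `SERVER_KEY`, a length-prefixed MAC input, an HMAC-SHA1 keystream standing in for Rijndael-256 so that only the standard library is needed, and `session_key` as a caller-supplied per-session value (the slides do not say how it is obtained).

```python
import hmac, hashlib, time
from base64 import urlsafe_b64encode as b64e, urlsafe_b64decode as b64d

SERVER_KEY = bytes(range(20))  # constructed 160-bit server key for the demo

def _mac(key: bytes, *parts: bytes) -> bytes:
    # HMAC-SHA1 over length-prefixed parts (assumption), so field boundaries are unambiguous
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor_stream(k: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA1 counter keystream XORed with the data.
    # The slides use Rijndael-256; this keeps the example stdlib-only.
    out = bytearray()
    for i in range(0, len(data), 20):
        pad = hmac.new(k, b"enc" + i.to_bytes(8, "big"), hashlib.sha1).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], pad))
    return bytes(out)

def create_cookie(user: str, expires: int, data: bytes, session_key: bytes) -> str:
    if "|" in user:
        raise ValueError("user name must not contain the field separator")
    u, e = user.encode(), str(expires).encode()
    k = _mac(SERVER_KEY, u, e)              # k = HMAC(user name|expiration time, server key)
    tag = _mac(k, u, e, data, session_key)  # HMAC(user|expiry|data|session key, k)
    return "|".join([user, str(expires), b64e(_xor_stream(k, data)).decode(), tag.hex()])

def verify_cookie(cookie: str, session_key: bytes, now=None):
    """Return the decrypted data, or None if the cookie must be rejected."""
    try:
        user, exp, enc, tag = cookie.split("|")
        expires, ct, tag = int(exp), b64d(enc), bytes.fromhex(tag)
    except ValueError:
        return None                          # malformed cookie
    if expires < (time.time() if now is None else now):
        return None                          # expired
    u, e = user.encode(), exp.encode()
    k = _mac(SERVER_KEY, u, e)               # recomputed from the cookie itself: no database lookup
    data = _xor_stream(k, ct)
    if not hmac.compare_digest(tag, _mac(k, u, e, data, session_key)):
        return None                          # modified, or replayed in another session
    return data

if __name__ == "__main__":
    c = create_cookie("alice", 2_000_000_000, b"cart=42", b"session-A")  # constructed values
    print(verify_cookie(c, b"session-A", now=0))   # presented in the session it was issued for
    print(verify_cookie(c, b"session-B", now=0))   # same cookie presented in another session
```

Because k depends only on user name and expiration time, two cookies issued to the same user with the same expiry share k. With a keystream or counter-mode cipher that calls for a per-cookie nonce, which the slides' format does not include.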

Implementation

• Keyed-hash message authentication code: HMAC-SHA1
• Encryption: Rijndael-256 algorithm
• Server key: 160 bits
• HMAC-SHA1 output: 320 bits
• Implemented 5 protocols:
  ─ Insecure cookie protocol
  ─ Fu’s cookie protocol with low-level confidentiality
  ─ Our cookie protocol with low-level confidentiality
  ─ Fu’s cookie protocol with high-level confidentiality
  ─ Our cookie protocol with high-level confidentiality
• Fu’s cookie protocol with high-level confidentiality: use the server key to encrypt data

Setup

• Server: medium-load server, 2.4 GHz Celeron, 512 MB RAM, Windows Server 2003 Standard Edition, IIS 6.0, PHP 4.3.10, MySQL 2.23
• Client: 2.8 GHz Pentium 4, 512 MB RAM, Red Hat 3.0
• Link: dedicated gigabit link, RTT = 0.9 ms
• Server creates a new cookie for each request
• End-to-end latency:
  ─ (1) time for transferring request with cookie to server
  ─ (2) time for verifying the cookie
  ─ (3) time for creating a new cookie
  ─ (4) time for transferring response with new cookie to client

Results: impacts on client

[Figure: bar chart, vertical axis from 0 to 70, one bar per protocol: Insecure Cookie Protocol; Fu's Cookie Protocol with Low-level Confidentiality; Our Cookie Protocol with Low-level Confidentiality; Fu's Cookie Protocol with High-level Confidentiality; Our Cookie Protocol with High-level Confidentiality. Bar labels as extracted, without their protocol assignment: 45.36, 45.89, 42.66, 43, 39.11.]

Results: impacts on server

[Figure: bar chart, vertical axis from 0 to 7, one bar per protocol: Insecure Cookie Protocol; Fu's Cookie Protocol with Low-level Confidentiality; Our Cookie Protocol with Low-level Confidentiality; Fu's Cookie Protocol with High-level Confidentiality; Our Cookie Protocol with High-level Confidentiality. Bar labels as extracted, without their protocol assignment: 4.24, 3.99, 0.75, 1.74, 1.89.]

Contributions

• Discover 3 problems in state-of-art cookie protocol
• Propose a cookie protocol that solves those problems
• Conduct performance evaluation and comparison
• Conclusion:
  ─ Security: better
  ─ Performance: close