Post on 21-Dec-2015
Department of Computer Sciences
The University of Texas at Austin
A Secure Cookie Protocol
Alex X. Liu, Department of Computer Sciences, The University of Texas at Austin
Co-authors: Jason M. Kovacs (UT), Chin-Tser Huang (Univ. of South Carolina), Mohamed G. Gouda (UT)
Alex X. Liu The University of Texas at Austin 5
Cookie
Cookie: data that records state of clients
Cookies need to be secure
Browser → Server: first request (user/password)
Server: verify user/password
Server → Browser: response (cookie)
Browser → Server: subsequent request (cookie)
Server: verify cookie; if necessary, create a new cookie
Server → Browser: response (new cookie)
…
Security Requirements of Cookies
Authentication
─ Login phase: verify client by password
─ Subsequent-requests phase: verify client by cookie
Confidentiality
─ Observation: only the server needs to read cookie content!
─ Low-level: only server and client can read cookie content
─ High-level: only server can read cookie content
Integrity
─ Detect modified cookies
Anti-replay
─ Detect stolen cookies
Efficiency Requirements
No database lookup in verifying a cookie
State of the art
Fu’s cookie scheme [Fu et al. 2001]:
user name|expiration time|data|HMAC( user name|expiration time|data, server key )
Three security problems:
─ Lack of confidentiality
─ Replay attacks
─ Volume attacks
Confidentiality
Lack of high-level confidentiality. Use server key?
[Xu et al. 2002]: store 1 key/user in database
─ Database lookup is inefficient
[Park & Sandhu 2000]: store unique key in cookie
─ Problem: public key cryptography is inefficient
Our solution: use HMAC( user name|expiration time, server key ) as the encryption key
user name|expiration time|data|HMAC( user name|expiration time|data, server key )
Replay attacks
To launch replay attacks
─ Steal someone’s cookie (using Trojans, worms, etc.)
─ Replay the cookie
Our Solution: make cookie session dependent
user name|expiration time|(data)k|HMAC( user name|expiration time|data, server key )
k = HMAC( user name|expiration time, server key )
user name|expiration time|(data)k|HMAC( user name|expiration time|data|session key, server key )
k = HMAC( user name|expiration time, server key )
Volume attacks
Same server key for all cookies – not safe
[Fu 2001] suggests changing server keys periodically
─ For some cookies, we have to verify twice
Our Solution: replace server key by encryption key
user name|expiration time|(data)k|HMAC( user name|expiration time|data|session key, server key )
k = HMAC( user name|expiration time, server key )
user name|expiration time|(data)k|HMAC( user name|expiration time|data|session key, k )
k = HMAC( user name|expiration time, server key )
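
An added example, not taken from the slides or from the authors' implementation, that creates and verifies the final cookie format above without any database lookup. Here (data)k is read as data encrypted under k; the function names, the hex field encoding, the sample keys, and the HMAC-based keystream standing in for Rijndael are assumptions of this sketch.

```python
import hashlib
import hmac
import time

SERVER_KEY = b"\x11" * 20  # constructed 160-bit sample key, never a real secret

def _mac(key, msg):
    """HMAC-SHA1, the keyed hash named on the Implementation slide."""
    return hmac.new(key, msg, hashlib.sha1).digest()

def _stream(key, data):
    # ASSUMPTION: stand-in for Rijndael so the example runs on the standard
    # library alone. It reuses its keystream for equal (user, expiry) pairs,
    # so a deployment would use a real cipher mode with a fresh IV.
    out = bytearray()
    for i in range(0, len(data), 20):
        pad = _mac(key, b"enc" + i.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[i:i + 20], pad))
    return bytes(out)

def create_cookie(user, expires, data, session_key):
    """Build user|expiry|(data)k|HMAC(user|expiry|data|session key, k)."""
    head = f"{user}|{expires}".encode()  # assumes user names contain no "|"
    k = _mac(SERVER_KEY, head)  # k = HMAC(user name|expiration time, server key)
    tag = _mac(k, head + b"|" + data + b"|" + session_key)
    return f"{user}|{expires}|{_stream(k, data).hex()}|{tag.hex()}"

def verify_cookie(cookie, session_key, now=None):
    """Return the decrypted data, or None if the cookie must be rejected."""
    try:
        user, expires, enc_hex, tag_hex = cookie.split("|")
        expiry = int(expires)
        enc, tag = bytes.fromhex(enc_hex), bytes.fromhex(tag_hex)
    except ValueError:
        return None  # malformed cookie
    if expiry < (time.time() if now is None else now):
        return None  # expired
    head = f"{user}|{expires}".encode()
    k = _mac(SERVER_KEY, head)  # re-derived from the cookie itself: no lookup
    data = _stream(k, enc)
    expected = _mac(k, head + b"|" + data + b"|" + session_key)
    # Constant-time compare; fails for modified fields or a different session.
    return data if hmac.compare_digest(tag, expected) else None
```
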
Implementation
Keyed-hash message authentication code: HMAC-SHA1
Encryption: Rijndael-256 algorithm
Server key: 160 bits
HMAC-SHA1 output: 320 bits
Implemented 5 protocols:
─ Insecure cookie protocol
─ Fu’s cookie protocol with low-level confidentiality
─ Our cookie protocol with low-level confidentiality
─ Fu’s cookie protocol with high-level confidentiality
─ Our cookie protocol with high-level confidentiality
Fu’s cookie protocol with high-level confidentiality: use the server key to encrypt data
Setup
Server: medium-load server, 2.4 GHz Celeron, 512MB RAM, Windows Server 2003 Standard Edition, IIS 6.0, PHP 4.3.10, MySQL 2.23
Client: 2.8 GHz Pentium 4, 512 MB RAM, Red Hat 3.0
Link: dedicated gigabit link, RTT=0.9ms
Server creates a new cookie for each request
End-to-end latency:
─ (1) time for transferring request with cookie to server
─ (2) time for verifying the cookie
─ (3) time for creating a new cookie
─ (4) time for transferring response with new cookie to client
Results: impacts on client
[Bar chart; y-axis: Client: average latency over SSL (ms); bar labels as extracted: 39.11, 42.66, 43, 45.36, 45.89]
Legend:
Insecure Cookie Protocol
Fu's Cookie Protocol with Low-level Confidentiality
Our Cookie Protocol with Low-level Confidentiality
Fu's Cookie Protocol with High-level Confidentiality
Our Cookie Protocol with High-level Confidentiality
Results: impacts on server
[Bar chart; y-axis: Server: average processing time: verifying a cookie + creating a cookie (ms); bar labels as extracted: 0.75, 1.74, 1.89, 3.99, 4.24]
Legend:
Insecure Cookie Protocol
Fu's Cookie Protocol with Low-level Confidentiality
Our Cookie Protocol with Low-level Confidentiality
Fu's Cookie Protocol with High-level Confidentiality
Our Cookie Protocol with High-level Confidentiality