Internet DRAFT - draft-barbato-scs
draft-barbato-scs
Network Working Group S. Barbato
Internet-Draft S. Dorigotti
Expires: March 9, 2007 T. Fossati
KoanLogic
September 5, 2006
SCS: Secure Cookie Sessions for HTTP
draft-barbato-scs-00
Status of this Memo
By submitting this Internet-Draft, each author represents that any
applicable patent or other IPR claims of which he or she is aware
have been or will be disclosed, and any of which he or she becomes
aware will be disclosed, in accordance with Section 6 of BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 9, 2007.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
This document provides an overview of SCS, a cryptographic protocol
aimed at the protection of "client-side" HTTP sessions, i.e. sessions
in which the application state is held entirely on the client in the
form of cookies [10].
Barbato, et al. Expires March 9, 2007 [Page 1]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
1. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [1].
Barbato, et al. Expires March 9, 2007 [Page 2]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
2. Introduction
SCS is a cryptographic protocol aimed at protecting "client-side"
HTTP sessions, i.e. sessions in which the application state (for
example, whether or not authentication credentials have been
provided) is held by the client in the form of cookies [10].
SCS allows HTTP servers to handle application-level sessions in a
completely stateless manner.
The server delegates the application state storage to the client
(browser) - which basically acts as a remote storage device. The
cryptographic transformations are applied to the state data so that
confidentiality and information authenticity attributes exchanged
between parties have the same characteristics as for typical "server-
side" sessions.
The following are a few scenarios in which SCS can be used:
1. devices with little or no storage - typically embedded devices -
which provide functionality such as software updates,
configuration, device monitoring, etc. via an HTTP interface;
2. web applications with HA or load balancing requirements, which
may delegate handling of the application state to clients instead
of using shared storage or forced peering.
Barbato, et al. Expires March 9, 2007 [Page 3]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
3. Protocol
The SCS protocol defines:
o a PDU, as a well-defined aggregate of cookies (Section 3.1);
o cryptographic transformations which manipulate the PDU fields
(Section 3.2);
o the HTTP-based PDU exchange model (Section 3.3)
Note that the PDU is transmitted to the client as an opaque data
block and no interpretation or validation is necessary. The single
requirement for client-side support of SCS is cookie activation on
the browser, so only the server is involved in the PDU manipulation
process.
In the following sections we define S to be one or more
interchangeable HTTP server entities (e.g. a server pool in a load-
balanced or HA environment) and C to be the client with a cookie-
enabled browser.
3.1. PDU Description
S and C exchange the same PDU (Section 3.3), which consists of a set
of cookies transformed into a single block by cryptographic
functions. Confidentiality is limited to the application state
information (i.e. SCS_DATA cookie), while integrity and
authentication apply to the entire PDU.
Cookie (name/value) length cannot exceed 4KB [10]. In practice, this
is only an application state data limit, although one can use as many
SCS_DATA cookies as required, where SCS_DATA{N} is the cookie
containing the n'th payload section of the session data (already
compressed and/or encrypted as required).
3.1.1. SCS_ATIME
Timestamp relating to the last read or write operation performed on
session data. This value is updated with each client contact
operation and is used to identify expired sessions. A session is
considered to be expired, and hence no longer valid, if the memorised
SCS_ATIME timestamp is older than the predefined time value
"session_max_age", which is chosen by S as an application-level
parameter.
Barbato, et al. Expires March 9, 2007 [Page 4]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
3.1.2. SCS_DATA
Block of encrypted and optionally compressed data, containing session
state, which may be stored as name=value pairs or with any other
semantics intelligible by the server. If the total size of SCS_DATA
exceeds 4KB, it is separated into N SCS_DATA{N} cookies, each 4KB in
size and so that the concatenation of their values in the order of
cookie name (1, 2, ..., N) yields the original SCS_DATA. The
specification [10] suggests that browsers accept at least twenty
cookies per server. It follows that the maximum size for the state
data block (possibly compressed) is 64KB (16 * 4KB).
3.1.3. SCS_TID
Unique identifier of the transform set (encryption and/or
authentication keys and possible encryption, authentication and
compression algorithms applied, etc.) used to generate this PDU. SCS
assumes that a key-agreement/distribution mechanism exists for
environments in which S consists of multiple servers (it may consist
of a simple key-refresh in the case |S|=1), which provides a unique
external identifier for each transform set defined and shared amongst
pool members. This identifier (equivalent to a SPI in a Data
Security SA [6]) is represented in the cookie value.
3.1.4. SCS_IV
Initialisation Vector used for the encryption algorithm
(Section 3.2). In order to avoid providing correlation information
to a possible attacker with access to a sample of SCS PDUs, the IV
MUST be created randomly for each PDU.
3.1.5. SCS_AUTHTAG
Authentication tag based on the concatenation of SCS_ATIME, SCS_DATA,
SCS_TID and SCS_IV.
3.2. Crypto Transform
SCS could potentially use any combination primitives capable of
performing authenticated encryption. In practice an encrypt-then-mac
approach [12] with CBC-mode encryption and HMAC [8] autentication was
chosen. The two algorithms MUST be associated with two independent
keys.
The possibility of using UMAC for authentication [9] was taken into
consideration, but priority was given to space over performance: the
nonce field transfer would require an extra cookie, therefore
reducing the space reserved to state information by another 4KB.
Barbato, et al. Expires March 9, 2007 [Page 5]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
The following conventions will be used in the algorithm description
(Section 3.2.5 and Section 3.2.4)
o Enc/Dec(): encryption/decryption functions (Section 3.2.1);
o HMAC(): authentication function (Section 3.2.1);
o Comp/Uncomp(): compression/decompression functions
(Section 3.2.2);
o e/d(): cookie value encoding/decoding functions (Section 3.2.3);
o '||': concatenation operator;
o RAND(): random number generator [5]
3.2.1. Cipher Suite
Implementors MUST support at least the following algorithms:
o AES-CBC-128 for encryption;
o HMAC-SHA1 with a 128 bit key for authenticity and integrity,
which appear to be sufficiently secure in a wide range of use cases
[11] and are widely available. One should consider using larger
cryptographic key lengths (192 or 256 bit) according to the actual
security and overall system performance requirements.
3.2.2. Compression
Compression, which may be useful or even necessary when handling
large quantities of data, is not compulsory (in such case Comp/Uncomp
are replaced by an identity matrix). DEFLATE [4] format support is
recommended if this function is enabled.
3.2.3. Cookie Encoding
base-64 [3] is used for encoding/decoding of cookie values. It is
quite efficient in terms of space occupation and is very wide-spread.
Barbato, et al. Expires March 9, 2007 [Page 6]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
3.2.4. Outbound Transform
The output data transformation as seen by the server (the only actor
which manipulates PDUs) is illustrated by the following pseudo-code:
1. iv = RAND()
2. atime = NOW
3. data = Enc(Comp(state))
4. tag = HMAC(data||atime||tid||iv)
NOW is defined as the current timestamp of the server clock. Since
the only user of the atime field is the server, it is unnecessary for
it to be synchronised with the client. However, if multiple servers
are active in a load-balancing configuration, clocks SHOULD be
synchronised to avoid errors in the calculation of session expiry.
Hence the SCS PDU fields are created as follows:
SCS_ATIME = e(atime)
SCS_AUTHTAG = e(tag)
SCS_DATA = e(data)
SCS_TID = e(tid)
SCS_IV = e(iv)
3.2.5. Inbound Transform
The inbound transformation is described by the following:
1. If (tid is available)
2. data' = d($SCS_DATA)
atime' = d($SCS_ATIME)
tid' = d($SCS_TID)
iv' = d($SCS_IV)
tag' = d($SCS_AUTHTAG)
3. tag = HMAC(data'||atime'||tid'||iv')
4. If (tag == tag' && NOW - atime' <= session_max_age)
5. state = Uncomp(Dec(data'))
6. Else discard PDU
7. Else discard PDU
If the cryptographic credentials (encryption and authentication keys
identified by SCS_TID) are unavailable (step 7.), the inbound PDU
cannot be interpreted correctly. This may happen for several
reasons: for example, if a device without storage is resetted and
loses the credentials stored in RAM, or if a server pool node
desynchronises, etc.
Note that step 4. allows any altered packets or expired sessions to
Barbato, et al. Expires March 9, 2007 [Page 7]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
be discarded, hence avoiding unnecessary state decryption and
decompression.
3.3. PDU Exchange
SCS can be modelled in the same manner as a typical store-and-forward
protocol, in which the endpoints are S, consisting of one or more
HTTP servers and the client C, a median node used to "temporarily"
store the data to be successively forwarded to S.
In brief, S and C exchange an immutable cookie data block
(Section 3.1): the state is stored on the client at the first hop and
then restored on the server at the second, as follows:
1. dump-state:
Set-Cookie: SCS_DATA=...;
expires=...; path=...;
domani=...;
S --> --> C
Set-Cookie: SCS_TID=...;
expires=...; path=...;
domain=...;
...
2. restore-state:
Cookie: SCS_DATA=...;
C --> Cookie: SCS_TID=...; --> S
...
Barbato, et al. Expires March 9, 2007 [Page 8]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
4. Key Management and Session State
This specification provides some common recommendations and praxis
relevant to cryptographic key management:
o the key SHOULD be generated securely following the randomness
recommendations in [5];
o the key length SHOULD be at least 128 bits;
o the key SHOULD only be used to generate and verify SCS PDUs;
o the key SHOULD be replaced regularly as well as any time the
format of SCS PDUs or cryptographic algorithms changes;
Furthermore, to preserve the validity of active HTTP sessions upon
renewal of cryptographic credentials (whenever the value of SCS_TID
changes), a SCS server MUST be capabale of managing at least two
transforms contemporarily: the currently instantiated one, and the
predecessor.
Each transform set is associated with an attribute pair: "refresh"
and "expiry", which is used to identify the exposure limits (in terms
of time or quantity of encrypted and/or authenticated bytes, etc) of
related cryptographic material.
In particular, the "refresh" attribute specifies the time limit for
substitution of transform set T with new material T'. From that
moment onwards, and for an amount of time determined by "expiry", all
new sessions will be created using T', while the active T-protected
ones go through a translation phase in which:
o the inbound transformation authenticates and decrypts/decompresses
using T (identified by SCS_TID);
o the outbound transformation encrypts/compresses and authenticates
using T'
T' {not valid yet} |---------------------|----------------
| translation stage |
T ----------------|---------------------| {no longer valid}
refresh refresh + expiry
Note that the duration of the HTTP session MUST fit within the
lifetime of a given transform set (i.e. from creation time until
"refresh" + "expiry"). In practice, this should not be an obstacle
because the longevity of the two entities (HTTP session and SCS
Barbato, et al. Expires March 9, 2007 [Page 9]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
transform set) should differ by one or two orders of magnitude.
An SCS server may take this into account by determining the duration
of a session adaptively according to the expected deletion time of
the active T, or by setting the "expiry" value to at least the
maximum lifetime allowed by an HTTP session.
Since there is only one refresh attribute also in situations with
more than one key (e.g. one for encryption and one for
authentication) within the same T, the smallest value is chosen.
Barbato, et al. Expires March 9, 2007 [Page 10]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
5. Security Considerations
From a cryptographic architecture perspective, the described
mechanism can be easily traced to an Encode-then-EtM scheme described
in [12]. Given a "provably-secure" encryption scheme and MAC (as for
the algorithms recommended in Section 3.2.1), [12] demonstrates that
their composition results in a secure authenticated encryption
scheme.
5.1. Server Side vs SCS
None of the common vulnerabilities of server-side sessions (SID
prediction, SID brute forcing, session fixation [13]) can be
exploited when using SCS, unless the attacker posesses encryption and
HMAC keys (both current ones and those relating to the previous set
of credentials).
However, there may still be some risk related to traffic interception
and reuse aimed at gaining the privileges of the intercepted user
(Replay Attack). In fact, as with server-side sessions, if an
attacker gains posession of a given user's cookies - via simple
passive interception or another technique - he/she will always be
able to restore the state of an intercepted session by representing
the captured data to the server. The SCS_ATIME cookie along with the
session_max_age configuration parameter can be used to mitigate the
chances of an attack (by forcing a time window outside of which a
given cookie is no longer valid), but cannot exclude it completely.
The only real countermeasures in this case can be taken at
application level (for example, by inserting a nonce within the state
information) or at transport/network level using SSL/TLS [2] or IPSEC
[7].
Barbato, et al. Expires March 9, 2007 [Page 11]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
6. References
6.1. Normative References
[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
Levels", BCP 14, RFC 2119, March 1997.
[2] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and
T. Wright, "Transport Layer Security (TLS) Extensions",
RFC 3546, June 2003.
[3] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings",
RFC 3548, July 2003.
[4] Deutsch, L., "DEFLATE Compressed Data Format Specification
version 1.3", RFC 1951, May 1996.
[5] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", RFC 4086, June 2005.
[6] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", RFC 3740, March 2004.
[7] Kent, S. and K. Seo, "Security Architecture for the Internet
Protocol", RFC 4301, December 2005.
[8] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing
for Message Authentication", RFC 2104, February 1997.
[9] Krovetz, T., "UMAC: Message Authentication Code using Universal
Hashing", RFC 4418, March 2006.
[10] Kristol, D. and L. Montulli, "HTTP State Management Mechanism",
RFC 2965, October 2000.
6.2. Informative References
[11] Bellare, M., "New Proofs for NMAC and HMAC: Security Without
Collision-Resistance", IACR 2006/043, 2006.
[12] Kohno, T., Palacio, A., and J. Black, "Building Secure
Cryptographic Transforms, or How to Encrypt and MAC",
IACR 2003/177, 2003.
[13] Kolsec, M., "Session Fixation Vulnerability in Web-based
Applications", 2002.
Barbato, et al. Expires March 9, 2007 [Page 12]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
Authors' Addresses
Stefano Barbato
KoanLogic
Via S. Maria Maggiore
117
Roma, RM 00185
Italy
Email: barbato@koanlogic.com
URI: http://www.koanlogic.com
Steven Dorigotti
KoanLogic
Via Valvassori Peroni
84
Milano, MI 20133
Italy
Email: dorigotti@koanlogic.com
URI: http://www.koanlogic.com
Thomas Fossati
KoanLogic
Via San Vitale
88
Bologna, BO 40125
Italy
Email: fossati@koanlogic.com
URI: http://www.koanlogic.com
Barbato, et al. Expires March 9, 2007 [Page 13]
�
Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006
Intellectual Property Statement
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in BCP 78 and BCP 79.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Disclaimer of Validity
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Copyright Statement
Copyright (C) The Internet Society (2006). This document is subject
to the rights, licenses and restrictions contained in BCP 78, and
except as set forth therein, the authors retain all their rights.
Acknowledgment
Funding for the RFC Editor function is currently provided by the
Internet Society.
Barbato, et al. Expires March 9, 2007 [Page 14]
�
