A Secure Cookie Protocol

1
A Secure Cookie Protocol
Alex X. LiuDepartment of Computer SciencesThe
University of Texas at AustinCo-authors Jason
M. Kovacs (UT), Chin-Tser Huang (Univ. of South
Carolina), Mohamed G. Gouda (UT)
2
HTTP is stateless

• Request/
• response

3
Web Application is Stateful

• Shopping
• cart

4

• Web
• Authentication

5
Cookie

• Cookie data that records state of clients
• Cookies need to be secure

Browser
Server
first request(user/password)
verify user/password
response(cookie)
subsequent request(cookie)
verify cookie if necessary, create a new cookie
Response(new cookie)

6
Security Requirements of Cookies

• Authentication
• Login phase verify client by password
• Subsequent-requests phase verify client by
  cookie
• Confidentiality
• Observation only server need to read cookie
  content!
• Low-level only server and client can read cookie
  content
• High-level only server can read cookie content
• Integrity
• Detect modified cookies
• Anti-replay
• Detect stolen cookies

7
Efficiency Requirements

• No database lookup in verifying a cookie

8
State of the art

• Fus cookie schemeFu et al. 2001
• Three security problems
• Lack of confidentiality
• Replay attacks
• Volume attacks

user nameexpiration
timedata HMAC( user nameexpiration timedata,
server key )
9
Confidentiality
user nameexpiration
timedata HMAC( user nameexpiration timedata,
server key )

• Lack of high-level confidentiality.
• Use server key?
• Xu et al. 2002 store 1 key/user in database
• Database lookup is inefficient
• Park Sandhu 2000 store unique key in cookie
• Problem public key cryptography is inefficient
• Our solution use
• HMAC( user nameexpiration time, server key
  )
• as the encryption key

10
Replay attacks
user nameexpiration
time(data)k HMAC( user nameexpiration
timedata, server key ) k HMAC( user
nameexpiration time, server key )

• To launch replay attacks
• Steal someones cookie (using Trojans, worms,
  etc)
• Replay the cookie
• Our Solution make cookie session dependent

user nameexpiration
time(data)k HMAC( user nameexpiration
timedatasession key, server key ) k HMAC(
user nameexpiration time, server key )
11
Volume attacks
user nameexpiration
time(data)k HMAC( user nameexpiration
timedatasession key, server key ) k HMAC(
user nameexpiration time, server key )

• Same server key for all cookies not safe
• Fu 2001 suggests to change server keys
  periodically
• For some cookies, we have to verify twice
• Our Solution replace server key by encryption key

user nameexpiration
time(data)k HMAC( user nameexpiration
timedatasession key, k ) k HMAC( user
nameexpiration time, server key )
12
Implementation

• Keyed-hash msg auth code HMAC-SHA1
• Encryption Rijndael-256 algorithm
• Server key 160 bits
• HMAC-SHA1 output 320 bits
• Implemented 5 protocols
• Insecure cookie protocol
• Fus cookie protocol with low-level
  confidentiality
• Our cookie protocol with low-level
  confidentiality
• Fus cookie protocol with high-level
  confidentiality
• Our cookie protocol with high-level
  confidentiality
• Fus cookie protocol with high-level
  confidentiality use the server key to encrypt
  data

13
Setup

• Server medium-load server, 2.4 GHz Celeron,
  512MB RAM, Windows server 2003 standard edition,
  IIS 6.0, PHP 4.3.10, MySQL 2.23
• Client 2.8 GHz Pentium 4, 512 MB RAM, Red Hat
  3.0
• Link dedicated gigabit link, RRT0.9ms
• Server creates a new cookie for each request
• End-to-end latency
• (1) time for transferring request with cookie to
  server
• (2) time for verifying the cookie
• (3) time for creating a new cookie
• (4) time for transferring response with new
  cookie to client

14
Results impacts on client
15
Results impacts on server
16
Contributions

• Discover 3 problems in state-of-art cookie
  protocol
• Propose a cookie protocol that solves those
  problems
• Conduct performance evaluation and comparison
• Conclusion
• Security better
• Performance close