Network Working Group S. Barbato Internet-Draft S. Dorigotti Expires: March 9, 2007 T. Fossati KoanLogic September 5, 2006 SCS: Secure Cookie Sessions for HTTP draft-barbato-scs-00 Status of this Memo By submitting this Internet-Draft, each author represents that any applicable patent or other IPR claims of which he or she is aware have been or will be disclosed, and any of which he or she becomes aware will be disclosed, in accordance with Section 6 of BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on March 9, 2007. Copyright Notice Copyright (C) The Internet Society (2006). Abstract This document provides an overview of SCS, a cryptographic protocol aimed at the protection of "client-side" HTTP sessions, i.e. sessions in which the application state is held entirely on the client in the form of cookies [10]. Barbato, et al. Expires March 9, 2007 [Page 1] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1]. Barbato, et al. Expires March 9, 2007 [Page 2] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 2. Introduction SCS is a cryptographic protocol aimed at protecting "client-side" HTTP sessions, i.e. sessions in which the application state (for example, whether or not authentication credentials have been provided) is held by the client in the form of cookies [10]. SCS allows HTTP servers to handle application-level sessions in a completely stateless manner. The server delegates the application state storage to the client (browser) - which basically acts as a remote storage device. The cryptographic transformations are applied to the state data so that confidentiality and information authenticity attributes exchanged between parties have the same characteristics as for typical "server- side" sessions. The following are a few scenarios in which SCS can be used: 1. devices with little or no storage - typically embedded devices - which provide functionality such as software updates, configuration, device monitoring, etc. via an HTTP interface; 2. web applications with HA or load balancing requirements, which may delegate handling of the application state to clients instead of using shared storage or forced peering. Barbato, et al. Expires March 9, 2007 [Page 3] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 3. Protocol The SCS protocol defines: o a PDU, as a well-defined aggregate of cookies (Section 3.1); o cryptographic transformations which manipulate the PDU fields (Section 3.2); o the HTTP-based PDU exchange model (Section 3.3) Note that the PDU is transmitted to the client as an opaque data block and no interpretation or validation is necessary. The single requirement for client-side support of SCS is cookie activation on the browser, so only the server is involved in the PDU manipulation process. In the following sections we define S to be one or more interchangeable HTTP server entities (e.g. a server pool in a load- balanced or HA environment) and C to be the client with a cookie- enabled browser. 3.1. PDU Description S and C exchange the same PDU (Section 3.3), which consists of a set of cookies transformed into a single block by cryptographic functions. Confidentiality is limited to the application state information (i.e. SCS_DATA cookie), while integrity and authentication apply to the entire PDU. Cookie (name/value) length cannot exceed 4KB [10]. In practice, this is only an application state data limit, although one can use as many SCS_DATA cookies as required, where SCS_DATA{N} is the cookie containing the n'th payload section of the session data (already compressed and/or encrypted as required). 3.1.1. SCS_ATIME Timestamp relating to the last read or write operation performed on session data. This value is updated with each client contact operation and is used to identify expired sessions. A session is considered to be expired, and hence no longer valid, if the memorised SCS_ATIME timestamp is older than the predefined time value "session_max_age", which is chosen by S as an application-level parameter. Barbato, et al. Expires March 9, 2007 [Page 4] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 3.1.2. SCS_DATA Block of encrypted and optionally compressed data, containing session state, which may be stored as name=value pairs or with any other semantics intelligible by the server. If the total size of SCS_DATA exceeds 4KB, it is separated into N SCS_DATA{N} cookies, each 4KB in size and so that the concatenation of their values in the order of cookie name (1, 2, ..., N) yields the original SCS_DATA. The specification [10] suggests that browsers accept at least twenty cookies per server. It follows that the maximum size for the state data block (possibly compressed) is 64KB (16 * 4KB). 3.1.3. SCS_TID Unique identifier of the transform set (encryption and/or authentication keys and possible encryption, authentication and compression algorithms applied, etc.) used to generate this PDU. SCS assumes that a key-agreement/distribution mechanism exists for environments in which S consists of multiple servers (it may consist of a simple key-refresh in the case |S|=1), which provides a unique external identifier for each transform set defined and shared amongst pool members. This identifier (equivalent to a SPI in a Data Security SA [6]) is represented in the cookie value. 3.1.4. SCS_IV Initialisation Vector used for the encryption algorithm (Section 3.2). In order to avoid providing correlation information to a possible attacker with access to a sample of SCS PDUs, the IV MUST be created randomly for each PDU. 3.1.5. SCS_AUTHTAG Authentication tag based on the concatenation of SCS_ATIME, SCS_DATA, SCS_TID and SCS_IV. 3.2. Crypto Transform SCS could potentially use any combination primitives capable of performing authenticated encryption. In practice an encrypt-then-mac approach [12] with CBC-mode encryption and HMAC [8] autentication was chosen. The two algorithms MUST be associated with two independent keys. The possibility of using UMAC for authentication [9] was taken into consideration, but priority was given to space over performance: the nonce field transfer would require an extra cookie, therefore reducing the space reserved to state information by another 4KB. Barbato, et al. Expires March 9, 2007 [Page 5] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 The following conventions will be used in the algorithm description (Section 3.2.5 and Section 3.2.4) o Enc/Dec(): encryption/decryption functions (Section 3.2.1); o HMAC(): authentication function (Section 3.2.1); o Comp/Uncomp(): compression/decompression functions (Section 3.2.2); o e/d(): cookie value encoding/decoding functions (Section 3.2.3); o '||': concatenation operator; o RAND(): random number generator [5] 3.2.1. Cipher Suite Implementors MUST support at least the following algorithms: o AES-CBC-128 for encryption; o HMAC-SHA1 with a 128 bit key for authenticity and integrity, which appear to be sufficiently secure in a wide range of use cases [11] and are widely available. One should consider using larger cryptographic key lengths (192 or 256 bit) according to the actual security and overall system performance requirements. 3.2.2. Compression Compression, which may be useful or even necessary when handling large quantities of data, is not compulsory (in such case Comp/Uncomp are replaced by an identity matrix). DEFLATE [4] format support is recommended if this function is enabled. 3.2.3. Cookie Encoding base-64 [3] is used for encoding/decoding of cookie values. It is quite efficient in terms of space occupation and is very wide-spread. Barbato, et al. Expires March 9, 2007 [Page 6] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 3.2.4. Outbound Transform The output data transformation as seen by the server (the only actor which manipulates PDUs) is illustrated by the following pseudo-code: 1. iv = RAND() 2. atime = NOW 3. data = Enc(Comp(state)) 4. tag = HMAC(data||atime||tid||iv) NOW is defined as the current timestamp of the server clock. Since the only user of the atime field is the server, it is unnecessary for it to be synchronised with the client. However, if multiple servers are active in a load-balancing configuration, clocks SHOULD be synchronised to avoid errors in the calculation of session expiry. Hence the SCS PDU fields are created as follows: SCS_ATIME = e(atime) SCS_AUTHTAG = e(tag) SCS_DATA = e(data) SCS_TID = e(tid) SCS_IV = e(iv) 3.2.5. Inbound Transform The inbound transformation is described by the following: 1. If (tid is available) 2. data' = d($SCS_DATA) atime' = d($SCS_ATIME) tid' = d($SCS_TID) iv' = d($SCS_IV) tag' = d($SCS_AUTHTAG) 3. tag = HMAC(data'||atime'||tid'||iv') 4. If (tag == tag' && NOW - atime' <= session_max_age) 5. state = Uncomp(Dec(data')) 6. Else discard PDU 7. Else discard PDU If the cryptographic credentials (encryption and authentication keys identified by SCS_TID) are unavailable (step 7.), the inbound PDU cannot be interpreted correctly. This may happen for several reasons: for example, if a device without storage is resetted and loses the credentials stored in RAM, or if a server pool node desynchronises, etc. Note that step 4. allows any altered packets or expired sessions to Barbato, et al. Expires March 9, 2007 [Page 7] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 be discarded, hence avoiding unnecessary state decryption and decompression. 3.3. PDU Exchange SCS can be modelled in the same manner as a typical store-and-forward protocol, in which the endpoints are S, consisting of one or more HTTP servers and the client C, a median node used to "temporarily" store the data to be successively forwarded to S. In brief, S and C exchange an immutable cookie data block (Section 3.1): the state is stored on the client at the first hop and then restored on the server at the second, as follows: 1. dump-state: Set-Cookie: SCS_DATA=...; expires=...; path=...; domani=...; S --> --> C Set-Cookie: SCS_TID=...; expires=...; path=...; domain=...; ... 2. restore-state: Cookie: SCS_DATA=...; C --> Cookie: SCS_TID=...; --> S ... Barbato, et al. Expires March 9, 2007 [Page 8] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 4. Key Management and Session State This specification provides some common recommendations and praxis relevant to cryptographic key management: o the key SHOULD be generated securely following the randomness recommendations in [5]; o the key length SHOULD be at least 128 bits; o the key SHOULD only be used to generate and verify SCS PDUs; o the key SHOULD be replaced regularly as well as any time the format of SCS PDUs or cryptographic algorithms changes; Furthermore, to preserve the validity of active HTTP sessions upon renewal of cryptographic credentials (whenever the value of SCS_TID changes), a SCS server MUST be capabale of managing at least two transforms contemporarily: the currently instantiated one, and the predecessor. Each transform set is associated with an attribute pair: "refresh" and "expiry", which is used to identify the exposure limits (in terms of time or quantity of encrypted and/or authenticated bytes, etc) of related cryptographic material. In particular, the "refresh" attribute specifies the time limit for substitution of transform set T with new material T'. From that moment onwards, and for an amount of time determined by "expiry", all new sessions will be created using T', while the active T-protected ones go through a translation phase in which: o the inbound transformation authenticates and decrypts/decompresses using T (identified by SCS_TID); o the outbound transformation encrypts/compresses and authenticates using T' T' {not valid yet} |---------------------|---------------- | translation stage | T ----------------|---------------------| {no longer valid} refresh refresh + expiry Note that the duration of the HTTP session MUST fit within the lifetime of a given transform set (i.e. from creation time until "refresh" + "expiry"). In practice, this should not be an obstacle because the longevity of the two entities (HTTP session and SCS Barbato, et al. Expires March 9, 2007 [Page 9] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 transform set) should differ by one or two orders of magnitude. An SCS server may take this into account by determining the duration of a session adaptively according to the expected deletion time of the active T, or by setting the "expiry" value to at least the maximum lifetime allowed by an HTTP session. Since there is only one refresh attribute also in situations with more than one key (e.g. one for encryption and one for authentication) within the same T, the smallest value is chosen. Barbato, et al. Expires March 9, 2007 [Page 10] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 5. Security Considerations From a cryptographic architecture perspective, the described mechanism can be easily traced to an Encode-then-EtM scheme described in [12]. Given a "provably-secure" encryption scheme and MAC (as for the algorithms recommended in Section 3.2.1), [12] demonstrates that their composition results in a secure authenticated encryption scheme. 5.1. Server Side vs SCS None of the common vulnerabilities of server-side sessions (SID prediction, SID brute forcing, session fixation [13]) can be exploited when using SCS, unless the attacker posesses encryption and HMAC keys (both current ones and those relating to the previous set of credentials). However, there may still be some risk related to traffic interception and reuse aimed at gaining the privileges of the intercepted user (Replay Attack). In fact, as with server-side sessions, if an attacker gains posession of a given user's cookies - via simple passive interception or another technique - he/she will always be able to restore the state of an intercepted session by representing the captured data to the server. The SCS_ATIME cookie along with the session_max_age configuration parameter can be used to mitigate the chances of an attack (by forcing a time window outside of which a given cookie is no longer valid), but cannot exclude it completely. The only real countermeasures in this case can be taken at application level (for example, by inserting a nonce within the state information) or at transport/network level using SSL/TLS [2] or IPSEC [7]. Barbato, et al. Expires March 9, 2007 [Page 11] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 6. References 6.1. Normative References [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [2] Blake-Wilson, S., Nystrom, M., Hopwood, D., Mikkelsen, J., and T. Wright, "Transport Layer Security (TLS) Extensions", RFC 3546, June 2003. [3] Josefsson, S., "The Base16, Base32, and Base64 Data Encodings", RFC 3548, July 2003. [4] Deutsch, L., "DEFLATE Compressed Data Format Specification version 1.3", RFC 1951, May 1996. [5] Eastlake, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", RFC 4086, June 2005. [6] Hardjono, T. and B. Weis, "The Multicast Group Security Architecture", RFC 3740, March 2004. [7] Kent, S. and K. Seo, "Security Architecture for the Internet Protocol", RFC 4301, December 2005. [8] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-Hashing for Message Authentication", RFC 2104, February 1997. [9] Krovetz, T., "UMAC: Message Authentication Code using Universal Hashing", RFC 4418, March 2006. [10] Kristol, D. and L. Montulli, "HTTP State Management Mechanism", RFC 2965, October 2000. 6.2. Informative References [11] Bellare, M., "New Proofs for NMAC and HMAC: Security Without Collision-Resistance", IACR 2006/043, 2006. [12] Kohno, T., Palacio, A., and J. Black, "Building Secure Cryptographic Transforms, or How to Encrypt and MAC", IACR 2003/177, 2003. [13] Kolsec, M., "Session Fixation Vulnerability in Web-based Applications", 2002. Barbato, et al. Expires March 9, 2007 [Page 12] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 Authors' Addresses Stefano Barbato KoanLogic Via S. Maria Maggiore 117 Roma, RM 00185 Italy Email: barbato@koanlogic.com URI: http://www.koanlogic.com Steven Dorigotti KoanLogic Via Valvassori Peroni 84 Milano, MI 20133 Italy Email: dorigotti@koanlogic.com URI: http://www.koanlogic.com Thomas Fossati KoanLogic Via San Vitale 88 Bologna, BO 40125 Italy Email: fossati@koanlogic.com URI: http://www.koanlogic.com Barbato, et al. Expires March 9, 2007 [Page 13] Internet-Draft SCS: Secure Cookie Sessions for HTTP September 2006 Intellectual Property Statement The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79. Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr. The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org. Disclaimer of Validity This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Copyright Statement Copyright (C) The Internet Society (2006). This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights. Acknowledgment Funding for the RFC Editor function is currently provided by the Internet Society. Barbato, et al. Expires March 9, 2007 [Page 14]