[websec] Smart Cookies
Trevor Perrin <trevp@trevp.net> Mon, 22 July 2013 08:02 UTC
Return-Path: <trevp@trevp.net>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B347711E80E0 for <websec@ietfa.amsl.com>; Mon, 22 Jul 2013 01:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ChcPB0MgKFaV for <websec@ietfa.amsl.com>; Mon, 22 Jul 2013 01:02:28 -0700 (PDT)
Received: from mail-wi0-f177.google.com (mail-wi0-f177.google.com [209.85.212.177]) by ietfa.amsl.com (Postfix) with ESMTP id 0913121F826B for <websec@ietf.org>; Mon, 22 Jul 2013 01:02:22 -0700 (PDT)
Received: by mail-wi0-f177.google.com with SMTP id ey16so1552496wid.16 for <websec@ietf.org>; Mon, 22 Jul 2013 01:02:21 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=Apk3OWduTqhkS2nZw5dnNKFBta7C4pEYHXo0nTyBiJc=; b=XyMXn/qHeRQq+z4Sr5xBmqAh1dmgSC+evaukZQ90BTD+QY+8N3UYTpmr3FTJ7Hdv5E 3mxb77Cn5/IJj4NHPQ8r9jZz+BlTngvukRhPn+wS/MNRA3M5o+RDU+l6qAeREM3wJSaR 9IJtsGM8T/O4xwXj29Ej6hMoY92ZU3E8DC9DJVSUDMwUT7QXwocXnUAH58xFNDyZ9b0s KFbUwPWVe6t/eYMpG5GwHmGpTWLhGGiqA+Vz7YwqrhwBne0IEDfD7YhP/LHgwOhispAL 6+nHeA9StylFi37HiUcu0v+YeKnk7OaKFdfFaOfX5Q9XoghoBjrLRevFThQP99LZ0uhk u1TA==
MIME-Version: 1.0
X-Received: by 10.194.83.195 with SMTP id s3mr18973473wjy.82.1374480141382; Mon, 22 Jul 2013 01:02:21 -0700 (PDT)
Received: by 10.216.212.9 with HTTP; Mon, 22 Jul 2013 01:02:21 -0700 (PDT)
X-Originating-IP: [12.178.131.2]
Date: Mon, 22 Jul 2013 01:02:21 -0700
Message-ID: <CAGZ8ZG1-dQescF-dpS+dYVd8yNA9VySBZ+HZO=8iuG68taqkDg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: IETF WebSec WG <websec@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQk45lHl/c9/Ate8MYay5Ubqm/iqeUA/rH978QqILD2dv71987hXJl6CUMklTwFthJQJzO6r
Subject: [websec] Smart Cookies
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jul 2013 08:02:37 -0000
Hi, Here's an attempt to combine the benefits of a couple cookie proposals. I'm curious what people think... "Smart cookies" ============= Rationale ---------- The "Origin Cookie" proposal seems a good solution to cookie scoping. The "ChannelID" proposal seems a good approach to the "bearer token" problem, but requires on-the-wire TLS changes and a client signature for all TLS connections. Smart cookies combine the benefits of both proposals, and don't require TLS changes or client signatures. Smart cookies are bound to the Origin, and cannot be read or written from other Origins. Smart cookies are also cryptographically bound to two TLS connections: 1) The TLS connection on which the server set the cookie 2) The TLS connection on which the client is returning the cookie This binding is done by a cryptographic "MAC" sent from browser to server along with each smart cookie. The "smart" attribute ---------------------- Smart cookies are set the same way as normal cookies, but have an additional "smart" attribute: Set-Cookie: session=123; secure; smart; Smart cookies SHALL only be set from HTTPS connections. The "domain" attribute MUST be omitted, and the "secure" attribute MUST be present. Smart cookies are backwards-compatible. Older browsers ignore the "smart" attribute, and return it as a regular cookie. A smart cookie aware browser does two extra things: (1) The smart cookie is bound to the Origin that set it. The smart cookie is only returned to that Origin. The smart cookie can only be overwritten by that Origin. If a smart cookie is being returned, any cookies with the same name stored in parent domains are ignored. (2) When returning a smart cookie, the browser returns an associated MAC, e.g. Cookie: session=123 Smart-Cookie-MAC: session=lMVoh17EQNE1Rd6nT+hh6A== MAC calculation ---------------- The MAC is calculated as follows: - cookie_str: HTTP Request line for cookie ("Cookie: session=123") - cookie_key: 32 byte secret key derived from the TLS master secret for the connection on which the server sent the cookie. - cookie_binding: 32 byte value derived from the TLS master secret for the connection on which the client is returning the cookie. (The key and binding values are derived using RFC 5705 with labels "smart_cookie_key" and "smart_cookie_binding".) MAC = HMAC-SHA256(cookie_key, cookie_binding || cookie_str)[0:16] Key handling ------------- The browser can easily calculate the key and binding values for every TLS connection. For every smart cookie the browser receives in a TLS connection, the browser stores the connection's cookie_key with the cookie. For every smart cookie returned to the server in a TLS connection, the browser uses the cookie's key along with the connection's binding value to calculate the MAC. The cookie_key values are secrets which the browser MUST never send over the network, or make accessible to javascript. Advertising support -------------------- Browsers MUST advertise support for smart cookies in every HTTP Request with "Smart-Cookies: true". This lets the website allow legacy clients to use old cookies, while requiring smart cookies for capable clients so they are protected from cookie forcing. Misc ----- * A website can have stateless smart cookies by including the cookie_key in the cookie, and encrypting the cookie to itself. On receiving such a cookie, the website will decrypt it, then check its MAC. * A website could ignore the MAC values, and just use smart cookies for their origin-binding properties. * An attacker who somehow observes a transmitted smart cookie and MAC can't replay it on a different TLS connection (as it's tied to its connection's binding value), and can't calculate the MAC for a different connection without the cookie_key. Trevor
- [websec] Smart Cookies Trevor Perrin
- Re: [websec] Smart Cookies Tobias Gondrom
- Re: [websec] Smart Cookies Trevor Perrin
- Re: [websec] Smart Cookies Joseph Bonneau
- Re: [websec] Smart Cookies Trevor Perrin
- Re: [websec] Smart Cookies Joseph Bonneau
- Re: [websec] Smart Cookies Trevor Perrin
- Re: [websec] Smart Cookies Tobias Gondrom
- Re: [websec] Smart Cookies Trevor Perrin
- Re: [websec] Smart Cookies Phillip Hallam-Baker