]> KoanLogic

Via Marmolada, 4 Vitorchiano (VT) 01030 Italy tat@koanlogic.com

KoanLogic

Via Maso della Pieve 25/C Bolzano 39100 Italy stewy@koanlogic.com

KoanLogic

Via di Sabbiuno 11/5 Bologna 40136 Italy +39 051 644 82 68 tho@koanlogic.com

General Internet Engineering Task Force HTTP Secure Cookies This document provides an overview of SCS, a small cryptographic protocol layered on top of the HTTP cookie facility, that allows its users to produce and consume authenticated and encrypted cookies, as opposed to usual cookies, which are un-authenticated and sent in clear text. An interesting property, rising naturally from the given confidentiality and authentication properties, is that by using SCS cookies, it is possible to avoid storing the session state material on the server side altogether. In fact, an SCS cookie presented by the user agent to the origin server can always be validated (i.e. possibly recognized as self-produced, untampered material) and, as such, be used to safely restore application state. Hence, typical use cases may include devices with little or no storage offering some functionality via an HTTP interface, as well as web applications with high availability or load balancing requirements which would prefer to handle application state without the need to synchronize the pool through shared storage or peering. Nevertheless, its security properties allow SCS to be used whenever the privacy and integrity of cookies is a concern, by paying an affordable price in terms of increased cookie size, additional CPU clock cycles needed by the symmetric key encryption and HMAC algorithms, and related key management, which can be made a nearly transparent task.

SCS is a small cryptographic protocol layered on top of the HTTP cookie facility , that allows its users to produce and consume authenticated and encrypted cookies, as opposed to usual cookies, which are un-authenticated and sent in clear text. By having a non-tamperable proof of authorship attached, each SCS cookie can always be validated by the originator, making it possible for a server to handle clients' session state without the need to store it locally. In fact, an SCS enabled server could completely delegate the application state storage to the client (e.g. a web browser) and use it, in all respects, as a remote storage device. The result of the cryptographic transformations applied to state data can be used to ensure that its information authenticity and confidentiality attributes are the same as if they were stored privately on server-side. The no-storage requirement, which is the key design constraint of SCS, makes it an ideal candidate in the following settings: devices with little or no storage -- typically embedded devices which provide functionality such as software updates, configuration, device monitoring, etc. via an HTTP interface; web applications with high availability or load balancing requirements, which may delegate handling of the application state to clients instead of using shared storage or forced peering, to enhance overall parallelism. It is worth noting that a peculiar difference between SCS, when used in strict no-storage mode, and usual "server-side" cookie sessions arises as soon as we carefully consider the roles of the playing entities. In the "server-side" model, the server acts a triple role as the "generator", the "owner", and the "verifier" of cookie credentials. Instead, a server implementing SCS in no-storage mode, acts the "generator" and "verifier" roles only -- the "owner" being inapplicable for obvious reasons. In all respects, the Server grants the custody of the generated cookie to the Client, whose trust model needs to be taken into consideration when designing applications that use SCS this way. The consequences of such discrepancy (e.g. deliberate deletion of a cookie, explicit privilege revocation, etc.) will be analyzed in . An SCS server can be implemented within a web application by means of a user library that exposes the core SCS functionality and leaves explicit control over SCS cookies to the programmer, or transparently, by hiding, for example, a "diskless session" facility behind a generic session API abstraction. SCS implementers are free to choose the model that best suites their needs.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in .

The SCS protocol defines: the SCS cookie structure and encoding (); the cryptographic transformations involved in SCS cookie creation and verification (); the HTTP-based PDU exchange (). the underlying key management model (). Note that the PDU is transmitted to the client as an opaque data block, hence no interpretation nor validation is necessary. The single requirement for client-side support of SCS is cookie activation on the user agent. The origin server is sole actor involved in the PDU manipulation process, which greatly simplifies the crypto operations -- especially key management, which is usually a pesky task. In the following sections we assume S to be one or more interchangeable HTTP server entities (e.g. a server pool in a load-balanced or high-availability environment) and C to be the client with a cookie-enabled browser, or any user agent with equivalent capabilities.

S and C exchange a cookie (), whose cookie-value consists of a sequence of adjacent non-empty values, each of which is the Base-64 encoding of a specific SCS field, separated by its left and/or right sibling by means of the %x7c ASCII character (i.e. '|'), as follows:

Confidentiality is limited to the application state information (i.e. the DATA field), while integrity and authentication apply to the entire cookie-value. The following subsections describe the syntax and semantics of each SCS cookie field.

Absolute timestamp relating to the last read or write operation performed on session DATA, encoded as a HEX string holding the number of seconds since UNIX epoch (i.e. since 00:00:00, Jan 1 1970.) This value is updated with each client contact and is used to identify expired sessions. If the delta between the received ATIME value and the current time on S, is larger than a predefined "session_max_age" (which is chosen by S as an application-level parameter), a session is considered to be no longer valid, and is therefore rejected. Such an expiration error may be used to force user logout from an SCS cookie based session, or hooked in the web application logics to the display of a HTML form asking re-validation of user credentials.

Block of encrypted and optionally compressed data, possibly containing the current session state. Note that no restriction is imposed on clear text structure: the protocol is completely agnostic as to inner data layout. Generally speaking, the plain text is the "normal" cookie that would have been exchanged by S and C if SCS wasn't used.

This identifier is equivalent to a SPI in a Data Security SA ) and consists of an ASCII string that uniquely identifies the transform set (keys and algorithms) used to generate this SCS cookie. SCS assumes that a key-agreement/distribution mechanism exists for environments in which S consists of multiple servers (a simple key-refresh in case |S|=1), which provides a unique external identifier for each transform set shared amongst pool members.

Initialization Vector used for the encryption algorithm (). In order to avoid providing correlation information to a possible attacker with access to a sample of SCS cookies created using the same TID, the IV MUST be created randomly for each SCS cookie.

Authentication tag based on the concatenation of DATA, ATIME, TID and IV fields encoded in Base-64, framed by the "|" separator:

Note that, from a cryptographic point of view, the "|" character provides explicit authentication of the length of each supplied field, which results in a robust countermeasure against splicing attacks.

SCS could potentially use any combination of primitives capable of performing authenticated encryption. In practice an encrypt-then-mac approach with CBC-mode encryption and HMAC authentication was chosen. The two algorithms MUST be associated with two independent keys. The following conventions will be used in the algorithm description ( and ): Enc/Dec(): block encryption/decryption functions (); HMAC(): authentication function (); Comp/Uncomp(): compression/decompression functions (); e/d(): cookie value encoding/decoding functions (); ||: concatenation operator, i.e. "|" char; RAND(): random number generator .

Implementors MUST support at least the following algorithms: AES-CBC-128 for encryption; HMAC-SHA1 with a 128 bit key for authenticity and integrity, which appear to be sufficiently secure in a wide range of use cases , are widely available, and can be implemented in a few kilobytes of memory, providing an extremely valuable feature in constrained devices. One should consider using larger cryptographic key lengths (192 or 256 bit) according to the actual security and overall system performance requirements.

Compression, which may be useful or even necessary when handling large quantities of data, is not compulsory (in such case Comp/Uncomp are replaced by an identity matrix). If this function is enabled, DEFLATE format MUST be supported. Some advice to SCS users: compression should not be enabled when handling relatively short and entropic state such as pseudo random session identifiers. Instead, large and quite regular state blobs could get a significant boost when compressed.

Base-64 is used for encoding/decoding of SCS cookie values. It is very wide-spread, and falls smoothly into the encoding rules defined in Section 4.1.1 of .

The output data transformation as seen by the server (the only actor which explicitly manipulates SCS cookies) is illustrated by the pseudo-code in .

A new Initialization Vector is randomly picked (step 1.). As previouslty mentioned () this step is necessary to avoid providing correlation information to an attacker. A new ATIME value is taken as the current timestamp according to the server clock (step 2.). Since the only user of the ATIME field is the server, it is unnecessary for it to be synchronized with the client -- though it needs to be a fairly stable clock. However, if multiple servers are active in a load-balancing configuration, clocks SHOULD be synchronized to avoid errors in the calculation of session expiry. The plain text cookie value is then compressed (if needed) and encrypted by using the keyset identified by TID (step 3.). If the length of (compressed) state is not a multiple of the block size, its value MUST be filled with as many padding bytes of equal value as the pad length -- as defined in the scheme of Section 6.3 of . Then the authentication tag, which encompasses each SCS field (along with lengths, and relative positions) is computed by HMAC'ing the "|"-separated concatenation of their base64 representations using the keyset identified by TID (step 4.). Finally the SCS cookie-value is created as follows: scs-cookie-value = e(DATA)||e(ATIME)||e(TID)||e(IV)||e(tag)

The inbound transformation is described in .

First of all, the inbound scs-cookie-value is broken into its component fields (step 0.), and TID is decoded to allow keyset lookup (step 1.). If the cryptographic credentials (encryption and authentication algorithms and keys identified by TID) are unavailable (step 12.), the inbound SCS cookie is discarded as its value has no chance to be interpreted correctly. This may happen for several reasons: e.g., if a device without storage has been reset and loses the credentials stored in RAM, if a server pool node desynchronizes, or in case of a key compromise that forces the invalidation of all current TID's, etc. When a valid keyset is found (step 2.), the AUTHTAG field is decoded (step 3.) and the (still) encoded DATA, ATIME, TID and IV fields are supplied to the primitive that computes the authentication tag (step 4.). If the tag computed using the local keyset matches the one carried by the supplied SCS cookie, we can be confident that the cookie carries authentic material; otherwise the SCS cookie is discarded (step 11.). Then the age of the SCS cookie (as deduced by ATIME field value and current time provided by the server clock) is decoded and compared to the maximum time-to-live defined by the session_max_age parameter. In case the "age" check is passed, the DATA and IV fields are finally decoded (step 8.), so that the original plain text data can be extracted from the encrypted and optionally compressed blob (step 9.). Note that steps 5. and 7. allow any altered packets or expired sessions to be discarded, hence avoiding unnecessary state decryption and decompression.

SCS can be modeled in the same manner as a typical store-and-forward protocol, in which the endpoints are S, consisting of one or more HTTP servers, and the client C, an intermediate node used to "temporarily" store the data to be successively forwarded to S. In brief, S and C exchange an immutable cookie data block (): the state is stored on the client at the first hop and then restored on the server at the second, as in .

C Set-Cookie: ANY_COOKIE_NAME=BO2zHC0tRg76axnguyuK5g==|MTI5... Expires=...; Path=...; Domain=...; 2. restore-state: C --> S Cookie: ANY_COOKIE_NAME=BO2zHC0tRg76axnguyuK5g==|MTI5... ]]>

In the following sub paragraphs a series of recommendations is provided in order to maximize SCS PDU fitness in the generic cookie ecosystem.

SCS cookies MUST include an Expires attribute which shall be set to a value consistent with session_max_age. For maximum compatibility with existing user agents the timestamp value MUST be encoded in rfc1123-date format which requires a 4-digit year.

Since not all UAs support this attribute, it MUST NOT be present in any SCS cookie.

SCS cookies MUST include a Domain attribute compatible with application usage. A trailing '.' MUST NOT be present in order to minimize the possibility of a user agent ignoring the attribute value.

This attribute MUST always be asserted when SCS sessions are carried over a TLS channel.

This specification provides some common recommendations and praxis relevant to cryptographic key management. In the following, the term 'key' references both encryption and HMAC keys. The key SHOULD be generated securely following the randomness recommendations in ; the key SHOULD only be used to generate and verify SCS PDUs; the key SHOULD be replaced regularly as well as any time the format of SCS PDUs or cryptographic algorithms changes. Furthermore, to preserve the validity of active HTTP sessions upon renewal of cryptographic credentials (whenever the value of TID changes), an SCS server MUST be capable of managing at least two transforms contemporarily: the currently instantiated one, and its predecessor. Each transform set SHOULD be associated with an attribute pair: "refresh" and "expiry", which is used to identify the exposure limits (in terms of time or quantity of encrypted and/or authenticated bytes, etc) of related cryptographic material. In particular, the "refresh" attribute specifies the time limit for substitution of transform set T with new material T'. From that moment onwards, and for an amount of time determined by "expiry", all new sessions will be created using T', while the active T-protected ones go through a translation phase in which: the inbound transformation authenticates and decrypts/decompresses using T (identified by TID); the outbound transformation encrypts/compresses and authenticates using T'.

As shown in , the duration of the HTTP session MUST fit within the lifetime of a given transform set (i.e. from creation time until "refresh" + "expiry"). In practice, this should not be an obstacle because the longevity of the two entities (HTTP session and SCS transform set) should differ by one or two orders of magnitude. An SCS server may take this into account by determining the duration of a session adaptively according to the expected deletion time of the active T, or by setting the "expiry" value to at least the maximum lifetime allowed by an HTTP session. Since there is only one refresh attribute also in situations with more than one key (e.g. one for encryption and one for authentication) within the same T, the smallest value is chosen.

In general, SCS cookies are bigger than their plain text counterparts. This is due to a couple of different factors: inflation of the Base-64 encoding of the state data (approx. 1.4 times the original size, including the encryption padding), and the fixed size increment (approx. 80/90 bytes) due to SCS fields and framing overhead. While the former is a price the user must always pay proportionally to the original data size, the latter is a fixed quantum, which can be huge on small amounts of data, but is quickly absorbed as soon as data becomes big enough. The following table compares byte lengths of SCS cookies (with a four bytes' TID) and corresponding plain text cookies in a worst case scenario, i.e. when no compression is in use (or applicable).

The largest uncompressed cookie value that can be safely supplied to SCS is about 2.8KB.

We would like to thank David Wagner and Lorenzo Cavallaro for their valuable feedback on this document.

This memo includes no request to IANA.

From a cryptographic architecture perspective, the described mechanism can be easily traced to an Encode-then-EtM scheme described in . Given a "provably-secure" encryption scheme and MAC (as for the algorithms mandated in ), Kohno et al. demonstrate that their composition results in a secure authenticated encryption scheme.

The fact that the server does not own the cookie it produces, gives rise to a series of consequences that must be clearly understood when one envisages the use of SCS as a cookie provider and validator for his/her application. In the following paragraphs, a set of different attack scenarios (together with corresponding countermeasures where applicable) are identified and analyzed.

SCS doesn't address replay of old cookie values. In fact, there is nothing that guarantees an SCS application about the client having returned the most recent version of the cookie. As with "server-side" sessions, if an attacker gains possession of a given user's cookies - via simple passive interception or another technique - he/she will always be able to restore the state of an intercepted session by representing the captured data to the server. The ATIME value along with the session_max_age configuration parameter allow SCS to mitigate the chances of an attack (by forcing a time window outside of which a given cookie is no longer valid), but cannot exclude it completely. A countermeasure against the "passive interception and replay" scenario can be applied at transport/network level using the anti-replay services provided by e.g., SSL/TLS or IPsec. Anyway, a generic solution is still out of scope: an SCS application wishing to be replay-resistant must put in place some ad hoc mechanism to prevent clients (both rogue and legitimate) from (a) being able to replay old cookies as valid credentials and/or (b) getting any advantage by replaying them. In the following, some typical use cases are illustrated: Session inactivity timeout scenario (implicit invalidation): use the session_max_age parameter if a global setting is viable, else place an explicit TTL in the cookie (e.g. validity_period="start_time, duration") that can be verified by the application each time the Client presents the SCS cookie. Session voidance scenario (explicit invalidation): put a randomly chosen string into each SCS cookie (cid="$(random())") and keep a list of valid session cid's against which the SCS cookie presented by the client can be checked. When a cookie needs to be invalidated, delete the corresponding cid from the list. The described method has the drawback that, in case a non-permanent storage is used to archive valid cid's, a reboot/restart would invalidate all sessions (It can't be used when |S| > 1). One-shot transaction scenario (ephemeral): this is a variation on the previous theme when sessions are consumed within a single request/response. Put a nonce="$(random())" within the state information and keep a list of not-yet-consumed nonces in RAM. Once the client presents its cookie credential, the embodied nonce is deleted from the list and will be therefore discarded whenever replayed. It may be noteworthy that despite the chances of preventing replay in some well established circumstances by using aforementioned mechanisms, if the attacker is able to use the cookie before the legitimate client gets a chance to, then the impersonation attack will always succeed.

A direct, and important, consequence of the missing owner role in SCS is that a client could intentionally delete its cookie and return nothing. The application protocol has to be designed so there is no incentive to do so, for instance: it is safe for the cookie to represent some kind of positive capability - the possession of which increases the client's powers; It is not safe to use the cookie to represent negative capabilities - where possession reduces the client's powers-, or for revocation. Note that this behavior is not equivalent to cookie removal in the "server-side" cookie model, because in case of missing cookie backup by other parties (e.g. the application using SCS), the Client could simply make it disappear once and for all.

Just like with plain cookies, SCS doesn't prevent sharing (both voluntary and illegitimate) of cookies between multiple clients. In the context of voluntary cookie sharing, using HTTPS is useless: Client certificates are just as shareable as cookies, hence equivalently to the "server-side" cookie model, there seems to be no way to prevent this threat. The theft could be mitigated by securing the wire (e.g. via HTTPS, IPsec, VPN, ...), thus reducing the opportunity of cookie stealing to a successful attack on the protocol endpoints.

Session fixation vulnerabilities are not addressed by SCS. A more sophisticated protocol involving an active participation by the UA in the SCS cookie manipulation would be needed: e.g. some form of challange-response exchange initiated by the Server on the HTTP response and replied by the UA on the next chained HTTP request. Unfortunately the present specification which bases on sees the UA as a completely passive character, whose role is to blindly paste the cookie value set by the Server. Nevertheless, the SCS cookies wrapping mechanism may be used in the future as a building block for a more robust HTTP state management protocol.

Note that all the abovementioned vulnerabilities also apply to plain cookies, making SCS at least as secure, but there are a few good reasons to consider its security level enhanced. First of all, the confidentiality and authentication features provided by SCS protects the cookie-value which is normally plain text and tamperable. Furthermore, none of the common vulnerabilities of server-side sessions (SID prediction, SID brute forcing) can be exploited when using SCS, unless the attacker possesses encryption and HMAC keys (both current ones and those relating to the previous set of credentials). More generally no slicing nor altering operations can be done over an SCS PDU without controlling the cryptographic keyset.

&RFC2119; &RFC4648; &RFC1951; &RFC4086; &RFC2104; &RFC5652; &RFC6265; &RFC5246; &RFC3740; &RFC4301;

The examples in this section have been created using the 'scs' test tool bundled with LibSCS, a free and opensource reference implementation of the SCS protocol that can be found at .

The following parameters: Test CREF inline comment Plain text cookie: "a state string" AES-CBC-128 key: "cipher key" HMAC-SHA1 key: "hmac key" TID: "tid" ATIME: 1323898800 IV: \xd1\x02\xfc\xca\xbf\x05\x03\xb1\xf4\x4f\x1f\xfd\x6d\x12\x5c\x66 produce the following tokens: DATA: GJRz3N0cuPKTumCqjtVjgw== ATIME: MTMyMzg5ODgwMA== TID: dGlk IV: 0QL8yr8FA7H0Tx/9bRJcZg== AUTHTAG: ktKOYXnTjrCzXgxGH//dWXUZAJ8=

The same parameters as above, except ATIME and IV: Plain text cookie: "a state string" AES-CBC-128 key: "cipher key" HMAC-SHA1 key: "hmac key" TID: "tid" ATIME: 1323899388 IV:\x72\x6f\x00\x2e\x4c\xf3\x6d\xfd\xf1\x1f\x92\xcf\x12\x8e\xe7\x8b produce the following tokens: DATA: XaLWZDoFmv9vYF8wYYYxeXtCkUYAwbzpCfBWBzAy3Y8= ATIME: MTMyMzg5OTM4OA== TID: dGlk IV: cm8ALkzzbf3xH5LPEo7niw== AUTHTAG: K/rig5ZxGz/aGPQkyAb8JRMcTUY= In both cases, the resulting SCS cookie is obtained via ordered concatenation of the produced tokens, as described in .