[http-state] SCS and new cookie-value encoding

tho <tho@koanlogic.com> Fri, 25 February 2011 08:07 UTC

Return-Path: <tho@koanlogic.com>
X-Original-To: http-state@core3.amsl.com
Delivered-To: http-state@core3.amsl.com
Received: from localhost (localhost []) by core3.amsl.com (Postfix) with ESMTP id 2FEFA3A6936 for <http-state@core3.amsl.com>; Fri, 25 Feb 2011 00:07:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.501
X-Spam-Level: ***
X-Spam-Status: No, score=3.501 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553, IP_NOT_FRIENDLY=0.334, J_CHICKENPOX_43=0.6, MIME_QP_LONG_LINE=1.396, RDNS_NONE=0.1, SARE_RECV_IP_069060096=1.666]
Received: from mail.ietf.org ([]) by localhost (core3.amsl.com []) (amavisd-new, port 10024) with ESMTP id 9UciwOPiAxNU for <http-state@core3.amsl.com>; Fri, 25 Feb 2011 00:07:37 -0800 (PST)
Received: from gonzo.koanlogic.com (unknown []) by core3.amsl.com (Postfix) with ESMTP id 130213A681C for <http-state@ietf.org>; Fri, 25 Feb 2011 00:07:36 -0800 (PST)
Received: from [] (port=61926 helo=[]) by sp2844.serverpronto.com with esmtpsa (TLS-1.0:RSA_AES_128_CBC_SHA:16) (Exim 4.50) id 1PssiY-0003Ks-Oj; Fri, 25 Feb 2011 03:08:20 -0500
From: tho <tho@koanlogic.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Fri, 25 Feb 2011 09:07:11 +0100
Message-Id: <54DFC6B8-7DE9-4976-9AAA-6A36634CA6A1@koanlogic.com>
To: http-state@ietf.org
Mime-Version: 1.0 (Apple Message framework v1082)
X-Mailer: Apple Mail (2.1082)
X-SA-Exim-Mail-From: tho@koanlogic.com
X-Spam-DCC: :
X-Spam-Pyzor: Reported 0 times.
X-SA-Exim-Version: 4.2 (built Thu, 03 Mar 2005 10:44:12 +0100)
X-SA-Exim-Scanned: Yes (on sp2844.serverpronto.com)
Cc: Todd A Ouska <todd@yassl.com>, Lorenzo Cavallaro <lorenzo.cavallaro@gmail.com>, Steven Dorigotti <stewy@koanlogic.com>, tat@koanlogic.com, David Wagner <daw@cs.berkeley.edu>
Subject: [http-state] SCS and new cookie-value encoding
X-BeenThere: http-state@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Discuss HTTP State Management Mechanism <http-state.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/http-state>
List-Post: <mailto:http-state@ietf.org>
List-Help: <mailto:http-state-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/http-state>, <mailto:http-state-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Feb 2011 08:07:38 -0000

Hello all,

I greatly appreciate the newly proposed cookie-value encoding, as it can make a slimmer SCS.

We can now pack up the five fields together in one only cookie by using a non-base64 char (e.g. '|') as field separator, like this:


which is a much better solution in terms of:
- protocol and browser friendliness;
- API simplification;
- free choice of cookie naming;
at nearly no cost, except a small reduction of space for state data (still about 3.5KB.)

In the meantime we have had some really valuable feedback from David Wagner for fixing the HMAC computation which was buggy in the published version of the draft.

This is to say that the -00 will soon be made obsolete by a new version which will include such changes and more precise algorithm description based on the implementation experience we've gained so far.

In the meanwhile I'm asking the http-state WG the following question: 
is the whole "authenticated/encrypted cookie" matter worth being adopted as a working item by the group or not ?

My biased opinion is, of course, yes :) at least for the following reasons:
1) there exist real-world use cases where such technique is the only available option (e.g. embedded web servers on severely constrained hardware);
2) there exist real-world use cases where such technique would be a valuable option compared to others (e.g. multi instantiated web apps that would otherwise need a way to synchronize the application state information);
3) anyone facing the same problem would need to reinvent the same wheel, perhaps incorrectly from a cryptographic standpoint (see our HMAC computation bug).
4) there is one important shift in cookie semantics when the cookie producer is not the owner of the cookie bits that is worth making explicit to implementers/users of this facility (see section 7.2.2. of SCS-00);
5) there are security advantages in using SCS over plain cookies at a quite negligible cost -- just some fast symmetric key encryption and HMAC'ing -- which would make SCS an ad-interim fix for some of the cookie model vulnerabilities (e.g. session brute forcing).

Ok I.m here, let me know :)
Bye, t.