[TLS] Addressing cookie theft (think BEAST) with channel bound cookies using TLS session IDs
Nico Williams <nico@cryptonector.com> Wed, 28 September 2011 20:08 UTC
Return-Path: <nico@cryptonector.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D48311E811A for <tls@ietfa.amsl.com>; Wed, 28 Sep 2011 13:08:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.59
X-Spam-Level:
X-Spam-Status: No, score=-2.59 tagged_above=-999 required=5 tests=[AWL=-0.613, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bBW9BM-co4d0 for <tls@ietfa.amsl.com>; Wed, 28 Sep 2011 13:08:02 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (caiajhbdcaib.dreamhost.com [208.97.132.81]) by ietfa.amsl.com (Postfix) with ESMTP id E170A11E8107 for <tls@ietf.org>; Wed, 28 Sep 2011 13:08:01 -0700 (PDT)
Received: from homiemail-a26.g.dreamhost.com (localhost [127.0.0.1]) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTP id 7B531B8079 for <tls@ietf.org>; Wed, 28 Sep 2011 13:10:31 -0700 (PDT)
DomainKey-Signature: a=rsa-sha1; c=nofws; d=cryptonector.com; h=mime-version :date:message-id:subject:from:to:content-type; q=dns; s= cryptonector.com; b=lBv+SZo+B9RA+ykGHuBgw15ii5bCmwmRdh3K0SHdPJa2 W+hfxRt8O8GM1UyMw0J/c6kR9q6D8wSaelRmvuWwDbkQwvlzbjqLK/1cK4egabBw ZZFdwNtdHcHmWy+m9zwob9PIZSZyVeSglJKuK1QawWwWKFzHUMhBTA5rel0svAM=
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=cryptonector.com; h= mime-version:date:message-id:subject:from:to:content-type; s= cryptonector.com; bh=E7m7v1iBMTmYe+HHoMGwWQSlUwQ=; b=NGyFmV31bV7 c24rbn3kKG7/jsPP14L+nZj1WwO1WCn/m3nbEd4L3sOPG+R4eqbTjtozakH3DQk7 CyHmIDbFkUOVr0yJY/cmoORwW2UqW4TW6VhXMbBvnzl+EAPdeaE9e2Fp2a3os7gu ACTFyFOekcx5gAGqWqG3OC1bxe7mn1Bw=
Received: from mail-pz0-f50.google.com (mail-pz0-f50.google.com [209.85.210.50]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: nico@cryptonector.com) by homiemail-a26.g.dreamhost.com (Postfix) with ESMTPSA id 663CDB8057 for <tls@ietf.org>; Wed, 28 Sep 2011 13:10:12 -0700 (PDT)
Received: by pzk37 with SMTP id 37so22327343pzk.9 for <tls@ietf.org>; Wed, 28 Sep 2011 13:10:11 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.57.102 with SMTP id h6mr34640166pbq.7.1317240611786; Wed, 28 Sep 2011 13:10:11 -0700 (PDT)
Received: by 10.68.71.138 with HTTP; Wed, 28 Sep 2011 13:10:11 -0700 (PDT)
Date: Wed, 28 Sep 2011 15:10:11 -0500
Message-ID: <CAK3OfOjKwn16uKN44AjDDYoFxJwdghK=21zEKr6zSrp4gzATFQ@mail.gmail.com>
From: Nico Williams <nico@cryptonector.com>
To: tls@ietf.org
Content-Type: text/plain; charset="UTF-8"
Subject: [TLS] Addressing cookie theft (think BEAST) with channel bound cookies using TLS session IDs
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Sep 2011 20:08:02 -0000
A while back Dirk Balfanz proposed something he called "origin bound certificates" and "channel bound cookies". A lighter-weight alternative (i.e., involving no protocol changes) would be nice. Mine: use TLS session IDs as the channel binding. Suppose you have a server with a TLS stack that generates nice, large, [pseudo-]random TLS session IDs, and that supports session resumption (preferably with session tickets). Now have the app's login page bind the TLS session ID into the cookies it generates for the user's application session. So, if a cookie consists of E(app_service_key, username || app_session_data) now make it E(app_service_key, username || app_session_data || tls_session_id). Similarly for other cookie construction techniques. And, critically, change the cookie validation code to check that the TLS session ID of the connection over which a request was received matches the cookie's binding. This is a pure server-side fix for cookie theft attacks, including BEAST. Pre-requisites for this concept to be workable: - client support for TLS session resumption (preferably also with support for session tickets); - server (concentrator!) support for session resumption (preferably also with ...); - TLS session lifetimes matched to cookie lifetimes; - TLS session IDs must be exposed up the TLS and HTTP server-side stack (including any concentrators); - TLS servers that generate large session IDs (32 bytes is the max) using a suitable [P]RNG. Advantages: - purely server-side solution; - does minimal violence to web applications (only cookie generation and validation are affected); - can be deployed at any rate; - no standards-work is required because no protocols are modified (except, perhaps, in the form of a BCP that we might want to issue describing this, and maybe a new header by which the server can advertise that it's channel binding cookies); - some web server frameworks will probably be able to implement channel bound cookies transparently to the server application; - RFC5056-compliant. :) Disadvantages: - not all server stacks will meet the requirements listed above on day 1; - we may need a method for detecting clients that don't support session resumption, if there exist such clients (which I'm sure is true); however, if such detection can be done from, say, the user-agent string sent in an HTTPS request (say, the login form POST), at least we won't have a downgrade attack. Can this work? Or is my feverish imagination misleading me? I think it can work. Yes, there's a concern over collisions in the session ID space, but it's up to 256-bits. It suffices that attackers not have any way to force a TLS session's ID to match another's. So I don't think this is a concern. It'd be nice, too, if the server could advertise to the user-agent that its cookies are channel bound, so the user-agent can apply policy requiring channel bound cookies if it wishes. Nico --
- [TLS] Addressing cookie theft (think BEAST) with … Nico Williams
- Re: [TLS] Addressing cookie theft (think BEAST) w… Yoav Nir
- Re: [TLS] Addressing cookie theft (think BEAST) w… Nico Williams
- Re: [TLS] Addressing cookie theft (think BEAST) w… Michael D'Errico
- Re: [TLS] Addressing cookie theft (think BEAST) w… Marsh Ray
- Re: [TLS] Addressing cookie theft (think BEAST) w… Nico Williams
- Re: [TLS] Addressing cookie theft (think BEAST) w… Tom Ritter
- Re: [TLS] Addressing cookie theft (think BEAST) w… Nico Williams
- Re: [TLS] Addressing cookie theft (think BEAST) w… Martin Rex
- Re: [TLS] Addressing cookie theft (think BEAST) w… Steve Dispensa
- Re: [TLS] Addressing cookie theft (think BEAST) w… Nikos Mavrogiannopoulos
- Re: [TLS] Addressing cookie theft (think BEAST) w… Florian Weimer
- Re: [TLS] Addressing cookie theft (think BEAST) w… Nico Williams