[websec] Session continuation mechanism -01
Phillip Hallam-Baker <hallam@gmail.com> Wed, 15 May 2013 01:36 UTC
Return-Path: <hallam@gmail.com>
X-Original-To: websec@ietfa.amsl.com
Delivered-To: websec@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A42321F8B2B for <websec@ietfa.amsl.com>; Tue, 14 May 2013 18:36:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u05Efy9ffOOl for <websec@ietfa.amsl.com>; Tue, 14 May 2013 18:36:37 -0700 (PDT)
Received: from mail-we0-x232.google.com (mail-we0-x232.google.com [IPv6:2a00:1450:400c:c03::232]) by ietfa.amsl.com (Postfix) with ESMTP id A209321F8651 for <websec@ietf.org>; Tue, 14 May 2013 18:36:36 -0700 (PDT)
Received: by mail-we0-f178.google.com with SMTP id q57so1053915wes.23 for <websec@ietf.org>; Tue, 14 May 2013 18:36:35 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:date:message-id:subject:from:to :content-type; bh=2rQKeCVlDDU+ABfMMVC7ZmExfsR240wMwRG+hrqP8Qk=; b=N1MIc+IWW8WpmoAIFJ1Pmk1dO7XD9a8mCe3LGeCCIa6OamKAh0ISSB9yyJGY8OTKVm L3/jSXgxeOFoRCNniIf7ulKqOWJT7MGTefoJLAATgnYqA6iWYY2dD0mBLWc0HcKIgfci iGuPbPd9wY1CXjOkLVmJdq3JuA3AK7Z1P1H7jUyxtoWMxr37F/dy6euWesI+5iymHFdc 0yl/3D3XDA1bd7lNexTqI4XM4XIK/YJGB3j5qPSpC3ZzsSz5YAK+nobNEIyJ9E4XfSZh J0NXFpaxSIOpv4w8tmoaNkV0KA5ha3BpKO6mPcm1SNt2Y3ZvVE6VlintaQl/KzINd/vv D4QA==
MIME-Version: 1.0
X-Received: by 10.194.243.170 with SMTP id wz10mr678664wjc.53.1368581795800; Tue, 14 May 2013 18:36:35 -0700 (PDT)
Received: by 10.194.162.8 with HTTP; Tue, 14 May 2013 18:36:35 -0700 (PDT)
Date: Tue, 14 May 2013 21:36:35 -0400
Message-ID: <CAMm+LwiBeHTMuP2VqZukaLp8njO0npskxRJw3fhryhKfs0ak=g@mail.gmail.com>
From: Phillip Hallam-Baker <hallam@gmail.com>
To: websec <websec@ietf.org>
Content-Type: multipart/alternative; boundary="089e0149411ac8eaef04dcb7c71a"
Subject: [websec] Session continuation mechanism -01
X-BeenThere: websec@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <websec.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/websec>, <mailto:websec-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/websec>
List-Post: <mailto:websec@ietf.org>
List-Help: <mailto:websec-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/websec>, <mailto:websec-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 May 2013 01:36:38 -0000
I have just submitted an updated version of the session continuation draft. http://www.ietf.org/id/draft-hallambaker-httpsession-01.txt I didn't bring the first version to the list attention as I was not convinced all the parts really worked. I have since re-engineered the replay prevention mechanism and I think the result is more sensible. There is code, but this version is not tracking it (yet). I modified the examples to get the draft out the door so don't go checking it :-) The basic idea here is that this is a more or less drop in replacement for HTTP cookies but with much better security properties. To signal that it can accept session continuation in place of cookies, a client adds an Accept-Session header to a request. If the server accepts the offer of using session management it returns a response with a Set-Session header. After the context is set up, the client and server both add Session headers to request and response messages. The main change is on replay attack prevention which I now think needs to be different for requests and responses. Response replay attack prevention is easy. Just put a nonce in the request and the server returns in in the response. Problem solved. No need to keep any state or muck about with clocks. Request replay attack is trickier and I don't think we even want to try to do the job in HTTP, certainly not the whole job. If people want really solid request replay attack prevention for a Web service then they should write the code into their Web Service because HTTP does not have enough visibility into their transaction to know when the nonces should be there or not. The same mechanism could be extended to cover public key techniques (digital signatures). -- Website: http://hallambaker.com/
- [websec] Session continuation mechanism -01 Phillip Hallam-Baker