1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
|
<pre>Independent Submission S. Barbato
Request for Comments: 6896 S. Dorigotti
Category: Informational T. Fossati, Ed.
ISSN: 2070-1721 KoanLogic
March 2013
<span class="h1">SCS: KoanLogic's Secure Cookie Sessions for HTTP</span>
Abstract
This memo defines a generic URI and HTTP-header-friendly envelope for
carrying symmetrically encrypted, authenticated, and origin-
timestamped tokens. It also describes one possible usage of such
tokens via a simple protocol based on HTTP cookies.
Secure Cookie Session (SCS) use cases cover a wide spectrum of
applications, ranging from distribution of authorized content via
HTTP (e.g., with out-of-band signed URIs) to securing browser
sessions with diskless embedded devices (e.g., Small Office, Home
Office (SOHO) routers) or web servers with high availability or load-
balancing requirements that may want to delegate the handling of the
application state to clients instead of using shared storage or
forced peering.
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This is a contribution to the RFC Series, independently of any other
RFC stream. The RFC Editor has chosen to publish this document at
its discretion and makes no statement about its value for
implementation or deployment. Documents approved for publication by
the RFC Editor are not a candidate for any level of Internet
Standard; see <a href="./rfc5741#section-2">Section 2 of RFC 5741</a>.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
<a href="http://www.rfc-editor.org/info/rfc6896">http://www.rfc-editor.org/info/rfc6896</a>.
<span class="grey">Barbato, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and the IETF Trust's Legal
Provisions Relating to IETF Documents
(<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document.
<span class="grey">Barbato, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-4">4</a>
<a href="#section-2">2</a>. Requirements Language ...........................................<a href="#page-4">4</a>
<a href="#section-3">3</a>. SCS Protocol ....................................................<a href="#page-5">5</a>
<a href="#section-3.1">3.1</a>. SCS Cookie Description .....................................<a href="#page-5">5</a>
<a href="#section-3.1.1">3.1.1</a>. ATIME ...............................................<a href="#page-6">6</a>
<a href="#section-3.1.2">3.1.2</a>. DATA ................................................<a href="#page-6">6</a>
<a href="#section-3.1.3">3.1.3</a>. TID .................................................<a href="#page-7">7</a>
<a href="#section-3.1.4">3.1.4</a>. IV ..................................................<a href="#page-7">7</a>
<a href="#section-3.1.5">3.1.5</a>. AUTHTAG .............................................<a href="#page-7">7</a>
<a href="#section-3.2">3.2</a>. Crypto Transform ...........................................<a href="#page-8">8</a>
<a href="#section-3.2.1">3.2.1</a>. Choice and Role of the Framing Symbol ...............<a href="#page-8">8</a>
<a href="#section-3.2.2">3.2.2</a>. Cipher Set ..........................................<a href="#page-9">9</a>
<a href="#section-3.2.3">3.2.3</a>. Compression .........................................<a href="#page-9">9</a>
<a href="#section-3.2.4">3.2.4</a>. Cookie Encoding .....................................<a href="#page-9">9</a>
<a href="#section-3.2.5">3.2.5</a>. Outbound Transform ..................................<a href="#page-9">9</a>
<a href="#section-3.2.6">3.2.6</a>. Inbound Transform ..................................<a href="#page-10">10</a>
<a href="#section-3.3">3.3</a>. PDU Exchange ..............................................<a href="#page-12">12</a>
<a href="#section-3.3.1">3.3.1</a>. Cookie Attributes ..................................<a href="#page-12">12</a>
<a href="#section-3.3.1.1">3.3.1.1</a>. Expires ...................................<a href="#page-12">12</a>
<a href="#section-3.3.1.2">3.3.1.2</a>. Max-Age ...................................<a href="#page-12">12</a>
<a href="#section-3.3.1.3">3.3.1.3</a>. Domain ....................................<a href="#page-13">13</a>
<a href="#section-3.3.1.4">3.3.1.4</a>. Secure ....................................<a href="#page-13">13</a>
<a href="#section-3.3.1.5">3.3.1.5</a>. HttpOnly ..................................<a href="#page-13">13</a>
<a href="#section-4">4</a>. Key Management and Session State ...............................<a href="#page-13">13</a>
<a href="#section-5">5</a>. Cookie Size Considerations .....................................<a href="#page-15">15</a>
<a href="#section-6">6</a>. Acknowledgements ...............................................<a href="#page-15">15</a>
<a href="#section-7">7</a>. Security Considerations ........................................<a href="#page-15">15</a>
<a href="#section-7.1">7.1</a>. Security of the Cryptographic Protocol ....................<a href="#page-15">15</a>
<a href="#section-7.2">7.2</a>. Impact of the SCS Cookie Model ............................<a href="#page-16">16</a>
<a href="#section-7.2.1">7.2.1</a>. Old Cookie Replay ..................................<a href="#page-16">16</a>
<a href="#section-7.2.2">7.2.2</a>. Cookie Deletion ....................................<a href="#page-17">17</a>
<a href="#section-7.2.3">7.2.3</a>. Cookie Sharing or Theft ............................<a href="#page-18">18</a>
<a href="#section-7.2.4">7.2.4</a>. Session Fixation ...................................<a href="#page-18">18</a>
<a href="#section-7.3">7.3</a>. Advantages of SCS over Server-Side Sessions ...............<a href="#page-19">19</a>
<a href="#section-8">8</a>. References .....................................................<a href="#page-20">20</a>
<a href="#section-8.1">8.1</a>. Normative References ......................................<a href="#page-20">20</a>
<a href="#section-8.2">8.2</a>. Informative References ....................................<a href="#page-20">20</a>
<a href="#appendix-A">Appendix A</a>. Examples ..............................................<a href="#page-22">22</a>
<a href="#appendix-A.1">A.1</a>. No Compression ............................................<a href="#page-22">22</a>
<a href="#appendix-A.2">A.2</a>. Use Compression ...........................................<a href="#page-22">22</a>
<span class="grey">Barbato, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This memo defines a generic URI and HTTP-header-friendly envelope for
carrying symmetrically encrypted, authenticated, and origin-
timestamped tokens.
It is generic in that it does not force any specific format upon the
authenticated information, which makes SCS tokens flexible, easy, and
secure to use in many different scenarios.
It is URI and HTTP header friendly, as it has been explicitly
designed to be compatible with both the ABNF "token" syntax [<a href="./rfc2616" title=""Hypertext Transfer Protocol -- HTTP/1.1"">RFC2616</a>]
(the one used for, e.g., Set-Cookie and Cookie headers) and the path
or query syntax of HTTP URIs.
This memo also describes one possible usage of such tokens via a
simple protocol based on HTTP cookies that allows the establishment
of "client mode" sessions. This is not their sole possible use.
While no other operational patterns are outlined here, it is expected
that SCS tokens may be easily employed as a building block for other
types of HTTP-based applications that need to carry in-band secured
information.
When SCS tokens are used to implement client-mode cookie sessions,
the SCS implementer must fully understand the security implications
entailed by the act of delegating the whole application state to the
client (browser). In this regard, some hopefully useful security
considerations have been collected in <a href="#section-7.2">Section 7.2</a>. However, please
note that they may not cover all possible scenarios; therefore, they
must be weighed carefully against the specific application threat
model.
An SCS server may be implemented within a web application by means of
a user library that exposes the core SCS functionality and leaves
explicit control over SCS tokens to the programmer, or transparently,
by hiding a "diskless session" facility behind a generic session API
abstraction, for example. SCS implementers are free to choose the
model that best suits their needs.
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Requirements Language</span>
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [<a href="./rfc2119" title=""Key words for use in RFCs to Indicate Requirement Levels"">RFC2119</a>].
<span class="grey">Barbato, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. SCS Protocol</span>
The SCS protocol defines:
o the SCS cookie structure and encoding (<a href="#section-3.1">Section 3.1</a>);
o the cryptographic transformations involved in SCS cookie creation
and verification (<a href="#section-3.2">Section 3.2</a>);
o the HTTP-based PDU exchange that uses the Set-Cookie and Cookie
HTTP headers (<a href="#section-3.3">Section 3.3</a>);
o the underlying key management model (<a href="#section-4">Section 4</a>).
Note that the PDU is transmitted to the client as an opaque data
block; hence, no interpretation nor validation is necessary. The
single requirement for client-side support of SCS is cookie
activation on the user agent. The origin server is the sole actor
involved in the PDU manipulation process, which greatly simplifies
the crypto operations -- especially key management, which is usually
a pesky task.
In the following sections, we assume S to be one or more
interchangeable HTTP server entities (e.g., a server pool in a load-
balanced or high-availability environment) and C to be the client
with a cookie-enabled browser or any user agent with equivalent
capabilities.
<span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. SCS Cookie Description</span>
S and C exchange a cookie (<a href="#section-3.3">Section 3.3</a>) whose cookie value consists
of a sequence of adjacent non-empty values, each of which is the 'URL
and Filename safe' Base64 encoding [<a href="./rfc4648" title=""The Base16, Base32, and Base64 Data Encodings"">RFC4648</a>] of a specific SCS field.
(Hereafter, the encoded and raw versions of each SCS field are
distinguished based on the presence, or lack thereof, of the 'e'
prefix in their name, e.g., eATIME and ATIME.)
Each SCS field is separated by its left and/or right sibling by means
of the %x7c ASCII character (i.e., '|'), as follows:
<span class="grey">Barbato, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
scs-cookie = scs-cookie-name "=" scs-cookie-value
scs-cookie-name = token
scs-cookie-value = eDATA "|" eATIME "|" eTID "|" eIV "|" eAUTHTAG
eDATA = 1*base64url-character
eATIME = 1*base64url-character
eTID = 1*base64url-character
eIV = 1*base64url-character
eAUTHTAG = 1*base64url-character
Figure 1
Confidentiality is limited to the application-state information
(i.e., the DATA field), while integrity and authentication apply to
the entire cookie value.
The following subsections describe the syntax and semantics of each
SCS cookie field.
<span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. ATIME</span>
Absolute timestamp relating to the last read or write operation
performed on session DATA, encoded as a HEX string holding the number
of seconds since the UNIX epoch (i.e., since 00:00:00, Jan 1 1970).
This value is updated with each client contact and is used to
identify expired sessions. If the delta between the received ATIME
value and the current time on S is larger than a predefined
"session_max_age" (which is chosen by S as an application-level
parameter), a session is considered to be no longer valid, and is
therefore rejected.
Such an expiration error may be used to force user logout from an
SCS-cookie-based session, or hooked in the web application logic to
display an HTML form requiring revalidation of user credentials.
<span class="h4"><a class="selflink" id="section-3.1.2" href="#section-3.1.2">3.1.2</a>. DATA</span>
Block of encrypted and optionally compressed data, possibly
containing the current session state. Note that no restriction is
imposed on the cleartext structure: the protocol is completely
agnostic as to inner data layout.
Generally speaking, the plaintext is the "normal" cookie that would
have been exchanged by S and C if SCS had not been used.
<span class="grey">Barbato, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h4"><a class="selflink" id="section-3.1.3" href="#section-3.1.3">3.1.3</a>. TID</span>
This identifier is equivalent to a Security Parameter Index (SPI) in
a Data Security SA [<a href="./rfc3740" title=""The Multicast Group Security Architecture"">RFC3740</a>]) and consists of an ASCII string that
uniquely identifies the transform set (keys and algorithms) used to
generate this SCS cookie.
SCS assumes that a key-agreement/distribution mechanism exists for
environments in which S consists of multiple servers that provide a
unique external identifier for each transform set shared amongst pool
members.
Such a mechanism may safely downgrade to a periodic key refresh, if
there is only one server in the pool and the key is generated in
place -- i.e., it is not handled by an external source.
However, when many servers act concurrently upon the same pool, a
more sophisticated protocol, whose specification is out of the scope
of the present document, must be devised (ideally, one that is able
to handle key agreement for dynamic peer groups in a secure and
efficient way, e.g., [<a href="#ref-CLIQUES" title=""Cliques: A New Approach to Group Key Agreement"">CLIQUES</a>] or [<a href="#ref-Steiner" title=""Diffie-Hellman Key Distribution Extended to Group Communication"">Steiner</a>]).
<span class="h4"><a class="selflink" id="section-3.1.4" href="#section-3.1.4">3.1.4</a>. IV</span>
Initialization Vector used for the encryption algorithm (see
<a href="#section-3.2">Section 3.2</a>).
In order to avoid providing correlation information to a possible
attacker with access to a sample of SCS cookies created using the
same TID, the IV MUST be created randomly for each SCS cookie.
<span class="h4"><a class="selflink" id="section-3.1.5" href="#section-3.1.5">3.1.5</a>. AUTHTAG</span>
Authentication tag that is based on the plain string concatenation of
the base64url-encoded DATA, ATIME, TID, and IV fields and is framed
by the "|" separator (see also the definition of the Box() function
in <a href="#section-3.2">Section 3.2</a>):
AUTHTAG = HMAC(base64url(DATA) "|"
base64url(ATIME) "|"
base64url(TID) "|"
base64url(IV))
Note that, from a cryptographic point of view, the "|" character
provides explicit authentication of the length of each supplied
field, which results in a robust countermeasure against splicing
attacks.
<span class="grey">Barbato, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Crypto Transform</span>
SCS could potentially use any combination of primitives capable of
performing authenticated encryption. In practice, an
encrypt-then-MAC approach [<a href="#ref-Kohno" title=""Building Secure Cryptographic Transforms, or How to Encrypt and MAC"">Kohno</a>] with encryption utilizing the
Cipher Block Chaining (CBC) mode and Hashed Message Authentication
Code (HMAC) [<a href="./rfc2104" title=""HMAC: Keyed- Hashing for Message Authentication"">RFC2104</a>] authentication was chosen.
The two algorithms MUST be associated with two independent keys.
The following conventions will be used in the algorithm description
(Sections <a href="#section-3.2.5">3.2.5</a> and <a href="#section-3.2.6">3.2.6</a>):
o Enc/Dec(): block encryption/decryption functions (<a href="#section-3.2.2">Section 3.2.2</a>);
o HMAC(): authentication function (<a href="#section-3.2.2">Section 3.2.2</a>);
o Comp/Uncomp(): compression/decompression functions
(<a href="#section-3.2.3">Section 3.2.3</a>);
o e/d(): cookie-value encoding/decoding functions (<a href="#section-3.2.4">Section 3.2.4</a>);
o RAND(): random number generator [<a href="./rfc4086" title=""Randomness Requirements for Security"">RFC4086</a>];
o Box(): string boxing function. It takes an arbitrary number of
base64url-encoded strings and returns the string obtained by
concatenating each input in the exact order in which they are
listed, separated by the "|" char. For example:
Box("akxI", "MTM", "Hadvo") = "akxI|MTM|Hadvo".
<span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. Choice and Role of the Framing Symbol</span>
Note that the adoption of "|" as the framing symbol in the Box()
function is arbitrary: any char allowed by the cookie-value ABNF in
[<a href="./rfc6265" title=""HTTP State Management Mechanism"">RFC6265</a>] is safe to be used as long it has empty intersection with
the base64url alphabet.
It is also worth noting that the role of the framing symbol, which
provides an implicit length indicator for each of the atoms, is key
to the accuracy and security of SCS.
This is especially relevant when the authentication tag is computed
(see <a href="#section-3.1.5">Section 3.1.5</a>). More specifically, the explicit inclusion of
the framing symbol within the HMAC input seals the integrity of the
blob as a whole together with each of its composing atoms in their
exact position.
<span class="grey">Barbato, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
This feature makes the protocol robust against attacks aimed at
disrupting the security of SCS PDUs by freely moving boundaries
between adjacent atoms.
<span class="h4"><a class="selflink" id="section-3.2.2" href="#section-3.2.2">3.2.2</a>. Cipher Set</span>
Implementers MUST support at least the following algorithms:
o AES-CBC-128 for encryption [<a href="#ref-NIST-AES" title=""Advanced Encryption Standard (AES)"">NIST-AES</a>];
o HMAC-SHA1 with a 128-bit key for authenticity and integrity,
which appear to be sufficiently secure in a broad range of use cases
([<a href="#ref-Bellare" title=""New Proofs for NMAC and HMAC: Security Without Collision-Resistance"">Bellare</a>] [<a href="./rfc6194" title=""Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms"">RFC6194</a>]), are widely available, and can be implemented
in a few kilobytes of memory, providing an extremely valuable feature
for constrained devices.
One should consider using larger cryptographic key lengths (192- or
256-bit) according to the actual security and overall system
performance requirements.
<span class="h4"><a class="selflink" id="section-3.2.3" href="#section-3.2.3">3.2.3</a>. Compression</span>
Compression, which may be useful or even necessary when handling
large quantities of data, is not compulsory (in such a case, Comp/
Uncomp is replaced by an identity matrix). If this function is
enabled, the DEFLATE [<a href="./rfc1951" title=""DEFLATE Compressed Data Format Specification version 1.3"">RFC1951</a>] format MUST be supported.
Some advice to SCS users: compression should not be enabled when
handling relatively short and entropic state, such as pseudorandom
session identifiers. Instead, large and quite regular state blobs
could get a significant boost when compressed.
<span class="h4"><a class="selflink" id="section-3.2.4" href="#section-3.2.4">3.2.4</a>. Cookie Encoding</span>
SCS cookie values MUST be encoded using the alphabet that is URL and
filename safe (i.e., base64url) defined in <a href="#section-5">Section 5</a> of Base64
[<a href="./rfc4648" title=""The Base16, Base32, and Base64 Data Encodings"">RFC4648</a>]. This encoding is very widespread, falls smoothly into the
encoding rules defined in <a href="./rfc6265#section-4.1.1">Section 4.1.1 of [RFC6265]</a>, and can be
safely used to supply SCS-based authorization tokens within a URI
(e.g., in a query string or straight into a path segment).
<span class="h4"><a class="selflink" id="section-3.2.5" href="#section-3.2.5">3.2.5</a>. Outbound Transform</span>
The output data transformation, as seen by the server (the only actor
that explicitly manipulates SCS cookies), is illustrated by the
pseudocode in Figure 2.
<span class="grey">Barbato, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
1. IV := RAND()
2. ATIME := NOW
3. DATA := Enc(Comp(plain-text-cookie-value), IV)
4. AUTHTAG := HMAC(Box(e(DATA), e(ATIME), e(TID), e(IV)))
Figure 2
A new Initialization Vector is randomly picked (step 1). As
previously mentioned (<a href="#section-3.1.4">Section 3.1.4</a>), this step is necessary to avoid
providing correlation information to an attacker.
A new ATIME value is taken as the current timestamp according to the
server clock (step 2).
Since the only user of the ATIME field is the server, it is
unnecessary for it to be synchronized with the client -- though it
needs to use a fairly stable clock. However, if multiple servers are
active in a load-balancing configuration, clocks SHOULD be
synchronized to avoid errors in the calculation of session expiry.
The plaintext cookie value is then compressed (if needed) and
encrypted by using the key-set identified by TID (step 3).
If the length of (compressed) state is not a multiple of the block
size, its value MUST be filled with as many padding bytes of equal
value as the pad length -- as defined by the scheme given in <a href="./rfc5652#section-6.3">Section</a>
<a href="./rfc5652#section-6.3">6.3 of [RFC5652]</a>.
Then, the authentication tag, which encompasses each SCS field (along
with lengths and relative positions), is computed by HMAC'ing the
"|"-separated concatenation of their base64url representations using
the key-set identified by TID (step 4).
Finally, the SCS-cookie-value is created as follows:
scs-cookie-value = Box(e(DATA), e(ATIME), e(TID), e(IV),
e(AUTHTAG))
<span class="h4"><a class="selflink" id="section-3.2.6" href="#section-3.2.6">3.2.6</a>. Inbound Transform</span>
The inbound transformation is described in Figure 3. Each of the
'e'-prefixed names shown has to be interpreted as the
base64url-encoded value of the corresponding SCS field.
<span class="grey">Barbato, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
0. If (split_fields(scs-cookie-value) == ok)
1. tid' := d(eTID)
2. If (tid' is available)
3. tag' := d(eAUTHTAG)
4. tag := HMAC(Box(eDATA, eATIME, eTID, eIV))
5. If (tag = tag')
6. atime' := d(eATIME)
7. If (NOW - atime' <= session_max_age)
8. iv' := d(eIV)
data' := d(eDATA)
9. state := Uncomp(Dec(data', iv'))
10. Else discard PDU
11. Else discard PDU
12. Else discard PDU
13. Else discard PDU
Figure 3
First, the inbound scs-cookie-value is broken into its component
fields, which MUST be exactly 5, and each at least the minimum length
specified in Figure 3 (step 0). In case any of these preliminary
checks fails, the PDU is discarded (step 13); else, TID is decoded to
allow key-set lookup (step 1).
If the cryptographic credentials (encryption and authentication
algorithms and keys identified by TID) are unavailable (step 12), the
inbound SCS cookie is discarded since its value has no chance to be
interpreted correctly. This may happen for several reasons: e.g., if
a device without storage has been reset and loses the credentials
stored in RAM, if a server pool node desynchronizes, or in case of a
key compromise that forces the invalidation of all current TIDs, etc.
When a valid key-set is found (step 2), the AUTHTAG field is decoded
(step 3) and the (still) encoded DATA, ATIME, TID, and IV fields are
supplied to the primitive that computes the authentication tag (step
4).
If the tag computed using the local key-set matches the one carried
by the supplied SCS cookie, we can be confident that the cookie
carries authentic material; otherwise, the SCS cookie is discarded
(step 11).
Then the age of the SCS cookie (as deduced by ATIME field value and
current time provided by the server clock) is decoded and compared to
the maximum time-to-live (TTL) defined by the session_max_age
parameter.
<span class="grey">Barbato, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
If the "age" check passes, the DATA and IV fields are finally decoded
(step 8), so that the original plaintext data can be extracted from
the encrypted, and optionally compressed, blob (step 9).
Note that steps 5 and 7 allow any altered packets or expired sessions
to be discarded, hence avoiding unnecessary state decryption and
decompression.
<span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. PDU Exchange</span>
SCS can be modeled in the same manner as a typical store-and-forward
protocol in which the endpoints are S, consisting of one or more HTTP
servers and the client C, an intermediate node used to "temporarily"
store the data to be successively forwarded to S.
In brief, S and C exchange an immutable cookie data block
(<a href="#section-3.1">Section 3.1</a>): the state is stored on the client at the first hop and
then restored on the server at the second, as in Figure 4.
1. dump-state:
S --> C
Set-Cookie: ANY_COOKIE_NAME=KrdPagFes_5ma-ZUluMsww|MTM0...
Expires=...; Path=...; Domain=...;
2. restore-state:
C --> S
Cookie: ANY_COOKIE_NAME=KrdPagFes_5ma-ZUluMsww|MTM0...
Figure 4
<span class="h4"><a class="selflink" id="section-3.3.1" href="#section-3.3.1">3.3.1</a>. Cookie Attributes</span>
In the following subsections, a series of recommendations is provided
in order to maximize SCS PDU fitness in the generic cookie ecosystem.
<span class="h5"><a class="selflink" id="section-3.3.1.1" href="#section-3.3.1.1">3.3.1.1</a>. Expires</span>
If an SCS cookie includes an Expires attribute, then the attribute
MUST be set to a value consistent with session_max_age.
For maximum compatibility with existing user agents, the timestamp
value MUST be encoded in <a href="./rfc1123">rfc1123</a>-date format, which requires a
4-digit year.
<span class="h5"><a class="selflink" id="section-3.3.1.2" href="#section-3.3.1.2">3.3.1.2</a>. Max-Age</span>
Since not all User Agents (UAs) support this attribute, it MUST NOT
be present in any SCS cookie.
<span class="grey">Barbato, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h5"><a class="selflink" id="section-3.3.1.3" href="#section-3.3.1.3">3.3.1.3</a>. Domain</span>
SCS cookies MUST include a Domain attribute compatible with
application usage.
A trailing '.' MUST NOT be present in order to minimize the
possibility of a user agent ignoring the attribute value.
<span class="h5"><a class="selflink" id="section-3.3.1.4" href="#section-3.3.1.4">3.3.1.4</a>. Secure</span>
This attribute MUST always be asserted when SCS sessions are carried
over a Transport Layer Security (TLS) channel.
<span class="h5"><a class="selflink" id="section-3.3.1.5" href="#section-3.3.1.5">3.3.1.5</a>. HttpOnly</span>
This attribute SHOULD always be asserted.
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Key Management and Session State</span>
This specification provides some common recommendations and practices
relevant to cryptographic key management.
In the following, the term 'key' references both encryption and HMAC
keys.
o The key SHOULD be generated securely following the randomness
recommendations in [<a href="./rfc4086" title=""Randomness Requirements for Security"">RFC4086</a>];
o the key SHOULD only be used to generate and verify SCS PDUs;
o the key SHOULD be replaced regularly as well as any time the
format of SCS PDUs or cryptographic algorithms changes.
Furthermore, to preserve the validity of active HTTP sessions upon
renewal of cryptographic credentials (whenever the value of TID
changes), an SCS server MUST be capable of managing at least two
transforms contemporarily: the currently instantiated one and its
predecessor.
Each transform set SHOULD be associated with an attribute pair,
"refresh" and "expiry", which is used to identify the exposure limits
(in terms of time or quantity of encrypted and/or authenticated
bytes, etc.) of related cryptographic material.
<span class="grey">Barbato, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
In particular, the "refresh" attribute specifies the time limit for
substitution of transform set T with new material T'. From that
moment onwards, and for an amount of time determined by "expiry", all
new sessions will be created using T', while the active T-protected
ones go through a translation phase in which:
o the inbound transformation authenticates and decrypts/decompresses
using T (identified by TID);
o the outbound transformation encrypts/compresses and authenticates
using T'.
T' {not valid yet} |---------------------|----------------
| translation stage |
T ----------------|---------------------| {no longer valid}
refresh refresh + expiry
Figure 5
As shown in Figure 5, the duration of the HTTP session MUST fit
within the lifetime of a given transform set (i.e., from creation
time until "refresh" + "expiry").
In practice, this should not be an obstacle because the longevity of
the two entities (HTTP session and SCS transform set) should differ
by one or two orders of magnitude.
An SCS server may take this into account by determining the duration
of a session adaptively according to the expected deletion time of
the active T, or by setting the "expiry" value to at least the
maximum lifetime allowed by an HTTP session.
Since there is also only one refresh attribute in situations with
more than one key (e.g., one for encryption and one for
authentication) within the same T, the smallest value is chosen.
It is critical for the correctness of the protocol that in case
multiple equivalent SCS servers are used in a pool, all of them share
the same view of time (see also <a href="#section-3.2.5">Section 3.2.5</a>) and keying material.
As far as the latter is concerned, SCS does not mandate the use of
any specific key-sharing mechanism, and will keep working correctly
as long as the said mechanism is able to provide a single, coherent
view of the keys shared by pool members -- while conforming to the
recommendations given in this section.
<span class="grey">Barbato, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Cookie Size Considerations</span>
In general, SCS cookies are bigger than their plaintext counterparts.
This is due to the following reasons:
o inflation of the Base64 encoding of state data (approximately 1.4
times the original size, including the encryption padding);
o the fixed size increment (approximately 80/90 bytes) caused by SCS
fields and framing overhead.
While the former is a price the user must always pay proportionally
to the original data size, the latter is a fixed quantum, which can
be huge on small amounts of data but is quickly absorbed as soon as
data becomes big enough.
The following table compares byte lengths of SCS cookies (with a
four-byte TID) and corresponding plaintext cookies in a worst-case
scenario, i.e., when no compression is in use (or applicable).
plain | SCS
-------+-------
11 | 128
102 | 256
285 | 512
651 | 1024
1382 | 2048
2842 | 4096
The largest uncompressed cookie value that can be safely supplied to
SCS is about 2.8 KB.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Acknowledgements</span>
We would like to thank Jim Schaad, David Wagner, Lorenzo Cavallaro,
Willy Tarreau, Tobias Gondrom, John Michener, Sean Turner, Barry
Leiba, Robert Sparks, Stephen Farrell, Stewart Bryant, and Nevil
Brownlee for their valuable feedback on this document.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. Security Considerations</span>
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Security of the Cryptographic Protocol</span>
From a cryptographic architecture perspective, the described
mechanism can be easily traced to an "encode then encrypt-then-MAC"
scheme (Encode-then-EtM) as described in [<a href="#ref-Kohno" title=""Building Secure Cryptographic Transforms, or How to Encrypt and MAC"">Kohno</a>].
<span class="grey">Barbato, et al. Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
Given a "provably-secure" encryption scheme and MAC (as for the
algorithms mandated in <a href="#section-3.2.2">Section 3.2.2</a>), the authors of [<a href="#ref-Kohno" title=""Building Secure Cryptographic Transforms, or How to Encrypt and MAC"">Kohno</a>]
demonstrate that their composition results in a secure authenticated
encryption scheme.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Impact of the SCS Cookie Model</span>
The fact that the server does not own the cookie it produces, gives
rise to a series of consequences that must be clearly understood when
one envisages the use of SCS as a cookie provider and validator for
his/her application.
In the following subsections, a set of different attack scenarios
(together with corresponding countermeasures where applicable) are
identified and analyzed.
<span class="h4"><a class="selflink" id="section-7.2.1" href="#section-7.2.1">7.2.1</a>. Old Cookie Replay</span>
SCS doesn't address replay of old cookie values.
In fact, there is nothing that assures an SCS application about the
client having returned the most recent version of the cookie.
As with "server-side" sessions, if an attacker gains possession of a
given user's cookies -- via simple passive interception or another
technique -- he/she will always be able to restore the state of an
intercepted session by representing the captured data to the server.
The ATIME value, along with the session_max_age configuration
parameter, allows SCS to mitigate the chances of an attack (by
forcing a time window outside of which a given cookie is no longer
valid) but cannot exclude it completely.
A countermeasure against the "passive interception and replay"
scenario can be applied at transport/network level using the anti-
replay services provided by e.g., Secure Socket Layer/Transport Layer
Security (SSL/TLS) [<a href="./rfc5246" title=""The Transport Layer Security (TLS) Protocol Version 1.2"">RFC5246</a>] or IPsec [<a href="./rfc4301" title=""Security Architecture for the Internet Protocol"">RFC4301</a>].
A native solution is not in scope with the security properties
inherent to an SCS cookie. Hence, an application wishing to be
replay-resistant must put in place some ad hoc mechanism to prevent
clients (both rogue and legitimate) from (a) being able to replay old
cookies as valid credentials and/or (b) getting any advantage by
replaying them.
<span class="grey">Barbato, et al. Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
The following illustrate some typical use cases:
o Session inactivity timeout scenario (implicit invalidation): use
the session_max_age parameter if a global setting is viable, else
place an explicit TTL in the cookie (e.g.,
validity_period="start_time, duration") that can be verified by
the application each time the client presents the SCS cookie.
o Session voidance scenario (explicit invalidation): put a randomly
chosen string into each SCS cookie (cid="$(random())") and keep a
list of valid session cids against which the SCS cookie presented
by the client can be checked. When a cookie needs to be
invalidated, delete the corresponding cid from the list. The
described method has the drawback that, in case a non-permanent
storage is used to archive valid cids, a reboot/restart would
invalidate all sessions (it can't be used when |S| > 1).
o One-shot transaction scenario (ephemeral): this is a variation on
the previous theme when sessions are consumed within a single
request/response. Put a nonce="$(random())" within the state
information and keep a list of not-yet-consumed nonces in RAM.
Once the client presents its cookie credential, the embodied nonce
is deleted from the list and will be therefore discarded whenever
replayed.
o TLS binding scenario: the server application must run on TLS, be
able to extract information related to the current TLS session,
and store it in the DATA field of the SCS cookie itself [<a href="./rfc5056" title=""On the Use of Channel Bindings to Secure Channels"">RFC5056</a>].
The establishment of this secure channel binding prevents any
third party from reusing the SCS cookie, and drops its value
altogether after the TLS session is terminated -- regardless of
the lifetime of the cookie. This approach suffers a scalability
problem in that it requires each SCS session to be handled by the
same client-server pair. However, it provides a robust model and
an affordable compromise when security of the session is
exceptionally valuable (e.g., a user interacting with his/her
online banking site).
It is worth noting that in all but the latter scenario, if an
attacker is able to use the cookie before the legitimate client gets
a chance to, then the impersonation attack will always succeed.
<span class="h4"><a class="selflink" id="section-7.2.2" href="#section-7.2.2">7.2.2</a>. Cookie Deletion</span>
A direct and important consequence of the missing owner role in SCS
is that a client could intentionally delete its cookie and return
nothing.
<span class="grey">Barbato, et al. Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
The application protocol has to be designed so there is no incentive
to do so, for instance:
o it is safe for the cookie to represent some kind of positive
capability -- the possession of which increases the client's
powers;
o it is not safe to use the cookie to represent negative
capabilities -- where possession reduces the client's powers -- or
for revocation.
Note that this behavior is not equivalent to cookie removal in the
"server-side" cookie model, because in case of missing cookie backup
by other parties (e.g., the application using SCS), the client could
simply make it disappear once and for all.
<span class="h4"><a class="selflink" id="section-7.2.3" href="#section-7.2.3">7.2.3</a>. Cookie Sharing or Theft</span>
Just like with plain cookies, SCS doesn't prevent sharing (both
voluntary and illegitimate) of cookies between multiple clients.
In the context of voluntary cookie sharing, using HTTPS only as a
separate secure transport provider is useless: in fact, client
certificates are just as shareable as cookies. Instead, using some
form of secure channel binding (as illustrated in <a href="#section-7.2.1">Section 7.2.1</a>) may
cancel this risk.
The risk of theft could be mitigated by securing the wire (e.g., via
HTTPS, IPsec, VPN, etc.), thus reducing the opportunity of cookie
stealing to a successful attack on the protocol endpoints.
In order to reduce the attack window on stolen cookies, an
application may choose to generate cookies whose lifetime is upper
bounded by the browsing session lifetime (i.e., by not attaching an
Expires attribute to them.)
<span class="h4"><a class="selflink" id="section-7.2.4" href="#section-7.2.4">7.2.4</a>. Session Fixation</span>
Session fixation vulnerabilities [<a href="#ref-Kolsec" title=""Session Fixation Vulnerability in Web-based Applications"">Kolsec</a>] are not addressed by SCS.
A more sophisticated protocol involving active participation of the
UA in the SCS cookie manipulation process would be needed: e.g., some
form of challenge/response exchange initiated by the server in the
HTTP response and replied to by the UA in the next chained HTTP
request.
<span class="grey">Barbato, et al. Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
Unfortunately, the present specification, which is based on
[<a href="./rfc6265" title=""HTTP State Management Mechanism"">RFC6265</a>], sees the UA as a completely passive actor whose role is to
blindly paste the cookie value set by the server.
Nevertheless, the SCS cookies wrapping mechanism may be used in the
future as a building block for a more robust HTTP state management
protocol.
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Advantages of SCS over Server-Side Sessions</span>
Note that all the above-mentioned vulnerabilities also apply to plain
cookies, making SCS at least as secure, but there are a few good
reasons to consider its security level enhanced.
First of all, the confidentiality and authentication features
provided by SCS protect the cookie value, which is normally plaintext
and tamperable.
Furthermore, neither of the common vulnerabilities of server-side
sessions (session identifier (SID) prediction and SID brute-forcing)
can be exploited when using SCS, unless the attacker possesses
encryption and HMAC keys (both current ones and those relating to the
previous set of credentials).
More in general, no slicing nor altering operations can be done over
an SCS PDU without controlling the cryptographic key-set.
<span class="grey">Barbato, et al. Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. References</span>
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Normative References</span>
[<a id="ref-NIST-AES">NIST-AES</a>] National Institute of Standards and Technology, "Advanced
Encryption Standard (AES)", FIPS PUB 197, November 2001,
<<a href="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">http://csrc.nist.gov/publications/fips/fips197/</a>
<a href="http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf">fips-197.pdf</a>>.
[<a id="ref-RFC1951">RFC1951</a>] Deutsch, P., "DEFLATE Compressed Data Format
Specification version 1.3", <a href="./rfc1951">RFC 1951</a>, May 1996.
[<a id="ref-RFC2104">RFC2104</a>] Krawczyk, H., Bellare, M., and R. Canetti, "HMAC: Keyed-
Hashing for Message Authentication", <a href="./rfc2104">RFC 2104</a>,
February 1997.
[<a id="ref-RFC2119">RFC2119</a>] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", <a href="https://www.rfc-editor.org/bcp/bcp14">BCP 14</a>, <a href="./rfc2119">RFC 2119</a>, March 1997.
[<a id="ref-RFC2616">RFC2616</a>] Fielding, R., Gettys, J., Mogul, J., Frystyk, H.,
Masinter, L., Leach, P., and T. Berners-Lee, "Hypertext
Transfer Protocol -- HTTP/1.1", <a href="./rfc2616">RFC 2616</a>, June 1999.
[<a id="ref-RFC4086">RFC4086</a>] Eastlake, D., Schiller, J., and S. Crocker, "Randomness
Requirements for Security", <a href="https://www.rfc-editor.org/bcp/bcp106">BCP 106</a>, <a href="./rfc4086">RFC 4086</a>, June 2005.
[<a id="ref-RFC4648">RFC4648</a>] Josefsson, S., "The Base16, Base32, and Base64 Data
Encodings", <a href="./rfc4648">RFC 4648</a>, October 2006.
[<a id="ref-RFC5652">RFC5652</a>] Housley, R., "Cryptographic Message Syntax (CMS)",
STD 70, <a href="./rfc5652">RFC 5652</a>, September 2009.
[<a id="ref-RFC6194">RFC6194</a>] Polk, T., Chen, L., Turner, S., and P. Hoffman, "Security
Considerations for the SHA-0 and SHA-1 Message-Digest
Algorithms", <a href="./rfc6194">RFC 6194</a>, March 2011.
[<a id="ref-RFC6265">RFC6265</a>] Barth, A., "HTTP State Management Mechanism", <a href="./rfc6265">RFC 6265</a>,
April 2011.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Informative References</span>
[<a id="ref-Bellare">Bellare</a>] Bellare, M., "New Proofs for NMAC and HMAC: Security
Without Collision-Resistance", 2006.
[<a id="ref-CLIQUES">CLIQUES</a>] Steiner, M., Tsudik, G., and M. Waidner, "Cliques: A New
Approach to Group Key Agreement", 1996.
<span class="grey">Barbato, et al. Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
[<a id="ref-Kohno">Kohno</a>] Kohno, T., Palacio, A., and J. Black, "Building Secure
Cryptographic Transforms, or How to Encrypt and MAC",
2003.
[<a id="ref-Kolsec">Kolsec</a>] Kolsec, M., "Session Fixation Vulnerability in Web-based
Applications", 2002.
[<a id="ref-RFC3740">RFC3740</a>] Hardjono, T. and B. Weis, "The Multicast Group Security
Architecture", <a href="./rfc3740">RFC 3740</a>, March 2004.
[<a id="ref-RFC4301">RFC4301</a>] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", <a href="./rfc4301">RFC 4301</a>, December 2005.
[<a id="ref-RFC5056">RFC5056</a>] Williams, N., "On the Use of Channel Bindings to Secure
Channels", <a href="./rfc5056">RFC 5056</a>, November 2007.
[<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, "The Transport Layer Security
(TLS) Protocol Version 1.2", <a href="./rfc5246">RFC 5246</a>, August 2008.
[<a id="ref-Steiner">Steiner</a>] Steiner, M., Tsudik, G., and M. Waidner, "Diffie-Hellman
Key Distribution Extended to Group Communication", 1996.
<span class="grey">Barbato, et al. Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Examples</span>
The examples in this section have been created using the 'scs' test
tool bundled with LibSCS, a free and opensource reference
implementation of the SCS protocol that can be found at
(<a href="http://github.com/koanlogic/libscs">http://github.com/koanlogic/libscs</a>).
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. No Compression</span>
The following parameters:
o Plaintext cookie: "a state string"
o AES-CBC-128 key: "123456789abcdef"
o HMAC-SHA1 key: "12345678901234567890"
o TID: "tid"
o ATIME: 1347265955
o IV:
\xb4\xbd\xe5\x24\xf7\xf6\x9d\x44\x85\x30\xde\x9d\xb5\x55\xc9\x4f
produce the following tokens:
o DATA: DqfW4SFqcjBXqSTvF2qnRA
o ATIME: MTM0NzI2NTk1NQ
o TID: OHU7M1cqdDQt
o IV: tL3lJPf2nUSFMN6dtVXJTw
o AUTHTAG: AznYHKga9mLL8ioi3If_1iy2KSA
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. Use Compression</span>
The same parameters as above, except ATIME and IV:
o Plaintext cookie: "a state string"
o AES-CBC-128 key: "123456789abcdef"
o HMAC-SHA1 key: "12345678901234567890"
o TID: "tid"
<span class="grey">Barbato, et al. Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc6896">RFC 6896</a> SCS March 2013</span>
o ATIME: 1347281709
o IV:
\x1d\xa7\x6f\xa0\xff\x11\xd7\x95\xe3\x4b\xfb\xa9\xff\x65\xf9\xc7
produce the following tokens:
o DATA: PbE-ypmQ43M8LzKZ6fMwFg-COrLP2l-Bvgs
o ATIME: MTM0NzI4MTcwOQ
o TID: akxIKmhbMTE8
o IV: HadvoP8R15XjS_up_2X5xw
o AUTHTAG: A6qevPr-ugHQChlr_EiKYWPvpB0
In both cases, the resulting SCS cookie is obtained via ordered
concatenation of the produced tokens, as described in <a href="#section-3.1">Section 3.1</a>.
Authors' Addresses
Stefano Barbato
KoanLogic
Via Marmolada, 4
Vitorchiano (VT), 01030
Italy
EMail: tat@koanlogic.com
Steven Dorigotti
KoanLogic
Via Maso della Pieve 25/C
Bolzano, 39100
Italy
EMail: stewy@koanlogic.com
Thomas Fossati (editor)
KoanLogic
Via di Sabbiuno 11/5
Bologna, 40136
Italy
EMail: tho@koanlogic.com
Barbato, et al. Informational [Page 23]
</pre>
|
