Session cookies for web applications [http://lwn.net/Articles/283383/]
By Jake Edge
May 21, 2008
Two weeks ago on this page, we reported on some Wordpress vulnerabilities that were caused by incorrectly generating authentication cookies. The article was a bit light on details about such cookies, so this follow-up hopes to remedy that. In addition, Steven Murdoch, who discovered both of the holes, recently presented a paper on a new cookie technique that provides some additional safeguards over other schemes.
兩周前在此頁上,我們報(bào)道了由不正確生成的身份驗(yàn)證 cookies 引起的一些 Wordpress 漏洞。那篇文檔對(duì)這些 cookies 的細(xì)節(jié)描述略少,這篇后續(xù)的文章希望能解決這個(gè)問題。另外,發(fā)現(xiàn)這些漏洞的 Steven Murdoch,最近發(fā)表了篇關(guān)于一種新的 cookie 技術(shù)的文章,文章提供了其他方案之`上`的一些額外保護(hù)措施。
HTTP is a stateless protocol which means that any application that wishes to track multiple requests as a single session must provide its own way to link those requests. This is typically done through cookies, which are opaque blobs of data that are stored by browsers. Cookies are sent to the browser as part of an HTTP response, usually after some kind of authentication is successful. The browser associates the cookie with the URL of the site so that it can send the cookie value back to the server on each subsequent request.
HTTP 是一種無狀態(tài)的協(xié)議,這意味著任何希望跟蹤多個(gè)請(qǐng)求作為單個(gè)會(huì)話的應(yīng)用程序,必須提供自己的方式來鏈接這些請(qǐng)求。這通常通過 cookies 來完成,cookies 是瀏覽器存儲(chǔ)的不透明的數(shù)據(jù)塊。通常,在某種身份認(rèn)證成功后,cookies 被作為一個(gè) HTTP 響應(yīng)的一部分發(fā)送給瀏覽器。瀏覽器把 cookie 和對(duì)應(yīng)網(wǎng)站的 URL 關(guān)聯(lián)起來,以便它可以在每個(gè)后續(xù)請(qǐng)求中回送 cookie 值到服務(wù)器。
Servers can then use the value as a key into some kind of persistent storage so that all requests that contain that cookie value are treated as belonging to a particular session. In particular, it represents that the user associated with that session has correctly authenticated. The cookie lasts until it expires or is deleted by the user. When that happens, the user must re-authenticate to get a new cookie which also starts a new session. Users find this annoying if it happens too frequently, so expirations are often quite long.
然后,服務(wù)器可以`用某種持久性存儲(chǔ)的鍵`使用該值,使得所有包含該 cookie 值的請(qǐng)求,被視為屬于同一個(gè)特定會(huì)話。特別是,它代表和該會(huì)話關(guān)聯(lián)的那個(gè)已經(jīng)正確通過身份驗(yàn)證的用戶。一個(gè) cookie 一直存在,直到過期或被用戶刪除。此時(shí),用戶必須重新進(jìn)行身份驗(yàn)證,獲取一個(gè)新 cookie,同時(shí)開始一個(gè)新會(huì)話。如果它發(fā)生的過于頻繁,會(huì)讓用戶感到惱人,所以到期時(shí)間通常相當(dāng)長。
If the user explicitly logs out of the application, any server-side resources that are being used to store state information can be freed, but that is often not the case. Users will generally just close their browser (or tab) while still being logged in. It is also convenient for users to be allowed multiple concurrent sessions, generally from multiple computers, which will cause the number of sessions stored to be larger, perhaps much larger, than the number of users.
如果用戶顯式地登出應(yīng)用程序,任何用來存儲(chǔ)狀態(tài)信息的服務(wù)器端資源會(huì)被釋放,但情況經(jīng)常不是這樣。用戶通常只是關(guān)閉他們的瀏覽器(或標(biāo)簽頁),當(dāng)仍在登錄狀態(tài)時(shí)。這也允許用戶方便地,從不同的計(jì)算機(jī)上使用多個(gè)并發(fā)會(huì)話。這將導(dǎo)致存儲(chǔ)更大的會(huì)話數(shù)量,也許比用戶數(shù)量大許多。
Applications could restrict the number of sessions allowed by a user, or ratchet the expiration value way down, but they typically do not for user convenience. This allows for a potential denial of service when an attacker creates so many sessions that the server runs out of persistent storage. For this reason, stateless session cookies [PDF][http://prisms.cs.umass.edu/~kevinfu/papers/webauth_tr.pdf] were created.
應(yīng)用程序可以限制允許一個(gè)用戶使用的會(huì)話數(shù),或者``,但它們通常不方便用戶使用。這允許一個(gè)潛在的拒絕服務(wù),當(dāng)一個(gè)攻擊者創(chuàng)建太多會(huì)話,以至于服務(wù)器用完持久性存儲(chǔ)時(shí)。出于這個(gè)原因,無狀態(tài)會(huì)話 cookies 被創(chuàng)建。
Stateless session cookies store all of the state information in the cookie itself, so that the server need not keep anything in the database, filesystem, or memory. The data in the cookie must be encoded in such a way that they cannot be forged, otherwise attackers could create cookies that allow them access they should not have. This is essentially where Wordpress went wrong. By not implementing stateless session cookies correctly, a valid cookie for one user could be modified into a valid cookie for a different user.
無狀態(tài)會(huì)話 cookies 把所有狀態(tài)信息存儲(chǔ)到 cookie 本身,使服務(wù)器不需要在數(shù)據(jù)庫、文件系統(tǒng)或內(nèi)存中保存任何信息。Cookie 中的數(shù)據(jù)必須以不能被偽造的方式編碼,否則攻擊者可以創(chuàng)建允許他們?cè)L問不應(yīng)該訪問內(nèi)容的 cookies 。實(shí)際上這就是 Wordpress 出問題的地方。由于沒有正確使用無狀態(tài)會(huì)話 cookies ,一個(gè)用戶的有效 cookie 可以被修改成另一個(gè)不同用戶的有效 cookie 。
A stateless session cookie has the state data and expiration "in the clear" followed by a secure hash (SHA-256 for example) of those same values along with a key known only by the server. When the server receives the cookie value, it can calculate the hash and if it matches, proceed to use the state information. Because the secret is not known, an attacker cannot create their own cookies with values of their choosing.
一個(gè)無狀態(tài)的會(huì)話 cookie 有狀態(tài)數(shù)據(jù)和明確的到期時(shí)間,后跟一個(gè)安全哈希值(例如 SHA-256),該哈希值和只有服務(wù)器知道的一個(gè)鍵`對(duì)應(yīng)`。當(dāng)服務(wù)器接收到 cookie 值,會(huì)計(jì)算哈希值,如果匹配,繼續(xù)使用其中的狀態(tài)信息。由于這個(gè)密鑰是未知的,攻擊者不能使用他們選擇的值創(chuàng)建自己的 cookies 。
The other side of that coin is that an attacker can create spoofed cookies if they know the secret. Murdoch wanted to extend the concept such that even getting access to the secret, through a SQL injection or other web application flaw, would not feasibly allow an attacker to create a spoofed cookie. The result is hardened stateless session cookies [PDF][http://www.cl.cam.ac.uk/~sjm217/papers/protocols08cookies.pdf].
硬幣的另一面是,如果攻擊者知道密鑰,可以創(chuàng)建欺騙性的 cookies 。Murdoch 希望擴(kuò)展概念,使得通過 SQL 注入或其它 web 應(yīng)用漏洞訪問密鑰后,攻擊者也無法創(chuàng)建一個(gè)欺騙性的 cookie。結(jié)果就是強(qiáng)化的無狀態(tài)會(huì)話 cookies 。
The basic idea behind the scheme is to add an additional field to stateless session cookies that corresponds to an authenticator generated when an account is first set up. This authenticator is generated from the password at account creation by iteratively calculating the cryptographic hash of the password and a long salt value.
該方案背后的基本思路是,給無狀態(tài)會(huì)話 cookie 增加一個(gè)額外的字段,這個(gè)字段和賬戶首次設(shè)置時(shí)生成的一個(gè)`身份驗(yàn)證器`對(duì)應(yīng)。身份驗(yàn)證器由創(chuàng)建賬戶時(shí)的密碼生成,生成方法是,迭代計(jì)算密碼的加密哈希和一個(gè)長 salt 值。
Salt is a random string—usually just a few characters long—that is added to a password before it gets hashed, then stored with the password in the clear. It is used to eliminate the use of rainbow tables to crack passwords. Hardened stateless session cookies use a 128-bit salt value, then repeatedly calculate HASH(prev|salt), where prev is the password the first time through and the hash value from the previous calculation on each subsequent iteration.
Salt 是一個(gè)隨機(jī)字符串——通常只有幾個(gè)字符長——它在被計(jì)算哈希值前添加到密碼中,然后以明文形式和密碼一起存儲(chǔ)。它是用來杜絕使用彩虹表破解密碼的。`硬化`的無狀態(tài)會(huì)話 cookies 使用128位 salt 值,然后迭代計(jì)算 HASH(prev|salt) , 其中 prev 在第一次迭代時(shí)是密碼,在以后每次迭代中是上次計(jì)算的 hash 值。
The number of iterations is large, 256 for example, but not a secret. Once that value is calculated, it is hashed one last time, without the salt, and then stored in the user table as the authenticator. When the cookie value is created after a successful authentication, only the output of the iterative hash itself is placed in the cookie, not the authenticator that is stored in the database. Cookie verification then must do the standard stateless session cookie hash verification, to ensure that the values have not been manipulated, then hash the value in the cookie to verify against authenticator in the database.
迭代次數(shù)是個(gè)大的值,例如256,但這不是保密的。值被計(jì)算出來后,再不使用 salt 哈希一次,然后作為身份驗(yàn)證器存儲(chǔ)到用戶表中。當(dāng) cookie 通過一次成功認(rèn)證被創(chuàng)建后,只有輸出的迭代哈希值被保存在 cookie 中,而不保存數(shù)據(jù)庫中的身份驗(yàn)證器。Cookie 驗(yàn)證必須進(jìn)行標(biāo)準(zhǔn)的無狀態(tài)會(huì)話 cookie 哈希驗(yàn)證,來確保值沒有被修改過,然后哈希 cookie 中的值和數(shù)據(jù)庫中的身份驗(yàn)證器對(duì)比。
If it sounds complicated, it is; the performance of doing 256 hashes is also an issue, but it does protect against the secret key being lost. Because an attacker cannot calculate a valid authenticator value to put in the cookie (doing so would require breaking SHA-256), they cannot create their own spoofed cookies.
如果這聽起來很復(fù)雜,確實(shí);進(jìn)行256次哈希的性能也是一個(gè)問題,但它確實(shí)能避免密鑰丟失。因?yàn)楣粽邿o法計(jì)算一個(gè)有效的用戶驗(yàn)證器放進(jìn) cookie 中(這樣做需要突破 SHA-256),所以他們不能創(chuàng)建自己的欺騙 cookie 。
While it is not clear that the overhead of all of these hash calculations is warranted, it is an interesting extension to the stateless session cookie scheme. In his paper, Murdoch mentions some variations that could be used to further increase the security of the technique.
目前尚不清楚所有這些哈希計(jì)算的開銷是否有必要,這是一個(gè)擴(kuò)展無狀態(tài)會(huì)話 cookie 的有趣方案。在他的文章中,Murdoch 提到了一些可以進(jìn)一步提高該技術(shù)安全性的變化。
---
后面沒看明白。
無狀態(tài)會(huì)話 cookie 中的密鑰可能被攻擊者獲取,authenticator 為什么不能被攻擊者獲取?獲取這兩個(gè)東西的難度有區(qū)別么?
---
TODO
| hash salt
| 彩虹表