Random Cookie Protocol, a New Solution to Prevent Against Session Cookie Hijacking
Total Page:16
File Type:pdf, Size:1020Kb
Date of acceptance Grade Instructor Random Cookie protocol, a new solution to prevent against session cookie hijacking Qijia Zeng Helsinki May 4, 2016 UNIVERSITY OF HELSINKI Department of Computer Science HELSINGIN YLIOPISTO HELSINGFORS UNIVERSITET UNIVERSITY OF HELSINKI Tiedekunta Fakultet Faculty Laitos Institution Department Faculty of Science Department of Computer Science Tekijä Författare Author Qijia Zeng Työn nimi Arbetets titel Title Random Cookie protocol, a new solution to prevent against session cookie hijacking Oppiaine Läroämne Subject Computer Science Työn laji Arbetets art Level Aika Datum Month and year Sivumäärä Sidoantal Number of pages May 4, 2016 56 pages + 0 appendices Tiivistelmä Referat Abstract With the rapid development of information technology, the network is playing a more and more important role in our life and penetrate to every corner of our life, such as responsible for comput- ing and transacting in business industries, and make great contribution for social communication. However, at the same time, more and more network attacks appears and seriously endanger the security of network. Including the threads for wired network and wireless network. In this thesis, we rst talk about network security, including wired network security and wireless security, we discuss the current threads and attacks we face for the wired network and wireless network, then we introduced the current solution for these threads and attacks.At last,we demonstrate the whole process of session cookie hijacking by manually perform it.We proposed our solution which called random cookie protocol, and we did experiments to compare the performance with HTTP. ACM Computing Classication System (CCS): A.1 [Introductory and Survey], I.7.m [Document and text processing] Avainsanat Nyckelord Keywords layout, summary, list of references Säilytyspaikka Förvaringsställe Where deposited Muita tietoja övriga uppgifter Additional information ii Contents 1 Introduction 1 2 Network security 2 2.1 Wired network . 3 2.2 Wireless network . 4 2.3 Type of network attacks . 4 2.3.1 Eavesdropping . 5 2.3.2 Data Modication . 5 2.3.3 Identity Spoong . 5 2.3.4 Man in the Middle . 6 2.3.5 Denial-of-Service Attack . 6 3 Web session authentication 7 3.1 HTTP cookies . 7 3.2 Dierence between cookie and session . 8 3.3 Cookie mechanism . 9 3.4 The functions of Cookie . 10 3.5 Session mechanism . 11 3.6 The comparison between cookie and session . 11 3.7 The session hijacking thread . 12 4 Current solution for session hijacking 13 4.1 HTTPS . 14 4.2 URL . 17 4.3 HTTPS . 18 4.4 Secure communication . 19 4.4.1 Encryption key delivery . 20 4.4.2 Data encryption . 20 iii 4.5 HTTPS protect against hijacking . 21 4.5.1 Performance impact . 21 4.5.2 HTTPS limitations . 24 4.5.3 XSS(cross-site scripting) . 26 4.5.4 CSRF(cross-site request forgery) . 27 4.6 One-time cookies . 30 4.7 Sessonlock . 34 4.7.1 Session secret generation . 35 4.7.2 Session secret transmission . 36 4.7.3 Session authentication . 36 4.7.4 Rolling code . 38 4.8 VPN . 40 4.8.1 Pros and cons . 42 5 Random Cookie protocol 43 5.1 The demonstration of session cookie hijacking . 43 5.2 Desired goals . 46 5.3 Design . 48 5.4 Formal description . 49 5.5 Security analysis . 51 5.6 Experiments and results . 52 6 Conclusion 53 References 54 1 1 Introduction With the rapid development of information technology, the network is playing a more and more important role in our life and penetrate to every corner of our life, such as responsible for computing and transacting in business industries, and make great contribution for social communication. However, at the same time, more and more network attacks appears and seriously endanger the security of network. Including the threads for wired network and wireless network. Now the use of cookie for storing short and important data is reaching to a universal level, such as session id, by keeping the session id for the session in web browser, can help web server to keep the status for this session with web browser, thus can avoid users to input username and password for every access to web server. However, the traditional HTTP protocol does not provide any security service, and the session cookie is transmitted over network in a plain way, this may cause the risk of being stolen by network adversaries, and we call this attack as session cookie hijacking. Now, some solutions to prevent against session cookie hijacking has been proposed like HTTPS, sessonlock protocol, however, although these solutions can provide some security for session cookie, they have their shortcoming on other aspects, like for HTTPS, it provide authentication, integration and condentiality services, however, as it require expensive computing, lots of website just deploy it for the login page, and leave other pages under HTTP, and thus can give network adversaries chances to lunch network attacks. In order to prevent against session cookie hijacking, in this thesis, we proposed a protocol called random cookie protocol, this method by using hash algorithm to generate a unique session cookie for every communication, once the session cookie is veried by web server, a new session cookie will be generated for next time use, so even if the session cookie is stolen by network adversaries, we don't need to worry about that because the session cookie is expired when it is veried by web server and can not be reused any more. Based on the random cookie protocol, we conducted some experiments to analyze its performance compared with normal HTTP protocol, the result revealed that although the performance of random cookie protocol is less than HTTP protocol, however, the dierence of performance is slightly and can be acceptable, and we think the bonus of security guarantee is worth enough to oset the slight less performance. So the rest of the thesis is like the following: in section 2, we discussed the network security, including the wired network security and wireless network security. In 2 section 3, we discussed web session, and some related concepts include what is cookie and session, the principle of cookie and session, and the session cookie hijacking, next we introduced the current solution for session cookie hijacking in section 4, such as HTTPS, sessionlock, one-time cookie and VPN, and also talked about their pros and cons. Follow by section 5, we give the demonstration of session cookie hijacking, and we proposed a new solution called random cookie project for session cookie hijacking in section6. Finally in section 6, we conclude the whole thesis. 2 Network security Network plays a very critical role in our world. With the rapid development of information technology, network technology has become more and more sophisti- cated and has become an essential part of our modern life in this information era. It has penetrated into every corners of our life, and take responsibility for many important areas like conducting computations and transactions in business indus- tries, or communications in government operations. However, threads always have afterward nature, when network technology is increasingly matured and popular among people's life, some networks attacks has appeared and some network secu- rity incidents has occurred and caused huge loss to companies and consumers. For example, in 2014 a security vulnerability called OpenSSL has been detected. The cause of OpenSSL is due to the failure of checking the boundary value of user's input before using the input as parameters when call memcpy() function. This security vulnerability is severe and cause the leakage of network user accounts and other privacy of network users. An other serious network security incident is the leakage of eBay data. In May 22th 2014, eBay suddenly required almost 128 millions eBay active users to reset their passwords for their eBay accounts as hackers can obtain passwords, telephone numbers, home addresses or other privacy of eBay users from eBay website. Although later eBay claimed the database which has been hacked and the information leaked didn't contain nancial data such as credit card num- ber, and won't cause huge loss for users, however, the increasingly network security incidents has began to gain people's attentions, and network security is becoming a frequent research topic. Network security refer to some operations or measurements that designed to protect network, more specically, that is by some activities based on certain policy to ensure the reliability, condentiality, integrity and safety of net- work, and prevent or stop a variety of network threads from entering or spreading the network. With the shift of type of network from wired network to wireless net- 3 work, the type of network thread is changed and new network thread appears by the time pass, and the network security protection mechanism is also changed. In the below, we will talk about the hardwired network security and wireless network security, among these, we will focus on the wireless LAN and discuss the type of WLAN attack. 2.1 Wired network Figure 1: Wired Network By the shape of network, we can categorize network as wired network and wire- less network. Decades ago before the popular of wireless network, the traditional network is wired network. Dierent from wireless network, the wired network has its own physical shape, and each network components such as hosts or switches are connected by cables. From the Figure 1[Gun10] we can see that a wired network has its own physical scope, the desktop PC, printers and switches are connected by cables. at the entry of wired network with the Internet, a rewall is deployed 4 here to protect the wired network, so wired network is usually protected by re- walls.