session-continuation-spec.lyx

#LyX 2.0 created this file. For more info see http://www.lyx.org/
\lyxformat 413
\begin_document
\begin_header
\textclass docbook
\use_default_options true
\maintain_unincluded_children false
\begin_local_layout
Format 31

InsetLayout Flex:PI_Strict
    LyXType Custom
    HTMLTag div
    LabelString PI_Strict
End

InsetLayout Flex:PI
    LyXType Custom
    HTMLTag div
    LabelString PI
End

InsetLayout Flex:PI_SymRefs
    LyXType Custom
    HTMLTag div
    LabelString PI_SymRefs
End

InsetLayout Flex:PI_SortRefs
    LyXType Custom
    HTMLTag div
    LabelString PI_SortRefs
End

InsetLayout Flex:PI_TOC
    LyXType Custom
    HTMLTag div
    LabelString PI_TOC
End

InsetLayout Flex:PI_TOCIndent
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCIndent
End

InsetLayout Flex:PI_TOCDepth
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCDepth
End

InsetLayout Flex:PI_TOCNarrow
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCNarrow
End

InsetLayout Flex:PI_TOCCompact
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCCompact
End

InsetLayout Flex:PI_TOCAppendix
    LyXType Custom
    HTMLTag div
    LabelString PI_TOCAppendix
End

InsetLayout Flex:DocName
    LyXType Custom
    HTMLTag div
    LabelString DocName
End

InsetLayout Flex:IntendedStatus
    LyXType Custom
    HTMLTag div
    LabelString IntendedStatus
End

InsetLayout Flex:RFCNumber
    LyXType Custom
    HTMLTag div
    LabelString RFCNumber
End

InsetLayout Flex:IPR
    LyXType Custom
    HTMLTag div
    LabelString IPR
End

InsetLayout Flex:IETFArea
    LyXType Custom
    HTMLTag div
    LabelString IETFArea
End

InsetLayout Flex:IETFWorkingGroup
    LyXType Custom
    HTMLTag div
    LabelString IETFWorkingGroup
End

InsetLayout Flex:XML2RFCKeyword
    LyXType Custom
    HTMLTag div
    LabelString XML2RFCKeyword
End

InsetLayout Flex:TitleAbbrev
    LyXType Custom
    HTMLTag div
    LabelString TitleAbbrev
End

InsetLayout Flex:AuthorRole
    LyXType Custom
    HTMLTag div
    LabelString AuthRole
End

InsetLayout Flex:AuthorInitials
    LyXType Custom
    HTMLTag div
    LabelString AuthInitials
End

InsetLayout Flex:AuthorSurname
    LyXType Custom
    HTMLTag div
    LabelString AuthSurname
End

InsetLayout Flex:AuthorOrg
    LyXType Custom
    HTMLTag div
    LabelString AuthOrg
End

InsetLayout Flex:AuthorOrgAbbrev
    LyXType Custom
    HTMLTag div
    LabelString AuthOrgAbbrev
End

InsetLayout Flex:AuthorEmailAddr
    LyXType Custom
    HTMLTag div
    LabelString AuthEmailAddr
End

InsetLayout Flex:AuthorAddrStreet
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrStreet
End

InsetLayout Flex:AuthorAddrCity
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrCity
End

InsetLayout Flex:AuthorAddrRegion
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrRegion
End

InsetLayout Flex:AuthorAddrCode
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrCode
End

InsetLayout Flex:AuthorAddrCountry
    LyXType Custom
    HTMLTag div
    LabelString AuthAddrCountry
End

InsetLayout Flex:EntityXRef
    LyXType Custom
    HTMLTag div
    LabelString EntityXRef
End

InsetLayout Flex:BibXML
    LyXType Custom
    HTMLTag div
    LabelString BibXML
End

InsetLayout Flex:EmbeddedBibXML
    LyXType Custom
    HTMLTag div
    LabelString EmbeddedBibXML
End
\end_local_layout
\language english
\language_package default
\inputencoding auto
\fontencoding global
\font_roman cmr
\font_sans cmss
\font_typewriter cmtt
\font_default_family ttdefault
\use_non_tex_fonts false
\font_sc false
\font_osf false
\font_sf_scale 100
\font_tt_scale 100

\graphics default
\default_output_format default
\output_sync 0
\bibtex_command default
\index_command default
\paperfontsize default
\spacing single
\use_hyperref false
\papersize default
\use_geometry false
\use_amsmath 1
\use_esint 1
\use_mhchem 1
\use_mathdots 1
\cite_engine basic
\use_bibtopic false
\use_indices false
\paperorientation portrait
\suppress_date false
\use_refstyle 0
\index Index
\shortcut idx
\color #008000
\end_index
\secnumdepth 3
\tocdepth 3
\paragraph_separation indent
\paragraph_indentation default
\quotes_language english
\papercolumns 1
\papersides 1
\paperpagestyle default
\tracking_changes false
\output_changes false
\html_math_output 0
\html_css_as_file 0
\html_be_strict false
\end_header

\begin_body

\begin_layout Title
Hypertext Transport Protocol (HTTP) Session Continuation Protocol
\end_layout

\begin_layout Standard
\begin_inset Flex DocName
status open

\begin_layout Plain Layout
draft-williams-websec-session-continue-proto-00
\end_layout

\end_inset


\begin_inset Flex IPR
status open

\begin_layout Plain Layout
trust200902
\end_layout

\end_inset


\begin_inset Flex IntendedStatus
status open

\begin_layout Plain Layout
std
\end_layout

\end_inset


\begin_inset Flex TitleAbbrev
status open

\begin_layout Plain Layout
HTTP Session Problem
\end_layout

\end_inset


\begin_inset Flex IETFArea
status open

\begin_layout Plain Layout
Security Area
\end_layout

\end_inset


\begin_inset Flex XML2RFCKeyword
status open

\begin_layout Plain Layout
Internet-Draft
\end_layout

\end_inset


\begin_inset Flex PI
status open

\begin_layout Plain Layout
tocindent="no"
\end_layout

\end_inset


\begin_inset Flex PI
status open

\begin_layout Plain Layout
comments="yes"
\end_layout

\end_inset


\begin_inset Flex PI
status open

\begin_layout Plain Layout
inline="yes"
\end_layout

\end_inset


\end_layout

\begin_layout Author
Nicolas Williams
\begin_inset Flex AuthorOrg
status open

\begin_layout Plain Layout
Cryptonector, LLC
\end_layout

\end_inset


\begin_inset Flex AuthorOrgAbbrev
status open

\begin_layout Plain Layout
Cryptonector
\end_layout

\end_inset


\begin_inset Flex AuthorEmailAddr
status open

\begin_layout Plain Layout
nico@cryptonector.com
\end_layout

\end_inset


\end_layout

\begin_layout Abstract
One of the most often talked about problems in web security is 
\begin_inset Quotes eld
\end_inset

cookies
\begin_inset Quotes erd
\end_inset

.
 Web cookies are a method of associating requests with 
\begin_inset Quotes eld
\end_inset

sessions
\begin_inset Quotes erd
\end_inset

 that may have been authenticated somehow.
 Cookies are a form of bearer token that leave much to be desired.
 This document proposes a session 
\begin_inset Quotes eld
\end_inset

continuation
\begin_inset Quotes erd
\end_inset

 protocol for HyperText Transport Protocol (HTTP).
\end_layout

\begin_layout Standard
\begin_inset CommandInset toc
LatexCommand tableofcontents

\end_inset


\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Introduction"

\end_inset

Introduction
\end_layout

\begin_layout Standard
The motivation for this protocol is described in 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
I-D.williams-websec-session-continue-prob
\end_layout

\end_inset

.
\end_layout

\begin_layout Standard
We define a protocol for cryptographic 
\begin_inset Quotes eld
\end_inset

session continuation
\begin_inset Quotes erd
\end_inset

 for HyperText Transport Protocol (HTTP) 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
RFC2616
\end_layout

\end_inset

.
 Session continuation is the act of binding an HTTP request to a 
\begin_inset Quotes eld
\end_inset

session
\begin_inset Quotes erd
\end_inset

.
 A 
\begin_inset Quotes eld
\end_inset

session
\begin_inset Quotes erd
\end_inset

 consists of all the HTTP requests by a given user (possibly an authenticated
 user, or possibly an anonymous user).
 This protocol is a cryptographic protocol that aims to meet all the requirement
s given in 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
I-D.williams-websec-session-continue-prob
\end_layout

\end_inset

.
\end_layout

\begin_layout Standard
The protocol consists of:
\end_layout

\begin_layout Itemize
a request header carrying a keyed Message Authentication Code (MAC) that
 proves possession of a shared session key (shared between the user and
 the server);
\end_layout

\begin_layout Itemize
a response header advertising a default session scope to clients;
\end_layout

\begin_layout Itemize
a session identification in the form of a URI;
\end_layout

\begin_layout Itemize
an optional facility for server-side statelessness by storing state on the
 client-side, encrypted in a secret key known to the server;
\end_layout

\begin_layout Itemize
a request header for requesting the establishment of a session;
\end_layout

\begin_layout Itemize
a response header for indicating the establishment of a session, and including
 a session URI and any optional state to be repeated by the client.
\end_layout

\begin_layout Subsection
Conventions used in this document
\end_layout

\begin_layout Standard
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
 "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are
 to be interpreted as described in 
\begin_inset Flex EntityXRef
status open

\begin_layout Plain Layout
RFC2119
\end_layout

\end_inset

.
\end_layout

\begin_layout Section
Session Keying
\end_layout

\begin_layout Standard
There are two methods for keying an HTTP session:
\end_layout

\begin_layout Itemize
session keys are output by HTTP authentication;
\end_layout

\begin_layout Itemize
or session keys are asserted by the client or the server;
\end_layout

\begin_layout Standard
For the key assertion method TLS with confidentiality protection is clearly
 REQUIRED for security.
 We've considered the possibility of using Diffie-Hellman key agreement
 or RSA key transport, but as that would duplicate functionality that is
 in TLS we consider that out of scope for the time being.
\end_layout

\begin_layout Standard
In either case a single session key is produced, and that is the only key
 utilized.
 Having a single key helps reduce session state size and protocol complexity,
 but we must (and do) distinguish key usage by prefixing a purpose indicator
 to the MAC input.
\end_layout

\begin_layout Standard
When keys are output by HTTP authentication there may be a key length mismatch.
 In this case a Key Derivation Function (KDF) 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
RFC5869
\end_layout

\end_inset

 is applied to generate the session key.
\end_layout

\begin_layout RevisionRemark
We could also use the TLS extractor to generate keys, but that would be
 an unnecessary complication and would provide very little additional value.
 Channel binding is achieved per-RFCs 5056 and 5929.
\end_layout

\begin_layout RevisionRemark
Should we have distinct session keys for request and response MACs? Probably,
 but it increases state size.
 Better to add a direction indicator to the MAC plaintext.
\end_layout

\begin_layout Subsection
Mixing HTTP and HTTPS
\end_layout

\begin_layout Standard
We expect that many sites will continue to mix HTTP and HTTPS for various
 reasons.
 To make this possible the MAC input will include a marker indicating HTTP
 or HTTPS.
\end_layout

\begin_layout Subsection
Authenticated Session Keying
\end_layout

\begin_layout Standard
When an HTTP client uses HTTP authentication, and the authentication mechanism
 used can establish a session key, then the client SHOULD request session
 initiation using a shared session key output by the HTTP authentication
 mechanism.
 The client MUST send the session initiation header concurrently with the
 last HTTP authentication message.
\end_layout

\begin_layout Subsubsection
HTTP/Negotiate Session Keying
\end_layout

\begin_layout RevisionRemark
Write text explaining how to use the GSS PRF to exchange keys when using
 HTTP/Negotiate
\end_layout

\begin_layout Subsubsection
Digest
\end_layout

\begin_layout RevisionRemark
Digest could output a session key.
 Do we want to bother? (Basic certainly can't, or we'd not want it to anyways.)
\end_layout

\begin_layout Subsection
Unauthenticated Session Keying
\end_layout

\begin_layout Standard
Sessions for unauthenticated users may appear to make little sense at first.
 This is useful, for example, and just as web cookies are, for tracking
 
\begin_inset Quotes eld
\end_inset

shopping carts
\begin_inset Quotes erd
\end_inset

 when a user is window shopping, so to speak.
\end_layout

\begin_layout Standard
For unauthenticated session initiation the client merely requests the creation
 of a session with an asserted session key, for lack of a better choice.
\end_layout

\begin_layout Section
Session Initiation
\end_layout

\begin_layout Standard
Sessions are always initiated by the client by including a Session-Init
 header in the client's request carrying the client's proposal for a session.
\end_layout

\begin_layout Standard
Servers that support sessions will respond by creating a session and returning
 a session ID URI.
\end_layout

\begin_layout Standard
The Session-Init proposal header's value consists of a comma-separated list
 of proposal parameters:
\end_layout

\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open

\begin_layout Plain Layout
\begin_inset listings
inline false
status open

\begin_layout Plain Layout

   session-param = token "=" ( token | quoted-string )
\end_layout

\begin_layout Plain Layout

   Session-Init = 1#session-param
\end_layout

\end_inset


\end_layout

\begin_layout Plain Layout
\begin_inset Caption

\begin_layout Plain Layout
Session-Init request header
\end_layout

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
The following session parameters are defined:
\end_layout

\begin_layout Description
Key-Method The type of keying: 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

 (key will be output by HTTP authentication), 
\begin_inset Quotes eld
\end_inset

c-assert
\begin_inset Quotes erd
\end_inset

 (key is asserted in this Session-Init) or 
\begin_inset Quotes eld
\end_inset

s-assert
\begin_inset Quotes erd
\end_inset

 (the server is expected to assert a key).
 In the 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

 case the Session-Init MUST also carry a nonce and a MAC.
 This session-param MUST be present.
\end_layout

\begin_layout Description
Key The key that the client asserts, if the client asserts a key (Key-Method=c-a
ssert).
 This may also be included when Key-Method is 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

 in case the server's implementation of HTTP authentication does not output
 a key, but only when using HTTPS.
\end_layout

\begin_layout Description
Key-Length The length of the master session key, as a count of key bits,
 in base-10.
 The value MUST NOT be less than 96 or larger than 256.
 If absent the key length SHALL be 128 bits.
\end_layout

\begin_layout Description
MAC-Algs The MAC algorithms supported by the client.
 This document defines only 
\begin_inset Quotes eld
\end_inset

HMAC-SHA-1
\begin_inset Quotes erd
\end_inset

 (HMAC with SHA-1), 
\begin_inset Quotes eld
\end_inset

HMAC-SHA-1-96
\begin_inset Quotes erd
\end_inset

 (HMAC with SHA-1 and truncation to 96 bits), 
\begin_inset Quotes eld
\end_inset

HMAC-SHA256
\begin_inset Quotes erd
\end_inset

 (HMAC with SHA256), and 
\begin_inset Quotes eld
\end_inset

HMAC-SHA256-128
\begin_inset Quotes erd
\end_inset

 (HMAC with SHA256 and truncation to 128 bits).
 All of these use HMAC 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
RFC2104
\end_layout

\end_inset

.
 Clients and servers MUST support HMAC-SHA-1-96 and HMAC-SHA256-128.
 If absent the default value is 
\begin_inset Quotes eld
\end_inset

HMAC-SHA256-128
\begin_inset Quotes erd
\end_inset

.
\end_layout

\begin_layout Description
KDF-Algs A list of KDF algorithms.
 This is needed only when Key-Method is 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

.
 The following are specified here: 
\begin_inset Quotes eld
\end_inset

HKDF-SHA-1
\begin_inset Quotes erd
\end_inset

 (HKDF 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
RFC5869
\end_layout

\end_inset

 with SHA-1) and 
\begin_inset Quotes eld
\end_inset

HKDF-SHA256
\begin_inset Quotes erd
\end_inset

 (HKDF with SHA256).
 Clients and servers MUST support HKDF-SHA256.
 If absent and Key-Method is 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

 then the default value is HKDF-SHA256.
\end_layout

\begin_layout Description
Channel-Binding-Types A comma-separated list of channel binding 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
RFC5056
\end_layout

\end_inset

 types.
 Clients and servers MUST support 'tls-server-end-point' 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
RFC5929
\end_layout

\end_inset

 when using HTTPS.
 (Note the need to use quoted-string when the list has more than one item.)
 If absent the default is 'tls-server-end-point'.
\end_layout

\begin_layout Description
Nonce A 128-bit nonce, base64-encoded.
 This session-param MUST be present.
\end_layout

\begin_layout Description
Previous-Session-URI The URI of a previous session.
 See 
\begin_inset CommandInset ref
LatexCommand ref
reference "sec:Unauthenticated-to-Authenticated"

\end_inset

.
\end_layout

\begin_layout Description
Previous-Session-State The session state for the previous session, if any.
 See 
\begin_inset CommandInset ref
LatexCommand ref
reference "sec:Unauthenticated-to-Authenticated"

\end_inset

.
\end_layout

\begin_layout Description
Unprotected-Allowed If present the value MUST be 
\begin_inset Quotes eld
\end_inset

true
\begin_inset Quotes erd
\end_inset

, and indicates that HTTP and HTTPS are both allowed for this session.
 Otherwise only HTTPS is allowed for this session.
\end_layout

\begin_layout Standard
The server responds with a Session-Assign header:
\end_layout

\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open

\begin_layout Plain Layout
\begin_inset listings
inline false
status open

\begin_layout Plain Layout

   session-params = 1#session-param
\end_layout

\begin_layout Plain Layout

   Session-Init-Value = <the value of the Session-Init header>
\end_layout

\begin_layout Plain Layout

   MAC-input = Session-Init-Value "," session-params
\end_layout

\begin_layout Plain Layout

   MAC = <base64-encoding of MAC taken over the MAC-input>
\end_layout

\begin_layout Plain Layout

   Session-Assign = session-params ["," MAC]
\end_layout

\end_inset


\end_layout

\begin_layout Plain Layout
\begin_inset Caption

\begin_layout Plain Layout
Session-Assign response header
\end_layout

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
The MAC is OPTIONAL when using HTTPS, REQUIRED otherwise.
\end_layout

\begin_layout Standard
The session-params for Session-Assign are:
\end_layout

\begin_layout Description
Key-Method If the client requested 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

 as the key method but the server's implementation of HTTP authentication
 could not output a key then this session-param MUST be present with a value
 of 
\begin_inset Quotes eld
\end_inset

c-assert
\begin_inset Quotes erd
\end_inset

 (if the client included a Key in its Session-Init) or 
\begin_inset Quotes eld
\end_inset

s-assert
\begin_inset Quotes erd
\end_inset

 (otherwise).
\end_layout

\begin_layout Description
Key The server-asserted key, if the client requested a server-asserted key.
\end_layout

\begin_layout Description
MAC-Alg The name of the MAC algorithm selected by the server from the client's
 proposal (REQUIRED).
\end_layout

\begin_layout Description
KDF-Alg The selected KDF algorithm (when the client's selected Key-Method
 is 
\begin_inset Quotes eld
\end_inset

auth
\begin_inset Quotes erd
\end_inset

).
\end_layout

\begin_layout Description
URI The URI of the session (REQUIRED).
\end_layout

\begin_layout Description
State Server-side state to be stored on the client (OPTIONAL).
 Note that servers MAY choose to store server-side state in cookies instead.
\end_layout

\begin_layout Description
Previous-Session Indicates whether the previous session was recognized and
 accepted (
\begin_inset Quotes eld
\end_inset

accepted
\begin_inset Quotes erd
\end_inset

), rejected (
\begin_inset Quotes eld
\end_inset

rejected
\begin_inset Quotes erd
\end_inset

), or unknown (
\begin_inset Quotes eld
\end_inset

unknown
\begin_inset Quotes erd
\end_inset

).
 This session-param MUST be present when the client's Session-Init had a
 Previous-Session-URI session-param.
\end_layout

\begin_layout Description
Host-Scope A DNS domainname (in A-label form) that the session can be used
 with.
 Multiple Scope parameters are allowed.
 If the domainname starts with a '.' then the session may be used with all
 server hosts whose domainnames are sub-domains of the given Host-Scope
 domainname.
 The server's fully-qualified hostname is always part of the session's host
 scope.
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Session-Scope:-Sharing"

\end_inset

Session Scope: Sharing Sessions Across Servers
\end_layout

\begin_layout Standard
A service might be composed of multiple related servers, each with a different
 hostname.
 As a result the service may require a client to use the same session across
 the service's component servers.
 We provide a mechanism by which the server may indicate a set of such servers
 to the client: the Host-Scope session-param in the server's Session-Assign
 response header.
\end_layout

\begin_layout Standard
[XXX We need a way to constrain this for privacy protection reasons.
 It's not yet clear how the client can judge which Host-Scope paramters
 to accept or ignore, only that must be allowed to do so.]
\end_layout

\begin_layout Standard
To facilitate interoperable session sharing across heterogeneous server
 implementations we define a session resource -named by its session URI-
 that can be obtained with a properly-authenticated GET by authorized entities.
 The session resource's representation is a application/json document type,
 containing a JSON-serialized associative array with the following REQUIRED
 keys:
\end_layout

\begin_layout Description
Master-Key The session's master key, base64-encoded.
\end_layout

\begin_layout Description
MAC-Alg The MAC algorithm for this session.
\end_layout

\begin_layout RevisionRemark
We probably want each server to see a different master key, in which case
 we probably want to use a KDF with the server's hostname as part of the
 salt.
\end_layout

\begin_layout RevisionRemark
We probably want to define some OPTIONAL keys for this object, such as 
\begin_inset Quotes eld
\end_inset

User
\begin_inset Quotes erd
\end_inset

, 
\begin_inset Quotes eld
\end_inset

User-URI
\begin_inset Quotes erd
\end_inset

, 
\begin_inset Quotes eld
\end_inset

HTTP-Auth-Scheme-Used
\begin_inset Quotes erd
\end_inset

, 
\begin_inset Quotes eld
\end_inset

HTTP-Auth-Scheme-<param>
\begin_inset Quotes erd
\end_inset

, and so on, as well as an application-specific namespace of keys (e.g., 
\begin_inset Quotes eld
\end_inset

App-<appname>
\begin_inset Quotes erd
\end_inset

 or 
\begin_inset Quotes eld
\end_inset

<URN>
\begin_inset Quotes erd
\end_inset

).
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Unauthenticated-to-Authenticated"

\end_inset

Unauthenticated to Authenticated Session Upgrade
\end_layout

\begin_layout Standard
A client might first establish an unauthenticated session then authenticate
 the user later.
 When authentication is done the client might wish to preserve any state
 associated with the preceding unauthenticated session.
 The client does this by sending a Session-Init at authentication time with
 a 'Previous-Session-URI' session-param and, if there was server-assigned
 session state, a 'Previous-Session-State' session-param.
\end_layout

\begin_layout Section
Session Continuation
\end_layout

\begin_layout Standard
Once a session is established the client binds requests to sessions as described
 here.
\end_layout

\begin_layout Standard
There are two cases: HTTPS and HTTP.
 In both cases the client adds a header
\end_layout

\begin_layout Standard
For the HTTPS case the client adds a 
\begin_inset Quotes eld
\end_inset

Session
\begin_inset Quotes erd
\end_inset

 header to its requests with the following content: the session identifier
 assigned by the server, a nonce generated by the client, and a MAC of the
 nonce and the TLS channel bindings.
\end_layout

\begin_layout Standard
The value of the Session header consists of a base64-encoded 128-bit nonce
 and a MAC, using the session's MAC algorithm, of the nonce and the channel
 binding, each base64-encoded then concatenated in that order:
\end_layout

\begin_layout Standard
\begin_inset Float figure
wide false
sideways false
status open

\begin_layout Plain Layout
\begin_inset listings
inline false
status open

\begin_layout Plain Layout

   CB = <base64-encoding of the channel bindings>
\end_layout

\begin_layout Plain Layout

   nonce = <base64-encoded 128-bit nonce>
\end_layout

\begin_layout Plain Layout

   new-state = ...
\end_layout

\begin_layout Plain Layout

   direction = "c2s" | "s2c"
\end_layout

\begin_layout Plain Layout

   prot-state = "protected" | "unprotected"
\end_layout

\begin_layout Plain Layout

   response-status = "" | "Invalid-MAC" |
\end_layout

\begin_layout Plain Layout

                     | "Session-expired" "Session-unknown"
\end_layout

\begin_layout Plain Layout

   MAC-input = direction "," prot-state "," nonce
\end_layout

\begin_layout Plain Layout

               "," CB "," status "," [new-state]
\end_layout

\begin_layout Plain Layout

   MAC = <base64encoded MAC taken over MAC-input>
\end_layout

\begin_layout Plain Layout

   Session = nonce "," response-status "," [new-state] "," MAC
\end_layout

\end_inset


\end_layout

\begin_layout Plain Layout
\begin_inset Caption

\begin_layout Plain Layout
Session header
\end_layout

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
Where the response must carry a Session header, the form of the value is
 the same as for requests.
\end_layout

\begin_layout Standard
The MAC is taken over a direction indicator, an indicator of whether TLS
 is used, the nonce, the channel bindings, and so on, as shown in Figure
 3.
 Only the server may assert new session state, and only the server indicates
 a response-status other than 
\begin_inset Quotes eld
\end_inset


\begin_inset Quotes erd
\end_inset

 (empty string).
\end_layout

\begin_layout Subsection
Session Validation and Error Handling
\end_layout

\begin_layout Standard
The receiver computes the same MAC using the sender's nonce (and new-state,
 if present, when the receiver is the client) and compares the resulting
 MAC to the MAC from the Session header.
\end_layout

\begin_layout Standard
If MAC validation of a request fails then the server MUST respond with a
 403 status code with a non-empty response-status int he Session-header.
 Error responses MUST include a Session header.
 If 403 response's Session header indicates 
\begin_inset Quotes eld
\end_inset

Invalid-MAC
\begin_inset Quotes erd
\end_inset

 then if the client had used HTTPS then the client SHOULD warn the user,
 otherwise the client SHOULD retry.
 If the 403 response's Session header indicates 
\begin_inset Quotes eld
\end_inset

Session-expired
\begin_inset Quotes erd
\end_inset

 then the client SHOULD renew the session (see 
\begin_inset CommandInset ref
LatexCommand ref
reference "sub:Session-Expiration-and"

\end_inset

).
 Otherwise the client must assume that the old session has been destroyed
 (e.g., because of a logout or server state data loss) and may establish a
 new session.
\end_layout

\begin_layout Standard
If MAC validation of a response fails the the client MUST act as though
 a 400 (bad request) had been sent instead.
 If the request was idempotent the client SHOULD retry, otherwise recovery
 is not specified.
\end_layout

\begin_layout Subsection
\begin_inset CommandInset label
LatexCommand label
name "sub:Session-Expiration-and"

\end_inset

Session Expiration and Renewal
\end_layout

\begin_layout Standard
If the server decides that a session is no longer valid then the server
 should respond with a 401 status code.
 The client should then re-authenticate or establish a new unauthenticated
 session, using the Previous-Session-URI and Previous-Session-State session-para
ms of the new Session-Init to indicate that the old session is being 
\begin_inset Quotes eld
\end_inset

renewed
\begin_inset Quotes erd
\end_inset

.
\end_layout

\begin_layout Subsection
Alternative: Define Session Scheme for WWW-Authenticate
\end_layout

\begin_layout Standard
One possibility that has some appeal would be to define a new HTTP authenticatio
n scheme called 
\begin_inset Quotes eld
\end_inset

Session
\begin_inset Quotes erd
\end_inset

 (say) and use that instead of the 
\begin_inset Quotes eld
\end_inset

Session
\begin_inset Quotes erd
\end_inset

 header defined above.
 The primary advantage to the WWW-Authenticate approach is that it fits
 the existing HTTP authentication framework, allowing a server to present
 to an application the user authentication information embedded in the session
 state as if the user were re-authenticated in each request.
 Session continuation can then be seen as a form of fast re-authentication.
\end_layout

\begin_layout Section
Logout
\end_layout

\begin_layout Standard
To logout the client SHOULD perform a DELETE of the session URI.
\end_layout

\begin_layout Section
Inquiring Session Status
\end_layout

\begin_layout Standard
The client MAY do a GET of the session URI.
 The semantics of the response body for this are not specified here.
 As explained in 
\begin_inset CommandInset ref
LatexCommand ref
reference "sec:Session-Scope:-Sharing"

\end_inset

, servers also may GET a session URI; see 
\begin_inset CommandInset ref
LatexCommand ref
reference "sec:Session-Scope:-Sharing"

\end_inset

 for more details.
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Analysis"

\end_inset

Analysis
\end_layout

\begin_layout Standard
Quite clearly this protocol meets requirements 1, 2, 3, 5, and 11 from 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
I-D.williams-websec-session-continue-prob
\end_layout

\end_inset

.
\end_layout

\begin_layout Standard
The security requirements are also met:
\end_layout

\begin_layout Description
requirement
\begin_inset space ~
\end_inset

4 The active cookie recovery attacks on TLS we consider are adaptive chosen
 plaintext attacks.
 These attacks depend on the cookies sent by the client being the same in
 every request.
 This protocol uses MAC of at least channel bindings data (which doesn't
 change for any one connection) salted (so to speak) with a nonce.
 This use of nonces causes the MAC sent to be different for each request,
 which defeats the known cookie recovery attacks on TLS.
 Note that we assume confidentiality protection from TLS; clients MUST NOT
 negotiate cipher suites that provide no confidentiality protection.
\end_layout

\begin_layout Description
requirement
\begin_inset space ~
\end_inset

6 This is clearly met by the use of a MAC keyed with a session key not available
 to attackers.
 This clearly depends on implementations having decent entropy sources,
 but this is no different than for TLS.
 Note, however, that insecure session initiation with key assertion is clearly
 insecure relative to passive attackers, as well as active attackers that
 can redirect packet flows so they can observe session initiation.
\end_layout

\begin_layout Description
requirement_7 This is clearly met by prefixing an indicator of whether TLS
 is used or not to the MAC input.
\end_layout

\begin_layout Description
requirement_8 The use of channel bindings as an input to the MAC meets this
 requirement.
\end_layout

\begin_layout Description
requirement_9 This requirement is clearly met by having DELETE of a session
 URI terminate a session.
 It is important that clients promptly destroy any remnant of deleted sessions'
 state so that servers get no benefit from not deleting sessions when the
 clients demand it.
\end_layout

\begin_layout Description
requirement_10 This is clearly met by using headers that proxies should
 pass unmodified.
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:IANA-Considerations"

\end_inset

IANA Considerations
\end_layout

\begin_layout Standard
This document creates a number of new HTTP request and response headers.
 These headers will need to be added to the HTTP header registry: <TBD>.
\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Security-Considerations"

\end_inset

Security Considerations
\end_layout

\begin_layout Standard
This session continuation protocol appears to meet the requirements outlined
 in 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
I-D.williams-websec-session-continue-prob
\end_layout

\end_inset

.
 [XXX Add analysis.
 In particular explain how MAC(CB + nonce) is sufficient to defeat BEAST
 and CRIME.]
\end_layout

\begin_layout Standard
This proposal meets security requirements from the problem statement 
\begin_inset Flex EntityXRef
status collapsed

\begin_layout Plain Layout
I-D.williams-websec-session-continue-prob
\end_layout

\end_inset

.
 See 
\begin_inset CommandInset ref
LatexCommand ref
reference "sec:Analysis"

\end_inset

 for details.
\end_layout

\begin_layout Standard
[...]
\end_layout

\begin_layout Section
Normative References
\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status collapsed

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc2119"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex EmbeddedBibXML
status collapsed

\begin_layout Plain Layout
<reference anchor='I-D.williams-websec-session-continue-prob'> <front> <title>Hyp
ertext Transport Protocol (HTTP) Session Continuation: Problem Statement</title>
 <author initials='N.' surname='Williams' fullname='Nicolas Williams'> <organizat
ion /> </author> <date month='January' day='1' year='2013' /> <abstract><t>Abstr
act One of the most often talked about problems in web security is “cookies”.
 Web cookies are a method of associating requests with “sessions” that may
 have been authenticated somehow.
 Cookies are a form of bearer token that leave much to be desired.
 This document describes the session “continuation” problem for the HyperText
 Transport Protocol (HTTP).</t></abstract> </front> <seriesInfo name='Internet-Dr
aft' value='draft-williams-websec-session-continue-prob-00' /> <format type='TXT
' target='http://www.ietf.org/internet-drafts/draft-draft-williams-websec-session-
continue-prob-00.txt' /> </reference> 
\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc2104"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2104.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc2616"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2616.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc5246"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc5056"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5056.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc5929"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5929.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc5869"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5869.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Section
\begin_inset CommandInset label
LatexCommand label
name "sec:Normative-References"

\end_inset

Informative References
\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc2617"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2617.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "rfc5849"
target "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5849.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "I-D.ietf-oauth-v2"
target "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-oauth-v2.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\begin_layout Standard
\begin_inset Flex BibXML
status open

\begin_layout Plain Layout
\begin_inset CommandInset href
LatexCommand href
name "I-D.hallambaker-httpintegrity"
target "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.hallambaker-httpintegrity.xml"

\end_inset


\end_layout

\end_inset


\end_layout

\end_body
\end_document