[Cryptography] Better than passwords and cookies

Paul Hoffman paul.hoffman at vpnc.org
Mon Mar 17 18:17:29 EDT 2014

On Mar 17, 2014, at 2:00 PM, Nico Williams <nico at cryptonector.com> wrote:

> On Mon, Mar 17, 2014 at 9:56 AM, Jerry Leichter <leichter at lrw.com> wrote:
>> On Mar 17, 2014, at 8:43 AM, Thierry Moreau <thierry.moreau at connotech.com> wrote:
>>>> Am I missing something obvious here?
>>> Maybe you merely (re-)invented the HTML cookie holding the client private key.
>> An HTML cookie isn't bound to the end-to-end connection context.  A MITM simply passes it through.  The signed information I'm suggesting the client send *is* bound to that context, and isn't subject to this trivial vulnerability.
> https://www.usenix.org/system/files/conference/usenixsecurity12/sec12-final162.pdf
> http://tools.ietf.org/html/draft-balfanz-tls-channelid-01
> http://tools.ietf.org/html/draft-balfanz-tls-obc-01
> http://www.ietf.org/proceedings/82/slides/tls-1.pdf
> ...
> The idea is: you generate an ephemeral client keypair (and cert) for
> every "origin" and you use it to "authenticate" the client in TLS, the
> server then binds that public key into the web cookies it sets when
> you login (with a typical username&password form, or whatever else),
> and then every time you use the same cookies the server verifies that
> the TLS user credentials you used match what's bound into the cookies.
> This provides protection against cookie theft/compromise.

The OBC work kind of died, but we have many of the ideas in

More information about the cryptography mailing list