Full metadata record
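| DC Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | 鍾凱任 | en_US |
| dc.contributor.author | Chung, Kai-Jen | en_US |
| dc.contributor.author | 謝續平 | en_US |
| dc.contributor.author | Shieh, Shiuh-Pyng | en_US |
| dc.date.accessioned | 2014-12-12T01:59:11Z | - |
| dc.date.available | 2014-12-12T01:59:11Z | - |
| dc.date.issued | 2011 | en_US |
| dc.identifier.uri | http://140.113.39.130/cdrfb3/record/nctu/#GT079955520 | en_US |
| dc.identifier.uri | http://hdl.handle.net/11536/50436 | - |
| dc.description.abstract | Cookies are now a widely adopted mechanism for authentication and session management on many websites. Under the current standard, this mechanism does not provide complete integrity protection, leaving cookies exposed to two attacks: session fixation and cookie eviction. Both attacks arise because a network attacker can hide in a subdomain of a trusted website, which breaks the trust relationship between the subdomain and the main domain and creates a security weakness. This thesis proposes an approach based on a trusted domain verification mechanism that lets the browser verify requests to modify cookies and block unauthorized changes. The website administrator classifies each domain of the site as trusted or untrusted and stores this information under each domain; when the browser receives a request to change a cookie, it can use this information to verify whether the requesting domain is an authorized one. Unlike other related work, this thesis prevents session fixation and cookie eviction attacks without breaking existing functionality. The performance overhead and effectiveness of the proposed approach are also evaluated at the end of the thesis, and the results show that the mechanism does not impose an excessive performance burden. | zh_TW |
| dc.description.abstract | HTTP Cookie is a well-known mechanism for the storage of session and authentication information. However, the current cookie standard does not provide robust integrity protection. Session fixation and cookie eviction are two famous attacks based on the lack of integrity protection for cookies. With the cookie sharing technique, attackers at untrusted subdomains of a trusted web site can launch these attacks. This paper proposes a trusted domain verification scheme to equip browsers with the ability to identify unauthorized modifications of authentication cookies. Since web administrators can divide domains in a web site into trusted domains and untrusted domains respectively, browsers can block unauthorized accesses with this information. In contrast to the conventional schemes which can only detect attacks or restrict cookie sharing, trusted domain verification can prevent both session fixation and cookie eviction attacks without breaking the functionality of cookie sharing. The effectiveness and overhead of the proposed scheme are also evaluated. | en_US |
| dc.language.iso | en_US | en_US |
| dc.subject | Cookie | zh_TW |
| dc.subject | Session fixation attack | zh_TW |
| dc.subject | Cookie eviction attack | zh_TW |
| dc.subject | Cookie | en_US |
| dc.subject | Session fixation | en_US |
| dc.subject | Cookie eviction | en_US |
| dc.title | A Cookie Modification Protection Mechanism Based on Trusted Domain Verification | zh_TW |
| dc.title | Protecting Cookies from Unauthorized Modification by Trusted Domain Verification | en_US |
| dc.type | Thesis | en_US |
| dc.contributor.department | Institute of Computer Science and Engineering | zh_TW |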
Appears in Collections: Thesis