LiteSession
Create Session Tokens that are Resilient to Misuse and Hijacking
This library is inspired by the research paper A Secure Cookie Protocol by Liu et al., which advocates for tokens that do not need to be stored in a database and are also resistant to a whole class of attacks on session tokens, including volume attacks, the Denning-Sacco attack and stealing session tokens.
LiteSession is a token generator for secure tokens that can be used in HTTP authentication headers, in cookies, in place of JSON Web Tokens, in IoT and anywhere else secure tokens are needed for communication between clients and servers. It provides Keyed-Hash Message Authentication tokens with associated client data in either encrypted (default settings) or unencrypted form.
The symmetric encryption used is ChaCha8, which is good enough; refer to the paper Too Much Crypto by Jean-Philippe Aumasson, which shows that the encryption scheme is accurate while still yielding about 2.5 times the speed of its increased-round ChaCha20 option. ChaCha8 is also lightweight and fast even without hardware acceleration, allowing it to be used even on devices with low CPU and RAM resources.
The algorithm is as follows:
identifier | issued | expiry | (data)k | nonce | ConfidentialityMode | Blake3HMAC( identifier | issued | expiration | data | session key, k)
where `k = Blake3HMAC(identifier | issued | expiry | ConfidentialityMode, sk)`
The security designs used for HMAC and encryption are:
- TAI64N - handles issued time down to the nanosecond without the need to handle leap seconds and timezones.
- ChaCha8 - handles symmetric encryption of the data to prevent it from being read by a party other than the server that issued the token.
- Blake3 - a crazy fast non-cryptographic hashing algorithm used in keyed-mode to act as the Keyed-Hash Message Authentication Code
- Nanorand - used as a cryptographically secure random number generator (CSPRNG) with ChaCha mode enabled
- Secrecy - used to hold the keys or token in memory to prevent them from being logged by logging tools, cloning and being moved around.
The steps to generate the token:
- Generate a random `identifier`
- Generate an `issued` time and `expiry` time with nanosecond accuracy
- Generate the encryption key to encrypt the data portion of the token using the algorithm `k = Blake3HMAC(identifier | issued | expiry | ConfidentialityMode, sk)`
  - Create an empty string `encryption_key`
  - Append `identifier` to `encryption_key`
  - Append `issued` to `encryption_key`
  - Append `expiry` to `encryption_key`
  - Append `ConfidentialityMode` to `encryption_key`
  - Perform an HMAC function on the `encryption_key` using Blake3 in keyed mode and the `server_key` as the key
  - Return the result of the Blake3 operation above in hex or as a string
- Encrypt the data using ChaCha8 encryption using the Blake3Hash above as the encryption key
- Return the encrypted data and `nonce`
- Perform a Blake3Hmac on `identifier | issued | expiry | (data)k | nonce | ConfidentialityMode`
- Generate the token:
  - Create an empty string called `token`
  - Append `identifier` to `token`
  - Append `issued` to `token`
  - Append `expiry` to `token`
  - Append `encrypted data` to `token`
  - Append `nonce` to `token`
  - Append `ConfidentialityMode` to `token`
  - Append `Blake3Hmac` to `token`
  - Return the token as a string or hex
  - The token generated is in the format `identifier⊕issued⊕expiry⊕ciphertext⊕nonce⊕confidentiality⊕hmac`
Verifying the token takes the following steps:
- Check if the token structure is valid
- Destructure the token into its component fields
- Compare the `expiry` to the server's current time and return `SessionExpired` as the `TokenOutcome` if the token has expired
- Compute the encryption key as follows: `k = HMAC(identifier | issued | expiry | ConfidentialityMode, sk)`
- Decrypt the encrypted data using `k`.
- Compute `Blake3HMAC(identifier | issued | expiry | ciphertext | nonce | ConfidentialityMode | session key, k)`
- Return `TokenOutcome::TokenAuthetic` if the token matches or `TokenOutcome::TokenRejected` if the token does not match

NOTES:
- The Blake3 algorithm is used in keyed mode, where the key is 32 bytes/256 bits in length
- The ChaCha8 algorithm takes a 32 byte/256 bit key and a 12 byte/96 bit nonce
- International Atomic Time (TAI) is used for nanosecond accuracy and to avoid dealing with leap seconds and timezones
- Using the session key prevents volume and Denning-Sacco attacks
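
The generation and verification steps above, as an added Python example that is not LiteSession's own code. It assumes the unencrypted ConfidentialityMode (so the ChaCha8 step is skipped and the nonce is carried unused), uses BLAKE2b keyed hashing from the standard library in place of Blake3, plain nanosecond integers in place of TAI64N, and a length-prefixed field encoding inside the MAC; the function names and the `unencrypted` mode label are hypothetical.

```python
import hashlib
import hmac
import os

SEP = "\u2295"  # the "⊕" field separator from the token format above

def keyed_hash(key: bytes, *fields: str) -> bytes:
    # Assumption: BLAKE2b keyed mode stands in for Blake3 keyed mode.
    h = hashlib.blake2b(key=key, digest_size=32)
    for field in fields:
        raw = field.encode()
        h.update(len(raw).to_bytes(4, "big") + raw)  # length prefix fixes field boundaries
    return h.digest()

def token_key(sk, identifier, issued, expiry, mode) -> bytes:
    # k = MAC(identifier | issued | expiry | ConfidentialityMode, sk)
    return keyed_hash(sk, identifier, issued, expiry, mode)

def issue(sk: bytes, session_key: str, data: str, now_ns: int, ttl_ns: int) -> str:
    identifier, nonce = os.urandom(16).hex(), os.urandom(12).hex()
    issued, expiry = str(now_ns), str(now_ns + ttl_ns)
    mode = "unencrypted"  # hypothetical mode label: data travels in the clear
    k = token_key(sk, identifier, issued, expiry, mode)
    tag = keyed_hash(k, identifier, issued, expiry, data, nonce, mode, session_key)
    return SEP.join([identifier, issued, expiry, data, nonce, mode, tag.hex()])

def verify(sk: bytes, session_key: str, token: str, now_ns: int) -> str:
    parts = token.split(SEP)
    if len(parts) != 7 or not (parts[2].isascii() and parts[2].isdigit()):
        return "TokenRejected"  # malformed structure
    identifier, issued, expiry, data, nonce, mode, tag_hex = parts
    if now_ns >= int(expiry):
        return "SessionExpired"
    # k is rebuilt from the token's own header fields, so nothing is stored per session.
    k = token_key(sk, identifier, issued, expiry, mode)
    expected = keyed_hash(k, identifier, issued, expiry, data, nonce, mode, session_key)
    # Constant-time comparison avoids leaking how many tag bytes matched.
    ok = hmac.compare_digest(expected.hex().encode(), tag_hex.encode())
    return "TokenAuthetic" if ok else "TokenRejected"
```

Extending the expiry changes `k` and swapping the data changes the MAC input, so in both cases the tag no longer verifies. Presenting the same token under a different session key fails the same way.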