I saw an article this morning that Google is planning on exposing an API in Chrome to tie cookies to a user's machine via public key cryptography and the TPM.
I humbly submit what I think is a much simpler approach that _should_ work across all modern browsers and can be done today:
Secure Session Cookie Scheme Using JWT and Web Crypto API
1. Key Generation and Storage:
- Generate an ECDSA key pair using the Web Crypto API, set to 'unextractable'.
- Store the keys in IndexedDB for persistent and secure client-side storage.
2. Initial Authentication:
- The browser signs a message (a nonce or predetermined data) with the private key.
- Send the signed message and public key to the server.
3. Server-Side Verification and JWT Creation:
- Server verifies the signature with the public key.
- Upon verification, create a JWT embedding the browser’s public key.
4. JWT for Subsequent Requests:
- Browser signs the JWT with the private key for future requests.
- Server verifies request signatures using the public key in the JWT.
5. Session Security:
- Interception of JWT is not a threat without the corresponding private key.
- The 'unextractable' key property prevents direct theft from the browser.
6. Renewal and Expiration:
- Implement expiration for JWTs.
- Generate new key pairs for key rotation/renewal and repeat the initial authentication process.
This approach uses cryptographic signatures and JWTs for secure sessions, significantly reducing session hijacking risks by tying authenticated requests to the possession of a secure private key in the user's browser.
These are some libraries I built to help work with WebCrypto and IndexedDB. If you'd like to contribute to them, I'd love the help and extra sets of eyes!
https://github.com/JWally/EZindexDB
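Steps 1 to 4 of the scheme above as an added example (not code from the post or from the author's libraries), with the client and server roles run in one process. Assumptions: the token is an HS256 JWT carrying the public key in a `cnf.jwk` claim, the client signs the token together with a per-request id so a captured signature cannot be reused on another request, IndexedDB storage is left out, and all function names and sample values are hypothetical.

```javascript
// Added example; function names, the secret and the nonce are hypothetical/constructed.
const getSubtle = async () => // dynamic import is a fallback for older Node only
  (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;
const EC = { name: 'ECDSA', namedCurve: 'P-256' }, SIG = { name: 'ECDSA', hash: 'SHA-256' };
const HMAC = { name: 'HMAC', hash: 'SHA-256' };
const utf8 = (s) => new TextEncoder().encode(s);
const b64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
// Client, step 1: key pair whose private half cannot be exported (extractable = false).
async function newClientKeys() {
  const keys = await (await getSubtle()).generateKey(EC, false, ['sign', 'verify']);
  return { keys, jwk: await (await getSubtle()).exportKey('jwk', keys.publicKey) };
}
// Client, steps 2 and 4: sign the server nonce, later sign token + request id.
const clientSign = async (keys, msg) =>
  b64u(await (await getSubtle()).sign(SIG, keys.privateKey, utf8(msg)));
// Server, step 3: verify the nonce signature, then issue a JWT embedding the public key.
async function serverIssue(secret, nonce, jwk, sig) {
  const subtle = await getSubtle();
  const pub = await subtle.importKey('jwk', jwk, EC, true, ['verify']);
  if (!await subtle.verify(SIG, pub, unb64u(sig), utf8(nonce))) return null;
  const body = b64u(utf8(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))) + '.' +
    b64u(utf8(JSON.stringify({ exp: Math.floor(Date.now() / 1000) + 900, cnf: { jwk } })));
  const mac = await subtle.importKey('raw', utf8(secret), HMAC, false, ['sign']);
  return body + '.' + b64u(await subtle.sign('HMAC', mac, utf8(body)));
}
// Server, step 4: check the JWT's MAC and expiry, then the proof with the key inside it.
async function serverCheck(secret, token, reqId, proof) {
  const subtle = await getSubtle();
  const [h, p, s = ''] = token.split('.');
  const mac = await subtle.importKey('raw', utf8(secret), HMAC, false, ['verify']);
  if (!await subtle.verify('HMAC', mac, unb64u(s), utf8(h + '.' + p))) return false;
  const claims = JSON.parse(new TextDecoder().decode(unb64u(p)));
  if (claims.exp <= Date.now() / 1000) return false;
  const pub = await subtle.importKey('jwk', claims.cnf.jwk, EC, true, ['verify']);
  return subtle.verify(SIG, pub, unb64u(proof), utf8(token + '.' + reqId));
}
// Owner succeeds; a thief holding only the JWT fails; a proof reused on another request fails.
async function demo() {
  const secret = 'constructed-server-secret', nonce = 'constructed-nonce';
  const owner = await newClientKeys(), thief = await newClientKeys();
  const token = await serverIssue(secret, nonce, owner.jwk, await clientSign(owner.keys, nonce));
  const check = async (k, signedId, sentId) => serverCheck(secret, token, sentId,
    await clientSign(k.keys, token + '.' + signedId));
  return { owner: await check(owner, 'req-1', 'req-1'), thief: await check(thief, 'req-1', 'req-1'),
    replay: await check(owner, 'req-1', 'req-2'), extractable: owner.keys.privateKey.extractable };
}
```

In a deployment the nonce and request id would be issued and tracked by the server; here they are fixed strings so the three outcomes are reproducible.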