By 
The ever-present dance between online convenience and security continues. Up until recently, having more convenience would usually mean less security, and viceversa. Cookies, those seemingly innocent browser snacks, offer usually a smoother and safer login experience, but also represent a target for hackers who exploit them.
Google’s Device Bound Session Credentials (DBSC) aims to address this vulnerability within Chrome, adding a layer of cryptographic complexity designed to make cookie theft a thing of the past. We hope, at least.
Cookie Theft
The convenience of cookies is undeniable. They save you from constantly re-entering login details for a determined time. Sadly, this convenience comes with a security risk as malware designed to snatch cookies, will lead to account compromise, allowing hackers to even bypass multi-factor authentication (MFA).
The Solution: DBSC and Cryptographic Binding
Device Bound Session Credentials (DBSC) aims to spoil the fun for cookie thieves. In order to disrupt the effectiveness of cookie-based account hijacking, this is achieved by cryptographically binding the authentication cookies to the specific device where they were generated.
This process needs a unique key pair created and securely stored within the device’s Trusted Platform Module (TPM). The private key, serves as the only means to decrypt and use the authentication cookie. And, even if attackers acquire a stolen cookie, it remains useless without access to the private key that is locked within the original device.
And now, once would ask “what happens if someone will steal the original device”
I would say, “are you my nephew?”, and “will we soon enough go down the rabbit-hole and discuss about why the universe was ever created?”. Good questions nevertheless, but with cybersecurity, nothing is 100% proof, and multi-layered approach will work in the majority of large scale hijacking.
Deeper Dive: Public Key Cryptography
As previously mentioned, DBSC leverages the power of public-key cryptography (PKC) to secure authentication cookies within Chrome. Let’s break down how this works step by step, with a simplified Python code example:
1. Key Pair Generation
|
1 2 3 4 5 6 7 8 9 10 |
import cryptography.hazmat def generate_key_pair(): private_key = cryptography.hazmat.primitives.asymmetric.rsa.generate_private_key( public_exponent=65537, key_size=2048 ) public_key = private_key.public_key() return private_key, public_key |
- During login, your device calls a function similar to
generate_key_pair(). - It creates a private key and its corresponding public key, likely using the RSA algorithm (although others are possible).
- The private key is securely stored in the device’s TPM.
- The public key is shared with the website.
2. Cookie Encryption
|
1 2 3 4 5 6 7 8 9 |
def encrypt_cookie(cookie_data, public_key): cipher = cryptography.hazmat.primitives.asymmetric.padding.OAEP( mgf=cryptography.hazmat.primitives.hashes.MGF1( cryptography.hazmat.primitives.hashes.SHA256()), algorithm=cryptography.hazmat.primitives.hashes.SHA256(), label=None ) encryptor = public_key.encrypt(cookie_data, cipher) return encryptor |
- The cookie data is encrypted using a function like encrypt_cookie().
- The encryption process uses the public key and robust padding schemes like OAEP for enhanced security.
This is a simplified illustration, the actual DBSC implementation usually turns out more complex, depending on the authentication method and choice of cryptographic algorithms.