I saw an article this morning that Google is planning on exposing an API in Chrome to tie cookies to a user's machine via public key cryptography and the TPM.
I humbly submit what I think is a much simpler approach that _should_ work across all modern browsers and can be done today:
Secure Session Cookie Scheme Using JWT and Web Crypto API
1. Key Generation and Storage:
- Generate an ECDSA key pair using the Web Crypto API, set to 'unextractable'.
- Store the keys in IndexedDB for persistent and secure client-side storage.
2. Initial Authentication:
- The browser signs a message (a nonce or predetermined data) with the private key.
- Send the signed message and public key to the server.
3. Server-Side Verification and JWT Creation:
- Server verifies the signature with the public key.
- Upon verification, create a JWT embedding the browser’s public key.
4. JWT for Subsequent Requests:
- Browser signs the JWT with the private key for future requests.
- Server verifies request signatures using the public key in the JWT.
5. Session Security:
- Interception of JWT is not a threat without the corresponding private key.
- The 'unextractable' key property prevents direct theft from the browser.
6. Renewal and Expiration:
- Implement expiration for JWTs.
- Generate new key pairs for key rotation/renewal and repeat the initial authentication process.
This approach uses cryptographic signatures and JWTs for secure sessions, significantly reducing session hijacking risks by tying authenticated requests to the possession of a secure private key in the user's browser.

These are some libraries I built to help work with WebCrypto and IndexedDB. If you'd like to contribute to them, I'd love the help and extra sets of eyes!
https://github.com/JWally/EZindexDB
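The six steps above run end to end with the Web Crypto API, as an added example that is not the post author's code or part of the linked library. Assumptions: the function names are hypothetical, the server issues an HS256 JWT carrying the public key in a `cnf.jwk` claim, the per-request signature covers the JWT plus a timestamp so a captured signature goes stale, and IndexedDB storage is left as a comment so the block also runs outside a browser.

```javascript
// Added example: client and server roles run in one process; function names are hypothetical.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // browsers expose globalThis.crypto
const subtle = wc.subtle, enc = new TextEncoder();
const EC = { name: "ECDSA", namedCurve: "P-256" }, SIG = { name: "ECDSA", hash: "SHA-256" };
const b64u = (b) => btoa(String.fromCharCode(...new Uint8Array(b)))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const unb64u = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));

// Step 3: HS256 JWT whose cnf.jwk claim (RFC 7800) carries the browser's public key.
async function issueJwt(hmacKey, jwk, ttlSec) {
  const claims = { cnf: { jwk }, exp: Math.floor(Date.now() / 1000) + ttlSec };
  const body = [{ alg: "HS256", typ: "JWT" }, claims]
    .map((o) => b64u(enc.encode(JSON.stringify(o)))).join(".");
  return body + "." + b64u(await subtle.sign("HMAC", hmacKey, enc.encode(body)));
}

// Steps 2-3: verify the signed nonce with the presented public key, then issue the JWT.
async function login(hmacKey, jwk, nonce, sig) {
  const pub = await subtle.importKey("jwk", jwk, EC, false, ["verify"]);
  if (!(await subtle.verify(SIG, pub, sig, nonce))) throw new Error("proof of possession failed");
  return issueJwt(hmacKey, jwk, 300);
}

// Step 4: check JWT integrity, expiry and freshness, then the request signature.
async function verifyRequest(hmacKey, jwt, ts, sig) {
  const [h, p, s] = jwt.split(".");
  if (!(await subtle.verify("HMAC", hmacKey, unb64u(s), enc.encode(h + "." + p)))) return false;
  const claims = JSON.parse(new TextDecoder().decode(unb64u(p)));
  if (claims.exp * 1000 < Date.now() || Math.abs(Date.now() - ts) > 30000) return false;
  const pub = await subtle.importKey("jwk", claims.cnf.jwk, EC, false, ["verify"]);
  return subtle.verify(SIG, pub, sig, enc.encode(jwt + "." + ts));
}

// Legitimate browser versus an attacker who holds only the intercepted JWT.
async function demo() {
  const hmacKey = await subtle.generateKey({ name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);
  // Step 1: extractable = false. In a browser the pair would then be stored in IndexedDB.
  const client = await subtle.generateKey(EC, false, ["sign", "verify"]);
  const jwk = await subtle.exportKey("jwk", client.publicKey); // public half is always exportable
  const nonce = wc.getRandomValues(new Uint8Array(16)); // constructed; server-issued in practice
  const jwt = await login(hmacKey, jwk, nonce, await subtle.sign(SIG, client.privateKey, nonce));
  const ts = Date.now(), msg = enc.encode(jwt + "." + ts);
  const legit = await verifyRequest(hmacKey, jwt, ts, await subtle.sign(SIG, client.privateKey, msg));
  const other = await subtle.generateKey(EC, false, ["sign", "verify"]);
  const stolen = await verifyRequest(hmacKey, jwt, ts, await subtle.sign(SIG, other.privateKey, msg));
  const exportBlocked = await subtle.exportKey("pkcs8", client.privateKey).then(() => false, () => true);
  return { legit, stolen, exportBlocked };
}
```

`demo()` resolves to the outcome for the legitimate client, for a second key pair reusing the same JWT, and for an attempt to export the private key. Script running in the page's origin can still call `sign` with a non-extractable key, so the binding covers token theft, not script injection.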