Do - PowerPoint PPT Presentation

About This Presentation

Title:

Do

Description:

input type=hidden name=item3 value=25 Britney Spears CD $25 ... Fat Brain. Problem: Customer can determine the. authenticator for any other user ... – PowerPoint PPT presentation

Number of Views:97

Avg rating:3.0/5.0

Slides: 76

Provided by: CC280

Learn more at: https://www.cse.sc.edu

Category:

more less

Transcript and Presenter's Notes

Title: Do

1
Dos and Donts of Client Authentication on the
Web
Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster
MIT Laboratory for Computer Science
http//cookies.lcs.mit.edu
Presenters
Vaibhav Gowadia Cory Calmbacher
2
Goal

Identify common mistakes in web authentication
and recommend secure authentication protocol.

3
Outline

Security Objectives
Security Requirements
Limitations
Proposed Design
Case Studies
Evaluation

4
Security Objectives

Authentication
Confidentiality
Privacy

5
What requires authentication?

Clients want to ensure that only authorized
people can access and modify personal information
that they share with Web sites.
Web sites want to ensure that only authorized
users have access to the services and content it
provides.

6
What requires confidentiality?

Online Brokerages
Auction sites
Banks
Online merchants

7
What requires privacy?
8
Outline

Security Objectives
Security Requirements
Limitations
Proposed Design
Case Studies
Evaluation

9
Security Requirements

Secure Authentication
Granularity
Secure against attacks

10
Secure Authentication

Cryptography
Proper use of existing cryptographic tools
preferred over designing new scheme
Passwords
Primary means of authentication today
Authenticators
Tokens presented by client to gain access to
system

11
Use Cryptography Appropriately

Use the appropriate amount of security
Do not be inventive
Do not rely on the secrecy of a protocol
Understand the properties of cryptographic tools
Do not compose security schemes

12
Protect Passwords

Limit exposure of passwords
Prohibit guessable password
Reauthenticate before changing passwords

13
Handling of Authenticators

Make authenticators unforgeable
Protect authenticators that must be secret
Limit lifetime of authenticators
Bind authenticators to addresses
Avoid using persistent cookies

14
Granularity

Fine-grained
Useful if specific authorization or
accountability of user is required
Coarse-grained

15
Fine Grained
16
Happy Gilmore
17
CLICK
18
(No Transcript)
19
Granularity

Fine-grained
Useful if specific authorization or
accountability of user is required
Coarse-grained
Useful if partial user anonymity is desired

20
Coarse Grained
21
Attacks

Goal of adversary Break an authentication
scheme faster than by brute force
Types
Existential forgery
Forge authenticator for at least one user
Selective forgery
Forge authenticator for any chosen user
Replay attack
Total break
Recovery of secret key used to mint
authenticators

22
Adversaries

Interrogative Adversary
Can query a Web server, but not see traffic
Bases next query on previous query results
Eavesdropping Adversary
Can see traffic, but not modify
Active Adversary
Can see and modify all traffic

23
Outline

Security Objectives
Security Requirements
Limitations
Proposed Design
Case Studies
Evaluation

24
Security Model Limitations

Performance
Higher security implies lower performance
User Acceptability
Non-confrontational
Deployability
Use protocols and technologies commonly available

25
Deployability

Cannot rely on hardware token systems (such as
smart card readers)
Limit reliance on computation
ActiveX
Java
JavaScript
SSL
Cookies!

26
What are Cookies?

Text file stored on clients hard drive
Contains information about visitors to a website
(such as username and preferences)
Types
Persistent Cookies
Stored on computer indefinitely (unless user
deletes)
Ephemeral / Temporary Cookie
Stored in browsers memory and disappears when
user
closes browser

27
Outline

Security Objectives
Security Requirements
Limitations
Proposed Design
Case Studies
Evaluation

28
Web-based Authentication
29
Web-based Authentication
Is ltusername,passwordgt valid ?
Server
User
Login Procedure
30
Web-based Authentication
Is Authenticator valid ?
Server
User
Subsequent Requests
31
Features of Authenticator

Personalizable
Stateless verification
Server controls lifetime
Can refer to session info on server

32
Cookie Recipe

Ingredients
Expiration Time
Data (Optional Non-confidential info)
Procedure
expdatadigestMAC(exp data)

33
Note

This recipe does not require session identifiers,
i.e. state is O(1)
Maintaining session IDs is O(n)
Session identifiers requires synchronized,
duplicated data between servers

34
Cookie Example

domain .wsj.com
Path /cgi
SSL? FALSE
Expiration 941452067
Variable name fastlogin
Value bitdiddleMaRdw2J1h6Lfc

35
Cookie Validation

Authentication
Server recalculates MAC
Revocation mechanism
Not provided

36
Security Analysis

Forging Authenticator
Solution MAC
Cookie hijacking
Solution SSL
Brute force Key Search
Solution Key rotation

37
Outline

Security Objectives
Security Requirements
Limitations
Proposed Design
Case Studies
Evaluation

38
Case Studies
Vulnerability Website
No cryptography www.highschoolalumni.com
Trusting user input www.instant-shop.com
Leaking secrets www.sprintpcs.com
Predictable SNs www.fatbrain.com
Misuse of cryptography www.wsj.com
39
High School Alumni
40
High School Alumni
41
High School Alumni

Problem No cryptographic authentication
Adversary Interrogative
Break Universal forgery
Today Sold to another reunion site

42
Instant Shop
43
Instant Shop Whats Inside

ltform actioncommit sale.cgigt
ltinput typehidden nameitem1 value10gt Batteries
10
ltinput typehidden nameitem2 value99gt Biology
textbook 99
ltinput typehidden nameitem3 value25gt Britney
Spears CD 25
ltinput typesubmitgt Confirm purchase
lt/formgt

44
Instant Shop Whats Inside

ltform actioncommit sale.cgigt
ltinput typehidden nameitem1 value0gt Batteries
10
ltinput typehidden nameitem2 value0gt Biology
textbook 99
ltinput typehidden nameitem3 value0gt Britney
Spears CD 25
ltinput typesubmitgt Confirm purchase
lt/formgt

45
Instant Shop

Problem Server trusts users not to modify HTML
variables
Adversary Interrogative
Today Out of business

46
Sprint PCS
47
Sprint PCS
48
Sprint PCS

Problem Secure content can leak through
plaintext channels
Adversary Eavesdropper
Break Replay

49
Fat Brain
50
Fat Brain
51
Fat Brain

Starthttps//www.fatbrain.com/HelpAccount.asp?
t0p1fubob_at_mit.edup2540555758
Try https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555757
Target https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752

52
Fat Brain

Starthttps//www.fatbrain.com/HelpAccount.asp?
t0p1fubob_at_mit.edup2540555758
Try https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555756
Target https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752

53
Fat Brain

Starthttps//www.fatbrain.com/HelpAccount.asp?
t0p1fubob_at_mit.edup2540555758
Try https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555755
Target https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752

54
Fat Brain

Starthttps//www.fatbrain.com/HelpAccount.asp?
t0p1fubob_at_mit.edup2540555758
Try https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555754
Target https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752

55
Fat Brain

Starthttps//www.fatbrain.com/HelpAccount.asp?
t0p1fubob_at_mit.edup2540555758
Try https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555753
Target https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752

56
Fat Brain

Starthttps//www.fatbrain.com/HelpAccount.asp?
t0p1fubob_at_mit.edup2540555758
Try https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752
Target https//www.fatbrain.com/HelpAccount.asp?
t0p1nobob_at_mit.edup2540555752

57
Fat Brain

Problem Customer can determine the
authenticator for any other user
Adversary Interrogative
Break Selective forgery

58
Wall Street Journal
59
Wall Street Journal (WSJ)

Design cookie user, MACk(user)

Reality
cookie user UNIX-crypt (user
server secret)

60
Wall Street Journal (WSJ)

Problems
Usernames matching first 8 characters have same
authenticator
No expiration
Adversary
Interrogative
Break
Universal forgery

61
Obtaining server secret (WSJ)

Chosen message attack
Runs in max 128x8 queries rather than
intended 1288 queries.

62
How attack works

Secret guess username crypt input worked?
bitdiddl
bitdiddl

63
How attack works

Secret guess username crypt input worked?
bitdiddl
bitdiddl
A bitdidd bitdiddA

64
How attack works

Secret guess username crypt input worked?
bitdiddl
bitdiddl
B bitdidd bitdiddB

65
How attack works

Secret guess username crypt input worked?
bitdiddl
bitdiddl
C bitdidd bitdiddC

66
How attack works

Secret guess username crypt input worked?
bitdiddl
bitdiddl
D bitdidd bitdiddD

67
How attack works

Secret guess username crypt input
worked?
bitdiddl
bitdiddl
D bitdidd bitdiddD
U bitdid bitdidDU
D bitdi
bitdiDUD
E bitd
bitdDUDE
0 bit
bitDUDE0
0 bi
biDUDE00
7 B
bDUDE007

68
Outline

Security Objectives
Security Requirements
Limitations
Proposed Design
Case Studies
Evaluation

69
Performance Evaluation
Crypt HMAC-SHA1
Input 8 bytes 2 byte salt 27 bytes 20 byte key
Avg. Time 8.08 ?sec 41.4 ?sec
Requests 5000 Amount of data retrieved 400
bytes
70
Performance Evaluation
1493
Connections/ second
11
71
Comparison