Simple Authentication for the Web


Simple Authentication for the Web
Tim van der Horst and Kent Seamons
Internet Security Research Lab, Brigham Young University
SecureComm 2007 (Nice, France)
http://isrl.cs.byu.edu

Introduction
- Users have too many passwords
  - Encourages password reuse
  - Leads to forgotten passwords
  - Burdens users and administrators
- Potential alternatives
  - Password managers: generally lack portability; account-specific management
  - Indirect authentication: increased overhead and complexity; requires a specialized identity provider (PKI-based solutions, Liberty, Shibboleth, OpenID, etc.)

Goals
- Make authentication more convenient, while at least maintaining the current level of security
- Remove the need for site-specific passwords
- Simple for users to understand and use
- Easy for administrators to deploy and manage

Background
- Email-Based Password Reestablishment (EBPR)
  - Many sites use email to reset passwords
  - Secondary means to authenticate users
  - Efficient and cost-effective
  - Risks are manageable
- SAW's approach
  - Remove site-specific passwords
  - Improve the security and convenience of EBPR

How SAW Works (diagram: User, Web Site, User's Email Provider)
- Step 1: The user submits her email address ("I'm Alice")
- Step 2: If her address is authorized, a random secret is generated and split into two shares (one returned directly to the user, one sent by email)
- Step 3: The user returns both tokens
  - Manually: by clicking a link in the email
  - Automatically: using the SAW toolbar
- Tokens are short-lived and single-use

Sample email shown on the slide:
  From: SAW_TokenGenerator@securecomm.org
  To: student@some.edu
  Subject: [SAW-https://securecomm.org/login] ATemail=2fe32...
  Click on the link below ONLY if you recently initiated a request to log in to https://securecomm.org/login:
  https://securecomm.org/login?ATemail=2fe322492847eb5dea...

Alternatives to Email & Automation
- SAW can leverage other personal messaging mediums
  - Instant messaging
  - Text messaging
  - Paging messaging
  - Hybrid (e.g., email + IM)
- Automation: the SAW toolbar
- The original token can be split into n tokens; require m of n tokens to be returned

Login timings reported on the slide:
  Account          Time to check for messages   Total login time using email   Total login time using IM
  Gmail account    2.5s                         4s                             <1s
  Private account  1s                           1.5s                           n/a
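The two slides above describe the protocol mechanics (a random secret split into shares, returned by the user, short-lived and single-use) and its generalization to m-of-n shares. The following is an added example illustrating that server-side logic; it is not code from the slides or from the SAW authors. It assumes Shamir secret sharing over GF(p) with a 127-bit Mersenne prime as the splitting scheme (the slides only say "split into shares"), stores only a SHA-256 digest of the pending secret, keeps pending logins in memory, and takes the current time as an explicit argument so expiry is easy to exercise. Share index 0 stands for the token returned directly over HTTPS; the remaining shares stand for the tokens delivered through email, IM or other channels.

```python
import hashlib
import hmac
import secrets

# Field for the threshold split. Using Shamir sharing over GF(PRIME) is an
# assumption made for this example; the SAW slides do not specify a scheme.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Split `secret` into n shares (x, y) such that any m of them reconstruct it."""
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME); needs at least m shares."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def _digest(secret):
    # PRIME < 2**128, so every secret fits in 16 bytes.
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


class SawServer:
    """Server side of a SAW login (hypothetical implementation for this example)."""

    def __init__(self, authorized_emails, ttl_seconds=300, m=2, n=2):
        self.authorized = set(authorized_emails)
        self.ttl = ttl_seconds
        self.m, self.n = m, n
        # email -> (sha256 of the secret, expiry time). Only a digest is kept,
        # so a compromised server holds nothing that can be replayed as a login.
        self.pending = {}

    def begin_login(self, email, now):
        """Steps 1 and 2: the user claims an address; if authorized, issue n shares.

        Returns the shares, or None if the address is not authorized. The caller
        sends shares[0] back in the HTTPS response and delivers the rest through
        the user's messaging channels (email, IM, ...).
        """
        if email not in self.authorized:
            return None
        secret = secrets.randbelow(PRIME)
        self.pending[email] = (_digest(secret), now + self.ttl)
        return split_secret(secret, self.m, self.n)

    def finish_login(self, email, shares, now):
        """Step 3: the user returns her shares. True only if at least m shares
        recombine to the pending secret, it has not expired, and it is unused."""
        entry = self.pending.get(email)
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:          # short-lived: discard a stale secret
            del self.pending[email]
            return False
        if len(shares) < self.m:      # fewer than m shares reveal nothing about it
            return False
        candidate = recover_secret(shares[: self.m])
        if not hmac.compare_digest(_digest(candidate), digest):
            return False
        del self.pending[email]       # single-use: the first valid submission wins
        return True
```

With the default m = n = 2 this is the two-token flow of the "How SAW Works" slide: an eavesdropper who sees only the emailed share learns nothing about the secret, and once the legitimate user has completed step 3 the same shares are rejected. Raising n and keeping m below n gives the hybrid variant, where shares sent over different channels (email plus IM, for instance) must be collected from at least m of them.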

Threats
- Passive eavesdropping
  - An attacker must obtain both tokens AND submit them before the user does
  - If HTTPS is used on the login page, the token sent directly to the user cannot be passively observed
- Password phishing
  - The only user information disclosed in a login is their email address
  - SAW does not prevent users from divulging other sensitive information to a phishing site
- Compromised server
  - No user passwords to steal

Active Impersonation Attack (diagram: Attacker, Web Site, Victim's Email Provider)
- Step 1: Attacker submits the victim's email address ("I'm Alice")
- Step 2: Server actions remain the same; the attacker eavesdrops on the emailed token
- Step 3: Attacker submits both tokens to log in as the victim
- Manageable risk
  - Sites that employ EBPR are also susceptible to a similar attack
  - Prolific adoption of EBPR indicates that this is an acceptable risk
  - The hybrid approach can be used to increase the difficulty of an active impersonation attack

Advanced Features
- Sharing and collaboration
- Client-based delegation
- Client-side auditing

Sharing and Collaboration
- Specify the users that can have access
- Email addresses are cross-domain, unique identifiers
- Use SAW to allow users to prove ownership of their identifiers

Sample .htaccess file using Basic authentication:
  AuthType Basic
  AuthName "PrivateRealm"
  AuthUserFile c:\basic
  Require user timv respectablebusinessman seamons

Sample .htaccess file using SAW:
  AuthType EBAC
  AuthName "PrivateRealm"
  Require user timv@cs.byu.edu 801-422-7893 kentseamons@gmail.com

Client-Based Delegation
- Allow clients to delegate access (authorized impersonation)
  - Without sharing passwords
  - Without modifying the service provider
- Accomplished through email forwarding rules
  - Provides an up-to-date list of delegations
  - Facilitates revocation

Client-Based Delegation Example (diagram: Web Site X, Bob's Email Provider, Alice's Email Provider)
- Bob delegates access to Alice: a rule at Bob's email provider forwards tokens from Web Site X to Alice
- Step 1: Alice submits Bob's email address ("I'm Bob")
- Step 2: Server actions remain the same; Bob's email provider forwards the token to Alice
- Step 3: Alice submits both tokens

Types of Client-Based Delegation
- Complete: all tokens are forwarded; ideal for combining multiple user accounts
- Selective: only tokens from site X are forwarded to user Y; the delegator chooses whether to forward an attempt to change the primary email registered at a site
- One-time: a subset of selective delegation; instead of creating a forwarding rule, the delegator obtains valid authentication tokens and gives them to the delegate

Client-Side Auditing
- Provide the ability for the client to audit all authentication attempts without modifying the service provider
  - Not possible in password-based approaches
  - Available to SAW because all authentication attempts must pass through the user's email account
- Available even when authority has been delegated: retain a copy of the forwarded messages

Summary of Benefits
- Convenient
  - No site-specific passwords
  - Easy, secure sharing and collaboration
  - Easily automated
  - Web single sign-on
  - No modification to email providers
  - Unilateral deployment by web sites
- Secure
  - Thwarts all passive attacks
  - Raises the bar for active attackers
  - Removes the domino effect of password reuse
  - Reduces the attack surface for password phishing

Learn more about SAW
Internet Security Research Lab: http://isrl.cs.byu.edu