BetterAuth: Web Authentication Revisited. Martin Johns, Sebastian Lekies, Bastian Braun, Benjamin Flesch. In ACSAC 2012. Presentation 2013/01/08, A.C. ADL.


Outline
- Introduction
- BetterAuth Protocol Design
- Implementation
- Evaluation
- Conclusion

Web Authentication Process
1. Initial authentication: the user provides an ID and password, and the browser sends them to the server in an HTTP request.
2. Authentication tracking: HTTP cookies are used to maintain the authenticated state across all subsequent requests.

REVISIT DOCUMENTED CLASSES OF WEB ATTACKS

Network-Based Issues
- SSL stripping [ref]
- Several CAs' internal systems have been compromised; fraudulently issued certificates undermine the trust that TLS places in the CA system, so a valid-looking certificate alone does not prove the server's identity

Other Issues
Cookie-based authentication tracking:
- Session hijacking through cookie theft
- Session fixation
- Cross-site request forgery (CSRF)
- Clickjacking
Phishing:
- No straightforward technical solution as long as the password itself is still sent over the wire

Current State Exposes Numerous Security Shortcomings
- Existing countermeasures have to be introduced explicitly and are realized at different positions and abstraction levels within the application architecture (e.g., TLS for the transport, cookie attributes for tracking, anti-CSRF tokens in the application itself)
- The basic interaction pattern is still susceptible to phishing: the current scheme requires sending the password to the server as part of every login

PROTOCOL DESIGN

High-level Overview
Two steps, implemented as subprotocols:
- Initial mutual authentication protocol: the browser and the server jointly generate a per-session shared secret that is used for all further authentication tracking
- Authentication tracking scheme: every further request from the browser to the server is signed with the freshly generated shared secret, provided the request satisfies certain criteria

Sending the Password over the Wire is Dangerous
PAKE (Password-Authenticated Key Exchange): a protocol that allows two parties who share knowledge of a password to mutually authenticate each other and establish a shared key, without the password ever being transmitted. An eavesdropper learns nothing from the exchange that enables an offline dictionary attack, and an active attacker can test only one password guess per protocol run.

Adopted PAKE Protocol
- The paper adopts draft-oiwa-http-mutualauth-10 (the draft was later published as RFC 8120, Mutual Authentication Protocol for HTTP, Experimental)
- At the time (2013) under active standardization by the IETF
- Designed as an extension to the HTTP protocol
Three main steps:
1. Initial handshake
2. Key exchange
3. Mutual authentication

PAKE Workflow (figure: HTTP communication shown alongside the cryptographic values)
Legend:
- SPK: server-side partial key
- BPK: browser/client-side partial key
- SSK: Diffie-Hellman key generated from SPK and BPK; this is the per-session shared secret

Authentication Tracking
- Ensures both the authenticity and the integrity of the received requests
- The SSK serves as the basis for authentication tracking
- Realized with keyed hashing for message authentication (HMAC) [RFC 2104]
- All further requests must carry a correct HMAC tag (the slides call it a "signature"; it is a MAC keyed with the SSK, not a public-key signature) to be recognized as authenticated

HMAC Workflow (figure: sender and receiver sharing the SSK)
- For GET requests, the URL in a normalized form and selected request headers are covered by the MAC
- The receiver recomputes the MAC over the same normalized data and compares it with the attached value

Context-Dependent Authentication
In-application authentication tracking:
- BetterAuth only signs outgoing requests if the request's origin is already in an authenticated state with the server
- This alone is too inflexible to cater to all existing usage patterns of the Web, hence the notion of a public interface

Public Interfaces
- A public interface is a URL to which external sites are allowed to navigate in an authenticated state (e.g., the endpoint for posting to a social sharing site)
- A Web application's public interfaces are communicated to the browser during the initial key exchange

Which Requests to Sign
1. Test
- Does the target URL point to a valid domain, i.e., can a valid SSK_app key be found in the key storage?
- Is the request entitled to be signed? Either the request was generated in the origin of the authenticated application, or the target of the request is contained in the public interfaces
2. Action
- Normalize the request data
- Create an HMAC over it using SSK_app
- Attach the resulting request signature to the request in an Authorization header

IMPLEMENTATION
- Native implementation
- JavaScript implementation

Native Implementation
Firefox extension:
- Hooks itself as an observer into the browser's rendering process
- Intercepts the BetterAuth-enabled form (marked with the custom attribute data-purpose="betterauth") to initialize authentication
- Signs the outgoing request if the request origin is valid

JavaScript Implementation
Replaces native navigation operations in order to:
- Execute the initial authentication handshake
- Sign every outgoing request in JavaScript before it is sent to the server
Main elements:
- A dedicated form handling the initial authentication
- A request signing component
- A dedicated page loader object for page transitions

Isolating the Key Material
- A separate subdomain contains only static JavaScript dedicated to handling and storing the signing key, so script running in the application's own origin cannot read the key directly
- postMessage API: two browser documents can communicate across domain boundaries in a secure manner
  - postMessage(message, targetOrigin)
  - Checking the sender's origin on receipt, and naming an explicit targetOrigin when sending, prevents abuse by other origins

Domain Isolated Key Handling (figure)

EVALUATION
- Security evaluation: network-based attacks, other issues
- Performance evaluation
- Limitations

Network-based Attacks
- Sniffing attacks are powerless: neither passwords nor authentication tokens are transmitted over the network
- Man-in-the-middle attacks are mitigated due to the mutual authentication property
- SSL stripping attacks or CA breaches have no effect on the authentication: BetterAuth does not rely on the security of an underlying SSL/TLS connection
- Caveat: BetterAuth authenticates requests but does not encrypt them, so confidentiality of request and response content still depends on TLS

Other Issues
- Session hijacking and session fixation do not apply: there is no authentication cookie to steal or to fix
- CSRF attacks are mitigated: cross-domain requests are treated as unauthenticated by default, unless they target a declared public interface
- Phishing attacks are bound to fail: the password never leaves the browser

JavaScript Implementation Performance (table: times in ms, averaged over ten runs)

Limitations
- The protection of the password can be circumvented at the GUI level: the user can be tricked into entering their password into a non-BetterAuth form field
- Limited protection against clickjacking: public interfaces should still be protected with anti-framing measures

Conclusion
BetterAuth: a mutual Web authentication protocol that
- spans the full authentication lifecycle
- allows a pure JavaScript fallback for browsers that do not support the proposed scheme natively
- significantly reduces the susceptibility of the authentication process to known threats