Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identities Exposed How Design Flaws in Authentication Solutions May Compromise Your Privacy.

Published byRoger Walters Modified over 7 years ago

Similar presentations

Presentation on theme: "Identities Exposed How Design Flaws in Authentication Solutions May Compromise Your Privacy."— Presentation transcript:

1 Identities Exposed How Design Flaws in Authentication Solutions May Compromise Your Privacy

2 David Johansson About Me
Started working as a security consultant in 2007 Building security solutions (e.g., SAML 2.0 IdP) Helping others design and build secure software Based in London since 3 years, working for Cigital (now part of Synopsys)

3 What if Everyone knows who you are?
Your Privacy What if Everyone knows who you are?

4 Would you walk around everywhere showing your passport openly?
Your Privacy Would you walk around everywhere showing your passport openly? In the digital world, it could well happen without you ever knowing…

5 Digital Identities Name Issuer Validity Also contains: Serial number
Information binding it to the subject Forgery protection, etc.

6 National Electronic ID
In Sweden we have national electronic IDs Used for online authentication/signing Government e-services, Online banks, etc. Contains PII Full name, Date of birth, Personal identity number (NIN/SSN-equivalent) Based on client certificates protected by custom software

7 Please Update Your Software!
In 2013, a letter was sent out to around 500,000 individuals in Sweden Urged users to update their electronic ID software Why such a drastic action? Imagine Microsoft’s “Patch Tuesdays” being delivered by Royal Mail…

8 1 Million Identities Exposed
Possible to enumerate certificates by calling plugin through JavaScript No user interaction needed, no need of previous authentication Any site could silently identify you – even if you were using proxies, TOR network, etc. document.iID.EnumProperty('Certificate','0') About 1 million users affected, of which: ~500,000 private individuals (electronic ID) ~400,000 healthcare professionals

9 Was this just an odd software error?
The Privacy Problem Was this just an odd software error? Or is there a problem with privacy in authentication solutions in general?

10 Authentication Solutions
Privacy Requirements

11 But does this protect users’ privacy?
Security vs. Privacy Security is considered an important aspect when designing authentication: Password policies Multi-factor authentication Protect passwords in transit and at rest Prevent brute-force attacks Prevent replay attacks, etc. But does this protect users’ privacy?

12 [Privacy] User Stories
As a user, I want to know who I communicate with before I authenticate myself so that I avoid revealing my identity to unknown entities.

13 [Privacy] User Stories
As a user, I want to know when I authenticate so that I only reveal my identity when I intend to do so.

14 [Privacy] User Stories
As a user, I want to know and control what information I reveal when I authenticate so that I only reveal information about myself that I intend to share with the other party.

15 [Privacy] User Stories
As a user, I want to know that only the intended recipient can see my identity when I authenticate so that I don’t expose my identity to others listening in on the conversation.

16 Privacy Requirements [Privacy] User Story Privacy Requirement
Know who I communicate with Know when I authenticate Know and control what information I reveal Know that only the intended recipient can see my identity System authenticates before user Explicit or implicit approval of authentication Explicit or implicit approval of which identity data to share Secure transmission of identity data Translated into privacy requirements: The system must prove its identity before the end user authenticates. (The order of authentication is important, e.g. the server should authenticate itself before the user and not vice versa.) The user must be notified when authentication takes place and explicitly or implicitly approve that his/her identity is revealed to the other entity. The user must be notified about what information is shared during authentication and explicitly or implicitly approve that this information is shared with the other entity. Identity information must be protected from eavesdroppers during authentication, e.g., be encrypted or only transmitted through an encrypted channel.

17 SSL/TLS Client Certificate Authentication
Privacy Issues in SSL/TLS Client Certificate Authentication

18 SSL/TLS Mutual Authentication
Client and server wants to establish a secure connection Server may ask for client certificate during SSL/TLS handshake Are the privacy requirements for clients fulfilled in SSL/TLS?

19 TLS Client Privacy - Round 1: Internet Explorer vs. Chrome
Demo 1: The Browser Bug

20 Chrome’s Privacy Error
Client Spoofed Server Client Hello Server Hello Server Certificate Server Key Exchange* Certificate Request Server Hello Done Forged (invalid) server certificate No warning in browser Client Certificate Client Key Exchange Certificate Verify ChangeCipherSpec Backup slide in case of issues with live demo Browser validates certificate and displays warning after handshake completes Client sends certificate to spoofed server The user is warned of the certificate error, but the identity of the client is already exposed. Finished *Server Key Exchange is only sent when more than the server certificate is needed for the key exchange, e.g. ephemeral Diffie-Hellman.

21 Privacy - Round 1: Microsoft IE 1 – 0 Google Chrome
And the winner is… Privacy - Round 1: Microsoft IE 1 – 0 Google Chrome Wait, not so fast! Internet Explorer used to do the same… …and in fact all browsers can be fooled!

22 The real www.example.com
SSL/TLS Privacy Flaw Client My Spoofed Server The real Client Hello Use the real site’s public certificate Spoofed server identifies itself as the legitimate server Server Hello Server Certificate Certificate Request Server Hello Done Pick cipher with static RSA key exchange*, e.g., TLS_RSA_WITH_AES_256_CBC_SHA SSL/TLS only validates server’s possession of the private key for Server Key Exchange messages For many ciphers, only implicit validation is done (i.e., encryption fails, bad MAC) Malicious servers can exploit this by choosing an appropriate cipher suite, i.e., one that doesn’t require additional key material, such as TLS_RSA_WITH_AES_256_CBC_SHA Client Certificate Client Key Exchange Certificate Verify ChangeCipherSpec Client authenticates to spoofed server The SSL/TLS connection then fails, but the identity of the client is already exposed. Finished *Server Key Exchange message is not required for static RSA key exchange - > no explicit validation of server’s private key possession.

23 Demo 2: The TLS Privacy Flaw
TLS Client Privacy - Round 2: All Your Identities Are Belong To Us Demo 2: The TLS Privacy Flaw

24 Active Attacks This protocol flaw can be exploited in active attacks to expose identities through client certificates For example, inject hidden iFrame with HTTPS URL in any plain HTTP response Intercept TLS handshake for HTTPS request and request client certificate Browser prompts user or may even send client certificate without user’s knowledge

25 Passive Eavesdropping
Server Client Client Hello Server Hello Server Certificate Server Key Exchange* Certificate Request Server Hello Done Client Certificate Client Key Exchange Certificate Verify ChangeCipherSpec Finished Another privacy issue in SSL/TLS is that client certificates are sent in plaintext during the handshake before the encryption begins. Any passive eavesdropper on a network connection can read identity data from client certificates during TLS connection setup. Eavesdropping on network communication Plaintext Ciphertext *Server Key Exchange is only sent when more than the server certificate is needed for the key exchange, e.g. ephemeral Diffie-Hellman.

26 SSL/TLS Mutual Authentication
Privacy RequirementS System authenticates before user Explicit or implicit approval of authentication Explicit or implicit approval of which identity data to share Secure transmission of identity data Privacy requirements are not fulfilled in SSL/TLS Mutual Authentication.

27 TLS 1.3 Privacy Improvements
The draft of TLS 1.3 contains several improvements to privacy Explicit verification of server’s key possession CertificateVerify: signature over entire handshake Encrypts communication before sending client certificate However, TLS 1.3 is still work in progress and will likely take time before widely supported For now, avoid storing PII in client certificates used with TLS

28 Passive authentication requests in
SAML 2.0 SSO

29 SAML Web Browser SSO

30 SSO within an Organization
App App IdP App App App We typically have some level of trust for all applications within our organization

31 SSO across Organizations
IdP Trust App App Trust Trust? App App App App App

32 Passive AuthnRequest Privacy requirement not met
A Boolean value. If "true", the identity provider and the user agent itself MUST NOT visibly take control of the user interface from the requester and interact with the presenter in a noticeable fashion. If a value is not provided, the default is "false".

33 Users’ privacy often neglected
Conclusions Users’ privacy often neglected Secure authentication doesn’t necessarily mean that privacy is protected Several solutions have privacy flaws Protect your users’ privacy Privacy requirements must be considered when designing authentication solutions

34 (Whitepaper on TLS privacy issues to be released soon…)
Questions? (Whitepaper on TLS privacy issues to be released soon…)

Download ppt "Identities Exposed How Design Flaws in Authentication Solutions May Compromise Your Privacy."

Similar presentations

Web security: SSL and TLS

Web security: SSL and TLS
CP3397 ECommerce.

CP3397 ECommerce.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Secure Socket Layer.

Secure Socket Layer.
Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.

Apr 2, 2002Mårten Trolin1 Previous lecture On the assignment Certificates and key management –Obtaining a certificate –Verifying a certificate –Certificate.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.

SSL By: Anthony Harris & Adam Shkoler. What is SSL? SSL stands for Secure Sockets Layer SSL is a cryptographic protocol which provides secure communications.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)
Secure Socket Layer (SSL)

Secure Socket Layer (SSL)
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Types of Electronic Infection

Types of Electronic Infection
1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

Similar presentations

Ads by Google