Some more on user authentication (presentation transcript)


1 Some more on user authentication

2 A web page which requires that the user be logged in

Page is here: http://csweb.ucc.ie/cs1064/jabowen/IPSC/cs4408/frontPage.php

The user's login status is verified by a cookie which the browser sends with the request:

    <?php // the mere presence of the cookie is taken as proof of login; its value is not checked
    if (!empty($_COOKIE["loginCookie"])) { ?>
      This is secured content
      You can only see this content because you are logged in
    <?php } else { ?>
      Access forbidden
      You cannot see secure content unless you are logged in.
      <a href="login.php">Login</a>
    <?php } ?>

3 When user tries to see this page without being logged-in:

4 Suppose user clicks Login hotlink:

5 Suppose required username is bob and required password is dylan. Suppose user logs in correctly

6 User is told he has logged in correctly and can now click on a link to go to the desired page

7 Suppose user clicks on link to front page. He can now see the secured content

8 The login.php program

In this simple program, only one user-name and password are accepted. In reality:
  – there would be a database of user-names and passwords
  – different users would have different login cookies

9 The login.php program

    <?php ob_start();   // buffer output so setcookie() can still send a header later
    if (empty($_POST["userName"]) || empty($_POST["password"])) { ?>
      <form name="loginForm" method="post">
        User name: <input type="text" name="userName">
        Password: <input type="password" name="password">
        <input type="submit" value="Login">
      </form>
    <?php } else {
      $userName = $_POST["userName"];
      $password = $_POST["password"];
      if (($userName == 'bob') && ($password == 'dylan')) {
        setcookie("loginCookie", "$userName", time() + 3600); ?>
        You are logged in for 60 minutes
        <a href="frontPage.php">Click here for front page</a>
      <?php } else { ?>
        Incorrect username or password
      <?php }
    }
    ob_end_flush(); ?>

10 What the cookie looks like in the cookie jar:

11 Danger with previous scheme

Users' passwords are sent in the clear. Somebody sniffing packets on the internet could steal a user's password. Indeed, somebody could forge a cookie.

12 Protecting passwords

First, we will address the issue of protecting passwords. Later, we will address the issue of protecting cookies.

13 Encrypting passwords

To avoid theft of passwords, we could require that, when they are sent over the internet, they are passed in encrypted form. One commonly-used encryption technique is called MD5 (strictly a hashing algorithm, as the next slide explains). We could send the MD5 encryptions of passwords over the internet. For this, the login page would have to use MD5.

14 MD5

MD5 is a hashing algorithm developed in 1991, when its predecessor, MD4, was found to be insecure. In 1996, a flaw was found in the design of MD5; while it was not a clearly fatal weakness, cryptographers began to recommend using other algorithms, such as SHA-1
  – (recent claims suggest that SHA-1 has been broken, however)
In 2004, more serious flaws were discovered, making further use of the MD5 algorithm for security purposes questionable. At present, however, MD5 is still widely used, but expect it to be replaced in the near future.

15 MD5 continued

MD5 takes a string and returns a 128-bit hash value which is derived from the string. Usually, these 128 bits are represented as 32 hex digits:

    MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6

Even a small change in the message will (with overwhelming probability) result in a completely different hash. For example, changing d to c in the above message produces

    MD5("The quick brown fox jumps over the lazy cog") = 1055d3e698d289f2af8663725127bd4b

16 Implementations of MD5

PHP:
  – an implementation of MD5 is provided in the PHP library of string functions: string md5 ( string str )
Javascript:
  – no implementation of MD5 is built into the language;
  – however, an implementation is available in this file: http://www.cs.ucc.ie/j.bowen/usefulResources/md5.js
    The function is called string hex_md5( string str )
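The two digests quoted on slide 15, recomputed here as an added example that is not part of the slides: Python's hashlib stands in for PHP's md5() and md5.js's hex_md5() (all three produce the same 32 lowercase hex digits), and the block also counts how many of the 128 output bits the one-letter change from "dog" to "cog" flips, which is the "completely different hash" claim made quantitative.

```python
import hashlib

# The two messages quoted on the slide (the standard "quick brown fox" example).
FOX = "The quick brown fox jumps over the lazy dog"
COG = "The quick brown fox jumps over the lazy cog"


def md5hex(message: str) -> str:
    """Return the MD5 digest of a string as 32 lowercase hex digits,
    the same representation PHP's md5() and md5.js's hex_md5() produce."""
    return hashlib.md5(message.encode("utf-8")).hexdigest()


def differing_bits(hex_a: str, hex_b: str) -> int:
    """Count the positions in which two 128-bit digests differ (Hamming distance)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def avalanche_report(a: str = FOX, b: str = COG) -> dict:
    """Hash both messages and measure how far apart the digests are.
    A one-character change in the input should flip roughly half of the 128 bits."""
    digest_a, digest_b = md5hex(a), md5hex(b)
    return {
        "digest_a": digest_a,
        "digest_b": digest_b,
        "bits_changed": differing_bits(digest_a, digest_b),
    }


if __name__ == "__main__":
    for key, value in avalanche_report().items():
        print(f"{key}: {value}")
```

The count is what a practitioner checks when vetting a hash implementation: the same one-letter change should flip about 64 of the 128 bits, and the exact digests must match a known-good value such as the one on the slide.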

17 login2.php (part 1)

    <?php ob_start(); ?>
    <script type="text/javascript" src="http://www.cs.ucc.ie/j.bowen/usefulResources/md5.js"></script>
    <script type="text/javascript">
      // replace the typed password with its MD5 digest before the form is submitted
      function encodePassword() {
        loginForm.password.value = hex_md5(loginForm.password.value);
      }
    </script>
    <?php if (empty($_POST["userName"]) || empty($_POST["password"])) { ?>
      <form name="loginForm" method="post">
        User name: <input type="text" name="userName">
        Password: <input type="password" name="password">
        <button type="button" onClick="encodePassword();loginForm.submit();">Login</button>
      </form>
    <?php }

18 login2.php (part 2)

    else {
      $userName = $_POST["userName"];
      $password = $_POST["password"];   // already the MD5 digest computed in the browser
      if (($userName == "bob") && ($password == md5("dylan"))) {
        setcookie("loginCookie", "bob", time() + 3600); ?>
        You are logged in for 60 minutes
        <a href="frontPage.php">Click here for front page</a>
      <?php } else { ?>
        Incorrect login
      <?php }
    }
    ob_end_flush(); ?>

19 This is better, but...

Somebody who is sniffing packets could simply steal the MD5-encrypted password and use that

20 4408 2 Dec 2005

21 Make theft pointless

There will always be packet-sniffing thieves. The only defence against them is to make what they can steal worthless to them. We can do this by making encoded passwords valid for only a short time. We do this by using a nonce-word in such messages
  – a nonce word is 'a word coined and used only for a particular occasion'

22 login3.php (part 1)

    <?php ob_start(); ?>
    <script type="text/javascript" src="http://www.cs.ucc.ie/j.bowen/usefulResources/md5.js"></script>
    <script type="text/javascript">
      // hash the password together with the server's nonce word before submitting
      function encodePassword() {
        loginForm.password.value = hex_md5(loginForm.password.value + loginForm.nonceWord.value);
      }
    </script>
    <?php if (empty($_POST["userName"]) || empty($_POST["password"])) {
      // nonce word: a secret mixed with the current date and time, to the minute
      $now = getdate();
      $now = $now["year"].$now["month"].$now["mday"].$now["hours"].$now["minutes"];
      $nonceWord = md5("someSecretWord".$now); ?>
      <form name="loginForm" method="post">
        <input type="hidden" name="nonceWord" value="<?php echo $nonceWord; ?>">
        User name: <input type="text" name="userName">
        Password: <input type="password" name="password">
        <button type="button" onClick="encodePassword();loginForm.submit();">Login</button>
      </form>
    <?php }

23 login3.php (part 2)

    else {
      $userName = $_POST["userName"];
      $password = $_POST["password"];
      $nonceWord = $_POST["nonceWord"];   // taken from the submitted form; not yet checked for freshness
      if (($userName == "bob") && ($password == md5("dylan".$nonceWord))) {
        setcookie("loginCookie", "bob", time() + 3600); ?>
        You are logged in for 60 minutes
        <a href="frontPage.php">Click here for front page</a>
      <?php } else { ?>
        Incorrect login
      <?php }
    }
    ob_end_flush(); ?>

24 Can't someone just steal the nonce-word as well as the encrypted password ? Yes, but... The trick is to impose a time-limit on the acceptability of each nonce-word

25 login4.php (part 1)

    <?php ob_start(); ?>
    <script type="text/javascript" src="http://www.cs.ucc.ie/j.bowen/usefulResources/md5.js"></script>
    <script type="text/javascript">
      function encodePassword() {
        loginForm.password.value = hex_md5(loginForm.password.value + loginForm.nonceWord.value);
      }
    </script>
    <?php
    // a nonce word is fresh only if it is the one the server would issue this very minute
    function fresh($nonceWord) {
      $now = getdate();
      $now = $now["year"].$now["month"].$now["mday"].$now["hours"].$now["minutes"];
      $currentNonceWord = md5("someSecretWord".$now);
      return ($nonceWord == $currentNonceWord);
    }

26 login4.php (part 2)

    if (empty($_POST["userName"]) || empty($_POST["password"])) {
      $now = getdate();
      $now = $now["year"].$now["month"].$now["mday"].$now["hours"].$now["minutes"];
      $nonceWord = md5("someSecretWord".$now); ?>
      <form name="loginForm" method="post">
        <input type="hidden" name="nonceWord" value="<?php echo $nonceWord; ?>">
        You have one minute to login
        User name: <input type="text" name="userName">
        Password: <input type="password" name="password">
        <button type="button" onClick="encodePassword();loginForm.submit();">Login</button>
      </form>
    <?php }

27 login4.php (part 3)

    else {
      $userName = $_POST["userName"];
      $password = $_POST["password"];
      $nonceWord = $_POST["nonceWord"];
      if (fresh($nonceWord)) {
        if (($userName == "bob") && ($password == md5("dylan".$nonceWord))) {
          setcookie("loginCookie", "bob", time() + 3600); ?>
          You are logged in for 60 minutes
          <a href="frontPage.php">Click here for front page</a>
        <?php } else { ?>
          Incorrect login
        <?php }
      } else { ?>
        Unacceptable delay
        You took too long to fill in the login form
        <a href="login4.php">Try again</a>
      <?php }
    }
    ob_end_flush(); ?>
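The nonce-word scheme of login3.php and login4.php, modelled end to end in Python as an added example (not code from the slides): the server's nonce word is md5(secret + date-and-time-to-the-minute), the browser submits md5(password + nonceWord), and the server accepts only the nonce of the current minute. The user "bob"/"dylan", the secret "someSecretWord" and the timeline of requests are the slides' values and constructed times, and the stamp is built exactly as the PHP does, with unpadded fields and the full month name that getdate()["month"] returns.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed values mirroring the slides: one user and one server-side secret.
SERVER_SECRET = "someSecretWord"
USERS = {"bob": "dylan"}

# Full English month names, as PHP's getdate()["month"] returns them.
MONTHS = ["", "January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def minute_stamp(when: datetime) -> str:
    """year.month.mday.hours.minutes concatenated without padding,
    exactly as login3.php and login4.php build $now."""
    return f"{when.year}{MONTHS[when.month]}{when.day}{when.hour}{when.minute}"


def issue_nonce(when: datetime) -> str:
    """The nonce word the server embeds in the login form."""
    return md5hex(SERVER_SECRET + minute_stamp(when))


def client_encode(password: str, nonce: str) -> str:
    """What encodePassword() does in the browser: hex_md5(password + nonceWord)."""
    return md5hex(password + nonce)


def fresh(nonce: str, now: datetime) -> bool:
    """login4.php's fresh(): only the nonce of the current minute is accepted."""
    return nonce == issue_nonce(now)


def login(user: str, encoded: str, nonce: str, now: datetime) -> str:
    """Server-side check with login4.php's three outcomes: 'ok', 'bad' or 'stale'."""
    if not fresh(nonce, now):
        return "stale"
    real_password = USERS.get(user)
    if real_password is not None and encoded == md5hex(real_password + nonce):
        return "ok"
    return "bad"


def scenario() -> dict:
    """Constructed timeline: the form is served at 10:30:15 and the same
    (encoded password, nonce) pair is presented at several later moments."""
    served = datetime(2005, 12, 2, 10, 30, 15)
    nonce = issue_nonce(served)
    encoded = client_encode("dylan", nonce)
    return {
        "prompt": login("bob", encoded, nonce, served + timedelta(seconds=20)),
        "reused_same_minute": login("bob", encoded, nonce, served + timedelta(seconds=40)),
        "slow_user": login("bob", encoded, nonce, served + timedelta(seconds=50)),
        "two_minutes_later": login("bob", encoded, nonce, served + timedelta(minutes=2)),
        "wrong_password": login("bob", client_encode("guess", nonce), nonce, served),
    }


def ambiguous_stamp_example() -> tuple:
    """Unpadded fields let two different minutes share one stamp:
    2 December 10:30 and 21 December 00:30 both give '2005December21030'."""
    a = minute_stamp(datetime(2005, 12, 2, 10, 30))
    b = minute_stamp(datetime(2005, 12, 21, 0, 30))
    return a, b, a == b


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print(f"{name:20s} {outcome}")
    print(ambiguous_stamp_example())
```

Two things the model makes visible. First, "one minute" in login4.php really means "until the wall clock reaches the next minute": a form served at 10:30:15 is stale at 10:31:00, 45 seconds later, and within that window a captured pair is still accepted, which is the residual risk slide 34 hands over to SSL. Second, the unpadded concatenation lets distinct minutes produce the same stamp, so a nonce is valid again on another date; a zero-padded or epoch-based timestamp, or better a random per-form nonce stored server-side with its expiry, removes that ambiguity.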

28 Login form produced by login4.php

29 User completes, within 1 minute, the form produced by login4.php

30 Because he filled form in correctly and quickly, user's credentials are accepted

31 A different, slower, user

32 He fills in form correctly, but too slowly

33 User's credentials are not accepted because the nonce word had become stale

34 But, couldn't someone just steal the cookie?

Yes, but similarly MD5 encryption and nonce-words can be used to reduce the usefulness of stealing cookies. However, at this stage, it might be worthwhile considering the use of SSL.

35 Back to HTTP user authentication

36 What's wrong with Basic authentication?

Basic authentication is insecure. The username and password are sent unencrypted across the internet. Anybody who is "sniffing" packets can steal this information.

37 Digest Authentication

In this technique, the password is never sent "in the clear". It is always sent in an encrypted form. At present, the form of encryption used is called MD5. The technique is similar to that which we have just seen used in our home-made login system.
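How HTTP Digest authentication derives what is actually sent, as an added example that is not part of the slides. The computation is the RFC 2617 "auth" form, and the inputs are the worked example published in RFC 2617 section 3.5 (user "Mufasa", realm "testrealm@host.com", password "Circle Of Life"), so the expected response value is a known one; the server-side verify function and the wrong-password check are additions written for this illustration. The server's nonce plays the same role as the slides' nonce word, and the server can keep HA1 instead of the password.

```python
import hashlib
import hmac

# Worked values from RFC 2617 section 3.5 (a published example, not the slides').
EXAMPLE = {
    "username": "Mufasa",
    "realm": "testrealm@host.com",
    "password": "Circle Of Life",
    "method": "GET",
    "uri": "/dir/index.html",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093",   # chosen by the server per challenge
    "nc": "00000001",                                # client's request counter for this nonce
    "cnonce": "0a4f113b",                            # client-chosen nonce
}


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password); a server may store this instead of the password."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri).
    The password never leaves the client; only this 32-hex-digit response is sent."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1(username, realm, password)}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_ha1, method, uri, nonce, nc, cnonce, response, qop="auth") -> bool:
    """Server side: recompute the response from the stored HA1 and compare in constant time."""
    ha2 = md5hex(f"{method}:{uri}")
    expected = md5hex(f"{stored_ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return hmac.compare_digest(expected, response)


def worked_example() -> dict:
    """Run the RFC 2617 exchange: the right password is accepted, a wrong one rejected."""
    p = EXAMPLE
    stored = ha1(p["username"], p["realm"], p["password"])
    good = digest_response(**p)
    bad = digest_response(**{**p, "password": "not the password"})

    def check(response: str) -> bool:
        return server_verify(stored, p["method"], p["uri"], p["nonce"], p["nc"], p["cnonce"], response)

    return {"ha1": stored, "response": good, "accepted": check(good), "wrong_accepted": check(bad)}


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Note the defender's caveats: a stored HA1 is password-equivalent for that realm and must be protected like a password; the nonce, nc and cnonce limit replay only as far as the server tracks them; and Digest gives the rest of the request no confidentiality, so the slides' remark about SSL applies here too.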

