
1 Copyright © 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
The OWASP Foundation – OWASP & WASC AppSec 2007 Conference – San Jose – Nov 2007
http://www.owasp.org/ http://www.webappsec.org/
The PKI Lie: Attacking Certificate Based Authentication
Ofer Maor, CTO, Hacktics

2 Introduction
 More and more organizations are examining PKI solutions (client certificate authentication) to provide an answer to modern authentication threats
 This presentation will examine the common notions about PKI in web applications and present various threats
 This lecture is:
   NOT going to reveal any flaws in RSA or digital signature technology
   IS going to present how poor implementation can allow hackers to work around it…

3 Agenda
 Common Credential Theft Threats
 Suggested PKI Authentication Solution
 Attacks on PKI Implementation
   Poor Application Integration
   Trojans
   PKI Phishing
 Demo
 Conclusion
 Mitigation

4 Common Credential Theft Threats
 Phishing/Pharming
   Malicious Links
   DNS Hijacking
   Trojan/Malware
   Online Phishing Against OTP
 Trojans
   HTTP Monitoring
   Key Loggers
 XSS Attacks
   Session Hijacking
   XSS Based Phishing

5 Suggested Solution – PKI & Client Certs
 PKI Authentication Combines:
   Something you Have (Smartcard / Token)
   Something you Know (PIN)
   Some modern implementations are seeking to replace the PIN with biometric authentication
 Authentication requires the physical device to be plugged in (private key stored on the device)
 The combination of smart card, PIN, and the strength of RSA is why many consider PKI authentication hack proof.

6 The PKI Lie – A Hack Proof Solution
 The "Hack Proof" notion urges organizations to switch to PKI based authentication at high cost
 Financial Organizations
   Many banks are deploying PKI authentication for customers
   The solutions are considered so secure that previous Phishing/Pharming warnings are removed!
 Governments
   Digital signatures are now legally valid
   In some countries they are considerably more binding than handwritten signatures

7 The PKI (sad) Truth
 PKI Authentication is not Hack Proof
 Secure in Theory
   Very strong encryption & authentication algorithms
   Verified robust implementation (Common Criteria)
 Fails in Practice: integration of the solution with the surrounding environment may allow compromise
   End Point Integration (PC/User)
   Web Application Integration
   Allows performing real time attacks

8 Application Integration Flaws
 Poor Authentication Verification by Application
 Poor Session Integration
   Relying on session information alone for authentication after the initial certificate check
   No binding of the application session to the SSL session (and thus to the certificate that created it)
 XSS Vulnerabilities
   Data Theft
   Execution of Operations
   Invocation of Signing Operations (if the PIN is cached)
   The sky is the limit…

9 Client Side Attacks – Trojans
 Trojans: the #1 Pharming Technique
 But also useful for direct data compromise

10 Client Side Attacks – Trojans
 Complete takeover of smartcard / token
 The Simple Way – Cached PIN
 The Hard Way – Stealing & Using the PIN
   Step #1 – Obtaining the PIN
     Key Loggers
     USB Sniffers (encryption might be a problem…)
     Driver Manipulation
   Step #2 – Utilizing the Card
     GUI Based Macro (visible to the user…)
     Direct DLL Access – Silent Mode

11 Client Side Attacks – Phishing
 One of the most prominent attacks today
 "Surely solved by PKI…" (or not?)

12 Real Time PKI Phishing – Overview
 Real Time Phishing provides a means of overcoming the need for credential theft.
 Rather than being stolen, the credentials are used in real time, while the device is plugged in
 Once the session is hijacked, the attacker can exploit the existing credentials using CSRF, Reflected XSS or other means
 As with other CSRF/XSS attacks, the user has little, if any, way of preventing this.

13 Real Time PKI Phishing – Analysis
 The attack is performed by creating a faked site (much like regular Phishing attacks)
 The site has no content of its own, and contains 2 frames:
   Frame I – Uses the entire screen area and presents the real site
   Frame II – Invisible, and is used for taking advantage of the logged on user
 Utilizing cross domain techniques (CSRF, JavaScript inclusion, etc.), Frame II, already authenticated, is used to launch attacks

14 Real Time PKI Phishing – Flow
 User follows a link to the malicious (Phished) site
 The response is an HTML page with no content of its own, as follows:
<IFRAME WIDTH=100% HEIGHT=100% NAME=REAL FRAMEBORDER=1 SRC="http://www.myREALsite.com/">

15 Real Time PKI Phishing – Flow (Cont'd)
 The user is then presented with the certificate selection dialog – since the frame loads the real site, the browser's prompt is genuine and the user experience is IDENTICAL

16 Real Time PKI Phishing – Flow (Cont'd)
 Once the user has logged on, the user is able to browse through the site
 The malicious site is now able to perform navigation events on the 2nd IFrame.
 This allows execution of any operation in the site on behalf of the user

17 Real Time PKI Phishing
 Demo…

18 Real Time PKI Phishing Limitations
 Data Viewing – May not be possible (cross site limitations)
 Relies on CSRF Capabilities (won't work well in .NET…)
 However, both limitations are easily bypassed with Reflected XSS
   The Phishing site provides the persistency platform
   XSS can then be used to access sensitive data
   XSS can also be used to obtain whatever random data is required to overcome CSRF protection

19 Additional Real Time PKI Phishing Aspects
 Proprietary ActiveX based authentication (as opposed to integrated browser certificates)
   Identifying when the main frame has been successfully authenticated – can be performed using cross domain exploits (e.g. JS includes)
 Man in the Middle Techniques
   An alternative to CSRF/XSS attacks
   Establish a connection with the client, and relay the challenge from the original server to the client.
   Might generate some warnings, but users tend to ignore those…

20 Conclusion
 Embedding PKI authentication in web applications is not a magic solution!
 Trojans, Pharming, Phishing, CSRF, XSS, as well as other application vulnerabilities, remain a significant concern
 These problems must be addressed well before implementing client side certificates
 With that said, client side certificates stored on a secure physical device are still a very strong form of authentication

21 Mitigation
 CSRF Protection – Massively discussed yesterday
 XSS Protection – Massively discussed for the past few years…
 Trojan Protection – Tricky (requires taking the PC out of the equation…)
   On-Device PIN Input & Verification
   On-Device Biometric Verification
   On-Device "OK" confirmation
   Clean From-Device OS Boot (might work with virtualization as well…)

22 Thank You! Questions?

