dos and don ts of client authentication on the web
play

Dos and Donts of Client Authentication on the Web Kevin Fu - PowerPoint PPT Presentation

Mar 09, 2023 •120 likes •1.12k views

Dos and Donts of Client Authentication on the Web Kevin Fu UMass-Amherst Department of Computer Science www.cs.umass.edu Based on USENIX Security 2001 paper by same name. Versions of this talk were given several times. History on:

  1. Dos and Don’ts of Client Authentication on the Web Kevin Fu UMass-Amherst Department of Computer Science www.cs.umass.edu Based on USENIX Security 2001 paper by same name. Versions of this talk were given several times. History on: http://www.cs.umass.edu/~kevinfu/talks.html

  4. What this talk is about • Improving the security of client authentication on the Web

  5. Where are we now? • We have HTTP authentication

  6. Where are we now? • We have HTTP authentication • We’ve had SSL for nearly a decade

  7. Where are we now? • We have HTTP authentication • We’ve had SSL for nearly a decade • Client authentication should be easy, right?

  8. Many Web sites get it wrong Site Security problem WSJ.com crypto misuse, secret key exposed tiffany.com SQL injection opentable.com guessable user IDs cooking.com guessable user IDs SprintPCS.com leaks authenticator in plaintext FatBrain.com predictable session ID HighSchoolAlumni.com circumvent password authentication PerformanceBike.com predictable session ID ihateshopping.net circumvent password authentication

  10. Toolkits are vulnerable too Toolkit Security problem BlueMartini missing authentication check Allaire ColdFusion predictable session IDs, LCNG ArsDigita ACS signs ambiguous messages Jakarta TomCat predictable session IDs, random seed PHP session IDs based on time of day

  11. How is it done? So how do Web sites implement user authentication?

  12. Cookies: what are they? • A Web server can store key/value pairs on a client • The browser resends cookies in subsequent requests to the server • Cookies can implement login sessions

  13. Sample cookie domain .wsj.com Path /cgi SSL? FALSE Expiration 941452067 Variable name fastlogin Value bitdiddleMaRdw2J1h6Lfc

  14. Cookies for login sessions Web browser Web server POST /login.cgi 1

  15. Cookies for login sessions Web browser Web server POST /login.cgi 1 "Welcome in" Web page Set − Cookie: authenticator 2

  16. Cookies for login sessions Web browser Web server POST /login.cgi 1 "Welcome in" Web page Set − Cookie: authenticator 2 GET /restricted/index.html Cookie: authenticator 3

  17. Cookies for login sessions Web browser Web server POST /login.cgi 1 "Welcome in" Web page Set − Cookie: authenticator 2 GET /restricted/index.html Cookie: authenticator 3 Content of restricted page 4

  18. What adversaries do we fear? Active adversary Passive adversary Interrogative adversary • Adaptively query a server • Eavesdrop on traf fi c • Modify/inject traf fi c, man-in-the-middle attack A system must AT LEAST protect against the interrogative adversary!

  19. Interrogative adversary • Adaptively query a Web server a reasonable number of times • Treat server as an oracle for an adaptive chosen message attack • Extremely limited, but surprisingly powerful

  20. Types of breaks • Replay • Existential forgery • Selective forgery • Total break

  21. The cookie crumbles... Many Web sites that have invented their own homebrew cookie-based authentication schemes.

  22. Case studies of Web authentication • Lack of cryptography: HighSchoolAlumni.com • Trusting user input: Instant Shop • Leaking secrets: SprintPCS.com • Predictable sequence numbers: FatBrain.com • Missing authentication check: BlueMartini • Misuse of cryptography: WSJ.com

  25. Lack of cryptography • Site: HighSchoolAlumni.com • Problem: No cryptographic authentication • Adversary: Interrogative • Break: Universal forgery • Today: Sold to another reunion site

  27. Instant Shop: What’s inside < form action=commit sale.cgi > < input type=hidden name=item1 value=10 > Batteries $10 < input type=hidden name=item2 value=99 > Biology textbook $99 < input type=hidden name=item3 value=25 > Britney Spears CD $25 < input type=submit > Con fi rm purchase < /form >

  28. Instant Shop: Malicious user < form action=commit sale.cgi > < input type=hidden name=item1 value=0 > Batteries $10 < input type=hidden name=item2 value=0 > Biology textbook $99 < input type=hidden name=item3 value=0 > Britney Spears CD $25 < input type=submit > Con fi rm purchase < /form >

  29. Trusting user input • Site: Instant Shop • Problem: Server trusts users not to modify HTML variables • Adversary: Interrogative • Today: Out of business

  32. Leaking secrets • Site: SprintPCS.com • Problem: Secure content can leak through plaintext channels • Adversary: Eavesdropper • Break: Replay • Today: A leading provider of mobile phone service...

  35. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555757 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  36. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555756 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  37. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555755 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  38. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555754 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  39. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? ! t=0&p1=victim@mit.edu&p2=540555753 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  40. FatBrain URL authenticator Start: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=attacker@mit.edu&p2=540555758 Try: https://www.fatbrain.com/HelpAccount.asp? " t=0&p1=victim@mit.edu&p2=540555752 Target: https://www.fatbrain.com/HelpAccount.asp? t=0&p1=victim@mit.edu&p2=540555752

  41. Predictable sequence numbers • Site: FatBrain.com • Problem: Customer can determine the authenticator for any other user • Adversary: Interrogative • Break: Selective forgery • Today: Acquired by Barnes & Noble

  42. FatBrain response “It’s frustrating that programmers ... continue to fall prey to the same old tricks. Simple problems like lazy sequence numbers and buffer over fl ows in most cases can be easily eliminated if we as programmers would be a little vigilant about sound design and solid code reviews. I just *love* being at work on a Friday at midnight managing unscheduled production releases. :)”

  43. Missing authentication check • Sites: saks fi fthavenue.com, kohls.com, iomega.com, et al • Problem: Customers can download order history of all users • Adversary: Interrogative • Break: Universal forgery • Today: The sites have added the check

  44. BlueMartini: missing authentication check https://www.saks fi fthavenue.com/ POST /myaccount/order history new.jsp HTTP/1.0 Host: www.saks fi fthavenue.com bmForm=order history new& bmHidden=VIEW ORDER <> & VIEW ORDER <> orh id=12366456

  46. WSJ.com login process • User enters name and password • If the password is correct, WSJ.com issues a cookie • User surfs to restricted content and attaches cookie • If the cookie is authentic, WSJ.com returns content

  47. WSJ.com analysis • Design: cookie = { user, MACk (user) } • Reality: cookie = user + UNIX-crypt (user + server secret)

  48. WSJ.com analysis cont. username crypt() Output Authenticator cookie bitdiddl MaRdw2J1h6Lfc bitdiddlMaRdw2J1h6Lfc bitdiddle MaRdw2J1h6Lfc bitdiddleMaRdw2J1h6Lfc • Usernames matching fi rst 8 characters have same authenticator • No expiration

  49. Obtaining the server secret? • Adaptive chosen message attack • Perl script queried WSJ with invalid cookies • Runs in max 128 × 8 queries rather than intended 128 8 (1024 vs. 72057594037927936) • 1 sec/query yields 17 minutes vs. 10 9 years • The key is “March20”

  50. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl

  51. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! A bitdidd bitdiddA

  52. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! B bitdidd bitdiddB

  53. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! C bitdidd bitdiddC

  54. How our attack works Secret guess username crypt input worked? " bitdiddl bitdiddl ! D bitdidd bitdiddD

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication

TLS 1.3 Client Authentication Andrei Popov, Microsoft Corp. Issue 1: TLS Client Authentication After the Handshake The user navigates to the sites landing page, no client authentication required. Eventually, the user requests a

69 views • 6 slides
Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant

Beyond Trust PostgreSQL Client Authentication Christoph Mnch-Tegeder 2ndQuadrant http://www.2ndquadrant.com/ 2017-02-05 Part I Authentication Why Authentication? Too complicated Nobody knows my database Nobody will attack us

813 views • 39 slides
CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID

CLIENT INITIATED BACKCHANNEL AUTHENTICATION CIBA? CIBA is an authentication flow like OpenID Connect. However, unlike OpenID Connect, there is direct Relying Party to OpenID Provider communication without redirects through the user's browser.

505 views • 17 slides
User Authentication using the Client Principle Object Presented By: Chris Longo User

User Authentication using the Client Principle Object Presented By: Chris Longo User

User Authentication using the Client Principle Object Presented By: Chris Longo User Authentication using the Client Principle Object Agenda What is the Client Principal Object? Why is it useful? How do I implement the CP Object?

697 views • 36 slides
Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a

Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a

Symcon Cloud Connect Cloud Connect Authentication Connect Client Goals Main goal: Building a reverse proxy tunneling service with an embedded SSH server and MySQL authentication Stretch goals: Beautifully rendered statistics dashboard

273 views • 4 slides
Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation

Troubleshooting Grid authentication from the client side By Adriaan van der Zee RP1 presentation 2009-02-04 Contents The Grid @NIKHEF The project Grid components and interactions X.509 certificates, proxies and delegations

257 views • 13 slides
Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication

Chair of Network Architectures and Services TUM Department of Informatics Technical University of Munich (TUM) Push Away Your Privacy: Precise User Tracking Based on TLS Client Certificate Authentication Matthias Wachs, Quirin Scheitle, and

462 views • 14 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted

Moving to client-side hashing for online authentication Enka Blanchard 1 Xavier Coquand 2 Ted Selker 3 Digitrust, Loria, Universit e de Lorraine, www.koliaza.com Bsecure, Paris University of Maryland, Baltimore County 9th International

1.02k views • 18 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez,

Client puzzles for denial-of-service resistant authentication Joint work with Juan Gonzalez, Lakshmi Kuppusamy, Jothi Rangasamy, Douglas Stebila, Suriadi Suriadi Colin Boyd Information Security Institute Queensland University of Technology

560 views • 32 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K.

Introduction Client Authentication Downgrade Attack Channel Binding Conclusion Transcript collision Attacks Breaking Authentication in TLS, IKE, and SSH G. Leurent, K. Bhargavan (Inria) Transcript collision Attacks Dagstuhl 16012 1 / 20

370 views • 33 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
On the Relationship of Defeasible Argumentation and Answer Set Programming Matthias Thimm

On the Relationship of Defeasible Argumentation and Answer Set Programming Matthias Thimm

On the Relationship of Defeasible Argumentation and Answer Set Programming Matthias Thimm Gabriele Kern-Isberner Technische Universit at Dortmund May 29, 2008 Thimm, Kern-Isberner (TU Dortmund) DeLP and ASP May 29, 2008 1 / 21 Outline

589 views • 34 slides
Refinement trees: Calculi, Tools and Applications Mihai Codescu and Till Mossakowski DFKI GmbH

Refinement trees: Calculi, Tools and Applications Mihai Codescu and Till Mossakowski DFKI GmbH

Refinement trees: Calculi, Tools and Applications Mihai Codescu and Till Mossakowski DFKI GmbH Bremen 31.08.2011, CALCO 2011 Stepwise Refinement Start with a requirement specification SP 0 which only fixes the expected properties of the

1.02k views • 38 slides
Computing Cores for Existential Rules with the Standard Chase and ASP Markus Krtzsch

Computing Cores for Existential Rules with the Standard Chase and ASP Markus Krtzsch

Computing Cores for Existential Rules with the Standard Chase and ASP Markus Krtzsch Knowledge-Based Systems, TU Dresden Rules are simple, but what do they mean? R 1 : father ( x y ) male ( y ) R 2 : person ( x ) v father (

586 views • 27 slides
Embedding ASP in mobile systems: discussion and preliminary implementation Francesco Calimeri

Embedding ASP in mobile systems: discussion and preliminary implementation Francesco Calimeri

Introduction The embASP Framework An embASP Specialization DLVfit Related Work Conclusions References Embedding ASP in mobile systems: discussion and preliminary implementation Francesco Calimeri Davide Fusc` a Stefano Germano Simona Perri

380 views • 37 slides
More ASP.NET Page model, Session State, Data Binding Today ASP.NET review Page model

More ASP.NET Page model, Session State, Data Binding Today ASP.NET review Page model

More ASP.NET Page model, Session State, Data Binding Today ASP.NET review Page model Session State Data Binding and List-Bound controls Shopping Cart Demo Review: Example Web Form &lt;%@ Page language=&quot;c#&quot;

367 views • 10 slides
Technology for Multilingual Communications TermWeb 3.9 The most powerful terminology management

Technology for Multilingual Communications TermWeb 3.9 The most powerful terminology management

Technology for Multilingual Communications TermWeb 3.9 The most powerful terminology management system on the market Web-based Open Easy Visuals and architecture administration sounds TermWeb in brief Multilingual, Multimedia

403 views • 14 slides
A Case for Flash Memory SSD in A Case for Flash Memory SSD in A Case for Flash Memory SSD in

A Case for Flash Memory SSD in A Case for Flash Memory SSD in A Case for Flash Memory SSD in

SIGMOD 08 08 SIGMOD SIGMOD08 A Case for Flash Memory SSD in A Case for Flash Memory SSD in A Case for Flash Memory SSD in Enterprise Database Applications Enterprise Database Applications Enterprise Database Applications

480 views • 27 slides
Composition and Interoperation of Rules Enrico Pontelli and Tran Cao Son Chitta Baral

Composition and Interoperation of Rules Enrico Pontelli and Tran Cao Son Chitta Baral

Composition and Interoperation of Rules Enrico Pontelli and Tran Cao Son Chitta Baral Department of Computer Science Computer Science and Engineering New Mexico State University Arizona State University Department of Computer Science

638 views • 19 slides

More recommend