morellian analysis for browsers making web authentication
play

Morellian Analysis for Browsers: Making Web Authentication Stronger - PowerPoint PPT Presentation

Oct 13, 2023 •273 likes •945 views

Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting Pierre Laperdrix , Gildas Avoine, Benoit Baudry, Nick Nikiforakis DIMVA 2019 In Introduction Web attacks and data breaches 2 Attacks on the

  1. Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting Pierre Laperdrix , Gildas Avoine, Benoit Baudry, Nick Nikiforakis DIMVA 2019

  2. In Introduction – Web attacks and data breaches 2 • Attacks on the web happen more and more frequently and are getting bigger.

  3. In Introduction – Web attacks and data breaches 2 • Attacks on the web happen more and more frequently and are getting bigger.

  4. In Introduction – Web attacks and data breaches 2 • Attacks on the web happen more and more frequently and are getting bigger. Protecting an account with just a password is not enough.

  5. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled.

  6. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled. • Problems: education gap towards the benefits of 2FA/MFA, usability issues that come with having it activated.

  7. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled. • Problems: education gap towards the benefits of 2FA/MFA, usability issues that come with having it activated. • There is a need for a technical solution that bridges the gap between the insufficiency of passwords and the low onboarding of 2FA.

  8. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled. • Problems: education gap towards the benefits of 2FA/MFA, usability issues that come with having it activated. • There is a need for a technical solution that bridges the gap between the insufficiency of passwords and the low onboarding of 2FA. Can browser fingerprinting be a viable alternative?

  9. In Introduction - In Internet in in 2019 4

  10. In Introduction - In Internet in in 2019 4

  11. In Introduction - In Internet in in 2019 4

  12. In Introduction - In Internet in in 2019 4

  13. In Introduction - In Internet in in 2019 4 A bigger and richer web • Audio • Video • 3D rendering • Real-time communications • Web payments • Virtual reality …

  14. In Introduction - In Internet in in 2019 4 A bigger and richer web Browser 1995 2019 Browser: Netscape Browser: Chrome v74 • Audio Language: Fr OS: Linux • Video Screen: 1920x1080 • 3D rendering Language: Fr • Real-time communications Timezone: GMT+1 • Web payments Graphic card: GTX 1080Ti • Virtual reality … …

  15. In Introduction - In Internet in in 2019 4 A bigger and richer web Browser 1995 2019 Browser: Netscape Browser: Chrome v74 • Audio Language: Fr OS: Linux • Video Screen: 1920x1080 • 3D rendering Language: Fr • Real-time communications Timezone: GMT+1 • Web payments Graphic card: GTX 1080Ti • Virtual reality … … What happens when we start collecting all the information available in a web browser?

  16. In Introduction - Defi finition of f browser fi fingerprinting 5 Definitions • A browser fingerprint is a set of information related to a user’s device from the hardware to the operating system to the browser and its configuration. • Browser fingerprinting refers to the process of collecting information through a web browser to build a fingerprint of a device.

  17. In Introduction - Example of f a browser fi fingerprint 6 Attribute Value User agent Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 HTTP headers text/html, application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8 gzip, deflate, br en-US,en;q=0.5 Plugins Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so; Plugin 1: Shockwave Flash; Shockwave Flash 26.0 r0; libflashplayer.so. Fonts Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ... Platform Linux x86_64 Screen resolution 1920x1080x24 Timezone -480 (UTC+8) OS Linux 3.14.3-200.fc20.x86 32-bit WebGL vendor NVIDIA Corporation WebGL renderer GeForce GTX 650 Ti/PCIe/SSE2 Canvas

  18. Using fi fingerprinting for auth thentication 7 User authenticated Login/Password Browser fingerprint

  19. Using fi fingerprinting for auth thentication 7 ? User authenticated Login/Password Browser fingerprint

  20. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server.

  21. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server. FP

  22. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server. Modified FP Modified Modified FP FP FP Modified Modified FP FP Modified FP

  23. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server. Modified FP Modified Modified FP FP FP Modified Modified FP FP Modified FP  An attacker can also try to reconstruct the environment of his victim to bypass verification.

  24. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 9 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Traditional fingerprinting scripts always collect the same attributes. What is the What is the What is the user agent? language? browser? What is the list What is the list What is the of plugins? of fonts? screen resolution? What is the What is Are cookies timezone? platform? enabled? … ≈20 questions

  25. A lo look in into th the past 10 Giovanni Morelli (1816-1891) • Studied medicine and taught anatomy • Identified the characteristic "hands" of painters through scrutiny of minor details in paintings

  26. Using canvas fi fingerprinting for auth thentication 11 User authenticated Login/Password Canvas fingerprint

  27. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website

  28. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1

  29. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1 2

  30. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1 2 3

  31. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1 2 3

  32. Using canvas fi fingerprinting for auth thentication 13 Use the Canvas API as a drawing board for a morellian analysis.

  33. Using canvas fi fingerprinting for auth thentication 13 Use the Canvas API as a drawing board for a morellian analysis. • Dynamic Draw an Render the string Draw a green orange “ stnalpehtretlaw ” circle with a rectangle of with a size 30pt at circumference size 63x45 at position (1337,42) of 24 pixels at position (7,89) with the font Arial position (4,8) in purple

  34. Using canvas fi fingerprinting for auth thentication 13 Use the Canvas API as a drawing board for a morellian analysis. • Dynamic Draw a blue Render the string Draw a blue circle with a “fingerprinting” rectangle of circumference with a size 26pt at size 2x2 at of 22 pixels at position (45,54) position (2,2) position (42,8) with the font Draw an Draw an Render the string Georgia in red Draw a green orange orange “ stnalpehtretlaw ” circle with a rectangle of rectangle of with a size 30pt at circumference size 63x45 at size 63x45 at position (1337,42) of 24 pixels at position (7,89) Draw a yellow position (7,89) with the font Arial position (4,8) rectangle of in purple size 33x44 at position (55,66)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

An Analysis of Private Browsing Modes in Modern Browsers

An Analysis of Private Browsing Modes in Modern Browsers

Stanford Computer Security Lab An Analysis of Private Browsing Modes in Modern Browsers Gaurav Aggarwal, Elie Bursztein, Collin Jackson, Dan Boneh Usenix

653 views • 40 slides
Users and security Authentication Making sure a user is who they say they are ...on

Users and security Authentication Making sure a user is who they say they are ...on

Users and security Authentication Making sure a user is who they say they are ...on every request! Authorization Making sure a user can only get to information they are supposed to see Making sure a user can only perform

801 views • 30 slides
Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr)

Print Books with Browsers Designing books in browsers using Paged.js Julie Blanc (@julieblancfr) Digital Publishing Summit May 26, 2019 Automated typesetting and pagination for print Make PDF outputs of HTML contents from browsers Flux

823 views • 67 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti Extensions Browser extensions are the most popular technique currently available to extend the

722 views • 38 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Cryptographic Protocols: Making the Network Secured Debdeep Mukhopadhyay IIT Kharagpur

Cryptographic Protocols: Making the Network Secured Debdeep Mukhopadhyay IIT Kharagpur

Cryptographic Protocols: Making the Network Secured Debdeep Mukhopadhyay IIT Kharagpur Protocols Key Agreement Authentication: Group Authentication Key Agreement and Authentication Key Agreement and authentication with key

411 views • 9 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit

Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit

Privacy-Preserv rving Im Implicit Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit Authentication Usage patterns, authentication decision making Cost: privacy! Our Basic Protocol

547 views • 17 slides
stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication

stateless analysis of a cryptographic protocol emina torlak february 22, 2005 authentication to be nobody-but-yourselfin a world which is doing its best to make you everybody else - e e cummings authentication: verifying the

490 views • 15 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri

EAP-SIM Security Analysis Mobility Solutions Keyspace and Mutual Authentication Weaknesses Uri Blumenthal (analysis done by Sarvar Patel) Member of Technical Staff EAP-SIM Draft and its Security Claims Current EAP-SIM provides

342 views • 7 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch

ECE590 Computer and Information Security Fall 2019 User Authentication and Access Control Tyler Bletsch Duke University User Authentication Determining if a user is who they say they are before giving them access. 2 The four means of

1.02k views • 70 slides
TLS Fingerprinting Techniques Zlatina Gancheva advised by Patrick Sattler, Lars Wstrich Friday

TLS Fingerprinting Techniques Zlatina Gancheva advised by Patrick Sattler, Lars Wstrich Friday

Chair of Network Architectures and Services Department of Informatics Technical University of Munich TLS Fingerprinting Techniques Zlatina Gancheva advised by Patrick Sattler, Lars Wstrich Friday 24 th January, 2020 Chair of Network

2.56k views • 20 slides
Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre

Beauty and the Beast: Diverting modern web browsers to build unique browser fingerprints Pierre Laperdrix, Walter Rudametkin, Benoit Baudry 2/19 Example of a fingerprint Attribute Value User agent Mozilla/5.0 (X11; Linux i686; rv:25.0)

215 views • 19 slides
RDKit (cheminformatics) Neo4j Integration Mentors: Christian Pilger (BASF) Presenter - Evgeny

RDKit (cheminformatics) Neo4j Integration Mentors: Christian Pilger (BASF) Presenter - Evgeny

RDKit (cheminformatics) Neo4j Integration Mentors: Christian Pilger (BASF) Presenter - Evgeny Sorokin Greg Landrum (RDKit) Stefan Armbruster (Neo4j) Motivation Neo4j = useful tool to map knowledge Chemical/pharmaceutical R&D:

726 views • 14 slides
VISABIO : French Biometric Visa System 1 CONTENTS Lessons learnt from the BIODEV 1 Pilot

VISABIO : French Biometric Visa System 1 CONTENTS Lessons learnt from the BIODEV 1 Pilot

VISABIO : French Biometric Visa System 1 CONTENTS Lessons learnt from the BIODEV 1 Pilot Project The VISABIO project : Perimeter, schedule, challenges Toward the future : connecting to the VIS project and automates at the border,

297 views • 13 slides
Homomorphic Sketches Shrinking Big Data without Sacrificing Structure Andrew McGregor University

Homomorphic Sketches Shrinking Big Data without Sacrificing Structure Andrew McGregor University

Homomorphic Sketches Shrinking Big Data without Sacrificing Structure Andrew McGregor University of Massachusetts ?=? Can test whether two n bit files are identical by comparing O(log n) bit fingerprints of each file. ? ? More generally,

721 views • 24 slides
Mi#ga#ng Browser Fingerprint Tracking: Mul#-level Reconfigura#on

Mi#ga#ng Browser Fingerprint Tracking: Mul#-level Reconfigura#on

Mi#ga#ng Browser Fingerprint Tracking: Mul#-level Reconfigura#on and Diversifica#on Pierre Laperdrix, Walter Rudametkin, Benoit Baudry Seams May, 19th

638 views • 25 slides
A Critical Evaluation of Website Fingerprinting Attacks Marc Juarez 1 Sadia Afroz 2 Gunes Acar 1

A Critical Evaluation of Website Fingerprinting Attacks Marc Juarez 1 Sadia Afroz 2 Gunes Acar 1

A Critical Evaluation of Website Fingerprinting Attacks Marc Juarez 1 Sadia Afroz 2 Gunes Acar 1 Claudia Diaz 1 Rachel Greenstadt 3 1 KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium 2 UC Berkeley, US 3 Drexel University, US CCS 2014, Scottsdale,

687 views • 49 slides

More recommend