do’s and don’ts of client authentication on the web

11/18/2003University of South Carolina1

Do’s and Don’ts of Client Authentication on the Web

Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster

MIT Laboratory for Computer Sciencehttp://cookies.lcs.mit.edu

Presenters:Vaibhav GowadiaCory Calmbacher

http://cookies.lcs.mit.edu/


Goal

Identify common mistakes in web authentication and recommend secure authentication protocol.


Outline

Security Objectives Security Requirements Limitations Proposed Design Case Studies Evaluation


Security Objectives

Authentication Confidentiality Privacy


What requires authentication?

Clients want to ensure that only authorized people can access and modify personal information that they share with Web sites.

Web sites want to ensure that only authorized users have access to the services and content it provides.


What requires confidentiality?

Online Brokerages

Auction sites

Banks

Online merchants


What requires privacy?


Outline



Security Requirements

Secure Authentication Granularity Secure against attacks


Secure Authentication Cryptography

Proper use of existing cryptographic tools preferred over designing new scheme

PasswordsPrimary means of authentication today

AuthenticatorsTokens presented by client to gain access to system


Use Cryptography Appropriately Use the appropriate amount of security Do not be inventive Do not rely on the secrecy of a protocol Understand the properties of

cryptographic tools Do not compose security schemes


Protect Passwords

Limit exposure of passwords Prohibit guessable password Reauthenticate before changing passwords


Handling of Authenticators

Make authenticators unforgeable Protect authenticators that must be

secret Limit lifetime of authenticators Bind authenticators to addresses Avoid using persistent cookies


Granularity

Fine-grainedUseful if specific authorization or accountability of user is required

Coarse-grained


Fine Grained

11/18/2003University of South Carolina16 Happy Gilmore


CLICK


Granularity

Fine-grainedUseful if specific authorization or accountability of user is required

Coarse-grainedUseful if partial user anonymity is desired


Coarse Grained


Attacks

Goal of adversary: Break an authentication scheme faster than by brute force

Types: Existential forgery

Forge authenticator for at least one user Selective forgery

Forge authenticator for any chosen user Replay attack Total break

Recovery of secret key used to mint authenticators


Adversaries

Interrogative Adversary Can query a Web server, but not see traffic Bases next query on previous query results

Eavesdropping AdversaryCan see traffic, but not modify

Active AdversaryCan see and modify all traffic


Outline



Security Model Limitations

PerformanceHigher security implies lower performance

User AcceptabilityNon-confrontational

DeployabilityUse protocols and technologies commonly available


Deployability

Cannot rely on hardware token systems (such as smart card readers)

Limit reliance on computationActiveXJavaJavaScriptSSL

Cookies!


What are Cookies?

Text file stored on client’s hard drive

Contains information about visitors to a website (such as username and preferences)

Types:• Persistent Cookies:

Stored on computer indefinitely (unless user deletes)• Ephemeral / Temporary Cookie:

Stored in browser’s memory and disappears when usercloses browser


Outline



Web-based Authentication



User

1. Username, Password

Is <username,password

> valid ?

2. Authentication Token

Server

Login Procedure



User

Is Authenticato

r valid ?

3. Request, Auth Token

4. Content

Server

Subsequent Requests


Features of Authenticator

Personalizable Stateless verification Server controls lifetime Can refer to session info on server


Cookie Recipe

IngredientsExpiration TimeData (Optional: Non-confidential info)

Procedureexp=&data=&digest=MAC(exp=

&data=)


Note

This recipe does not require session identifiers, i.e. #state is O(1)

Maintaining session ID’s is O(n) Session identifiers requires synchronized,

duplicated data between servers


Cookie Example

domain .wsj.comPath /cgiSSL? FALSEExpiration 941452067Variable name fastloginValue bitdiddleMaRdw2J1h6Lfc


Cookie Validation

Authentication:Server recalculates MAC

Revocation mechanism:Not provided


Security Analysis

Forging AuthenticatorSolution: MAC

Cookie hijackingSolution: SSL

Brute force Key SearchSolution: Key rotation


Outline



Case Studies

Vulnerability Website

No cryptography www.highschoolalumni.com

Trusting user input www.instant-shop.com

Leaking secrets www.sprintpcs.com

Predictable SN’s www.fatbrain.com

Misuse of cryptography www.wsj.com


High School Alumni


High School Alumni

Problem: No cryptographic authentication Adversary: Interrogative Break: Universal forgery Today: Sold to another reunion site


Instant Shop


Instant Shop: What’s Inside

<form action=commit sale.cgi><input type=hidden name=item1 value=10> Batteries $10 <input type=hidden name=item2 value=99> Biology textbook $99 <input type=hidden name=item3 value=25> Britney Spears CD $25 <input type=submit> Confirm purchase </form>


Instant Shop: What’s Inside

<form action=commit sale.cgi><input type=hidden name=item1 value=0> Batteries $10 <input type=hidden name=item2 value=0> Biology textbook $99 <input type=hidden name=item3 value=0> Britney Spears CD $25 <input type=submit> Confirm purchase </form>


Instant Shop

Problem: Server trusts users not to modify HTML variables

Adversary: Interrogative Today: Out of business


Sprint PCS


Sprint PCS

Problem: Secure content can leak through plaintext channels

Adversary: Eavesdropper Break: Replay


Fat Brain


Fat Brain

Start:https://www.fatbrain.com/HelpAccount.asp? t=0&[email protected]&p2=540555758

Try: https://www.fatbrain.com/HelpAccount.asp? t=0&[email protected]&p2=540555757

Target: https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555752


Fat Brain





Fat Brain

Problem: Customer can determine theauthenticator for any other user

Adversary: Interrogative Break: Selective forgery


Wall Street Journal


Wall Street Journal (WSJ)

Design: cookie = {user, MACk(user)}

Reality: cookie = user + UNIX-crypt (user + server secret)


Wall Street Journal (WSJ)

Problems:Usernames matching first 8 characters

have same authenticatorNo expiration

Adversary:Interrogative

Break:Universal forgery


Obtaining server secret (WSJ)

Chosen message attack Runs in max 128x8 queries rather than

intended 1288 queries.


How attack works

Secret guess username crypt input worked? bitdiddl bitdiddl


How attack works

Secret guess username crypt input worked? bitdiddl bitdiddl A bitdidd bitdiddA


How attack works

Secret guess username crypt input worked? bitdiddl bitdiddl B bitdidd bitdiddB


How attack works

Secret guess username crypt input worked? bitdiddl bitdiddl C bitdidd bitdiddC


How attack works

Secret guess username crypt input worked? bitdiddl bitdiddl D bitdidd bitdiddD


How attack works

Secret guess username crypt input worked? bitdiddl bitdiddl D bitdidd bitdiddDU bitdid bitdidDUD bitdi bitdiDUDE bitd bitdDUDE0 bit bitDUDE00 bi biDUDE007 B bDUDE007


Outline



Performance Evaluation

Crypt HMAC-SHA1

Input 8 bytes + 2 byte salt

27 bytes +20 byte key

Avg. Time 8.08 sec 41.4 sec

# Requests = 5000Amount of data retrieved = 400 bytes


Performance Evaluation

0200400600800

1000120014001600

HTTP SSL

Connections/second

11

1493


Comparison

Plain HTTP HTTP with basic authentication Always-authenticated FastCGI script


Do’s

Use standard protocols and technologies available

Use appropriate level of security Prohibit guessable passwords Limit exposure of passwords Limit lifetime of authenticators Sign what you mean!


Don’ts

Do not rely on the secrecy of protocol Avoid using persistent cookies Do not store session identifiers in

cookie Do not trust browser to expire cookies Do not trust client side data


References

Amazon http://www.amazon.com Ameritrade http://www.ameritrade.com Bank of America http://www.bankofamerica.com BellSouth http://home.bellsouth.net CNN Money http://money.cnn.com/services/portfolio/ Ebay http://www.ebay.com McCintosh Gourmet http://www.mcintoshgourmet.com/ MSN http://www.msn.com/ NetIQ http://www.netiq.com/ PBS http://pbskids.org/sesame/ USAirways http://www.usairways.com Yahoo http://mail.yahoo.com


Questions?

Enjoy your cookies

But Beware the Cookie Monster

do’s and don’ts of client authentication on the web

Documents