
BeamAuth: Two-Factor Web Authentication with a Bookmark. 14th ACM Conference on Computer and Communications Security. Ben Adida. Presenter: SJ Park.




Slide 1: BeamAuth: Two-Factor Web Authentication with a Bookmark
14th ACM Conference on Computer and Communications Security
Ben Adida
Presenter: SJ Park

Slide 2: Table of Contents
- Introduction
- Goals
- BeamAuth Basic
- BeamAuth Protocol
- Example
- Attacks
- Summary

Slide 3: Web Authentication Security
- Passive sniffing: attacks enabled by insecure Wi-Fi access points, unswitched local wired networks, or corporate proxies
- Social engineering: techniques that exploit specific traits of human decision-making; examples: phishing, pharming
- Desktop compromise: the desktop PC is compromised with malware, which leaves zero guarantee of any security
(Introduction 1/2)

Slide 4: Fragment Identifier
- Purpose: designates a portion of a page; web browsers scroll to the appropriate location
- Example: http://example.org/stuff#paragraph4
- Characteristics:
  - Web browsers never send it over the network.
  - The page is not reloaded during navigation between fragment identifiers.
(Introduction 2/2)

Slide 5: Goals
- Keeping credentials safe against many types of phishing attack (social engineering)
- Requiring only server-side deployment
- Building better security in the application layer

Slide 6: URL Fragment Identifier
- Resolution of a fragment identifier
  - Example: http://hostname/rest/of/url#fragment_id
  - Procedure:
    - Connect to host hostname on port 80
    - Request /rest/of/url and render the HTML page
    - Scroll the viewport to the position indicated by fragment_id, if it exists
  - The fragment ID is never sent over the network.
- Navigation: navigation between fragments within the same URL does not cause a page reload.
(BeamAuth Basic 1/2)

Slide 7: JavaScript Features
- Variable and method for fragments
  - JavaScript variable for the fragment identifier: window.location.hash
  - Updating the URL without a reload or history entry: window.location.replace()
- Source code:

    var hash = document.location.hash;
    if (hash != '') {
      // parse the hash, get username and token
      parse_beamauth_hash(hash);
      // clear the hash from the URL so the token no longer shows in the address bar
      document.location.replace('/login');
    }

(BeamAuth Basic 2/2)

Slide 8: General Idea
(BeamAuth Protocol 1/4)

Slide 9: Setup Phase
- The user registers an ID and password.
- The user is authenticated through a second-channel mechanism such as an email mail-back: she clicks the verification URL in the email.
  - Example: https://site.com/confirm?vc=
- The web page the user reaches provides her with a link, which she adds as a bookmark:
  - https://site.com/get-bookmark#[username|secret_token]
  - bookmark_link.href = 'https://site.com/login' + window.location.hash;
(BeamAuth Protocol 2/4)

Slide 10: Re-Initialization
- When is re-initialization required?
  - The user deletes the BeamAuth bookmark by mistake
  - The user uses several web browsers
  - The user uses multiple computers
- Solutions:
  - Instruct the user to keep the signup email
  - Use bookmark synchronization tools
(BeamAuth Protocol 3/4)

Slide 11: Mechanism
- How the token is hidden from the user
  - The BeamAuth login page contains JavaScript.
  - This script regularly polls the value of the fragment ID.
  - After reading it, the poller updates the URL by calling replace(), which removes the token from the address bar.
- How the token is used for authentication
  - The login page computes an HMAC of the password keyed with the secret token.
  - The login page securely submits the resulting credential to the server, so the raw token never leaves the browser.
(BeamAuth Protocol 4/4)

Slide 12: Registration
(Example 1/7)

Slide 13: Second Channel Authentication
(Example 2/7)

Slide 14: Setting Up a Bookmark
(Example 3/7)

Slide 15: Adding a Bookmark
(Example 4/7)

Slide 16: BeamAuth Authentication
(Example 5/7)

Slide 17: Inputting a Password
(Example 6/7)

Slide 18: Authentication Completion
(Example 7/7)

Slide 19: Attacks (1/2)
- Phishing with a deceitful URL (an unsophisticated phishing attack): the password is compromised, but the token is safe.
- Overriding page unload: the user can no longer log in, but the token is safe.
- Malicious bookmark replacement using a spoofed email: the token and password are safe.
- Explicit bookmark theft: the token is compromised, and the password can then be compromised via phishing.

Slide 20: Attacks (2/2)
- Attacking the email account: the token is compromised, and the password can then be compromised via phishing.
- Using the victim's computer: the token is compromised, and the password can then be compromised via phishing.
- Pharming inattentive users: malicious code sent down to the browser reads the fragment ID; everything is compromised.
- Malware and client compromise: everything is compromised.

Slide 21: Summary
- BeamAuth uses:
  - A bookmark as the second authentication factor
  - A token delivered via a separate channel (email)
  - The fragment identifier to store the token

