Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.

Slides:



Advertisements
Similar presentations
Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
Advertisements

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Online Security Tuesday April 8, 2003 Maxence Crossley.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
CMSC 414 Computer and Network Security Lecture 21 Jonathan Katz.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
11/18/2003University of South Carolina 1 Do’s and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster MIT Laboratory.
CMSC 414 Computer and Network Security Lecture 11 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 13 Jonathan Katz.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Part Two Network Security Applications Chapter 4 Key Distribution and User Authentication.
Remotely authenticating against the Service Framework.
Guomin Yang et al. IEEE Transactions on Wireless Communication Vol. 6 No. 9 September
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Chapter 21 Distributed System Security Copyright © 2008.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Strong Security for Distributed File Systems Group A3 Ka Hou Wong Jahanzeb Faizan Jonathan Sippel.
Authentication 3: On The Internet. 2 Readings URL attacks
1 Lecture 9: Cryptographic Authentication objectives and classification one-way –secret key –public key mutual –secret key –public key establishing session.
Digital Signatures, Message Digest and Authentication Week-9.
Attacks Overview Nguyen Cao Dat 1. BK TP.HCM Outline  Cryptographic Attacks ▫ Frequency analysis ▫ Brute force attack ▫ Meet-in-the-middle attack ▫ Birthday.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Ch. 7 -Attacking Session Management Latasha A. Gibbs CSCE 813 – Internet Security, Fall 2012 College of Engineering and Computing University of South Carolina.
Key Management Network Systems Security Mort Anvari.
Lecture 11 Overview. Digital Signature Properties CS 450/650 Lecture 11: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
SPEAKER: HONG-JI WEI DATE: Efficient and Secure Anonymous Authentication Scheme with Roaming Used in Mobile Networks.
Introduction to Network Systems Security Mort Anvari.
Lecture 9 Overview. Digital Signature Properties CS 450/650 Lecture 9: Digital Signatures 2 Unforgeable: Only the signer can produce his/her signature.
Fall 2006CS 395: Computer Security1 Key Management.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
Cryptography CSS 329 Lecture 13:SSL.
1 Cryptography CSS 329 Lecture 12: Kerberos. 2 Lecture Outline Kerberos - Overview - V4 - V5.
Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Database architecture and security Workshop 4.
Fourth Edition by William Stallings Lecture slides by Lawrie Brown
Cryptography and Network Security Chapter 14 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Web Server Management: Securing Access to Web Servers Jon Warbrick University of Cambridge Computing Service.
Srinivas Balivada USC CSCE548 07/22/2016.  Cookies are generally set server-side using the ‘Set-Cookie’ HTTP header and sent to the client  In PHP to.
The Two “Auth-” Operations
Secure Sockets Layer (SSL)
Originally by Yu Yang and Lilly Wang Modified by T. A. Yang
Using SSL – Secure Socket Layer
CSE 4095 Transport Layer Security TLS
The Secure Sockets Layer (SSL) Protocol
Presentation transcript:

Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales

2 Overview Web client authentication Limitations Requirements Security models Interrogative Adversary Hints for designing a secure client authentication scheme Analysis of the scheme

3 Introduction Client authentication: a common requirement Many schemes are very weak Home-made Careless implementation Misunderstanding of how different tools work Balance between usability and security Lack of a client authentication infrastructure Lack of control over user interfaces

4 Client Authentication and Limitations Client authentication: The problem Client side Server side For this paper: Client authentication: “proving the identity of a client (or user) to a server on the Web”. Sources of confusion Authentication vs. confidentiality

5 Practical Limitations Deployability Technology must be widely deployed HTTP is stateless and sessionles Client must provide authentication token Useful but high overhead Javascript, Flash, Schockwave… User Acceptability Performance SSL: computational cost of initial handshaking

6 Types of Breaks Breaks Existential Forgery Forge authenticator for at least one user Example: subscription services Selective Forgery Forge authenticator for a particular user Must construct a new authenticator Total Break Most serious Recovery of a key used to mint authenticators

7 Types of Adversaries Interrogative Adversary Can make queries of a Web server Adaptively choose next query Adaptive chosen message attack Eavesdropping Adversary Can sniff the network Replay authenticators Active Adversary Can see and modify traffic between client and server Man-in-the-middle attack

8 Hints for Web Client Authentication Use Cryptography Appropriately Protect Passwords Handle Authenticators Carefully

9 Use cryptography appropriately Appropriate amount of security Keep It Simple, Stupid Do not be inventive Designers should be security experts Do not rely on the secrecy of a protocol Vulnerable to exposure Understand the properties of cryptographic tools Example: Crypt() Do not compose security schemes Hard to foresee the effects

10 Crypt()

11 Protect Passwords Limit exposure Don’t send it back to the user (much less in the clear) Authenticate using SSL vs. HTTP Prohibit guessable passwords No dictionary passwords Reauthenticate before changing passwords Avoid replay attack

12 Handle authenticators carefully Make authenticators unforgeable highschoolalumni.com If using keys as session identifier: should be cryptographically random Protect from tampering (MAC) Protect authenticators that must be secret Authenticator as cookie Sent by SSL Don’t forget the flag! (SprintPCS) Authenticator as part of URL

13 Handle authenticators carefully (cont.) Avoid using persistent cookies Persistent vs. ephemeral cookies Cookie files on the web Limit the lifetime of authenticators Encrypt the timestamp Secure binding limits the damage from stolen authenticators Bind authenticators to specific network addresses Increases the difficulty of a replay attack

14 Their Design Provides request and content authentication Stateless Secure against interrogative adversary On top of SSL: secure against an active adversary

15 Their Design (cont.)

16 Their Design (cont.) Cookie Recipe exp=t&data=s&digest=MAC k (exp=t&data=s) Requires non-malleable MAC  HMAC-MD5  HMAC-SHA1 Timestamp tradeoffs

17 Authentication and Revocation Authentication →retrieve cookie’s timestamp. If valid, →recalculate the MAC in the digest Revocation Relies expiration timestamp Revoke all authenticators rotate server key

18 Security Analysis Forging Authenticators Adversary tries to forge a new authenticator Adversary tries to extend authenticator capabilities Modify expiration Modify data string Adversary fails Used non-malleable MAC Verifier cannot be calculated by adversary without the key

19 Security Analysis (cont.) Authenticator hijacking Eavesdropping adversary can perform a replay attack Limited duration attack As long as the expiration SSL can provide confidentiality Eavesdropper fails Brute force Cannot get the key to hash function from the cyphertext Rotate the key

20 Implementation Performance

21 Conclusion Client authentication is commonly required Many schemes are weak Authors propose a set of simple hints Appropriate use of cryptography Passwords must be protected Authenticators must be protected Authors’ design secure against interrogator adversary Also against active adversary if on top of SSL

22 Any questions?

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.