Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.

Published byCecily Ball Modified over 8 years ago

Similar presentations

Presentation on theme: "Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales."— Presentation transcript:

1 Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales

2 2 Overview Web client authentication Limitations Requirements Security models Interrogative Adversary Hints for designing a secure client authentication scheme Analysis of the scheme

3 3 Introduction Client authentication: a common requirement Many schemes are very weak Home-made Careless implementation Misunderstanding of how different tools work Balance between usability and security Lack of a client authentication infrastructure Lack of control over user interfaces

4 4 Client Authentication and Limitations Client authentication: The problem Client side Server side For this paper: Client authentication: “proving the identity of a client (or user) to a server on the Web”. Sources of confusion Authentication vs. confidentiality

5 5 Practical Limitations Deployability Technology must be widely deployed HTTP is stateless and sessionles Client must provide authentication token Useful but high overhead Javascript, Flash, Schockwave… User Acceptability Performance SSL: computational cost of initial handshaking

6 6 Types of Breaks Breaks Existential Forgery Forge authenticator for at least one user Example: subscription services Selective Forgery Forge authenticator for a particular user Must construct a new authenticator Total Break Most serious Recovery of a key used to mint authenticators

7 7 Types of Adversaries Interrogative Adversary Can make queries of a Web server Adaptively choose next query Adaptive chosen message attack Eavesdropping Adversary Can sniff the network Replay authenticators Active Adversary Can see and modify traffic between client and server Man-in-the-middle attack

8 8 Hints for Web Client Authentication Use Cryptography Appropriately Protect Passwords Handle Authenticators Carefully

9 9 Use cryptography appropriately Appropriate amount of security Keep It Simple, Stupid Do not be inventive Designers should be security experts Do not rely on the secrecy of a protocol Vulnerable to exposure Understand the properties of cryptographic tools Example: Crypt() Do not compose security schemes Hard to foresee the effects

10 10 Crypt()

11 11 Protect Passwords Limit exposure Don’t send it back to the user (much less in the clear) Authenticate using SSL vs. HTTP Prohibit guessable passwords No dictionary passwords Reauthenticate before changing passwords Avoid replay attack

12 12 Handle authenticators carefully Make authenticators unforgeable highschoolalumni.com If using keys as session identifier: should be cryptographically random Protect from tampering (MAC) Protect authenticators that must be secret Authenticator as cookie Sent by SSL Don’t forget the flag! (SprintPCS) Authenticator as part of URL

13 13 Handle authenticators carefully (cont.) Avoid using persistent cookies Persistent vs. ephemeral cookies Cookie files on the web Limit the lifetime of authenticators Encrypt the timestamp Secure binding limits the damage from stolen authenticators Bind authenticators to specific network addresses Increases the difficulty of a replay attack

14 14 Their Design Provides request and content authentication Stateless Secure against interrogative adversary On top of SSL: secure against an active adversary

15 15 Their Design (cont.)

16 16 Their Design (cont.) Cookie Recipe exp=t&data=s&digest=MAC k (exp=t&data=s) Requires non-malleable MAC  HMAC-MD5  HMAC-SHA1 Timestamp tradeoffs

17 17 Authentication and Revocation Authentication →retrieve cookie’s timestamp. If valid, →recalculate the MAC in the digest Revocation Relies expiration timestamp Revoke all authenticators rotate server key

18 18 Security Analysis Forging Authenticators Adversary tries to forge a new authenticator Adversary tries to extend authenticator capabilities Modify expiration Modify data string Adversary fails Used non-malleable MAC Verifier cannot be calculated by adversary without the key

19 19 Security Analysis (cont.) Authenticator hijacking Eavesdropping adversary can perform a replay attack Limited duration attack As long as the expiration SSL can provide confidentiality Eavesdropper fails Brute force Cannot get the key to hash function from the cyphertext Rotate the key

20 20 Implementation Performance

21 21 Conclusion Client authentication is commonly required Many schemes are weak Authors propose a set of simple hints Appropriate use of cryptography Passwords must be protected Authenticators must be protected Authors’ design secure against interrogator adversary Also against active adversary if on top of SSL

22 22 Any questions?

Download ppt "Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales."

Similar presentations

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.

Client Puzzles A Cryptographic Defense Against Connection Depletion Attacks Most of slides come from Ari Juels and John Brainard RSA Laboratories.
CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 22 Jonathan Katz.
Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)

Key Management. Shared Key Exchange Problem How do Alice and Bob exchange a shared secret? Offline – Doesnt scale Using public key cryptography (possible)
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 12 Jonathan Katz.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,

1 © NOKIA MitM.PPT/ 6/2/2015 / Kaisa Nyberg (NRC/MNW), N.Asokan (NRC/COM) The Insecurity of Tunnelled Authentication Protocols N. ASOKAN, VALTTERI NIEMI,
 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.

 Key exchange o Kerberos o Digital certificates  Certificate authority structure o PGP, hierarchical model  Recovery from exposed keys o Revocation.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Feb 25, 2003Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

Similar presentations

Ads by Google