MIT 6 857 - Dos and Don’ts of Client Authentication on the Web
Dos and Don’ts of Client Authentication on the Web
Kevin Fu
MIT Computer Science and AI Lab

What this talk is about
• Improving the security of client authentication on the Web

Where are we now?
• We have HTTP authentication
• We’ve had SSL for nearly a decade
• Client authentication should be easy, right?

Many Web sites get it wrong
Site                   Security problem
WSJ.com                crypto misuse, secret key exposed
tiffany.com            SQL injection
opentable.com          guessable user IDs
cooking.com            guessable user IDs
SprintPCS.com          leaks authenticator in plaintext
FatBrain.com           predictable session ID
HighSchoolAlumni.com   circumvent password authentication
PerformanceBike.com    predictable session ID
ihateshopping.net      circumvent password authentication

Toolkits are vulnerable too
Toolkit              Security problem
BlueMartini          missing authentication check
Allaire ColdFusion   predictable session IDs, LCNG
ArsDigita ACS        signs ambiguous messages
Jakarta TomCat       predictable session IDs, random seed
PHP                  session IDs based on time of day

How is it done?
So how do Web sites implement user authentication?

Chris Rock on Web authentication

Cookies: what are they?
• A Web server can store key/value pairs on a client
• The browser resends cookies in subsequent requests to the server
• Cookies can implement login sessions

Sample cookie
Domain          .wsj.com
Path            /cgi
SSL?            FALSE
Expiration      941452067
Variable name   fastlogin
Value           bitdiddleMaRdw2J1h6Lfc

Cookies for login sessions
1. Web browser -> Web server: POST /login.cgi
2. Web server -> Web browser: Set-Cookie: authenticator, together with the "Welcome in" Web page
3. Web browser -> Web server: GET /restricted/index.html, sending Cookie: authenticator
4. Web server -> Web browser: content of restricted page

What adversaries do we fear?
• Interrogative adversary: adaptively query a server
• Passive adversary: eavesdrop on traffic
• Active adversary: modify/inject traffic, man-in-the-middle attack
A system must AT LEAST protect against the interrogative adversary!

Interrogative adversary
• Adaptively query a Web server a reasonable number of times
• Treat server as an oracle for an adaptive chosen message attack
• Extremely limited, but surprisingly powerful

Types of breaks
• Replay
• Existential forgery
• Selective forgery
• Total break

The cookie crumbles...
Many Web sites have invented their own homebrew cookie-based authentication schemes.

Case studies of Web authentication
• Lack of cryptography: HighSchoolAlumni.com
• Trusting user input: Instant Shop
• Leaking secrets: SprintPCS.com
• Predictable sequence numbers: FatBrain.com
• Missing authentication check: BlueMartini
• Misuse of cryptography: WSJ.com

Lack of cryptography
• Site: HighSchoolAlumni.com
• Problem: No cryptographic authentication
• Adversary: Interrogative
• Break: Universal forgery
• Today: Sold to another reunion site

Instant Shop: What’s inside
  <form action=commit sale.cgi>
  <input type=hidden name=item1 value=10> Batteries $10
  <input type=hidden name=item2 value=99> Biology textbook $99
  <input type=hidden name=item3 value=25> Britney Spears CD $25
  <input type=submit> Confirm purchase
  </form>

Instant Shop: Malicious user
  <form action=commit sale.cgi>
  <input type=hidden name=item1 value=0> Batteries $10
  <input type=hidden name=item2 value=0> Biology textbook $99
  <input type=hidden name=item3 value=0> Britney Spears CD $25
  <input type=submit> Confirm purchase
  </form>

Trusting user input
• Site: Instant Shop
• Problem: Server trusts users not to modify HTML variables
• Adversary: Interrogative
• Today: Out of business

Leaking secrets
• Site: SprintPCS.com
• Problem: Secure content can leak through plaintext channels
• Adversary: Eavesdropper
• Break: Replay
• Today: A leading provider of mobile phone service...

FatBrain URL authenticator
Start:   https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555758
Try:     https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555757  ✘
Try:     https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555756  ✘
Try:     https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555755  ✘
Try:     https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555754  ✘
Try:     https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555753  ✘
Try:     https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555752  ✔
Target:  https://www.fatbrain.com/HelpAccount.asp?t=0&[email protected]&p2=540555752

Predictable sequence numbers
• Site: FatBrain.com
• Problem: Customer can determine the authenticator for any other user
• Adversary: Interrogative
• Break: Selective forgery
• Today: Acquired by Barnes & Noble

FatBrain response
“It’s frustrating that programmers ... continue to fall prey to the same old tricks. Simple problems like lazy sequence numbers and buffer overflows in most cases can be easily eliminated if we as programmers would be a little vigilant about sound design and solid code reviews. I just *love* being at work on a Friday at midnight managing unscheduled production releases. :)”

Missing authentication check
• Sites: saksfifthavenue.com, kohls.com, iomega.com, et al
• Problem: Customers can download order history of all users
• Adversary: Interrogative
• Break: Universal
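The "Cookies for login sessions" exchange and the FatBrain "predictable sequence numbers" case together describe what the authenticator in step 2 has to be: unguessable by an interrogative adversary, unforgeable by a client that edits it, and bounded in how long a captured copy can be replayed. The block below is an added example written for these notes, not code from the talk or from any of the sites it names. It mints and verifies a `username|expiry|nonce|tag` cookie value with a CSPRNG nonce and an HMAC tag; `SERVER_KEY`, the field layout, the `|` separator and the cookie attributes in `set_cookie_header` are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed key for this example only; a real server loads it from a secret store,
# never from source. Its secrecy is what makes the tag unforgeable.
SERVER_KEY = b"example-key-constructed-for-this-snippet"

SEPARATOR = "|"


def issue_authenticator(username: str, ttl_seconds: int = 3600,
                        now: Optional[int] = None) -> str:
    """Mint the cookie value the server sends in step 2 of the login exchange.

    Layout: username|expiry|nonce|tag. The nonce comes from the OS CSPRNG, so two
    logins by the same user yield unrelated values and one user's authenticator
    says nothing about another's (contrast the FatBrain p2 counter, which is
    guessable from a neighbouring value). The tag is an HMAC over the other three
    fields under SERVER_KEY, so a client that edits any field invalidates the cookie.
    """
    if not username or SEPARATOR in username:
        # Keep the encoding unambiguous: a username containing the separator could
        # make two different (username, expiry, nonce) triples serialise identically,
        # the "signs ambiguous messages" problem from the toolkit table.
        raise ValueError("username must be non-empty and must not contain the separator")
    now = int(time.time()) if now is None else now
    expiry = now + ttl_seconds
    nonce = secrets.token_hex(16)
    payload = SEPARATOR.join((username, str(expiry), nonce))
    tag = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + SEPARATOR + tag


def verify_authenticator(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Check the Cookie: value presented in step 3; return the username or None.

    The MAC is checked before any field is interpreted, and the comparison is
    constant-time so the server does not act as a byte-by-byte oracle for the tag.
    """
    now = int(time.time()) if now is None else now
    parts = cookie.split(SEPARATOR)
    if len(parts) != 4:
        return None
    username, expiry_str, nonce, tag = parts
    payload = SEPARATOR.join((username, expiry_str, nonce))
    expected = hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    if not expiry_str.isdigit() or int(expiry_str) < now:
        return None  # expired: bounds the window in which a captured cookie can be replayed
    return username


def set_cookie_header(value: str) -> str:
    """Build the Set-Cookie line for step 2.

    The sample cookie on the slide has SSL? = FALSE. Marking the cookie Secure keeps
    the browser from resending it over plaintext HTTP, the channel through which the
    SprintPCS authenticator leaked; HttpOnly keeps page scripts from reading it.
    """
    return f"Set-Cookie: authenticator={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    cookie = issue_authenticator("bitdiddle", ttl_seconds=60, now=1000)
    print(set_cookie_header(cookie))
    print("valid at t=1030:", verify_authenticator(cookie, now=1030))
    print("valid at t=1061:", verify_authenticator(cookie, now=1061))
```

The scheme stops forgery and guessing but not replay within the TTL: that is the "Replay" entry in the types-of-breaks list, and the expiry only shortens the window. Revoking a stolen cookie before it expires needs server-side state (a session table or a per-user key version), which this stateless design deliberately omits.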
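The Instant Shop slides show the server believing the hidden `value` fields as prices, so the "malicious user" form checks out at $0. As an added example (not code from the talk or from Instant Shop), the block below puts that trusting calculation beside a hardened one in which the posted form only names items and quantities and the server prices them from its own catalogue. The catalogue, the `MAX_QUANTITY` limit and the decision to treat the posted value as a quantity are assumptions made for the example.

```python
from decimal import Decimal
from typing import Dict, Tuple

# Constructed catalogue mirroring the three items on the Instant Shop slide.
# The price lives here, on the server, and nowhere in the HTML sent to the client.
CATALOGUE: Dict[str, Tuple[str, Decimal]] = {
    "item1": ("Batteries", Decimal("10")),
    "item2": ("Biology textbook", Decimal("99")),
    "item3": ("Britney Spears CD", Decimal("25")),
}

MAX_QUANTITY = 100  # assumed business limit for this example


def total_trusting_form(form: Dict[str, str]) -> Decimal:
    """The Instant Shop pattern: each hidden field's value is taken as the price.

    Whatever the browser posts is believed, so a form with every value edited to 0
    totals $0. Kept here only to contrast with the hardened version below.
    """
    return sum((Decimal(v) for k, v in form.items() if k.startswith("item")),
               Decimal("0"))


def total_from_catalogue(form: Dict[str, str]) -> Decimal:
    """Hardened version: the form says which items and how many; the server prices them.

    Every field is validated: the item must exist in the catalogue and the
    quantity must be an integer in [1, MAX_QUANTITY]. A submission that fails any
    check is rejected outright rather than partially honoured, so an edited field
    cannot lower the total below what the catalogue dictates.
    """
    total = Decimal("0")
    for key, raw_qty in form.items():
        if key not in CATALOGUE:
            raise ValueError(f"unknown item {key!r}")
        if not raw_qty.isdigit():
            raise ValueError(f"quantity for {key!r} is not a non-negative integer")
        qty = int(raw_qty)
        if not 1 <= qty <= MAX_QUANTITY:
            raise ValueError(f"quantity {qty} for {key!r} out of range")
        _, unit_price = CATALOGUE[key]
        total += unit_price * qty
    return total


if __name__ == "__main__":
    # Constructed submissions: the slide's honest form and its zeroed-out copy.
    honest = {"item1": "10", "item2": "99", "item3": "25"}
    zeroed = {"item1": "0", "item2": "0", "item3": "0"}
    print("trusting, honest form:", total_trusting_form(honest))
    print("trusting, zeroed form:", total_trusting_form(zeroed))
    print("catalogue, one of each:", total_from_catalogue({"item1": "1", "item2": "1", "item3": "1"}))
    try:
        total_from_catalogue(zeroed)
    except ValueError as exc:
        print("catalogue, zeroed form rejected:", exc)
```

The same rule generalises past prices: any hidden field, cookie or URL parameter is client-controlled input, and the server must either recompute the value from its own state or bind it cryptographically so that an edit is detected.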