| Javascript Feeds RSS Feed Security Dashboard | SearchSecurity.com |
Although we give advice on how to perform client authentication on the Web, we certainly do not advocate having everyone design their own security systems. Rather, we hope that these hints will assist researchers and developers of Web client authentication and dissuade persons unfamiliar with security from implementing home-brew solutions.
The hints fall into three categories. Section 3.1
discusses the appropriate use of cryptography.
Section 3.2 explains why passwords must be
protected. Section 3.3 offers suggestions
on how to protect authenticators.
On the other hand, Open Market published their design and implementation [29], and Yahoo [47] provided us with the complete details of their authentication system. We believe these schemes are reasonably strong; for more details see the relevant sections of our technical report [18].
Instead of relying on the secrecy of the scheme, rely on the secrecy
of a well-selected set of keys. Ensure that the protocol is public so
that it can be reviewed for flaws and improved. This will lead to a
more secure system than a private protocol which appears undefeatable
but may in practice be fairly easy to break. If you are hesitant to
reveal the details of an authentication scheme, then it may be
vulnerable to attack by an interrogative adversary.
Understand the properties of cryptographic tools
When designing an authentication scheme, cryptographic tools are
critical. These include hash functions such as
SHA-1 [15], authentication codes like
HMAC [24], and higher-level protocols like
SSL [11]. The properties each tool must be understood.
For example, SSL alone does not provide user authentication. Although SSL can authenticate users with X.509 client certificates, commercial Web sites rarely use this feature because of PKI deployment problems. Instead, SSL is used to provide confidentiality for authentication tokens and data. However, confidentiality does not ensure authentication.
Misunderstanding the properties of SSL made FatBrain.com vulnerable to selective forgeries by an interrogative adversary. In an earlier scheme, their authenticator consisted of a username and a session identifier based on a global sequence number. Since this number was global, an interrogative adversary could guess the session identifier for a chosen victim and make an SSL request with this session identifier. Here, the use of SSL did not make the system secure.
A more detailed example comes from a misuse of a hash function. One commonly (and often incorrectly) used input-truncating hash function is the Unix crypt() function. It takes a string input and a two-character salt to create a thirteen-character hash [31]; it is believed to be almost as strong as the underlying cryptographic cipher, DES [44]. However, crypt() only considers the first eight characters of its string input. This truncation property must be taken into account when using it as a hash.
The original WSJ.com authentication system failed to do so, which made our break possible. Since the input to crypt() was the username concatenated with the server secret, the truncation property of crypt() meant that the secret would not be hashed if the username was at least eight characters long. This means authenticators for long usernames can be easily created, merely with knowledge of the username. Additionally, the algorithm will produce an identical authenticator for all usernames that match in the first eight characters. This can be seen in Figure 1.
 |
It is likely that WSJ.com expected this construction to act like a secure message authentication code (MAC). A message authentication code is a one-way function of both its input and a secret key that can be used to verify the integrity of the data [43]. The output of the function is deterministic and relatively short (usually sixteen to twenty bytes). This means that it can be recalculated to verify that the data has not been tampered with.
However, the WSJ.com authenticator was just a deterministic value which could always be computed from the first eight characters of the username and a fixed secret. While HTTP Basic authentication [16] (which uses no cryptography at all) is secure against an existential forgery of an interrogative adversary, the original WSJ.com scheme fell to a total break by the interrogative adversary.
Thus, when possible you should use a secure message authentication
code. Certain cryptographic constructions have subtle
weaknesses [31], so you should take great care in
choosing which algorithm to employ. We recommend the use of
HMAC-SHA1 [24]. This algorithm prevents many attacks known
to defeat simple constructions. However, as we will see in
Section 6, use of secure message authentication
code is more expensive than an input-truncating hash such as crypt().
Do not compose security schemes
It is difficult to determine the effects of composing two different
security systems. Breaking one may allow an adversary to break the
other. Worse, simply composing the schemes may have adverse
cryptographic side effects, even if the schemes are secure in
isolation. Menezes et al explain in remark 10.40 how using a single key
pair for multiple purposes can compromise security [31].
The use of a single key for authentication and confidentiality leads
to compromise of both if that key is stolen. On the other hand,
if separate keys are used, a break of the authentication will not
affect the confidentiality of past messages and vice versa.
FatBrain.com had two separate user authentication
systems. To purchase a book, a user entered a username and password
at the time of purchase. Future purchases required reauthentication.
The account management Web pages had a separate security scheme which
was stateful. After the user entered a username and password,
FatBrain established a session identifier in the URL path. In this
way, users could navigate to other parts of the account management
system without having to tediously re-enter the password.
Unfortunately, the security hole discussed in
Section 3.3 allowed an adversary to gain
access to the account management system for an arbitrary user by
guessing a valid session identifier. The account management system
includes an option to change a user's registered email address. By
changing the email address of a victim's account and then selecting
``mail me my password,'' an adversary could break into to the book
purchasing part of the system, despite the fact that it was secure in
isolation.
Even for non-secure Web sites, users should have the option to
authenticate over SSL. That is, users should not type passwords over
HTTP. Passwords sent over HTTP are visible to eavesdropping
adversaries sniffing the network and active adversaries impersonating
servers. Because users often have the same password on multiple
servers, a stolen password can be extremely damaging. To protect
against such attacks, a server could require users to conduct the
login over an SSL connection to provide confidentiality for the
password exchange; upon successful completion of the login exchange,
the server can then set a cookie with an unforgeable authenticator for
use over HTTP. The authenticator can be designed to limit the spread
of damage, whereas passwords can not.
Prohibit guessable passwords
Many Web sites advise users to choose memorable passwords such as
birthdays, names of friends or family, or social security numbers.
This is extremely poor advice, as such passwords are easily guessed by an
attacker who knows the user. Even without bad advice,
passwords are fairly guessable [33]. Thus,
servers ought to prohibit users from using any password found in a
dictionary; such passwords are vulnerable to dictionary attacks.
Servers can reduce the effectiveness of on-line dictionary attacks by
restricting the number of failed login attempts or requiring a short
time delay between login attempts.
Unfortunately, implementing this requirement will make a Web site less
appealing to use since it makes passwords harder to remember.
Reauthenticate before changing passwords
In security-sensitive operations such as password changing, a server
should require a user to reauthenticate. Otherwise, it may be
possible for an adversary to replay an authentication token and force
a password change, without actual knowledge of the current password.
Authenticators often contain keys that function as session identifiers. These identifiers should be cryptographically random; statistical randomness is not sufficient. The Allaire Cold Fusion Web server issues CFTOKEN session identifiers which come from a linear congruential number generator [2]. As described above, FatBrain.com used essentially a global sequence number. While these numbers may be appropriate for tracking users, it is possible for an adversary to deduce the next output, and hence the next valid session identifier. This may allow the adversary access the information of another user.
Authenticators may also contain other information that the system will accept to be true. Thus, they must also be protected from tampering. This is done by use of a message authentication code (MAC). Because message authentication codes require a secret key, only an entity with knowledge of the key can recreate a valid code. This makes the codes unforgeable since no adversary should possess the secret key. Use only strong cryptographic hash functions. Do not use CRC codes or other non-cryptographic hashes, as such functions are often trivial to break.
Relatedly, when combining multiple pieces of data to input into a
message authentication code, be sure to unambiguously separate the
components. Since most inputs are text, this can be done using some
character that is known not to appear in the input fragments. If
components are not clearly separated, multiple inputs can lead to the
same outputs. For example, "usernameaccess" could come from
"username" followed by "access" or "user" followed by
"nameaccess"; better to write "username&access" to ensure that the
interpretation is unambiguous. Of course, care must be taken to
prevent the username from containing an ampersand!
Protect authenticators that must be secret
Some systems believe that they are secure against eavesdropping adversaries
because they send their authenticators over SSL. However, a secure
transport is ineffective if the authenticators leak through plaintext
channels. We describe two ways that authenticators are sent over
SSL and mistakes which can lead to the authenticator leaking into
plaintext.
One method is to set the authenticator as a cookie. When doing so, it is usually appropriate to set the Secure flag on cookies sent over SSL. When set to true, this flag instructs a Web browser to send the cookie over SSL only. A number of SSL Web sites neglect to set this flag. This simple error can completely nullify the useful properties of SSL. For instance, customers of SprintPCS can view their account information and make equipment purchases online. To authenticate, a user enters a phone number and password over SSL. SprintPCS then sets a cookie which acts as an authenticator. Anyone with the cookie can log in as that user. The protocol so far is reasonably secure. However, because SprintPCS does not set the Secure flag on their authentication cookie, the authenticator travels in plaintext over HTTP whenever a user visits the main SprintPCS Web page. We believe that SprintPCS intended to protect against eavesdropping adversaries. Nevertheless, a eavesdropping adversary can access a victim's account with a replay because the cookie authenticator leaks over HTTP.
A second method of setting an authenticator is to include it as part of the URL. Though the HTTP 1.1 specification [14] recommends against this, it easy to do and sites still use this. The problem with this method is that it too can leak authenticators through plaintext channels. If a user follows a link from one page to another, the Web browser usually sends the Referer [sic] header. This field includes the URL of the page from which the current request originated. As described in Section 14.36 of the HTTP specification, the Referer field is normally used to allow a server to trace back-links for logging, caching, or maintenance purposes. However, if the URL of the linking page includes the authenticator, the server will receive a copy of the authenticator in the HTTP header. Section 15.1.3 of the specification recommends that clients should not include a Referer header in a non-secure HTTP request if the referring page was transferred with a secure protocol for exactly this reason. However, this is not a requirement; browsers such as Netscape and Lynx send the Referer header anyway without any warning.
This can be exploited via a cross-site scripting attack [9]. An adversary can cause a user to execute arbitrary code and offer the user a link from a secure URL including the authenticator (that appears legitimate) to a link of the adversary's choosing. If the user selects the link, the Referer field in the request may include the authenticator, making it available to a eavesdropping adversary. Worse, the link could point to the adversary's machine. Then no eavesdropping is necessary to capture the authenticator. If the attacker is clever and uses an SSL server to host the attack, most browsers will not indicate that anything untoward is happening since they only warn users about transitions from SSL to non-SSL links.
Therefore, be careful when setting authenticators in cookies and
follow the recommendation of the HTTP 1.1 specification by not using
authenticators in URLs.
Avoid using persistent cookies
A persistent cookie is written to a file on the user's system;
an ephemeral or temporary cookie is only stored in the
browser's memory and disappears when the user exits the browser. An
error in the way the browser or user handles the cookie file may make
it accessible over the Internet, exposing the user's cookies to anyone
who knows where to look. For instance, certain queries to search
engines can produce many cookie files accidentally placed on the
Web [18]. If a persistent cookie in a leaked file contains an
authenticator, an adversary can simply copy the cookie and break into
the user's account. In addition, if the user accesses the account
from a public system (say at a library or Internet café) and
receives a persistent authentication cookie on that system, any
subsequent user of that system can access the account. For these
reasons, persistent cookies should not be considered private. Do not
store authenticators in persistent cookies.
Limit the lifetime of authenticators
A good design must also gracefully handle the compromise of tokens
which are designed to be secret. To limit the amount of damage
a leaked authenticator can cause, limit its lifetime.
For authenticators that are stored in user cookies, do not rely on the cookie expiration field for secure expiration. Since the client is responsible for enforcing that expiration, a malicious client can set the lifetime arbitrarily. Netscape users can manually extend these expirations by simply editing a text file. We were able to indefinitely extend the lifetime of our WSJ.com cookie authenticator even though WSJ.com set the cookie to expire in 11 hours. This was not extremely alarming, but if an adversary stole a cookie (as described in Section 3.3), there would be no way to revoke the adversary's access. The problem was compounded because the cookie authenticator remained the same even if a user's password changed. This prevented the WSJ.com site from easily revoking access to a compromised account.
To prevent unauthorized cookie lifetime extensions, include a cryptographically unalterable timestamp in the value of the cookie, or store the expiration time in a user-inaccessible place on the server. Securely binding expirations to authenticators limits the damage caused by a stolen authenticator.
Note that an authenticator that is stored in a cookie can be replayed,
regardless of its expiration time, if it is leaked. By definition,
unless the client uses computation, the only thing it is capable of
doing to the cookie is to send it back to the server. If replay
prevention is desired, the authenticator must be kept confidential and
changed after each use. In that case, it might be necessary to record
recently received authenticators and verify that newly received
authenticators are not replays.
Bind authenticators to addresses
It can also be useful to tie authenticators to specific network
addresses. This helps protect against replay attacks by making it more
difficult for the adversary to successfully reuse the authenticator.
In addition to acquiring the authenticator, the adversary must appear
to originate from the same network address for which the authenticator
was minted. However, this may prematurely invalidate authenticators
issued to mobile DHCP users.
