Master Thesis
Developing a framework for secure authentication of Web and Mobile apps
Knut Erik Hildre

Thesis submitted for the degree of Master in Informatics: programming and system architecture, 60 credits
Department of Informatics, Faculty of mathematics and natural sciences, University of Oslo
Spring 2020

© 2020 Knut Erik Hildre
http://www.duo.uio.no/
Printed: Reprosentralen, University of Oslo

Abstract

In recent years, the methods normally used for authentication have become more and more insecure. In particular, the use of static passwords is heading towards its downfall. To help increase the security of authentication, we will create a framework implementing modern authentication solutions based on dynamic passwords and public-key cryptography. These methods remove some of the obvious flaws of static password authentication. The two biggest weaknesses they remove are the vulnerability of a simple, static password that never changes, and the storing of a shared secret on the server side. However, depending on what type of client application is being developed, different software and hardware possibilities are available. Our task is therefore to create a universal authentication framework that offers different authentication solutions for multiple client applications and devices, depending on what is being used. This includes support for web, native, and desktop applications. In addition, we will introduce Risk-Based Authentication and discuss how it can be used to add further security to an authentication process.

Contents

1 Introduction
1.1 Motivation
1.2 Contribution
1.3 Research questions
1.4 Overview of chapters
2 Client application technologies
2.1 Different types of client applications
2.1.1 Progressive web applications
2.1.2 Native applications
2.1.3 Hybrid applications
2.2 Comparing the different application types
2.2.1 Progressive web application vs native application
2.2.2 Comparing hybrid and native applications
2.2.3 Comparing progressive web applications and hybrid applications
3 Authentication technology
3.1 Different authentication technologies
3.1.1 Static Password authentication
3.1.2 Dynamic Password authentication
3.1.3 Asymmetric cryptography authentication
3.1.4 Possible attacks on authentication methods
3.1.5 Universal Second Factor (U2F)
3.1.6 UAF
3.1.7 FIDO2
3.2 Single Sign-On solution
3.3 Federation protocol
3.3.1 OAuth 2.0
3.3.2 OpenID Connect and SAML 2.0
3.3.3 Conclusion: Federation protocol vs FIDO2
3.4 Entities involved in the authentication protocols
3.4.1 Relying party
3.4.2 Identity Provider
3.4.3 Client
3.4.4 External authenticator
3.4.5 Platform authenticator
3.5 Risk-based authentication
4 Requirements
4.1 Functional requirements
4.2 Non-functional requirements
5 Design
5.1 Overview of all actors
5.1.1 Authenticators
5.1.2 Client device
5.1.3 Client applications
5.1.4 Server side application
5.1.5 Server
5.2 Framework
5.2.1 Authentication methods
5.2.2 Framework, designing a solution
5.2.3 Risk-based authentication
6 Implementation
6.1 Backend language
6.2 Framework implementation
6.2.1 Explanation of the FIDO2 implementation
6.3 OTP implementation
6.4 RBA
6.5 External library implementations
7 Evaluation
7.1 Test cases
7.1.1 Test case 1a: Register an external authenticator for a user on a PC. In our case, it will be a YubiKey 5 NFC.
7.1.2 Test case 2a: Login using the user and authentication method from test case 1
7.1.3 Test case 2b: What happens behind the scenes
7.1.4 Test case 2: Register a user using a mobile device. In our case, it will be a Motorola g8 plus
7.1.5 Test case 3: How does OTP work?
7.1.6 Test case 4: How does the Risk-Based Authentication work?
7.2 Evaluation
7.2.1 Functional requirements
7.2.2 Non-functional requirements
8 Conclusion
8.1 Summary
8.2 Future work

List of Figures

3.1 Symmetric cryptography as second factor
3.2 U2F building blocks
3.3 UAF building blocks
3.4 FIDO2 building blocks
3.5 Federation flow
5.1 Architecture overview
5.2 Authenticators overview
5.3 Client device overview
5.4 Client application overview
5.5 Server application overview
5.6 Server overview
5.7 OTP flow
5.8 Registration flow WebAuthn/FIDO2
5.9 Registration flow WebAuthn/FIDO2
6.1 Structure of a createCredentialOptions object
6.2 Supported algorithms
6.3 Supported algorithms
6.4 Structure of verifying a response from user 1
6.5 BaseVerify
6.6 Structure of verifying a response from user 2
6.7 Structure of verifying a response from user 3
6.8 Structure of assertionOptions object
6.9 Structure of verifying a response from user 1
6.10 Structure of verifying a response from user 2
6.11 Structure of verifying a response from user
6.12 Generation of secret key
6.13 Method for sending the mail
7.1 Before adding FIDO2 authentication
7.2 Asking for an external key to be inserted
7.3 A pin is required by the external key
7.4 Console CredentialCreateOptions
7.5 Console the created Credential Object
7.6 Console the created Credential Object
7.7 The stored fido2 credentials 1
7.8 The stored fido2 credentials 2
7.9 The assertion option object
7.10 The assertion option object
7.11 The assertion option object
7.12 The assertion option object
7.13 The response verified
7.14 The authentication options offered to the mobile device
7.15 OTP as 2FA
7.16 The users with their OTP and IP
7.17 The two pages that RBA redirects the user to
7.18 FIDO Platform/Browser Support

Chapter 1 Introduction

1.1 Motivation

In society today, static passwords are still commonly used. Studies show that most people use fewer than five passwords for all their accounts, and 50% of those have not changed their password in the last five years. They also show that 39% of adults use the same passwords for multiple online accounts, 25% admit to using less secure passwords because they are easier to remember, and 49% of adults write down their password on paper [1]. This makes for an attractive target for attackers. In 2017 the Verizon Data Breach Report showed that 81% of hacking-related breaches are due to either stolen or weak passwords [2]. One of the main weaknesses of authentication based on static passwords is that the password is a shared secret, meaning it is known to both the user and the server. Unless you use second-factor or multi-factor authentication, this means that a hacker who obtains this information has the capability to fully impersonate you. Due to these types of incidents, companies now need to take a second look at how to secure their users. In recent years, there has been a significant increase in websites losing consumer data to hackers. Account takeover by bad actors has resulted in losses above 5 billion, and leading customer-facing companies like Google have experienced massive security breaches [3]. Therefore two-factor authentication has become more and more popular as a way to increase the security of services that require some kind of authentication. Luckily, we already have several initiatives for more secure and/or convenient authentication, such as U2F, UAF, WebAuthn, and more. However, different types of client applications (desktop vs. mobile, Web application vs. progressive Web application vs. hybrid application vs. native application) offer different hardware and software possibilities (e.g. fingerprint reader, USB token, secure hardware; iOS vs. Android). This makes the development of universal authentication solutions difficult.

1.2 Contribution

The task of this thesis is a systematic analysis of the current state of the art in authentication for different application types. Further, a universal authentication framework that supports multiple different authentication methods shall be developed. The most important authentication features will be the implementation of authentication solutions that do not rely on static passwords; these are solutions that use dynamic passwords or cryptography as a replacement. This will give the developer many new options for a good and secure authentication process when developing future applications, and it will give the developer freedom in choosing which solutions to use for the specific application being developed. We will develop this framework with the intent of making it possible for a developer to use it in any kind of application development, meaning it should be accessible both when creating web and native applications. Lastly, we will implement some basic tools for risk-based authentication to further improve the security of the authentication. The information these tools collect can help the authentication process analyze whether there are any irregularities in the login attempt.