Dos and Don'ts of Client Authentication on the Web
Total Page:16
File Type:pdf, Size:1020Kb
Dos and Don'ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster fubob, sit, kendras, feamster ¡ @mit.edu MIT Laboratory for Computer Science http://cookies.lcs.mit.edu/ Abstract the client authentication of two systems, gained unautho- rized access on eight, and extracted the secret key used Client authentication has been a continuous source of to mint authenticators from one. problems on the Web. Although many well-studied tech- This is perhaps surprising given the existing client niques exist for authentication, Web sites continue to use authentication mechanisms within HTTP [16] and extremely weak authentication schemes, especially in SSL/TLS [11], two well-studied mechanisms for provid- non-enterprise environments such as store fronts. These ing authentication secure against a range of adversaries. weaknesses often result from careless use of authentica- However, there are many reasons that these mechanisms tors within Web cookies. Of the twenty-seven sites we are not suitable for use on the Web at large. Lack of investigated, we weakened the client authentication on a central infrastructure such as a public-key infrastruc- two systems, gained unauthorized access on eight, and ture or a uniform Kerberos [41] contributes to the pro- extracted the secret key used to mint authenticators from liferation of weak schemes. We also found that many one. Web sites would design their own authentication mecha- nism to provide a better user experience. Unfortunately, We provide a description of the limitations, require- designers and implementers often do not have a back- ments, and security models specific to Web client authen- ground in security and, as a result, do not have a good tication. This includes the introduction of the interrog- understanding of the tools at their disposal. Because of ative adversary, a surprisingly powerful adversary that this lack of control over user interfaces and unavailability can adaptively query a Web site. of a client authentication infrastructure, Web sites con- We propose a set of hints for designing a secure client tinue to reinvent weak home-brew client authentication authentication scheme. Using these hints, we present the schemes. design and analysis of a simple authentication scheme Our goal is to provide designers and implementers secure against forgeries by the interrogative adversary. with a clear framework within which to think about and In conjunction with SSL, our scheme is secure against build secure Web client authentication systems. A key forgeries by the active adversary. contribution of this paper is to realize that the Web is par- ticularly vulnerable to adaptive chosen message attacks. 1 Introduction We call an adversary capable of performing these attacks an interrogative adversary. It turns out that for most sys- tems, every user is potentially an interrogative adversary. Client authentication is a common requirement for Despite having no special access to the network (in com- modern Web sites as more and more personalized and parison to the eavesdropping and active adversary), an in- access-controlled services move online. Unfortunately, terrogative adversary is able to significantly compromise many sites use authentication schemes that are extremely systems by adaptively querying a Web server. We believe weak and vulnerable to attack. These problems are most that, at a minimum, Web client authentication systems often due to careless use of authenticators stored on the should defend against this adversary. However, with this client. We observed this in an informal survey of authen- minimum security, sites may continue to be vulnerable to tication mechanisms used by various popular Web sites. attacks such as eavesdropping, server impersonation, and Of the twenty-seven sites we investigated, we weakened stream tampering. Currently, the best defense against such attacks is to use SSL with some form of client au- This research was supported by a USENIX scholars fellowship and was originally published in the Proceedings of the 10th USENIX Security thentication; see Rescorla [37] for more information on Symposium. Washington, D.C., August, 2001. the security and proper uses of SSL. 1 In Section 2, we describe the limitations, require- The client generally speaks to the server using the Hy- ments, and security models to consider in designing Web pertext Transfer Protocol (HTTP [14]). This may be spo- client authentication. Using these descriptions, we cod- ken over any transport mechanism but is typically either ify the principles underlying the strengths and weak- TCP or SSL. Since HTTP is a stateless, sessionless pro- nesses of existing systems as a set of hints in Section 3. tocol, the client must provide an authentication token or As an example, we design a simple and flexible authenti- authenticator with each request. cation scheme in Section 4. We implemented this scheme and analyzed its security and performance; we present Computation allows the browser to transform inputs these findings in Sections 5 and 6. Section 7 compares before sending them to the server. This computation may the work in this paper to prior and related work. We con- be in a strictly defined manner, such as in HTTP Digest clude with a summary of our results in Section 8. authentication [16] and SSL, or it may be much more flexible. Flexible computation is available via Javascript, Java, Tcl, ActiveX, Flash, and Shockwave. Depending 2 Security models and definitions on the application, these technologies could perhaps as- sist in the authentication process. However, most of these Clients want to ensure that only authorized people can technologies have high startup overhead and mediocre access and modify personal information that they share performance. As a result, users may choose to disable with Web sites. Similarly, Web sites want to ensure that these technologies. Also, these extensions may not be only authorized users have access to the services and available on all operating systems and architectures. Any content it provides. Client authentication addresses the standard authentication scheme should be as portable and needs of both parties. lightweight as possible, and therefore require few or no browser extensions. Thus for today’s use, any authenti- Client authentication involves proving the identity of cation scheme should avoid using client computation for a client (or user) to a server on the Web. We will use deployability reasons. If absolutely necessary, Javascript the term “authentication” to refer to this problem. Server and Java are commonly supported. authentication, the task of authenticating the server to the Client state allows the client’s browser to store and client, is also important but is not the focus this paper. reuse authenticators. However, storage space may be very limited. In the most limited case, the browser In this section, we present an overview of the security can only store passwords associated with realms (as in models and definitions relevant in client authentication. HTTP Basic authentication [16]). A more flexible form We begin by describing the practical limitations of a Web of storage which is commonly available in browsers is authentication system. This is followed by a discussion the cookie [25, 32]. Cookies allow a server store a value of common requirements. We then characterize types of on a client. In subsequent HTTP requests, the client breaks and adversaries. automatically includes the cookie value. A number of attributes can control how long cookies are kept and to 2.1 Practical limitations which servers they are sent. In particular, the server may request that the client discard the cookie immediately Web authentication is primarily a practical problem of or keep it until a specified time. The server may also deployability, user acceptability, and performance. request that the client only return the cookie to certain hosts, domains, ports, URLs, or only over secure trans- Deployability ports. Cookies are the most widely deployed mechanism for maintaining client state. Web authentication protocols differ from traditional User acceptability authentication protocols in part because of the limited in- terface offered by the Web. The goal is to develop an au- Web sites must also consider user acceptability. Be- thentication system by using the protocols and technolo- cause sites want to attract many users, the client authenti- gies commonly available in today’s Web browsers and cation must be as non-confrontational as possible. Users servers. Authentication schemes for the Internet at large will be discouraged by schemes requiring work such as cannot rely on technology not widely deployed. For ex- installing a plug-in or clicking away dialog boxes. ample, Internet kiosks today do not have smart card read- Performance ers. Similarly, home consumers currently have little in- centive to purchase smart card readers or other hardware Stronger security protocols generally cost more in per- token systems. formance. Service providers naturally want to respond 2 to as many requests as possible. Cryptographic solutions authentication is further blurred by the practice of current will usually degrade server performance. Authentication browsers of displaying a single padlock whose meaning should not needlessly consume valuable server resources is ambiguous. such as memory and clock cycles. With current technol- ogy, SSL becomes unattractive because of the computa- Typically, servers choose to provide confidentiality tional cost of its initial handshaking. for only certain special data by using SSL. For exam- ple, financial data require confidentiality. Sites that deal 2.2 Server security requirements with such information, online brokerages, may be auc- tion sites (e.g., ebay.com), banks and other financial The goals of a server’s authentication system depend service providers (e.g., etrade.com), or online mer- on the strength and granularity of authentication desired. chants (e.g., FatBrain.com). Granularity refers to the fact that some servers identify individual users throughout a session, while others iden- Another issue commonly associated with authentica- tify users only during the first request. A fine-grained tion is user privacy.