Research Center for Information Security (RCIS) National Institute of Advanced Industrial Science and Technology (AIST)

PAKE-based mutual HTTP for preventing attacks

Yutaka Oiwa, Hiromitsu Takagi, Hajime Watanabe – RCIS, AIST / Hirofumi Suzuki – Yahoo! Japan

Our proposal

A new mutual authentication protocol for Web systems which is:

Secure
- detecting phishing websites reliably – Both users and servers are authenticated
- no password information leaks for false websites - offline dictionary attack impossible (DIGEST auth, PwdHash: >20 chars required for password secrecy)

Easy to use
- using human-memorable passwords only
- no need for personal secret storage (TLS client auth., password reminders)

Generic
- no whitelist (EV SSL)
- no blacklist (IE/Firefox phishing warnings)
- not site-specific

★ Aiming for long-term solution: future replacement for form-based auth.

Protocol details

- Based on ISO-defined variant of PAKE protocol (ISO 11770-4 KAM3)
- Password is combined with hostname as "weak secret" to prevent MITM attack: π = H(password, host, …)
- Computational cost similar to TLS
  - Single public-key op. for 1st access
  - A few hash op. for 2nd access & more

    GET / HTTP/1.1
    Host: www.example.com

    HTTP/1.1 401 Authentication required
    WWW-Authenticate: Mutual algorithm=iso11770-4-dl-2048,
        validation=host, realm="Protected Contents", stale=0
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Length: 5163
    ………

    GET / HTTP/1.1
    Host: www.example.com
    Authorization: Mutual algorithm=iso11770-4-dl-2048,
        validation=host, user=foobar,
        wa=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    HTTP/1.1 401 Authentication required
    WWW-Authenticate: Mutual sid=yyyyyyyy,
        wb=zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz,
        nc-max=1024, nc-window=64, time=300, path="/"
    Content-Length: 0

    GET / HTTP/1.1
    Host: www.example.com
    Authorization: Mutual sid=yyyyyyyy, nc=0,
        oa=wwwwwwwwwwwwwwww

    HTTP/1.1 200 OK
    Authentication-Info: Mutual sid=yyyyyyyy,
        ob=vvvvvvvvvvvvvvvv
    Content-Type: text/html; charset="ISO-8859-1"
    Content-Length: 7043
    ………
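Added example (not from the poster or the project's code): it parses the first challenge shown above and derives π with the hostname mixed in, so a value derived while the browser is talking to a lookalike host does not match the one registered for the genuine host. The hash construction (SHA-256 over length-prefixed realm, user, password and host), the sample password and the lookalike hostname are assumptions made for illustration; the Internet-Draft defines the real encoding.

```python
import hashlib
import re

# Challenge value copied from the first 401 response on the poster.
CHALLENGE = ('Mutual algorithm=iso11770-4-dl-2048, validation=host, '
             'realm="Protected Contents", stale=0')


def parse_mutual(header):
    """Split a 'Mutual k=v, k="v"' header value into a dict of parameters."""
    scheme, _, rest = header.partition(" ")
    if scheme != "Mutual":
        raise ValueError("not a Mutual challenge")
    params = {}
    pattern = r'([\w-]+)=(?:"([^"]*)"|([^,\s]+))'
    for key, quoted, bare in re.findall(pattern, rest):
        params[key] = quoted or bare
    return params


def derive_pi(params, user, password, connected_host):
    """Assumed instantiation of pi = H(password, host, ...).

    connected_host must be the host the browser actually connected to,
    never a name supplied by the page or the server.
    """
    if params.get("validation") != "host":
        raise ValueError("only validation=host is modelled here")
    h = hashlib.sha256()
    for field in (connected_host.lower(), params["realm"], user, password):
        data = field.encode("utf-8")
        # Length prefix keeps ("ab", "c") distinct from ("a", "bc").
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def demo():
    """Same user and password, two different connected hosts (constructed)."""
    params = parse_mutual(CHALLENGE)
    genuine = derive_pi(params, "foobar", "correct horse", "www.example.com")
    # Constructed lookalike host that relays the genuine site's challenge.
    relayed = derive_pi(params, "foobar", "correct horse",
                        "www.example.com.lookalike.test")
    return genuine, relayed


if __name__ == "__main__":
    genuine, relayed = demo()
    print("pi at genuine host  :", genuine)
    print("pi at lookalike host:", relayed)
```

Because the two values differ, nothing the lookalike host receives can be forwarded to the genuine site as a valid proof for its stored verifier.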

Four possible phishing attacks:
1. steal user's password sent
2. imitate successful login - to steal user's privacy data afterwards
3. check password's validity by forwarding it to the genuine site (man-in-the-middle attack)
4. hijack user's sessions

UI consideration

- Entry field must be protected from image-based forgeries
  - no popup dialog (BASIC/DIGEST auth.)
  - e.g. use the chrome area (see above)
- Auth. status must be indicated to prevent imitated auth. success

Technology

- Adopting PAKE for Web authentication
  - Mutual auth. with weak secret (password)
  - Password information is not leaked at all – Offline dictionary attack impossible
- Naturally extending RFC2617
  - Drop-in replacement for BASIC/DIGEST
  - Replacement for form-based authentication in web applications
- Relying on TLS for secrecy of payload – Assume transport/DNS security
- Host-name based detection of phishing
  - avoiding man-in-the-middle phishing

Current status

- Plugin for Apache server implemented
- Firefox-based browser implemented
- Both available as open-source software
- Internet-Draft submitted to IETF: "draft-oiwa-http-mutualauth-04.txt"
- Field trials
  - Our project website (see below)
  - Yahoo! Japan Auction Trial site (in 2008)
- Distribution of open-source modules

Future Work

- Standardization of the protocol
- Propose an integration to Mozilla etc.

Project URL: https://www.rcis.aist.go.jp/special/MutualAuth/