BeamAuth : Two-Factor Web Authentication with a Bookmark
14th ACM Conference on Computer and Communications Security
Ben Adida
Presenter : SJ Park

Table of Contents
• Introduction
• Goals
• BeamAuth Basic
• BeamAuth Protocol
• Example
• Attacks
• Summary
Introduction 1/2 Web Authentication Security
• Passive Sniffing
  • Attack caused by insecure wi-fi APs, unswitched local wired networks, or corporate proxies
• Social Engineering
  • Technique based on specific attributes of human decision-making
  • Example : Phishing, Pharming
• Desktop compromise
  • Desktop PC compromised with malware
  • Zero guarantee of any security

Introduction 2/2 Fragment Identifier
• Purpose
  • Used to designate a portion of a page
  • Web browsers scroll to the appropriate location.
• Example
  • http://example.org/stuff#paragraph4
• Characteristics
  • Web browsers never send it over the network.
  • The page is not reloaded during navigation between fragment identifiers.
Goals
• Keeping credentials safe against many types of phishing attack (Social Engineering)
• Requiring only server-side deployment
• Building better security in the application layer

BeamAuth Basic 1/2 URL Fragment Identifier
• The resolution of a fragment identifier
  • Example : http://hostname/rest/of/url#fragment_id
• Procedure
  • Connecting to host hostname on port 80
  • Requesting /rest/of/url and rendering the HTML page
  • Scrolling the viewport to the position indicated by fragment_id if it exists
  • The fragment ID is never sent over the network.
• Navigation
  • Navigation between fragments within the same URL does not cause a page reload.
BeamAuth Basic 2/2 JavaScript Features
• Variable and method for fragments
  • JavaScript variable for the fragment identifier
    • window.location.hash
  • Updating the URL
    • window.location.replace()
• Source Code
    var hash = document.location.hash;
    if ( hash != '' ) {
        // parse the hash, get username and token
        parse_beamauth_hash( hash );
        // clear the hash from the URL
        document.location.replace( '/login' );
    }
BeamAuth Protocol 1/4 General Idea
BeamAuth Protocol 2/4 Setup Phase
• Registering ID and password
• Authenticating a user by using a second-channel authentication mechanism like an email mail-back
  • Clicking on this verification URL in the email
  • Example : https://site.com/confirm?vc=<verification_code>
• The web page which the user reaches provides her with a link.
• Adding the link as a bookmark
  • https://site.com/get-bookmark#[username|secret_token]
  • bookmark_link.href = 'https://site.com/login' + window.location.hash;

BeamAuth Protocol 3/4 Re-Initialization
• When is Re-Initialization required?
  • Deleting the user's BeamAuth bookmark by mistake
  • Using several web browsers
  • Using multiple computers
• Solutions
  • Instructing a user to keep the signup email
  • Using bookmark synchronization tools

BeamAuth Protocol 4/4 Mechanism
• How to hide a token from users
  • A BeamAuth login page contains JavaScript.
  • This script regularly polls the value of the fragment ID.
  • After reading it, the poller updates the URL by calling replace().
• How to use a token for authentication
  • HMAC the password with the secret token.
  • The login page securely submits this resulting credential to the server.
Example 1/7 Registration
Example 2/7 Second Channel Authentication
Example 3/7 Setting Up a Bookmark
Example 4/7 Adding a Bookmark
Example 5/7 BeamAuth Authentication
Example 6/7 Inputting a Password
Example 7/7 Authentication Completion
Attacks (1/2)
• Phishing with a deceitful URL
  • In the case of an unsophisticated phishing attack
  • The password is compromised, and the token is safe.
• Overriding page unload
  • The user can no longer log in, but the token is safe.
• Malicious bookmark replacement
  • Using a spoofed email
  • Token and password are safe.
• Explicit bookmark theft
  • The token is compromised, and the password can be compromised via phishing.

Attacks (2/2)
• Attacking the email account
  • The token is compromised, and the password can be compromised via phishing.
• Using the victim's computer
  • The token is compromised, and the password can be compromised via phishing.
• Pharming inattentive users
  • Sending down malicious code that reads the fragment ID
  • All compromised
• Malware and client compromise
  • All compromised

Summary
• BeamAuth uses
  • a bookmark as the second authentication factor,
  • a token delivered via a separate channel (email),
  • the fragment identifier to store the token.