BeamAuth : Two-Factor Web Authentication with a Bookmark


Presentation Transcript


  1. BeamAuth: Two-Factor Web Authentication with a Bookmark
  14th ACM Conference on Computer and Communications Security
  Ben Adida
  Presenter: SJ Park

  2. Table of Contents
  • Introduction
  • Goals
  • BeamAuth Basic
  • BeamAuth Protocol
  • Example
  • Attacks
  • Summary

  3. Introduction 1/2: Web Authentication Security
  • Passive sniffing
    • Attacks enabled by insecure Wi-Fi APs, unswitched local wired networks, or corporate proxies
  • Social engineering
    • Techniques that exploit specific attributes of human decision-making
    • Examples: phishing, pharming
  • Desktop compromise
    • Desktop PC compromised with malware
    • Zero guarantee of any security

  4. Introduction 2/2: Fragment Identifier
  • Purpose
    • Used to designate a portion of a page
    • Web browsers scroll to the appropriate location.
  • Example
    • http://example.org/stuff#paragraph4
  • Characteristics
    • Web browsers never send it over the network.
    • The page is not reloaded during navigation between fragment identifiers.

  5. Goals
  • Keeping credentials safe against many types of phishing attack (social engineering)
  • Requiring only server-side deployment
  • Building better security in the application layer

  6. BeamAuth Basic 1/2: URL Fragment Identifier
  • The resolution of a fragment identifier
    • Example: http://hostname/rest/of/url#fragment_id
  • Procedure
    • Connecting to host hostname on port 80
    • Requesting /rest/of/url and rendering the HTML page
    • Scrolling the viewport to the position indicated by fragment_id if it exists
    • The fragment ID is never sent over the network.
  • Navigation
    • Navigation between fragments within the same URL does not cause a page reload.

  7. BeamAuth Basic 2/2: JavaScript Features
  • Variable and method for fragments
    • JavaScript variable for the fragment identifier: window.location.hash
    • Updating the URL: window.location.replace()
  • Source Code

      var hash = document.location.hash;
      if (hash != '') {
        // parse the hash, get username and token
        parse_beamauth_hash(hash);
        // clear the hash from the URL
        document.location.replace('/login');
      }

  8. BeamAuth Protocol 1/4: General Idea

  9. BeamAuth Protocol 2/4: Setup Phase
  • Registering ID and password
  • Authenticating a user by using a second-channel authentication mechanism like an email mail-back
    • Clicking on this verification URL in the email
    • Example: https://site.com/confirm?vc=<verification_code>
  • The web page the user reaches provides her with a link.
    • Adding the link as a bookmark
    • https://site.com/get-bookmark#[username|secret_token]
    • bookmark_link.href = 'https://site.com/login' + window.location.hash;

  10. BeamAuth Protocol 3/4: Re-Initialization
  • When is re-initialization required?
    • Deleting the user's BeamAuth bookmark by mistake
    • Using several web browsers
    • Using multiple computers
  • Solutions
    • Instructing the user to keep the signup email
    • Using bookmark synchronization tools

  11. BeamAuth Protocol 4/4: Mechanism
  • How to hide the token from users
    • A BeamAuth login page contains JavaScript.
    • This script regularly polls the value of the fragment ID.
    • After reading it, the poller updates the URL by calling replace().
  • How to use the token for authentication
    • HMAC the password with the secret token.
    • The login page securely submits the resulting credential to the server.

  12. Example 1/7: Registration

  13. Example 2/7: Second Channel Authentication

  14. Example 3/7: Setting Up a Bookmark

  15. Example 4/7: Adding a Bookmark

  16. Example 5/7: BeamAuth Authentication

  17. Example 6/7: Inputting a Password

  18. Example 7/7: Authentication Completion

  19. Attacks (1/2)
  • Phishing with a deceitful URL
    • In the case of an unsophisticated phishing attack
    • Password is compromised, token is safe.
  • Overriding page unload
    • User can no longer log in, but the token is safe.
  • Malicious bookmark replacement
    • Using a spoofed email
    • Token and password are safe.
  • Explicit bookmark theft
    • Token is compromised, and the password can be compromised via phishing.

  20. Attacks (2/2)
  • Attacking the email account
    • Token is compromised, and the password can be compromised via phishing.
  • Using the victim's computer
    • Token is compromised, and the password can be compromised via phishing.
  • Pharming inattentive users
    • Sending down malicious code that reads the fragment ID
    • All compromised
  • Malware and client compromise
    • All compromised

  21. Summary
  • BeamAuth uses
    • a bookmark as the second authentication factor;
    • a token delivered via a separate channel (email);
    • the fragment identifier to store the token.