Web Server Design, Week 12
Old Dominion University, Department of Computer Science, CS 495/595, Spring 2010
Martin Klein <mklein@cs.odu.edu>, 3/31/10
Problems with Basic Authentication
• Password sent in clear
• Cannot authenticate the server to the client
  • e.g. “phishing” attacks
• uid/passwd may be used at other sites too
Digest Authentication
• Does:
  • securely transmit the password
  • bi-directional authentication
• But does not protect the session!!!
• “https” uses 1 of:
  • Transport Layer Security
    • http://www.ietf.org/html.charters/tls-charter.html
  • Secure Sockets Layer
    • http://web.archive.org/web/20080410061639/http://wp.netscape.com/eng/ssl3/
Replay Attacks
• Eavesdrop on the unencrypted client/server conversation
• With basic, the bad guy has access to all URIs protected with that u/p
• With digest:
  • replay is limited to the resource the bad guy already overheard
  • the vulnerability “window” is determined by the nonce value
  • PUT/POST methods need stronger nonce values (e.g., one-time use) and/or qop=auth-int
Multiple Authentication Schemes
• According to section 14.47 of RFC 2616 (and section 4.6 of RFC 2617), a single “WWW-Authenticate” header can provide more than 1 challenge
  • it is up to the client to choose the strongest challenge it understands
  • (n.b., I’m not sure how to do this with Apache; we will not issue multiple challenges in our project)
RFC 2616, sec. 14.47:
  … User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters.
Dictionary Attacks
• Digest authentication offers no real protection against poorly chosen passwords
  • grabbing the nonce/response pair(s), an eavesdropper can quickly run through a dictionary of common passwords trying to recreate the response
  • Dictionary = {root, $user, $user$user, reverse($user), Spock, Whorf, Gandalf, eagle, mustang, password, mypassword, 123, asdf, fluffy, fido, …}
• Make dictionary attacks harder with salt.
# user format = name:realm:md5(name:realm:password)
mklein:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08
# user format = name:realm:md5(name:realm:password:salt):salt
mklein:Colonial Place:e65c90343b763abb9e442dd03ae79aac:12
Man in the Middle
• A corrupted proxy (or a “phishing” server) could request your credentials:
  • basic: now it has your passwd (good for all URIs)
  • digest: it has authentication for a single URI
• The very existence of “basic” is a problem
  • passwords are often shared among domains, realms, auth methods
  • client s/w & users have to be smart
Chosen Plaintext Attack
• MITM attacks (or a phishing server) have control of generating the nonce values
• knowing the original input makes cryptanalysis a little bit easier:
  • http://web.archive.org/web/19970607055704/http://www.rsa.com/rsalabs/pubs/cryptobytes/spring95/md5.htm
  • “Cribs”
    • http://www.cs.miami.edu/~harald/enigma/
    • http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma
• client can counter w/ cnonce, since the MITM will not know what the original input was for the cnonce value
Batch Brute Force Attacks
• Variation on the plaintext attack: the MITM/phisher collects multiple responses from multiple users for the same nonce
• Time to find the first passwd decreases by the factor of the known nonce/response pairs
Precomputed Dictionary Attack
• Combination of dictionary + plaintext
• Compute a dictionary of (response, passwd) pairs for the known nonce value(s)
• Computation can be done in parallel on zombie machines
Password Files
• Even though the server (Apache) stores passwords in the form of:
  • user:realm:md5(user:realm:passwd)
• if the passwd file is compromised (e.g., filesystem access), then the URIs in that realm are compromised
  • password does not need to be guessed
• treat this passwd file as if the passwds are in the clear (unlike the standard unix passwd file)
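As an added example (not from the slides or from Apache), the RFC 2617 qop=auth computation in Python with constructed user, password and nonce values: it shows that the response is bound to method, URI and nonce, how one-time nonces stop the replay described on the Replay Attacks slide, and why a server that verifies from the stored HA1 alone makes the password file as sensitive as clear passwords.

```python
import hashlib
import hmac

REALM = "Colonial Place"

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, password: str) -> str:
    # RFC 2617 HA1 = MD5(user:realm:password); Apache's htdigest file stores exactly this value
    return md5_hex(f"{user}:{REALM}:{password}")

def digest_response(ha1_hex: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    # qop=auth: response = MD5(HA1:nonce:nc:cnonce:qop:HA2) with HA2 = MD5(method:uri),
    # so the response is bound to the method and URI, and the client-chosen cnonce is mixed in
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

# Constructed stand-in for the server's password file, keyed by user; the password is invented
PASSWD_FILE = {"mklein": ha1("mklein", "constructed-password")}

def server_verify(user, method, uri, nonce, nc, cnonce, response, live_nonces):
    # Server side: recompute from the stored HA1 only (the clear password is never needed)
    # and accept each server-issued nonce at most once, so an overheard response cannot be replayed
    stored = PASSWD_FILE.get(user)
    if stored is None or nonce not in live_nonces:
        return False
    live_nonces.discard(nonce)
    expected = digest_response(stored, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

def demo() -> dict:
    live = {"nonce-A", "nonce-B"}                      # constructed nonces the server handed out
    h = ha1("mklein", "constructed-password")          # the client derives HA1 from its password
    resp = digest_response(h, "GET", "/protected/", "nonce-A", "00000001", "cnonce-1")
    out = {}
    out["genuine"] = server_verify("mklein", "GET", "/protected/", "nonce-A", "00000001", "cnonce-1", resp, live)
    # the same credentials yield a different response for another URI or method: an overheard
    # response is only good for the resource it was overheard on
    out["bound_to_uri"] = resp != digest_response(h, "GET", "/other/", "nonce-A", "00000001", "cnonce-1")
    out["bound_to_method"] = resp != digest_response(h, "PUT", "/protected/", "nonce-A", "00000001", "cnonce-1")
    # replaying the overheard response verbatim fails because nonce-A has already been spent
    out["replay_rejected"] = server_verify("mklein", "GET", "/protected/", "nonce-A", "00000001", "cnonce-1", resp, live)
    # whoever holds the password-file value can answer a fresh challenge without the password,
    # which is why the file must be protected as if it held clear passwords
    forged = digest_response(PASSWD_FILE["mklein"], "GET", "/protected/", "nonce-B", "00000001", "cnonce-2")
    out["stolen_ha1_accepted"] = server_verify("mklein", "GET", "/protected/", "nonce-B", "00000001", "cnonce-2", forged, live)
    return out
```

Without the one-time nonce bookkeeping in server_verify, the replay in demo() would succeed for as long as the server kept accepting nonce-A, which is the “window” the slides refer to.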