Search

BeamAuth - Two-Factor Web Authentication with a Bookmark

Loading...

Flash Player 9 (or above) is needed to view presentations.
We have detected that you do not have it on your computer. To install it, go here.

6 comments

Comments 1 - 6 of 6 previous next Post a comment

  • + guest23ed19 guest23ed19 6 months ago
    Find all you need to know about dog food and breed information at http://www.dogbreedss.org
  • + guest2bae8f guest2bae8f 11 months ago
    Visite Online-Flash-Game.com and play online games, online game, flash games, free online game, free online games, flash game!
  • + guest2bae8f guest2bae8f 11 months ago
    Visite Online-Flash-Game.com and play online games, online game, flash games, free online game, free online games, flash game!
  • + guest9c8764e4 guest9c8764e4 11 months ago
    We supply [url=http://www.wowgold1000.com]Cheap WoW Gold[/url], [url=http://www.wowgoldvip.com/news_list.asp]WoW Gold[/url] for wow players, you can [url=http://www.wowgold1000.com]Buy Wow Gold[/url],[url=http://www.wowgold800.com]wow power leveling[/url],and [url=http://www.wowgold1000.com]World of Warcraft Gold[/url] server here, cheap [url=http://www.wowgoldme.com]WoW Gold[/url] always waiting for you!
  • + guest9c8764e4 guest9c8764e4 11 months ago
    In wow gold players buy wow gold create cheap wow gold a character world of warcraft gold and fast wow gold adventure age of conan gold through aoc gold the ffxi gil, warhammer gold missions, runescape gold blowing tibia gold things swg credits up lotro gold and 2moons dil,maple story mesos bullets, to eve isk name lineage 2 adena but a eq2 plat few wow power leveling things. Generally wow power leveling, if you’ve power leveling seen world of warcraft power leveling it in wow leveling a matrix power leveling film wow gold chances buy wow gold are cheap wow gold you can world of warcraft gold do it wow power leveling in the power leveling game. This wow gold is cheap wow gold excellent news buy wow gold for the vast power leveling mob wow powerleveling of people wow power leveling who cheap power leveling have wow gold always buy wow gold wanted to cheap wow gold experience world of warcraft gold the power leveling matrix wow powerleveling and do wow power leveling their cheap power leveling part power leveling in helping wow powerleveling the wow power leveling people cheap power leveling of Zion. Or wow gold even buy wow gold for those cheap wow gold people world of warcraft gold who wow gold were secretly wow geld sympathetic wow gold kaufen to the billig wow gold Machines, or those wow gold who found cheap wow gold the Merovingian buy wow gold charming bolts nuts and were nut and bolt secretly rooting for his Exiles throughout the film. wow gold
  • + gueste8c4c1 gueste8c4c1 2 years ago
    wow power leveling,wow powerleveling,world of warcraft power leveling,honor power leveling,Professions power leveling,wow gold,world of warcraft gold,lotro power leveling,lotro powerleveling.vb so7cqm
Post a comment
Embed Video
Edit your comment Cancel

Notes on slide 1

1 Favorite

BeamAuth - Two-Factor Web Authentication with a Bookmark - Presentation Transcript

  1. BeamAuth Two-Factor Web Auth with a Bookmark Ben Adida Harvard University CCS 2007 – Alexandria, VA 30 October 2007
  2. Can we improve web security without upgrading the browser?
  3. Sad State of Web Auth
  4. Sad State of Web Auth
  5. Sad State of Web Auth
  6. Sad State of Web Auth
  7. SSO makes things worse
  8. SSO makes things worse
  9. SSO makes things worse
  10. SSO makes things worse
  11. SSO makes things worse
  12. Update the Browser - Dynamic Security Skins [DT2005] secure password-based key exchange new browser chrome to auth web site. - PwdHash [RJMBM2005] domain-specific password pre-processing. - MS CardSpace change the entire auth infrastructure built into the operating system.
  13. Can We Do Something Now?
  14. Can We Do Something Now? HTTP
  15. Can We Do Something Now? HTML & JavaScript HTTP
  16. Can We Do Something Now? Application Code HTML & JavaScript HTTP
  17. Can We Do Something Now? Application Code HTML & JavaScript HTTP
  18. Can We Do Something Now? - The web is a (limited) platform Application Code HTML & JavaScript HTTP
  19. Can We Do Something Now? - The web is a (limited) platform Application Code - Can we build better security in the application layer? HTML & JavaScript HTTP
  20. Can We Do Something Now? - The web is a (limited) platform Application Code - Can we build better security in the application layer? HTML & JavaScript - Maybe by hijacking certain HTTP features for security purposes? (Active Cookies, Subspace, ...)
  21. Can We Do Something Now? - The web is a (limited) platform Application Code - Can we build better security in the application layer? HTML & JavaScript - Maybe by hijacking certain HTTP features for security purposes? (Active Cookies, Subspace, ...) Goal: preventing easy phishing
  22. The General Idea Setup Phase Login Phase
  23. The General Idea Setup OpenID Phase Server Alice Login Phase
  24. The General Idea Setup proof of identity OpenID Phase Server Alice Login Phase
  25. The General Idea Setup proof of identity OpenID Phase Server Alice token Login Phase
  26. The General Idea Setup proof of identity OpenID Phase Server Alice token Login Click Your BeamAuth Phase Login Button
  27. The General Idea Setup proof of identity OpenID Phase Server Alice token Login Click Your BeamAuth Phase Login Button
  28. The General Idea Setup proof of identity OpenID Phase Server Alice token Username benadida Login Click Your Password BeamAuth Phase Login Button log in
  29. The General Idea Setup proof of identity OpenID Phase Server Alice token Username benadida Login Click Your Password BeamAuth Phase ********** Login Button log in log in
  30. The General Idea Setup proof of identity OpenID Phase Server Alice token Username benadida Login Click Your Welcome, Password BeamAuth Phase Ben Adida. ********** Login Button log in log in
  31. Let’s Build this Button!
  32. Let’s Build this Button! - Browser add-on not an easy solution for most users complexity of add-on across browsers significant trust delegated to the login site
  33. Let’s Build this Button! - Browser add-on not an easy solution for most users complexity of add-on across browsers significant trust delegated to the login site - Bookmark Delicious, etc. use bookmarks as buttons can we do the same for security? BookMark Auth = BM Auth = BeamAuth
  34. JavaScript Bookmarks
  35. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location);
  36. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’);
  37. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’);
  38. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’); javascript: if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’); }
  39. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’); javascript: if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’); }
  40. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’); javascript: if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’); } Cannot trust the JavaScript Computing Base
  41. The URL Fragment Identifier http://site.com/page#paragraph
  42. The URL Fragment Identifier http://site.com/page#paragraph - used to designate a portion of a page browser scrolls to the appropriate location.
  43. The URL Fragment Identifier http://site.com/page#paragraph - used to designate a portion of a page browser scrolls to the appropriate location. - never sent over the network but accessible from JavaScript
  44. The URL Fragment Identifier http://site.com/page#paragraph - used to designate a portion of a page browser scrolls to the appropriate location. - never sent over the network but accessible from JavaScript - navigation between fragments does not cause a page reload.
  45. Fragment in a Bookmark http://login.com/login#[benadida|8x34202]
  46. Fragment in a Bookmark http://login.com/login#[benadida|8x34202] var hash = document.location.hash; if (hash != ‘’) { // parse the hash, get username and token process_beamauth_hash(hash); // clear the hash from the URL document.location.replace(‘/login’); }
  47. The BeamAuth Ritual
  48. The BeamAuth Ritual
  49. The BeamAuth Ritual
  50. The BeamAuth Ritual
  51. The BeamAuth Ritual
  52. The BeamAuth Ritual
  53. The BeamAuth Ritual
  54. The BeamAuth Ritual
  55. Attacks - Trick User into Not Clicking Bookmark password compromised, token safe. - Lock User into Site password compromised, token safe. - Maliciously Replace Bookmark password compromised, token safe. - Pharming all compromised. - “Drag-and-Drop” Attack all compromised on Firefox.
  56. Comparison to Long-Lasting Cookies - Second-channel setup – though long- lasting cookies could do the same thing there. - Synchronization across browsers using existing bookmark-sync tools. - Better behavior for non-SSL sites
  57. BeamAuth: Summary - Bookmark as second authentication factor - Token delivered via a separate channel (email) - Use the fragment identifier to store token - Tweaked Login Ritual: whisk users to safety
  58. Can we do more? - The fragment identifier might be used for more tricks. - JavaScript bookmarks may be useful for security. - Security in the app layer: help evolve the browser platform without anticipating all security requirements. generalize concept of site-specific extension?
  59. Questions? ben@eecs.harvard.edu http://ben.adida.net/projects/beamauth/

+ benadidabenadida, 3 years ago

custom

3492 views, 1 favs, 2 embeds more stats

More info about this document

CC Attribution-ShareAlike LicenseCC Attribution-ShareAlike License

Go to text version

  • Total Views 3492
    • 3453 on SlideShare
    • 39 from embeds
  • Comments 6
  • Favorites 1
  • Downloads 43
Most viewed embeds
  • 38 views on http://benlog.com
  • 1 views on http://www.benlog.com

more

All embeds
  • 38 views on http://benlog.com
  • 1 views on http://www.benlog.com

less

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate. If needed, use the feedback form to let us know more details.

Cancel
File a copyright complaint
Having problems? Go to our helpdesk?

Categories

-->
Search
RSS Feed
What's new?

© 2009 SlideShare Inc. All Rights Reserved