BeamAuth
Two-Factor Web Auth
  with a Bookmark
         Ben Adida
     Harvard University

    CCS 2007 – Alexandria, VA
 ...
Can we improve
 web security without
upgrading the browser?
Sad State of Web Auth
Sad State of Web Auth
Sad State of Web Auth
Sad State of Web Auth
SSO makes things worse
SSO makes things worse
SSO makes things worse
SSO makes things worse
SSO makes things worse
Update the Browser
- Dynamic Security Skins [DT2005]
  secure password-based key exchange
  new browser chrome to auth web...
Can We Do Something Now?
Can We Do Something Now?



     HTTP
Can We Do Something Now?


  HTML & JavaScript

       HTTP
Can We Do Something Now?

  Application Code

  HTML & JavaScript

       HTTP
Can We Do Something Now?

  Application Code

  HTML & JavaScript

       HTTP
Can We Do Something Now?
                      - The web is a (limited) platform
  Application Code

  HTML & JavaScript

...
Can We Do Something Now?
                      - The web is a (limited) platform
  Application Code
                      ...
Can We Do Something Now?
                      - The web is a (limited) platform
  Application Code
                      ...
Can We Do Something Now?
                           - The web is a (limited) platform
  Application Code
                 ...
The General Idea
Setup
Phase




Login
Phase
The General Idea
Setup                      OpenID
Phase                      Server

          Alice




Login
Phase
The General Idea
Setup             proof of identity   OpenID
Phase                                 Server

          Alic...
The General Idea
Setup             proof of identity   OpenID
Phase                                 Server

          Alic...
The General Idea
Setup                  proof of identity   OpenID
Phase                                      Server

    ...
The General Idea
Setup                  proof of identity   OpenID
Phase                                      Server

    ...
The General Idea
Setup                  proof of identity   OpenID
Phase                                      Server

    ...
The General Idea
Setup                  proof of identity   OpenID
Phase                                      Server

    ...
The General Idea
Setup                  proof of identity      OpenID
Phase                                         Server...
Let’s Build this Button!
Let’s Build this Button!
- Browser add-on
 not an easy solution for most users
 complexity of add-on across browsers
 sign...
Let’s Build this Button!
- Browser add-on
 not an easy solution for most users
 complexity of add-on across browsers
 sign...
JavaScript Bookmarks
JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);
JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);


...
JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);


...
JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);


...
JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);


...
JavaScript Bookmarks
javascript:document.location=‘http://del.icio.us/
add?u=’ + encodeURIComponent(document.location);


...
The URL Fragment Identifier

  http://site.com/page#paragraph
The URL Fragment Identifier

    http://site.com/page#paragraph



 - used to designate a portion of a page
    browser scr...
The URL Fragment Identifier

    http://site.com/page#paragraph



 - used to designate a portion of a page
    browser scr...
The URL Fragment Identifier

    http://site.com/page#paragraph



 - used to designate a portion of a page
    browser scr...
Fragment in a Bookmark


         http://login.com/login#[benadida|8x34202]
Fragment in a Bookmark


                       http://login.com/login#[benadida|8x34202]

var hash = document.location.ha...
The BeamAuth Ritual
The BeamAuth Ritual
The BeamAuth Ritual
The BeamAuth Ritual
The BeamAuth Ritual
The BeamAuth Ritual
The BeamAuth Ritual
The BeamAuth Ritual
Attacks
- Trick User into Not Clicking Bookmark
  password compromised, token safe.
- Lock User into Site
  password compr...
Comparison to
 Long-Lasting Cookies
- Second-channel setup – though long-
  lasting cookies could do the same thing there....
BeamAuth: Summary

-   Bookmark as second authentication factor
-   Token delivered via a separate channel (email)
-   Use...
Can we do more?
- The fragment identifier might be
  used for more tricks.
- JavaScript bookmarks
  may be useful for secur...
Questions?
           ben@eecs.harvard.edu

http://ben.adida.net/projects/beamauth/
Upcoming SlideShare
Loading in...5
×

BeamAuth - Two-Factor Web Authentication with a Bookmark

5,501

Published on

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
5,501
On Slideshare
0
From Embeds
0
Number of Embeds
3
Actions
Shares
0
Downloads
63
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

BeamAuth - Two-Factor Web Authentication with a Bookmark

  1. 1. BeamAuth Two-Factor Web Auth with a Bookmark Ben Adida Harvard University CCS 2007 – Alexandria, VA 30 October 2007
  2. 2. Can we improve web security without upgrading the browser?
  3. 3. Sad State of Web Auth
  4. 4. Sad State of Web Auth
  5. 5. Sad State of Web Auth
  6. 6. Sad State of Web Auth
  7. 7. SSO makes things worse
  8. 8. SSO makes things worse
  9. 9. SSO makes things worse
  10. 10. SSO makes things worse
  11. 11. SSO makes things worse
  12. 12. Update the Browser - Dynamic Security Skins [DT2005] secure password-based key exchange new browser chrome to auth web site. - PwdHash [RJMBM2005] domain-specific password pre-processing. - MS CardSpace change the entire auth infrastructure built into the operating system.
  13. 13. Can We Do Something Now?
  14. 14. Can We Do Something Now? HTTP
  15. 15. Can We Do Something Now? HTML & JavaScript HTTP
  16. 16. Can We Do Something Now? Application Code HTML & JavaScript HTTP
  17. 17. Can We Do Something Now? Application Code HTML & JavaScript HTTP
  18. 18. Can We Do Something Now? - The web is a (limited) platform Application Code HTML & JavaScript HTTP
  19. 19. Can We Do Something Now? - The web is a (limited) platform Application Code - Can we build better security in the application layer? HTML & JavaScript HTTP
  20. 20. Can We Do Something Now? - The web is a (limited) platform Application Code - Can we build better security in the application layer? HTML & JavaScript - Maybe by hijacking certain HTTP features for security purposes? (Active Cookies, Subspace, ...)
  21. 21. Can We Do Something Now? - The web is a (limited) platform Application Code - Can we build better security in the application layer? HTML & JavaScript - Maybe by hijacking certain HTTP features for security purposes? (Active Cookies, Subspace, ...) Goal: preventing easy phishing
  22. 22. The General Idea Setup Phase Login Phase
  23. 23. The General Idea Setup OpenID Phase Server Alice Login Phase
  24. 24. The General Idea Setup proof of identity OpenID Phase Server Alice Login Phase
  25. 25. The General Idea Setup proof of identity OpenID Phase Server Alice token Login Phase
  26. 26. The General Idea Setup proof of identity OpenID Phase Server Alice token Login Click Your BeamAuth Phase Login Button
  27. 27. The General Idea Setup proof of identity OpenID Phase Server Alice token Login Click Your BeamAuth Phase Login Button
  28. 28. The General Idea Setup proof of identity OpenID Phase Server Alice token Username benadida Login Click Your Password BeamAuth Phase Login Button log in
  29. 29. The General Idea Setup proof of identity OpenID Phase Server Alice token Username benadida Login Click Your Password BeamAuth Phase ********** Login Button log in log in
  30. 30. The General Idea Setup proof of identity OpenID Phase Server Alice token Username benadida Login Click Your Welcome, Password BeamAuth Phase Ben Adida. ********** Login Button log in log in
  31. 31. Let’s Build this Button!
  32. 32. Let’s Build this Button! - Browser add-on not an easy solution for most users complexity of add-on across browsers significant trust delegated to the login site
  33. 33. Let’s Build this Button! - Browser add-on not an easy solution for most users complexity of add-on across browsers significant trust delegated to the login site - Bookmark Delicious, etc. use bookmarks as buttons can we do the same for security? BookMark Auth = BM Auth = BeamAuth
  34. 34. JavaScript Bookmarks
  35. 35. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location);
  36. 36. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’);
  37. 37. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’);
  38. 38. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’); javascript: if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’); }
  39. 39. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’); javascript: if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’); }
  40. 40. JavaScript Bookmarks javascript:document.location=‘http://del.icio.us/ add?u=’ + encodeURIComponent(document.location); javascript:beamauth_token(‘x737csd23’); javascript: if (document.location.hostname == ‘myopenid.com’){ beamauth_token(‘x737csd23’); } Cannot trust the JavaScript Computing Base
  41. 41. The URL Fragment Identifier http://site.com/page#paragraph
  42. 42. The URL Fragment Identifier http://site.com/page#paragraph - used to designate a portion of a page browser scrolls to the appropriate location.
  43. 43. The URL Fragment Identifier http://site.com/page#paragraph - used to designate a portion of a page browser scrolls to the appropriate location. - never sent over the network but accessible from JavaScript
  44. 44. The URL Fragment Identifier http://site.com/page#paragraph - used to designate a portion of a page browser scrolls to the appropriate location. - never sent over the network but accessible from JavaScript - navigation between fragments does not cause a page reload.
  45. 45. Fragment in a Bookmark http://login.com/login#[benadida|8x34202]
  46. 46. Fragment in a Bookmark http://login.com/login#[benadida|8x34202] var hash = document.location.hash; if (hash != ‘’) { // parse the hash, get username and token process_beamauth_hash(hash); // clear the hash from the URL document.location.replace(‘/login’); }
  47. 47. The BeamAuth Ritual
  48. 48. The BeamAuth Ritual
  49. 49. The BeamAuth Ritual
  50. 50. The BeamAuth Ritual
  51. 51. The BeamAuth Ritual
  52. 52. The BeamAuth Ritual
  53. 53. The BeamAuth Ritual
  54. 54. The BeamAuth Ritual
  55. 55. Attacks - Trick User into Not Clicking Bookmark password compromised, token safe. - Lock User into Site password compromised, token safe. - Maliciously Replace Bookmark password compromised, token safe. - Pharming all compromised. - “Drag-and-Drop” Attack all compromised on Firefox.
  56. 56. Comparison to Long-Lasting Cookies - Second-channel setup – though long- lasting cookies could do the same thing there. - Synchronization across browsers using existing bookmark-sync tools. - Better behavior for non-SSL sites
  57. 57. BeamAuth: Summary - Bookmark as second authentication factor - Token delivered via a separate channel (email) - Use the fragment identifier to store token - Tweaked Login Ritual: whisk users to safety
  58. 58. Can we do more? - The fragment identifier might be used for more tricks. - JavaScript bookmarks may be useful for security. - Security in the app layer: help evolve the browser platform without anticipating all security requirements. generalize concept of site-specific extension?
  59. 59. Questions? ben@eecs.harvard.edu http://ben.adida.net/projects/beamauth/
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×