Web Server Design Week 13

Web Server DesignWeek 12

Old Dominion University

Department of Computer Science

CS 495/595 Spring 2010

Martin Klein <mklein@cs.odu.edu>

3/31/10

Problems with BasicAuthentication

•Password sent in clear

•Cannot authenticate the server to the client

–e.g. “phishing” attacks

–uid/passwd may be used at other sites too

Digest Authentication

•Does:

–securely transmit the password

–bi-directional authentication

•But does not protect the session!!!

–“https” uses 1 of:

•Transport Layer Security

–http://www.ietf.org/html.charters/tls-charter.html

•Secure Socket Layer

–http://web.archive.org/web/20080410061639/http://wp.netscape.com/eng/ssl3/

Replay Attacks

•Eavesdrop on the unencrypted c/s conversation

•With basic, the bad guy has access to all URIsprotected with that u/p

•With digest:

–replay is limited to the resource the bad guy alreadyoverheard

–the vulnerability “window” is determined by the noncevalue

•PUT/POST methods need stronger nonce values (e.g., one-time use) and/or qop=auth-int

Multiple Authentication Schemes

•According to section 14.47 of RFC 2616 (andsection 4.6 of RFC 2617), a single “WWW-Authenticate” header can provide more than 1challenge

–it is up to the client to choose the strongest challenge itunderstands

–(n.b., I’m not sure how to do this with Apache; we willnot issue multiple challenges in our project)

RFC 2616, sec. 14.47:

… User agents are advised to take special care in parsing the WWW-

Authenticate field value as it might contain more than one challenge,

or if more than one WWW-Authenticate header field is provided, the

contents of a challenge itself can contain a comma-separated list of

authentication parameters.

Dictionary Attacks

•Digest authentication offers no real protection againstpoorly chosen passwords

–grabbing the nonce/response pair(s), eavesdropper canquickly run through a dictionary of common passwordstrying to recreate the response

•Dictionary = {root,$user,$user$user,reverse($user),Spock,Whorf,Gandalf,eagle,mustang,password,mypassword,123,asdf,fluffy,fido,…}

•Make dictionary attacks harder with salt.

# user format = name:realm:md5(name:realm:password)

mklein:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08

# user format = name:realm:md5(name:realm:password:salt):salt

mklein:Colonial Place:e65c90343b763abb9e442dd03ae79aac:12

Man in the Middle

•A corrupted proxy (or a “phishing” server) couldrequest your credentials:

–basic: now it has your passwd (good for all URIs)

–digest: it has authentication for a single URI

•The very existence of “basic” is a problem

–passwords are often shared among domains, realms,auth methods

–client s/w & users have to be smart

Chosen Plaintext Attack

•MITM attacks (or phishing server) have control ofgenerating the nonce values

–knowing the original input makes cryptoanalysis a littlebit easier:

•http://web.archive.org/web/19970607055704/http://www.rsa.com/rsalabs/pubs/cryptobytes/spring95/md5.htm

•“Cribs”

–http://www.cs.miami.edu/~harald/enigma/

–http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma

– client can counter w/ cnonce, since MITM will notknow what the original input was for the cnonce value

Batch Bruce Force Attacks

•Variation on the plaintext attack:MITM/phisher collects multiple responsesfrom multiple users for the same nonce

•Time to find first passwd decreases by thefactor of the known nonce/response pairs

Precomputed Dictionary Attack

•Combination of dictionary + plaintext

•Compute a dictionary of (response,passwd)pairs for the known nonce value(s)

•Computation can be done in parallel onzombie machines

Password Files

•Even though the server (Apache) stores passwordsin the form of:

–user:realm:md5(user:realm:passwd)

•if the passwd file is compromised (e.g., filesystemaccess), then the URIs in that realm arecompromised

–password does not need to be guessed

–treat this passwd file as if the passwds are in the clear(unlike standard unix passwd file)