Web Server Design
Week 12
Old Dominion University, Department of Computer Science
CS 495/595, Spring 2010
Martin Klein <mklein@cs.odu.edu>
3/31/10

Problems with Basic Authentication
• Password sent in clear
• Cannot authenticate the server to the client
  – e.g. “phishing” attacks
  – uid/passwd may be used at other sites too

Digest Authentication
• Does:
  – securely transmit the password
  – bi-directional authentication
• But does not protect the session!!!
  – “https” uses 1 of:
    • Transport Layer Security
      – http://www.ietf.org/html.charters/tls-charter.html
    • Secure Sockets Layer
      – http://web.archive.org/web/20080410061639/http://wp.netscape.com/eng/ssl3/

Replay Attacks
• Eavesdrop on the unencrypted c/s conversation
• With basic, the bad guy has access to all URIs protected with that u/p
• With digest:
  – replay is limited to the resource the bad guy already overheard
  – the vulnerability “window” is determined by the nonce value
• PUT/POST methods need stronger nonce values (e.g., one-time use) and/or qop=auth-int

Multiple Authentication Schemes
• According to section 14.47 of RFC 2616 (and section 4.6 of RFC 2617), a single “WWW-Authenticate” header can provide more than 1 challenge
  – it is up to the client to choose the strongest challenge it understands
  – (n.b., I’m not sure how to do this with Apache; we will not issue multiple challenges in our project)

RFC 2616, sec. 14.47:
… User agents are advised to take special care in parsing the WWW-Authenticate field value as it might contain more than one challenge, or if more than one WWW-Authenticate header field is provided, the contents of a challenge itself can contain a comma-separated list of authentication parameters.
Dictionary Attacks
• Digest authentication offers no real protection against poorly chosen passwords
  – grabbing the nonce/response pair(s), an eavesdropper can quickly run through a dictionary of common passwords trying to recreate the response
• Dictionary = {root, $user, $user$user, reverse($user), Spock, Whorf, Gandalf, eagle, mustang, password, mypassword, 123, asdf, fluffy, fido, …}
• Make dictionary attacks harder with salt.

# user format = name:realm:md5(name:realm:password)
mklein:Colonial Place:53bbb5135e0f39c1eb54804a66a95f08

# user format = name:realm:md5(name:realm:password:salt):salt
mklein:Colonial Place:e65c90343b763abb9e442dd03ae79aac:12

Man in the Middle
• A corrupted proxy (or a “phishing” server) could request your credentials:
  – basic: now it has your passwd (good for all URIs)
  – digest: it has authentication for a single URI
• The very existence of “basic” is a problem
  – passwords are often shared among domains, realms, auth methods
  – client s/w & users have to be smart

Chosen Plaintext Attack
• MITM attacks (or phishing server) have control of generating the nonce values
  – knowing the original input makes cryptanalysis a little bit easier:
    • http://web.archive.org/web/19970607055704/http://www.rsa.com/rsalabs/pubs/cryptobytes/spring95/md5.htm
  – “Cribs”:
    • http://www.cs.miami.edu/~harald/enigma/
    • http://en.wikipedia.org/wiki/Cryptanalysis_of_the_Enigma
  – client can counter w/ cnonce, since MITM will not know what the original input was for the cnonce value

Batch Brute Force Attacks
• Variation on the plaintext attack: MITM/phisher collects multiple responses from multiple users for the same nonce
• Time to find first passwd decreases by the factor of the known nonce/response pairs

Precomputed Dictionary Attack
• Combination of dictionary + plaintext
• Compute a dictionary of (response, passwd) pairs for the known nonce value(s)
• Computation can be done in parallel on zombie machines

Password Files
• Even though the server (Apache) stores passwords in the form of:
  – user:realm:md5(user:realm:passwd)
• if the passwd file is compromised (e.g., filesystem access), then the URIs in that realm are compromised
  – password does not need to be guessed
  – treat this passwd file as if the passwds are in the clear (unlike standard unix passwd file)
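Worked example, added here and not part of the lecture: the RFC 2617 digest computation on both the client and the server side, showing the two points from the Replay Attacks and Password Files slides, namely that qop=auth-int makes a rewritten PUT/POST body fail verification where plain qop=auth accepts it, and that the stored HA1 line alone reproduces a valid response, so the password file must be treated as clear text. The user name and realm are the slide's; the password, the password-file line and the request values are constructed (the nonce and cnonce are the RFC 2617 example values).

```python
import hashlib
import hmac

def md5_hex(data) -> str:
    """MD5 hex digest of a str (UTF-8) or bytes, as RFC 2617 uses it."""
    return hashlib.md5(data.encode() if isinstance(data, str) else data).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    # This is all the server stores per user (user:realm:HA1); the password itself is never kept.
    return md5_hex(f"{user}:{realm}:{password}")

def ha2(method: str, uri: str, qop: str, body: bytes = b"") -> str:
    # qop=auth-int also binds the entity body; plain qop=auth covers only method and URI.
    if qop == "auth-int":
        return md5_hex(f"{method}:{uri}:{md5_hex(body)}")
    return md5_hex(f"{method}:{uri}")

def response(ha1_value: str, nonce: str, nc: str, cnonce: str, qop: str, ha2_value: str) -> str:
    return md5_hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2_value}")

# Constructed password-file entry: the password is made up, so the hash is not the slide's.
USER, REALM, PASSWORD = "mklein", "Colonial Place", "hunter2"
PASSWD_FILE = {USER: f"{USER}:{REALM}:{ha1(USER, REALM, PASSWORD)}"}

def server_verify(user, method, uri, nonce, nc, cnonce, qop, client_response, body=b""):
    """Server side: pull HA1 out of the stored line and recompute the expected response."""
    line = PASSWD_FILE.get(user)
    if line is None:
        return False
    stored_ha1 = line.split(":", 2)[2]          # realm may contain spaces, never ':'
    expected = response(stored_ha1, nonce, nc, cnonce, qop, ha2(method, uri, qop, body))
    return hmac.compare_digest(expected, client_response)

# Nonce/cnonce taken from the RFC 2617 example; nc=1 is the first use of this nonce.
NONCE, CNONCE, NC = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b", "00000001"

def post_accepted(qop: str, tampered: bool = False, client_ha1: str = "") -> bool:
    """Client signs a POST; a MITM may rewrite the body in flight. Passing client_ha1
    models a client that holds only the stored HA1 (e.g. from a leaked password file)."""
    method, uri, body = "POST", "/dir/index.html", b"amount=10"
    h1 = client_ha1 or ha1(USER, REALM, PASSWORD)
    resp = response(h1, NONCE, NC, CNONCE, qop, ha2(method, uri, qop, body))
    delivered = b"amount=99" if tampered else body   # what actually reaches the server
    return server_verify(USER, method, uri, NONCE, NC, CNONCE, qop, resp, delivered)
```

A stock RFC 2617 client computes HA1 as md5(user:realm:password) with no salt, so the salted file format on the Dictionary Attacks slide only works if the client can somehow learn the salt; with an unmodified client the server must keep the unsalted HA1 that this code verifies against.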