ISG Distance Learning Weekend Conference 2011 Website Credential Storage and Two-Factor Web Authentication with a Java SIM Sunday 11th September 2011 Jon Hart, Network and Systems Manager, Information Security Group Royal Holloway University of London [email protected] http://www.scc.rhul.ac.uk/ Introduction and Acknowledgements • MSc dissertation • Smart Card Centre – Dr Kostas Markantonakis ([email protected]) – Dr Keith Mayes ([email protected]) • Telefónica Europe plc (O2) – Development SIM cards Overview 1. 2. 3. 4. 5. 6. 7. 8. 9. The problem with passwords Why use a mobile phone and SIM for authentication? The Proposed schemes System architecture Web credential storage and authentication (Scheme 1) Two-factor OTP authentication (Scheme 2) Security Analysis Conclusions Practical implementation and a demonstration The problem with passwords • Password proliferation – Exponential growth in the number of (web-based) e-commerce, entertainment and social networking services in the last decade – Many of these services authenticate a user by a username and password – How many passwords does the typical web user need to manage? • 15 years ago, perhaps one or two? • Me: About 40.. Perhaps I’m not typical! • Survey in 2001 suggests 15 on a daily basis • Some users report having in excess of 100 accounts! The problem with passwords • Research by Adams and Sasse report that the average user can typically only use 4 or 5 unrelated password successfully • User coping strategies – Use the same (or similar) passwords on multiple web site – Recent Sophos survey has showed that 81% of users use do this! – Users may not realise that by reusing password on multiple sites the security of a well protected account is only as good as that of the poorly protected account. Described as the “Domino Effect” by Blakes Ives etc. al. Example: Rockyou.com – Users also often choose poor passwords that are easier to remember.. The problem with passwords – solutions? • Use a password manager – A web browser plugin or software application that enables passwords to be stored in a database on a users computer or the internet – Default passwords managers supplied with IE and Firefox fail to adequately protect users credentials from Trojan’s or other users of the computer – Online password managers would appear to be a good solution, however reliant on vendors claims about security • Alternatives – E.g. Single Sign On (SSO) - OpenID, Windows Live ID (.NET passport), SPP (Gouda et. al) – May require trust in third-party – Require significant changes to server infrastructure, slow adoption – Most websites still use password and use is likely to continue for the foreseeable future Two-factor authentication • Two-factor authentication – Typically used by financial institutions – User enters something they know (username/password) and something they have – often a One Time Password (OTP) from a hardware token or reader • Not all card readers are compatible (users may require multiple readers/tokens) • Other implementations in software (on mobile phone) or use SMS to provide OTPs Summary • Proliferation of passwords required for an ever increasing number of internet services – Problem of choosing and remembering a large number of secure passwords – PC based password managers may not be secure or require trust in third party – Alternative solutions require significant changes to web server infrastructure and/or trust in third party • Two-Factor authentication – Inconvenience of often incompatible two-factor authentication tokens or readers – Software implementations subject to Trojans – SMS implementations subject to eavesdropping / hijack of subscribers number Why use a mobile phone and SIM for authentication? • Mobile phone – Portable, ubiquitous, high user acceptance – No need to carry additional hardware tokens – Theft is likely to be reported immediately • SIM Card – Secure tamper resistance device – Can be easily transferred between handsets as required – Java SIM enables Java Applets to be developed to run on SIM card • Applets are firewalled • Applet lifecycle well defined • Applet can generate keys (e.g. RSA key pair) when applet loaded • Network operator has control of SIM and applets on SIM • Why not software app on the phone (Java MIDP, Symbian, Android, iPhone etc..)? – Phone operating system vulnerabilities, Trojans. Introduction • Propose two distinct authentication schemes, both using a mobile phone and SIM:Scheme 1 (Password authentication management) • Enables authentication credentials (username + password) to be stored and securely retrieved from a mobile handset and SIM • Main goal is to provide secure storage of authentication credentials, with minimal changes to existing infrastructure, i.e. it should work with existing web servers without any significant services • Should not require any special hardware on the user’s PC Scheme 2 (One-Time passwords) • A more secure scheme using One-Time Passwords (OTPs) generated within the SIM • For web services requiring an enhanced level of authentication, i.e. financial institutions • May optionally be used with Scheme 1, i.e. (storage of username + password and a OTP) System Architecture • SIM Application Toolkit (SAT) Applet The SAT Java Applet executes on the users SIM card. The applet provides credential storage and authentication services for the two authentication schemes. • Web Browser Extension (WBE) The WBE extension integrates into the users web browser, and receives credentials stored on the SAT Applet and enters them into the web page logon fields. • SMS Gateway Server (SMSGS) The SMSGS role is to translate mobile network SMS messages to and from the SAT applet to HTTPS commands that are sent over a TCP/IP based network. SMS messages are sent using secure GSM 03.48 Scheme 1 - Web credential storage and authentication Web credentials are stored on the user’s SIM card. The credentials are requested on-demand when a user visits a website requesting authentication. The protocol starts with a one off-initialisation step that sets up authentication and encryption keys for the remainder of the protocol. The user installs the WBE on a host PC and chooses a username U and passphrase P, from which an authentication hash AUTH and symmetric key WBE-SYM are created in volatile memory: WBE-SYM = h(P||U) AUTH = h (WBE-SYM) The above hashes are created using a collision resistant hash function such as SHA-256. WBE-SYM is used by the SAT applet to send credentials to the WBE. AUTH is used to authenticate the user to the SMSGS. Scheme 1 - Web credential storage and authentication (Initialisation phase) Web credentials are stored on the user’s SIM card. The credentials are requested on-demand when a user visits a website requesting authentication. Subscriber Handset + SIM and installed SAT applet SMS Gateway Server (SMSGS) Client web browser and Web Browser Extension (WBE) <User1, AUTH, N> <User2, AUTH, N> (PublicKeyRequest) (1.2) Confirm With PIN (U||AUTH||N) (1.1) (SAT-PUB) (SAT-PUB) (1.3) PKSAT-PUB(WBE-SYM) (1.4) PKSAT-PUB(WBE-SYM) PIN OK Store Key A istosent from the WBE to the(1.1) SMSGS to associate the username with The SAT applet responds to message (1.2) withSMSGS thekey, applets RSA public key SAT-PUB Inmessage response the receipt of message the stores a permanent user The WBE responds withby the WBE-SYM symmetric enciphered under theU SAT Message (1.4) followed PIN confirmation completes the initialisation phase. To mobile number N of inthe a database maintained by the (1.1)identified record in its database and sends athe message tohas theSMSGS. SAT created applet by mobile applet’s RSA via the SMSGS gateway. (1.4) and forwards itkey, via SMSGS WBE. (1.3) recap, at the end this phase ato user account been on the SMSGS and number requestingwith the the applet sends the WBE its RSA public key. (1.2) has beenN,associated user’s mobile number. A symmetric key has also be exchanged between the WBE and SAT applet. The initialisation phase is only carried out when the WBE passphrase is initially set or subsequently changed. Scheme 1 - Web credential storage and authentication (Login phase) Web credentials are stored on the user’s SIM card. The credentials are requested on-demand when a user visits a website requesting authentication. Subscriber Handset + SIM and installed SAT applet SMS Gateway Server (SMSGS) Client web browser and Web Browser Extension (WBE) <User1, AUTH, N> <User2, AUTH, N> (U||AUTH||S) (1.5) Confirm PIN PIN OK Send/Store credentials (GetCredential||S) (1.6) EWBE-SYM(CRED_UID||CRED_PWD) EWBE-SYM(CRED_UID||CRED_PWD) (1.7) The credentials are then enciphered the checks previous exchanged symmetric keyand WBEOn receipt of message (1.6) the may SATwith applet the internal credential Following initialisation the WBE request a user’s credentials for a webstore page by SYM and confirmation sent to the WBE. (1.7). supplying the username (derived with fromthe passphrase P; as following byU, theauthentication user enteringhash their AUTH PIN, responds user’s website credential before) and username the website CRED_UID hostnameand S to password the SMSGS. CRED_PWD. (1.5 and 1.6) If no credentials are On receipt of message the WBE deciphers the credentials currently stored the user(1.7) is given the opportunity to enter them. received using the preshared symmetric key and enters them into the web page logon form. This completes the protocol run. System Architecture • Authentication Server (AS) Third party institution operated AS. The AS shares an institution generated subscriber specific secret key with each subscribers SAT applet. The institution and SAT applet are the only two entities that share this secret Scheme 2 – Two-factor authentication scheme OTP password based challenge-response based scheme, where the SIM generates a response to a random challenge sent by the authentication institution Subscriber Handset + SIM and installed SAT applet SMS Gateway Server (SMSGS) Authentication Server (AS) SubsKey1 SubsKey2 If AS identity is stored Confirm with PIN PIN PIN OK PIN OK Send store AS response identity and seeding key PKSAT-PUB (AS-IDENTITY ||AS-RAND) ||AS-SEED) PK SAT-PUB(AS-IDENTITY ||AS-SEED) (2.1) PKSAT-PUB (2.2) SAT-PUB(AS-IDENTITY ||AS-RAND) MACAS-SEED(AS-RAND) MACAS-SEED(AS-RAND) (2.3) The SAT applet AS’s identity AS-IDENTITY and seeding key after Following thestarts onestores off-initialisation above, the AS authenticate user SIM AS receives message (2.3) and compares it may with a sends locally generated expected protocol with the a one off-initialisation step thatthen the AS OTP seeding key to decrypts message (2.2) using its private RSA key and ifaaAS-SEED, seedand value has confirming this with the user on the for handset by requesting aasks PIN. when requested by the Web Sever (WS), example tothe authenticate athe login, orRSA approve a response. If theaction SAT applet matches the expected response user and SIM the SAT applet. (The seeding keywith is enciphered under SAT applets public key, are been previously stored for anresponse AS identity AS-IDENTITY then to enter transaction. Anotherwise authentication message is the sent from AS to SAT applet. (2.2)run. authenticated, the authentication fails. Thisthe marks thethe end of the protocol SAT-PUB, in the same way as in previous scheme. The seeding key their PIN toobtained confirm the authentication. AS-SEED is the thenSAT sent to thegenerates SAT applet along withto the identity AS-IDENTITY Where AS-RAND is aapplet random number from a good and unpredictable source ofusing a If confirmed a response theAS’s challenge AS-RAND, randomness. keyed MAC function. (2.3) Security Analysis - 1 • RSA public key – use by both authentication schemes to exchange symmetric encryption keys used later on in the protocol • RSA private key – generated internally within the SIM, no external method provide to retrieve • NOTE: PKI is not implemented to verify the authenticity of the SIM’s public RSA key • Web authentication credentials are entered into the handset, and are only stored on the SIM • Credentials are encrypted – before they leave the SIM applet with the symmetric key of the destination entity. • End-to-end encryption and protection of credentials should the SMSGS be compromised • To guard against eavesdropping, man-in-the-middle and relay attacks: – Secure GSM 03.48 SMS – HTTPS (SSL/TLS) Security Analysis - 2 • Security of WBE? – May be vulnerable to screen scrapers, malicious plug-ins, Trojans as it does not operate within a secure environment – Same risks apply when entering credentials directly into the browser • For the two-factor authentication scheme each AS shares a user specific individual secret key with the SIM only. As a result, if an AS were compromised only the keys owned by that AS would be vulnerable • Both methods implement a PIN lockout function on the SAT applet to prevent exhaustive PIN search should the handset be lost or stolen Conclusions • Two novel authentication schemes presented Web credential storage and authentication • Does not require any modification to existing websites and reduces the risk of password re-use as a user no longer needs to remember their credentials for individual websites and can choose a more secure or ever randomly generated password • Protection against phishing attacks • Acknowledged that as the scheme still uses existing form based password authentication it is still subject to attacks in the web browser on this authentication method Two-factor authentication • Provides and enhanced level of authentication as the user’s SIM is authenticated in realtime using a random challenge generated by the authenticating parties AS • A single SIM could therefore replace the multiple and often incompatible OTP tokens and card readers Conclusions – Future work • Implement generation of passwords on the SIM • What happens if a SIM breaks or is stolen? – Currently all data and keys lost • A challenge to the wider scale implementation is network operators ownership and control of the SIM – Use a JAVA MIDP applet on the phone to implement UI functionality, but store credentials on the SIM (using a lightweight SAT applet or writing data directly to the SIM file system) – Security of MIDP applets not guaranteed as they execute within phone OS • Compromise security for accessibility? Practical implementation GSM modem GSM 03.48 Secure SMS SMS Response messages Mobile Equipment U(SIM) with SAT applet installed Forwarded Response Commands Request Commands HTTPS HTTPS Kannel SMS gateway Web Server PHP scripts Client web browser Web Browser Extension (WBE) SMS Gateway Server (SMSGS) Authentication Server (AS) • SMSGS implemented using broadband modem, to send and receive SMS messages and PHP web scripts to implement SMSGS application logic • PHP scripts hosted on Apache web server with mySQL database back-end for storage of data • Kannel open source SMS/WAP gateway used to send and receive SMS network messages – Almost complete control over bit and bytes in SMS headers, enabling ability to send and received GSM 03.48 secure SMS messages Practical implementation • SAT applet developed using Gemalto Developer Studio – Integrated Development Environment (IDE) – SIM emulator – Phone Emulator – SMS server simulator – Debugging and testing Practical implementation • Web Browser Extension (WBE) – Developed for Firefox, but could have been done in Internet Explorer or any one of the other popular browsers that supports extensions – Key technologies in Firefox extension development • XML User Interface Language (XUL) • Document Object Module • JavaScript • Together known as AJAX (Asynchronous JavaScript and XML) – WBE scan pages for login fields, characterised by a page containing a field with an HTML input field followed by an HTML password field, also copes with multiple forms on a single page. Demonstration • SAT applet loaded onto development SIM card using SIM alliance loader (< 10KB size) • Handset is a Nokia N95, also tested on much older handsets – Video 1: Authenticating against RHUL Outlook Web Access – Video 2: Adding a new set of credentials to the SIM for googlemail Questions? Any questions? Jon Hart M.Sc. M.Eng. MIET Information Security Group, Royal Holloway University of London (: +44 (0)1784 443111 *: [email protected] Website Credential Storage and Two-Factor Web Authentication with a Java SIM Sunday 11th September 2011