tags:

views:

209

answers:

4
+4  Q: 

Can you spot a vulnerability in my authentication protocol?

Some time ago we needed a solution for Single Sign On authentication between multiple web services. At least at that time we considered OpenID protocol too complicated and we were not convinced about the Ruby on Rails plugins for it. Therefore we designed a protocol of our own instead of implementing an OpenID provider and OpenID consumers.

I have two questions:

  1. Was it a bad thing not to create our own OpenID provider and setup our OpenID consumers accept only it? Public login or registration are not allowed and we wanted to keep authentication simple.

  2. Can you spot a crucial error or a vulnerability in the following design?

If you as a commune can approve this design, I will consider extracting this code into a Ruby on Rails plugin.

Please look at the flowchart and sequence diagram.

Details:

Authentication Provider ("AP"):

  • Central service which holds all data about the users.
  • Only one "AP" exists in this setup.
  • It could be possible to have multiple "AP"s, but that should not be relevant in this context.
  • "AP" knows each "S" beforehand.

Authentication Client (Service "S"):

  • There exists several internal and external web services.
  • Each service knows "AP" and its public key beforehand.

Actor ("A"):

  • The end user who authenticates herself with AP by a username and password
  • May request directly any URI of "S" or "AP" prior to her login

Connections between "A", "S" and "AP" are secured by HTTPS.

Authentication logic described briefly:

These are a description for the graphical flowchart and sequence diagram which were linked at the top of this post.

1) Auth Provider "AP"

  • "AP" makes a server-to-server HTTP POST request to "S" to get a nonce.
  • "AP" generates an authentication token.
  • Authentication token is an XML entity which includes:
    • an expiration date (2 minutes from now),
    • the previously requested nonce (to prevent replay),
    • identifying name of "S" (token for Service_1 is not good for Service_2),
    • information about the end user.
  • Authentication token is encrypted with AES256 and the encryption key and initialization vector are signed by AP's private RSA key.
  • Resulting strings ("data", "key" and "iv") are first Base64 encoded and then URL encoded to allow them be delivered in the URL query string.
  • End user "A" is HTTP-redirected to service "S" (HTTPS GET request).

2) Service "S"

  • Receives authentication token in URL parameters from user agent.
  • Decrypts authentication token with AP's pre-shared public key.
  • Accepts one authentication token only once (token includes a nonce which is valid only once).
  • Checks that identifying name in authentication token corresponds to service's name.
  • Checks that authentication token is not expired.

Remarks:

It is not a problem if somebody else can also decrypt the authentication token, because it contains no confidential information about the user. However, it is crucial that nobody else than AP is able to generate a valid authentication token. Therefore the RSA key pair is involved.

RSA private key is used only for signing the token, because it cannot encrypt data which is longer than the actual key length. Therefore AES is used for encryption.

Since the authentication token is delivered as an HTTP GET request, it will be stored e.g. in Apache's log file. Using a disposable nonce and an expiration date should minimize the possibility of a replay attack. POST request would need an HTML page with a form which is submitted automatically by Javascript, which is why GET is used.

Service "S" generates a nonce only in a server-to-server API request. Therefore unauthenticated generation requests should not pose a DoS-vulnerability.

+3  A: 

Here are a few quick thoughts about question 1:

  • Designing a working security protocol is very hard, so on general principle I would favor using an existing one.

  • However, I appreciate that OpenID might not have been very established at the time. Also OpenID is still relatively new and might not have all of its limitations figured out yet.

  • Still, you'd be using OpenID in a restricted scenario where the big issue of OpenID (involvement of multiple actors) doesn't come into play. You'd only be using the “technical core” of OpenID, which is easier to understand.

  • Your requirements and the overview of your protocol remind me of Kerberos. I'm also tempted to push towards LDAP + single sign on, but I don't know what concrete solutions exist for that.

  • A point in favor of your protocol is that you've taken the time to describe it in detail. Just that puts you above than most self-made security protocol designers!

Gilles  2010-08-17 14:40:46
Thank you for sharing your thoughts on OpenID! I am taking a look on OpenID microformats (http://microformats.org/wiki/openid-brainstorming) as well as Shibboleth, OAuth and LDAP for service authorization (or combined authorization+authentication). There also exists an interesting OpenID extension under development: http://wiki.openid.net/OpenID-and-OAuth-Hybrid-Extension
Petrus Repo  2010-08-18 14:12:59
+1  A: 

Do you really just sign AES key and then send encrypted token, RSA signature of key and then key-iv in PLAINTEXT?

It's a fail. Attacker can use this key to decrypt a token, change it in any needed way and encrypt back. Your server will never find a difference.

If you want to check token integrity, just make a hash of it and sign this hash. This is what hashes used for. No need to use encryption here.

blaze  2010-08-17 14:41:40
Oops, missed use of HTTPS. Then don't bother with AES/RSA at all, you can establish mutual Client-Server authentication in HTTPS, with certificates on both of them. It will be perfectly secure data pipe.
blaze  2010-08-18 05:25:30
Service "S" needs the actual XML-information contained in the token. Therefore it cannot be only a hash. However, "AP" encrypts the AES key and AES iv with its RSA private key, so the AES message cannot be changed or modified without knowing the RSA private key. Otherwise "S" will not be able to decrypt the AES key with the pre-shared RSA public key of "AP".
Petrus Repo  2010-08-18 09:32:26
After response of @tc I finally understood correctly what you wrote in the second chapter. This was a correct answer too!
Petrus Repo  2010-08-19 08:00:51
+2  A: 

In short I find this protocol to be over engineered in the wrong places and ultimately vulnerable to attack.

So What is the vulnerability?

End user "A" is HTTP-redirected to service "S" (HTTPS GET request).

This is likely to be a violation of OWASP A9. At no point can a user's session ID be passed over an insecure channel such as http. Even if the session id hasn't been authenticated yet, an attacker is patient he can sniff the wire looking for session id's and then periodically check if they have been authenticated and then use them to access your system.

"Complexity is the worst enemy of security."

--Bruce Schneier

Authentication token is encrypted with AES256 and the encryption key and initialization vector are signed by AP's private RSA key.

First of all RSA can be used to encrypt a message, so aes is unnecessary. HTTPS on the other hand is going to be more efficient and proven to be secure. I don't understand why you have to pass an authentication token to the client, when you already have a secure server-to-server communication channel. A server could just say "Hey someone has been redirected to me with this session id, what is his state information?". Its a matter of the weakest link in the chain, and your session id should be strong enough. This would require the session id to be sent as a GET or POST request by the client when the hand off occures which could open the door to Session Fixation. You could check the ip address before and after the handoff, sometimes the ip address of the client can change legitimately but the handoff is going to be a very narrow window in which this can happen, and most importantly it is stops Session Fixation altogether.

In general you should avoid re-inventing the wheal. Especially when it comes to security problems like this which have already been solved. Kerberos is beautiful especially if you need to tie in non-http authentication. Using LDAP for session management is another possibility.

Rook  2010-08-17 17:07:40
I need to clarify two points:1) Session ID is not passed between "AP" and "S". Instead, a disposable and signed authentication token is transferred over HTTPS from "AP" to "S" in URL's parameters by the browser. If an attacker can sniff the token over HTTPS, he can as well sniff the username and password.A token can be used only once. The session between the end user and "S" will be created only if "S" accepts the token (if it can decrypt token's AES key using "AP"'s RSA public key)."AP" and "S" cannot share the same session because they may be on different domains and different servers.
Petrus Repo  2010-08-18 09:06:17
2) RSA keypair can only encrypt a message which is not longer than the key length. With 1024-bit RSA key the maximum size of an encrypted message is (apparently) 117 bytes. Since the encrypted message is an XML entity, we could not have the possibility of it growing longer than the key length. Therefore the XML-message is encrypted symmetrically with AES, and AES's key is encrypted asymmetrically with RSA private key. Therefore, if "S" is able to decrypt the AES key using "AP":s pre-shared public key, the encrypted message must have been sent by "AP" and it's XML-contents can be trusted.
Petrus Repo  2010-08-18 09:08:40
HTTPS prevents sniffing, you can count on that. You are correct about RSA, but what cipher mode are you using with AES? Do you know how easy it is to mess this up? This still strikes me as a violation of the "weakest link in the chain". I don't see how this complex interaction is more secure than a simple cryptographic nonce to identify an individual browser. Servers can pass xml between each other, why expose your self to risk of brute force or a key being exposed or a problem with implementation? Cryptography should only be used when there is absolutely no other option.
Rook  2010-08-18 09:15:25
The authentication token is needed because the environment is distributed. There must first be an authenticated session with "AP" and the end user *before* there can be a session with "S" and the end user. There are multiple "S" services on different networks. I also have an academic interest on this subject. :) I will take a closer look on OpenID microformats and the relevance of Shibboleth, Kerberos and LDAP. Thank you for your answer!
Petrus Repo  2010-08-18 09:17:15
@Petrus Repo A wise cryptographer knows when cryptography isn't the right tool for the job.
Rook  2010-08-18 09:18:33
@Petrus Repo Cool, you should check out this wiki page: http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation . I also recommend grabbing a copy of "Piratical Cryptography", it has a few chapters devoted to symmetric ciphers because so much can go wrong. Very good reading material :)
Rook  2010-08-18 09:20:50
@Rook, I think that the conclusion could be, that instead of passing this XML entity via end users browser, it should be sent behind the scenes in a server-to-server communication - as you wrote. However, this was a thing we wanted to avoid (at that time), because there were multiple legacy systems and we did not want to refactor their implementation too much.
Petrus Repo  2010-08-18 09:21:49
+3  A: 

You're confusing authentication ("I am who I say I am") and authorization/access control ("I am allowed to access this"). You can just implement OAuth, and then query a server over HTTPS with "is this OAuth identity allowed to access me?". You don't have to worry about replay attacks, since you're using HTTPS.

"Security is hard, so I'll design my own."

Authentication token is encrypted with AES256 and the encryption key and initialization vector are signed by AP's private RSA key.

AES-256 and AES-192 have weak key schedules. But you're not using it for confidentiality; you're using it as some sort of "integrity" check. It doesn't work: Attacker gets a "signed" authentication token. Attacker recovers the key and IV. Attacker encrypts a different authentication token with the same key and IV, and uses the same "signature".

What's wrong with hashing it and signing the hash? Also note that if you're going to use custom signing, you need to be careful about padding (IIRC PKCS-whatever adds at least 11 bytes).

EDIT: And if you're using a cipher where you should be using a hash/MAC, you really shouldn't be designing a security protocol!

tc.  2010-08-19 02:44:15
You are right! "Attacker encrypts a different authentication token with the same key and IV, and uses the same 'signature'." Goddamnit, I have an inherently insecure design. Thank you for spotting this out!
Petrus Repo  2010-08-19 07:59:34
-1 aes256 is still a NIST approved algorithm, the attack is theoretical and there for a non issue. The IV must be transmitted with the message similar to WEP/WPA, no recovery necessary. Also the hash is unnecessary, a session id alone is good enough. So tell me, how do you like technicalities? At least my complaints actually apply to the question.
Rook  2010-08-20 00:17:17
@tc. also read about AES-CMAC.
Rook  2010-08-20 00:19:04
By "recover" I meant "decrypt" with the public key. Usually this is called "verifying", but that involves a verification step (check h(m) = d(sig)). A MAC is not what's required here, since AP and S don't have a shared secret. And Bruce Schneier recommends not using AES-256, which is good enough for me: http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
tc.  2010-08-20 15:39:53
Also, I'll state my (not very well) implied assertion: AES-128 is likely to provide better security for the forseeable future than AES-192 or AES-256. There's a trend for "theoretical" attacks to quickly become practical after a few years (just see MD5 and SHA-1, and even AES). And DES was only pulled nearly 8 years after it was publically cracked.
tc.  2010-08-20 15:51:23

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security