Conventional website authentication model, its weaknesses and alternatives
Posted by davitb on September 27th, 2009
This article discusses the problems of the authentication schemes that websites and browsers use when a user logs in to a website.
The following topics will be covered:
- Conventional user and website authentication model
- Weak points of password based authentication
- Weak points of website authentication
- Alternative ways for user authentication in websites
Note that by the term “conventional” we mean the most popularly used authentication scheme – username/password.
Conventional user authentication model
The conventional authentication scheme for websites and users is based on two steps:
- User’s internet browser authenticates the website with PKI (through SSL)
- Website authenticates the user with username and password
Currently most websites require only a username and password for user authentication, although it is obvious that the data they store on their web servers, and the services they provide, require much stronger security than passwords can offer.
Weak points of password based authentication
Passwords are prone to many attacks, such as:
- Weak passwords
- Although there are many recommendations for constructing more secure passphrases, these recommendations don’t have the desired effect, as users usually give higher priority to remembering the password than to making it secure
- Social Engineering based attacks
- Passwords are usually built around personal characteristics of the user (names, birthdays) or of their friends or relatives
- This makes it easy to retrieve a password with basic social engineering
- Users tend to write their passwords on paper and keep it somewhere close to the computer
- Phishing attacks
- The user’s credentials (username and password) can be obtained by conducting phishing attacks. These will be discussed in detail later in this article.
- Pharming attacks
- The concept is very similar to a phishing attack. The following link provides a thorough explanation of this type of attack:
http://en.wikipedia.org/wiki/Pharming
- Malware steals the password
- Man-in-the-browser malware can easily obtain the user’s password after it is submitted through the HTML form
- Keyloggers can easily obtain the user’s password while it is being typed into a password field
- Man-in-the-middle malware can easily obtain these passwords (if SSL is not used for website authentication)
It is also important to mention that passwords provide only the “something you know” authentication factor, and if this knowledge is stolen, the attacker has access to any data and operation that the user has access to.
Having said all this, it is obvious that password-based authentication cannot remain the primary scheme for websites that keep sensitive information about users or provide valuable services (such as financial or privacy-related ones).
Weak points of website authentication
Although PKI-based SSL authentication provides very strong trust when visiting websites, there is still one issue that remains unresolved for internet users and websites: the problem of phishing. A user who enters a website doesn’t pay enough attention to the website’s name and is thus prone to quite obvious attacks.
Browser developers haven’t yet invented a proper way to notify the user about the identity of the website she is entering (identity can be the website name or something else that describes it uniquely… can you think of a better way to identify a website than the URL?). For example, if you see a link named “pEypal.com” you may well not notice it, treat it as “paypal.com” and just trust it. This is actually what phishing attacks are based on.
In my opinion this problem has two major parts. The first is in the browser and the second in the website’s identity.
- Browser developers must convince the user to always pay attention to the identity (currently the URL) of the website they are visiting
- Websites (or the Web) must invent a new approach to website identity
So the fact is that although website authentication is based on the strongest cryptographic algorithms and protocols, it is still not perfect. Let’s discuss here how phishing attacks work.
- The attacker creates a website with a name similar to the original one (for paypal.com it would be something like peypal.com)
- The attacker sends a message (e-mail) to the user in Paypal’s name and asks the user to visit www.peypal.com for more information.
- Peypal.com has a user interface very similar to paypal.com, and the user likely won’t notice that this is not the real paypal.com
- The user provides her username and password; peypal.com first stores this information internally and then forwards it to the original paypal.com
- The user is logged in to paypal.com and does not suspect that her credentials have been stolen
- Refer to the following resource for more information about these popular attacks:
http://en.wikipedia.org/wiki/Phishing
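The post argues that users (and browsers) fail to notice that “peypal.com” is not “paypal.com”. As an added example that is not part of the original post, the following defender-side check flags a host name that looks like a trusted site but is not it; the trusted list, the confusables table and the sample hosts are constructed for illustration, and the last-two-labels rule is a simplification that ignores multi-part public suffixes.

```python
import unicodedata
from difflib import SequenceMatcher

# Added example (not from the original post): a defender-side check that flags a
# host name which looks like a trusted site but is not it, the "peypal.com" case
# from the post. The trusted list, the confusables table and the sample hosts
# used with it are constructed for illustration.
TRUSTED_DOMAINS = ["paypal.com", "example.org"]

# A few characters that render alike in common fonts (illustrative only, not the
# full Unicode confusables table): digits, "rn" for "m", Cyrillic a, e, o, p, c.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m",
               "\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c"}


def registrable_domain(host: str) -> str:
    """Last two labels, e.g. 'www.peypal.com' -> 'peypal.com'. (Simplification:
    multi-part public suffixes such as co.uk would need a public suffix list.)"""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def skeleton(domain: str) -> str:
    """Reduce a domain to what the eye sees: decode punycode (xn--) labels,
    strip accents, then fold confusable characters onto their Latin look-alike."""
    try:
        domain = domain.encode("ascii").decode("idna")   # xn--... -> Unicode
    except UnicodeEncodeError:
        pass                                              # already Unicode
    decomposed = unicodedata.normalize("NFKD", domain)
    domain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES.items():
        domain = domain.replace(src, dst)
    return domain


def lookalike(host: str):
    """Return the trusted domain that `host` impersonates, or None if it is
    either a trusted site itself or unrelated to all of them."""
    host = host.lower()
    reg = registrable_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None                              # the genuine site
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:                      # paypal.com.evil-example.net
            return trusted
        if skeleton(reg) == skeleton(trusted):   # paypa1.com, Cyrillic 'a'
            return trusted
        if SequenceMatcher(None, reg, trusted).ratio() >= 0.8:   # peypal.com
            return trusted
    return None
```

A mail gateway or browser extension would run `lookalike` over every link a user is about to follow and warn on a non-None result.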
Alternative ways of user authentication by websites
In spite of the weaknesses we have mentioned, password-based authentication is still the most popular authentication scheme, used by everyone on the Web: financial institutions, social websites, e-mail providers, etc. Of course the reason for this is not that website developers are unaware of these problems. The problem is that secure alternative approaches require specialized hardware or software which users are not willing to buy and install.
The security of the user authentication model could be strengthened significantly by integrating specialized hardware such as OTP (one-time password) tokens, PKCS#11 tokens or biometric devices (although these still have privacy-related problems), together with the corresponding software components. However, these hardware tokens cost money and users, as a rule, are not willing to pay for them, even if they don’t cost much. Users also don’t want to download and install software components (applications, browser plugins) for this purpose, because they don’t trust these applications. So how can this problem be solved?
I think the only way to solve it is to use the power that ODMs (original design manufacturers) have. ODMs have full control of the hardware and software that is installed by default on laptops and PCs. If they decided to integrate a hardware token (and accompanying software) into laptops by default, the above-mentioned problem would be solved automatically. Users would obtain a much higher level of security with such systems.
A good example of such a hardware token is a fingerprint reader, which is already on its way to becoming mainstream in the laptop market.
Let’s summarize the alternative ways in which hardware tokens or software components can provide better user authentication:
- Hardware tokens with OTP support
- RSA SecurID, Vasco, Yubico, etc.
- Cryptographic tokens which support PKCS#11
- The website could fully support PKI and provide each user with a certificate
- The user’s private key would be embedded in a PKCS#11-enabled hardware token
- In this case, two-sided (mutually authenticated) SSL would be established between the user’s machine and the website when the hardware token is connected to the system
- An additional factor would be added to the authentication scheme if this hardware token generated an RSA signature only when, for example, the user provides pre-enrolled biometrics (such as swiping an enrolled finger)
- Special software could be installed on the user’s machine to provide better authentication for users
- As mentioned before, the problem with this solution is that users usually don’t want to download and install unknown software from the web
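The first alternative above is an OTP token. As an added example that is not part of the original post (and not the code of any of the vendors named), here is the server side of such a scheme: HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238), the open standard behind OATH tokens, with a verification routine that shows why a captured one-time code is useless to a phisher or keylogger. The shared secret is the RFC 4226 test-vector secret, used here purely so the output can be checked against the RFC.

```python
import hashlib
import hmac
import struct

# Added example (not from the original post): server-side generation and
# verification of one-time passwords per HOTP (RFC 4226) and TOTP (RFC 6238).

# Shared secret provisioned into the token at enrollment. This is the RFC 4226
# test-vector secret "12345678901234567890", chosen so results are checkable.
SHARED_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value for a counter: HMAC-SHA1 followed by dynamic truncation."""
    msg = struct.pack(">Q", counter)               # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP over the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(at_time) // step, digits)


def verify_hotp(secret: bytes, submitted: str, last_counter: int, window: int = 5):
    """Server-side check with a small look-ahead window, so a few token presses
    that never reached the server do not lock the user out. Returns the new
    counter to persist, or None if the code does not match. Counters at or below
    last_counter are never accepted, so a one-time code captured by a phishing
    site or keylogger and replayed later is rejected.
    """
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), submitted):
            return c
    return None
```

The server must store the returned counter before answering the client; accepting a code without advancing the counter reopens the replay window.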


September 27th, 2009 at 11:34 am
Hi, I was interested in phishing. Can it be the case that somebody stays in your private network and tweaks the local gateway/DNS server, so that when your browser requests to open http://www.paypal.com, instead of navigating to the real IP of the PayPal service it navigates to some phony IP which has a website with a very similar interface to the real one (just like in your example)?
Do you know any ways to identify such kinds of attacks?
September 27th, 2009 at 1:16 pm
Hi Ruben, good question.
Actually the attack vector you described has a similar concept to phishing but falls into another category, called pharming.
You can find a lot of interesting information about pharming and anti-pharming in the following resources:
Wikipedia: Pharming
Wikipedia: Anti-Pharming
October 1st, 2009 at 5:44 am
I don’t know If I said it already but …Hey good stuff…keep up the good work! :) I read a lot of blogs on a daily basis and for the most part, people lack substance but, I just wanted to make a quick comment to say I’m glad I found your blog. Thanks,)
A definite great read..Jim Bean
November 1st, 2009 at 7:51 pm
Another variant is also possible
November 2nd, 2009 at 2:29 pm
Lemnainomek, what do you mean by saying another variant?