Internet Security for embedded devices

By Emanuel Corthay - EPFL

HTTP Security: Digest Access Authentication

ABB

Network OSI Layers

ABB Switzerland Ltd, Corporate Research - 2 2002 ABB all rights reserved

We focus on the application layer : HTTP HyperText Transfer Protocol

ABB

SSL and IPsec vs DAA

SSL uses certificates:

Digest Access Authentication:

Provides server authentication, confidentiality and integrity Client authentication optional No configuration transparent

Password based, challengeresponse client authentication Optional Integrity protection and server authentication Use light MD5-hash one-way function Standard integrated in web servers and browsers

For large servers with many clients, strong cryptography

On the IP level, ideal for VPN Protect everything using TCP/IP Provides authentication, confidentiality and integrity Requires network based configuration

IPsec:
ABB Switzerland Ltd, Corporate Research - 3 2002 ABB all rights reserved

ABB

HTTP Hyper Text Transfer Protocol

Widely used to exchange text data accross different plateforms Used for the WWW on port 80 to exchange HTML files Standarized in the RFCs The current 1.1 version offers two authentication schemes; basic and digest
Protocol://destination-host/ressource

HTTP messages are composed of header-fields and entity (the payload)

ABB Switzerland Ltd, Corporate Research - 4 2002 ABB all rights reserved

ABB

Basic Access Authentication

Browser
GET /basic/ HTTP/1.1

Webserver

Password encoded in Base64; no encryption Sent in clear for every subsequent requests Sniffing compromises the password

Response 401; unauthorized WWW-authenticate: Basic realm="Basic Test Zone" HTTP GET Request with clear username and password: Authorization: Basic dGVzdDp0ZXN0
Response 200; OK <data>

ABB Switzerland Ltd, Corporate Research - 5 2002 ABB all rights reserved

ABB

Digest Access Authentication

Generates : cnonce counter nc URI and method Prompt user for username and password
realm, nonce

Browser

Communication channel

Web Server nonce generated

HTTP GET /protected/test.html Request

1 2
Response HTTP 401 unauthorized WWW-authenticate: Digest realm="DigestZone", nonce="3gw6ask", algorithm=MD5, domain="/protected/", qop="auth" <data> HTTP GET /protected/test.html Request Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test.html", algorithm=MD5, response="65biad5s70de", qop=auth, nc=0001, cnonce="82c875dc" username, realm

Password Database lookup; MD5(username:realm:password)

response

nonce, cnonce, URI and method

Response HTTP 200 OK

MD5-hash
document

5
code 200

Authentication-Info: rspauth="d9260eef8e7", cnonce="82c875dc", nc=0001, qop=auth <data>

MD5-hash
response

response

ABB Switzerland Ltd, Corporate Research - 6 2002 ABB all rights reserved

Show document, update nc by 1 Prompt for username and password again Back to 3

HTTP GET /protected/test2.html Request

code 401

Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test2.html", algorithm=MD5, response="4c5c93bc8747i", qop=auth, nc=0002, cnonce="72g4dsfs" Response HTTP 200 OK Authentication-Info: rspauth="g45sx4j65s1", cnonce="3gw6ask", nc=0002, qop=auth <data>

Match ?

No

200 OK Send document

Yes

401 unauthorized; Back to 2

<...> response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)]

ABB

Mutual authentication
Browser
Request document
once Challenge: n

Web Server

Authorization: resp onse Challenge: cnonce

ment: rspauth Acknowledge

ABB Switzerland Ltd, Corporate Research - 7 2002 ABB all rights reserved

rspauth = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5( :URI)]

The server is authenticated Done via an acknowledgement ; the rspauth header-field MD5-digest calculated like the browser response

ABB

Integrity protection

DAA provides a way to protect the transmission integrity Quality Of Protection qop=auth-int (optional) A digest of the entity (payload) is included in the response Protect query sent via POST, queries with GET are already protected

Bidirectional with mutual authentication, protect the documents

response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI:M D5{entity-body})]

ABB Switzerland Ltd, Corporate Research - 8 2002 ABB all rights reserved

GET /test.html?test&command=1 HTTP/1.1 rspauth = Host: 10.41.74.144 MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(:URI:MD5{entity-body})] Connection: Keep-Alive Authorization: Digest username="test", realm="digest", qop="auth-int", algorithm="MD5", uri="/test.html?test&command=1", Like mutual authentication, not yet implemented in all the browsers nonce="tC/4qtSqAwA=fbc6ee7ad984a2ccd3f9011c646d1", nc=00004, and web servers cnonce="448e2f9bdd915b6bf", response="d93bf8645d2968867e3a270ff"

ABB

Replay attack

A request from an authenticated user is intercepted and replayed A specific request always includes:

Those fields are protected in the response hash, with the password An attacker must defeat:

The uri check The nc-counter check The nonce check

the requested uri the nonce from the server A request counter nc

The nonce validity can be limited to a single use, or to a time period

ABB Switzerland Ltd, Corporate Research - 9 2002 ABB all rights reserved

Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test.html", algorithm=MD5, response="65biad5s70de", qop=auth, nc=0001, cnonce="82c875dc" response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)]

Implementation dependant A serious implementation reduces the risks of a replay attack to zero

ABB

Dictionary and brute force attack

Even if the password is protected, it is still possible to try and find it

Try with names and common words Variation of the username

An attacker can try all the possible passwords = long!

The password choice is critical!

response = MD5[MD5(test:test:?????):3gw6ask:0001:82c875dc:auth:MD5(GET:/test.htm)]
Authorization: Digest username=test", realm=test", nonce="3gw6ask", uri="/test.htm", algorithm=MD5, response="65biad5s70de", qop=auth, nc=0001, cnonce="82c875dc"

ABB Switzerland Ltd, Corporate Research - 10 2002 ABB all rights reserved

A password in a dictionnary is found within seconds A password with a mix of 8 numbers, upper/lower case characters is cracked in approximatively 702 years Example: My 2 sons Jean and Paul are great! M2sJaPag! With only 5 characters (lower case) 20 minutes Not as safe as SSL / IPsec

ABB

Man-in-the-middle attack

The attacker is between the client and the server The attacker can temper all or part of the communication without the user noticing it
Browser
HTTP GET /p r otecte d/test .html

Web Server
l Req st .htm te d/te c /pr ote uest

Req u est

ABB Switzerland Ltd, Corporate Research - 11 2002 ABB all rights reserved

Resp r ized o nse au tho 01 un ige st WWW HTTP 401 1 4 unau - auth :D HTTP thor iz e ntic o nse uthe nticate ate : B ed Resp -a asi c WW W HTT P GE 2 T Re qu es t, Auth est pa ss clea r use o riza Req u w tion : rnam html Basi o rd e an /test . <...> c dG d te d VzdD r otec : Dige st ..> 3 p0ZX ET /p n e" <. N0 TP G tho rizatio ia d5s70 d HT b Au ="65 ons e resp

GET HTTP

The browser can send basic authentication instead of digest The request can be modified The exchanged data can be modified

4
Username and password

Browsers should accept only digest and use visual clues Not possible with mutual authentication and integrity protection

ABB

Exploits and DoS

Exploit vulnerabilities in the program code Usually done using a bufferoverflow Everything the program has access to is compromised Most of the time, crash the server / client and lead to a DoS Solution includes frequent update and version dissimulation

Denial Of Service attacks the availability of the service Flood the server with requests Physical DoS Network outage

ABB Switzerland Ltd, Corporate Research - 12 2002 ABB all rights reserved

ABB

Server and client implementation

Apache 2.0.42

Mozilla 1.0.1 / Netscape 7.0

Support mutual authentication Nonce check time limited Strong uri check

Source available Keeps prompting the user Slow

RomPager 4.05

Internet Explorer 6.0.26

One time nonce

Different prompt for basic/DAA Sends wrong uri dangerous

ABB Switzerland Ltd, Corporate Research - 13 2002 ABB all rights reserved

Partial uri check

Not working for long uri

Opera 6.05

GoAhead 2.1.2

Support mutual authentication Picky on security

Source available

Nonce always valid - dangerous

No uri check - dangerous Parse errors

Not working with GoAhead

ABB

Server and client implementation

Clients Servers

Mozilla 1.0.1 Netscape 7.0 Slow Keeps prompting the user

Internet explorer 6.0.26 Sends wrong uri Different prompt for Basic/DAA

Opera 6.05 Requires a right domain field Mutual authentication

Apache 2.0.42
Mutual authentication

Digest auth tested

Digest auth tested Not working for GET + parameters Digest auth tested

Digest auth tested Requires valid domain Digest auth tested Not working for long GET + parameters Not working

RomPager 4.05
Good security, except for GET with parameters

Digest auth tested Not working for long GET + parameters Digest auth tested Not working for GET + parameters

GoAhead 2.1.2
Weak security Parsing errors
ABB Switzerland Ltd, Corporate Research - 14 2002 ABB all rights reserved

Digest auth tested

No integrity protection available Great differences in implementation quality

The perfect server / browser doesnt exist yet

Pressure must be applied on the developpers

ABB

Conclusion

DAA is

Available on client and servers

ABB Switzerland Ltd, Corporate Research - 15 2002 ABB all rights reserved

Light, but yet secure

Provides integrity protection and mutual authentication Do not provide confidentiality

Should be used wherever possible, even when used in conjunction with SSL and IPsec Systems using basic should be migrated to DAA

ABB

AB B