morellian analysis for browsers making web authentication
play

Morellian Analysis for Browsers: Making Web Authentication Stronger - PowerPoint PPT Presentation

Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting Pierre Laperdrix , Gildas Avoine, Benoit Baudry, Nick Nikiforakis DIMVA 2019 In Introduction Web attacks and data breaches 2 Attacks on the


  1. Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting Pierre Laperdrix , Gildas Avoine, Benoit Baudry, Nick Nikiforakis DIMVA 2019

  2. In Introduction – Web attacks and data breaches 2 • Attacks on the web happen more and more frequently and are getting bigger.

  3. In Introduction – Web attacks and data breaches 2 • Attacks on the web happen more and more frequently and are getting bigger.

  4. In Introduction – Web attacks and data breaches 2 • Attacks on the web happen more and more frequently and are getting bigger. Protecting an account with just a password is not enough.

  5. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled.

  6. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled. • Problems: education gap towards the benefits of 2FA/MFA, usability issues that come with having it activated.

  7. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled. • Problems: education gap towards the benefits of 2FA/MFA, usability issues that come with having it activated. • There is a need for a technical solution that bridges the gap between the insufficiency of passwords and the low onboarding of 2FA.

  8. In Introduction – The need for multi-factor authentication 3 • Low adoption of multi-factor authentication • A 2017 survey from Duo Security indicated that more than half of Americans never heard of 2FA before. • A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled. • Problems: education gap towards the benefits of 2FA/MFA, usability issues that come with having it activated. • There is a need for a technical solution that bridges the gap between the insufficiency of passwords and the low onboarding of 2FA. Can browser fingerprinting be a viable alternative?

  9. In Introduction - In Internet in in 2019 4

  10. In Introduction - In Internet in in 2019 4

  11. In Introduction - In Internet in in 2019 4

  12. In Introduction - In Internet in in 2019 4

  13. In Introduction - In Internet in in 2019 4 A bigger and richer web • Audio • Video • 3D rendering • Real-time communications • Web payments • Virtual reality …

  14. In Introduction - In Internet in in 2019 4 A bigger and richer web Browser 1995 2019 Browser: Netscape Browser: Chrome v74 • Audio Language: Fr OS: Linux • Video Screen: 1920x1080 • 3D rendering Language: Fr • Real-time communications Timezone: GMT+1 • Web payments Graphic card: GTX 1080Ti • Virtual reality … …

  15. In Introduction - In Internet in in 2019 4 A bigger and richer web Browser 1995 2019 Browser: Netscape Browser: Chrome v74 • Audio Language: Fr OS: Linux • Video Screen: 1920x1080 • 3D rendering Language: Fr • Real-time communications Timezone: GMT+1 • Web payments Graphic card: GTX 1080Ti • Virtual reality … … What happens when we start collecting all the information available in a web browser?

  16. In Introduction - Defi finition of f browser fi fingerprinting 5 Definitions • A browser fingerprint is a set of information related to a user’s device from the hardware to the operating system to the browser and its configuration. • Browser fingerprinting refers to the process of collecting information through a web browser to build a fingerprint of a device.

  17. In Introduction - Example of f a browser fi fingerprint 6 Attribute Value User agent Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0 HTTP headers text/html, application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8 gzip, deflate, br en-US,en;q=0.5 Plugins Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so; Plugin 1: Shockwave Flash; Shockwave Flash 26.0 r0; libflashplayer.so. Fonts Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ... Platform Linux x86_64 Screen resolution 1920x1080x24 Timezone -480 (UTC+8) OS Linux 3.14.3-200.fc20.x86 32-bit WebGL vendor NVIDIA Corporation WebGL renderer GeForce GTX 650 Ti/PCIe/SSE2 Canvas

  18. Using fi fingerprinting for auth thentication 7 User authenticated Login/Password Browser fingerprint

  19. Using fi fingerprinting for auth thentication 7 ? User authenticated Login/Password Browser fingerprint

  20. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server.

  21. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server. FP

  22. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server. Modified FP Modified Modified FP FP FP Modified Modified FP FP Modified FP

  23. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 8 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server. Modified FP Modified Modified FP FP FP Modified Modified FP FP Modified FP  An attacker can also try to reconstruct the environment of his victim to bypass verification.

  24. Using fi fingerprinting for auth thentication - Avoiding pit itfalls 9 One major problem: what if the user’s fingerprint is stolen (i.e. collected)?  Traditional fingerprinting scripts always collect the same attributes. What is the What is the What is the user agent? language? browser? What is the list What is the list What is the of plugins? of fonts? screen resolution? What is the What is Are cookies timezone? platform? enabled? … ≈20 questions

  25. A lo look in into th the past 10 Giovanni Morelli (1816-1891) • Studied medicine and taught anatomy • Identified the characteristic "hands" of painters through scrutiny of minor details in paintings

  26. Using canvas fi fingerprinting for auth thentication 11 User authenticated Login/Password Canvas fingerprint

  27. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website

  28. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1

  29. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1 2

  30. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1 2 3

  31. Focus on canvas fi fingerprinting 12 Example from the AmIUnique.org website 1 2 3

  32. Using canvas fi fingerprinting for auth thentication 13 Use the Canvas API as a drawing board for a morellian analysis.

  33. Using canvas fi fingerprinting for auth thentication 13 Use the Canvas API as a drawing board for a morellian analysis. • Dynamic Draw an Render the string Draw a green orange “ stnalpehtretlaw ” circle with a rectangle of with a size 30pt at circumference size 63x45 at position (1337,42) of 24 pixels at position (7,89) with the font Arial position (4,8) in purple

  34. Using canvas fi fingerprinting for auth thentication 13 Use the Canvas API as a drawing board for a morellian analysis. • Dynamic Draw a blue Render the string Draw a blue circle with a “fingerprinting” rectangle of circumference with a size 26pt at size 2x2 at of 22 pixels at position (45,54) position (2,2) position (42,8) with the font Draw an Draw an Render the string Georgia in red Draw a green orange orange “ stnalpehtretlaw ” circle with a rectangle of rectangle of with a size 30pt at circumference size 63x45 at size 63x45 at position (1337,42) of 24 pixels at position (7,89) Draw a yellow position (7,89) with the font Arial position (4,8) rectangle of in purple size 33x44 at position (55,66)

Recommend


More recommend