Documente Academic
Documente Profesional
Documente Cultură
1, 2015 43
Reference to this paper should be made as follows: Sadqi, Y., Asimi, A. and
Asimi, Y. (2015) ‘A secure and efficient user authentication scheme for the
web’, Int. J. Internet Technology and Secured Transactions, Vol. 6, No. 1,
pp.43–63.
Biographical notes: Yassine Sadqi received his Master’s degree in the field of
Computer Science and Distributed Systems at the Ibn Zoher University, in
2012. He is currently a PhD candidate at the Ibn Zoher University, Agadir,
Morocco. His main field of research interest is web applications security,
network security and cryptography.
Ahmed Asimi received his PhD degree in Number Theory from the University
Mohammed V, Agdal, in 2001. He is a reviewer at the International Journal of
Network Security (IJNS). His research interest includes number theory, code
theory, and computer cryptology and security. He is a Full Professor of the
Faculty of Science at Agadir since 2008.
1 Introduction
Web applications have experienced a rapid and massive growth in popularity in the last
decade. We are able to obtain the desired services (online e-commerce, e-banking) using
mobile devices anytime anywhere. Since web applications are vulnerable, security
problems have become a more increasing concern for both webmasters and users
(Scambray et al., 2011).
Our focus is authentication on the web, a core component of any modern web
applications to prevent unauthorised access to users’ private resources (e.g., bank
accounts, users’ personal information). Our choice of web authentication as a target has
significant implications. In particular, authentication on the web differs from traditional
authentication in part, because of the web limited infrastructure for both client (web
browsers) and server sides (web applications platforms) (Fu et al., 2001). For example,
the stateless nature of the Hyper Text Transfer Protocol (HTTP) affects the overall design
of web authentication schemes. The HTTP server treats each request as an independent
transaction that is unrelated to any previous request (Sood et al., 2011). So, in each HTTP
request, the client needs to provide an authentication token to the web application.
Without this token, a user would have to reenter his/her authentication credentials (e.g.,
password) in each HTTP request. Moreover, on the web we cannot rely on technology
not widely deployed. For instance, most personal computers do not include a smart card
reader or other hardware token systems. Also, in Herley (2009) the authors concluded
that users are resistant to innovation that alters their behaviour, thus any complex or
additional steps than the conventional username/password are hard to adopt.
At first, personal websites employed the built-in ‘basic HTTP authentication
specification’ for password submission (Franks et al., 1999). The RFC 2617 defines the
‘digest’ scheme as an extension for HTTP/1.1. It is a security enhancement alternative
that avoids most serious flaws of basic HTTP authentication. However, digest does not
provide any security of the content and represents multiple security risks.
Currently due to ease of use, low cost, and flexibility, HTML-forms-over-TLS is the
widely adopted scheme used by web applications for users’ authentication (Manulis et al.,
2014). In this scheme, a typical authentication consists of three phases:
1 Login phase: First a user enters his/her identity and password in a HTML form, and
then the user’s browser sends these authentication credentials over a secure HTTPS
session.
2 Authentication phase: The web application validates the authentication credentials
(username and password). After successful authentication, the web application
associates a unique session identifier with that user, and sends it to the user’s
browser over the established server-authenticated HTTPS channel. Then the user’s
browser stores this authentication token.
A secure and efficient user authentication scheme for the web 45
3 Subsequent-requests: The user’s browser includes the stored session identifier with
each request to the web application.
Although this ubiquitous scheme relies on a secure channel to submit passwords and
authentication tokens, the scheme is still always vulnerable:
• Client side: We can include a wide range of identity thief attacks that target the client
(the user or the user’s browser) from the most basic such as guessing (e.g., brute
force and dictionary attacks) to more sophisticated methods such as phishing, session
credential theft, session fixation, and cross-site request forgery.
• Server side: This contains all problems with passwords storage and server
compromise attacks.
In theory, a straightforward alternative solution to the above problems is public key
cryptography rather than a shared secret (Czeskis et al., 2012). This class of cryptography
requires two different keys: one is public and the other is private. In the authentication
process, a client signs a message using its private key. The validation of this digital
signature via the associated client public key gives the server a strong reason to believe
that the login request was created by a legitimate client (Schneier, 1996). This is possible,
because public key cryptography assumes that the private key is only known to
its owner. In practice, while strong web authentication schemes based on public key
cryptography have been proposed, web applications continue to use the conventional
HTML-forms-over-TLS design, regardless of its known weaknesses. Recently, Bonneau
et al. (2012) demonstrated in a large study that most of these secure schemes are difficult
to use, and expensive to deploy (e.g., additional infrastructure requirements, poor user
experience). Web authentication experts acknowledge that the challenge is not how to
design more secure authentication scheme, but the real challenge is how to design secure
scheme that does not sacrifice usability and deployability (Bonneau et al. 2012; Czeskis
et al., 2012).
In this paper, we propose a new mutual authentication scheme that is efficient, and
strengthen authentication without sacrificing usability and depolaybility. The proposed
scheme spans the full authentication lifecycle, consisting of initial authentication, the
subsequent HTTP requests authentication, and the renewal phases. In that, we build
HTTP session management on a secure initial mutual authentication. This allows both an
efficient, consistent design as well as robust end-to-end security guarantees. The
reminder of this paper is organised as follows: Section 2 presents related work and their
shortcomings. Section 3 proposes our scheme. Section 4 provides comparative evaluation
and performance analysis of the proposed scheme. Section 5 concludes the paper.
In the rest of this paper, we denoted by:
Ui ith user
IDi unique identifier of user Ui
Pi password of user Ui
Salti cryptographic salt of user Ui
d web application domain name
46 Y. Sadqi et al.
RWi random value used at most once within the scope of a given session
generated by the web application for Ui
RBi random value used at most once within the scope of a given session
generated by the browser for Ui
USKi, UPKi asymmetric key pair for user Ui generated by the browser using a secure
asymmetric key generation algorithm
SSK web application private key
SPK web application public key certificate
PSKi pre-session key shared between Ui and the web application using HTTPS
SKi session key
X inew renewal of the parameter X
2 Related work
2.3 PhoneAuth
PhoneAuth relies on the user’s Smartphone in order to provide a second authentication
factor, and on the concept of origin bound certificate in order to detect and withstand man
in the middle attacks (Czeskis et al., 2012; Dietz et al., 2012). Unlike Persona that uses
the browser to generate a private/public key pair, PhoneAuth adds an additional device
(the user’s mobile phone) to provide secure user authentication. However, the reliance on
48 Y. Sadqi et al.
As discussed above, previous solutions are helpful to build strong authentication on the
web, but expose several shortcomings. In this section, we first overview the proposed
scheme, then we present the registration, login, initial mutual authentication,
subsequent-requests authentication, and renewal phases.
3.1 Overview
We propose a novel scheme that provides secure mutual authentication on the web,
without sacrificing usability and deployability. Our work leverages the following key
insights. First, learning from previous propositions failures, we conclude that any kind of
complexity in the process of authentication should be transparent from users. Second,
secure mutual and authentication on the web needs to rely on cryptographic primitives
(e.g., asymmetric/symmetric encryption, hash function, HMAC), which offer strong
mechanisms to guaranty data confidentiality, authenticity, and data integrity (Schneier,
1996).
The scheme of our proposal is composed of a client and server components. The
client component includes:
• Browser: A modern web browser that support HTTPS.
• Client cryptographic services: It must provide the following features:
a the asymmetric cryptography primitives
b the symmetric cryptography primitives
c the hash and HMAC functions primitives
d the key derivation function primitive such as PBKDF, which is specified in the
RFC 2898 (RSA Laboratories, 2000)
e the regeneration of random sequences.
• Client-side database: In the registration phase, Ui browser stores the following
authentication settings, which is used in the authentication phase:
a UIDi: It contains a unique identifier for a specific Ui account. For each Ui a
unique IDi exists in a specific web application. But a user can use the same IDi to
register in other web applications. We therefore choose to store the IDi hash value
concatenated with the web application’s domain name as the unique identifier:
UIDi = H(IDi || d).
A secure and efficient user authentication scheme for the web 49
• Salti: In the registration phase, the web application handles to regenerate Salti. We
can rely the generator of a Safe Cryptographic Salt presented in Asimi et al. (2015).
This salt is used with Pi to regenerate a symmetric encryption key MKi.
• ESKi: It represents the encrypted format of USKi to protect its confidently:
ESKi = SE(MKi, USKi).
• EPKi: It contains UPKi encrypted format: EPKi = SE(MKi, UPKi).
Table 1 Client-side Ui authentication settings
• Ui chooses an IDi.
• The browser:
a Computes UIDi = H(IDi || d).
b Verifies the existence of UIDi in its database. If it exists, the browser informs Ui
that he/she already has an account within this web application. If not sends IDi
to the web application.
• The web application verifies the existence of IDi. If it exists, the web application
sends an error message informing Ui to choose another identifier. Otherwise the web
application generates Salti and sends it to the browser.
• The browser provides Ui with a built-in password entry, because in our scheme the
browser does not need to send Pi to the web application. Pi is only used to compute
MKi.
• Ui enters his/her Pi.
• The browser:
a generates the pair USKi and UPKi
b sends UPKi over HTTPS to the web application
c computes MKi = PBKDF(Pi, Salti)
d encrypts both USKi and UPKi with MKi using a secure symmetric encryption
algorithm: ESKi = SE(MKi, USKi), EPKi = SE(MKi, UPKi).
e saves the authentication parameters associated to Ui: UIDi, ESKi, EPKi, and
Salti.
• The web application:
a generates RWi
b calculates SPKi as SUPKi = UPKi ⊕ SSK ⊕ RWi and SRi as SRi = RWi ⊕ H(SSK).
c saves Ui associated parameters: IDi, SDKi, and SRi.
A secure and efficient user authentication scheme for the web 51
In our scheme, we propose a secure replacement that is built on a shared session key
SKi agreed upon in the initial mutual authentication phase. The session key concept is a
compromise between the symmetric and asymmetric encryption to combine the two
techniques. Asymmetric algorithms allow overcoming the problems associated with key
exchange via a secure channel. However, these algorithms are much less efficient in
terms of computation time than symmetric algorithms (Schneier, 1996). The aim of this
phase is to include in each HTTP request from Ui browser to the web application after a
successful initial authentication with an HMAC digital signature based on SKi.
• After successful initial mutual authentication and the creation of SKi, in any
subsequent request to the web application, the browser:
a generates RBinew
b computes M 5i = RBinew ⊕ PSKi ⊕ UPK i , the HMAC digital signature of the
HTTP request: M 6i = HMAC ( SK i , url || RBinew || RWi new ), and sends then M5i,
M6i to the web application.
• The web application:
a computes RBinew = M 5i ⊕ PSK i ⊕ UPKi and
M 6′i = HMACs ( SK i , url || RBinew || RWi new )
b Compares M6i and M 6′i :
1 If the comparison is successful:
• The request is considered valid. Specifically, the authenticity and integrity
of the received requests are ensured.
• Sends the requested resource to Ui browser.
2 Otherwise, the request is cancelled and the web application redirects the
browser to the login phase.
(SKi). The goal is to open a secure communication channel allowing the renewal of all the
authentication settings in a secure environment. This phase proceeds as follows:
• The browser:
a Generates new user credentials UPK inew , USK inew
b Sends to the web application X i = SK ⊕ UPK i ⊕ UPKinew and
Yi = H ( SK || UPK i || UPK inew ).
d Updates Ui authentication settings: SUPK inew = UPK inew ⊕ SSK ⊕ RWi new ,
SRinew = RWi new ⊕ H ( SSK ).
• The browser:
a computes MKinew = PBKDF ( Pi new , Saltinew )
b encrypts both USK inew and UPK inew with MK inew : ESKi = SE ( MK inew , USK inew ),
EPK i = SE ( MK inew , UPKinew )
c updates the authentication parameters associated to Ui: ESK inew , EPK inew , and
Saltinew .
certificates
PhoneAuth
Our scheme
Our scheme
mobile mode
desktop mode
SSL/TLS client
S
S
S
N
N
N
U1: Memorywise-effortless
S
S
Y
Y
Y
N
U2: Scalable-for-users
S
S
Y
N
Y
Y
U3: Nothing-to-carry
N
N
N
Y
N
N
U4: Physically-effortless
Y
Y
Y
Y
N
Y
Usability
U5: Easy-to-learn
Y
Y
Y
Y
N
Y
U6: Easy-to-use
S
S
S
S
S
S
U7: Infrequent-errors
S
S
Y
Y
N
Y
U8: Easy-recovery-from-loss
S
Y
Y
Y
N
Y
D1: Accessible
S
Y
Y
Y
N
Y
D2: Negligible-cost-per-user
S
S
S
S
N
Y
D3: Server-compatible
S
S
S
S
Y
Y
D4: Browser-compatible
Deployability
N
N
N
Y
Y
D5: Mature
Y
Y
Y
Y
Y
Y
Y D6: Non-proprietary
Y
Y
Y
Y
N
S1: Resilient-to-Physical-observation
S
S
Y
Y
Y
Y
S2: Resilient-to-targeted-impersonation
S
Y
Y
Y
Y
N S3: Resilient-to-throttled-guessing
Y
Y
Y
Y
N
S4: Resilient-to-unthrottled-guessing
Y
Y
Y
N
Y
N
S5: Resilient-to-internal-observation
Y
Y
Y
Y
N
Y
S6: Resilient-to-leaks-from-other-verifiers
Security
Y
Y
Y
N
N
Y
S7: Resilient-to-phishing
Y
Y
Y
Y
Y
Y
S8: Resilient-to-theft
Notes: ‘Y’ means the benefit is provided, ‘N’ means not provided, while ‘S’ means the benefit is somewhat provided. For some scores, we disagree with the Czeskis et al. scoring.
Y
Y
N
N
Y
N
S9: No-trusted-third-party
Y
Y
Y
Y
Y
N
S10: Requiring-explicit-consent
Y
Y
N
N
Y
N
S11: Unlinkable
PhoneAuth, and Persona using Bonneau et al.’s evaluation framework
Comparative evaluation of our scheme against passwords, SSL/TLS client certificates, Table 3
57 A secure and efficient user authentication scheme for the web
58 Y. Sadqi et al.
Deployability. The essential part of depolyability assessment is to figure out how much
change would be required in current web infrastructure in order to widely adopt our
scheme. Passwords achieve all deployability benefits. And from Table 3, we can see that
all other schemes provide more deployability properties than SSL/TLS client certificate
authentication. This explains why this scheme is rarely used on the web, even after years
of its existence. We also note that in both modes our scheme is fairly deployable. One of
our main design goals was to develop an authentication scheme that allows most web
existing infrastructure to remain unchanged, while at the same time strengthening
authentication. Specifically, the proposed scheme somewhat satisfies D3 and D4, since it
requires minimum changes on the user’s browser and the web application. Similarly, our
scheme provides D1 and D2 in that our scheme is intended to be implemented using
existing technologies and standards.
Security. From Table 3, we can see that only our scheme (in both modes) satisfies all
the security requirements. While Czeskis et al. (2012) indicated that PhoneAuth provides
S9, we do not believe that this is the case. S9 requires no dependency over a third party
other than the user and the verifier. PhoneAuth depends on the user’s phone security,
which is a third party. In details the proposed scheme provides S1, S2, S3, S4, and S5
because, even after observing or guessing the correct Pi, the attacker cannot authenticate
unless he/she also steals Ui browser store, which holds: IDi, ESKi, EPKi, Salti. Our
scheme is resilient-to-leaks-from-other-verifiers (S6) because Ui has a key pair (USKi,
UPKi) and Salti per web application, so credentials are not recycled. Our scheme provides
S7 because the user’s browser never transmits on the clear UPKi, and Pi. Also, USKi is
never transmitted on the network nor stored on the clear (see Section 4 for details). It is
resilient-to-theft (S8) because possession of information stored in Ui browser’s
credentials store is insufficient (ESKi, EPKi, and Salti): the user Ui still needs to type
his/her IDi and Pi in the browser. Unlike PhoneAuth (Czeskis et al., 2012) that relies on
the user’s phone, our scheme is no-trusted-third-party (S9) as the security does not
depend on a third party other than the user’s browser and the web application. Our
scheme also offers S10 as Ui cannot be logged in automatically without entering his/her
account corresponding IDi and Pi. Our scheme is unlinkable (S11) because a specific user
Ui has a different authentication credentials for each web application. We note also that
all evaluated schemes improve security in comparison with passwords authentication. In
particular, the involvement of asymmetric cryptography and other cryptographic
primitives (such as hash functions, cryptographic salt, and symmetric/asymmetric
cryptography), which have the benefit of not exposing secrets to the eavesdropper which
could be used to impersonate the client to the web application. Also, when asymmetric
cryptography is used, the private key can be moved out of reach of thieving malware on
the client, perhaps using a hardware trusted platform module (TPM) (Yang et al., 2012).
However, our scheme is different compared to others. HTTPS is only used in the
registration phase. In our threat model we assume that no SSL/TLS man-in-the-middle
attack between the user’s browser and the web server during user’s registration. But the
security of our scheme is not depended on this assumption. The user’s Ui asymmetric key
pairs USKi, UPKi, and Pi, can all be considered as secret authentication parameters
(authentication credentials). These credentials are never transmitted nor stored as plain
text. The proposed scheme aims to provide authentication credentials (PWi, USKi, SKi,
RBi, RWi, and UPKi) with the following security services:
A secure and efficient user authentication scheme for the web 59
Confidentiality
Integrity Anti-replay
Over the network At rest
HTTPS, symmetric Symmetric One way hash Random nonce
and asymmetric cryptography, one way functions,
cryptography hash functions, asymmetric
cryptographic salt cryptography
Table 5
Y. Sadqi et al.
Schemes
Phase Mozilla Persona SSL/TLS client PhoneAuth
Our scheme
(Mozilla, 2011) certificate (IETF, 2008) (Czeskis et al., 2012)
Registration - 1TAKG + 1TCG 1THTTPS + + 2TAKG + 1TCG + 1TCV 1THTTPS + 1TAKG + 1TPPBKDF + 1TH
3TX + 2TSE + 1TS + 1TR
Login 1THTTPS + 1TAKG+ 2TCG 1TAE + 1TH 1THTTPS + 1TAKG + 1TCG + 1TCV + 4THMAC + 2TSE + 2TSD+ 2TH 2TAE + 2TSD + 2TH + 1TPBKDF + 1TK
+ 1TAE + 1TAD + 1TR + 2TX
Mutual and subsequent-requests 1THTTPS + 2TCV 1TAD + 1TH + 1TCV 1THTTPS + 1TSD + 1TAD + 1TH + 2THMAC + 2TX 2TAD + 2THMAC + 5TH + 2TR + 13TX
authentication
Notes: * TH: the time for performing a one-way hash function computation, THTTPS: the time for performing HTTPS computation, TX: the time for performing a exclusive-OR computation,
TAKG: the time for performing asymmetric key generation, TSE: the time for performing a symmetric encryption computation, TSD: the time for performing a symmetric
decryption computation, TAE: the time for performing a asymmetric encryption computation, TAD: the time for performing a asymmetric decryption computation,
THMAC: the time for performing a HMAC computation, TPBKDF: the time for performing a password based key derivation computation, TCG: the time for performing a
certification generation computation, TCV: the time for performing a certification verification computation, TS: the time for performing a salt generation, TR: the time for
performing a random nonce generation, TK: the time for performing a pre-session key generation.
Comparison of computational complexity among the schemes
A secure and efficient user authentication scheme for the web 61
5 Conclusions
References
Asimi, Y. et al. (2015) ‘New random generator of a safe cryptographic salt per session (RGSCS)’,
International Journal of Network Security, Vol. 18, No. 6, pp.1–11.
Bonneau, J. et al. (2012) ‘The quest to replace passwords: a framework for comparative evaluation
of web authentication schemes’, IEEE Symposium on Security and Privacy: Proceedings of
IEEE Symposium on Security and Privacy, pp.553–567, IEEE Computer Society, Washington,
DC, USA.
Cameron, K. and Jones, M.B. (2007) ‘Design rationale behind the identity metasystem
architecture’, ISSE/SECURE 2007 Securing Electronic Business Processes, pp.117–129,
Springer.
Czeskis, A. et al. (2012) ‘Strengthening user authentication through opportunistic cryptographic
identity assertions’, CCS’12: Proceedings of the 2012 ACM Conference on Computer and
Communications Security, pp.404–414, ACM, New York, USA.
Dacosta, I. et al. (2012) ‘One-time cookies: preventing session hijacking attacks with stateless
authentication tokens’, ACM Transactions on Internet Technology, Vol. 12, No. 1, pp.1–31.
Dietz, M. et al. (2012) ‘Origin-bound certificates: a fresh approach to strong client authentication
for the web’, The 21st USENIX Security Symposium: Proceedings of the 21st USENIX
conference on Security Symposium, pp.6–16, USENIX Association, Berkeley, CA, USA.
Franks, J. et al. (1999) ‘RFC 2617 – HTTP authentication: basic and digest access authentication’
[online] https://tools.ietf.org/html/rfc2617 (accessed 12 December 2014).
Fu, K. et al. (2001) ‘Dos and don’ts of client authentication on the web’, The 10th USENIX Security
Symposium: Proceedings of the 10th Conference on USENIX Security Symposium,
pp.251–268, USENIX Association.
Herley, C. (2009) ‘So long, and no thanks for the externalities: the rational rejection of security
advice by users’, NSPW’09: Proceedings of the 2009 Workshop on New Security Paradigms
Workshop, pp.133–144, ACM, New York, USA.
IETF (2008) RFC 5246 – The Transport Layer Security (TLS) Protocol Version 1.2 [online]
http://tools.ietf.org/html/rfc5246 (accessed 27 October 2014).
Liu, A.X., Kovacs, J.M. and Gouda, M.G. (2012) ‘A secure cookie scheme’, The International
Journal of Computer and Telecommunications Networking, Vol. 56, No. 6, pp.1723–1730.
Manulis, M., Stebila, D. and Denham, N. (2014) ‘Secure modular password authentication for the
web using channel bindings’, SSR 2014’: Proceedings of the 1st International Conference on
Research in Security Standardisation (SSR), pp.167–189, Springer , London, UK.
Marchesini, J., Smith, S.W. and Zhao, M. (2005) ‘Keyjacking: the surprising insecurity of
client-side SSL’, Computers & Security, Vol. 24, No. 2, pp.109–123.
Microsoft (n.d.) Introducing Windows CardSpace [online] http://msdn.microsoft.com/
en-us/library/aa480189.aspx (accessed 14 December 2014).
Mozilla (2011) Mozilla Persona [online] https://developer.mozilla.org/en-US/Persona
(accessed 26 October 2014).
RSA Laboratories (2000) RFC 2898 – PKCS #5: Password-Based Cryptography Specification
Version 2.0 [online] http://tools.ietf.org/html/rfc2898 (accessed 13 December 2014).
Sadqi, Y., Asimi, A. and Asimi, Y. (2014) ‘A lightweight and secure session management
protocol’, Lecture Notes in Computer Science (LNCS), Vol. 8593, pp.319–323.
Scambray, J., Liu, V. and Sima, C. (2011) Hacking Exposed Web Applications: Web Application
Security Secrets And Solutions, McGraw-Hill, New York.
A secure and efficient user authentication scheme for the web 63
Schneier, B. (1996) Applied Cryptography, 2nd ed., John Wiley & Sons, Hoboken.
Sood, S.K., Sarje, A.K. and Singh, K. (2011) ‘Inverse cookie-based virtual password authentication
protocol’, International Journal of Network Security, Vol. 13, No. 2, pp.98–108.
Yang, L., Ma, J-F. and Jiang, Q. (2012) ‘Mutual authentication scheme with smart cards and
password under trusted computing’, International Journal of Network Security, Vol. 14, No. 3,
pp.156–163.