nach oben

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

Erschienen in:

Kapitel lesen Erstes Kapitel lesen

2023 | OriginalPaper | Buchkapitel

Protecting FIDO Extensions Against Man-in-the-Middle Attacks

verfasst von : Andre Büttner, Nils Gruschka

Erschienen in: Emerging Technologies for Authorization and Authentication

Verlag: Springer Nature Switzerland

Einloggen

Abstract

FIDO authentication has many advantages over password-based authentication, since it relies on proof of possession of a security key. It eliminates the need to remember long passwords and, in particular, is resistant to phishing attacks. Beyond that, the FIDO protocols consider protocol extensions for more advanced use cases such as online transactions. FIDO extensions, however, are not well protected from Man-in-the-Middle (MitM) attacks. This is because the specifications require a secure transport between client and server, but there exists no end-to-end protection between server and authenticator.

In this paper, we discuss MitM scenarios in which FIDO extensions may be intercepted. We further propose an application-layer security protocol based on the CBOR Object Signing and Encryption (COSE) standard to mitigate these threats. This protocol was verified in a formal security evaluation using ProVerif and, finally, implemented in a proof-of-concept.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel The Measurable Environment as Nonintrusive Authentication Factor on the Example of WiFi Beacon Frames

Nächstes Kapitel Authentication, Authorization, and Selective Disclosure for IoT Data Sharing Using Verifiable Credentials and Zero-Knowledge Proofs

https://github.com/Digital-Security-Lab/protecting-fido-extensions-proverif.

https://github.com/Digital-Security-Lab/protecting-fido-extensions-poc.

https://github.com/abuettner/cose-lib.

Akter, S., Chellappan, S., Chakraborty, T., Khan, T.A., Rahman, A., Al Islam, A.A.: Man-in-the-middle attack on contactless payment over NFC communications: design implementation, experiments and detection. IEEE Trans. Depend. Secur. Comput. 18, 3012–3023 (2020) CrossRef

Arshad, S., Kharraz, A., Robertson, W.: Include me out: in-browser detection of malicious third-party content inclusions. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 441–459. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_26 CrossRef

Barbosa, M., Boldyreva, A., Chen, S., Warinschi, B.: Provable security analysis of FIDO2. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12827, pp. 125–156. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84252-9_5 CrossRef

Bianchi, A., Corbetta, J., Invernizzi, L., Fratantonio, Y., Kruegel, C., Vigna, G.: What the app is that? Deception and countermeasures in the android user interface. In: 2015 IEEE Symposium on Security and Privacy, pp. 931–948. IEEE (2015)

Blanchet, B.: Modeling and verifying security protocols with the applied pi calculus and ProVerif. Found. Trends® Priv. Secur. 1(1–2), 1–135 (2016)

Bormann, C., Hoffman, P.E.: Concise Binary Object Representation (CBOR). RFC 8949, December 2020. https://doi.org/10.17487/RFC8949, https://rfc-editor.org/rfc/rfc8949.txt

Bui, T., Rao, S.P., Antikainen, M., Bojan, V.M., Aura, T.: Man-in-the-machine: exploiting ill-secured communication inside the computer. In: 27th USENIX Security Symposium (USENIX Security 2018), pp. 1511–1525 (2018)

Büttner, A., Gruschka, N.: Enhancing FIDO Transaction Confirmation with Structured Data Formats. In: Norsk IKT-konferanse for forskning og utdanning. No. 3 (2021)

Büttner, A., Nguyen, H.V., Gruschka, N., Lo Iacono, L.: Less is often more: header whitelisting as semantic gap mitigation in HTTP-based software systems. In: Jøsang, A., Futcher, L., Hagen, J. (eds.) SEC 2021. IAICT, vol. 625, pp. 332–347. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-78120-0_22 CrossRef

10.

Dougan, T., Curran, K.: Man in the browser attacks. Int. J. Amb. Comput. Intell. (IJACI) 4(1), 29–39 (2012) CrossRef

11.

Feng, H., Li, H., Pan, X., Zhao, Z.: A formal analysis of the FIDO UAF protocol. In: Proceedings of 28th Network And Distributed System Security Symposium (NDSS) (2021)

12.

Fernandes, E., et al.: Android UI deception revisited: attacks and defenses. In: Grossklags, J., Preneel, B. (eds.) FC 2016. LNCS, vol. 9603, pp. 41–59. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-662-54970-4_3 CrossRef

13.

FIDO Alliance: FIDO Transaction Confirmation White Paper. Technical report, August 2020. https://media.fidoalliance.org/wp-content/uploads/2020/08/FIDO-Alliance-Transaction-Confirmation-White-Paper-08-18-DM.pdf

14.

FIDO Alliance: Fido alliance metadata service (2021). https://fidoalliance.org/metadata/

15.

FIDO Alliance: Fido alliance specifications overview (2021). https://fidoalliance.org/specifications/

16.

FIDO Alliance: History of fido alliance (2021). https://fidoalliance.org/overview/history/

17.

Frymann, N., Gardham, D., Kiefer, F., Lundberg, E., Manulis, M., Nilsson, D.: Asynchronous remote key generation: an analysis of Yubico’s proposal for W3C WebAuthn. In: Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security, pp. 939–954 (2020)

18.

Gil, O.: Web cache deception attack. Black Hat USA 2017 (2017)

19.

Google: Fido2 API for android (2020). https://developers.google.com/identity/fido/android/native-apps

20.

Group, W.W.A.W.: Web authentication (webauthn) (2020). https://www.iana.org/assignments/webauthn/webauthn.xhtml

21.

Jakkal, V.: The passwordless future is here for your microsoft account (2021). https://www.microsoft.com/security/blog/2021/09/15/the-passwordless-future-is-here-for-your-microsoft-account/

22.

Kumar, A., Jones, J., Hodges, J., Jones, M., Lundberg, E.: Web authentication: an API for accessing public key credentials - level 2. In: W3C recommendation, W3C, April 2021. https://www.w3.org/TR/2021/REC-webauthn-2-20210408/

23.

Kunke, J., Wiefling, S., Ullmann, M., Lo Iacono, L.: Evaluation of account recovery strategies with fido2-based passwordless authentication. In: Roßnagel, H., Schunck, C.H., Mödersheim, S. (eds.) Open Identity Summit 2021, pp. 59–70. Gesellschaft für Informatik e.V, Bonn (2021)

24.

Lahmadi, A., Duque, A., Heraief, N., Francq, J.: MitM attack detection in BLE networks using reconstruction and classification machine learning techniques. In: Koprinska, I., et al. (eds.) ECML PKDD 2020. CCIS, vol. 1323, pp. 149–164. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-65965-3_10 CrossRef

25.

Landrock, P., Pedersen, T.: WYSIWYS?-What you see is what you sign? Inf. Secur. Techn. Rep. 3(2), 55–61 (1998) CrossRef

26.

Linhart, C., Klein, A., Heled, R., Steve, O.: HTTP Request Smuggling (2005). https://www.cgisecurity.com/lib/HTTP-Request-Smuggling.pdf

27.

McGruer, S., Solomakhin, R.: Secure Payment Confirmation. In: W3C working draft, W3C, August 2021. https://www.w3.org/TR/2021/WD-secure-payment-confirmation-20210831/

28.

Owens, K., Anise, O., Krauss, A., Ur, B.: user perceptions of the usability and security of smartphones as FIDO2 roaming authenticators. In: Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021), pp. 57–76 (2021)

29.

Pfeffer, K., et al.: On the usability of authenticity checks for hardware security tokens. In: 30th USENIX Security Symposium (USENIX Security 2021) (2021)

30.

Porter, J.: Safari to support password-less logins via face id and touch id later this year (2020). https://www.theverge.com/2020/6/24/21301509/apple-safari-14-browser-face-touch-id-logins-webauthn-fido2

31.

Raspberry Pi Ltd: Raspberry Pi Documentation - Raspberry Pi Pico (2022). https://www.raspberrypi.com/documentation/microcontrollers/raspberry-pi-pico.html

32.

Rescorla, E.: The Transport Layer Security (TLS) Protocol Version 1.3. RFC 8446, August 2018. https://doi.org/10.17487/RFC8446, https://rfc-editor.org/rfc/rfc8446.txt

33.

Schaad, J.: CBOR Object Signing and Encryption (COSE). RFC 8152, July 2017. https://doi.org/10.17487/RFC8152, https://rfc-editor.org/rfc/rfc8152.txt

34.

Selander, G., Mattsson, J.P., Palombini, F.: Ephemeral Diffie-Hellman Over COSE (EDHOC). Internet-Draft draft-ietf-lake-edhoc-12, Internet Engineering Task Force, October 2021. https://datatracker.ietf.org/doc/html/draft-ietf-lake-edhoc-12. (work in Progress)

35.

Sun, D.Z., Mu, Y., Susilo, W.: Man-in-the-middle attacks on secure simple pairing in Bluetooth standard V5. 0 and its countermeasure. Pers. Ubiquit. Comput. 22(1), 55–67 (2018) CrossRef

36.

Wendlandt, D., Andersen, D.G., Perrig, A.: Perspectives: improving ssh-style host authentication with multi-path probing. In: USENIX Annual Technical Conference, vol. 8, pp. 321–334 (2008)

37.

Xu, P., Sun, R., Wang, W., Chen, T., Zheng, Y., Jin, H.: SDD: a trusted display of FIDO2 transaction confirmation without trusted execution environment. Future Gener. Comput. Syst. 125, 32–40 (2021) CrossRef

38.

Zhang, Y., Wang, X., Zhao, Z., Li, H.: Secure display for FIDO transaction confirmation. In: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, pp. 155–157 (2018)

39.

Zhang, Z., Diao, W., Hu, C., Guo, S., Zuo, C., Li, L.: An empirical study of potentially malicious third-party libraries in Android apps. In: Proceedings of the 13th ACM Conference on Security and Privacy in Wireless and Mobile Networks, pp. 144–154 (2020)

Titel: Protecting FIDO Extensions Against Man-in-the-Middle Attacks
verfasst von: Andre Büttner
Nils Gruschka
Verlag: Springer Nature Switzerland
Buch: Emerging Technologies for Authorization and Authentication
Print ISBN: 978-3-031-25466-6

Electronic ISBN: 978-3-031-25467-3

Copyright-Jahr: 2023
DOI: https://doi.org/10.1007/978-3-031-25467-3_5

Springer Professional

Tipp

Weitere Kapitel dieses Buchs durch Wischen aufrufen

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"

Premium Partner