Requirements and Analysis of Extended HTTP Digest Access Authentication

Authenticating to an online service is usually done by providing a username and password in some protected form so that the server can verify that those credentials correspond to a registered identity authorised for access. For the average Internet user, managing one's online identities is challenging. Nearly every password-protected web service advises its users to come up with a sufficiently complex password, which is not to be used elsewhere. As the number of associations with online services increases, so too does the number of online identities that the user has to remember. Identity overload is one of the greatest challenges for Internet users. The result may be that the user reuses difficult passwords for those of his online accounts that protect high-value information, and uses passwords that are easily remembered (and easily guessed) for the protection of lower-value information.

The main goal of this thesis is to investigate local user-centric identity management and propose a simple, secure and user-friendly authentication mechanism. The mechanism relies on an external offline personal authentication device called "OffPAD", which acts as a trusted platform external to the terminal. From this device, the user may authenticate to services and manage his online identities. We argue that the approach of handling critical actions on an external secure device provides increased security and usability with regard to both the authentication process itself and the storage and handling of identities. The OffPAD device can be used to automatically authenticate its holder to any supported web service to which he or she is registered. We will present an extension of the HTTP Digest Access Authentication scheme that facilitates unobtrusive and automated authentication, while still adhering to password policies.

We will look at how we can increase security and suggest improvements for modernizing the (ageing) digest authentication standard, in particular with regard to storage and handling of credentials. We will also discuss how identity management can be more user-centric, and thus more user-friendly, alleviating the cognitive load of managing passwords. HTTP Digest Access Authentication is used as the authentication scheme in every example and in the prototype implementation. It was selected for its simplicity, extensibility and abilities, especially its ability to function with both clear text and hashed user credentials at the endpoints.
