Abstract
User authentication to a server is typically done by presenting a username and a password, in some protected form, to the server, which then verifies that those credentials correspond to an identity previously registered and authorized for access. It is crucial that attackers never obtain operational passwords, which is typically achieved by encryption in transit or by a challenge-response protocol between the client and server platforms. However, these mechanisms do not protect passwords at the moment they are entered into the client computer, which leaves the password exposed to malware on the client. We present a method for protecting passwords from exposure on client platforms. The method is an extension of the well-known HTTP Digest Access Authentication, a challenge-response protocol specified as part of HTTP. The method relies on an external, mostly offline personal authentication device called OffPAD which communicates with the client platform. We show how the presented authentication scheme increases security as well as usability with regard to identity management. In addition to describing the OffPAD device, we argue that the HTTP Digest Access Authentication standard does not conform to today's best practices, and suggest improvements.
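As an added illustration (this is not code from the paper, and the OffPAD protocol itself is not reproduced here), the following Python models the RFC 2617 Digest exchange with qop="auth": the server issues a nonce and verifies responses against a stored HA1, while the password is held by a separate PasswordHolder object that receives only the challenge and request details and returns only the digest, which is the role an external device such as OffPAD plays. It also carries out the offline dictionary attack that a single captured exchange permits, which is the concrete sense in which Digest's unsalted, fast MD5 construction falls short of current best practice. The realm, user, password, nonce values and wordlist are constructed for the example.

```python
"""RFC 2617 HTTP Digest Access Authentication, qop="auth", worked end to end.
Added example; realm, users, passwords and wordlist below are constructed."""
import hashlib
import secrets
from typing import Optional


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password). A server may store this instead of
    the password, but it is password-equivalent within the realm."""
    return md5_hex(f"{username}:{realm}:{password}")


def ha2(method: str, uri: str) -> str:
    """HA2 = MD5(method:uri) for qop="auth" (no entity-body hash)."""
    return md5_hex(f"{method}:{uri}")


def digest_response(h1: str, nonce: str, nc: str, cnonce: str, qop: str, h2: str) -> str:
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop="auth"."""
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class Server:
    """Relying party: issues nonces, verifies responses from stored HA1 values."""

    def __init__(self, realm: str):
        self.realm = realm
        self.users = {}    # username -> HA1 (never the cleartext password)
        self.nonces = {}   # issued nonce -> highest nonce-count accepted so far

    def register(self, username: str, password: str) -> None:
        self.users[username] = ha1(username, self.realm, password)

    def challenge(self) -> dict:
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = 0
        return {"realm": self.realm, "nonce": nonce, "qop": "auth"}

    def verify(self, method: str, uri: str, auth: dict) -> bool:
        nonce, nc = auth["nonce"], int(auth["nc"], 16)
        if nonce not in self.nonces or nc <= self.nonces[nonce]:
            return False                      # unknown nonce, or nc replayed
        h1 = self.users.get(auth["username"])
        if h1 is None:
            return False
        expected = digest_response(h1, nonce, auth["nc"], auth["cnonce"],
                                   auth["qop"], ha2(method, uri))
        if not secrets.compare_digest(expected, auth["response"]):
            return False
        self.nonces[nonce] = nc               # advance the replay window
        return True


class PasswordHolder:
    """Wherever the password lives: the browser, or a separate device (the role
    OffPAD plays in the paper). It sees only the challenge and request details
    and hands back only the digest, so the password never reaches the host."""

    def __init__(self, username: str, password: str):
        self.username, self.password, self.nc = username, password, 0

    def respond(self, challenge: dict, method: str, uri: str) -> dict:
        self.nc += 1
        nc, cnonce = f"{self.nc:08x}", secrets.token_hex(8)
        h1 = ha1(self.username, challenge["realm"], self.password)
        resp = digest_response(h1, challenge["nonce"], nc, cnonce,
                               challenge["qop"], ha2(method, uri))
        return {"username": self.username, "realm": challenge["realm"],
                "nonce": challenge["nonce"], "uri": uri, "qop": challenge["qop"],
                "nc": nc, "cnonce": cnonce, "response": resp}


def crack(auth: dict, method: str, wordlist) -> Optional[str]:
    """Offline dictionary attack on one captured exchange: everything but the
    password is in the clear and MD5 is cheap, so a weak password falls fast."""
    h2 = ha2(method, auth["uri"])
    for guess in wordlist:
        h1 = ha1(auth["username"], auth["realm"], guess)
        if digest_response(h1, auth["nonce"], auth["nc"], auth["cnonce"],
                           auth["qop"], h2) == auth["response"]:
            return guess
    return None


def demo() -> tuple:
    server = Server("example.org")                      # constructed realm
    server.register("alice", "letmein")                 # constructed weak password
    chal = server.challenge()
    bad = PasswordHolder("alice", "wrong").respond(chal, "GET", "/secret")
    wrong_pw = server.verify("GET", "/secret", bad)     # digest mismatch: rejected
    auth = PasswordHolder("alice", "letmein").respond(chal, "GET", "/secret")
    first = server.verify("GET", "/secret", auth)       # fresh nc: accepted
    replay = server.verify("GET", "/secret", auth)      # same nc again: rejected
    cracked = crack(auth, "GET", ["password", "123456", "letmein"])
    return wrong_pw, first, replay, cracked


if __name__ == "__main__":
    print(demo())
```

The server never learns the password, only HA1, and the holder never learns anything it did not already have; what the scheme does not fix is that an eavesdropper on an unencrypted exchange, or malware on the host that sees the Authorization header, can run `crack` at MD5 speed, which is why a slow key-derivation function would be the modern choice.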
© 2013 IFIP International Federation for Information Processing
Klevjer, H., Varmedal, K.A., Jøsang, A. (2013). Extended HTTP Digest Access Authentication. In: Fischer-Hübner, S., de Leeuw, E., Mitchell, C. (eds) Policies and Research in Identity Management. IDMAN 2013. IFIP Advances in Information and Communication Technology, vol 396. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-37282-7_7
DOI: https://doi.org/10.1007/978-3-642-37282-7_7
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-37281-0
Online ISBN: 978-3-642-37282-7