enhancing web browsing security on public terminals using mobile composition richard sharp &...
TRANSCRIPT
Enhancing Web Browsing Security on Public Terminals Using Mobile Composi-
tion
Richard Sharp & Anil Madhavapeddy, Roy Want & Trevor PeringACM MobiSys’08
2008. 10. 16.Ahn Jung-Sang
2
Content
• Introduction
• System Overview
• Security Model
• Technical Details
• Performance Evaluation
• Conclusion
3
Introduction
• Crimeware– Malicious software to facilitate illegal activity
• Stealing identities, Committing fraud– Key-logger, Screen-grabber
• Most prevalent crimeware
• Current web security model– HTTPS/SSL
• Protects data when transmission between client & server• Cannot preserve data in untrusted user PC
4
Introduction
• Split-Trust Browsing– Combination of 2 devices
• General purpose networked PC (untrusted)• Personal trusted device
– Linked together as device composition• USB, Bluetooth, Wireless, Etc..
– Security-critical operations are performed in device.• Using its display & keypad for I/O• Information entered in device cannot be read by PC
– Thwarting PC-based key-loggers
5
System Overview
Untrusted PC TrustedPersonal Device
Browser
RDC Agent Browser
Internet
Web Server
6
System Overview
• RDC (Remote Device Communication) Agent– Forward message
• between web server & personal device• With encryption & decryption
– Session key is known only to server & device• Crimeware on PC is unable to read
• Two separate Internet connections– Not means that establish an additional Internet connec-
tion– Tunnel data between server & device over PC’s connec-
tion
• Assumption– Web applications have been written explicitly to support
split-trust browsing
7
Security Model
• Threat Model– Attacker’s motivation: to steal information
• Passive monitoring attacks: recording everything from PC• Active injection attacks: injecting malicious data packets
into PC– PC-based browser is untrustworthy
• Security Policy Model• 1. Communication channel between server & device must
be authenticated & encrypted.• 2. All security-sensitive form must be filled by the device.• 3. All security-sensitive information must be displayed only
on the device.• 4. Web app. must not allow submission from device to be
replayed.• 5. All security-critical operations must be initiated by the
device.
8
Security Model
• Property 5– All security-critical operations must be initiated by the
device– Example
• Charlie says to Bob “Please sign the following authorization to transfer $100 from your account to Alice’s account”
• But paper says only “I authorize the money transfer”• Bob signs the paper, and Charlie takes it to bank• Charlie says to cashier “Here’s the authorization to transfer
all funds from Bob’s account to my account”– Text of conformation must specify fully the action being
initiated.
9
Security Model
• Property 4– Web application must not allow form submission mes-
sages from device to be replayed• Must not accept data arising from the same form submis-
sion– Why? - consider the following attack
• On-line banking sends a form asking to confirm money transfer
• When user submits the form, the PC records submit mes-sage
• Attacker may maliciously initiate another money transfer, and replay the user’s previous confirmation message to complete
10
Technical Details
• Architecture– Trusted personal device: cell phone (Motorola E680)
• Connected using Bluetooth• Runs a simple cHTML browser
– Web browser: Firefox– RDC agent: implemented as a Firefox browser extension– Embedded message: AES-encrypted, Base64
11
Technical Details
• Embedding Split-Trust in HTML– Meta tag specifies that this page contains embedded
messages
– Form contains hidden field that stores value attribute
– The name attribute associates form field with event
12
Technical Details
• RDC Agent– Run as a Firefox browser extension– Written in combination of JavaScript & XML– First checks for the meta tag
• If present, uses the DOM API to check if there are any ‘rdc-’ prefixed hyperlink tag
• For each hyperlink tags, an event listener is added with a callback function
– Forwards its associated message to the personal device
13
Technical Details
• RDC Agent– Authentication and Key Exchange
• Negotiation of a session key uses SSHv2• diffie-hellman-group1-sha1 with RSA host keys
– Start with meta tag with name=“kex-init”
14
Technical Details
• Components on the Cell Phone– Crypto Layer
• Cross-compiled• Open source GNU Multi-Precision Arithmetic Library
(libGMP)• Open source AES implementation
– cHTML browser• Unable to interface this system with phone’s built-in
browser• Implemented a simple cHTML browser as a Java MIDP app.
– Interfaces with Crypto layer via a loopback TCP connection
15
Technical Details
• Dealing with Forms
– When user clicks <a> tag• RDC forwards ‘rdc-onClick-0-msg’ to personal device.• This message contains encrypted cHTML content + form
field• The phone relays message back to RDC in its HTML reponse• This triggers the RDC to poll the phone for user’s response
16
Technical Details
– When user select ‘submit’ in phone’s browser• Crypto layer encrypts user input• Return it to RDC-agent in an HTTP response• RDC agent inserts it into value attribute named ‘rdc-…-re-
sponse’– Crimeware may swap the message other name
• Encrypted message contains a set of (<fieldname>, <in-put>)
• Avoiding Replay Attacks– Nonce & timestamp– Phone’s browser automatically copies this into response
message– Then web application checks
• It has not seen the nonce before• The response is timely
17
Performance Evaluation
• Measured the latency between server and device– Message is encrypted using AES with 1024-bit key &
Base64– Message length is 850 byte
• Expect that most messages are smaller than this
18
Conclusion
• Crimeware is becoming a serious problem– The current web security model
• Protects data as it is transmitted between server & client• But doesn’t prevent crimeware attacks in end-point client
• Split-trust browsing through mobile composition– Allows users to combine their PC with trusted personal
device– Security-critical operations are performed in device
19
Discussion
• Mobile application is installed on the untrusted terminal– Service providers have to modify their applications
• What makes a personal device trusted?– The best case is specifically designed personal device
but..– How about PDA & cell phone?
• Usability issues– Links that causes new content to appear on the device
• Highlighted background?– Stick the personal device on the side of PC monitor