Browser Models for Usable Authentication Protocols

Authors

  • Sebastian Gajek
  • Mark Manulis
  • Ahmad-Reza Sadeghi
  • Jörg Schwenk
Abstract

In this paper we argue that the deployment of browser-based protocols that make use of Web 2.0 technologies bears risks which have not been thoroughly studied. We postulate that these protocols have to become subject to rigorous security analysis, as is done with cryptographic protocols. However, the analysis of browser-based protocols requires security models that take into account (i) the protocol definition, (ii) Web 2.0 languages, in order to capture corruption of web browsers, and (iii) user behavior. We sketch how real user behavior (based on empirical studies) may be incorporated into security models.

1 Position Statement

The term Web 2.0 refers to a perceived second generation of web-based services that emphasize online collaboration and sharing among users, in order to highlight an improved form of the World Wide Web (at least according to some technology experts). Technically speaking, Web 2.0 may be expressed in terms of the languages and protocols deployed that have become standard extensions of commodity web browsers. Thus, so-called zero-footprint web browsing that makes use of HTTP (optionally tunneled over SSL) and rudimentary HTML has become antiquated, since browser extensions such as Macromedia’s Flash and Adobe’s Reader are must-have requirements for an improved Internet experience for users. We denote the languages providing Web 2.0 functionality as higher order browser (HOB) languages and the protocols realized with this functionality as higher order browser protocols. Examples include JavaScript and asynchronous XML (AJAX), and the Simple Object Access Protocol (SOAP), respectively. HOB languages and protocols are used to implement, e.g., mashups, blogs, and multimedia streaming applications; however, these languages and protocols are also appealing for security-critical web applications. A prominent example is Microsoft’s identity meta-protocol CardSpace, which deploys SOAP and XML security technologies in order to authenticate the user to a relying party (see [9] for details).

We argue that the deployment of HOB (security) protocols bears risks which have not been thoroughly studied. We postulate that HOB protocols have to become subject to rigorous security analysis, as is done with cryptographic protocols. This requires formal models. The cryptographic community proposes various approaches for modeling the security of protocols. Some researchers use the formal methods approach, which handles cryptographic primitives in terms of an abstract algebra. This approach allows proofs to be automated by employing tools and methodologies such as model checkers and theorem provers. Another approach, the computational approach, makes use of probability theory and complexity theory. Here cryptographic primitives are viewed as (interactive) algorithms on bit strings, and protocols are defined by combining (Turing) machines running these algorithms. Based on these approaches, several models have been proposed, such as the Dolev-Yao model [4], the Lynch model [8], the Bellare-Rogaway model [1], the Herzberg-Yoffe model [7], the Pfitzmann-Waidner model [10], and the Universal Composability framework initiated by Canetti [2]. Common to these models is that protocol principals are assumed to be machines that follow a strict protocol definition. In the setting of HOB protocols, however, a human user is an active participant in the protocol. More precisely, the user is responsible for identifying an honest web site. Consider, for instance, a HOB authentication protocol running on top of SSL where the user has to enter his password into a web form designed with Flash. Then the user must intrinsically ensure that he is communicating with the real server. Unfortunately, the user’s protocol interface, the web browser, is a protocol-unaware principal [6] that may be partly controlled by HOB languages. For instance, in [5] the authors have shown that certain security indicators of the web browser can be deactivated by HOB languages.

Hence, we argue that the analysis of HOB protocols requires security models that take into account (i) the protocol definition, (ii) HOB languages, in order to capture corruption of web browsers, and (iii) user behavior. Although in [6] first steps have been made towards a formal security model for browser-based protocols, that model is not suited to Web 2.0 settings, since it makes ideal assumptions about the browser and the user: the browser is assumed to be zero-footprint, and the user is assumed to verify the server’s identity. The latter assumption has recently gained much attention in the usable security community. In [3, 11] the authors conclude that average-skilled Internet users do not understand the browser’s security indicators and SSL server authentication, i.e. one may not assume per se that the user authenticates the server.


Related references

Process algebraic modeling of authentication protocols for analysis of parallel multi-session executions

Many security protocols have the aim of authenticating one agent acting as initiator to another agent acting as responder and vice versa. Sometimes, the authentication fails because of executing several parallel sessions of a protocol, and because an agent may play both the initiator and responder role in parallel sessions. We take advantage of the notion of transition systems to specify authen...


Browser Model for Security Analysis of Browser-Based Protocols

Currently, many industrial initiatives focus on web-based applications. In this context an important requirement is that the user should only rely on a standard web browser. Hence the underlying security services also rely solely on a browser for interaction with the user. Browser-based identity federation is a prominent example of such a protocol. Unfortunately, very little is still known abou...


Browser-based identity federation

Given the increasing popularity of Web 2.0 applications, web-based three-party authentication gets more and more important. Identity federation fulfills this requirement through standardized protocols that authenticate Web users across trust domains. This thesis considers the problem of secure authentication by browser-based identity federation. This special class of identity federation only us...


A Browser-Based Kerberos Authentication Scheme

When two players wish to share a security token (e.g., for the purpose of authentication and accounting), they call a trusted third party. This idea is the essence of Kerberos protocols, which are widely deployed in a large range of computer networks. Browser-based Kerberos protocols are the derivatives with the exception that the Kerberos client application is a commodity Web browser. Whereas th...


One User, Many Hats; and, Sometimes, No Hat: Towards a Secure Yet Usable PDA

How can we design a PDA that is at the same time secure and usable? In current implementations the two properties are mutually exclusive. Because normal users find password entry inconvenient, the balance usually shifts away from security, leaving the PDA vulnerable if lost or stolen. We begin by envisaging what an ideal PDA authentication mechanism might look like and by carefully examining al...



Publication date: 2007