Abstract
Several research works attempt to replace simple authentication schemes, in which the cryptographic digest of a plaintext password is stored at the server, with more elaborate schemes such as PAKE-based protocols. In practice, however, only a very small number of web applications use such schemes, perhaps because of the complexity of the cryptography involved. Today, even the most successful web applications use text-based passwords, which are simply hashed and stored at the server. This has broad implications for both the service and the user: essentially, users are forced to reveal their plain passwords both when registering and when authenticating with a service.
In this paper, we attempt to make it easier for any web service to (a) enable advanced authentication schemes and (b) switch from one scheme to another. More precisely, we design and realize auth.js, a framework that allows a web application to offer advanced authentication based on more sophisticated techniques than cryptographically hashed text-based passwords. auth.js can be easily enabled in any web application and supports traditional passwords; however, once enabled, switching to a more elaborate scheme is straightforward. auth.js exposes advanced cryptographic primitives that can be used to implement strong authentication, such as PAKE and similar solutions, while ensuring that all cryptographic primitives are trusted and executed by the browser's engine. For this, we extend Mozilla Crypto with additional primitives, such as scrypt and the edwards25519 elliptic curve. Finally, we evaluate auth.js with real web applications, such as WordPress.
Notes
1. To be precise, WordPress has three default authentication methods: one using username and password, one using email and password, and one using a cookie.
Acknowledgments
We thank the anonymous reviewers for helping us to improve the final version of this paper. This work was supported by the European Union’s Horizon 2020 research and innovation programme under grant agreements No. 786669 (ReAct), No. 830929 (CyberSec4Europe), and No. 826278 (SERUMS), and by the RESTART programmes of the research, technological development and innovation of the Research Promotion Foundation, under grant agreement ENTERPRISES/0916/0063 (PERSONAS).
© 2020 Springer Nature Switzerland AG
Cite this paper
Christou, N., Athanasopoulos, E. (2020). auth.js: Advanced Authentication for the Web. In: Saracino, A., Mori, P. (eds) Emerging Technologies for Authorization and Authentication. ETAA 2020. Lecture Notes in Computer Science(), vol 12515. Springer, Cham. https://doi.org/10.1007/978-3-030-64455-0_3
DOI: https://doi.org/10.1007/978-3-030-64455-0_3
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-64454-3
Online ISBN: 978-3-030-64455-0