Konrad Lohse

From IT-Forensik Wiki

Revision as of 10 November 2021, 11:38

Master Thesis, Hochschule Wismar, November 2021

Author: Konrad Lohse

Title: Untersuchung zur Sicherheit von Protokollen mit clientseitiger Passwortverarbeitung und optionaler Mehrfaktorauthentifizierung (Investigation into the Security of Protocols with Client-side Password Processing and Optional Multi-factor Authentication)

Abstract: This thesis investigates security properties of account management protocols for identity providers, with a focus on web applications. These cover the following protocol functions: account registration, login, sessions, changing and resetting credentials, and account deletion. When passwords are used for authentication, the backend classically has to perform resource-intensive hashing. The thesis examines the options and implications of relocating this hashing to the frontend. To this end, different protocol variants with client-side password processing are discussed and an optimized protocol is constructed. To raise the security level of password-based authentication, an optional multi-factor authentication can be added. The thesis considers its integration as well as the properties and possible uses of symmetric and asymmetric techniques. The effects of the changed identity management protocol flows are evaluated: the thesis subjects the protocol designs to threat modeling to assess weaknesses, and practicability is checked by means of tests, for which a prototypical reference implementation is developed.
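Relocating the hashing to the frontend, as the abstract describes, raises two questions any such protocol has to answer: where the client gets a salt it can reproduce on every device, and what the server stores, given that the client's output is now itself the credential presented at login. The following is an added example (not the thesis's optimized protocol or its reference implementation) showing one common way to answer both: the client derives its salt from the normalised username and a domain-separation string and runs PBKDF2, and the server stores only a keyed hash of whatever the client sends, so a leaked database record cannot be replayed as a login credential. The PBKDF2 parameters, the `idp.example` domain string, the `Server` class and the test account are assumptions made for this example.

```python
import hashlib
import hmac
import os

# Parameters constructed for this illustration (not taken from the thesis).
CLIENT_KDF_ITERATIONS = 100_000   # the slow step, now paid by the client
DOMAIN = b"idp.example"           # hypothetical identity-provider name


def client_hash(username: str, password: str) -> bytes:
    """Client side: derive the slow password hash before it leaves the device.

    The salt has to be reproducible on every device the user logs in from,
    so this example derives it from the (normalised) username plus a
    domain-separation string rather than fetching it from the server.
    A production design would use a memory-hard KDF such as Argon2id.
    """
    salt = hashlib.sha256(DOMAIN + b"|" + username.strip().lower().encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, CLIENT_KDF_ITERATIONS)


class Server:
    """Backend that never sees the password, only the client hash.

    Because the client hash is what the user presents at login, it is itself
    password-equivalent. Storing it directly would turn a database leak into
    a pass-the-hash problem, so the server applies a cheap keyed hash with a
    secret held outside the database (a "pepper") before storing.
    """

    def __init__(self) -> None:
        self.pepper = os.urandom(32)   # server secret; not stored with user records
        self.users: dict[str, tuple[bytes, bytes]] = {}

    def _verifier(self, salt2: bytes, client_hash: bytes) -> bytes:
        return hmac.new(self.pepper, salt2 + client_hash, "sha256").digest()

    def register(self, username: str, client_hash: bytes) -> None:
        salt2 = os.urandom(16)   # per-user salt for the server-side step
        self.users[username] = (salt2, self._verifier(salt2, client_hash))

    def login(self, username: str, client_hash: bytes) -> bool:
        record = self.users.get(username)
        if record is None:
            # Do equivalent work for unknown users so timing does not
            # distinguish "no such account" from "wrong credential".
            self._verifier(b"\x00" * 16, client_hash)
            return False
        salt2, verifier = record
        return hmac.compare_digest(verifier, self._verifier(salt2, client_hash))


def run_protocol() -> dict:
    """Walk through registration and four login attempts; return the outcomes."""
    server = Server()
    user, password = "alice", "correct horse battery staple"   # constructed test account

    # Registration: only the client hash travels to the server.
    server.register(user, client_hash(user, password))

    # Simulated database leak: the attacker obtains the stored verifier.
    leaked_verifier = server.users[user][1]

    return {
        "correct_password": server.login(user, client_hash(user, password)),
        "wrong_password": server.login(user, client_hash(user, "Tr0ub4dor&3")),
        # Replaying the leaked verifier as if it were the client hash fails,
        # because the server re-applies the keyed hash to whatever it receives.
        "replayed_verifier": server.login(user, leaked_verifier),
        "unknown_user": server.login("mallory", client_hash("mallory", password)),
    }


if __name__ == "__main__":
    for case, ok in run_protocol().items():
        print(f"{case:18s} -> {'accepted' if ok else 'rejected'}")
```

The client hash still travels over the wire and is password-equivalent there, so this arrangement shifts the hashing cost to the client but does not remove the need for TLS; and because the salt is derived from the username, anyone can precompute it, which is acceptable for a salt but means the work factor, not salt secrecy, is what slows offline guessing.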

Download PDF document