Closed Bug 532127 Opened 15 years ago Closed 8 years ago

Implementation Proposal for Mutual HTTP authentication protocol

Categories

(Core :: Networking: HTTP, enhancement)

Product:
Core
Component:
Networking: HTTP
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: y.oiwa, Assigned: y.oiwa)

References

Details

Attachments

(2 files, 2 obsolete files)

A patch to the network portion of the main Mozilla code.
38.91 KB, patch
Details | Diff | Splinter Review
The extension part which implements the protocol.
364.93 KB, patch
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; ja; rv:1.9.0.15) Gecko/2009101600 Firefox/3.0.15
Build Identifier: 

This patch is to implement HTTP Mutual access authentication protocol,
which we are currently proposing to IETF HTTP Working group.
  http://tools.ietf.org/html/draft-oiwa-http-mutualauth

Mutual authentication protocol is a protocol which implements
password-based strong access authentication.  This protocol provides
true mutual authentication between HTTP clients and servers using
simple password-based authentication.  It is designed on top of
generic HTTP authentication architecture (RFC 2617).

Unlike Basic and Digest HTTP access authentication protocol, the
protocol ensures that the server knows the user's entity (encrypted
password) upon successful authentication.  This prevents common
phishing attacks: phishing attackers cannot convince users that the
user has been authenticated to the genuine website. Furthermore, even
when user has been authenticated against an illegitimate server, the
server can not gain any bit of information about user's passwords.

Currently, the draft protocol specification is submitted to the
IETF as an Internet Draft;  it is available both from IETF and
from our project homepage.  We also have an Apache module for this
protocol, which can be downloaded from our project page.
For trial, we put an implementation of Firefox with this patch
applied in our project page, too.

This patch consists of three parts:

  1. an extension to the C-language part of network-layer
     implementation, adding interfaces for implementing (2) below.
     To implement authentication in an add-on layer, we need several
     additional interfaces for communication between them
     (e.g. session management and hooks).

     Current our implementation is somewhat specific to our protocol:
     we think it can be generalized.

  2. an add-on module implemented in XPI layer for the Mutual
     authentication protocol.  Most of the work is done in this
     level.  Cryptographic computations are done in a DLL in
     this module.

  3. a new user interface for authentication.  To ensure (a) the
     authentication UI is not affected by the page content from
     malicious phishers, and (b) to show the result of a mutual
     authentication, we propose a new UI for this, separately from
     conventional authentication methods.  We also use this UI for
     supporting non-modal optional authentication (see specs for
     details.)

To implement this protocol, at least part 1 (or generalized one)
have to be incorporated to the main code of the Mozilla browsers.
Other parts can either be built-in or be an add-on.

This proposal will be an answer for several existing bug IDs for
phishing and authentication issues:  further information is
posted on a web page specific for this bug-id:
  http://www.rcis.aist.go.jp/special/MutualAuth/software/mozilla/
This page contains the following resources:

  - links to related bug IDs
  - possible things to be considered (known issues)
  - materials (posters and paper abstracts) describing the proposed
    protocol and UI design
  - link to the trial implementation and trial website
  - more things to be added...

We believe the protocol is useful, and ask considerations for
including this to future (e.g. 3.7 or 4.0?) releases of Firefox.

Reproducible: Always
Assignee: nobody → y.oiwa
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

    
    

    
  
A bug on cache management, which has been found during implementing these patches,
has been submitted as a separate bug 533412.
That bug affects both existing (Basic/Digest) and new authentication mechanisms,
if 401 response bodies are processed as documents.

As this proposal always processes 401 responses when user/pass are not available,
the bug 533412 "must" be fixed for this bug-id.  (for Basic/Digest, it SHOULD.)
I added that bug as a dependency.

The patch above contains a partial workaround for bug 533412,
which is to be removed once that is fixed.
Depends on: 533412

    
    

    
  


  
A patch to the network portion of the main Mozilla code.
Obsoletes attachment 415413 [details] [diff] [review].

    
    

    
  


  
The extension part which implements the protocol.
Obsoletes attachment 415414 [details] [diff] [review].

    
    

    
  
These patches (538896 and 538897) are for Firefox 3.6.17.

    
  

        Attachment #415413 -
        Attachment is obsolete: true

    
  

        Attachment #415414 -
        Attachment is obsolete: true
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: