Last Comment Bug 532127 - Implementation Proposal for Mutual HTTP authentication protocol
: Implementation Proposal for Mutual HTTP authentication protocol
Status: RESOLVED WONTFIX
:
Product: Core
Classification: Components
Component: Networking: HTTP (show other bugs)
: unspecified
: All All
: -- enhancement with 2 votes (vote)
: ---
Assigned To: Yutaka OIWA
:
Mentors:
Depends on: 533412
Blocks:
  Show dependency treegraph
 
Reported: 2009-12-01 09:39 PST by Yutaka OIWA
Modified: 2016-02-04 13:19 PST (History)
15 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
A patch to the network portion of the main Mozilla code. (36.44 KB, patch)
2009-12-01 09:45 PST, Yutaka OIWA
no flags Details | Diff | Review
The extension part which implements the protocol. (354.31 KB, patch)
2009-12-01 09:46 PST, Yutaka OIWA
no flags Details | Diff | Review
A patch to the network portion of the main Mozilla code. (38.91 KB, patch)
2011-06-13 07:33 PDT, KIHARA, Boku
no flags Details | Diff | Review
The extension part which implements the protocol. (364.93 KB, patch)
2011-06-13 07:35 PDT, KIHARA, Boku
no flags Details | Diff | Review

Description Yutaka OIWA 2009-12-01 09:39:39 PST
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; ja; rv:1.9.0.15) Gecko/2009101600 Firefox/3.0.15
Build Identifier: 

This patch is to implement HTTP Mutual access authentication protocol,
which we are currently proposing to IETF HTTP Working group.
  http://tools.ietf.org/html/draft-oiwa-http-mutualauth

Mutual authentication protocol is a protocol which implements
password-based strong access authentication.  This protocol provides
true mutual authentication between HTTP clients and servers using
simple password-based authentication.  It is designed on top of
generic HTTP authentication architecture (RFC 2617).

Unlike Basic and Digest HTTP access authentication protocol, the
protocol ensures that the server knows the user's entity (encrypted
password) upon successful authentication.  This prevents common
phishing attacks: phishing attackers cannot convince users that the
user has been authenticated to the genuine website. Furthermore, even
when user has been authenticated against an illegitimate server, the
server can not gain any bit of information about user's passwords.

Currently, the draft protocol specification is submitted to the
IETF as an Internet Draft;  it is available both from IETF and
from our project homepage.  We also have an Apache module for this
protocol, which can be downloaded from our project page.
For trial, we put an implementation of Firefox with this patch
applied in our project page, too.

This patch consists of three parts:

  1. an extension to the C-language part of network-layer
     implementation, adding interfaces for implementing (2) below.
     To implement authentication in an add-on layer, we need several
     additional interfaces for communication between them
     (e.g. session management and hooks).

     Current our implementation is somewhat specific to our protocol:
     we think it can be generalized.

  2. an add-on module implemented in XPI layer for the Mutual
     authentication protocol.  Most of the work is done in this
     level.  Cryptographic computations are done in a DLL in
     this module.

  3. a new user interface for authentication.  To ensure (a) the
     authentication UI is not affected by the page content from
     malicious phishers, and (b) to show the result of a mutual
     authentication, we propose a new UI for this, separately from
     conventional authentication methods.  We also use this UI for
     supporting non-modal optional authentication (see specs for
     details.)

To implement this protocol, at least part 1 (or generalized one)
have to be incorporated to the main code of the Mozilla browsers.
Other parts can either be built-in or be an add-on.

This proposal will be an answer for several existing bug IDs for
phishing and authentication issues:  further information is
posted on a web page specific for this bug-id:
  http://www.rcis.aist.go.jp/special/MutualAuth/software/mozilla/
This page contains the following resources:

  - links to related bug IDs
  - possible things to be considered (known issues)
  - materials (posters and paper abstracts) describing the proposed
    protocol and UI design
  - link to the trial implementation and trial website
  - more things to be added...

We believe the protocol is useful, and ask considerations for
including this to future (e.g. 3.7 or 4.0?) releases of Firefox.

Reproducible: Always
Comment 1 Yutaka OIWA 2009-12-01 09:45:30 PST
Created attachment 415413 [details] [diff] [review]
A patch to the network portion of the main Mozilla code.
Comment 2 Yutaka OIWA 2009-12-01 09:46:53 PST
Created attachment 415414 [details] [diff] [review]
The extension part which implements the protocol.
Comment 3 Yutaka OIWA 2009-12-24 03:43:30 PST
A bug on cache management, which has been found during implementing these patches,
has been submitted as a separate bug 533412.
That bug affects both existing (Basic/Digest) and new authentication mechanisms,
if 401 response bodies are processed as documents.

As this proposal always processes 401 responses when user/pass are not available,
the bug 533412 "must" be fixed for this bug-id.  (for Basic/Digest, it SHOULD.)
I added that bug as a dependency.

The patch above contains a partial workaround for bug 533412,
which is to be removed once that is fixed.
Comment 4 KIHARA, Boku 2011-06-13 07:33:35 PDT
Created attachment 538896 [details] [diff] [review]
A patch to the network portion of the main Mozilla code.

A patch to the network portion of the main Mozilla code.
Obsoletes attachment 415413 [details] [diff] [review].
Comment 5 KIHARA, Boku 2011-06-13 07:35:08 PDT
Created attachment 538897 [details] [diff] [review]
The extension part which implements the protocol.

The extension part which implements the protocol.
Obsoletes attachment 415414 [details] [diff] [review].
Comment 6 KIHARA, Boku 2011-06-13 07:37:56 PDT
These patches (538896 and 538897) are for Firefox 3.6.17.

Note You need to log in before you can comment on or make changes to this bug.