4WWW95: CCI-based Web security
authors:
Common Client Interface (CCI):
today, multiple solutions are available to increase security in the Web,
e.g. S-HTTP, message digests, Kerberos-based systems, SSL and PCT, DCE-Web
and so on. while a diversity of methods and protocols may be desirable for
various reasons, we may end up in a situation where we need multiple browsers,
one for each set of security mechanisms.
instead of adding each new security feature to the browser itself, CCI is a
new approach which adds application layer support to the client. a well-defined
interface allows the client to call other applications, including security
applications. if a new security algorithm is introduced, the browser does not
need to be modified; instead, it simply calls the corresponding application via
the CCI.
in the approach presented, they used PGP ("Pretty Good Privacy")
to handle data encryption, signature verification and so on. in this PGP-CCI
approach, they introduced HTTP extensions similar to S-HTTP and new HTML anchor
attributes. no changes have to be made to the code of either the server or
the client; all that is necessary is the addition of the newly proposed MIME type
Content-type: application/x-pgp
the PGP-CCI protocol:
to handle the application/x-pgp content-types, the PGP-CCI application
registers with the browser to receive all requests for URLs with the HTTP
protocol and to handle all application/x-www-pgp-response content-types.
hyperlinks pointing to documents that shall be retrieved using PGP-CCI
contain special attributes, such as the server's public key ID, whether the
request should be encrypted, signed or both, and so on.
a request for a document using PGP-CCI is processed as follows:
- the browser passes the HTTP request to the CCI application as it would
normally send it to the server.
- the CCI application applies the proper security enhancements to the
request as defined by the attributes in the URL.
- the CCI application encapsulates the original request with a generic HTTP
request and passes it back to the browser for retrieval on the network.
- the server uses PGP to decrypt and/or verify the signature on the
encapsulated request. if the request was not properly authorized, the server
sends back an "unauthorized" (HTTP 401) response.
if the request passed the authorization correctly, it sends back an
"application/x-www-pgp-response" which might be encrypted and/or
signed using the session key contained in the client's request.
- if the server's response is "unauthorized", the browser will
display the server's HTML error message.
- the CCI application uses PGP to decrypt and/or verify the signature of the
server's response, then it passes the plain text of the HTTP response to the
browser. the browser processes this response as it would handle any HTTP
response.
the proposed new hyperlink attributes for PGP-CCI include:
- PGPPUBKEYID (required)
this attribute identifies the public key of the server at the other end of the
hyperlink.
- PGPUSER (optional)
the full PGP username of the server.
- PGPPUBKEYBLOCK (optional)
the server may include its public keyblock in the anchor.
- PGPMODE (optional)
this attribute includes values indicating whether the HTTP request should be
signed, encrypted or both.
this is an example of a PGP-CCI hyperlink:
<A HREF="http://www.topsecret.org/wherever/whatever.html"
PGPUSER="Topsecret Web Server <www@topsecret.org>"
PGPPUBKEYID="E9B2BB1D"
PGPMODE="request-signed,request-encrypted"
> this is a secure link </A>
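the request/response procedure and the hyperlink attributes above, as an added worked example (not code from the paper or from the PGP-CCI implementation): the PGP operations are replaced by an HMAC stand-in, and all keys, the /pgp-cci path, the response body and the helper names (sign, parse_anchor, cci_enhance, server_handle, cci_fetch) are constructed for this example.

```python
import hmac, hashlib, re

# Constructed stand-in for PGP so the PGP-CCI exchange can run offline: "signing"
# is HMAC-SHA256 under a shared key (real PGP-CCI uses asymmetric PGP keys and
# can also encrypt the request and response; neither is modelled here).
KEYS = {"E9B2BB1D": b"constructed-server-key", "client": b"constructed-client-key"}
CLIENT_KEYRING = {"E9B2BB1D": KEYS["E9B2BB1D"]}   # server key IDs the user trusts

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()

def parse_anchor(anchor):
    """Read HREF and the PGP-CCI attributes out of a hyperlink."""
    attrs = dict(re.findall(r'(\w+)="([^"]*)"', anchor))
    modes = set(filter(None, attrs.get("PGPMODE", "").split(",")))
    return attrs["HREF"], attrs["PGPPUBKEYID"], modes

def cci_enhance(request, key_id, modes, keyring=CLIENT_KEYRING, user_ack=False):
    """CCI app: keyring check, sign if PGPMODE asks for it, wrap as application/x-pgp."""
    if key_id not in keyring and not user_ack:
        raise PermissionError("key ID %s not in keyring, user must acknowledge" % key_id)
    sig = sign(KEYS["client"], request) if "request-signed" in modes else b""
    body = sig + b"\n" + request
    return (b"POST /pgp-cci HTTP/1.0\r\nContent-type: application/x-pgp\r\n"
            b"Content-length: %d\r\n\r\n" % len(body)) + body

def server_handle(encapsulated, authorized=(KEYS["client"],)):
    """Server: 401 unless the signature verifies, else a signed x-www-pgp-response."""
    headers, _, body = encapsulated.partition(b"\r\n\r\n")
    sig, _, original = body.partition(b"\n")
    if (b"Content-type: application/x-pgp" not in headers or
            not any(hmac.compare_digest(sig, sign(k, original)) for k in authorized)):
        return "text/html", b"<H1>401 Unauthorized</H1>"
    plain = b"HTTP/1.0 200 OK\r\n\r\n<H1>the secret page</H1>"
    return "application/x-www-pgp-response", sign(KEYS["E9B2BB1D"], plain) + b"\n" + plain

def cci_fetch(anchor, request=b"GET /wherever/whatever.html HTTP/1.0\r\n\r\n", tamper=False):
    """Browser -> CCI -> server -> CCI -> browser; tamper=True alters the request in transit."""
    _href, key_id, modes = parse_anchor(anchor)
    encapsulated = cci_enhance(request, key_id, modes)
    if tamper:
        encapsulated = encapsulated.replace(b"whatever.html", b"other.html")
    ctype, payload = server_handle(encapsulated)
    if ctype != "application/x-www-pgp-response":
        return payload                 # browser displays the server's HTML error message
    sig, _, plain = payload.partition(b"\n")
    if not hmac.compare_digest(sig, sign(CLIENT_KEYRING[key_id], plain)):
        raise ValueError("response not signed by key ID %s" % key_id)
    return plain                       # plain HTTP response handed back to the browser
```

a request whose PGPMODE omits request-signed, or one altered on the wire, ends in the server's 401 page; a hyperlink naming a key ID absent from the keyring is stopped before anything is sent.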
CCI functions:
the commands used by PGP-CCI are based on Spyglass' Software Development
Interface (SDI) and include the following functions:
- RegisterViewer: (TO browser)
to handle PGP-enhanced documents, the PGP-CCI application registers to view all
documents with application/x-pgp MIME types. for the PGP-CCI protocol, the CCI
application registers to handle application/x-www-pgp-response content types.
- RegisterProtocol: (TO browser)
the PGP-CCI application registers to handle all requests for URLs with protocol
HTTP in order to trap requests to be pre-processed.
- OpenURL: (FROM browser)
if a CCI application is registered to handle a requested URL's protocol, the
browser uses this command to pass on the request to the CCI application.
- OpenURL: (TO browser)
this function is used by the CCI application to tell the browser to fetch a
document specified by the URL argument.
- ViewDocData/File: (FROM browser)
if a CCI application has registered as a viewer for the content-type of a
received document, the browser uses these commands to pass the CCI application
the data to be viewed.
security considerations:
potential attacks may be divided into two categories:
- network-based attacks related to the security
protocol:
any attacker who attempts to impersonate a desired Web server will either be
detected before the request is sent or will be easily identified after the
response. to decrypt/encrypt requests or to provide a signed or encrypted
response, the attacker would have to possess the private key corresponding to
the public key ID in the hyperlink.
the main defense mechanism against these types of attacks is PGP's handling of
public keys. if an attacker attempts to fool the client into using the
attacker's public key which is not in the user's keyring, the PGP-CCI
application asks that the user acknowledge the use of an untrusted key.
- attacks on the CCI communications between the browser and the PGP-CCI
application:
the communication between the CCI application and the browser is based on local
temporary files. therefore the security of this communication is highly
dependent upon the security of the operating system of the client system.
for more information, see the current version of this paper.
4WWW95 CCI-based Web security / 28-jan-1999 (ra) /
reto ambühler
!!! This document is stored in the
ETH Web archive and is no longer maintained !!!