Following the discussion during OSW 2023, we (@giadas and I) propose some mitigations that could be implemented to further reduce the risks of CDCP attacks. These mitigations are extracted and adapted from our publications:
Marco Pernpruner, Roberto Carbone, Silvio Ranise, and Giada Sciarretta. 2020. The Good, the Bad and the (Not So) Ugly of Out-of-Band Authentication with eID Cards and Push Notifications: Design, Formal and Risk Analysis. In Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy (CODASPY '20). Association for Computing Machinery, New York, NY, USA, 223–234. https://doi.org/10.1145/3374664.3375727.
Marco Pernpruner, Roberto Carbone, Giada Sciarretta, and Silvio Ranise. 2023. An Automated Multi-Layered Methodology to Assist the Secure and Risk-Aware Design of Multi-Factor Authentication Protocols. In IEEE Transactions on Dependable and Secure Computing (TDSC). https://doi.org/10.1109/TDSC.2023.3296210.
Bind QR Code to User Info
In the User-Transferred Session Data Pattern, users could be requested to enter a piece of identifying information on the Initiating Device to start the authorization process; this piece of information is inserted into the QR code and verified by the Authorizing Device during the authorization process. In general, the identifying information could be any attribute retrievable by the Authorizing Device during the authorization process. This contributes to reducing the attack surface by restricting non-targeted attacks.
For instance, in the Italian context, we use the serial number of the user's eID card as identifying information; after interacting with the eID card, the Authorizing Device is able to verify that the value contained in the QR code (i.e., that inserted by the user) matches the real attribute extracted from the eID card.
Limitations: The identifying information could be captured through phishing and used to launch an attack; the additional step could reduce the usability level of the protocol.
Effect on attacks (Table 1): disrupt.
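A sketch of the binding check described under "Bind QR Code to User Info", added here as an illustration and not taken from the proposal or the cited papers. The payload layout (base64url-encoded JSON with `sid` and `uid` fields), the normalization rule and the function names are assumptions; the serial numbers are constructed sample values.

```python
import base64
import hmac
import json


def normalize(identifier: str) -> str:
    # Assumed normalization: drop whitespace and ignore case, so a user typo
    # in spacing or capitalization does not cause a false mismatch.
    return "".join(identifier.split()).upper()


def build_qr_payload(session_id: str, user_identifier: str) -> str:
    """Initiating Device side: place the user-entered identifier in the QR data."""
    body = {"sid": session_id, "uid": normalize(user_identifier)}
    raw = json.dumps(body, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode()


def check_binding(qr_payload: str, card_attribute: str) -> tuple:
    """Authorizing Device side: compare the QR value with the attribute
    actually read from the eID card. Returns (ok, session_id_or_reason)."""
    try:
        body = json.loads(base64.urlsafe_b64decode(qr_payload.encode()))
    except (ValueError, TypeError):
        return False, "malformed QR payload"
    if not isinstance(body, dict) or not isinstance(body.get("sid"), str):
        return False, "malformed QR payload"
    claimed = body.get("uid")
    if not isinstance(claimed, str) or not claimed:
        # Fail closed: a QR code without the binding must not be treated
        # as an older, unbound request.
        return False, "QR payload carries no user binding"
    expected = normalize(card_attribute)
    if not hmac.compare_digest(claimed.encode(), expected.encode()):
        return False, "identifier mismatch"
    return True, body["sid"]


if __name__ == "__main__":
    # Constructed sample: the user typed their own serial on the Initiating Device.
    qr = build_qr_payload("sess-123", " ca00000aa ")
    print(check_binding(qr, "CA00000AA"))  # card of the user who started the flow
    print(check_binding(qr, "CA99999ZZ"))  # card of a different user
```

The check passes whenever the value in the QR code equals the card attribute, so it does not help if that value was obtained beforehand, which is the limitation stated above.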