Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting
Pierre Laperdrix, Gildas Avoine, Benoit Baudry, Nick Nikiforakis
DIMVA 2019
Introduction - Web attacks and data breaches
Attacks on the web happen more and more frequently and are getting bigger.
Protecting an account with just a password is not enough.
Introduction - The need for multi-factor authentication
Low adoption of multi-factor authentication
A 2017 survey from Duo Security indicated that more than half of Americans had never heard of 2FA before.
A talk in January 2018 revealed that less than 10% of Gmail users have 2FA enabled.
Problems: an education gap about the benefits of 2FA/MFA, and usability issues that come with having it activated.
There is a need for a technical solution that bridges the gap between the insufficiency of passwords and the low onboarding of 2FA.
Can browser fingerprinting be a viable alternative?
Introduction - Internet in 2019
A bigger and richer web: audio, video, 3D rendering, real-time communications, web payments, virtual reality
1995: Browser: Netscape; Language: Fr
2019: Browser: Chrome v74; OS: Linux; Screen: 1920x1080; Language: Fr; Timezone: GMT+1; Graphic card: GTX 1080Ti
What happens when we start collecting all the information available in a web browser?
Introduction - Definition of browser fingerprinting
Definitions
A browser fingerprint is a set of information related to a user’s device, from the hardware to the operating system to the browser and its configuration.
Browser fingerprinting refers to the process of collecting information through a web browser to build a fingerprint of a device.
Introduction - Example of a browser fingerprint
Attribute | Value
User agent | Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0
HTTP headers | text/html, application/xhtml+xml, application/xml;q=0.9,*/*;q=0.8 gzip, deflate, br en-US,en;q=0.5
Plugins | Plugin 0: QuickTime Plug-in 7.6.6; libtotem-narrowspace-plugin.so; Plugin 1: Shockwave Flash; Shockwave Flash 26.0 r0; libflashplayer.so.
Fonts | Century Schoolbook, Source Sans Pro Light, DejaVu Sans Mono, Bitstream Vera Serif, URW Palladio L, Bitstream Vera Sans Mono, Bitstream Vera Sans, ...
Platform | Linux x86_64
Screen resolution | 1920x1080x24
Timezone | -480 (UTC+8)
OS | Linux 3.14.3-200.fc20.x86 32-bit
WebGL vendor | NVIDIA Corporation
WebGL renderer | GeForce GTX 650 Ti/PCIe/SSE2
Canvas | (image)
Using fingerprinting for authentication
[Diagram labels: Login/Password; Browser fingerprint; User authenticated?]
Using fingerprinting for authentication - Avoiding pitfalls
One major problem: what if the user’s fingerprint is stolen (i.e. collected)?
Fingerprints can be manipulated in JavaScript. An attacker can send any information to the authentication server.
An attacker can also try to reconstruct the environment of his victim to bypass verification.
[Figure labels: FP, Modified FP]
Using fingerprinting for authentication - Avoiding pitfalls
One major problem: what if the user’s fingerprint is stolen (i.e. collected)?
Traditional fingerprinting scripts always collect the same attributes (≈20 questions):
What is the user agent?
What is the language?
What is the browser?
What is the list of plugins?
What is the list of fonts?
What is the screen resolution?
What is the timezone?
What is the platform?
Are cookies enabled?
A look into the past
Giovanni Morelli (1816-1891)
Studied medicine and taught anatomy
Identified the characteristic "hands" of painters through scrutiny of minor details in paintings
Using canvas fingerprinting for authentication
[Diagram labels: Login/Password; Canvas fingerprint; User authenticated]
Focus on canvas fingerprinting
Example from the AmIUnique.org website
Using canvas fingerprinting for authentication
Use the Canvas API as a drawing board for a Morellian analysis.
Dynamic: incredibly high number of questions; generation of a new test at each connection
Hard to spoof: hardware, OS, browser
Example drawing instructions:
Draw an orange rectangle of size 63x45 at position (7,89)
Render the string stnalpehtretlaw with a size 30pt at position (1337,42) with the font Arial in purple
Draw a green circle with a circumference of 24 pixels at position (4,8)
Draw a blue rectangle of size 2x2 at position (2,2)
Draw a yellow rectangle of size 33x44 at position (55,66)
Render the string “fingerprinting” with a size 26pt at position (45,54) with the font Georgia in red
Draw a blue circle with a circumference of 22 pixels at position (42,8)
Our challenge-response system - Bootstrapping phase
[Diagram: Server and Client; the client is labelled OS, Browser, Fonts, GPU, Drivers]
1. Generating a new canvas challenge c1: “Cwm fjordbank glyphs vext quiz, \ud83d\ude03” RGB(4,8,15)
2. Sending the challenge c1 to the client
3. Rendering the canvas image
4. Sending the response r1 to the server
5. Storing both the challenge c1 and the response r1
Our challenge-response system - Connection phase
[Diagram: Server and Client; the client is labelled OS, Browser, Fonts, GPU, Drivers]
1. Retrieving c1 and r1 from the previous connection: “Cwm fjordbank glyphs vext quiz, \ud83d\ude03” RGB(4,8,15)
2. Sending the challenge c1 to the client
3. Rendering the canvas image
4. Sending the response r1 to the server
5. Verifying that the client’s answer r1 matches the one from the previous connection
6. If the rendering is verified, we generate and send a new challenge c2. Shown on the slide: “SyNnEP88TON” RGB(4,8,15) “24tAoB897” RGB (16,23,42)…
7. Storing both the challenge c2 and the response r2 for the next connection
Loop n°1 with c1,r1: verify the current connection
Loop n°2 with c2,r2: verify the next connection
Analysis of our system
Incredible diversity of challenges
Extensive testing to tune canvas fingerprinting for authentication
[Figure labels: Phase 1, Phase 2, Phase 3]
Analysis of our system
Incredible diversity of challenges
Parameter | Description | Number of combinations
String content | [A-Z] [a-z] [0-9] | 62^10
Size | From size 30 to 78 | 49
Rotation | Precision up to the tenth digit | 360° x 10 = 3600
Color with gradients | RGB color model encoded on 8 bits | ((2^8)^3)^2 = 2^48
Shadow color | RGB color model encoded on 8 bits | 2^24
Shadow strength | From 0 to 50 | 51
62^10 x 49 x 3600 x 2^48 x 2^24 x 51 ≈ 2^154 challenges
2.3x10^50 bits of space with an average of 10kb per response
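The bootstrapping and connection loops of the challenge-response system, with challenges drawn from the parameter ranges in the table, as an added example for Node.js that is not code from the paper or its demo. The names `newChallenge`, `renderOn`, `CanvasAuthServer` and `demo` are hypothetical, and `renderOn` hashes a constructed device label as a stand-in for real Canvas API rendering in the browser.

```javascript
const crypto = require("node:crypto");
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
const rgb = () => [0, 0, 0].map(() => crypto.randomInt(256));
// One random challenge from the parameter table (randomInt's upper bound is exclusive).
function newChallenge() {
  let text = "";
  for (let i = 0; i < 10; i++) text += ALPHABET[crypto.randomInt(62)];
  return {
    text,                                   // 62^10 strings
    size: crypto.randomInt(30, 79),         // 30..78, 49 values
    rotation: crypto.randomInt(3600) / 10,  // tenths of a degree, 3600 values
    gradient: [rgb(), rgb()],               // two RGB colors, 2^48
    shadowColor: rgb(),                     // 2^24
    shadowStrength: crypto.randomInt(51),   // 0..50, 51 values
  };
}

// Assumption: stand-in for the browser. A real client draws the challenge with the
// Canvas API; hashing a constructed device label models its hardware/OS/browser stack.
const renderOn = (device, challenge) =>
  crypto.createHash("sha256").update(device + JSON.stringify(challenge)).digest("hex");

class CanvasAuthServer {
  constructor() { this.stored = new Map(); }     // user -> { challenge, response }
  // `render` models the round trip to the client: challenge out, response back.
  connect(user, render) {
    const prev = this.stored.get(user);
    if (prev) {                                  // connection phase, steps 1-5
      const got = Buffer.from(String(render(prev.challenge)));
      const want = Buffer.from(prev.response);
      if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return false;
    }
    const next = newChallenge();                 // step 6 (bootstrapping when no prev)
    this.stored.set(user, { challenge: next, response: render(next) });  // step 7
    return true;
  }
}

// Constructed scenario: device-A enrolls, then an old response and another device are tried.
function demo() {
  const server = new CanvasAuthServer(), seen = [], legit = (c) => renderOn("device-A", c);
  server.connect("alice", legit);                // bootstrapping: stores (c1, r1)
  server.connect("alice", (c) => { seen.push(legit(c)); return seen[seen.length - 1]; });
  return {
    replayOfR1: server.connect("alice", () => seen[0]),                   // r1 already used
    otherDevice: server.connect("alice", (c) => renderOn("device-B", c)),
    sameDevice: server.connect("alice", legit),
  };
}
```

`demo()` returns `{ replayOfR1: false, otherDevice: false, sameDevice: true }`: the response to an already-verified challenge and a rendering from a different stack are both rejected, while the enrolled device still passes.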
Analysis of our system
Great diversity of results
Many different responses for the exact same set of instructions
Protection against configuration recovery
Having the same device as the victim does not guarantee that an attacker with stolen credentials can reproduce the expected rendering.
[Figure: Distribution of groups with identical fingerprints (1,111,819 devices); labels: 1 single rendering, More than 1 rendering]
Analysis of our system
Attacks blocked or mitigated by our scheme
Replay attack
MITM or relay attacks
Preplay attack (collecting all possible values beforehand)
Guessing or building the right response
Configuration recovery
Privacy risks associated with fingerprinting
In this work, canvas fingerprinting is used in a first-party context to augment authentication.
It complements the use of traditional cookies as an extra layer of protection but it does not provide websites with any additional linking power (we collect only randomly generated canvas fingerprints).
[Figure panels: Traditional fingerprinting; Our scheme with canvas fingerprinting]
Conclusion
Using canvas fingerprinting to augment authentication
Fast, transparent and frictionless for the user
Resiliency to a lot of different attacks because of the high diversity of challenges and results
Code and demo: https://plaperdr.github.io/morellian-canvas/
Thank you!
Any questions?
Websites
https://amiunique.org
https://plaperdr.github.io/morellian-canvas/
Contact
pierre.laperdrix@cispa.saarland
@RockPartridge