[enhancement] Validation Service & Agent with Double Challenges #447
Description
[enhancement] Validation Service & Agent
- Separated from [integrity.js][WIP] Optional double encryption for integrity #310 to show the updated status
- In addition to the above description, more robust security is achieved via double challanges that minimize the lifetime of the secret keys, which attackers would try to steal.
Shortened Lifetime of Keys
| Version | 0.4.0-alpha.62 | Design at #310 | Design at this issue with Double Challenges |
|---|---|---|---|
| htmlHash lifetime | > 4 weeks | > 4 weeks | several seconds |
| _traverse browserHash lifetime | 4 weeks (not used) |
4 weeks | several seconds |
| Connect browserHash lifetime | 4 weeks (not used) |
4 weeks | one time |
- The lifetime of 4 weeks is the release cycle of major version browsers
- htmlHash without challenges is constant for the same web app version
Status Summary - Design and Implementation in Progress
- Validation with double challenges - basic features are working but error handling is fragile
- Selection of challenge1 whose browserHash has been calculated via Agent browser
- Generation and handing of challange2 on each user request
- Agent with challenge1 (1st challenge) - basic features are working but error handling is fragile
- Validation X (The compoent name is subject to change) - prototyping in progress
- Different features in addition to agent scheduling are being considered
Feature Summary
Threat Models
- Replay Attacks
- Memory Scan Attacks
- MITM Attacks
- Man-in-the-Browser Attacks
- Social Engineering Attacks
Main Features
- Validation of browsers via challenges to make the lifetime of the secret keys as short as possible
- Validation Agent browsers to automatically generate the keys
- More robustness against different attack vectors
- TBD
Expected Components
- Integrity Service (integrityService.js) - enhanced to support validation of browsers
- Validation Service (validationService.js) - implemented as an HTTP/2 server with node:http2 (not spdy)
- [NEW] Agent Client - launch the app page in a new tab to generate new keys
- TBD
Detailed Status
- TBD