Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 - - PowerPoint PPT Presentation

authentication
SMART_READER_LITE
LIVE PREVIEW

Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 - - PowerPoint PPT Presentation

May 11, 2023 364 likes •548 views

Privacy-Preserv rving Im Implicit Authentication Nashad Safa Rei Safavi-Naini Siamak Shahandashti 2 Outline Device, Implicit Authentication Usage patterns, authentication decision making Cost: privacy! Our Basic Protocol

slide-1
SLIDE 1

Privacy-Preserv rving Im Implicit Authentication

Nashad Safa Rei Safavi-Naini Siamak Shahandashti

slide-2
SLIDE 2

ncl.ac.uk

Outline

  • Device, Implicit Authentication
  • Usage patterns, authentication decision making
  • Cost: privacy!
  • Our Basic Protocol
  • Preserves privacy against carrier, benign illegitimate users
  • Our Improved Protocol
  • Preserves privacy against malicious illegitimate users as well
  • Privacy Guarantees, Computation & Communication Cost
  • Concluding Remarks

IFIP SEC 2014

2

4 June 2014

slide-3
SLIDE 3

ncl.ac.uk

Implicit Authentication

  • Idea: authentication by device usage pattern
  • Implicit: does not need user interaction, runs in the background
  • Usage pattern is compared with history
  • If conforming: no action
  • If not conforming: user asked to provide the first factor for authentication
  • Result: legitimate user not burdened much, illegitimate user caught

IFIP SEC 2014

3

4 June 2014

Authentication Protocol Device Carrier

slide-4
SLIDE 4

ncl.ac.uk

Example Scenario

IFIP SEC 2014

4

  • 3. Authentication Protocol

App Server

4 June 2014

Jakobsson, Shi, Golle, Chow – USENIX 2009

slide-5
SLIDE 5

ncl.ac.uk

Storage of Usage Pattern History

Usage pattern history needs to be stored on the carrier side!

  • Otherwise, loss of device = loss of usage pattern history

= ability to mimic (physically or artificially) the usage pattern = loss of authentication security! = loss of privacy!

IFIP SEC 2014

5

4 June 2014

slide-6
SLIDE 6

ncl.ac.uk

Usage Pattern Data

  • 3 categories of usage pattern data:
  • 3rd party (App server / cloud) data: app usage pattern, app data, …
  • Carrier data: call, sms, data usage patterns, location pattern, …
  • Device data: WiFi usage pattern, sensor data, device usage pattern, …
  • Device (, 3rd party) data needs to be shared with carrier for effective

implicit authentication

  • We claim this is unnecessary!
  • and propose “privacy-preserving implicit authentication”
  • Idea: store encrypted usage pattern data

IFIP SEC 2014

6

4 June 2014

slide-7
SLIDE 7

ncl.ac.uk

User Profiles & Authentication

  • User profile: vector of features
  • Each feature belongs to a user-specific distribution
  • Feature distributions are approximated by feature history
  • On a new reading, a decision is made if it belongs to the distribution
  • Observation: often the distribution is

a collection of clusters e.g. based on time of day

IFIP SEC 2014

7

4 June 2014

slide-8
SLIDE 8

ncl.ac.uk

𝑦 +𝑒 −𝑒

A Simple Decision Maker

  • For a distribution 𝐸, calculate a measure of dispersion 𝑒
  • E.g. standard deviation, average absolute deviation (AAD)
  • On a new reading 𝑦, calculate the area under the distribution curve

between 𝑦 − 𝑒 and 𝑦 + 𝑒

  • This ‘similarity measure’ is between 0 and 1
  • Can be approximated by the number of points

recorded in the history

  • Only needs comparison, addition,

calculation of dispersion 𝑒

IFIP SEC 2014

8

4 June 2014

slide-9
SLIDE 9

ncl.ac.uk

Calculation in the Ciphertext Space

  • Homomorphic Encryption (HE): enables addition in ciphertext space
  • 𝐼. 𝐹𝑜𝑑 𝑏 + 𝑐 = 𝐼. 𝐹𝑜𝑑 𝑏 ⊕ 𝐼. 𝐹𝑜𝑑 𝑐
  • Hence, 𝐼. 𝐹𝑜𝑑 𝑑 ⋅ 𝑏 = 𝑑 ⊙ 𝐼. 𝐹𝑜𝑑(𝑏)
  • Comparison in the ciphertext space
  • Possible using homomorphic encryption, but needs interaction
  • Order-Preserving Symmetric Encryption (OPSE)
  • 𝑏 > 𝑐 ⇔ 𝑃𝑄. 𝐹𝑜𝑑 𝑏 > 𝑃𝑄. 𝐹𝑜𝑑 𝑐

IFIP SEC 2014

9 Boldyreva et al. EuroCrypt’09

4 June 2014

slide-10
SLIDE 10

ncl.ac.uk

Our Protocol: Idea, Pre-computation

Basic idea:

  • Device sends encrypted readings to carrier periodically, which are

stored on the carrier side as history: 𝐼. 𝐹𝑜𝑑 𝑤 𝑢𝑗 , 𝑃𝑄. 𝐹𝑜𝑑 𝑤 𝑢𝑗 Pre-computation:

  • Carrier finds order in history using order-preserving encryptions, finds

encrypted median, calculates average absolute deviation (AAD): 𝐼. 𝐹𝑜𝑑 𝐵𝐵𝐸 𝑤

IFIP SEC 2014

10

4 June 2014

slide-11
SLIDE 11

ncl.ac.uk

Our Protocol: Authentication, Update

Authentication:

  • Carrier calculates, sends them to device:

𝐼. 𝐹𝑜𝑑 𝑤 𝑢𝑗 − 𝐵𝐵𝐸 𝑤 , 𝐼. 𝐹𝑜𝑑 𝑤 𝑢𝑗 + 𝐵𝐵𝐸 𝑤

  • Device decrypts, calculates OP encryptions, sends back:

𝑃𝑄. 𝐹𝑜𝑑 𝑤 𝑢𝑗 − 𝐵𝐵𝐸 𝑤 , 𝑃𝑄. 𝐹𝑜𝑑 𝑤 𝑢𝑗 + 𝐵𝐵𝐸 𝑤

  • Carrier locates values, counts no. of ciphertexts within the range

Update:

  • If authentication succeeds (either implicit or explicit), update AAD
  • Only needs a few calculations to account for the difference

IFIP SEC 2014

11

4 June 2014

slide-12
SLIDE 12

ncl.ac.uk

Privacy of our Protocol

  • Definition based on secure two-party computation guarantees:
  • Device only learns AAD of history
  • Carrier only learns order of current reading compared to history
  • Proven our protocol secure against an honest-but-curious device, an

honest-but-curious carrier

  • User privacy is preserved against carrier
  • If device stolen or lost, user privacy preserved against illegitimate users, as

long as the device is not ‘hacked’

  • For ‘hacked’ devices, need to consider privacy against malicious devices

IFIP SEC 2014

12

4 June 2014

slide-13
SLIDE 13

ncl.ac.uk

Improving Security

  • To achieve security against malicious devices:
  • Device required to send a proof of knowledge of plaintext with the ciphertext

𝐼. 𝐹𝑜𝑑 𝑤 𝑢𝑗

  • Order-preserving encryption replaced by interaction with device to compare

ciphertexts

  • Compare 𝑃𝑄. 𝐹𝑜𝑑 𝑤 𝑢𝑗 ± 𝐵𝐵𝐸 𝑤

with history records via binary tree search

  • log ℓ rounds of interaction for a history of size ℓ
  • Proven our protocol secure against a malicious device
  • If device stolen or lost, user privacy preserved, even if device ‘hacked’

IFIP SEC 2014

13 Baudron et al. PODC’01

4 June 2014

slide-14
SLIDE 14

ncl.ac.uk

Comparing Homomorphic Ciphertexts

  • Goal: compare 𝑏, 𝑐 given 𝐼. 𝐹𝑜𝑑 𝑏 , 𝐼. 𝐹𝑜𝑑(𝑐), device has key
  • Naïve: send to device, get response, but device learns 𝑏, 𝑐, might

cheat

  • Equivalent: Calculate 𝐼. 𝐹𝑜𝑑 𝑏 − 𝑐 , compare with zero
  • Randomise: 𝐼. 𝐹𝑜𝑑 𝑠(𝑏 − 𝑐) , so device does not learn 𝑏 − 𝑐, but

still might cheat

  • Mix with 𝑙 − 1 other values 𝐼. 𝐹𝑜𝑑 𝑑𝑗 for known 𝑑𝑗, now device

might still cheat, but will be caught with high probability

4 June 2014 IFIP SEC 2014

14

slide-15
SLIDE 15

ncl.ac.uk

Computation & Communication Cost

Cost of privacy for device: encryption

  • Basic protocol:
  • 3 homomorphic, 3 order-preserving encryptions
  • Authentication: 300ms on 2.66 GHz single-core processor
  • Only 2 rounds of communication
  • Improved protocol:
  • 𝑙 log ℓ homomorphic encryptions for security parameter 𝑙
  • Authentication failure discovered 4 seconds with 𝑙 = 2, ℓ = 100
  • log ℓ rounds of communication

IFIP SEC 2014

15

4 June 2014

slide-16
SLIDE 16

ncl.ac.uk

Final Remarks

  • Implicit authentication improves security without degrading usability
  • However it requires giving up on privacy! Is this necessary?
  • We proposed privacy-preserving implicit authentication
  • Guarantees privacy against carrier, also illegitimate users in case of

loss of device

  • Does not incur prohibitive extra computation, communication cost
  • A step towards showing that

the trade-off between privacy & security is a false one!

IFIP SEC 2014

16

4 June 2014

slide-17
SLIDE 17

Thank you!

Full version: Contact me: eprint.iacr.org/2014/203 siamak.shahandashti@ncl.ac.uk www.esperez.com