“Guess Who?” Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication
IMIS 2020, July 1, 2020
Nampoina Andriamilanto, Tristan Allard, Gaëtan Le Guelvouit
Public distribution 2
Web Authentication
◆ Passwords suffer from flaws
  – Dictionary attacks: common passwords [5] or password reuse [14]
  – Phishing attacks: 12.4 million stolen credentials [12]
◆ Leading to multi-factor authentication
Web Authentication by Browser Fingerprinting
◆ Browser fingerprinting
  – Collection of browser attributes
  – Depending on the web environment
◆ Use for web authentication
Motivation
◆ No large-scale study on browser fingerprints for authentication
  – Large fingerprint sets, but fewer than 30 attributes [4, 11, 15]
  – More than 30 attributes, but fewer than 2,000 users [8, 17]
◆ Previous works focus on
  – Authentication mechanism designs [6, 10, 16]
  – Efficacy for web tracking [4, 11, 13, 15, 17]
◆ Existing tools lack documentation
  – Examples are MicroFocus¹ or SecureAuth²
1 - https://www.netiq.com/documentation/access-manager-44/admin/data/how-df-works.html
2 - https://docs.secureauth.com/pages/viewpage.action?pageId=33063454
Institute of Research and Technology b-com.com
Similarity with Biometric Factors
◆ Similarity with biometric factors
  – Extraction of features from an entity
  – Recognition of the entity
  – Imperfections due to digitalization
◆ Properties identified by previous works [1, 2, 3]
Authentication Factor Properties
◆ Properties to be usable
  – Universality
  – Distinctiveness
  – Stability
  – Collectibility
◆ Properties to be practical
  – Performance
  – Acceptability³
  – Circumvention [16]
3 - https://support.google.com/accounts/answer/1144110
Notation
◆ Fingerprint domain $F$
  – Considering $n$ attributes, with $V_x$ the domain of the attribute $x$
  $F = \{\, \langle v_1, \ldots, v_n \rangle \mid v_x \in V_x \,\}$
◆ Fingerprint dataset $D$
  – Fingerprint $f$ was collected from the browser $b$ at the moment $t$
  – With $B$ the browser population, and $T$ the time domain
  $D = \{\, \langle f, b, t \rangle \mid f \in F,\ b \in B,\ t \in T \,\}$
Distinctiveness
◆ Distinctiveness: are two different browsers distinguishable?
  – $B(f, D)$: the browsers sharing the fingerprint $f$ in the dataset $D$
◆ Size of the anonymity sets
  – $A(s, D)$: the fingerprints in an anonymity set of size $s$ (shared by exactly $s$ browsers)
  $B(f, D) = \{\, b \in B \mid \exists\, t \in T,\ \langle f, b, t \rangle \in D \,\}$
  $A(s, D) = \{\, f \in F \mid \mathrm{card}(B(f, D)) = s \,\}$
Stability
◆ Stability: can a browser be recognized through time?
◆ Example of consecutive fingerprints
  – Fingerprints: $\{\, \langle f_1, b, t_1 \rangle, \langle f_2, b, t_2 \rangle, \langle f_3, b, t_3 \rangle \,\}$
  – Consecutive fingerprints: $\{\, \langle f_1, f_2 \rangle, \langle f_2, f_3 \rangle \,\}$
◆ Stability measure
  – Grouped by the elapsed time between the two consecutive fingerprints
  – Similarity: proportion of identical attributes
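Added worked example (not part of the original slides, nor the study's own code): the distinctiveness measures of the previous slide and the stability measure of this slide, computed in Python over a small constructed dataset of ⟨fingerprint, browser, time⟩ triples. The attribute values, browser identifiers, observation times and the grouping of elapsed time into 7-day buckets are assumptions for illustration only.

```python
"""Distinctiveness and stability measures over a constructed fingerprint dataset.

A dataset D is a list of <fingerprint, browser, time> triples, where a
fingerprint is a tuple of n attribute values. Everything below is an
illustrative reimplementation of the slide definitions, not the study's code.
"""
from collections import defaultdict

# Constructed sample (not real data): three attributes per fingerprint
# (user agent, screen size, canvas hash), four browsers b1..b4, observation
# times in days since the first collection.
DATASET = [
    (("UA-1", "1920x1080", "c-aaa"), "b1", 0),
    (("UA-1", "1920x1080", "c-aaa"), "b1", 7),
    (("UA-2", "1920x1080", "c-aaa"), "b1", 30),  # b1 updated its user agent
    (("UA-1", "1920x1080", "c-aaa"), "b2", 0),   # b2 shares b1's first fingerprint
    (("UA-1", "1920x1080", "c-aaa"), "b2", 14),
    (("UA-3", "1366x768", "c-bbb"), "b3", 0),
    (("UA-3", "1366x768", "c-ccc"), "b3", 7),    # canvas hash changed
    (("UA-4", "375x667", "c-ddd"), "b4", 0),
]


def browsers_sharing(f, dataset):
    """B(f, D): the browsers from which fingerprint f was collected at any time."""
    return {b for fp, b, _t in dataset if fp == f}


def anonymity_set(s, dataset):
    """A(s, D): the distinct fingerprints shared by exactly s browsers."""
    distinct = {fp for fp, _b, _t in dataset}
    return {fp for fp in distinct if len(browsers_sharing(fp, dataset)) == s}


def unicity(dataset):
    """Proportion of distinct fingerprints that belong to a single browser.

    Assumption: unicity is computed over distinct fingerprint values, so a
    fingerprint observed several times from one browser counts once.
    """
    distinct = {fp for fp, _b, _t in dataset}
    return len(anonymity_set(1, dataset)) / len(distinct)


def consecutive_pairs(dataset):
    """Yield (f_i, f_{i+1}, elapsed) for each browser's observations in time order."""
    by_browser = defaultdict(list)
    for fp, b, t in dataset:
        by_browser[b].append((t, fp))
    for obs in by_browser.values():
        obs.sort(key=lambda o: o[0])
        for (t1, f1), (t2, f2) in zip(obs, obs[1:]):
            yield f1, f2, t2 - t1


def similarity(f1, f2):
    """Proportion of attributes that are identical between two fingerprints."""
    if len(f1) != len(f2):
        raise ValueError("fingerprints must have the same number of attributes")
    return sum(a == b for a, b in zip(f1, f2)) / len(f1)


def stability_by_elapsed_time(dataset, bucket):
    """Mean similarity of consecutive fingerprints, grouped by elapsed time.

    Elapsed times are grouped into buckets of `bucket` days (assumed grouping);
    the key of each group is the lower bound of its bucket.
    """
    groups = defaultdict(list)
    for f1, f2, elapsed in consecutive_pairs(dataset):
        groups[(elapsed // bucket) * bucket].append(similarity(f1, f2))
    return {k: sum(v) / len(v) for k, v in sorted(groups.items())}


if __name__ == "__main__":
    print("unicity:", unicity(DATASET))
    for s in (1, 2):
        print(f"anonymity sets of size {s}:", anonymity_set(s, DATASET))
    print("stability by 7-day bucket:", stability_by_elapsed_time(DATASET, 7))
```

On this sample, four of the five distinct fingerprints are unique (unicity 0.8), one fingerprint sits in an anonymity set of size 2 because b1 and b2 share it, and the consecutive pairs with a changed attribute pull the mean similarity of their elapsed-time bucket down to 2/3.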
Performance
◆ Collection time
  – Measured over the JavaScript attributes
◆ Size
  – Only the canvases are hashed
◆ Loss of efficacy
  – Through time: over the six months [9]
  – Through space: over the device types [7, 11]
Large-scale Fingerprint Dataset
◆ Fingerprint collection experiment
  – Probe on two web pages
  – Industrial partner (top 15 French websites⁴)

Study                       Collection period  Attributes  Fingerprints  Browsers  Unicity
Panopticlick [4]            3 weeks            8           470,161                 0.836
AmIUnique [11]              3-4 months         17          118,934                 0.894
Hiding in the Crowd [13]    6 months           17          2,067,942               0.336
Long-Term Observation [17]  3 years            305         88,088                  0.954–0.958
This study                  6 months           262         4,145,408               0.818

4 - https://www.alexa.com/topsites/countries/FR
Fingerprints Distinctiveness
◆ >80% of the fingerprints are unique
◆ >94% are shared by ≤8 browsers
Fingerprints Distinctiveness per Device Type
◆ 84% of desktop fingerprints are unique
◆ 42% for the mobile browsers
Fingerprints Stability
◆ On average, 90% of the attributes stay identical between two consecutive fingerprints
◆ Mobile fingerprints are generally more stable
Fingerprints Collection Time
◆ Median collection time of 2.92 seconds
◆ Mobile fingerprints generally take more time to collect
Fingerprints Size
◆ Median size of 7,550 bytes
◆ Mobile fingerprints are generally lighter
Conclusion
◆ Our fingerprints
  – Are mostly unique (>80%)
  – Are stable (>90% identical attributes between consecutive fingerprints)
  – Only weigh a few kilobytes (median of 7,550 bytes)
  – Are collected in seconds (median of 2.92 seconds)
◆ Our fingerprints of mobile browsers
  – Show a loss of distinctiveness
  – Are generally more stable and lighter, but longer to collect
◆ Promising additional web authentication factor
tompoariniaina.andriamilanto@b-com.com
Institute of Research and Technology b-com.com
References
1. Davide Maltoni, Dario Maio, Anil K. Jain, and Salil Prabhakar. Handbook of Fingerprint …
2. Vasilios Zorkadis and P. Donos. “On Biometrics-based Authentication and Identification from a Privacy-protection Perspective: Deriving Privacy-enhancing Requirements.” Information Management & Computer Security 12, no. 1 (January 1, 2004): 125–37. https://doi.org/10.1108/09685220410518883.
3. Marco Gamassi, Massimo Lazzaroni, Mauro Misino, Vincenzo Piuri, Daniele Sana, and Fabio … “… Accuracy and Performance Measurement.” IEEE Transactions on Instrumentation and Measurement 54, no. 4 (August 2005): 1489–1496. https://doi.org/10.1109/TIM.2005.851087.
4. Peter Eckersley. “How Unique Is Your Web Browser?” In International Conference on Privacy Enhancing Technologies (PETS), 1–18, 2010. https://doi.org/10.1007/978-3-642-14527-8_1.
5. Joseph Bonneau. “The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords.” In IEEE Symposium on Security and Privacy (S&P), 538–52, 2012. https://doi.org/10.1109/SP.2012.49.
6. Thomas Unger, Martin Mulazzani, Dominik Frühwirt, Markus Huber, Sebastian Schrittwieser, and Edgar Weippl. “SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting.” In International Conference on Availability, Reliability and Security (ARES), 255–61, 2013. https://doi.org/10.1109/ARES.2013.33.
7. Jan Spooren, Davy Preuveneers, and Wouter Joosen. “Mobile Device Fingerprinting Considered Harmful for Risk-Based Authentication.” In European Workshop on System Security (EuroSec), 6:1–6:6, 2015. https://doi.org/10.1145/2751323.2751329.
8. Amin Faiz Khademi, Mohammad Zulkernine, and Komminist Weldemariam. “An Empirical Evaluation of Web-Based Fingerprinting.” IEEE Software 32, no. 4 (July 2015): 46–52. https://doi.org/10.1109/MS.2015.77.
9. Andreas Kurtz, Hugo Gascon, Tobias Becker, Konrad Rieck, and Felix Freiling. “Fingerprinting Mobile Devices Using Personalized Configurations.” Proceedings on Privacy Enhancing Technologies 2016, no. 1 (2016). https://doi.org/10.1515/popets-2015-0027.
10. Tom Goethem, Wout Scheepers, Davy Preuveneers, and Wouter Joosen. “Accelerometer-Based Device Fingerprinting for Multi-Factor Mobile Authentication.” In International Symposium on Engineering Secure Software and Systems (ESSoS), 106–121, 2016. https://doi.org/10.1007/978-3-319-30806-7_7.
11. Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. “Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints.” In IEEE Symposium on Security and Privacy (S&P), 878–94, 2016. https://doi.org/10.1109/SP.2016.57.
12. Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, et al. “…” In ACM SIGSAC Conference on Computer and Communications Security (CCS), 1421–1434, 2017. https://doi.org/10.1145/3133956.3134067.
13. Alejandro Gómez-Boix, Pierre Laperdrix, and Benoit Baudry. “Hiding in the Crowd: An Analysis …” In … (TheWebConf), 2018. https://doi.org/10.1145/3178876.3186097.
14. Chun Wang, Steve T.K. Jan, Hang Hu, Douglas Bossart, and Gang Wang. “The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services.” In ACM Conference on Data and Application Security and Privacy (CODASPY), 196–203, 2018. https://doi.org/10.1145/3176258.3176332.
15. Antoine Vastel, Pierre Laperdrix, Walter Rudametkin, and Romain Rouvoy. “FP-STALKER: Tracking Browser Fingerprint Evolutions.” In IEEE Symposium on Security and Privacy (S&P), 728–41, 2018. https://doi.org/10.1109/sp.2018.00008.
16. Pierre Laperdrix, Gildas Avoine, Benoit Baudry, and Nick Nikiforakis. “Morellian Analysis for Browsers: Making Web Authentication Stronger With Canvas Fingerprinting.” In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA), 43–66, 2019. https://doi.org/10.1007/978-3-030-22038-9_3.
17. Gaston Pugliese, Christian Riess, Freya Gassmann, and Zinaida Benenson. “Long-Term Observation on Browser Fingerprinting: Users’ Trackability and Perspective.” Proceedings on Privacy Enhancing Technologies 2020, no. 2 (April 1, 2020): 558–577. https://doi.org/10.2478/popets-2020-0041.