outsourcing phone based web authentication while
play

Outsourcing Phone-based Web Authentication while Protecting User - PowerPoint PPT Presentation

Jul 07, 2023 •351 likes •1.24k views

Outsourcing Phone-based Web Authentication while Protecting User Privacy NordSec 2016 Martin Potthast 1 Christian Forler 2 Eik List 1 Stefan Lucks 1 1 Bauhaus-Universitt Weimar <firstname>.<lastname>(at)uni-weimar.de 2 Beuth

  1. Outsourcing Phone-based Web Authentication while Protecting User Privacy NordSec 2016 Martin Potthast 1 Christian Forler 2 Eik List 1 Stefan Lucks 1 1 Bauhaus-Universität Weimar <firstname>.<lastname>(at)uni-weimar.de 2 Beuth Hochschule für Technik Berlin 04 Nov 2016 Outsourcing Phone-based Web Authentication 04 Nov 2016 1/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  2. Section 1 Motivation Outsourcing Phone-based Web Authentication 04 Nov 2016 2/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  3. Passwords Humans are bad at memorizing strong passwords Already 2007: Median user is registered at 25 web services [Florêncio and Herley, 2007] Passwords are unlikely to disappear in the near future Image: xato.net Outsourcing Phone-based Web Authentication 04 Nov 2016 3/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  4. Two-Factor Authentication 1st Factor 2nd Line of Defense against 2nd Factor Reused passwords Account or Personal Data Weak credentials or lacking 1st-factor policies Data breaches Phishing attacks . . . Image: https://www.google.com/landing/2step Outsourcing Phone-based Web Authentication 04 Nov 2016 4/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  5. Two-Factor Authentication Factors Something you know Unique tuple of username + password Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  6. Two-Factor Authentication Factors Something you know Unique tuple of username + password Something you have Personal device or smartphone app Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  7. Two-Factor Authentication Factors Something you know Unique tuple of username + password Something you have Personal device or smartphone app Something you are Fingerprint or retina scan Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  8. Two-Factor Authentication Factors Something you know Unique tuple of username + password Something you have Personal device or smartphone app Something you are Fingerprint or retina scan Someone you know [Brainard et al., 2006] Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  9. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  10. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Disadvantage: Difficult to implement from scratch = ⇒ outsourcing Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  11. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Disadvantage: Difficult to implement from scratch = ⇒ outsourcing Privacy? An honest-but-curious authentication provider potentially learns Usage statistics of users Usage statistics of service providers Relations of users to service providers Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  12. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Disadvantage: Difficult to implement from scratch = ⇒ outsourcing Privacy? An honest-but-curious authentication provider potentially learns Usage statistics of users Usage statistics of service providers Relations of users to service providers Goal of Passphone: Phone-based two-factor authentication scheme Outsource verification of 2nd factor while preserving privacy Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  13. Existing Phone-Based Two-Factor Authentication Schemes Time-based One-Time Passwords: Google 2-Step [Google, 2013] , Microsoft [Meisner, 2013] , Apple [Apple, 2016] , Facebook [Song, 2011] Cronto [VASCO, 2013] , Duo Mobile [Duo Security, 2016] Academia: SoundProof [Karapanos et al., 2015] : Avoided need for user interaction Shirvanian et al. [Shirvanian et al., 2014] : Resilience to off-line attacks PhoneAuth [Czeskis et al., 2012] MP-Auth [Mannan and van Oorschot, 2011] : No secret on device Tiqr [Van Rijswijk and Van Dijk, 2011] , Snap2Pass [Dodson et al., 2010] , QR-TAN [Starnberger et al., 2009] : QR-based PhoolProof [Parno et al., 2006] : Bookmark-based Outsourcing Phone-based Web Authentication 04 Nov 2016 7/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  14. Remarks Privacy-unaware users may be tracked down by other means: Users must avoid reuse or self-related credentials and mail addresses Users should hide their identity (e. g., use services like TOR) Base on TLS-secured connections Recommendations: Public-key pinning for Trusted Third Party Bind TLS connections to specific channel Goal: No additional angles for user profiling by second factor Outsourcing Phone-based Web Authentication 04 Nov 2016 8/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  15. Section 2 Passphone Protocols Outsourcing Phone-based Web Authentication 04 Nov 2016 9/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  16. Involved Parties T S Service provider Trusted Third T Party P User (prover) Prover’s telephone PT P S Prover’s mail box PM Outsourcing Phone-based Web Authentication 04 Nov 2016 10/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  17. Involved Parties T S Service provider Trusted Third T Party P User (prover) Prover’s telephone PT P S Prover’s mail box PM Assume: User has device PT and mail box PM under control Assume: TTP is honest (but curious) Encode protocol, step, version, and sender information in all messages Protocols: Registration, Activation, Authentication, Revocation, Rekeying Outsourcing Phone-based Web Authentication 04 Nov 2016 10/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  18. Passphone : Registration P ’s device PT generates and stores a key pair K public , K secret PT PT P T S Service provider ID X ID of X ( · ) X Signed by X Trusted Third Party Blinded ID of X E K �·� TLS-protected T h X P User (prover) Challenge of X N X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  19. Passphone : Registration P submits public key and a blinded ID h PT = Hash ( N PT ) to T � � K public (1) E K , ID P M , h P T P T P T S Service provider ID X ID of X ( · ) X Signed by X T Trusted Third Party h X Blinded ID of X E K �·� TLS-protected P User (prover) N X Challenge of X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  20. Passphone : Registration T sends challenge N T to P ’s mail account � � K public (1) E K , ID P M , h P T P T (2) X := ( N T ) T P T S Service provider ID X ID of X ( · ) X Signed by X T Trusted Third Party h X Blinded ID of X E K �·� TLS-protected P User (prover) N X Challenge of X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  21. Passphone : Registration P forwards challenge to PT � � K public (1) E K , ID P M , h P T P T (2) X := ( N T ) T (3) X P T S Service provider ID X ID of X ( · ) X Signed by X T Trusted Third Party h X Blinded ID of X E K �·� TLS-protected P User (prover) N X Challenge of X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one available tool in Mustangs diversified toolkit, but not an all encompassing primary strategy Outsourcing will be used when it makes sense

439 views • 8 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in Authentication Workshop (WAY) 2019 Nikita Samarin, Donald Sannella Traditional Passwords Most common mechanism of authenticating users online

251 views • 14 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a computationally weak client to outsource its computation to an untrusted server. = () Main security concerns: 1. Correctness:

377 views • 4 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Seeing is Believing: Proximity-based Authentication Peter Pilgerstorfer | | Peter

Seeing is Believing: Proximity-based Authentication Peter Pilgerstorfer | | Peter

Source: [5] Seeing is Believing: Proximity-based Authentication Peter Pilgerstorfer | | Peter Pilgerstorfer 03.03.2015 1 Motivation Pairing without user interaction Traditional authentication E.g. enter/confirm shared PIN

270 views • 26 slides
Outsourcing of Essential Customer Services to Off Shore Based Suppliers The CPA Australia

Outsourcing of Essential Customer Services to Off Shore Based Suppliers The CPA Australia

Outsourcing of Essential Customer Services to Off Shore Based Suppliers The CPA Australia Experience Tony Gleeson Executive General Manager CIPSA / SCLAA Event Thursday 14 th April 2011 CPA Australia + 125 year old membership body for

326 views • 17 slides
Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak Authentication Protocols Prover Verifier HB-style authentication shared AES key K protocols

563 views • 22 slides
Secure SDN Authentication &amp; Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication &amp; Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication &amp; Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Real Parameterized and 2 Order Complexity Theory: Order Complexity Theory: From Computability in

Real Parameterized and 2 Order Complexity Theory: Order Complexity Theory: From Computability in

Real Parameterized and 2 nd nd Real Parameterized and 2 Order Complexity Theory: Order Complexity Theory: From Computability in Analysis From Computability in Analysis to Numerical Practice to Numerical Practice Martin Ziegler Martin

414 views • 20 slides
An early completion algorithm: Axel Thues 1914 paper on the transformation of symbol sequences

An early completion algorithm: Axel Thues 1914 paper on the transformation of symbol sequences

Axel Thues 1914 paper: An early completion algorithm: Axel Thues 1914 paper on the transformation of symbol sequences James Power Department of Computer Science, National University of Ireland Maynooth CiE, June 24, 2014 James Power,

912 views • 68 slides
Growing Sand Piles on a table with side walls. Luigi De Pascale (Pisa, Italy), Chlo Jimenez

Growing Sand Piles on a table with side walls. Luigi De Pascale (Pisa, Italy), Chlo Jimenez

Introduction Optimal transport at a.e. t Discrete source: f = k j = 1 c j yj More general source: f M + () Growing Sand Piles on a table with side walls. Luigi De Pascale (Pisa, Italy), Chlo Jimenez (Brest, France). Optimal

699 views • 42 slides
Mod elisation et m ethodes num eriques pour l etude du transport de particules dans

Mod elisation et m ethodes num eriques pour l etude du transport de particules dans

Mod elisation et m ethodes num eriques pour l etude du transport de particules dans un plasma S ebastien Guisset Soutenance de th` ese de lUniversit e de Bordeaux Talence, le 23 Septembre 2016 Directeur de th` ese :

874 views • 55 slides
Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grgoire

Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grgoire

Computer-aided cryptographic proofs and designs Gilles Barthe (IMDEA, Spain) Benjamin Grgoire (INRIA Sophia Antipolis, France) Juan Manuel Crespo (IMDEA, Spain) Francois Dupressoir (IMDEA, Spain) Csar Kunz (IMDEA/U. Politecnica Madrid,

815 views • 44 slides
Good Societies Index 2012 Comparing Quality of Life in Relatively Wealthy Societies Ron Anderson

Good Societies Index 2012 Comparing Quality of Life in Relatively Wealthy Societies Ron Anderson

4/18/2012 Good Societies Index 2012 Comparing Quality of Life in Relatively Wealthy Societies Ron Anderson University of Minnesota rea@umn.edu Revised 4/13/12 from a Presentation at the International Society for Quality of Life Studies

591 views • 32 slides
Exploring the uses of ICT in education: A national survey study Robert A.P. REUTER 1 , Gilbert

Exploring the uses of ICT in education: A national survey study Robert A.P. REUTER 1 , Gilbert

Exploring the uses of ICT in education: A national survey study Robert A.P. REUTER 1 , Gilbert BUSANA 1 &amp; Serge LINCKELS 2 1 Universit du Luxembourg 2 Ministre de lEducation nationale, de lEnfance et de la Jeunesse @bobreuter //

1.01k views • 57 slides
Nonnegative matrix factorization and applications in audio signal processing C edric F

Nonnegative matrix factorization and applications in audio signal processing C edric F

Nonnegative matrix factorization and applications in audio signal processing C edric F evotte Laboratoire Lagrange, Nice Machine Learning Crash Course Genova, June 2015 1 Outline Generalities Matrix factorisation models Nonnegative

581 views • 42 slides

More recommend