Web Authentication using Third-parties in Untrusted Environments - - PowerPoint PPT Presentation



SLIDE 1

Web Authentication using Third-parties in Untrusted Environments

Anna Vapen
PhD Thesis Presentation, 2016-09-30
Supervisors: Nahid Shahmehri, Niklas Carlsson

SLIDE 3

Agenda

1. Background
2. Research problems
3. Analysis
    – Web authentication and untrusted computers
    – The third-party authentication landscape
    – Third-parties and privacy risks
4. Contributions

SLIDE 4

Background

SLIDE 5

Web Authentication

  • Method to prove that you are a specific person
  • Personal web experience
    – User accounts require authentication

Example: Signing in to Google with username and password

SLIDE 6

Password Challenges

  • Most common web authentication method
  • Simple setup
  • Replay attacks
  • Forgotten by the user
  • Reused on several sites
  • Written down
  • Alternative methods
  • Time consuming
  • Additional equipment

SLIDE 7

Mobile Users and Untrusted Environments

  • Mobile users
    – Different devices
    – Different places
  • Untrusted environments
    – Infected computer
    – Untrusted WiFi network

SLIDE 8

Third-party Web Authentication

  • Use an IDP (identity provider) account to access many RPs (relying parties)
  • Fewer logins – simplify authentication
  • Information sharing between websites
    – Privacy leaks!

SLIDE 9

Third-party Authentication Scenario

[Figure labels: Relying party (RP); Identity provider (IDP); Redirect; Logged in]

SLIDE 10

Research Problems

SLIDE 11

Research Problems

1. Web authentication
    – For mobile users in untrusted environments?
2. Third-party authentication
    – Usage over time?
    – How to measure?
3. Privacy risks
    – Information flows between parties?

SLIDE 12

Web Authentication and Untrusted Computers

SLIDE 13

Mobile Phones as Authentication Devices

  • Strong authentication
  • Carried by the user
  • Security problems
  • Comparing solutions?

SLIDE 14

Design and Evaluation Method

  • Design
    – Select requirements
    – Get design suggestions
  • Evaluation
    – Start with an existing design
    – Get a security rating of the design

[Figure labels: Login; Security rating; Requirements]

Requirements

  • Security
  • Availability

PrimeLife’11

SLIDE 15

Optical Authentication Proof-of-Concept

(1) Challenge barcode shown on screen
(2) Take a picture of the challenge
(3) Response generated
(4) Show response to webcam

Logged in!

IJMCMC’11

SLIDE 16

The Third-party Authentication Landscape

SLIDE 17

Data Collection

  • Popularity-based logarithmic sampling
    – 80,000 points uniformly on a logarithmic range
    – Pareto-like distribution
    – Capturing data from different popularity segments

[Figure labels: 1 million most popular websites; Sampled websites]

PAM’14
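The sampling idea on this slide, as an added example that is not taken from the thesis or the PAM'14 paper: draw 80,000 points uniformly on a log scale over ranks 1 to 1,000,000 and see how each popularity segment is covered. The assumptions are that a point is floored to an integer rank, that duplicate ranks are merged, and that the seed and function names are illustrative.

```python
import math
import random
from collections import Counter

def log_uniform_ranks(n_points, max_rank, seed=2014):
    """Draw n_points log-uniformly over [1, max_rank]; return the unique ranks hit."""
    rng = random.Random(seed)          # fixed seed: reproducible sample (assumption)
    log_max = math.log10(max_rank)
    ranks = set()
    for _ in range(n_points):
        rank = int(10 ** rng.uniform(0.0, log_max))   # floor to an integer rank
        ranks.add(min(max(rank, 1), max_rank))
    return ranks

def per_decade(ranks):
    """Unique sampled ranks per popularity decade: 0 -> ranks 1-9, 1 -> 10-99, ..."""
    return Counter(len(str(r)) - 1 for r in ranks)

def coverage(ranks, max_rank):
    """Fraction of each decade's sites that ended up in the sample."""
    out = {}
    for decade, hit in sorted(per_decade(ranks).items()):
        lo, hi = 10 ** decade, min(10 ** (decade + 1) - 1, max_rank)
        out[decade] = hit / (hi - lo + 1)
    return out

if __name__ == "__main__":
    sample = log_uniform_ranks(80_000, 1_000_000)
    print("unique sites sampled:", len(sample))
    counts = per_decade(sample)
    for decade, frac in coverage(sample, 1_000_000).items():
        print(f"ranks from 10^{decade}: {counts[decade]:>6} sites, {frac:.1%} of segment")
```

Each decade receives roughly the same number of draws, so the most popular sites are covered completely while the long tail is covered thinly.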

SLIDE 18

Large-scale Crawling

  • Selenium-based crawling and relationship identification
  • Able to process Web 2.0 sites with interactive elements
  • Low number of false positives
  • Validation with semi-manual classification and text-matching

[Figure labels: 1 mil; Sampled websites; Crawl sites to depth 2]

PAM’14

SLIDE 19

Collected Data

  • 25 million analyzed links
  • 3 329 unique relationships
  • 50 IDPs and 1 865 RPs
  • WHOIS, server location, and audience location
  • Total site size and number of links and objects
  • 1.6 terabyte analyzed data

PAM’14, IC’16

SLIDE 20

IDPs vs Content Sharing Services

Content sharing: Importing images, scripts etc. from other sites (third-party content providers)

IDPs are selected locally, in contrast to content services.

PAM’14

SLIDE 21

Service-based Analysis of RPs

[Figure: service categories: Social/portal; News; Tech; Video; Info; File sharing; Commerce; Ad services, CDNs. Annotations: Likely to be IDPs; Early adopters, using several IDPs; Using social/portal IDPs]

Manual analysis: Top 200 websites in April 2012

PAM’14

SLIDE 22

Third-parties and Privacy Risks

SLIDE 23

App Rights and Information Flows

[Figure: app rights example between IDP and RP]

Actions: Write, Update/remove, Read

SEC’15, UEOP’16

SLIDE 24

Our Studies on Privacy Risks

  • Categorization app-rights data
    – Manual study on the top 200 most popular websites
    – Longitudinal approach: three years
  • Targeted login tests
  • Privacy risk categorization
    – Data types in app rights
    – Combinations of types

SLIDE 25

Protocol Selection

  • OpenID
    – Authentication protocol
    – Decreasing in popularity
  • OAuth
    – RP may use actions on IDP
    – Rich user data is shared
    – Increasingly popular

[Figure: April 2012 vs. Sept 2014; legend: OAuth, OpenID, Both; labels: 11%, +24%]

SEC’15, UEOP’16

SLIDE 26

IDP Selection

  • Top 200 April 2012: 69 RPs and 180 relationships
  • Same sites, April 2015: +15 RPs and +33 relationships
  • 75% of these RPs are selecting all their IDPs from the top 5 most popular IDPs

[Figure: Top IDPs: + 37% + 19% + 12%]

SEC’15, UEOP’16

SLIDE 27

Risk Types

Facebook, Twitter and Google:

  • Only a few relationships in the most privacy preserving category
  • 2+ IDPs: More than half are using actions
    – Dangerous when having several IDPs
    – Potential multi-hop leakage

[Figure label: 2+ IDPs, 51% actions]

SEC’15

SLIDE 28

Multi-account Information Risks

  • Cross account leakage
  • Unwanted combinations of conflicting information
  • RPs handle multi-IDP usage badly

[Figure: Connecting several IDPs to an RP; labels: IDP 1, IDP 2, RP, "This is me!", Private photos]

SEC’15

SLIDE 29

Structures in the RP-IDP Landscape

Hybrid case

  • Hybrids are both RP and IDP

[Figure labels: IDP, HY, RP; Hybrid: RP and IDP]

High-degree IDP case

  • IDP having many RPs
  • Top IDPs

[Figure labels: IDP, RP1, RP2]

High-degree RP case

  • RP having many IDPs
  • Specialized IDPs

[Figure labels: IDP1, IDP2, RP]

UEOP’16

SLIDE 30

RP-to-RP Leakage Example

RP-to-RP leaks per IDP; columns: February 2014 (All, Severe), April 2015 (All, Severe)

  Facebook: 645, 150, 473, 66
  Twitter: 110, 110, 110, 110
  Google: 91, 91

[Figure labels: IDP, RP1, RP2, RP-to-RP]

  • Potential RP-to-RP leaks
    – Data posted to IDP from RP1
    – Data read from IDP to RP2

Dataset with 44 RPs using Facebook, 14 using Twitter and 12 using Google

UEOP’16
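How potential RP-to-RP leaks (this slide) and multi-hop leakage across several IDPs (the Risk Types slide) can be enumerated from app-rights data, as an added example that is not code from the thesis or its papers. The RP names, the IDP labels and the rights table are constructed, only the Write and Read actions are modeled, and no "severe" classification is attempted because the slides do not define it.

```python
from collections import defaultdict, deque

# Constructed sample: (RP, IDP) -> actions the RP's app is granted at that IDP.
APP_RIGHTS = {
    ("news.example", "IDP-A"): {"read", "write"},
    ("photos.example", "IDP-A"): {"read"},
    ("photos.example", "IDP-B"): {"write"},
    ("shop.example", "IDP-B"): {"read"},
    ("blog.example", "IDP-B"): {"write"},
}

def direct_leaks(rights):
    """(RP1, IDP, RP2) triples: RP1 may post to the IDP and RP2 may read from it."""
    writers, readers = defaultdict(set), defaultdict(set)
    for (rp, idp), actions in rights.items():
        if "write" in actions:
            writers[idp].add(rp)
        if "read" in actions:
            readers[idp].add(rp)
    return sorted((w, idp, r) for idp in writers
                  for w in writers[idp] for r in readers[idp] if r != w)

def reachable_rps(rights, source):
    """RPs that data posted by `source` could reach, mapped to the number of IDPs crossed."""
    graph = defaultdict(set)           # RP -> IDP on write, IDP -> RP on read
    for (rp, idp), actions in rights.items():
        if "write" in actions:
            graph[rp].add(idp)
        if "read" in actions:
            graph[idp].add(rp)
    rps = {rp for rp, _ in rights}
    dist, queue, reached = {source: 0}, deque([source]), {}
    while queue:
        node = queue.popleft()
        for nxt in graph[node]:
            if nxt not in dist:
                dist[nxt] = dist[node] + 1
                queue.append(nxt)
                if nxt in rps:
                    reached[nxt] = dist[nxt] // 2   # two edges per IDP crossed
    return reached

if __name__ == "__main__":
    for leak in direct_leaks(APP_RIGHTS):
        print("direct:", leak)
    print("from news.example:", reachable_rps(APP_RIGHTS, "news.example"))
```

In the constructed data, photos.example reads from one IDP and writes to another, so content posted by news.example can reach shop.example after crossing two IDPs even though the two sites share none.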

SLIDE 31

Contributions

SLIDE 32

Contributions

  • Design and evaluation method
  • Large-scale RP-IDP measurements
    – Novel measurement method
    – Categorization of RP-IDP relationships
  • Privacy risks and information sharing
    – Protocol analysis
    – Structural properties

SLIDE 33

Web Authentication using Third-parties in Untrusted Environments
Anna Vapen

Papers included in this thesis:

  • Security Levels for Web Authentication using Mobile Phones, PrimeLife'11
  • 2-clickAuth - Optical Challenge-Response Authentication using Mobile Handsets, IJMCMC'11
  • Third-party Identity Management Usage on the Web, PAM'14
  • A Look at the Third-Party Identity Management Landscape, IC'16
  • Information Sharing and User Privacy in the Third-party Identity Management Landscape, SEC'15
  • Longitudinal Analysis of the Third-party Authentication Landscape, UEOP'16