web authentication
play

Web Authentication using Third-parties in Untrusted Environments - PowerPoint PPT Presentation

Oct 19, 2022 •266 likes •607 views

Web Authentication using Third-parties in Untrusted Environments Anna Vapen PhD Thesis Presentation 2016-09-30 Supervisors: Nahid Shahmehri, Niklas Carlsson ***** 3 Agenda 1. Background 2. Research problems 3. Analysis Web

  1. Web Authentication using Third-parties in Untrusted Environments Anna Vapen PhD Thesis Presentation 2016-09-30 Supervisors: Nahid Shahmehri, Niklas Carlsson

  2. *****

  3. 3 Agenda 1. Background 2. Research problems 3. Analysis Web authentication and untrusted computers – The third-party authentication landscape – Third-parties and privacy risks – 4. Contributions

  4. 4 **** Background

  5. Background 5 Web Authentication • Method to prove that you are a specific person Personal web experience • – User accounts require authentication Example: Signing in to Google with username and password

  6. Background 6 Password Challenges Most common web authentication method Simple setup Reused on several sites Written down Alternative methods Time consuming Replay attacks Additional equipment Forgotten by the user

  7. Background 7 Mobile Users and Untrusted Environments • Mobile users • Untrusted environments – Different devices – Infected computer – Different places – Untrusted WiFi network

  8. Background 8 Third-party Web Authentication • Use an IDP (identity provider) account to access many RPs (relying parties) Fewer logins – simplify authentication • • Information sharing between websites – Privacy leaks!

  9. Background 9 Third-party Authentication Scenario Identity provider (IDP) Redirect Logged in Relying party (RP)

  10. 10 Research Problems

  11. Research problems 11 Research Problems 1. Web authentication – For mobile users in untrusted environments? 2. Third-party authentication – Usage over time? – How to measure? 3. Privacy risks – Information flows between parties?

  12. 12 Web Authentication and Untrusted Computers

  13. Web authentication 13 Mobile Phones as Authentication Devices Security problems Strong authentication Comparing solutions? Carried by the user

  14. Web authentication Design and Evaluation Method • Design Requirements • Security – Select requirements Login • Availability – Get design suggestions • … • Evaluation Login Security – Start with an existing design rating – Get a security rating of the design PrimeLife’11

  15. Web authentication Optical Authentication Proof-of-Concept (3) Response generated (1) Challenge barcode Logged in! shown on screen (2) Take a picture of the challenge (4) Show response to webcam IJMCMC’11

  16. 16 The Third-party Authentication Landscape

  17. 3 rd -party authentication 17 Data Collection • Popularity-based logarithmic sampling – 80,000 points uniformly on a logarithmic range – Pareto-like distribution – Capturing data from different popularity segments 1 million Sampled most websites popular websites PAM’14

  18. 3 rd -party authentication 18 Large-scale Crawling • Selenium-based crawling and relationship identification • Able to process Web 2.0 sites with interactive elements Low number of false positives • • Validation with semi-manual classification and text- matching Sampled Crawl sites to websites depth 2 1 mil PAM’14

  19. 3 rd -party authentication 19 Collected Data 1.6 terabyte 25 million analyzed data analyzed links 3 329 unique relationships 50 IDPs and 1 865 RPs WHOIS, server location, and audience location Total site size and number of links and objects PAM’14, IC’16

  20. 3 rd -party authentication 20 IDPs vs Content Sharing Services Content sharing: Importing images, scripts etc. from other sites (third-party content providers) IDPs are selected locally, in contrast to content services. PAM’14

  21. 3 rd -party authentication 21 Service-based Analysis of RPs Commerce Likely to be IDPs Video Early adopters, using several IDPs Manual analysis: Top 200 websites Tech Social/portal in April 2012 File sharing News Info Ad services, CDNs Using social/portal IDPs PAM’14

  22. 22 Third-parties and Privacy Risks

  23. Privacy risks 23 App Rights and Information Flows IDP Read Actions : Write RP Update/remove App rights example SEC’15, UEOP’16

  24. Privacy risks 24 Our Studies on Privacy Risks • Categorization app-rights data – Manual study on the top 200 most popular websites – Longitudinal approach: three years • Targeted login tests Privacy risk categorization • – Data types in app rights – Combinations of types

  25. Privacy risks 25 Protocol Selection • OpenID April 2012 vs. – Authentication protocol Sept 2014 – Decreasing in popularity OAuth -11% • OAuth +24% OpenID – RP may use actions on IDP Both – Rich user data is shared – Increasingly popular SEC’15, UEOP’16

  26. Privacy risks 26 IDP Selection • Top 200 April 2012: 69 RPs and 180 relationships • Same sites, April 2015: +15 RPs and +33 relationships 75% of these RPs are selecting all their IDPs from the top • 5 most popular IDPs + 37% + 19% Top IDPs: + 12% SEC’15, UEOP’16

  27. Privacy risks 27 Risk Types Facebook, Twitter and Google: 2+ IDPs • Only a few relationships in the most privacy preserving category 51% actions • 2+ IDPs: More than half are using actions – Dangerous when having several IDPs – Potential multi-hop leakage SEC’15

  28. Privacy risks 28 Multi-account Information Risks • Cross account leakage IDP IDP • Unwanted 2 1 combinations of conflicting information This is me! • RPs handle multi-IDP Private usage badly photos RP Connecting several IDPs to an RP SEC’15

  29. Privacy risks 29 Structures in the RP-IDP Landscape IDP IDP IDP 1 IDP 2 Hybrid: HY RP and IDP RP 1 RP 2 RP RP High-degree IDP case High-degree RP case • • IDP having many RPs RP having many IDPs Hybrid case • • Top IDPs Specialized IDPs • Hybrids are both RP and IDP UEOP’16

  30. Privacy risks 30 RP-to-RP Leakage Example RP-to-RP leaks February 2014 April 2015 IDP IDP All Severe All Severe Facebook 645 150 473 66 Twitter 110 110 110 110 RP 1 RP 2 Google 91 0 91 0 Dataset with 44 RPs using Facebook, 14 using Twitter RP-to-RP and 12 using Google • Potential RP-to-RP leaks – Data posted to IDP from RP1 – Data read from IDP to RP2 UEOP’16

  31. 31 Contributions

  32. Contributions 32 Contributions • Design and evaluation method • Large-scale RP-IDP measurements – Novel measurement method – Categorization of RP-IDP relationships Privacy risks and information sharing • – Protocol analysis – Structural properties

  33. Web Authentication using Third-parties in Untrusted Environments Anna Vapen Papers included in this thesis: • Security Levels for Web Authentication using Mobile Phones, PrimeLife'11 • 2-clickAuth - Optical Challenge-Response Authentication using Mobile Handsets, IJMCMC'11 • Third-party Identity Management Usage on the Web, PAM'14 • A Look at the Third-Party Identity Management Landscape, IC'16 • Information Sharing and User Privacy in the Third-party Identity Management Landscape, SEC'15 • Longitudinal Analysis of the Third-party Authentication Landscape, UEOP'16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch

The Authentication Jungle An overview of all sorts of authentication technologies Karol Babioch Security Engineer kbabioch@suse.de New authentication standards ... 2 Some authentication technologies ... 3 - Authentication theory -

1.28k views • 88 slides
Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239

Outline Introduction Authentication Basic authentication mechanisms CS 239 Authentication on a single machine Computer Security Authentication across a network February 21, 2007 Lecture 9 Lecture 9 Page 1 Page 2 CS 236,

302 views • 8 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication

THE STATE OF AUTHENTICATION Chad Spensky Allthenticate OUTLINE Who am I? Authentication overview Current state of Authentication The future of authentication MY JOURNEY 2012-2015 2004-2011 2015-Present 1998-2004 Staff at MIT

453 views • 34 slides
User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication

User Authentication Passport Jason Situ Passport What is it? Passport is authentication middleware for Node. It is designed to serve a singular purpose: authenticate requests. Supports a comprehensive set of authentication mechanisms called

808 views • 16 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy

Yubikey Discovery and fjrst use of Yubico's Yubikey Presented by : Maxime de Roucy mderoucy@linagora.com http:// dokuwiki. craoc.fr/ About myself (really quick I promise) Job Technical Account Manager OSSA Open Source

279 views • 17 slides
Wireless Network Security Vedavyas Duggirala CS 6204, Spring 2005 1 Wireless Devices - Benefits

Wireless Network Security Vedavyas Duggirala CS 6204, Spring 2005 1 Wireless Devices - Benefits

Wireless Network Security Vedavyas Duggirala CS 6204, Spring 2005 1 Wireless Devices - Benefits and Risks Benefits Risks Allow Mobility Suffers from all the risks of wired networks Greater flexibility, efficiency and

623 views • 27 slides
Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf

Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf

Attacking RO-PUFs with Enhanced Challenge-Response Pairs Nils Wisiol and Marian Margraf {firstname.lastname}@fu-berlin.de 1. Physically Unclonable Functions 2. Ring Oscillator PUF with Enhanced Outline Challenge-Response Pairs 3.

197 views • 19 slides
Hardware Security Chester Rebeiro IIT Madras 1 Physically Unclonable Functions Physical

Hardware Security Chester Rebeiro IIT Madras 1 Physically Unclonable Functions Physical

Hardware Security Chester Rebeiro IIT Madras 1 Physically Unclonable Functions Physical Unclonable Func1ons and Applica1ons: A Tutorial h8p://ieeexplore.ieee.org/document/6823677/ Edge Devices 1000s of them expected to be deployed Low power

1.06k views • 71 slides
CAPTCHAs: The Good, the Bad, and the Ugly ISSE-GI SICHERHEIT 2010 Paul Baecher*, Marc Fischlin*,

CAPTCHAs: The Good, the Bad, and the Ugly ISSE-GI SICHERHEIT 2010 Paul Baecher*, Marc Fischlin*,

CAPTCHAs: The Good, the Bad, and the Ugly ISSE-GI SICHERHEIT 2010 Paul Baecher*, Marc Fischlin*, Lior Gordon, Robert Langenberg, Michael Ltzow, Dominique Schrder* * TU Darmstadt, supported by DFG Emmy Noether Program October 7, 2010 | 1

573 views • 21 slides
Datagram Transport Layer Security in Constrained Environments draft-hartke-core-codtls-01 Klaus

Datagram Transport Layer Security in Constrained Environments draft-hartke-core-codtls-01 Klaus

Datagram Transport Layer Security in Constrained Environments draft-hartke-core-codtls-01 Klaus Hartke Olaf Bergmann Datagram Transport Layer Security in Constrained Environments Smart Objects: want the security that DTLS provides

452 views • 18 slides
The Design and Implementation of Protocol- Based Hidden Key Recovery Eu-Jin Goh, S tanford Dan

The Design and Implementation of Protocol- Based Hidden Key Recovery Eu-Jin Goh, S tanford Dan

The Design and Implementation of Protocol- Based Hidden Key Recovery Eu-Jin Goh, S tanford Dan Boneh, S tanford Philippe Golle, PARC Benny Pinkas, HP Labs Our contribution A key recovery syst em which is Hidden Unfilterable

594 views • 22 slides
Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control

Yasser F. O. Mohammad REMIDER 1: IPSec Uses REMINDER 2: IPSec Services Access control Connectionless integrity Data origin authentication Rejection of replayed packets a form of partial sequence integrity Confidentiality

818 views • 37 slides

More recommend