
“Guess Who?” Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication (PowerPoint PPT Presentation)



  1. “Guess Who?” Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication
     IMIS 2020, July 1, 2020
     Nampoina Andriamilanto, Tristan Allard, Gaëtan Le Guelvouit

  2. Web Authentication
     ◆ Passwords suffer from flaws
       – Dictionary attacks: common passwords [5] or reuse [14]
       – Phishing attacks: 12.4 million stolen credentials [12]
     ◆ Leading to multi-factor authentication
     Public distribution

  3. Web Authentication by Browser Fingerprinting
     ◆ Browser fingerprinting
       – Collection of browser attributes
       – Depending on the web environment
     ◆ Use for web authentication

  4. Motivation
     ◆ No large-scale study on browser fingerprints for authentication
       – Large fingerprint sets, but fewer than 30 attributes [4, 11, 15]
       – More than 30 attributes, but fewer than 2,000 users [8, 17]
     ◆ Previous works focus on
       – Authentication mechanism designs [6, 10, 16]
       – Efficacy for web tracking [4, 11, 13, 15, 17]
     ◆ Existing tools lack documentation
       – Examples are MicroFocus¹ or SecureAuth²
     1 - https://www.netiq.com/documentation/access-manager-44/admin/data/how-df-works.html
     2 - https://docs.secureauth.com/pages/viewpage.action?pageId=33063454

  5. Authentication Factor Properties
     Institute of Research and Technology, b-com.com

  6. Similarity with Biometric Factors
     ◆ Similarity with biometric factors
       – Extraction of features from an entity
       – Recognition of the entity
       – Imperfections due to digitalization
     ◆ Properties identified by previous works [1, 2, 3]

  7. Authentication Factor Properties
     ◆ Properties to be usable
       – Universality
       – Distinctiveness
       – Stability
       – Collectibility
     ◆ Properties to be practical
       – Performance
       – Acceptability
       – Circumvention

  8. Authentication Factor Properties
     ◆ Properties to be usable
       – Universality
       – Distinctiveness
       – Stability
       – Collectibility
     ◆ Properties to be practical
       – Performance
       – Acceptability³
       – Circumvention [16]
     3 - https://support.google.com/accounts/answer/1144110

  9. Notation
     ◆ Fingerprint domain $F$
       – Considering $n$ attributes, with $V_x$ the domain of the attribute $x$:
         $F = \{ (v_1, \dots, v_n) \mid v_x \in V_x \}$
     ◆ Fingerprint dataset $D$
       – Fingerprint $f$ was collected from the browser $b$ at the moment $t$
       – With $B$ the browser population and $T$ the time domain:
         $D = \{ (f, b, t) \mid f \in F,\ b \in B,\ t \in T \}$

  10. Distinctiveness
     ◆ Distinctiveness: are two different browsers distinguishable?
       – $B(f, D)$: the browsers sharing the fingerprint $f$ in the dataset $D$
         $B(f, D) = \{ b \in B \mid (g, b, t) \in D,\ f = g \}$
     ◆ Size of the anonymity sets
       – $A(s, D)$: the fingerprints in an anonymity set of size $s$
         $A(s, D) = \{ f \in F \mid \mathrm{card}(B(f, D)) = s \}$

  11. Stability
     ◆ Stability: can a browser be recognized through time?
     ◆ Example of consecutive fingerprints
       – Fingerprints: $\{ (f_1, b, t_1), (f_2, b, t_2), (f_3, b, t_3) \}$
       – Consecutive fingerprints: $\{ (f_1, f_2), (f_2, f_3) \}$
     ◆ Stability measure
       – Grouped by the elapsed time
       – Similarity: proportion of identical attributes
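The notation of slide 9 and the distinctiveness and stability measures of slides 10 and 11, worked through in Python as an added example (this is not code from the paper or its authors). The attribute list, the dataset D and the hour-based time buckets are constructed here for illustration; the slides do not state the authors' attribute set, bucket widths or exact unicity formula, so the unicity function below (share of distinct fingerprints that belong to exactly one browser) is an assumption.

```python
from collections import defaultdict
from statistics import mean

# A fingerprint is a tuple of attribute values in a fixed attribute order,
# so it is hashable and two fingerprints compare attribute by attribute.
# Constructed attribute list (assumption, not the paper's 262 attributes).
ATTRIBUTES = ("user_agent", "language", "timezone", "canvas_hash")


def fp(*values):
    """Build a fingerprint f in F from one value per attribute."""
    assert len(values) == len(ATTRIBUTES)
    return tuple(values)


# Constructed sample dataset D of records (f, b, t); t is in hours since
# the start of the collection experiment.
D = [
    (fp("UA-A", "fr", "UTC+1", "c1"), "b1", 0),
    (fp("UA-A", "fr", "UTC+1", "c1"), "b1", 24),
    (fp("UA-A2", "fr", "UTC+1", "c1"), "b1", 240),  # browser update changed the user agent
    (fp("UA-B", "en", "UTC+0", "c2"), "b2", 0),
    (fp("UA-B", "en", "UTC+0", "c2"), "b2", 48),
    (fp("UA-C", "fr", "UTC+1", "c3"), "b3", 0),
    (fp("UA-C", "fr", "UTC+1", "c3"), "b4", 12),    # b3 and b4 share one fingerprint
    (fp("UA-C", "fr", "UTC+2", "c3"), "b4", 100),   # b4 travelled: timezone changed
]


def browsers_sharing(f, dataset):
    """B(f, D): the set of browsers that presented the fingerprint f."""
    return {b for (g, b, _t) in dataset if g == f}


def anonymity_set(size, dataset):
    """A(s, D): the distinct fingerprints shared by exactly `size` browsers."""
    distinct = {g for (g, _b, _t) in dataset}
    return {g for g in distinct if len(browsers_sharing(g, dataset)) == size}


def unicity(dataset):
    """Share of distinct fingerprints in an anonymity set of size 1 (assumed definition)."""
    distinct = {g for (g, _b, _t) in dataset}
    return len(anonymity_set(1, dataset)) / len(distinct)


def similarity(f, g):
    """Stability measure of slide 11: proportion of attributes with identical values."""
    return sum(x == y for x, y in zip(f, g)) / len(ATTRIBUTES)


def consecutive_pairs(dataset):
    """Yield (f_i, f_{i+1}, elapsed) for the time-ordered records of each browser."""
    by_browser = defaultdict(list)
    for f, b, t in dataset:
        by_browser[b].append((t, f))
    for records in by_browser.values():
        records.sort()  # order each browser's fingerprints by collection time
        for (t1, f1), (t2, f2) in zip(records, records[1:]):
            yield f1, f2, t2 - t1


def stability_by_elapsed(dataset, bucket_hours=72):
    """Mean similarity of consecutive fingerprints, grouped by elapsed-time bucket
    (bucket key = start of the bucket in hours)."""
    buckets = defaultdict(list)
    for f1, f2, elapsed in consecutive_pairs(dataset):
        buckets[elapsed // bucket_hours * bucket_hours].append(similarity(f1, f2))
    return {start: mean(sims) for start, sims in sorted(buckets.items())}


if __name__ == "__main__":
    print("browsers sharing b3's fingerprint:", browsers_sharing(D[5][0], D))
    print("anonymity sets of size 2:", anonymity_set(2, D))
    print("unicity:", unicity(D))
    print("stability by elapsed time:", stability_by_elapsed(D))
```

On the constructed data the single shared fingerprint (browsers b3 and b4) gives a unicity of 0.8, and the stability grouping shows what slide 11 measures: pairs collected a day or two apart are identical, while the pairs separated by a browser update or a timezone change keep 3 of 4 attributes. Note that a browser with a single record (b3) contributes nothing to the stability measure, which is why the collection period matters for that analysis.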

  12. Performance
     ◆ Collection time
       – Over the JavaScript attributes
     ◆ Size
       – Only the canvases are hashed
     ◆ Loss of efficacy
       – Through time: over the six months [9]
       – Through space: over the device types [7, 11]

  13. Results

  14. Large-scale Fingerprint Dataset
     ◆ Fingerprint collection experiment
       – Probe on two web pages
       – Industrial partner (top 15 French websites⁴)

                         Panopticlick [4]  AmIUnique [11]  Hiding in the Crowd [13]  Long-Term Observation [17]  This study
     Collection period   3 weeks           3-4 months      6 months                  3 years                     6 months
     Attributes          8                 17              17                        305                         262
     Fingerprints        470,161           118,934         2,067,942                 88,088                      4,145,408
     Browsers            -                 -               -                         -                           1,989,365
     Unicity             0.836             0.894           0.336                     0.954 – 0.958               0.818

     4 - https://www.alexa.com/topsites/countries/FR

  15. Fingerprints Distinctiveness
     ◆ >80% of the fingerprints are unique
     ◆ >94% are shared by ≤ 8 browsers

  16. Fingerprints Distinctiveness per Device Type
     ◆ 84% of desktop fingerprints are unique
     ◆ 42% for the mobile browsers

  17. Fingerprints Stability
     ◆ On average, 90% of the attributes stay identical
     ◆ Mobile fingerprints are generally more stable

  18. Fingerprints Collection Time
     ◆ Median collection time of 2.92 seconds
     ◆ Mobile fingerprints generally take more time

  19. Fingerprints Size
     ◆ Median size of 7,550 bytes
     ◆ Mobile fingerprints are generally lighter

  20. Conclusion

  21. Conclusion
     ◆ Our fingerprints
       – Are mostly unique (>80%)
       – Are stable (>90% identical attributes)
       – Only weigh a dozen kilobytes
       – Are collected in seconds
     ◆ Our fingerprints of mobile browsers
       – Show a loss of distinctiveness
       – Are generally more stable and lighter, but longer to collect
     ◆ Promising additional web authentication factor

  22. Thank You
     Any questions?
     tompoariniaina.andriamilanto@b-com.com

  23. References

  24. References I
     1. Davide Maltoni, Dario Maio, Anil K. Jain, and Salil Prabhakar. Handbook of Fingerprint Recognition. 1st ed., 2003. https://doi.org/10.1007/b97303.
     2. Vasilios Zorkadis and P. Donos. “On Biometrics-based Authentication and Identification from a Privacy-protection Perspective: Deriving Privacy-enhancing Requirements.” Information Management & Computer Security 12, no. 1 (January 1, 2004): 125–37. https://doi.org/10.1108/09685220410518883.
     3. Marco Gamassi, Massimo Lazzaroni, Mauro Misino, Vincenzo Piuri, Daniele Sana, and Fabio Scotti. “Quality Assessment of Biometric Systems: A Comprehensive Perspective Based on Accuracy and Performance Measurement.” IEEE Transactions on Instrumentation and Measurement 54, no. 4 (August 2005): 1489–1496. https://doi.org/10.1109/TIM.2005.851087.
     4. Peter Eckersley. “How Unique Is Your Web Browser?” In International Conference on Privacy Enhancing Technologies (PETS), 1–18, 2010. https://doi.org/10.1007/978-3-642-14527-8_1.

  25. References II
     5. Joseph Bonneau. “The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords.” In IEEE Symposium on Security and Privacy (S&P), 538–52, 2012. https://doi.org/10.1109/SP.2012.49.
     6. Thomas Unger, Martin Mulazzani, Dominik Frühwirt, Markus Huber, Sebastian Schrittwieser, and Edgar Weippl. “SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting.” In International Conference on Availability, Reliability and Security (ARES), 255–61, 2013. https://doi.org/10.1109/ARES.2013.33.
     7. Jan Spooren, Davy Preuveneers, and Wouter Joosen. “Mobile Device Fingerprinting Considered Harmful for Risk-Based Authentication.” In European Workshop on System Security (EuroSec), 6:1–6:6, 2015. https://doi.org/10.1145/2751323.2751329.
     8. Amin Faiz Khademi, Mohammad Zulkernine, and Komminist Weldemariam. “An Empirical Evaluation of Web-Based Fingerprinting.” IEEE Software 32, no. 4 (July 2015): 46–52. https://doi.org/10.1109/MS.2015.77.

  26. References III
     9. Andreas Kurtz, Hugo Gascon, Tobias Becker, Konrad Rieck, and Felix Freiling. “Fingerprinting Mobile Devices Using Personalized Configurations.” Proceedings on Privacy Enhancing Technologies 2016, no. 1 (2016). https://doi.org/10.1515/popets-2015-0027.
     10. Tom Goethem, Wout Scheepers, Davy Preuveneers, and Wouter Joosen. “Accelerometer-Based Device Fingerprinting for Multi-Factor Mobile Authentication.” In International Symposium on Engineering Secure Software and Systems (ESSoS), 106–121, 2016. https://doi.org/10.1007/978-3-319-30806-7_7.
     11. Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. “Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints.” In IEEE Symposium on Security and Privacy (S&P), 878–94, 2016. https://doi.org/10.1109/SP.2016.57.
     12. Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, et al. “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials.” In ACM SIGSAC Conference on Computer and Communications Security (CCS), 1421–1434, 2017. https://doi.org/10.1145/3133956.3134067.
