"Guess Who?" Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication
IMIS 2020, July 1, 2020
Nampoina Andriamilanto, Tristan Allard, Gaëtan Le Guelvouit
Web Authentication
◆ Passwords suffer from flaws
– Dictionary attacks: common passwords [5] or reuse [14]
– Phishing attacks: 12.4 million stolen credentials [12]
◆ Leading to multi-factor authentication
Public distribution

Web Authentication by Browser Fingerprinting
◆ Browser fingerprinting
– Collection of browser attributes
– Depending on the web environment
◆ Use for web authentication
Motivation
◆ No large-scale study on browser fingerprints for authentication
– Large fingerprint set, fewer than 30 attributes [4, 11, 15]
– More than 30 attributes, fewer than 2,000 users [8, 17]
◆ Previous works focus on
– Authentication mechanism designs [6, 10, 16]
– Efficacy for web tracking [4, 11, 13, 15, 17]
◆ Existing tools lack documentation
– Examples are MicroFocus (https://www.netiq.com/documentation/access-manager-44/admin/data/how-df-works.html) or SecureAuth (https://docs.secureauth.com/pages/viewpage.action?pageId=33063454)
Institute of Research and Technology b-com.com
Authentication Factor Properties

Similarity with Biometric Factors
◆ Similarity with biometric factors
– Extraction of features from an entity
– Recognition of the entity
– Imperfections due to digitalization
◆ Properties identified by previous works [1, 2, 3]
Authentication Factor Properties
◆ Properties to be usable
– Universality
– Distinctiveness
– Stability
– Collectibility
◆ Properties to be practical
– Performance
– Acceptability (https://support.google.com/accounts/answer/1144110)
– Circumvention [16]
Notation
◆ Fingerprint domain $G$
– Considering $o$ attributes, with $W_y$ the domain of the attribute $y$:
$G = \{ (w_1, \ldots, w_o) \mid w_y \in W_y \}$
◆ Fingerprint dataset $E$
– Fingerprint $g$ was collected from the browser $c$ at the moment $u$
– With $C$ the browser population, and $U$ the time domain:
$E = \{ (g, c, u) \mid g \in G, c \in C, u \in U \}$
Distinctiveness
◆ Distinctiveness: are two different browsers distinguishable?
– $C(g, E)$: the browsers sharing the fingerprint $g$ in the dataset $E$
$C(g, E) = \{ c \in C \mid (g, c, u) \in E \}$
◆ Size of the anonymity sets
– $B(t, E)$: the fingerprints in an anonymity set of size $t$
$B(t, E) = \{ g \in G \mid \mathrm{card}\, C(g, E) = t \}$
Stability
◆ Stability: can a browser be recognized through time?
◆ Example of consecutive fingerprints
– Fingerprints: $\{ (g_1, c, u_1), (g_2, c, u_2), (g_3, c, u_3) \}$
– Consecutive fingerprints: $\{ (g_1, g_2), (g_2, g_3) \}$
◆ Stability measure
– Grouped by the elapsed time
– Similarity: proportion of identical attributes
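The distinctiveness and stability measures above, computed over a constructed toy dataset as an added example (not the study's own code): the anonymity sets $C(g, E)$ and $B(t, E)$, the unicity rate, and the similarity of consecutive fingerprints of the same browser grouped by elapsed time. The three-attribute fingerprints and the `b1`..`b4` browser identifiers are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample dataset E of (fingerprint g, browser c, time u) tuples;
# a fingerprint is a tuple of attribute values (assumption: 3 attributes).
SAMPLE = [
    (("Firefox/75", "fr-FR", "1920x1080"), "b1", 0),
    (("Firefox/76", "fr-FR", "1920x1080"), "b1", 10),
    (("Firefox/76", "en-US", "1920x1080"), "b1", 30),
    (("Chrome/81", "fr-FR", "1366x768"), "b2", 5),
    (("Chrome/81", "fr-FR", "1366x768"), "b3", 7),
    (("Chrome/81", "fr-FR", "1366x768"), "b3", 50),
    (("Safari/13", "fr-FR", "375x812"), "b4", 2),
]

def browsers_sharing(dataset):
    """C(g, E): the set of browsers that showed each distinct fingerprint."""
    shared = defaultdict(set)
    for fp, browser, _ in dataset:
        shared[fp].add(browser)
    return shared

def anonymity_set_sizes(dataset):
    """card B(t, E): how many distinct fingerprints lie in an anonymity set of size t."""
    sizes = defaultdict(int)
    for browsers in browsers_sharing(dataset).values():
        sizes[len(browsers)] += 1
    return dict(sizes)

def unicity(dataset):
    """Proportion of distinct fingerprints shared by exactly one browser."""
    sizes = anonymity_set_sizes(dataset)
    return sizes.get(1, 0) / sum(sizes.values())

def similarity(fp_a, fp_b):
    """Proportion of attributes holding the same value in both fingerprints."""
    return sum(a == b for a, b in zip(fp_a, fp_b)) / len(fp_a)

def consecutive_similarities(dataset):
    """(elapsed time, similarity) for each pair (g1, g2), (g2, g3), ... of one browser."""
    per_browser = defaultdict(list)
    for fp, browser, t in dataset:
        per_browser[browser].append((t, fp))
    pairs = []
    for entries in map(sorted, per_browser.values()):  # time order per browser
        for (t1, fp1), (t2, fp2) in zip(entries, entries[1:]):
            pairs.append((t2 - t1, similarity(fp1, fp2)))
    return pairs

def stability_by_elapsed(dataset, bucket):
    """Stability measure: mean similarity of consecutive pairs per elapsed-time bucket."""
    groups = defaultdict(list)
    for elapsed, sim in consecutive_similarities(dataset):
        groups[elapsed // bucket].append(sim)
    return {k: sum(v) / len(v) for k, v in groups.items()}
```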
Performance
◆ Collection time
– Over the JavaScript attributes
◆ Size
– Only the canvases are hashed
◆ Loss of efficacy
– Through time: over the six months [9]
– Through space: over the device types [7, 11]

Results
Large-scale Fingerprint Dataset
◆ Fingerprint collection experiment
– Probe on two web pages
– Industrial partner (top 15 French websites, https://www.alexa.com/topsites/countries/FR)

                    Panopticlick [4]   AmIUnique [11]   Hiding in the Crowd [13]   Long-Term Observation [17]   This study
Collection period   3 weeks            3-4 months       6 months                   3 years                      6 months
Attributes          8                  17               17                         305                          262
Fingerprints        470,161            118,934          2,067,942                  88,088                       4,145,408
Browsers            -                  -                -                          -                            1,989,365
Unicity             0.836              0.894            0.336                      0.954–0.958                  0.818
Fingerprints Distinctiveness
◆ >80% of the fingerprints are unique
◆ >94% are shared by ≤ 8 browsers

Fingerprints Distinctiveness per Device Type
◆ 84% of desktop fingerprints are unique
◆ 42% for the mobile browsers

Fingerprints Stability
◆ On average, 90% of the attributes stay identical
◆ Mobile fingerprints are generally more stable

Fingerprints Collection Time
◆ Median collection time of 2.92 seconds
◆ Mobile fingerprints generally take more time

Fingerprints Size
◆ Median size of 7,550 bytes
◆ Mobile fingerprints are generally lighter

Conclusion
Conclusion
◆ Our fingerprints
– Are mostly unique (>80%)
– Are stable (>90% identical attributes)
– Only weigh a dozen kilobytes
– Are collected in seconds
◆ Our fingerprints of mobile browsers
– Show a loss of distinctiveness
– Are generally more stable and lighter, but longer to collect
◆ Promising additional web authentication factor

Thank You
Any question?
tompoariniaina.andriamilanto@b-com.com

References
1. Davide Maltoni, Dario Maio, Anil K. Jain, and Salil Prabhakar. Handbook of Fingerprint Recognition. 1st ed., 2003. https://doi.org/10.1007/b97303.
2. Vasilios Zorkadis and P. Donos. "On Biometrics-based Authentication and Identification from a Privacy-protection Perspective: Deriving Privacy-enhancing Requirements." Information Management & Computer Security 12, no. 1 (January 1, 2004): 125–37. https://doi.org/10.1108/09685220410518883.
3. Marco Gamassi, Massimo Lazzaroni, Mauro Misino, Vincenzo Piuri, Daniele Sana, and Fabio Scotti. "Quality Assessment of Biometric Systems: A Comprehensive Perspective Based on Accuracy and Performance Measurement." IEEE Transactions on Instrumentation and Measurement 54, no. 4 (August 2005): 1489–1496. https://doi.org/10.1109/TIM.2005.851087.
4. Peter Eckersley. "How Unique Is Your Web Browser?" In International Conference on Privacy Enhancing Technologies (PETS), 1–18, 2010. https://doi.org/10.1007/978-3-642-14527-8_1.
5. Joseph Bonneau. "The Science of Guessing: Analyzing an Anonymized Corpus of 70 Million Passwords." In IEEE Symposium on Security and Privacy (S&P), 538–52, 2012. https://doi.org/10.1109/SP.2012.49.
6. Thomas Unger, Martin Mulazzani, Dominik Frühwirt, Markus Huber, Sebastian Schrittwieser, and Edgar Weippl. "SHPF: Enhancing HTTP(S) Session Security with Browser Fingerprinting." In International Conference on Availability, Reliability and Security (ARES), 255–61, 2013. https://doi.org/10.1109/ARES.2013.33.
7. Jan Spooren, Davy Preuveneers, and Wouter Joosen. "Mobile Device Fingerprinting Considered Harmful for Risk-Based Authentication." In European Workshop on System Security (EuroSec), 6:1–6:6, 2015. https://doi.org/10.1145/2751323.2751329.
8. Amin Faiz Khademi, Mohammad Zulkernine, and Komminist Weldemariam. "An Empirical Evaluation of Web-Based Fingerprinting." IEEE Software 32, no. 4 (July 2015): 46–52. https://doi.org/10.1109/MS.2015.77.
9. Andreas Kurtz, Hugo Gascon, Tobias Becker, Konrad Rieck, and Felix Freiling. "Fingerprinting Mobile Devices Using Personalized Configurations." Proceedings on Privacy Enhancing Technologies 2016, no. 1 (2016). https://doi.org/10.1515/popets-2015-0027.
10. Tom Goethem, Wout Scheepers, Davy Preuveneers, and Wouter Joosen. "Accelerometer-Based Device Fingerprinting for Multi-Factor Mobile Authentication." In International Symposium on Engineering Secure Software and Systems (ESSoS), 106–121, 2016. https://doi.org/10.1007/978-3-319-30806-7_7.
11. Pierre Laperdrix, Walter Rudametkin, and Benoit Baudry. "Beauty and the Beast: Diverting Modern Web Browsers to Build Unique Browser Fingerprints." In IEEE Symposium on Security and Privacy (S&P), 878–94, 2016. https://doi.org/10.1109/SP.2016.57.
12. Kurt Thomas, Frank Li, Ali Zand, Jacob Barrett, Juri Ranieri, Luca Invernizzi, Yarik Markov, et al. "Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials." In ACM SIGSAC Conference on Computer and Communications Security (CCS), 1421–1434, 2017. https://doi.org/10.1145/3133956.3134067.