outsourcing phone based web authentication while
play

Outsourcing Phone-based Web Authentication while Protecting User - PowerPoint PPT Presentation

Jul 07, 2023 •351 likes •1.24k views

Outsourcing Phone-based Web Authentication while Protecting User Privacy NordSec 2016 Martin Potthast 1 Christian Forler 2 Eik List 1 Stefan Lucks 1 1 Bauhaus-Universitt Weimar <firstname>.<lastname>(at)uni-weimar.de 2 Beuth

  1. Outsourcing Phone-based Web Authentication while Protecting User Privacy NordSec 2016 Martin Potthast 1 Christian Forler 2 Eik List 1 Stefan Lucks 1 1 Bauhaus-Universität Weimar <firstname>.<lastname>(at)uni-weimar.de 2 Beuth Hochschule für Technik Berlin 04 Nov 2016 Outsourcing Phone-based Web Authentication 04 Nov 2016 1/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  2. Section 1 Motivation Outsourcing Phone-based Web Authentication 04 Nov 2016 2/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  3. Passwords Humans are bad at memorizing strong passwords Already 2007: Median user is registered at 25 web services [Florêncio and Herley, 2007] Passwords are unlikely to disappear in the near future Image: xato.net Outsourcing Phone-based Web Authentication 04 Nov 2016 3/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  4. Two-Factor Authentication 1st Factor 2nd Line of Defense against 2nd Factor Reused passwords Account or Personal Data Weak credentials or lacking 1st-factor policies Data breaches Phishing attacks . . . Image: https://www.google.com/landing/2step Outsourcing Phone-based Web Authentication 04 Nov 2016 4/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  5. Two-Factor Authentication Factors Something you know Unique tuple of username + password Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  6. Two-Factor Authentication Factors Something you know Unique tuple of username + password Something you have Personal device or smartphone app Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  7. Two-Factor Authentication Factors Something you know Unique tuple of username + password Something you have Personal device or smartphone app Something you are Fingerprint or retina scan Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  8. Two-Factor Authentication Factors Something you know Unique tuple of username + password Something you have Personal device or smartphone app Something you are Fingerprint or retina scan Someone you know [Brainard et al., 2006] Idea: Duo Mobile 2014; Images: http://2.bp.blogspot.com/-3wBHxiz30Do/VEU8Ba4j7BI/AAAAAAAABo4/-gs07aNu7lA/s1600/homer-idea.png , https://frinkiac.com/caption/S06E02/42976 , http://s1.favim.com/orig/14/eye-homer-homer-simpson-simpson-simpsons-Favim.com-184669.jpg , https://upload.wikimedia.org/wikipedia/en/0/0b/Marge_Simpson.png Outsourcing Phone-based Web Authentication 04 Nov 2016 5/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  9. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  10. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Disadvantage: Difficult to implement from scratch = ⇒ outsourcing Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  11. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Disadvantage: Difficult to implement from scratch = ⇒ outsourcing Privacy? An honest-but-curious authentication provider potentially learns Usage statistics of users Usage statistics of service providers Relations of users to service providers Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  12. Phone-based Two-factor Authentication Benefits: Omnipresent, ubiquitous Spares users from carrying around additional devices Spares service providers from shipping devices Disadvantage: Difficult to implement from scratch = ⇒ outsourcing Privacy? An honest-but-curious authentication provider potentially learns Usage statistics of users Usage statistics of service providers Relations of users to service providers Goal of Passphone: Phone-based two-factor authentication scheme Outsource verification of 2nd factor while preserving privacy Outsourcing Phone-based Web Authentication 04 Nov 2016 6/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  13. Existing Phone-Based Two-Factor Authentication Schemes Time-based One-Time Passwords: Google 2-Step [Google, 2013] , Microsoft [Meisner, 2013] , Apple [Apple, 2016] , Facebook [Song, 2011] Cronto [VASCO, 2013] , Duo Mobile [Duo Security, 2016] Academia: SoundProof [Karapanos et al., 2015] : Avoided need for user interaction Shirvanian et al. [Shirvanian et al., 2014] : Resilience to off-line attacks PhoneAuth [Czeskis et al., 2012] MP-Auth [Mannan and van Oorschot, 2011] : No secret on device Tiqr [Van Rijswijk and Van Dijk, 2011] , Snap2Pass [Dodson et al., 2010] , QR-TAN [Starnberger et al., 2009] : QR-based PhoolProof [Parno et al., 2006] : Bookmark-based Outsourcing Phone-based Web Authentication 04 Nov 2016 7/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  14. Remarks Privacy-unaware users may be tracked down by other means: Users must avoid reuse or self-related credentials and mail addresses Users should hide their identity (e. g., use services like TOR) Base on TLS-secured connections Recommendations: Public-key pinning for Trusted Third Party Bind TLS connections to specific channel Goal: No additional angles for user profiling by second factor Outsourcing Phone-based Web Authentication 04 Nov 2016 8/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  15. Section 2 Passphone Protocols Outsourcing Phone-based Web Authentication 04 Nov 2016 9/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  16. Involved Parties T S Service provider Trusted Third T Party P User (prover) Prover’s telephone PT P S Prover’s mail box PM Outsourcing Phone-based Web Authentication 04 Nov 2016 10/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  17. Involved Parties T S Service provider Trusted Third T Party P User (prover) Prover’s telephone PT P S Prover’s mail box PM Assume: User has device PT and mail box PM under control Assume: TTP is honest (but curious) Encode protocol, step, version, and sender information in all messages Protocols: Registration, Activation, Authentication, Revocation, Rekeying Outsourcing Phone-based Web Authentication 04 Nov 2016 10/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  18. Passphone : Registration P ’s device PT generates and stores a key pair K public , K secret PT PT P T S Service provider ID X ID of X ( · ) X Signed by X Trusted Third Party Blinded ID of X E K �·� TLS-protected T h X P User (prover) Challenge of X N X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  19. Passphone : Registration P submits public key and a blinded ID h PT = Hash ( N PT ) to T � � K public (1) E K , ID P M , h P T P T P T S Service provider ID X ID of X ( · ) X Signed by X T Trusted Third Party h X Blinded ID of X E K �·� TLS-protected P User (prover) N X Challenge of X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  20. Passphone : Registration T sends challenge N T to P ’s mail account � � K public (1) E K , ID P M , h P T P T (2) X := ( N T ) T P T S Service provider ID X ID of X ( · ) X Signed by X T Trusted Third Party h X Blinded ID of X E K �·� TLS-protected P User (prover) N X Challenge of X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

  21. Passphone : Registration P forwards challenge to PT � � K public (1) E K , ID P M , h P T P T (2) X := ( N T ) T (3) X P T S Service provider ID X ID of X ( · ) X Signed by X T Trusted Third Party h X Blinded ID of X E K �·� TLS-protected P User (prover) N X Challenge of X Outsourcing Phone-based Web Authentication 04 Nov 2016 11/27 Martin Potthast, Christian Forler, Eik List, Stefan Lucks

Recommend

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been

HOST PUF-Based Authentication ECE 525 PUF-Based Authentication PUF-based protocols have been proposed for applications including: Encryption and authentication For detecting malicious alterations of design components For

645 views • 15 slides
HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest

HOST PUF-Based Authentication Protocols ECE 525 PUF-Based Authentication Protocols The simplest mechanisms called challenge-response entity authentication exchange cleartext bitstrings directly, i.e., no cryptographic primitives are used A PUF

1.08k views • 38 slides
A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization,

A2: Broken Authentication and Session Management But first Authentication, Authorization, Sessions Authentication Determining user identity Multiple ways What you know (password) What you have (phone, RSA SecureID, Yubikey)

1.57k views • 28 slides
Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password

Web Authentication Thierry Sans Several Methods Local authentication with login and password Token-based authentication Third party authentication Local Authentication How to store and verify password? Clear Data can be hacked

615 views • 14 slides
Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one

Outsourcing Overview Value Driven Engineering Value Driven Engineering Outsourcing is one available tool in Mustangs diversified toolkit, but not an all encompassing primary strategy Outsourcing will be used when it makes sense

439 views • 8 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is

SECURITY TOPICS PART 2 AUTHENTICATION AUTHENTICATION Authentication is the process by which you decide that someone is who they say they are and therefore permitted to access the requested resources: getting entrance to a computer lab

833 views • 44 slides
A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in

A Key to Your Heart: Biometric Authentication Based on ECG Signals Who Are You?! Adventures in Authentication Workshop (WAY) 2019 Nikita Samarin, Donald Sannella Traditional Passwords Most common mechanism of authenticating users online

251 views • 14 slides
Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and

Authentication, vulnerabilities, exploits, and the secure design principles of Saltzer and Schroeder Authentication in general Bishop: Authentication is the binding of an identity to a principal. Network-based authentication mechanisms

1.6k views • 43 slides
HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the

HOST Authentication Overview ECE 525 Authentication Overview Authentication refers to the process of verifying the identity of the communicating principals to one another Usually sub-divided into Entity authentication Authentication

288 views • 10 slides
Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a computationally weak client to outsource its computation to an untrusted server. = () Main security concerns: 1. Correctness:

377 views • 4 slides
Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a

Authentication Most technical security safeguards have Authentication authentication as a precondition How to authenticate: Something you know Password, Secrets Something you have Smart Card, Token Something you are Biometrie

607 views • 4 slides
Seeing is Believing: Proximity-based Authentication Peter Pilgerstorfer | | Peter

Seeing is Believing: Proximity-based Authentication Peter Pilgerstorfer | | Peter

Source: [5] Seeing is Believing: Proximity-based Authentication Peter Pilgerstorfer | | Peter Pilgerstorfer 03.03.2015 1 Motivation Pairing without user interaction Traditional authentication E.g. enter/confirm shared PIN

270 views • 26 slides
Outsourcing of Essential Customer Services to Off Shore Based Suppliers The CPA Australia

Outsourcing of Essential Customer Services to Off Shore Based Suppliers The CPA Australia

Outsourcing of Essential Customer Services to Off Shore Based Suppliers The CPA Australia Experience Tony Gleeson Executive General Manager CIPSA / SCLAA Event Thursday 14 th April 2011 CPA Australia + 125 year old membership body for

326 views • 17 slides
Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak Authentication Protocols Prover Verifier HB-style authentication shared AES key K protocols

563 views • 22 slides
Secure SDN Authentication &amp; Authorization for Multi-tenancy (DNS based PKI model) Author:

Secure SDN Authentication &amp; Authorization for Multi-tenancy (DNS based PKI model) Author:

IETF94 2 Nov. 2015 Yokohama SDNRG WG Secure SDN Authentication &amp; Authorization for Multi-tenancy (DNS based PKI model) Author: www.huawei.com Hosnieh Rafiee Ietf{at}rozanak.com Motivation Problem: secure SDN authentication,

546 views • 10 slides
Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with

Innovations in permutation-based encryption &amp; authentication . based on joint work with Fast Software Encryption Conference 2017 1 Joan Daemen 1 , 2 Guido Bertoni 1 , Michal Peeters 1 , Gilles Van Assche 1 and Ronny Van Keer 1 1

855 views • 30 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

1.66k views • 27 slides
Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication

Cryptography Authentication and Data Integrity Aims of Authentication Authentication and Data Integrity Authentication with Symmetric Key Encryption Authentication with Hash Cryptography Functions Authentication with MACs School of

613 views • 27 slides
Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago

Lecture 14 Passwords and Authentication Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides based on Baileys ECE 422 Major Portions Courtesy Ryan Cunningham AUTHENTICATION Authentication Basics

653 views • 42 slides
1 Outsourcing Across the Globe Major cost benefits? Does 50-70% cost savings for developers n

1 Outsourcing Across the Globe Major cost benefits? Does 50-70% cost savings for developers n

Agenda Outsourcing and Globalization n Introduction in Software Development n The Outsourcing Phenomenon n Leading Offshore Projects Jacques Crocker n Managing Customers UW CSE Alumni 2003 n Offshore Development Notes jc@cs.washington.edu n Q

340 views • 5 slides
Web Security: Authentication &amp; UI-based attacks CS 161: Computer Security Prof. Raluca Ada

Web Security: Authentication &amp; UI-based attacks CS 161: Computer Security Prof. Raluca Ada

Web Security: Authentication &amp; UI-based attacks CS 161: Computer Security Prof. Raluca Ada Popa April 12, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh Authentication &amp;

1.11k views • 73 slides
Outsourcing Pharma OUTSOURCING ON THAT SIDE OF THE PACIFIC. ABHAY DESHPANDE, CEO, JRF-GLOBAL

Outsourcing Pharma OUTSOURCING ON THAT SIDE OF THE PACIFIC. ABHAY DESHPANDE, CEO, JRF-GLOBAL

Outsourcing Pharma OUTSOURCING ON THAT SIDE OF THE PACIFIC. ABHAY DESHPANDE, CEO, JRF-GLOBAL PRESENTED AT OUTSOURCED PHARMA EVENT, SAN FRANCISCO, OCTOBER 29, 2018 JRF Global.Lead your LEAD with us! 1 Working Tariffs and Trade with

330 views • 32 slides
GAME OUTSOURCING SUMMIT AARON PULKKA GAME OUTSOURCING SUMMIT Putting it All Together - Building

GAME OUTSOURCING SUMMIT AARON PULKKA GAME OUTSOURCING SUMMIT Putting it All Together - Building

GAME OUTSOURCING SUMMIT AARON PULKKA GAME OUTSOURCING SUMMIT Putting it All Together - Building the Right Outsourcing Team Aaron Pulkka | Director of Production | Activision GAME OUTSOURCING SUMMIT AARON PULKKA Outsourcing Team Internal

854 views • 43 slides

More recommend