many personal devices have rich set of capabilities: sensors, communication, computing power and...
TRANSCRIPT
Authentication with Personal Devices
• Many personal devices have rich set of capabilities: sensors, communication, computing power and data storage, and they are “personal”.
• Potentially they can aid the owners in performing authentication and securing communication.
• (User friendliness) + (Security) + ?
Authentication using personal devices
Server
12345
Terminal
User
smartcard
(password, key)
password,biometric
Key, location info.
I. Trust models
1. Personal device is trusted. Terminal untrusted. (Public Kiosk)2. 2-Factor Authentication.3. Personal device is honest but it can be lost. (can’t store sensitive
data).
Server
12345
Terminal
User
smartcard
(password, key)
passwordbiometric
Key, location info
TPM
II. Public Kiosk
S. Garriss, R. Caceres, S. Berger, R Sailer, L. Doorn, X. Zhang. Trustworthy and Personalized Computing on Public kiosk, MobiSys’08
Server
Terminal
User
Personal device to verify that the kiosk has only loaded trustworthy software.
A. Oprea, D. Balfanz, G. Durfee and K.K. Smetters, Remote Terminal Application with a Mobile Trusted Device, ACSAC’04
Server
Terminal
User
tunnel connection
III. 2-factor Authentication
• Personal device as OTP token.
Server
Terminal User
12345
(password, key)
password
KeyMonetary Authority of Singapore expects banks to implement two-factor authentication at login in Internet Banking.
• Using an out-of-band channel. “Mobile authentication”
Server
Terminal
User
sms (text message)
password(password, OTP)
OTP
Can be made secure, but difficult to use.
Server
Internet Terminal
User
key
key
D.E. Clarke, B. Gassend, T. Kotwal, M. Burnside, M. Dijk, S. Devadas, and R.L. Rivest. The untrusted computer problem and camera-based authentication. International Conf. on Pervasive Computing, 2002
visual channel Using OCR to verify the messages and theirsignature
Server
Internet Terminal
User
Image from [Sharp2006] Sharp et al,Secure Mobile Computing Via Public Terminal.
key
key
R. Sharp, J. Scott, A. Beresford, Secure Mobile Computing via Public Terminals. International Conference on Pervasive Computing, 2006
Server
Internet Terminal
User
key, password
key
C. Fang, E.C.Chang, Securing Interactive Sessions Using Mobile Device through Visual Channel and Visual Inspection, ACSAC 2010.
visual channel password
Date
accoun
t
remark
amount
IV. Device honest but can be lost
Server
User
smartcard
key
Key
Terminal
Server
User
key, password
Key
Terminal
password
Device as the “biometric” scanner
Server
User
( k )
biometric
k= H(Key, biometric)
Terminal
the biometricdata are not stored inthe server
• Technical challenges in using biometric data: They are noisy. The key extracted by the cryptographic secure hash has to be consistent even under noise!
– Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, EUROCRYPT 2004.
– Linnartz, J.-P.M.G., Tuyls, P., New shielding functions to enhance privacy and prevent misuse of biometric templates. AVBPA 2003
V. Conclusion
• We can use the computing power of personal device to enhance security.
• Can location information help?