dimacs


Presentation Transcript

Secure Web Authentication With Mobile Phones: 

Secure Web Authentication With Mobile Phones
Min Wu, Simson Garfinkel, Robert Miller
MIT Computer Science and Artificial Intelligence Lab

Problem to Be Solved: 

Problem to Be Solved
People increasingly rely on public computers to do business over the Internet
But people's passwords can be captured by the computer and later reused by a hostile party
2002: key logger at 14 NYC Kinko's captured 450 usernames and passwords
2003: key logger on more than 100 campus computers at Boston College
2003: £6,300 stolen from a bank account after access at a public terminal

Our Approach: 

Our Approach

Authentication Protocol: 

Authentication Protocol
"I am Alice"

Slide6: 

Authentication Protocol
Your current authentication session is "FAITH"
Session "FAITH" is waiting for approval

Slide7: 

Authentication Protocol
Approve session "FAITH"
"FAITH"

Slide8: 

Authentication Protocol
Username
Password

Slide9: 

Authentication Protocol (Dealing with Fraud)
Lock my account until further notice
"FAITH"
Session "PSYCH" is waiting for approval

Two Mobile Phone Interfaces for Authentication: 

Two Mobile Phone Interfaces for Authentication
Check and Approve
Choose and Approve
(Thanks to Steve Strassman)

User Study: 

User Study
How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?
One-time password sent to mobile phone (RSA Mobile, Fujitsu)

Four Login Techniques: 

Four Login Techniques
One-time password approach
Type Random Code: "1234-5678"
Type Random Phrase: "swears trainee" (proxy-side spelling checker, Ispell)
Our approach
Check and Approve
Choose and Approve

Method: 

Method
Controlled experiment in the lab
Logged in to Amazon.com using an account set up by us, with a personal computer and a mobile phone provided by us
6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

Simulated Attacks: 

Simulated Attacks
Will a user blindly approve sessions without looking at the session name?
Users were told that they were going to be spoofed by our simulated attacks

Unknown Attack: 

Unknown Attack
"PSYCH" is waiting for approval

Duplicated Attack: 

Duplicated Attack
"PSYCH"
"FAITH"

Blocking Attack: 

Blocking Attack
"PSYCH" is waiting for approval
? ? ?

Ease of Use: 

Ease of Use
Single-factor ANOVA with P = 0.01

Error Rates: 

Error Rates
Login by Check and Approve was easily spoofed
Duplicated attack: 4 successful out of 11 attacks
Blocking attack: 2 out of 9
Unknown attack: 1 out of 33

Slide20: 

Error Rates
Login by Check and Approve was easily spoofed
Duplicated attack: 4 successful out of 11 attacks
"There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone."
Blocking attack: 2 out of 9
"The network connection must be really slow since the session name has not been displayed."
Unknown attack: 1 out of 33

Error Rates: 

Error Rates
Choose and Approve has zero error rate!

Conclusion: 

Conclusion
By asking the user to choose and approve the correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use
Flexible solution to web authentication
Good backup to password login

Future Work: 

Future Work
Field study
Not only the password but any confidential information should avoid touching the hostile host

Thank You!: 

Thank You!
Q/A

Threat Model: 

Threat Model
Replay attack: the kiosk remembers the connection information
Forge attack: a hostile party authenticates his connection by forging an approval message from a legal user

Threat Model and Enhancements: 

Threat Model and Enhancements
Replay attack: the kiosk remembers the connection information
Enhancement: one-time unique session name
Forge attack: a hostile party authenticates his connection by forging an approval message from a legal user
Enhancement: a nonce assigned to the session name to prevent the forged approval message
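The slides describe the protocol (kiosk announces "I am Alice", the proxy issues a session name such as "FAITH", the phone lists waiting sessions and the user chooses and approves the one shown on the kiosk) and the two enhancements above (one-time session names against replay, a per-session nonce against forged approvals). The following is an added toy model of that proxy, written for this page and not code from the MIT authors. The word pool, the in-memory store, the `AuthProxy`/`choose_and_approve`/`demo` names and the way the nonce is delivered (pushed to the phone together with the session name) are all assumptions made for illustration.

```python
import hmac
import secrets

# Constructed pool of human-readable session names; the slides only show
# "FAITH" and "PSYCH". A real deployment would draw from a large dictionary.
SESSION_WORDS = ["FAITH", "PSYCH", "MAPLE", "RIVER", "CANDLE", "ORBIT"]


class AuthProxy:
    """Toy proxy sitting between the kiosk browser and the web site (illustrative only)."""

    def __init__(self):
        self.pending = {}        # session name -> {"user": ..., "nonce": ...}
        self.used_names = set()  # every name ever issued: names are one-time (replay defence)
        self.approved = set()    # session names the user has approved
        self.locked = set()      # users who chose "lock my account until further notice"

    def start_session(self, username):
        """Kiosk says "I am Alice": issue a fresh one-time session name plus a nonce.
        Only the name is shown on the kiosk; name and nonce are pushed to the phone."""
        if username in self.locked:
            raise PermissionError("account locked")
        free = [w for w in SESSION_WORDS if w not in self.used_names]
        if not free:
            raise RuntimeError("session name pool exhausted")
        name = secrets.choice(free)
        self.used_names.add(name)          # never reissued, so a remembered name is useless
        self.pending[name] = {"user": username, "nonce": secrets.token_hex(16)}
        return name

    def phone_view(self, username):
        """What the phone receives: every session waiting for this user, with its nonce."""
        return {n: s["nonce"] for n, s in self.pending.items() if s["user"] == username}

    def approve(self, username, name, nonce):
        """Approval message from the phone. Rejected when the name is unknown or already
        consumed (replay) or when the nonce does not match (forged approval)."""
        session = self.pending.get(name)
        if session is None or session["user"] != username:
            return False
        if not hmac.compare_digest(session["nonce"], nonce):
            return False
        del self.pending[name]
        self.approved.add(name)
        return True

    def lock_account(self, username):
        """'Lock my account until further notice': drop every waiting session for the user."""
        self.locked.add(username)
        for n in [n for n, s in self.pending.items() if s["user"] == username]:
            del self.pending[n]


def choose_and_approve(proxy, username, name_on_kiosk_screen):
    """Phone-side 'Choose and Approve': the user picks, from the sessions pushed to the
    phone, the one whose name matches the kiosk screen. If the kiosk shows nothing
    (blocking attack) or a name the phone does not list, nothing is approved."""
    waiting = proxy.phone_view(username)
    if name_on_kiosk_screen not in waiting:
        return False
    return proxy.approve(username, name_on_kiosk_screen, waiting[name_on_kiosk_screen])


def demo():
    """Walk through the attacks from the slides; returns the observed outcomes."""
    proxy = AuthProxy()
    alice_name = proxy.start_session("alice")       # Alice's own kiosk session
    attacker_name = proxy.start_session("alice")    # hostile session claiming to be Alice
    results = {}
    # Unknown/duplicated attack: phone lists both names, Alice chooses the kiosk's one.
    results["alice_approved_own"] = choose_and_approve(proxy, "alice", alice_name)
    results["attacker_still_pending"] = attacker_name in proxy.pending
    # Blocking attack: kiosk shows nothing, so the user has nothing to choose.
    results["blank_screen_approves_nothing"] = choose_and_approve(proxy, "alice", "")
    # Forge attack: the name is visible on the kiosk, the nonce is not.
    results["forged_approval_rejected"] = not proxy.approve("alice", attacker_name, "0" * 32)
    # Replay attack: the kiosk remembered Alice's name, but it was one-time.
    results["replay_rejected"] = not proxy.approve(
        "alice", alice_name, proxy.phone_view("alice").get(alice_name, ""))
    # Dealing with fraud: Alice locks her account; the hostile session disappears.
    proxy.lock_account("alice")
    results["attacker_cleared_after_lock"] = attacker_name not in proxy.pending
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The nonce is what separates a forged approval from a real one: the attacker at the kiosk can see the session name but never the value pushed to the phone, and `hmac.compare_digest` keeps the check constant-time. Because `used_names` is never pruned, a remembered name can neither be reissued nor re-approved, which is the one-time property the slides rely on against replay.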

Mobile Phone As Authentication Token: 

Mobile Phone As Authentication Token
"Zero deployment" to the user
Mobile phone has high rate of acceptability and high rate of penetration
No special token needed
"Zero deployment" at the kiosk
People are in possession of their mobile phones

Login Duration: 

Login Duration
SMS latency
WAP latency
Single-factor ANOVA with P = 0.02

Attack Assignment: 

Attack Assignment

Small Screen Size: 

Small Screen Size

Typos from One-Time Password: 

Typos from One-Time Password
