dimacs Minerva | Added: January 15, 2008 | Views: 60 | Category: Education | License: All Rights Reserved

Presentation Transcript

Secure Web Authentication With Mobile Phones
Min Wu, Simson Garfinkel, Robert Miller
MIT Computer Science and Artificial Intelligence Lab

Problem to Be Solved
- People increasingly rely on public computers to do business over the Internet
- But people's passwords can be captured by the computer and later reused by a hostile party
- 2002: key logger at 14 NYC Kinko's captured 450 usernames and passwords
- 2003: key logger on more than 100 campus computers at Boston College
- 2003: £6,300 stolen from a bank account after access at a public terminal

Our Approach
(two figure-only slides)

Authentication Protocol
- "I am Alice"
- Your current authentication session is "FAITH"
- Session "FAITH" is waiting for approval
- Approve session "FAITH"
- "FAITH"
- Username / Password

Authentication Protocol (Dealing with Fraud)
- Lock my account until further notice
- "FAITH"
- Session "PSYCH" is waiting for approval

Two Mobile Phone Interfaces for Authentication
- Check and Approve
- Choose and Approve (thanks to Steve Strassman)

User Study
- How does our approach compare, in terms of security and usability, to other existing mobile phone authentication solutions?
- One-time password sent to mobile phone (RSA Mobile, Fujitsu)

Four Login Techniques
- One-time password approach
  - Type Random Code: "1234-5678"
  - Type Random Phrase: "swears trainee" (proxy-side spelling checker, Ispell)
- Our approach
  - Check and Approve
  - Choose and Approve

Method
- Controlled experiment in the lab
- Logged in to Amazon.com using an account set up by us, with a personal computer and a mobile phone provided by us
- 6 logins in a block for each technique, for a total of 24 logins, with the order of the four login techniques randomized

Simulated Attacks
- Will a user blindly approve sessions without looking at the session name?
- Users were told that they were going to be spoofed by our simulated attacks
- Unknown attack: "PSYCH" is waiting for approval
- Duplicated attack: "PSYCH" and "FAITH"
- Blocking attack: "PSYCH" is waiting for approval; ? ? ?

Ease of Use
- Single factor ANOVA with P = 0.01

Error Rates
- Login by Check and Approve was easily spoofed
- Duplicated attack: 4 successful out of 11 attacks
  "There must be a bug in the proxy since the session name displayed in the computer does not match the one in the mobile phone."
- Blocking attack: 2 out of 9
  "The network connection must be really slow since the session name has not been displayed."
- Unknown attack: 1 out of 33
- Choose and Approve has zero error rate!

Conclusion
- By asking the user to choose and approve a correct session name from her mobile phone, we provide a mobile phone authentication solution that is both secure and easy to use
- Flexible solution to web authentication
- Good backup to password login

Future Work
- Field study
- Not only passwords but any confidential information should avoid touching the hostile host

Thank You! Q/A

Threat Model and Enhancements
- Replay attack: the kiosk remembers the connection information
  Enhancement: one-time unique session name
- Forge attack: a hostile party authenticates his connection by forging an approval message from a legal user
  Enhancement: a nonce assigned to a session name to prevent the forged approval message

Mobile Phone As Authentication Token
- "Zero deployment" to the user: mobile phones have a high rate of acceptability and a high rate of penetration; no special token needed
- "Zero deployment" at the kiosk: people are in possession of their mobile phones

Login Duration
- SMS latency
- WAP latency
- Single factor ANOVA with P = 0.02

Attack Assignment / Small Screen Size / Typos from One-Time Password
(figure-only backup slides)
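The following simulation is an added example, written here to illustrate the protocol and the two enhancements on the threat-model slides; it is not the authors' code and the slides do not specify how their proxy was built. It assumes an enrolment step that leaves a secret shared between the proxy and the user's phone, a constructed pool of session words (FAITH and PSYCH come from the slides, the rest are made up), and an approval message that is an HMAC-SHA256 over the session name and a per-session nonce. The scenarios exercise a legitimate Choose-and-Approve login, a kiosk replaying a remembered session name, the duplicated attack, a forged approval, and the "lock my account" response.

```python
import hashlib
import hmac
import secrets

# Constructed pool of session names; FAITH and PSYCH are the names used in the slides.
SESSION_WORDS = ["FAITH", "PSYCH", "MAPLE", "ORBIT", "TULIP", "RIDGE", "CEDAR", "LUNAR"]


def approval_mac(phone_secret, name, nonce):
    """Approval message the phone sends: a MAC over session name and nonce (my construction)."""
    return hmac.new(phone_secret, f"{name}:{nonce}".encode(), hashlib.sha256).hexdigest()


class AuthProxy:
    """Toy proxy: one-time session names plus a per-session nonce, as the enhancements slide suggests."""

    def __init__(self, phone_keys):
        self.phone_keys = phone_keys   # user -> secret shared with that user's phone (assumed enrolment)
        self.pending = {}              # (user, name) -> nonce, sessions waiting for approval
        self.used = set()              # (user, name) ever issued; a name is never issued twice
        self.authenticated = set()     # (user, name) approved from the phone
        self.locked = set()            # users who asked to lock their account

    def start_session(self, user):
        """Kiosk side: begin a login and return the session name the kiosk displays."""
        if user in self.locked:
            raise PermissionError(f"{user} is locked until further notice")
        unused = [w for w in SESSION_WORDS if (user, w) not in self.used]
        if not unused:
            raise RuntimeError("session-name pool exhausted")
        name = secrets.choice(unused)
        self.used.add((user, name))
        self.pending[(user, name)] = secrets.token_hex(8)   # nonce bound to this one session
        return name

    def pending_names(self, user):
        """Phone side (Choose and Approve): every session currently waiting for this user."""
        return sorted(n for (u, n) in self.pending if u == user)

    def nonce_for(self, user, name):
        """Nonce delivered to the phone over SMS/WAP; the kiosk never sees it."""
        return self.pending[(user, name)]

    def approve(self, user, name, mac):
        """Accept an approval only for a pending session and only with the right MAC."""
        key = (user, name)
        if key not in self.pending:
            return False               # replayed or never-issued session name
        expected = approval_mac(self.phone_keys[user], name, self.pending[key])
        if not hmac.compare_digest(expected, mac):
            return False               # forged approval: wrong nonce or no phone secret
        del self.pending[key]
        self.authenticated.add(key)
        return True

    def lock_account(self, user):
        """Dealing with fraud: a session the user never started showed up on her phone."""
        self.locked.add(user)
        for key in [k for k in self.pending if k[0] == user]:
            del self.pending[key]


def phone_choose_and_approve(proxy, user, phone_secret, name_on_kiosk):
    """Choose and Approve: approve the kiosk's name only if it is in the phone's list."""
    if name_on_kiosk not in proxy.pending_names(user):
        return False                   # unknown/blocking attack: the kiosk shows nothing of ours
    nonce = proxy.nonce_for(user, name_on_kiosk)
    return proxy.approve(user, name_on_kiosk, approval_mac(phone_secret, name_on_kiosk, nonce))


def run_scenarios():
    """A legitimate login followed by the replay, duplicated and forge attacks from the slides."""
    alice_key = secrets.token_bytes(32)
    proxy = AuthProxy({"alice": alice_key})
    out = {}

    # Legitimate login: the kiosk shows a name, the phone lists it, Alice approves it.
    shown = proxy.start_session("alice")
    out["legit"] = phone_choose_and_approve(proxy, "alice", alice_key, shown)

    # Replay: the kiosk remembered the name and re-submits an approval for it later.
    out["replay_rejected"] = not proxy.approve("alice", shown, approval_mac(alice_key, shown, "old"))

    # Duplicated attack: an attacker's kiosk and Alice's kiosk both start sessions for Alice.
    attacker_name = proxy.start_session("alice")
    real_name = proxy.start_session("alice")
    out["name_not_reused"] = shown not in (attacker_name, real_name)
    out["duplicated_user_ok"] = phone_choose_and_approve(proxy, "alice", alice_key, real_name)
    out["duplicated_attacker_blocked"] = ("alice", attacker_name) not in proxy.authenticated

    # Forge attack: the attacker knows the session name but neither the nonce nor the phone secret.
    forged = approval_mac(b"guess", attacker_name, "guess")
    out["forge_rejected"] = not proxy.approve("alice", attacker_name, forged)

    # Fraud handling: Alice sees the stray session on her phone and locks the account.
    proxy.lock_account("alice")
    try:
        proxy.start_session("alice")
        out["locked"] = False
    except PermissionError:
        out["locked"] = True
    return out
```

Calling run_scenarios() returns a dict in which every entry is True when the two enhancements do their job: the one-time session name makes the replayed approval and any reuse of the old name fail, and the nonce bound to each session means an attacker who can see a session name on a kiosk still cannot produce an acceptable approval message. The Choose-and-Approve step is what keeps the duplicated attack harmless: the attacker's session stays pending because Alice approves only the name her own kiosk displays.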