Malicious Manipulation in Service-Oriented Network, Software, and Mobile Systems: Threats and Defenses

Shen, Dakun

30 May 2019

This dissertation includes three approaches we have been designed to tackle threats and challenges in network, software, and mobile security. The first approach demonstrates a new class of content masking attacks against the Adobe PDF standard, causing documents to appear to humans dissimilar to the underlying content extracted by information-based services. The second work protects sensitive data in binaries from being corrupted by cyber attackers. The last work proposes a mechanism which utilizes the unique walking patterns inherent to humans and differentiate our work from other walking behavior studies by using it as first-order authentication and developing matching methods fast enough to act as an actual anti-theft system.

authentication

online services

System security

Computer Sciences

Autentisiering av användare i datoriserade miljöer hos SMF - biometri kontra tokens : En jämförelse av två sätt att implementera autentisering av användare / Authentication of users in computerized environments at SME - biometrics versus tokens : A comparison of two ways to implement authentication of users

Hedberg, David

January 2020

Allt eftersom mer och mer information sparas på datorer så ökar även trycket på att denna information sparas säkert, och att endast behöriga personer kommer åt den.Syftet med arbetet var att se vilka skillnader som finns mellan biometri och tokens, och vilka skillnader som små till medelstora företag borde ta i beaktande när de väljer en autentiseringsmetod. Det förväntade resultatet var då en beskrivning, i form av ett ramverk, över vilka för- och nackdelar som finns med de två metoderna, och således vilken metod som ett enskilt företag som använder ramverket borde använda sig utav.Arbetet genomfördes via en litteraturstudie, i vilket tre databaser användes för att samla information. IEEEXplore, ACM Digital Library, och ScienceDirect var de tre databaser som användes för arbetet. I dessa identifierades ett antal artiklar, som delades upp i kodade kategorier utefter innehåll. Detta i syfte att utföra en tematisk kodad analys.Totalt identifierades 28 artiklar i de olika databaserna. I dessa artiklar identifierades kostnad, säkerhet, integritet, och användarvänlighet som några av de mesta omtalade ämnena. 7 utav de 28 artiklarna pratade om kostnad, 20 av artiklarna nämnde säkerhet, 5 nämnde integritet, och 9 pratade om användarvänlighet. Det fanns även ett antal mindre teman i tvåfaktorsautentisering, skalbarhet, typer av biometri, typer av tokens, och framtida teknologi inom biometri.Efter genomförd analys formulerades ett ramverk i vilket ett smått till medelstort företag kan se vilken metod av autentisering som passar deras företag bäst. / As technology evolves, corporations and enterprises are forced to evolve alongside it. Storing company information and data on servers and computers have become common practice.Initially, the goal with the work presented was to compare biometric authentication and token authentication in relation so SMEs. In the current landscape there is no comprehensive study in these two methods of authentication in relation to SMEs. A framework was developed for system administrators to use when choosing one of these methods of authentication. The framework is a summarization of the works analytical part.A literature study was conducted to reach the goal. Three databases were used as sources of information. These three were namely IEEEXplore, ACM Digital Library, and ScienceDirect. From these sources, literature was identified on which the study was then based. Thematic coding was used to analyze the collected data.After the process of collecting and including/excluding was complete, a total of 28 articles remained. From these articles a total of 10 themes were identified from the thematic coding. These themes were cost, integrity, usability, security pros, security cons, two-factor authentication, scalability, biometric types, token types, and future biometric technology. Four of these were more prevalent, namely cost, integrity, usability, and security.After the analysis was finished the themes that emerged as important were integrity and usability. Because of this, the framework is heavily influenced by these themes and they are particularly important for system administrators to consider.

Biometric authentication

token-based authentication

authentication

authentication SME

information security

biometrisk autentisering

token-baserad autentisering

autentisering

autentisering SMF

informationssäkerhet

Information Systems

Simple SSH Management

Collett, Torstein Calvin

14 June 2021

SSH certificates are used by administrators so connections to the server can be verified. This ensures that only authorized administrators can access the server and that the server being accessed is the intended machine. Current solutions for managing SSH certificates are focused on commercial use, which makes them cumbersome for small groups and individuals to use. These solutions require running multiple services that companies already use but add significant overhead for smaller groups. We developed a new standalone system that makes it easy to manage SSH certificates for small amounts of servers and users, without requiring additional servers to be deployed. We evaluated our system with a user study to demonstrate its ease of use. We hope that this implementation can help guide future research toward a more simplified certificate authentication system for SSH.

SSH

certificate-based-authentication

Physical Sciences and Mathematics

A dynamic trust-based context-aware secure authentication framework for pervasive computing environments / Une architecture d'authentification dynamique et sécurisé, sensible au contexte et basé sur la confiance pour les environnements pervasifs

Abi-char, Pierre

30 March 2010

La prise en considération des exigences en matière de sécurité, de vie privée et de confiance au sein des environnements pervasifs (ubiquitaires) est indispensable à la fourniture des services personnalisés aux utilisateurs. L’objectif de cette thèse est de disposer d’une architecture souple et évolutive intégrant l’authentification des utilisateurs, la préservation de leur vie privée et la gestion de la confiance en vue d’optimiser la stratégie de contrôles d’accès aux services personnalisés. La première contribution porte sur la proposition d’un protocole d’authentification mutuelle construit à partir de schémas cryptographiques robustes d’établissement de clés basés sur les courbes elliptiques (MaptoPoint/Curve algorithm, Weil Pairing) et d’un modèle dynamique basé sur les attributs issus des données contextuelles. La seconde contribution porte sur la conception d’une nouvelle architecture bâti sur un modèle basé sur les attributs et organisée autour de 3 couches : la couche de contrôle de le vie privée qui assure la protection de la vie privée des utilisateurs en contrôlant leurs données personnelles, la couche d’accès associant les processus d’authentification et de contrôles d’accès en intégrant des mécanismes dédiés à la gestion des paramètres de confiance et la couche de service pour la gestion des accès aux services selon le profil de l’utilisateur et de son environnement. La troisième contribution porte sur le développement et la mise en œuvre d’un prototype au sein de la plateforme dédiée à la fourniture de services du laboratoire Handicom de Telecom SudParis. / To provide personalized services to users in pervasive environments, we should consider both user's privacy, trust and security requirements. Traditional authentication and access control mechanisms are not able to adapt their security policies to a changing context while insuring privacy and trust issues. This thesis introduces a new global vision for the protection of pervasive environments, based on context-aware principle. The aim of this thesis is to get a flexible and scalable framework including user authentication, user privacy preserving and trust management in order to optimize the access control strategy to personalized services. The first contribution include the proposal of a mutual authentication protocol supported by both robust key establishment schemes based on elliptic curves (MaptoPoint/Curve algorithm, Weil Pairing) and a dynamic model based on attributes issued from contextual data. The second contribution include the design of a new architecture built on an attribute based model and organized over 3 layers: the privacy control layer which insure the protection of the user private life by controlling their personal data, the access layer which associate authentication and access control processes while providing mechanisms dedicated to trust parameters management , and finally the service layer for service access management according to the user profile and his environment. The third contribution the implementation and the deployment of a prototype within the service delivery platform in Handicom lab of Telecom & Management SudParis.

Informatique omniprésente

Authentication

Pervasive computing

Cryptography

Wireless Authentication Using Remote Passwords

Harding, Andrew S.

08 January 2008

Current authentication methods for wireless networks are difficult to maintain. They often rely on globally shared secrets or heavyweight public-key infrastructure. Wireless Authentication using Remote Passwords (WARP) mitigates authentication woes by providing usable mechanisms for both administrators and end-users. Administrators grant access by simply adding users' personal messaging identifiers (e.g., email addresses, IM handles, cell phone numbers) to an access control list. There is no need to store passwords or other account information. Users simply prove ownership of their authorized identifier to obtain wireless access.

decentralized

wireless

authentication

SAW

SRP

Computer Sciences

Secure Mutual Self-Authenticable Mechanism for Wearable Devices

Eya, Nnabuike N., Mapoka, Trust T., Shepherd, Simon J., Abd-Alhameed, Raed, Elfergani, Issa T., Rodriguez, Jonathan

03 1900

Yes / Due to the limited communication range of wearable devices, there is the need for wearable devices to communicate amongst themselves, supporting devices and the internet or to the internet. Most wearable devices are not internet enabled and most often need an internet enabled broker device or intermediate device in order to reach the internet. For a secure end to end communication between these devices security measures like authentication must be put in place in other to prevent unauthorised access to information given the sensitivity of the information collected and transmitted. Therefore, there are other existing authentication solutions for wearable devices but these solutions actively involve from time to time the user of the device which is prone to a lot of challenges. As a solution to these challenges, this paper proposes a secure point-to-point Self-authentication mechanism that involves device to device interaction. This work exploits existing standards and framework like NFC, PPP, EAP etc. in other to achieve a device compatible secure authentication protocol amongst wearable device and supporting devices..

Wearable devices

Self-authentication

NFC

PPP

EAP

A Usability Study of FIDO2 Hardware Tokens on Mobile Devices

Lambert, Stephen

14 December 2022

Passwords as the primary form of authentication on the web have many issues, such as password re-use across sites and difficulty in remembering secure passwords. The FIDO Alliance has created a passwordless system that has with support from companies like Google, Apple, and Microsoft: FIDO2. Studies have shown so far that users find FIDO2 usable on personal computers, but no work has been published on its usability on mobile devices. I conducted a lab study in which participants used FIDO2 passwordless authentication with hardware tokens on a mobile phone. Participants found FIDO2 usable on mobile devices, but had similar fears as participants in prior studies, primarily revolving around account loss. I also found that showing participants an instructional video after they had used FIDO2 on a mobile device increased perceived usefulness and likelihood of adoption, though usability scores remained about the same.

usability

FIDO2

paswordless authentication

Physical Sciences and Mathematics

Machine Learning Based Listener Classification and Authentication Using Frequency Following Responses to English Vowels for Biometric Applications

Borzou, Bijan

10 July 2023

Auditory Evoked Potentials (AEPs) have recently gained attention as a biometric feature that may improve security and address reliability shortfalls of other commonly-used biometric features. The objective of this thesis is to investigate the accuracy with which subjects can be automatically identified or authenticated with machine learning (ML) techniques using a type of AEP known as the speech-evoked frequency following response (FFR). Accordingly, the results show more accurate discrimination between FFRs from different subjects than what has been reported in past studies. The accuracy improvement is searched either by optimized hyperparameter tuning of the ML model or extracting new features from FFRs and feeding them as inputs to the model. Finally, the accuracy of authenticating subjects using FFRs is investigated using a "sheep vs. wolves" scenario. The results of this work shed more light on the potential of use of speech-evoked FFRs in biometric identification and authentication systems.

Listener Classification

Listener Authentication

Biometrics

Machine Learning

Improving Password Usability with Visual Techniques

Komanduri, Saranga

13 November 2007

No description available.

passwords

graphical authentication

picture superiority

security indicators

Improving the Security of Mobile Devices Through Multi-Dimensional and Analog Authentication

Gurary, Jonathan, Gurary

28 March 2018

No description available.

Computer Engineering

Computer Science

authentication

mobile authentication

graphical password

analog authentication

multi-dimensional authentication

shoulder-surfing

challenge-response

keystroke dynamics

virtual reality