1 |
Opening the Web for all: inclusive and secure design of an online authentication system
Gibson, Marcia (January 2012)
Effective use of the World Wide Web grants users increased power over people, time and space. However, its growing ubiquity also means these powers tend to become eroded in non-users. Growth of the Web as a marketplace and as a channel to deliver e-services results in an ever-increasing volume of sensitive information being transacted and stored online. As a result, authentication systems are now being used extensively on the Web. Unfortunately, the profusion of Web sites and the large numbers of associated passwords reduce their efficacy and put severe strain on users’ limited cognitive resources. Authentication systems themselves can therefore act as an additional source of exclusion. However, this step of authentication has, up until now, been largely overlooked when considering inclusive design.

People may experience a variety of barriers to Internet access: Psychological, Material, Skills and Usage. Existing models of these barriers within the literature are discussed, and a unified model of exclusion is developed and used to identify a series of potential solutions to the various aspects of each barrier. These solutions are classified into 4 separate design goals: Enhanced Usability, Enhanced Accessibility, Reduced End-user Cost and Robust Security. A number of groups who are especially at risk of Web exclusion are also identified. The design goals are used to evaluate existing traditional and image-based passwords. The accessibility component is assessed in terms of twenty-two use scenarios, each consisting of a particular user group’s limiting characteristic and the strategies the group is known to use when accessing the Web. The accessibility analysis shows traditional passwords to be less accessible for several groups:

• Novice users, who experience reduced comparative learnability, efficiency and increased errors.
• Mobile phone users, head wand users, eye gaze tracker users, those with reduced manual dexterity and/or tremors accessing principally via a mouse or keyboard, those with impaired ability to select and filter relevant sensory information, and low-literacy users accessing via a normal or text-to-speech browser. These groups experience reduced comparative efficiency and increased errors.
• Users with impaired ability to remember information or sequences, and illiterate users accessing via a text-to-speech browser or normal browser. These groups have the most significant issues with passwords, experiencing reduced comparative learnability, memorability, efficiency and increased errors.

Image-based passwords are found to be more accessible for some of these groups, but are unusable by blind users and less usable by those with visual impairments. Just as Web users are not a uniform, homogenous group, so too is there no homogenous solution to creating usable security. Even so, there may be solutions that are usable and secure given the particular scenario within which they will be used. For this reason, it is important to supply a number of alternatives, because as one modality or model of interaction is locked out, another group becomes excluded. One such alternative, a novel scheme called “Musipass”, is trialled in lab-based and large-scale online user participation experiments. Musipass is found to offer superior long-term memorability to a traditional password, and users report enjoying the experience of authenticating with music. A security analysis is conducted which shows Musipass to offer comparative or enhanced security compared to a traditional password against a number of well-known attacks.
|
2 |
Mobile One Time Passwords and RC4 Encryption for Cloud Computing
Azam, A.S.M Faruque; Johnsson, Markus (January 2011)
Cloud services have grown very quickly over the past couple of years, giving consumers and companies the chance to put services, resources and infrastructures in the hands of a provider, thereby removing the need to provide these services themselves. This can, for example, lead to cost savings, better resource utilization and removal of the need for technical expertise on the customers' side. There are big security concerns when using cloud services. Security is very important in cloud computing since people and companies store confidential data in the cloud. It must also be easy to use the services provided, since cloud services have so many users with different technical backgrounds. Since the control of services and data needed for the everyday running of a corporation is being handled by another company, further issues need to be considered. The consumer needs to trust the provider, and know that they handle their data in a correct manner and that resources can be accessed when needed. This thesis focuses on authentication and transmission encryption in cloud services. The current solutions used today to log in to cloud services have been investigated, and it is concluded that they don't satisfy the needs of cloud services. They are either insecure, complex or costly. It can also be concluded that the best encryption algorithm to use in a cloud environment is RC4, which is secure and at the same time a fast algorithm. AES and RC4 are the most common encryption methods used over the Internet today; compared to AES, RC4 is the better choice. This thesis has resulted in an authentication and registration method that is both secure and easy to use, therefore fulfilling the needs of cloud service authentication. The method has been implemented in a fully working finished solution that uses a regular mobile phone to generate one-time passwords that are used to log in to cloud services. All of the data transmissions between the client and the server have been configured to use RC4 encryption. The conclusion that can be drawn is that the security proposal implemented in this thesis work functions very well, and provides good security together with ease of use for clients who don't have much technical knowledge.
|
3 |
Použití smart-karet v moderní kryptografii / The use of smart-cards in modern cryptography
Kočíř, Michal (January 2013)
This thesis discusses the general use of smart cards in MULTOS in cryptographic applications. First, two types of authentication are described: authentication by the subject, with a focus on authenticators, and authentication by knowledge. Furthermore, there is a description of anonymous authentication and attribute authentication. This is followed by a description of smart cards with a focus on MULTOS cards. An analysis of the programmable smart cards .NET, JavaCard and MULTOS is also performed. The practical part is focused on the implementation of an authentication scheme which is being developed at FEEC. The communication of the authentication protocol is between the MULTOS card and a reader connected to a PC. The protocol is composed of cryptographic functions such as random number generation, hash function, modular exponentiation, modular multiplication and difference of large numbers. The measurement of specific applications was also implemented.
|
4 |
Ochrana soukromí na Internetu / Internet privacy protection
Malina, Lukáš (January 2010)
Anonymous authentication is a means of authorizing a user without leaking the user's personal information. The technology of Anonymous Authentication Systems (AAS) provides privacy for the user and yet preserves the security of the system. This thesis presents the basic cryptographic primitives which can provide anonymous authentication. Among these primitives there are usually some asymmetric cryptosystems, but an essential part of anonymous authentication is based on zero-knowledge protocols, blind signature schemes, threshold group schemes, etc., which are presented in Chapter 1. Generally, Anonymous Authentication Systems have applications such as electronic coins, electronic cash, group signatures, anonymous access systems, electronic voting, etc., which are analyzed and presented in Chapters 2 and 3. In the practical section, the implementation (in C# in the .NET environment) of the AAS system, which is being developed at the FEEC BUT, is presented and described in Chapter 4.
|