71 |
Convenient Decentralized Authentication Using Passwords
Van Der Horst, Timothy W. 10 March 2010 (PDF)
Passwords are a very convenient way to authenticate; in terms of simplicity and portability they are very difficult to match. Nevertheless, current password-based login mechanisms are vulnerable to phishing attacks and typically require users to create and manage a new password for each of their accounts. This research investigates the potential for indirect, decentralized approaches to improve password-based authentication. Adopting a decentralized authentication mechanism requires users and service providers to agree on a trusted third party that vouches for users' identities. Email providers are the de facto trusted third parties on the Internet: proof of email address ownership is typically required both to create an account and to reset a forgotten password. Despite its shortcomings (e.g., latency and vulnerability to passive attack), this approach is a practical solution to the difficult problem of authenticating strangers on the Internet. This research uses this emergent, lightweight relationship with email providers to offload primary user authentication from service providers, reducing the need for service provider-specific passwords. Our goal is decentralized authentication that keeps the convenience and portability of passwords while improving their assurances, especially against phishing. Our first step in leveraging this emergent trust, Simple Authentication for the Web (SAW), improves the security and convenience of email-based authentication and moves it from the background into the forefront, replacing the need for an account-specific password. Wireless Authentication using Remote Passwords (WARP) adapts the principles of SAW to authentication in wireless networks. Lightweight User AUthentication (Luau) improves upon WARP and unifies user authentication across the application and network (especially wireless) layers.
Our final protocol, pwdArmor, started as a simple wrapper to facilitate the use of existing databases of password verifiers in Luau, but grew into a generic middleware framework that augments the assurances of conventional password protocols.
72 |
An Integrated Intelligent Approach to Enhance the Security Control of IT Systems. A Proactive Approach to Security Control Using Artificial Fuzzy Logic to Strengthen the Authentication Process and Reduce the Risk of Phishing
Salem, Omran S.A. January 2012
Hacking of information systems is continuously on the increase. Social engineering attacks are performed by manipulating the weakest link in the security chain: people. Consequently, this type of attack has gained a higher rate of success than a technical

Based on Expert Systems, this study proposes a proactive and integrated Intelligent Social Engineering Security Model to mitigate the human risk and reduce the impact of social engineering attacks.

Many computer users do not have enough security knowledge to select a strong password for their authentication. The author has attempted to implement a novel quantitative approach to achieving strong passwords. A new fuzzy logic tool is developed that evaluates password strength based on dictionary attack, crack time and shoulder surfing attack (social engineering). A comparative study of existing tools used by major companies such as Microsoft, Google, CertainKey, Yahoo and Facebook is used to validate the proposed model and

A comprehensive literature survey and analytical study of phishing emails representing social engineering attacks directly related to financial fraud are presented and compared with other security threats. This research proposes a novel approach that addresses social engineering attacks. Another intelligent tool is developed to discover phishing messages and provide educational feedback to the user, focusing on the visible part of the incoming email, considering the email's source code and providing in-line security awareness feedback.
73 |
Characterizing and Detecting Online Deception via Data-Driven Methods
Hu, Hang 27 May 2020
In recent years, online deception has become a major threat to information security. Online deception that causes significant consequences is usually spear phishing. Spear-phishing emails come in very small volume, target a small audience, sometimes impersonate a trusted entity, and use very specific content to redirect targets to a phishing website, where the attacker tricks them into sharing their credentials.
In this thesis, we aim at measuring the entire process. Starting from phishing emails, we examine anti-spoofing protocols, analyze email services' policies and warnings towards spoofing emails, and measure the email tracking ecosystem. With phishing websites, we implement a powerful tool to detect domain name impersonation and detect phishing pages using dynamic and static analysis. We also analyze credential sharing on phishing websites, and measure what happens after victims share their credentials. Finally, we discuss potential phishing and privacy concerns on new platforms such as Alexa and Google Assistant.
In the first part of this thesis (Chapter 3), we measure how email providers detect and handle forged emails, try to understand how forged emails reach user inboxes by deliberately composing such emails, and check how providers warn users about them. In the second part (Chapter 4), we measure the adoption of anti-spoofing protocols and seek to understand the reasons behind the low adoption rates. In the third part (Chapter 5), we observe that many phishing emails use email tracking techniques to track their targets; we collect a large dataset of messages using disposable email services and measure the landscape of email tracking. In the fourth part (Chapter 6), we move on to phishing websites: we implement a tool to detect squatting domains and train a machine learning model to classify phishing websites. In the fifth part (Chapter 7), we focus on credential leaks and measure what happens after targets' credentials are leaked, monitoring potential post-phishing exploitation activity. Finally, with voice platforms such as Alexa becoming more and more popular, we ask whether new phishing and privacy concerns emerge on them; in this part (Chapter 8), we systematically assess the attack surface by measuring sensitive applications on voice assistant systems.
My thesis measures important parts of the complete process of online deception. With a deeper understanding of phishing attacks, more complete and effective defense mechanisms can be developed to mitigate attacks in various dimensions. / Doctor of Philosophy / In recent years, online deception has become a major threat to information security. The most common form of online deception starts with a phishing email, which redirects targets to a phishing website where the attacker tricks them into sharing their credentials. General phishing emails are relatively easy to recognize from both the target's and the defender's perspective: they usually come from strange addresses, their content is very generic, and they arrive in large volume. However, the online deception that causes significant consequences is usually spear phishing. Spear-phishing emails come in very small volume, target a small audience, sometimes impersonate a trusted entity, and use very specific content to redirect targets to a phishing website where the attacker tricks them into sharing their credentials. Sometimes attackers use domain impersonation techniques to make the phishing website even more convincing.
In this thesis, we measure the entire process. Starting from phishing emails, we examine anti-spoofing protocols, analyze email services' policies and warnings towards spoofed emails, and measure the email tracking ecosystem. For phishing websites, we implement a tool to detect domain name impersonation and detect phishing pages using dynamic and static analysis. We also study credential sharing on phishing websites and measure what happens after targets share their credentials. Finally, we analyze potential phishing and privacy concerns on new platforms such as Alexa and Google Assistant.
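The domain-impersonation detection of Chapter 6, as an added example that is not the thesis's own tool: a small Python classifier that folds look-alike characters to their Latin targets, measures edit distance to each brand label, and flags brand names embedded in subdomains or hyphenated labels. The homoglyph table, the brand list in the demo and the naive two-label split of the registrable domain are assumptions of this example; a production detector would use the Unicode confusables data and a public-suffix list.

```python
import unicodedata

# Constructed look-alike table for this example (a real tool would load the Unicode
# confusables list). Multi-character entries are listed first so they fold before singles.
HOMOGLYPHS = [
    ("vv", "w"), ("rn", "m"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"), ("\u0441", "c"),
]


def canonical(label: str) -> str:
    """Lower-case, NFKC-normalise, then fold look-alike characters to their Latin target."""
    s = unicodedata.normalize("NFKC", label).lower()
    for src, dst in HOMOGLYPHS:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str):
    """Naive (label, tld) split of the registrable part. Assumption: no public-suffix list,
    so a brand under 'co.uk' would need extra handling."""
    parts = domain.lower().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def classify_squat(candidate: str, brands):
    """Return (kind, brand) when candidate impersonates one of the brand domains, else None.
    Kinds, checked in order: subdomain, tld, homoglyph, typo (edit distance 1), combo."""
    labels = candidate.lower().rstrip(".").split(".")
    cand_label, cand_tld = registrable(candidate)
    cand_canon = canonical(cand_label)
    for brand in brands:
        b_label, b_tld = registrable(brand)
        if (cand_label, cand_tld) == (b_label, b_tld):
            return None                            # the brand itself (including www.)
        if b_label in labels[:-2]:
            return ("subdomain", brand)            # brand.com.evil.net
        if cand_label == b_label:
            return ("tld", brand)                  # brand.net
        if cand_canon == b_label:
            return ("homoglyph", brand)            # br4nd.com, Cyrillic look-alikes
        if edit_distance(cand_canon, b_label) == 1:
            return ("typo", brand)                 # brnad.com, brand1.com
        if b_label in [t for t in cand_canon.split("-") if t]:
            return ("combo", brand)                # secure-brand.com
    return None


if __name__ == "__main__":
    brands = ["paypal.com"]                        # constructed brand list
    for d in ["www.paypal.com", "paypa1.com", "p\u0430ypal.com", "paypai.com",
              "secure-paypal.com", "paypal.com.evil.net", "paypal.net", "example.org"]:
        print(f"{d:24s} -> {classify_squat(d, brands)}")
```

The order of the checks matters: a Cyrillic "а" in the second position folds to a Latin "a" and is reported as a homoglyph rather than as a one-character typo, which is the more useful signal for an analyst.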
74 |
Cuckoo Filter Probabilistic Password Similarity Detection
Degerfeldt, Anton January 2024
Authentication in digital systems is still predominantly done through passwords. These passwords should simultaneously be easy to remember, unique, and change over time. Humans, however, have a limited ability to remember complex passwords. To make this easier, users often adopt schemes where a base word is only modified slightly. While such schemes can easily fulfil basic password requirements based on length or the symbols used, they can leave users vulnerable: leaked passwords, even expired ones, can be exploited by malicious actors, and a single compromised account can cascade to multiple services. We propose a v-gram based approach to detect similarity with a set of passwords, which could be used to improve users' password habits. The proposed scheme uses a Cuckoo Filter, which inherently obfuscates the stored passwords and allows encryption techniques to be integrated natively. The system could, for example, be embedded in a password manager to inform users when they are choosing a password that is too similar to a previous one. This work analyses several aspects of the system in order to assess its suitability. A Cuckoo Filter using a single-byte fingerprint for each v-gram can achieve load factors exceeding 95% while maintaining a false positive rate below 3%. The computational cost of guessing a password from the information stored in the filter is relatively low: the filter's false positive rate and the size of the alphabet have an impact, but the cost grows only logarithmically with them, and this attack is considered a significant vulnerability. Nevertheless, the proposed system can be a viable alternative for detecting similarity between passwords, if configured correctly, and could be used to guide users towards more secure password habits.
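The v-gram-in-a-Cuckoo-Filter scheme described above, as an added example that is not the thesis's code: a partial-key cuckoo filter with one-byte fingerprints, the v-grams of every previous password inserted as a set, and a similarity score for a candidate password computed as the fraction of its v-grams that the filter reports present. The choices v = 3, bucket size 4, 1024 buckets, 500 eviction kicks and SHA-256 as the hash are assumptions of this example.

```python
import hashlib
import random


class CuckooFilter:
    """Partial-key cuckoo filter with 1-byte fingerprints. Each item has two candidate
    buckets, i2 = i1 XOR hash(fingerprint), so an entry can be relocated knowing only its
    fingerprint. Bucket size 4 and 500 kicks are the usual choices (assumptions here)."""

    def __init__(self, num_buckets=1024, bucket_size=4, max_kicks=500, seed=0):
        assert num_buckets & (num_buckets - 1) == 0, "num_buckets must be a power of two"
        self.m, self.b, self.max_kicks = num_buckets, bucket_size, max_kicks
        self.buckets = [[] for _ in range(num_buckets)]
        self.count = 0
        self.rng = random.Random(seed)      # deterministic eviction choices

    @staticmethod
    def _fingerprint(item: bytes) -> int:
        fp = hashlib.sha256(b"fp|" + item).digest()[0]
        return fp or 1                      # fingerprints are 1..255; 0 is never stored

    def _index1(self, item: bytes) -> int:
        return int.from_bytes(hashlib.sha256(b"ix|" + item).digest()[:4], "big") % self.m

    def _alt_index(self, i: int, fp: int) -> int:
        h = int.from_bytes(hashlib.sha256(bytes([fp])).digest()[:4], "big")
        return (i ^ h) % self.m             # m is a power of two, so this is an involution

    def insert(self, item: bytes) -> bool:
        fp = self._fingerprint(item)
        i1 = self._index1(item)
        i2 = self._alt_index(i1, fp)
        for i in (i1, i2):
            if len(self.buckets[i]) < self.b:
                self.buckets[i].append(fp)
                self.count += 1
                return True
        i = self.rng.choice((i1, i2))       # both full: evict and relocate
        for _ in range(self.max_kicks):
            j = self.rng.randrange(self.b)
            fp, self.buckets[i][j] = self.buckets[i][j], fp
            i = self._alt_index(i, fp)
            if len(self.buckets[i]) < self.b:
                self.buckets[i].append(fp)
                self.count += 1
                return True
        return False                        # table is full; a displaced fingerprint is lost

    def contains(self, item: bytes) -> bool:
        fp = self._fingerprint(item)
        i1 = self._index1(item)
        return fp in self.buckets[i1] or fp in self.buckets[self._alt_index(i1, fp)]

    def load_factor(self) -> float:
        return self.count / (self.m * self.b)


def vgrams(password: str, v: int = 3) -> set:
    """Set of overlapping v-byte substrings; v = 3 is an assumption of this example."""
    p = password.encode("utf-8")
    return {p[i:i + v] for i in range(len(p) - v + 1)} if len(p) >= v else {p}


def build_filter(history, v: int = 3, **kw) -> CuckooFilter:
    """Insert every v-gram of every previous password; only fingerprints are stored."""
    cf = CuckooFilter(**kw)
    for gram in set().union(*(vgrams(pw, v) for pw in history)):
        if not cf.insert(gram):
            raise RuntimeError("filter full: increase num_buckets")
    return cf


def similarity(cf: CuckooFilter, candidate: str, v: int = 3) -> float:
    """Share of the candidate's v-grams found in the filter; near 1.0 means 'too similar'."""
    grams = vgrams(candidate, v)
    return sum(1 for g in grams if cf.contains(g)) / len(grams)


if __name__ == "__main__":
    cf = build_filter(["Summer2023!", "Tr0ub4dor&3"])       # constructed password history
    for pw in ["Summer2024!", "Summer2023!", "correct horse battery"]:
        print(f"{pw:24s} similarity {similarity(cf, pw):.2f}  load {cf.load_factor():.4f}")
```

Because the filter has no false negatives, every v-gram of an old password is found; the only error is a false positive on a v-gram that was never inserted, which slightly inflates the score of an unrelated candidate and never hides a genuinely similar one. The flip side is the attack the abstract describes: an adversary holding the filter can enumerate the alphabet one v-gram at a time and reconstruct likely passwords.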
75 |
Who uses password managers? : A study of the influence of demographic variables on the use of password managers
Andersson, Markus; Vilmusenaho, Viktor January 2020
Password managers have been available for a long time, and there is a lot of research showing that these tools are not commonly used. Their functionality helps the user both generate and save unique and strong passwords for each individual login online. We conduct a quantitative investigation in which we create a survey based on related research and a modified version of the Technology Acceptance Model. The data for our quantitative analysis were gathered by publishing the survey on the platform Reddit.com. The data were then analysed using statistical methods, and a number of statistically significant differences were found. We found that gender, geographic location, number of unique passwords and computer proficiency all had significant effects on either actual system use or the attitude towards the system. These results are evaluated by relating them to the presented theories and related research.
76 |
Usability Comparison between U2F-based Security Keys, TOTP and Plain Passwords : A Structured Literature Review
Iriarte Murgiondo, Asier January 2022
Multi-factor authentication is a term that was foreign to most people until a few years ago, but it has been around for decades in the world of computer security. In theory, its purpose is to improve the security of user authentication by adding an extra layer of security to the process. Although password authentication has been shown to be an imperfect technique, it is still the most widely used today. This research was carried out to shed light on why multi-factor authentication is not yet a fundamental pillar of security. Two promising second-factor protocols were chosen, Time-based One-time Password (TOTP) and Universal 2nd Factor (U2F), and the usability of these methods was compared together with the usability of password authentication. A Systematic Literature Review was executed to answer the research question, collecting the benefits and drawbacks of each protocol and comparing them. Although the setup and login processes of both protocols are excessively slow, the results show that U2F devices are overall more usable than TOTP, as they have a "friendlier" daily usage. But not enough data was found on TOTP to make a comparison on a solid basis.

KEYWORDS: authentication, multi-factor authentication, Universal 2nd Factor, U2F, Time-based One-time Password, TOTP, comparison, usability
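TOTP, one of the two second-factor protocols compared above, as an added example that is not part of the thesis: RFC 4226 HOTP, the RFC 6238 time-step counter on top of it, and the server-side check that a relying party needs, which tolerates one step of clock skew and refuses replay of a counter already accepted. The base32 seed in the demo is the RFC 6238 SHA-1 test seed; the window of one step and the 30-second period are the common defaults and are assumptions here.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, decimal mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits, algo)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30,
                digits: int = 6, algo=hashlib.sha1, last_counter=None):
    """Server-side check. Accepts codes for counters within +/- window (clock skew, typing
    delay), skips any counter <= last_counter (replay), and compares in constant time.
    Returns the accepted counter, to be stored as the new last_counter, or None."""
    counter = at // step
    for c in range(counter - window, counter + window + 1):
        if last_counter is not None and c <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, c, digits, algo), code):
            return c
    return None


def key_from_base32(secret: str) -> bytes:
    """Enrollment secrets are shown to users in base32 (otpauth:// URIs); strip spaces, restore padding."""
    s = secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")   # RFC 6238 SHA-1 test seed
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "valid for", 30 - now % 30, "s")
    print("accepted counter:", verify_totp(key, code, now))
```

The replay guard is the part most home-grown verifiers omit: a TOTP code is valid for the whole window, so without remembering the last accepted counter a phished code can be replayed by the attacker within the same 30 to 90 seconds.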
77 |
Measuring the impact of information security awareness on social networks through password cracking
Okesola, Julius Olatunji 12 1900
Since social networks (SNs) have become a global phenomenon in almost every industry, including airlines and banking, their security has been a major concern to most stakeholders. Several security techniques have been invented towards this but information security awareness (hereafter “awareness”) remains the most essential amongst all. This is because users, an important component of awareness, are a big problem on the SNs regardless of the technical security implemented. For SNs to improve on their awareness techniques or even determine the effectiveness of these security techniques, many measurement and evaluation techniques are in place to ascertain that controls are working as intended.
While some of these awareness measurement techniques are inexpensive, effective and efficient to some extent, they are all incident-driven as they are based on the occurrence of (an) incident(s). In addition, these awareness measurement techniques may not present a true reflection of awareness, since many cyber incidents are often not reported. Hence, they are generally adjudged to be post mortem and risk-permissive. These limitations are major and unacceptable in some industries such as insurance, airlines and banking, where the risk tolerance level is at its lowest. This study therefore aims to employ a technical method to develop a non-incident statistics approach of measuring awareness efforts. Rather than evaluating the effectiveness of awareness efforts by the success of attacks or occurrence of an event, password cracking is presented and implemented to proactively measure the impacts of awareness techniques in SNs. The research encompasses the development and implementation of an SN – sOcialistOnline, the literature review of the past related works, indirect observation (available information), survey (as a questionnaire in a quiz template), and statistical analysis. Consequently, measurement of awareness efforts is shifted from detective and corrective paradigms to preventive and anticipatory paradigms, which are the preferred information security approaches going by their proactive nature. / Engineering, Science & Technology / D. Phil (Computer Science)
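Password cracking as a proactive, non-incident measure of awareness, as an added example that is neither the sOcialistOnline implementation nor Salem's fuzzy tool above: a dictionary-plus-rules attack run against a constructed store of salted hashes, the share of accounts that survive reported as the awareness score, and a brute-force time estimate of the kind Salem's "crack time" criterion relies on. The wordlist, mangling rules, salted SHA-256 verifier format, the four sample accounts and the 1e10 guesses/s figure are all assumptions of this example.

```python
import hashlib

# Constructed wordlist and rules for the example; a real run uses a leaked-password
# corpus and a hashcat/John rule set instead (assumption).
WORDLIST = ["password", "welcome", "summer", "football", "letmein", "qwerty"]
LEET = str.maketrans("aeio", "4310")
YEARS = [str(y) for y in range(1990, 2031)]
SUFFIXES = ([""] + [str(n) for n in range(100)] + YEARS
            + [y + "!" for y in YEARS] + ["!", "1!", "123", "!23"])


def mangle(word: str):
    """Candidates a user is likely to derive from a base word: case changes, leetspeak, suffixes."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in sorted(bases):
        for suffix in SUFFIXES:
            yield base + suffix


def hash_pw(pw: str, salt: bytes) -> str:
    """Salted SHA-256 stands in for the store's verifier format (assumption). A slow KDF such
    as bcrypt, scrypt or Argon2 raises the per-guess cost but does not change the method."""
    return hashlib.sha256(salt + pw.encode("utf-8")).hexdigest()


def crack(store: dict, wordlist=WORDLIST) -> dict:
    """store: user -> (salt, hexdigest). Returns user -> recovered password for every hit."""
    candidates = [c for w in wordlist for c in mangle(w)]
    found = {}
    for user, (salt, digest) in store.items():
        for cand in candidates:              # per-user salt: one hash per candidate per user
            if hash_pw(cand, salt) == digest:
                found[user] = cand
                break
    return found


def awareness_score(store: dict, wordlist=WORDLIST):
    """Non-incident metric: fraction of accounts surviving the dictionary+rules attack, plus the hits."""
    cracked = crack(store, wordlist)
    return 1 - len(cracked) / len(store), cracked


def brute_force_seconds(pw: str, guesses_per_second: float = 1e10) -> float:
    """Exhaustive-search time for the character classes actually used. Assumptions: the
    attacker knows the length; 1e10 guesses/s is a GPU-rig rate for a fast unsalted hash."""
    charset = ((26 if any(c.islower() for c in pw) else 0)
               + (26 if any(c.isupper() for c in pw) else 0)
               + (10 if any(c.isdigit() for c in pw) else 0)
               + (33 if any(not c.isalnum() for c in pw) else 0))
    return charset ** len(pw) / guesses_per_second


def sample_store() -> dict:
    """Constructed four-account store (not real data); the salt is the username for brevity."""
    plaintext = {"alice": "Summer2023!", "bob": "P4ssw0rd", "carol": "letmein", "dave": "x9#Qv!r2Lp"}
    return {u: (u.encode(), hash_pw(p, u.encode())) for u, p in plaintext.items()}


if __name__ == "__main__":
    score, hits = awareness_score(sample_store())
    print(f"awareness score {score:.2f}; cracked: {hits}")
    for pw in ["letmein", "Summer2023!", "x9#Qv!r2Lp"]:
        print(f"{pw:12s} brute force ~{brute_force_seconds(pw):.3g} s")
```

The two numbers disagree on purpose: "Summer2023!" scores over a billion years of brute force by character-class arithmetic, yet falls to a six-word dictionary with a year-and-bang rule, which is why a measured cracking rate is a better awareness indicator than a strength meter's estimate.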
78 |
Securely Handling Inter-Application Connection Credentials
Lieberman, Gary 01 January 2012
The use of application-to-application (A2A) credentials within interpretive language scripts and application code has long been a security risk. The quandary is how to protect and secure the credentials handled in the main body of code and avoid their exploitation by rogue programmers, system administrators and other users with authorized high levels of privilege.
Researchers report that A2A credentials cannot be protected and that there is no way to reduce the risk of the inevitable successful attack and subsequent exploit. Therefore, research efforts to date have primarily been focused on mitigating the impact of the attack rather than finding ways to reduce the attack surface.
The work contained herein addresses this serious cross-cutting concern and demonstrates that it is in fact possible to significantly reduce the risk of attack. This reduction was accomplished by implementing credential obfuscation that applies advice to the credential-handling concern through a composition filter. The filter modifies messages containing the credentials as they are sent from the interpretive-language script to the remote data store.
The modification extracts the credentials from a secure password vault and inserts them into the message being sent to the remote data store. This moves the handling of the credentials out of the main body of code into a secure library, out of the reach of attackers with authorized high levels of privilege. Relocating the credential-handling code significantly reduces the attack surface and the overall risk of attack.
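The vault-backed filter architecture described above, as an added example that is not the thesis's implementation (which uses composition filters in the aspect-oriented sense): the script names its credentials by vault reference only, a filter sitting between the script and the transport resolves the references as the connect message leaves, and the plaintext never appears in the script's own objects. The in-memory vault, the `$vault:<ref>` placeholder syntax and the fake data store are constructed for this example.

```python
import re


class Vault:
    """Constructed stand-in for a secrets store. In a deployment this is a call to the vault's
    API (e.g. HashiCorp Vault, a cloud secrets manager, an OS keychain) authenticated by the
    runtime's identity rather than by anything embedded in the script (assumption)."""

    def __init__(self, secrets: dict):
        self._secrets = dict(secrets)

    def get(self, ref: str) -> str:
        return self._secrets[ref]            # KeyError on an unknown reference: fail closed


_REF = re.compile(r"^\$vault:([A-Za-z0-9_/.-]+)$")   # placeholder syntax assumed here


class CredentialFilter:
    """Filter between the script and the data store. The script's message carries
    '$vault:<ref>' placeholders; the filter resolves them on the way out, so the plaintext
    credential exists only inside this layer and the transport, never in the script body."""

    def __init__(self, vault: Vault, transport):
        self._vault, self._transport = vault, transport

    def send(self, message: dict) -> dict:
        outbound = {}
        for field, value in message.items():
            m = _REF.match(value) if isinstance(value, str) else None
            outbound[field] = self._vault.get(m.group(1)) if m else value
        return self._transport(outbound)     # the resolved dict is not returned to the caller


def fake_datastore(message: dict) -> dict:
    """Constructed remote data store: authenticates the connect message it receives."""
    ok = (message.get("user") == "app_svc"
          and message.get("password") == "s3cr3t-from-vault")
    return {"authenticated": ok}


def script_connect(channel: CredentialFilter):
    """The interpretive-language script side: it names secrets, it never holds them."""
    request = {"host": "db.internal", "database": "orders",
               "user": "$vault:app/db/user", "password": "$vault:app/db/password"}
    return channel.send(request), request


if __name__ == "__main__":
    vault = Vault({"app/db/user": "app_svc", "app/db/password": "s3cr3t-from-vault"})  # constructed
    response, request_as_seen_by_script = script_connect(CredentialFilter(vault, fake_datastore))
    print(response, request_as_seen_by_script)
```

A privileged user who dumps the script, its variables or its source sees only the references; what they gain is the ability to ask the vault on the script's behalf, which the vault's own access policy and audit log now govern instead of a string literal in the code.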
79 |
A Study of a Convenient Online Shopping Transaction Mechanism
陳逸秉 Unknown Date
This study first applies the AHP (Analytic Hierarchy Process) method to identify the significant factors affecting convenient online shopping transactions, and verifies them through in-depth interviews with experts from each industry. On the basis of the current online shopping transaction mechanism, it then strengthens the linking of information flows among the online retailer, the logistics company and the bank so as to speed up the overall online transaction process, and introduces a dynamic password (one-time password) generated by a physical token to improve the security of online transactions. The result is a convenient, secure and real-time BtoBtoC online shopping mechanism offered as a reference for industry and academia, bringing the ideal of a borderless network closer to realisation. / Under global competition, e-commerce grows vigorously day by day, and most large enterprises build some kind of internet-shopping platform. But how to build an environment that offers more convenience to users is the key to the future success of internet shopping.
So far there are many types of online transaction modes. These modes reflect the enterprises' internal procedures rather than the customers' demands. Although a complete internet-shopping transaction needs the network company, the logistics company and the bank to cooperate, consumers want one integrated service rather than three separate services. That is to say, when we plan an internet transaction procedure we must put emphasis on the customers' demands rather than on the needs of internal management, which will speed up internet shopping and reduce customer complaints.
This research uses the AHP method to find the factors that influence "the convenient internet-shopping mode" and establishes that mode, which links the information flows among the network company, logistics company and bank in order to speed up internet transactions, and uses a One-Time Password from a physical token to raise the security of network trading.
After interviewing industry experts to verify the mechanism's practicability, this research builds a more convenient, safer and faster BtoBtoC mode for business and academia to reference, and brings the ideal of a borderless network closer to realisation.
80 |
Encryption key generation from fingerprint
Burba, Donatas 13 August 2010
Only encrypted data can be treated as secure, and encryption is impossible without an encryption key. One of the best known and most widely used encryption keys is the password, but its main drawback is that it has to be remembered. Biometrics may help here, because practically everyone has unique characteristics; the main question is how to derive an encryption key from biometric data. Fingerprints are a well-known biometric characteristic used for identification and authentication, and fingerprint readers integrated into USB flash drives or laptops no longer surprise anyone.
Every fingerprint can be described by a matrix of minutiae points, and from this matrix an encryption key can be generated. But impressions of the same finger are not identical, and this must be taken into account as well. This research introduces one method of direct encryption-key generation from a fingerprint: a minutiae matrix is extracted from the fingerprint image, parameters are formed from it and passed to encryption key generators. Two products were used to build the matrices and eight generators were implemented, producing encryption keys of 64 and 128 bits. The system was tested on a prepared fingerprint set and all the results are given.