A Study of Online Security Practices

January 2017

abstract: Data from a total of 282 online web applications was collected, and accounts for 230 of those web applications were created in order to gather data about authentication practices, multistep authentication practices, security question practices, fallback authentication practices, and other security practices for online accounts. The account creation and data collection was done between June 2016 and April 2017. The password strengths for online accounts were analyzed and password strength data was compared to existing data. Security questions used by online accounts were evaluated for security and usability, and fallback authentication practices were assessed based on their adherence to best practices. Alternative authentication schemes were examined, and other security considerations such as use of HTTPS and CAPTCHAs were explored. Based on existing data, password policies require stronger passwords in for web applications in 2017 compared to the requirements in 2010. Nevertheless, password policies for many accounts are still not adequate. About a quarter of online web applications examined use security questions, and many of the questions have usability and security concerns. Security mechanisms such as HTTPS and continuous authentication are in general not used in conjunction with security questions for most web applications, which reduces the overall security of the web application. A majority of web applications use email addresses as the login credential and the password recovery credential and do not follow best practices. About a quarter of accounts use multistep authentication and a quarter of accounts employ continuous authentication, yet most accounts fail to combine security measures for defense in depth. The overall conclusion is that some online web applications are using secure practices; however, a majority of online web applications fail to properly implement and utilize secure practices. / Dissertation/Thesis / Combination of Security Practices / Coded Account Data for 282 and 230 Web Applications / Password Recovery Statistics and Graphs / Password Policies Statistics and Graphs / Security Question Statistics and Graphs / Masters Thesis Computer Science 2017

Computer science

Web studies

Fallback Authentication

Mulitfactor Authentication

Password Policy

Primary Authentication

Security Question

Web Application

Convenient Decentralized Authentication Using Passwords

Van Der Horst, Timothy W.

10 March 2010

Passwords are a very convenient way to authenticate. In terms of simplicity and portability they are very difficult to match. Nevertheless, current password-based login mechanisms are vulnerable to phishing attacks and typically require users to create and manage a new password for each of their accounts. This research investigates the potential for indirect/decentralized approaches to improve password-based authentication. Adoption of a decentralized authentication mechanism requires the agreement between users and service providers on a trusted third party that vouches for users' identities. Email providers are the de facto trusted third parties on the Internet. Proof of email address ownership is typically required to both create an account and to reset a password when it is forgotten. Despite its shortcomings (e.g., latency, vulnerability to passive attack), this approach is a practical solution to the difficult problem of authenticating strangers on the Internet. This research utilizes this emergent, lightweight relationship with email providers to offload primary user authentication from service providers; thus reducing the need for service provider-specific passwords. Our goal is to provide decentralized authentication that maintains the convenience and portability of passwords, while improving its assurances (especially against phishing). Our first step to leverage this emergent trust, Simple Authentication for the Web (SAW), improves the security and convenience of email-based authentications and moves them from the background into the forefront, replacing need for an account-specific password. Wireless Authenticationg using Remote Passwords (WARP) adapts the principles of SAW to authentication in wireless networks. Lightweight User AUthentication (Luau) improves upon WARP and unifies user authentication across the application and network (especially wireless) layers. Our final protocol, pwdArmor, started as a simple wrapper to facilitate the use of existing databases of password verifiers in Luau, but grew into a generic middleware framework that augments the assurances of conventional password protocols.

authentication

email-based authentication

passwords

password-authenticated key exchange

single sign-on

authentication in wireless networks

Computer Sciences

ECG Authentication for Mobile Device

Arteaga Falconi, Juan Sebastian

January 2013

Mobile devices users are storing more and more private and often highly sensitive information on their mobiles. Protective measures to ensure that users of mobile devices are appropriately safeguarded are thus imperative to protect users. Traditional mobile login methods, like numerical or graphical passwords, are vulnerable to passive attacks. It is common for criminal s to gain access to victims' personal information by watching victims enter their passwords into their cellphone screens from a short distance away. With this in mind, a Biometric authentication algorithm based on electrocardiogram or ECG is proposed. In this system the user will only need to touch the ECG electrodes of the mobile device to gain access. With this authentication mode no one will be able to see the biometric pattern that is used to unlock the de vices. This will increase the protection for the users. The algorithm was tested with ten subjects from MCRlab at the University of Ottawa at different days and conditions using a two electrode ECG phone case. Several tests were performed in order to reach the best setting for the algorithm to work properly. The final results show that the system has a 1.41% of chance to accept false users and 81.82% of accepting the right users. The algorithm was also tested with 73 subjects from Physionet database and the results were around the same, which confirms the consistency of the algorithm. This is the first approach on mobile authentication using ECG biometric signals and shows a promising future for this technology to be used in mobiles.

Biometrics

ECG authentication

ECG Biometrics

ECG authentication for mobiles

ECG Identification

Biometrics for Mobiles

Mobile Authentication

Phone Authentication

ECG Phone Authentication

New authentication mechanism using certificates for big data analytic tools

Velthuis, Paul

January 2017

Companies analyse large amounts of sensitive data on clusters of machines, using a framework such as Apache Hadoop to handle inter-process communication, and big data analytic tools such as Apache Spark and Apache Flink to analyse the growing amounts of data. Big data analytic tools are mainly tested on performance and reliability. Security and authentication have not been enough considered and they lack behind. The goal of this research is to improve the authentication and security for data analytic tools.Currently, the aforementioned big data analytic tools are using Kerberos for authentication. Kerberos has difficulties in providing multi factor authentication. Attacks on Kerberos can abuse the authentication. To improve the authentication, an analysis of the authentication in Hadoop and the data analytic tools is performed. The research describes the characteristics to gain an overview of the security of Hadoop and the data analytic tools. One characteristic is that the usage of the transport layer security (TLS) for the security of data transportation. TLS usually establishes connections with certificates. Recently, certificates with a short time to live can be automatically handed out.This thesis develops new authentication mechanism using certificates for data analytic tools on clusters of machines, providing advantages over Kerberos. To evaluate the possibility to replace Kerberos, the mechanism is implemented in Spark. As a result, the new implementation provides several improvements. The certificates used for authentication are made valid with a short time to live and are thus less vulnerable to abuse. Further, the authentication mechanism solves new requirements coming from businesses, such as providing multi-factor authenticationand scalability.In this research a new authentication mechanism is developed, implemented and evaluated, giving better data protection by providing improved authentication.

Cloud Access Management

certificate on demand

Apache Spark

Apache Flink

Kerberos

transport security layer (TLS)

Authentication

Multi Factor Authentication

Authentication for data analytic tools

certificate based Spark authentication

public key encryption

distributed authentication

short valid authentication

Computer Sciences

Datavetenskap (datalogi)

Universal Hashing for Ultra-Low-Power Cryptographic Hardware Applications

Yuksel, Kaan

28 April 2004

Message Authentication Codes (MACs) are valuable tools for ensuring the integrity of messages. MACs may be built around a keyed hash function. Our main motivation was to prove that universal hash functions can be employed as underlying primitives of MACs in order to provide provable security in ultra-low-power applications such as the next generation self-powered sensor networks. The idea of using a universal hash function (NH) was explored in the construction of UMAC. This work presents three variations on NH, namely PH, PR and WH. The first hash function we propose, PH, produces a hash of length 2w and is shown to be 2^(-w)-almost universal. The other two hash functions, i.e. PR and WH, reach optimality and are proven to be universal hash functions with half the hash length of w. In addition, these schemes are simple enough to allow for efficient constructions. To the best of our knowledge the proposed hash functions are the first ones specifically designed for low-power hardware implementations. We achieve drastic power savings of up to 59% and speedup of up to 7.4 times over NH. Note that the speed improvement and the power reduction are accomplished simultaneously. Moreover, we show how the technique of multi- hashing and the Toeplitz approach can be combined to reduce the power and energy consumption even further while maintaining the same security level with a very slight increase in the amount of key material. At low frequencies the power and energy reductions are achieved simultaneously while keeping the hashing time constant. We develope formulae for estimation of leakage and dynamic power consumptions as well as energy consumption based on the frequency and the Toeplitz parameter t. We introduce a powerful method for scaling WH according to specific energy and power consumption requirements. This enables us to optimize the hash function implementation for use in ultra-low-power applications such as "Smart Dust" motes, RFIDs, and Piconet nodes. Our simulation results indicate that the implementation of WH-16 consumes only 2.95 ìW 500 kHz. It can therefore be integrated into a self- powered device. By virtue of their security and implementation features mentioned above, we believe that the proposed universal hash functions fill an important gap in cryptographic hardware applications.

self-powered

universal hashing

ultra-low-power

message authentication codes

provable security

Cryptography

Authentication

Microelectromechanical systems

Message authentication codes

Encrypt/Decrypt COMSEC Unit for Space-based Command and Telemetry Applications

Merz, Doug, Maples, Bruce

10 1900

International Telemetering Conference Proceedings / October 20-23, 2003 / Riviera Hotel and Convention Center, Las Vegas, Nevada / This paper describes the system-level architecture and design concept of a communications security (COMSEC) equipment intended for space-based low data rate (< 1 Mbps) command and telemetry applications. The COMSEC Unit is a stand-alone piece of equipment which provides decryption of uplink command and control information and encryption of downlink telemetry data. The system-level architecture is described followed by an overview of the digital design concepts and a discussion of applications. Finally, although specifically targeted for narrowband command and telemetry applications, this design approach is flexible enough to accommodate other algorithms of choice as well as operate in higher data rate applications.

Cryptography

Communications Security

Encryption

Decryption

Key

Authentication

Proposed iNET Network Security Architecture

Dukes, Renata

10 1900

ITC/USA 2009 Conference Proceedings / The Forty-Fifth Annual International Telemetering Conference and Technical Exhibition / October 26-29, 2009 / Riviera Hotel & Convention Center, Las Vegas, Nevada / Morgan State University's iNET effort is aimed at improving existing telemetry networks by developing more efficient operation and cost effectiveness. This paper develops an enhanced security architecture for the iNET environment in order to protect the network from both inside and outside adversaries. This proposed architecture addresses the key security components of confidentiality, integrity and authentication. The security design for iNET is complicated by the unique features of the telemetry application. The addition of encryption is complicated by the need for robust synchronization needed for real time operation in a high error environment.

iNET

Authentication

Confidentiality

Integrity

Network Security Architecture

Non-intrusive continuous user authentication for mobile devices

Karatzouni, Sevasti

January 2014

The modern mobile device has become an everyday tool for users and business. Technological advancements in the device itself and the networks that connect them have enabled a range of services and data access which have introduced a subsequent increased security risk. Given the latter, the security requirements need to be re-evaluated and authentication is a key countermeasure in this regard. However, it has traditionally been poorly served and would benefit from research to better understand how authentication can be provided to establish sufficient trust. This thesis investigates the security requirements of mobile devices through literature as well as acquiring the user’s perspectives. Given the findings it proposes biometric authentication as a means to establish a more trustworthy approach to user authentication and considers the applicability and topology considerations. Given the different risk and requirements, an authentication framework that offers transparent and continuous is developed. A thorough end-user evaluation of the model demonstrates many positive aspects of transparent authentication. The technical evaluation however, does raise a number of operational challenges that are difficult to achieve in a practical deployment. The research continues to model and simulate the operation of the framework in an controlled environment seeking to identify and correlate the key attributes of the system. Based upon these results and a number of novel adaptations are proposed to overcome the operational challenges and improve upon the impostor detection rate. The new approach to the framework simplifies the approach significantly and improves upon the security of the system, whilst maintaining an acceptable level of usability.

005.8

Requirements for a secure and efficientAuthentication System for a large organizationJuan Carlos

Crespo, Juan Carlos

January 2010

<p>In this thesis, a full review on what are the minimum requirements needed to perform an Authentication System is explained. While building the system we have in consideration the users of it, the security needed for each of the resources that must be accessed by the users and what methods can be applied to access to these resources.</p><p>In basics, an Authentication System is built when we need to keep track to who is entering on an organization, the bigger the organization is and the more information must be keep  safe the more complex the system will be.</p><p>Although there are other methods, I tried to keep it easy and understandable for all the possible readers. With this, the reader will understand the basics that he need to keep in mind when implementing such a system like this. The organization in mind for the system is a University that consist between twenty two thousand (22.000) and twenty five thousand (25.000) users.</p>

Authentication

Authorization

Accounting

AAA

Identification

Network Security

Enabling Efficient Passive RFID SystemsThrough Modulation Silencing

ALMA'AITAH, ABDALLAH

01 May 2013

RFID technology has attracted much attention due to its wide range of applications, such as inventory control and object tracking. Passive RFID tags are battery-less, mobile and lack intercommunication. Hence, they require a central node (the reader) to power them up, organize their replies, and read their data. In the last decade, several proposals have targeted the channel efficiency in RFID systems to improve time and power efficiencies. While such proposals achieve significant performance improvements, they are limited by the backscattering half-duplex channel in which the reader has to wait for the tag to finish its reply (even if the reply is corrupt or redundant). In this thesis, the Modulation Silencing Mechanism (MSM) is proposed as a novel full-duplex-like communication over half-duplex RFID links. With a simple additional circuit at the tag and upgraded software algorithms at the reader, the reader is capable of terminating the tag's non-useful transmissions. Consequently, we propose three schemes that utilize MSM in key application domains where the tag-reader transaction contains a considerable amount of non-useful transmissions. MSM is utilized to enhance tag identification, tag count estimation and tag authentication. First, we propose a Modulation Silencing Anti-collision (MSA) scheme that targets collision time reduction in time slotted anti-collision protocols. In MSA, the time requirements of state of the art identification protocols are significantly reduced. Moreover, we establish a backward compatibility procedure for proper identification of legacy and MSM-enabled tags. Secondly, a Variance- Modulation Silencing Estimation (VMSE) scheme is proposed to increase tag estimation accuracy and to minimize overall estimation time. Variance-to-mean ratio estimator is proposed to determine the most accurate tag count estimate. VMSE combines both, the accuracy of the variance-to-mean ratio estimator and the time efficiency of MSM and delivers rapid, accurate, and anonymous tag estimation that outperform recent estimation schemes for small and large scale tag deployment. Finally, we propose Unique Hash Sequence Authentication (UHSA) scheme for efficient tag authentication. The UHSA is based on hashed key prefetching algorithm at the reader augmented by the MSM circuitry at the tag. UHSA scheme provides higher time efficiency and robustness against tracking and compromising attacks. / Thesis (Ph.D, Electrical & Computer Engineering) -- Queen's University, 2013-04-30 12:38:44.0

Count Estimation

Anti-collision

RFID

Authentication