Post on 16-Jul-2015
transcript
Why?
Watermarks; hwing; SDW; I AM MY PHONE
A password is a single authentication factor that creates an “assurance” that an individual is who they say they are.
Passwords are doomed, and hated,
and unnecessarily difficult, and
perhaps irreplaceable.
The password is a miserable authenticator
if it’s complex enough, it’s too hard to remember
if it’s simple enough, bad guys will guess it
can’t re-use them
can’t write them down
the places they are used often have surveillance systems & people with recording devices
bad guys steal huge batches of them (sort of)
disconnect between cost and true necessity
Unfortunately, no one is going to give up using
passwords. It’s all they know.
They’ve spent their lifetimes naming their pets
accordingly.
Something must be done to
SAVE the PASSWORD.
passphrases
mnemonics
strength checkers
password management tool
Single sign on
openID+
NIST tips!
life experience passwords
graphical password
drawn passwords / signatures
uSig (know the pic/have the gizmo)
questions
gestures
multi-touch gestures
tokens (have the gizmo)
e-signature (requires “device”)
Not a single scheme is dominant over passwords, i.e., does
better on one or more benefits and does at least as well on
all others. Almost all schemes do better than passwords in
some criteria…
Thus, the current state of the world is a Pareto equilibrium.
Replacing passwords with any of the schemes examined is
not a question of giving up an inferior technology for
something unarguably better, but of giving up one set of
compromises and trade-offs in exchange for another.
The Quest to Replace
Passwords: A Framework
for Comparative
Evaluation of Web
Authentication Schemes
Joseph Bonneau (University of Cambridge) / Cormac Herley (Microsoft Research) / Paul C. van Oorschot (Carleton University) / Frank Stajano (University of Cambridge)
iris
retina
fingerprint
heart rate
face
ear geometry
hand geometry
palm vein pattern
thermal signature
odor
bioimpedance
+
Physical biometrics are a miserable authenticator
people don’t want to give them up
once it’s in the wild, it’s gone
actual features identify a person, but does the digital representation adequately represent the actual feature?
vulnerable – replay attacks+
Exploring novel, not-novel and failed mechanisms for multi-factor authentication
handwriting
voice
gait
interactions like
keyboarding
touch
phone movement/position
decision-making
linguistics
app behaviors
diligence
web browsing / app switching
transportation
(method/route/speed)
outbound social behavior
+ everything else
BehavioSec
• Keyboard Capture Intervals
• Application Switching
• Touch Motion
• Mouse Motion
Others
• Stylometry
• Application start
• Search behavior
• Covert games
RSA Conference –
Asia Pacific – 2013
DARPA Active Authentication Program: Behavioral Biometrics
burstiness
length of session
average time on a page
time between revisits
genre (diffbot.com)
User Authentication from Web Browsing Behavior
Myriam Abramson (Naval Research Laboratory) / David W. Aha (Naval Research Laboratory)
Behavioral Biometrics may be better
transparent to users
can be used continuously
but
requires privacy and security by design
adequate processing for adequately complex analysis is not yet available
requires authentication unit / chip
For regular smartphone users, aggregating behavior information will be adequate to verify identity.
Our phones could “know who we are”, if we taught them to “look at our behavior”.
Rather than replacing passwords, which still have some security purposes, as well as a psychological/cultural value, in the future we could consider passwords to be the 2nd Factor – and behavioral biometrics to be the 1st Factor.
(mention the two Bs and EU Data Protection here)
a theoretical app used to brainstorm about facets of human/phone interaction and convergence
(or a real app if someone wants to develop it)
language (abbreviations, case usage, grammar, word omissions, slang, emoticons + )
keyboarding (use of autocomplete + )
errors and error correction (backspace/autocorrect)
locations / travel
app usage
gaming and in-game behavior
search behavior
phone positioning
unlock behavior
“telephone” usage (Bluetooth/speaker/handheld)
financial transactions
The role of VARIATION:
The extent to which each facet VARIES across similar and different contexts, assessed against the other facets, is itself an essential facet.
The elements of the outside world that interact with you converge on only one person.*
The way they contact you and the way you respond is an authentication factor. For today, we will call it “convergence”.
The measurable facets of “convergence” include:
how (text, email, app)
when
where
extent (“length of interaction”)
response time
* of course, there are exceptions
“Outbound interactions” are a behavioral biometric. “Inbound interactions” are not. The combination of the two can be used as an authentication factor.
The theoretical “am I me” app makes a go/no-go decision regarding allowing password submission.
The in-phone process creates “virtual images” that represent the person's range of behaviors and connections (who/how+). The images are generated over time via fly-by. Variability is critical; contrary to instinct, it is an identifying feature.
The "images" (akin to perceptual hashes) are the only aggregation point. The data does not exist as a single unit except as represented in the image.
The images are stored on the app server. Then the current/recent "image" is verified against the server images using complicated math. Based on the result, the phone attests (or doesn’t attest) to the user, and a password can be submitted.
(In-phone verification is "possible" but seems (perhaps impossibly) more vulnerable.)
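As an added sketch (not the talk's code, and not a real app), the go/no-go flow described above, on constructed sample windows and with assumed facet ranges: raw observations are reduced on the phone to a bit-vector "image" that is the only aggregation point, and the server matches the current image against enrolled ones by Hamming distance before attesting.

```python
"""Added sketch (not the talk's code): a behaviour window becomes a bit-vector
'image' (the only aggregation point) matched to enrolled images by Hamming distance."""
from statistics import mean, pstdev
# Facets from the talk's lists; the (low, high) ranges are assumed so that
# every phone quantises on the same global scale.
FACET_RANGES = {
    "reply_delay_s": (0, 600),     # convergence: response time to contacts
    "backspace_rate": (0.0, 0.5),  # errors and error correction
    "unlock_hour": (0, 24),        # unlock behaviour
    "session_min": (0, 60),        # length of session
}
BITS = 8  # per band; image = 4 facets x 2 bands x 8 bits = 64 bits

def thermometer(value, low, high, n=BITS):
    """Unary code: nearby values differ in few bits, so the image behaves
    like a perceptual hash rather than a cryptographic one."""
    level = max(0, min(n, round((value - low) / (high - low) * n)))
    return [1] * level + [0] * (n - level)

def behaviour_image(window):
    """window: facet -> raw observations. Each facet gives a 'typical level'
    band and a 'variation' band: variability is itself an identifying facet."""
    bits = []
    for facet, (low, high) in FACET_RANGES.items():
        obs = window[facet]
        bits += thermometer(mean(obs), low, high)
        bits += thermometer(pstdev(obs), 0, (high - low) / 2)
    return bits

def hamming(a, b):
    return sum(x != y for x, y in zip(a, b))

def decide(window, enrolled_images, max_distance):
    """Server-side go/no-go: the closest enrolled image decides whether the
    phone attests to the user and a password may be submitted."""
    distance = min(hamming(behaviour_image(window), e) for e in enrolled_images)
    return distance, distance <= max_distance
# Constructed sample windows (three observations per facet, for brevity).
OWNER_ENROL = [
    {"reply_delay_s": [30, 90, 60], "backspace_rate": [0.1, 0.2, 0.15],
     "unlock_hour": [8, 12, 22], "session_min": [5, 15, 10]},
    {"reply_delay_s": [45, 75, 60], "backspace_rate": [0.12, 0.18, 0.15],
     "unlock_hour": [9, 11, 22], "session_min": [6, 14, 10]},
]
OWNER_NOW = {"reply_delay_s": [40, 100, 70], "backspace_rate": [0.1, 0.25, 0.1],
             "unlock_hour": [7, 13, 22], "session_min": [5, 20, 5]}
STRANGER = {"reply_delay_s": [300, 480, 420], "backspace_rate": [0.4, 0.45, 0.35],
            "unlock_hour": [1, 2, 3], "session_min": [40, 50, 45]}
ENROLLED = [behaviour_image(w) for w in OWNER_ENROL]
```

With an assumed acceptance distance of 6 bits, `decide(OWNER_NOW, ENROLLED, 6)` allows submission and `decide(STRANGER, ENROLLED, 6)` blocks it; the server only ever sees the 64-bit images, never the raw observations.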
After here… some references and slides I didn’t use
RE THE NEED FOR AN AUTHENTICATION PROCESSING UNIT
The challenge lies in assuring the security of the completed system
and for this, experience shows that general-purpose computing
systems cannot be made secure enough to resist compromise by a
determined adversary.
Historically, special-purpose computing needs have resulted in the
development of dedicated, special-purpose computing hardware.
Early in the history of computing, the Arithmetic Logic Unit (ALU)
was developed to augment the numerical processing capabilities of
more limited general-purpose CPUs. Likewise, Graphics Processing
Units (GPUs) were developed to provide high-performance graphics
handling. Similarly, designing and implementing a hardware
“Authentication Processing Unit” (APU) implementing the principles
of authentication outlined above would be an expected outcome of
such consideration.
Principles of Authentication
Ed Talbot (UC Davis) / Sean Peisert (UC Davis and Berkeley Lab) / Matt Bishop (UC Davis) (SOUPS 2014)
Core Characteristics for Evaluating Authenticators
Bruce K. Marshall, PasswordResearch.com
Alternatives to passwords: Replacing the ubiquitous authenticator
Ron Condon, in Computer Weekly
Principles of Authentication
Ed Talbot (UC Davis) / Sean Peisert (UC Davis and Berkeley Lab) / Matt Bishop (UC Davis) (SOUPS 2014)
Who You Are by way of What You Are: Behavioral Biometric Approaches to Authentication
Michael Karlesky, Napa Sae-Bae, Katherine Isbister, Nasir Memon (NYU Polytechnic School of Engineering) (SOUPS 2014)
User Authentication from Web Browsing Behavior
Myriam Abramson (Naval Research Laboratory) / David W. Aha (Naval Research Laboratory)
The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes
Joseph Bonneau (University of Cambridge) / Cormac Herley (Microsoft Research) / Paul C. van Oorschot (Carleton University) / Frank Stajano (University of Cambridge)
DARPA Active Authentication
Website:
Abramson / Aha
The authentication problem has been addressed in the context of masquerade detection in computer security by modeling user command line sequences (Schonlau et al. 2001). In the masquerade detection problem, the task is to positively identify masqueraders but not to positively identify a particular user. Recent experiments modeling user issued OS commands as bag-of-words without timing information have obtained a 72.7% true positive rate and a 6.3% false positive rate (Salem and Stolfo 2010) on a set of 15000 commands for 70 users grouped in sets of 100 commands. In that work, a one-class support vector machine (SVM) (Schölkopf et al. 2000) was shown to produce better performance results than threshold-based comparison with a distance metric. We extend the results of this work to features of Web browsing behavior individually and in combination with an ensemble.
LATER
The goal of this study is to verify the claim that users can be authenticated from their Web browsing behavior. All experiments were conducted in the Weka machine learning workbench (Hall et al. 2009) augmented by our own ensemble algorithms.
We extracted the features of Web browsing behavior described above from each user session and aggregated them into one feature vector. A user’s dataset consisted of all sessions collected for that user. For each user, we compared the false rejection rate (FRR) (i.e., false negative rate) and the false acceptance rate (FAR) (i.e., false positive rate) for classifiers derived from each feature set and an ensemble classifier composed of classifiers based on a weighted random sample of those features. FRR results were obtained using cross-validation on the user’s dataset while FAR results were obtained by applying the classifier obtained on a dataset containing the data of all the other users.
LATER
One-class classification is pertinent in the context of classification with only positive examples where negative examples are hard to come by or do not fit into a
unique category. Some applications for one-class classification include anomaly detection, fraud detection, outlier detection, authorship verification and document
classification where categories are learned individually. The goal of one-class classification is to detect all classes that differ from the target class without knowing
them in advance. One-class classification is similar to unsupervised learning but tries to solve a discriminative problem (i.e., self or not self) rather than a
generative problem as in clustering algorithms or density estimation.
Several algorithms have been modified to perform one-class classification. We used a one-class SVM available with LibSVM (Schölkopf et al. 2000) as part of the
Weka machine learning toolbench. SVMs are large-margin classifiers that map feature vectors to a higher dimensional space using kernels based on similarity
metrics. The optimization objective in SVMs is to find a linear separating hyperplane with maximum margin between class boundaries.
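As an added example (not Abramson and Aha's code), the FRR/FAR evaluation loop from the two excerpts above, run over constructed browsing sessions built from the features the slides list (burstiness, length of session, average time on a page, time between revisits). A threshold on a distance metric, the baseline the excerpt contrasts with the one-class SVM, stands in for the SVM so the example runs without a machine-learning library; the one-class property is the same: the model is fit on the target user's sessions only.

```python
"""Added example (not Abramson/Aha's code): FRR by leave-one-out cross-validation
on the target's own sessions, FAR by applying the model to everyone else's."""
from statistics import mean, pstdev

# Browsing features from the slides; session values below are constructed.
FEATURES = ["burstiness", "session_len", "avg_page_time", "revisit_gap"]

def fit(sessions):
    """One-class model from positive examples only: per-feature mean and stdev."""
    model = {}
    for f in FEATURES:
        values = [s[f] for s in sessions]
        model[f] = (mean(values), pstdev(values) or 1.0)
    return model

def distance(model, session):
    """Mean absolute z-score of a session against the user's profile."""
    return mean([abs(session[f] - mu) / sd for f, (mu, sd) in model.items()])

def accepts(model, session, threshold):
    return distance(model, session) <= threshold

def evaluate(users, target, threshold):
    """Returns (FRR, FAR) for one target user at a given decision threshold."""
    own = users[target]
    rejected = sum(not accepts(fit(own[:i] + own[i + 1:]), s, threshold)
                   for i, s in enumerate(own))          # leave-one-out
    model = fit(own)
    others = [s for u, ss in users.items() if u != target for s in ss]
    accepted = sum(accepts(model, s, threshold) for s in others)
    return rejected / len(own), accepted / len(others)

def session(burstiness, length_min, page_time_s, revisit_gap_h):
    return dict(zip(FEATURES, (burstiness, length_min, page_time_s, revisit_gap_h)))

# Constructed data: alice is the target. dave's first session happens to
# resemble alice's habits, which is what produces the false accept.
USERS = {
    "alice": [session(0.30, 20, 45, 3), session(0.32, 22, 50, 4),
              session(0.28, 18, 40, 2), session(0.31, 21, 48, 3)],
    "bob":   [session(0.60, 5, 15, 12), session(0.55, 6, 18, 10)],
    "carol": [session(0.10, 60, 120, 1), session(0.12, 55, 110, 1)],
    "dave":  [session(0.31, 19, 44, 4), session(0.29, 60, 44, 4)],
}

if __name__ == "__main__":
    frr, far = evaluate(USERS, "alice", threshold=3.0)
    print(f"alice: FRR={frr:.2f} FAR={far:.2f}")
```

With four enrolment sessions the leave-one-out folds are harsh: holding out alice's most atypical session pushes its z-scores past the threshold, so FRR is 0.25 while one of six impostor sessions is accepted (FAR 1/6).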
Attacks
Masquerade attacks
Linkage attacks – like a database join
Graphical passwords – pattern based attacks
Abramson / Aha
Attribution is broadly defined as the assignment of an effect to a cause. We differentiate
between authentication and identification as two techniques for attribution of identity.
Authentication is defined as the verification of claimed identification (Jain, Bolle, and
Pankanti 1999). Their distinction is subtle in the sense that authentication is usually
obtained through identification. Likewise, identification can be obtained from
authentication attempts of each user in turn.
Identification involves recognition as a one-to-many matching problem while
authentication is a one-to-one matching problem. This paper focuses on the
authentication problem.
User syntactic patterns
Power Law distribution
Passwords lack integrity based on...
how difficult they are to guess, forge, or steal
or inadvertently reveal
or give away
or USE without the individual’s willing participation
Wikipedia says there are “Three categories of authentication factors”
Knowledge – things the user knows (passwords)
Possession – things the user has (card)
Inherence - things the user is (biometrics)
- physical biometrics
- behavioral biometrics
There’s at least one more: “convergence”, which is the interactions of the outside world with you.