The emperor’s new password manager: Security analysis of web-based password managers
In 23rd USENIX Security Symposium (USENIX Security 14), 2014
Cited by 8 (0 self)
CamAuth: Securing Web Authentication with Camera
Frequent password database leaks and server breaches in recent years demonstrate the aggravated security problems of web authentication that relies on passwords alone. Two-factor authentication, despite being more secure and strongly promoted, has not been widely applied to web authentication. Leveraging the unprecedented popularity of both personal mobile devices (e.g., smartphones) and barcode scanning through cameras, we explore a new horizon in the design space of two-factor authentication. In this paper, we present CamAuth, a web authentication scheme that exploits pervasive mobile devices and digital cameras to counter various password attacks, including man-in-the-middle and phishing attacks. In CamAuth, a mobile device is used as the second authentication factor to vouch for the identity of a user who is performing a web login from a PC. The device communicates directly with the PC through secure visible light communication channels, which incurs no cellular cost and is immune to radio frequency attacks. CamAuth employs public-key cryptography to ensure the security of the authentication process. We implemented a prototype system of CamAuth that consists of an Android application, a Chrome browser extension, and a Java-based web server. Our evaluation results indicate that CamAuth is a viable scheme for enhancing the security of web authentication.
Automatic Recognition, Processing and Attacking of Single Sign-On Protocols with Burp Suite
Do not trust me: Using malicious IdPs for analyzing and attacking Single Sign-On
Single Sign-On (SSO) systems simplify login procedures by using an Identity Provider (IdP) to issue authentication tokens which can be consumed by Service Providers (SPs). Traditionally, IdPs are modeled as trusted third parties. This is reasonable for SSO systems like Kerberos, MS Passport and SAML, where each SP explicitly specifies which IdP it trusts. However, in open systems like OpenID and OpenID Connect, each user may set up their own IdP, and a discovery phase is added to the protocol flow. Thus it is easy for an attacker to set up their own IdP. In this paper we use a novel approach for analyzing SSO authentication schemes by introducing a malicious IdP. With this approach we evaluate one of the most popular and widely deployed SSO protocols, OpenID. We found four novel attack classes on OpenID, which were not covered by previous research, and show their applicability to real-life implementations. As a result, we were able to compromise 11 out of 16 existing OpenID implementations like Sourceforge, Drupal and ownCloud. We automated discovery of these attacks in an open source tool, OpenID Attacker, which additionally allows fine-grained testing of all parameters in OpenID implementations. Our research helps to better understand the message flow in the OpenID protocol, trust assumptions in the different components of the system, and implementation issues in OpenID components. It is applicable to other SSO systems like OpenID Connect and SAML. All OpenID implementations have been informed about their vulnerabilities and we supported them in fixing the issues.
How to Wear Your Password
We describe a new authentication paradigm that seeks to achieve both a desirable user experience and a high level of security. We describe a potential implementation of an identity manager in the guise of a smart bracelet. This bracelet would be equipped with a low-power processor, a Bluetooth LE transmitter, an accelerometer, and a clasp that is constructed so that opening and closing it would break and close a circuit, thereby allowing automatic detection of when the bracelet is put on and taken off. For reasons of cost, design and error avoidance, the bracelet could be designed to have no user interface and no biometric sensors: all user interaction could be assisted by third-party devices, such as user phones and point-of-sale terminals. Our approach is based on the principle of physical and logical tethering of an identity manager to a user (e.g., by closing the clasp), where an identity manager represents its user's interests after an initial user authentication phase, and until the user causes a disassociation by untethering the device (e.g., by opening the clasp). The authentication phase can be based on any type of authentication, and, to allow for the greatest possible simplicity of design, can be aided by a third-party device, such as the user's cell phone. We describe the physical design, including aspects to protect against violent attacks on users. We also describe the lightweight security protocols needed for pairing, determination of user intent, and credential management, and give examples of usage scenarios, including automated login; simplified online and point-of-sale purchases; assisted appliance personalization; and automated event logging. We then overview the protocols associated with the example usage scenarios, and discuss the security implications of our proposed design.