• Save
Using a Smartphone to Access Personalised Web Services on a Workstation
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Using a Smartphone to Access Personalised Web Services on a Workstation

  • 928 views
Uploaded on

 

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
    Be the first to like this
No Downloads

Views

Total Views
928
On Slideshare
927
From Embeds
1
Number of Embeds
1

Actions

Shares
Downloads
0
Comments
0
Likes
0

Embeds 1

https://www.linkedin.com 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Faysal Boukayoua KaHo Sint-Lieven, Ghent IFIP Summer school Trento, 07/09/20111
  • 2.  Motivation  Application Overview  Implementation  Evaluation ◦ Attacks ◦ Comparison  Future work2
  • 3. Passwords  Weak security  Can be stolen by malware  Human memory limitations  No attribute provisioning3
  • 4. Smartcards  Suitable hardware required  Proliferation vs. usability  Trust in workstation (PIN)4
  • 5. Security tokens  Hardware cost  Software tokens prone to malware  Proliferation vs. usability  No selective attribute disclosure5
  • 6. 2-factor SMS authentication  Password/token mgmt  2G GSM security questionable  Part of credentials still malware-prone6
  • 7. Federated Identity  Limited user control Management  Identity provider can profile users  One identity provider per user  User impersonation  Password/token mgmt7
  • 8. More mobility & Smartphones Mobile Internetmore computers omnipresent penetration8
  • 9. Service Identity User provider provider • Ubiquitous access • Obtain reliable • Provide reliable to Web services user info user info • Security & privacy • Authenticated • Personalisation provisioning9
  • 10.  What? ◦ 2-dimensional barcodes ◦ ~ 600 bytes of data  Why? ◦ Camera common in modern phones ◦ Every workstation has a screen…10
  • 11. User Trusted module Workstation Web Server 1. Go to Web service 2. Request Web service 3. Auth challenge (QR) 4. Auth challenge (QR scan) 5. Ask for consent 6. Review & give consent alt [consent given] 7. Mutually authenticate (out-of-band) 8. Confirm authentication [else] 7. Abort11
  • 12.  Tamperproof  Strong cryptography  Secure credential storage  Giesecke & Devrient Mobile Security Card SE 1.012
  • 13. SPi IDX  Trusted module is mediator between ◦ Identity providers ◦ Service providers  Access to attributes controlled by ◦ external authorities: certificates ◦ user consent13 13
  • 14.  Privacy properties ◦ No profiling  by identity providers  by colluding providers ◦ Access control to personal information  by audit authority  by user ◦ No user impersonation14 14
  • 15.  Samsung Galaxy S  Android 2.2.1  3G connection  Trusted module in SD card slot15
  • 16.  Authentication valve as Tomcat filter  No modifications, only extensions  Required attributes list  Secure, authentic channel with trusted module16
  • 17.  Simple webservice  Attribute provisioning  Secure authentic channel with trusted module17
  • 18.  Assumptions: ◦ Trust in phone software while physically in presence of user ◦ Access control & authorisation out of scope18
  • 19.  MODEL 1: Physical control over phone. ◦ Secure credential storage ◦ Tamperproof trusted module ◦ PIN authentication ◦ Revocation19
  • 20.  MODEL 2: malware controls workstation INCLUDING browser ◦ Credentials stored on trusted module ◦ Authentication out-of-band ◦ Feedback on phone20
  • 21.  MODEL 3: malware controls workstation EXCEPT browser ◦ Credentials stored on trusted module ◦ Authentication out-of-band ◦ Feedback on phone ◦ Malware cannot make user authenticate wrong session21
  • 22.  MODEL 4: active and passive network eavesdropping From To Channel Workstation Service provider HTTP over TLS Trusted module Service provider Secure authentic on phone channel Trusted module Identity provider Secure authentic on phone channel22
  • 23. Software Hardware Our Password Smartcard token token solutionStrong security No Yes Yes Yes YesSelectiveattribute No Typically not No No YesdisclosureProliferation vs.usabilityTrust in Yes Sometimes Yes No NoworkstationChanges to No Sometimes Yes No NoworkstationMarginalhardware cost / Zero >= 0 Zero >0 Zeronew SP
  • 24. Traditional OpenID Shibboleth Windows Our authenti- Cardspace solution cationMultiple IDPs / No No No Yes YesuserProfiling bycolluding IDPs n/a Yes Yes No No& SPsPhishing Yes Yes Yes No NoattacksUser-controlled No No Using plugin Yes YesattributedisclosurePortability
  • 25.  Enforcement of trusted code in phone  Standards interoperability  Automate authentication decisions (policies)  Integration in advanced Web apps  Other short-range protocols  Detailed performance statistics  Registration, backup & revocation strategies25
  • 26. 26