Presentation on theme: "Many personal devices have rich set of capabilities: sensors, communication, computing power and data storage, and they are personal. Potentially they."— Presentation transcript:
Many personal devices have rich set of capabilities: sensors, communication, computing power and data storage, and they are personal. Potentially they can aid the owners in performing authentication and securing communication. (User friendliness) + (Security) + ?
Server Terminal User smartcard (password, key) password, biometric Key, location info.
1.Personal device is trusted. Terminal untrusted. (Public Kiosk) 2.2-Factor Authentication. 3.Personal device is honest but it can be lost. (cant store sensitive data). Server Terminal User smartcard (password, key) password biometric Key, location info
TPM S. Garriss, R. Caceres, S. Berger, R Sailer, L. Doorn, X. Zhang. Trustworthy and Personalized Computing on Public kiosk, MobiSys08 Server Terminal User Personal device to verify that the kiosk has only loaded trustworthy software.
A. Oprea, D. Balfanz, G. Durfee and K.K. Smetters, Remote Terminal Application with a Mobile Trusted Device, ACSAC04 Server Terminal User tunnel connection
Personal device as OTP token. Oct 1, 2010 Server Terminal User (password, key) password Key Monetary Authority of Singapore expects banks to implement two-factor authentication at login in Internet Banking.
Using an out-of-band channel. Mobile authentication Oct 1, 2010 Server Terminal User sms (text message) password (password, OTP) OTP Can be made secure, but difficult to use.
Oct 1, 2010 Server Internet Terminal User key D.E. Clarke, B. Gassend, T. Kotwal, M. Burnside, M. Dijk, S. Devadas, and R.L. Rivest. The untrusted computer problem and camera-based authentication. International Conf. on Pervasive Computing, 2002 visual channel Using OCR to verify the messages and their signature
Oct 1, 2010 Server Internet Terminal User Image from [Sharp2006] Sharp et al, Secure Mobile Computing Via Public Terminal. key R. Sharp, J. Scott, A. Beresford, Secure Mobile Computing via Public Terminals. International Conference on Pervasive Computing, 2006
Oct 1, 2010 Server Internet Terminal User key, password key C. Fang, E.C.Chang, Securing Interactive Sessions Using Mobile Device through Visual Channel and Visual Inspection, ACSAC visual channel password Dat e acc oun t rem ark amo unt
Server User smartcard key Key Terminal
Server User key, password Key Terminal password
Server User ( k ) biometric k= H(Key, biometric) Terminal the biometric data are not stored in the server
Technical challenges in using biometric data: They are noisy. The key extracted by the cryptographic secure hash has to be consistent even under noise! – Dodis, Y., Reyzin, L., Smith, A.: Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, EUROCRYPT – Linnartz, J.-P.M.G., Tuyls, P., New shielding functions to enhance privacy and prevent misuse of biometric templates. AVBPA 2003
We can use the computing power of personal device to enhance security. Can location information help?