27,476 research outputs found
Assentication: User Deauthentication and Lunchtime Attack Mitigation with Seated Posture Biometric
Biometric techniques are often used as an extra security factor in
authenticating human users. Numerous biometrics have been proposed and
evaluated, each with its own set of benefits and pitfalls. Static biometrics
(such as fingerprints) are geared for discrete operation, to identify users,
which typically involves some user burden. Meanwhile, behavioral biometrics
(such as keystroke dynamics) are well suited for continuous, and sometimes more
unobtrusive, operation. One important application domain for biometrics is
deauthentication, a means of quickly detecting absence of a previously
authenticated user and immediately terminating that user's active secure
sessions. Deauthentication is crucial for mitigating so called Lunchtime
Attacks, whereby an insider adversary takes over (before any inactivity timeout
kicks in) authenticated state of a careless user who walks away from her
computer. Motivated primarily by the need for an unobtrusive and continuous
biometric to support effective deauthentication, we introduce PoPa, a new
hybrid biometric based on a human user's seated posture pattern. PoPa captures
a unique combination of physiological and behavioral traits. We describe a low
cost fully functioning prototype that involves an office chair instrumented
with 16 tiny pressure sensors. We also explore (via user experiments) how PoPa
can be used in a typical workplace to provide continuous authentication (and
deauthentication) of users. We experimentally assess viability of PoPa in terms
of uniqueness by collecting and evaluating posture patterns of a cohort of
users. Results show that PoPa exhibits very low false positive, and even lower
false negative, rates. In particular, users can be identified with, on average,
91.0% accuracy. Finally, we compare pros and cons of PoPa with those of several
prominent biometric based deauthentication techniques
Tracking Users across the Web via TLS Session Resumption
User tracking on the Internet can come in various forms, e.g., via cookies or
by fingerprinting web browsers. A technique that got less attention so far is
user tracking based on TLS and specifically based on the TLS session resumption
mechanism. To the best of our knowledge, we are the first that investigate the
applicability of TLS session resumption for user tracking. For that, we
evaluated the configuration of 48 popular browsers and one million of the most
popular websites. Moreover, we present a so-called prolongation attack, which
allows extending the tracking period beyond the lifetime of the session
resumption mechanism. To show that under the observed browser configurations
tracking via TLS session resumptions is feasible, we also looked into DNS data
to understand the longest consecutive tracking period for a user by a
particular website. Our results indicate that with the standard setting of the
session resumption lifetime in many current browsers, the average user can be
tracked for up to eight days. With a session resumption lifetime of seven days,
as recommended upper limit in the draft for TLS version 1.3, 65% of all users
in our dataset can be tracked permanently.Comment: 11 page
- …