72 research outputs found
Android Application for Password less Login to Web Application
Passwordless Login for Web Application? is an android application, will be used to access online internet accounts of distinct web applications and web services. The user would register with pre-requisite credentials primarily like, an email id, primary mobile number, and a unique username and a secondary mobile number. After successful registration, the user would be required to enter its registered username only. After submitting the registered username, a unique QR code will be popped up on the website. The user would scan the QR code using his/her android mobile phone. After successful scanning of QR code, the authentication and authorization procedure will be performed thereby granting secure access
Nonce-based Kerberos is a Secure Delegated AKE Protocol
Kerberos is one of the most important cryptographic protocols, first because it is the basisc authentication protocol in Microsoft\u27s Active Directory and shipped with every major operating system, and second because it served as a model for all Single-Sign-On protocols (e.g. SAML, OpenID, MS Cardspace, OpenID Connect). Its security has been confirmed with several Dolev-Yao style proofs, and attacks on certain versions of the protocol have been described.
However despite its importance, despite its longevity, and despite the wealth of Dolev-Yao-style security proofs, no reduction based security proof has been published until now. This has two reasons: (1) All widely accepted formal models either deal with two-party protocols, or group key agreement protocols (where all entities have the same role), but not with 3-party protocols where each party has a different role. (2) Kerberos uses timestamps and nonces, and formal security models for timestamps are not well understood up to now.
As a step towards a full security proof of Kerberos, we target problem (1) here: We propose a variant of the Kerberos protocol, where nonces are used instead of timestamps. This requires one additional protocol message, but enables a proof in the standard Bellare-Rogaway (BR) model. The key setup and the roles of the different parties are identical to the original Kerberos protocol.
For our proof, we only require that the authenticated encryption and the message authentication code (MAC) schemes are secure. Under these assumptions we show that the probability that a client or server process oracle accepts maliciously, and the advantage of an adversary trying to distinguish a real Kerberos session key from a random value, are both negligible.
One main idea in the proof is to model the Kerberos server a a public oracle, so that we do not have to consider the security of the connection client--Kerberos. This idea is only applicable to the communication pattern adapted by Kerberos, and not to other 3-party patterns (e.g. EAP protocols)
PALPAS - PAsswordLess PAssword Synchronization
Tools that synchronize passwords over several user devices typically store
the encrypted passwords in a central online database. For encryption, a
low-entropy, password-based key is used. Such a database may be subject to
unauthorized access which can lead to the disclosure of all passwords by an
offline brute-force attack. In this paper, we present PALPAS, a secure and
user-friendly tool that synchronizes passwords between user devices without
storing information about them centrally. The idea of PALPAS is to generate a
password from a high entropy secret shared by all devices and a random salt
value for each service. Only the salt values are stored on a server but not the
secret. The salt enables the user devices to generate the same password but is
statistically independent of the password. In order for PALPAS to generate
passwords according to different password policies, we also present a mechanism
that automatically retrieves and processes the password requirements of
services. PALPAS users need to only memorize a single password and the setup of
PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES
201
Towards a threat assessment framework for apps collusion
App collusion refers to two or more apps working together to achieve a malicious goal that they otherwise would not be able to achieve individually. The permissions based security model of Android does not address this threat as it is rather limited to mitigating risks of individual apps. This paper presents a technique for quantifying the collusion threat, essentially the first step towards assessing the collusion risk. The proposed method is useful in finding the collusion candidate of interest which is critical given the high volume of Android apps available. We present our empirical analysis using a classified corpus of over 29,000 Android apps provided by Intel SecurityTM
Towards a threat assessment framework for apps collusion
App collusion refers to two or more apps working together to achieve a malicious goal that they otherwise would not be able to achieve individually. The permissions based security model of Android does not address this threat as it is rather limited to mitigating risks of individual apps. This paper presents a technique for quantifying the collusion threat, essentially the first step towards assessing the collusion risk. The proposed method is useful in finding the collusion candidate of interest which is critical given the high volume of Android apps available. We present our empirical analysis using a classified corpus of over 29,000 Android apps provided by Intel SecurityTM
- …