Identification and Authentication: Technology and Implementation Issues

Computer-based information systems in general, and Internet e-commerce and e-business systems in particular, employ many types of resources that need to be protected against access by unauthorized users. Three main components of access control are used in most information systems: identification, authentication, and authorization. In this paper we focus on authentication, which is the most problematic component. The three main approaches to user authentication are: knowledge-based, possession-based, and biometric-based. We review and compare the various authentication mechanisms of these approaches and the technology and implementation issues they involve. Our conclusion is that there is no silver bullet solution to user authentication problems. Authentication practices need improvement. Further research should lead to a better understanding of user behavior and the applied psychology aspects of computer security

User Authentication and Supervision in Networked Systems

This thesis considers the problem of user authentication and supervision in networked systems. The issue of user authentication is one of on-going concern in modem IT systems with the increased use of computer systems to store and provide access to sensitive information resources. While the traditional username/password login combination can be used to protect access to resources (when used appropriately), users often compromise the security that these methods can provide. While alternative (and often more secure) systems are available, these alternatives usually require expensive hardware to be purchased and integrated into IT systems. Even if alternatives are available (and financially viable), they frequently require users to authenticate in an intrusive manner (e.g. forcing a user to use a biometric technique relying on fingerprint recognition). Assuming an acceptable form of authentication is available, this still does not address the problem of on-going confidence in the users’ identity - i.e. once the user has logged in at the beginning of a session, there is usually no further confirmation of the users' identity until they logout or lock the session in which they are operating. Hence there is a significant requirement to not only improve login authentication but to also introduce the concept of continuous user supervision. Before attempting to implement a solution to the problems outlined above, a range of currently available user authentication methods are identified and evaluated. This is followed by a survey conducted to evaluate user attitudes and opinions relating to login and continuous authentication. The results reinforce perceptions regarding the weaknesses of the traditional username/password combination, and suggest that alternative techniques can be acceptable. This provides justification for the work described in the latter part o f the thesis. A number of small-scale trials are conducted to investigate alternative authentication techniques, using ImagePIN's and associative/cognitive questions. While these techniques are of an intrusive nature, they offer potential improvements as either initial login authentication methods or, as a challenge during a session to confirm the identity of the logged-in user. A potential solution to the problem of continuous user authentication is presented through the design and implementation o f a system to monitor user activity throughout a logged-in session. The effectiveness of this system is evaluated through a series of trials investigating the use of keystroke analysis using digraph, trigraph and keyword-based metrics (with the latter two methods representing novel approaches to the analysis of keystroke data). The initial trials demonstrate the viability of these techniques, whereas later trials are used to demonstrate the potential for a composite approach. The final trial described in this thesis was conducted over a three-month period with 35 trial participants and resulted in over five million samples. Due to the scope, duration, and the volume of data collected, this trial provides a significant contribution to the domain, with the use of a composite analysis method representing entirely new work. The results of these trials show that the technique of keystroke analysis is one that can be effective for the majority of users. Finally, a prototype composite authentication and response system is presented, which demonstrates how transparent, non-intrusive, continuous user authentication can be achieved

ONE TIME PASSWORDLESS and IP ADDRESS AUTHENTICATION METHOD for WEB APPLICATION

Penelitian yang membahas model autentikasi pengguna, mulai dari autentikasi tradisional menggunakan username dan password hingga metode multi-factor authentication telah sering dilakukan. Namun model autentikasi tersebut masih menggunakan password, dimana manusia memiki keterbatasan untuk mengingat sehingga resiko kehilangan password kerap terjadi. Selain itu pencurian data pada jaringan komputer masih marak dilakukan sehingga perlu pendekatan lain dalam autentikasi pengguna terhadap sistem.Passwordless authentication adalah model autentikasi yang mulai dikenalkan, hanya saja proses implementasinya masih terbatas. Paper ini berusaha meningkatkan metode passwordless dengan tambahan time limit, session, dan ipaddress dalam melakukan autentikasi pengguna.Hasilnya, pengguna tidak perlu membuat dan mengingat password. Pengguna cukup memanfaatkan layanan email untuk proses registrasi dan login, kemudian ip address menjamin bahwa hanya pengguna tersebut yang dapat mengakses layanan website

Improving password system effectiveness.

As computers reach more aspects of our everyday life, so too do the passwords that keep them secure. Coping with these passwords can be a problem for many individuals and organisations who have to deal with the consequences of passwords being forgotten, yet little is known of this issue. This thesis considers the effectiveness of password authentication systems for three groups of stakeholders including users, support staff, and system owners. The initial problem of how to create memorable but secure passwords is reconceptualised as how to improve password system effectiveness. Interview, questionnaire, and system log studies in BT, and experiments at UCL-CS confirm some basic hypotheses about key variables impacting performance, and show that other variables than the memorability of password content are also important which have hitherto not figured in security research and practice. Interventions based on these findings are proposed. Empirical evaluation suggests that the interventions proposed that 'redesign' the user but exclude other parts of the system would fail. Reason's (1990) Generic Error Modelling System (GEMS) is used as a basis for modelling password system performance at the level of individual users. GEMS and the Basic Elements of Production are used generalise these findings, and for the first time to model information security. This new model, "Elevation", is validated by expert review, and a modified version is presented

Cracking-Resistant Password Vaults using Natural Language Encoders

Password vaults are increasingly popular applications that store multiple passwords encrypted under a single master password that the user memorizes. A password vault can greatly reduce the burden on a user of remembering passwords, but introduces a single point of failure. An attacker that obtains a user’s encrypted vault can mount offline brute-force attacks and, if successful, compromise all of the passwords in the vault. In this paper, we investigate the construction of encrypted vaults that resist such offline cracking attacks and force attackers instead to mount online attacks. Our contributions are as follows. We present an attack and supporting analysis showing that a previous design for cracking-resistant vaults—the only one of which we are aware—actually degrades security relative to conventional password-based approaches. We then introduce a new type of secure encoding scheme that we call a natural language encoder (NLE). An NLE permits the construction of vaults which, when decrypted with the wrong master password, produce plausible-looking decoy passwords. We show how to build NLEs using existing tools from natural language processing, such as n-gram models and probabilistic context-free grammars, and evaluate their ability to generate plausible decoys. Finally, we present, implement, and evaluate a full, NLE-based cracking-resistant vault system called NoCrack

Improving Authentication for Users via Better Understanding Password Use and Abuse

Passwords are our primary form of authentication. Yet passwords are a major vulnerability for computer systems due to their predictable nature, in fact Florêncio et al., conclude that human limitations makes what is often considered to be “proper password use” impossible [52]. It is vital we improve authentication with respect to both security and usability. The aim of this research is to investigate password use and abuse in order to improve authentication for users. We investigate circulated password advice that claims to help in this security fight. We find that it is contradictory, often at odds with best practice and research findings, and can be ambiguous and taxing on users. We complete a user study investigating user and administrator perceptions of the password advice collected. We leverage knowledge of security benefits, usability and organisation costs to investigate the trade-offs that exist when security advice is enforced. To improve password systems, effective and accurate information is needed regarding the prevalence of security vulnerabilities. We develop a guessability metric which produces guessing success results that are independent of the underlying distribution of the data. We use this to prove that small password breaches can lead to major vulnerabilities to entire cohorts of other users. We also demonstrate that a tailored learning algorithm can actively learn characteristics of the passwords it is guessing, and that it can leverage this information to improve its guessing. We demonstrate that characteristics such as nationality can be derived from data and used to improve guessing, this reduces security in an online environment and potentially leaks private information about cohorts of users. Finally, we design models to quantify the effectiveness of security policies. We demonstrate the value of the NIST 2017 guidelines. We find that if an organisation is willing to bear costs on themselves, they can significantly improve usability for their end-users, and simultaneously increase their security

The Proceedings of 15th Australian Information Security Management Conference, 5-6 December, 2017, Edith Cowan University, Perth, Australia

Conference Foreword The annual Security Congress, run by the Security Research Institute at Edith Cowan University, includes the Australian Information Security and Management Conference. Now in its fifteenth year, the conference remains popular for its diverse content and mixture of technical research and discussion papers. The area of information security and management continues to be varied, as is reflected by the wide variety of subject matter covered by the papers this year. The papers cover topics from vulnerabilities in “Internet of Things” protocols through to improvements in biometric identification algorithms and surveillance camera weaknesses. The conference has drawn interest and papers from within Australia and internationally. All submitted papers were subject to a double blind peer review process. Twenty two papers were submitted from Australia and overseas, of which eighteen were accepted for final presentation and publication. We wish to thank the reviewers for kindly volunteering their time and expertise in support of this event. We would also like to thank the conference committee who have organised yet another successful congress. Events such as this are impossible without the tireless efforts of such people in reviewing and editing the conference papers, and assisting with the planning, organisation and execution of the conference. To our sponsors, also a vote of thanks for both the financial and moral support provided to the conference. Finally, thank you to the administrative and technical staff, and students of the ECU Security Research Institute for their contributions to the running of the conference

Enhancing Web Browsing Security

Web browsing has become an integral part of our lives, and we use browsers to perform many important activities almost everyday and everywhere. However, due to the vulnerabilities in Web browsers and Web applications and also due to Web users\u27 lack of security knowledge, browser-based attacks are rampant over the Internet and have caused substantial damage to both Web users and service providers. Enhancing Web browsing security is therefore of great need and importance.;This dissertation concentrates on enhancing the Web browsing security through exploring and experimenting with new approaches and software systems. Specifically, we have systematically studied four challenging Web browsing security problems: HTTP cookie management, phishing, insecure JavaScript practices, and browsing on untrusted public computers. We have proposed new approaches to address these problems, and built unique systems to validate our approaches.;To manage HTTP cookies, we have proposed an approach to automatically validate the usefulness of HTTP cookies at the client-side on behalf of users. By automatically removing useless cookies, our approach helps a user to strike an appropriate balance between maximizing usability and minimizing security risks. to protect against phishing attacks, we have proposed an approach to transparently feed a relatively large number of bogus credentials into a suspected phishing site. Using those bogus credentials, our approach conceals victims\u27 real credentials and enables a legitimate website to identify stolen credentials in a timely manner. to identify insecure JavaScript practices, we have proposed an execution-based measurement approach and performed a large-scale measurement study. Our work sheds light on the insecure JavaScript practices and especially reveals the severity and nature of insecure JavaScript inclusion and dynamic generation practices on the Web. to achieve secure and convenient Web browsing on untrusted public computers, we have proposed a simple approach that enables an extended browser on a mobile device and a regular browser on a public computer to collaboratively support a Web session. A user can securely perform sensitive interactions on the mobile device and conveniently perform other browsing interactions on the public computer

Comparing Security Risk-oriented Modelling Languages to Manage Social Engineering Risks

Manipuleerimisrünnete turvariskide juhtimine on muutumas igapäevase riskide identifitseerimise keskseks tehnikaks. Kahjuks võivad selle standardid turva-modelleerimiskeelte ja kasutajate hõlmamise toetamisel olla piiratud. See on probleem, kuna vähene mõistmine võib viia analüüsi väärtõlgenduseni. Tänapäeval toimuvad korrapäraselt ühed ja samad turvasündmused, kuid neid ei käsitleta kohaselt. See võib tuleneda sellest, et tavakasutajad ei märka nõrkusi või tõlgendavad käimasolevat riskijuhtimisprotsessi vääralt. Teadmata, mis on tavakasutajale selge ja mida tuleks parandada, ei ole ükski manipuleerimisrünnete analüüs asjakohane. Selles töös rakendatakse struktureeritud lähenemist ühe turvariskide juhtimise standardi identifitseerimisele, mida saab rakendada eri modelleerimiskeeltega. Sügavamaks analüüsiks on selles töös kasutatud eri modelleerimiskeeli, nagu äriprotsesside modelleerimiskeel (ingl BPMN), Secure Tropos ja Misuse Case. Võttes arvesse, et manipuleerimisrünnete uurimise põhiaspekt on inimeste psühhomanipulatsioon, pidas autor heaks töö illustreerimise alusmaterjaliks Kevin Mitnicki raamatut „The art of deception”. Üks juhtum on valitud lähemaks uurimiseks ja analüüsitud, kasutades infosüsteemi turvariskide haldamise (ingl ISSRM) domeenimudelit eelpool mainitud kolme turva-modelleerimiskeele rakendusega. Identifitseerimaks tavakasutajate konkreetseid kontseptsioone või loogikat ja võtmaks arvesse nende infotehnoloogiateadmiste vähesust, on see töö keskendatud modelleerimislähenemise nõrkadele külgedele manipuleerimisrünnete analüüsis. See viis tulemuseni, et kasutajad eelistavad üldisi BPMN-i konstruktsioone ja Secure Tropose kontseptsiooni. Samuti, tuginedes kogutud tulemustele, püüdsime tõmmata paralleeli kontseptsioonide mõistmise ja osalejate konstruktsioonide vahel. Protsentuaalselt olid konstruktsioonide mõistmise tulemused kontseptsioonide mõistmise tulemustest kõrgemad. Ärivara, IS-vara, oht, ründmeetod, riskihaldus, turvanõue ja kontroll on konstruktsioonide vormis kergesti identifitseeritavad. Kontseptsioonide skoor oli kõrgem järgnevais aspektides: ärivara, turvakriteerium, mõju, sündmus, nõrkus, oht, ohuagent, turvanõue.Social engineering security risk management is emerging as a central technique for dealing with identification of occurring risks on the daily basis. Unfortunately, its standards might have limitations in support with security modelling languages and comprehension of users. This is a problem because lack of understanding can cause misinterpretation of analysis. Nowadays, same security events occur periodically, but they are not treated properly. It might be because ordinary users do not see vulnerabilities or their misunderstanding of ongoing process of risk treatment. Without knowing what is clear to ordinary users and what should be improved any social engineering analysis is irrelevant. The paper applies structured approach in identification of one security risk management standard that can be applied with different modelling languages. For a more in-depth analysis in this paper considered several modelling languages as BPMN, Secure Tropos and Misuse case. Taking into account the main aspect of the study in social engineering is psychological manipulation of people, author considered as a good foundation of the illustration a book of Kevin Mitnick “The art of deception”. One case has been chosen for a further study and analysed using ISSRM domain model with application of aforementioned three security modelling languages. To identify certain concepts or logic of ordinary users and taking into account their lack of knowledge in information technology this paper has been concentrated on weaknesses of modelling approaches for social engineering analysis. This led to the result that overall BPMN constructs and Secure Tropos concepts are preferred by users. Also based on collected results, we tried to make a parallel between understanding of concepts and constructs for participants. Percentage wise understanding of constructs showed higher results than concepts. Business asset, IS asset, threat, attack method, risk treatment, security requirement and control are easily identified in the form of constructs. Concepts are have received higher score in following aspects: Business Asset, Security criterion, Impact, Event, Vulnerability, Threat, Threat agent, Security requirement