16,279 research outputs found
Actor-network procedures: Modeling multi-factor authentication, device pairing, social interactions
As computation spreads from computers to networks of computers, and migrates
into cyberspace, it ceases to be globally programmable, but it remains
programmable indirectly: network computations cannot be controlled, but they
can be steered by local constraints on network nodes. The tasks of
"programming" global behaviors through local constraints belong to the area of
security. The "program particles" that assure that a system of local
interactions leads towards some desired global goals are called security
protocols. As computation spreads beyond cyberspace, into physical and social
spaces, new security tasks and problems arise. As networks are extended by
physical sensors and controllers, including the humans, and interlaced with
social networks, the engineering concepts and techniques of computer security
blend with the social processes of security. These new connectors for
computational and social software require a new "discipline of programming" of
global behaviors through local constraints. Since the new discipline seems to
be emerging from a combination of established models of security protocols with
older methods of procedural programming, we use the name procedures for these
new connectors, that generalize protocols. In the present paper we propose
actor-networks as a formal model of computation in heterogenous networks of
computers, humans and their devices; and we introduce Procedure Derivation
Logic (PDL) as a framework for reasoning about security in actor-networks. On
the way, we survey the guiding ideas of Protocol Derivation Logic (also PDL)
that evolved through our work in security in last 10 years. Both formalisms are
geared towards graphic reasoning and tool support. We illustrate their workings
by analysing a popular form of two-factor authentication, and a multi-channel
device pairing procedure, devised for this occasion.Comment: 32 pages, 12 figures, 3 tables; journal submission; extended
references, added discussio
Acoustic Integrity Codes: Secure Device Pairing Using Short-Range Acoustic Communication
Secure Device Pairing (SDP) relies on an out-of-band channel to authenticate
devices. This requires a common hardware interface, which limits the use of
existing SDP systems. We propose to use short-range acoustic communication for
the initial pairing. Audio hardware is commonly available on existing
off-the-shelf devices and can be accessed from user space without requiring
firmware or hardware modifications. We improve upon previous approaches by
designing Acoustic Integrity Codes (AICs): a modulation scheme that provides
message authentication on the acoustic physical layer. We analyze their
security and demonstrate that we can defend against signal cancellation attacks
by designing signals with low autocorrelation. Our system can detect
overshadowing attacks using a ternary decision function with a threshold. In
our evaluation of this SDP scheme's security and robustness, we achieve a bit
error ratio below 0.1% for a net bit rate of 100 bps with a signal-to-noise
ratio (SNR) of 14 dB. Using our open-source proof-of-concept implementation on
Android smartphones, we demonstrate pairing between different smartphone
models.Comment: 11 pages, 11 figures. Published at ACM WiSec 2020 (13th ACM
Conference on Security and Privacy in Wireless and Mobile Networks). Updated
reference
ZETA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology
Reliable authentication requires the devices and
channels involved in the process to be trustworthy; otherwise
authentication secrets can easily be compromised. Given the
unceasing efforts of attackers worldwide such trustworthiness
is increasingly not a given. A variety of technical solutions,
such as utilising multiple devices/channels and verification
protocols, has the potential to mitigate the threat of untrusted
communications to a certain extent. Yet such technical solutions
make two assumptions: (1) users have access to multiple
devices and (2) attackers will not resort to hacking the human,
using social engineering techniques. In this paper, we propose
and explore the potential of using human-based computation
instead of solely technical solutions to mitigate the threat of
untrusted devices and channels. ZeTA (Zero Trust Authentication
on untrusted channels) has the potential to allow people to
authenticate despite compromised channels or communications
and easily observed usage. Our contributions are threefold:
(1) We propose the ZeTA protocol with a formal definition
and security analysis that utilises semantics and human-based
computation to ameliorate the problem of untrusted devices
and channels. (2) We outline a security analysis to assess
the envisaged performance of the proposed authentication
protocol. (3) We report on a usability study that explores the
viability of relying on human computation in this context
- …