32 research outputs found
Android Application for Password less Login to Web Application
Passwordless Login for Web Application? is an android application, will be used to access online internet accounts of distinct web applications and web services. The user would register with pre-requisite credentials primarily like, an email id, primary mobile number, and a unique username and a secondary mobile number. After successful registration, the user would be required to enter its registered username only. After submitting the registered username, a unique QR code will be popped up on the website. The user would scan the QR code using his/her android mobile phone. After successful scanning of QR code, the authentication and authorization procedure will be performed thereby granting secure access
Control What You Include! Server-Side Protection against Third Party Web Tracking
Third party tracking is the practice by which third parties recognize users
accross different websites as they browse the web. Recent studies show that 90%
of websites contain third party content that is tracking its users across the
web. Website developers often need to include third party content in order to
provide basic functionality. However, when a developer includes a third party
content, she cannot know whether the third party contains tracking mechanisms.
If a website developer wants to protect her users from being tracked, the only
solution is to exclude any third-party content, thus trading functionality for
privacy. We describe and implement a privacy-preserving web architecture that
gives website developers a control over third party tracking: developers are
able to include functionally useful third party content, the same time ensuring
that the end users are not tracked by the third parties
PALPAS - PAsswordLess PAssword Synchronization
Tools that synchronize passwords over several user devices typically store
the encrypted passwords in a central online database. For encryption, a
low-entropy, password-based key is used. Such a database may be subject to
unauthorized access which can lead to the disclosure of all passwords by an
offline brute-force attack. In this paper, we present PALPAS, a secure and
user-friendly tool that synchronizes passwords between user devices without
storing information about them centrally. The idea of PALPAS is to generate a
password from a high entropy secret shared by all devices and a random salt
value for each service. Only the salt values are stored on a server but not the
secret. The salt enables the user devices to generate the same password but is
statistically independent of the password. In order for PALPAS to generate
passwords according to different password policies, we also present a mechanism
that automatically retrieves and processes the password requirements of
services. PALPAS users need to only memorize a single password and the setup of
PALPAS on a further device demands only a one-time transfer of few static data.Comment: An extended abstract of this work appears in the proceedings of ARES
201
Analysing the Security of Google's implementation of OpenID Connect
Many millions of users routinely use their Google accounts to log in to
relying party (RP) websites supporting the Google OpenID Connect service.
OpenID Connect, a newly standardised single-sign-on protocol, builds an
identity layer on top of the OAuth 2.0 protocol, which has itself been widely
adopted to support identity management services. It adds identity management
functionality to the OAuth 2.0 system and allows an RP to obtain assurances
regarding the authenticity of an end user. A number of authors have analysed
the security of the OAuth 2.0 protocol, but whether OpenID Connect is secure in
practice remains an open question. We report on a large-scale practical study
of Google's implementation of OpenID Connect, involving forensic examination of
103 RP websites which support its use for sign-in. Our study reveals serious
vulnerabilities of a number of types, all of which allow an attacker to log in
to an RP website as a victim user. Further examination suggests that these
vulnerabilities are caused by a combination of Google's design of its OpenID
Connect service and RP developers making design decisions which sacrifice
security for simplicity of implementation. We also give practical
recommendations for both RPs and OPs to help improve the security of real world
OpenID Connect systems
Your Smart Home Can't Keep a Secret: Towards Automated Fingerprinting of IoT Traffic with Neural Networks
The IoT (Internet of Things) technology has been widely adopted in recent
years and has profoundly changed the people's daily lives. However, in the
meantime, such a fast-growing technology has also introduced new privacy
issues, which need to be better understood and measured. In this work, we look
into how private information can be leaked from network traffic generated in
the smart home network. Although researchers have proposed techniques to infer
IoT device types or user behaviors under clean experiment setup, the
effectiveness of such approaches become questionable in the complex but
realistic network environment, where common techniques like Network Address and
Port Translation (NAPT) and Virtual Private Network (VPN) are enabled. Traffic
analysis using traditional methods (e.g., through classical machine-learning
models) is much less effective under those settings, as the features picked
manually are not distinctive any more. In this work, we propose a traffic
analysis framework based on sequence-learning techniques like LSTM and
leveraged the temporal relations between packets for the attack of device
identification. We evaluated it under different environment settings (e.g.,
pure-IoT and noisy environment with multiple non-IoT devices). The results
showed our framework was able to differentiate device types with a high
accuracy. This result suggests IoT network communications pose prominent
challenges to users' privacy, even when they are protected by encryption and
morphed by the network gateway. As such, new privacy protection methods on IoT
traffic need to be developed towards mitigating this new issue
Undermining User Privacy on Mobile Devices Using AI
Over the past years, literature has shown that attacks exploiting the
microarchitecture of modern processors pose a serious threat to the privacy of
mobile phone users. This is because applications leave distinct footprints in
the processor, which can be used by malware to infer user activities. In this
work, we show that these inference attacks are considerably more practical when
combined with advanced AI techniques. In particular, we focus on profiling the
activity in the last-level cache (LLC) of ARM processors. We employ a simple
Prime+Probe based monitoring technique to obtain cache traces, which we
classify with Deep Learning methods including Convolutional Neural Networks. We
demonstrate our approach on an off-the-shelf Android phone by launching a
successful attack from an unprivileged, zeropermission App in well under a
minute. The App thereby detects running applications with an accuracy of 98%
and reveals opened websites and streaming videos by monitoring the LLC for at
most 6 seconds. This is possible, since Deep Learning compensates measurement
disturbances stemming from the inherently noisy LLC monitoring and unfavorable
cache characteristics such as random line replacement policies. In summary, our
results show that thanks to advanced AI techniques, inference attacks are
becoming alarmingly easy to implement and execute in practice. This once more
calls for countermeasures that confine microarchitectural leakage and protect
mobile phone applications, especially those valuing the privacy of their users