1,491 research outputs found
Smart card authentication for mobile devices
While mobile handheld devices provide productivity benefits, they also pose new risks. User authentication is the best safeguard against the risk of unauthorized use and access to a device’s contents. This paper describes two novel types of smart card with unconventional form factors, designed to take advantage of common interfaces built into many current handheld devices
Boosting usability for Protecting Online Banking Applications Against APTs
With the advent of Advanced Persistent Threats (APTs) and exploits such as Eurograbber, we can no longer trust the user's PC or mobile phone to be honest in their transactions with banks. This paper reviews the current state of the art in protecting PCs from malware and APTs that can modify banking transactions, and identifies their strengths and weaknesses. It then proposes an enhanced USB device based on speech and vision. User trials with a software prototype show that such a device is both user friendly and that users are less susceptible to accepting subtly modified transaction with this device than with other vision only USB devices. Since human factors are usually the weakest point in the security chain, and are often the way that APT actors perform their attacks, the focus of the proposed solution is on improving the usability of existing USB devices. However the device is still not failsafe, and therefore may not be as preferable as Sm@rt TAN-plus that is currently used by many German banks
Using smartphones as a proxy for forensic evidence contained in cloud storage services
Cloud storage services such as Dropbox, Box and SugarSync have been embraced by both individuals and organizations. This creates an environment that is potentially conducive to security breaches and malicious activities. The investigation of these cloud environments presents new challenges for the digital forensics community.
It is anticipated that smartphone devices will retain data from these storage services. Hence, this research presents a preliminary investigation into the residual artifacts created on an iOS and Android device that has accessed a cloud storage service. The contribution of this paper is twofold. First, it provides an initial assessment on the extent to which cloud storage data is stored on these client-side devices. This view acts as a proxy for data stored in the cloud. Secondly, it provides documentation on the artifacts that could be useful in a digital forensics investigation of cloud services
A Comparative Usability Study of Two-Factor Authentication
Two-factor authentication (2F) aims to enhance resilience of password-based
authentication by requiring users to provide an additional authentication
factor, e.g., a code generated by a security token. However, it also introduces
non-negligible costs for service providers and requires users to carry out
additional actions during the authentication process. In this paper, we present
an exploratory comparative study of the usability of 2F technologies. First, we
conduct a pre-study interview to identify popular technologies as well as
contexts and motivations in which they are used. We then present the results of
a quantitative study based on a survey completed by 219 Mechanical Turk users,
aiming to measure the usability of three popular 2F solutions: codes generated
by security tokens, one-time PINs received via email or SMS, and dedicated
smartphone apps (e.g., Google Authenticator). We record contexts and
motivations, and study their impact on perceived usability. We find that 2F
technologies are overall perceived as usable, regardless of motivation and/or
context of use. We also present an exploratory factor analysis, highlighting
that three metrics -- ease-of-use, required cognitive efforts, and
trustworthiness -- are enough to capture key factors affecting 2F usability.Comment: A preliminary version of this paper appears in USEC 201
Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials
Personal cryptographic keys are the foundation of many secure services, but
storing these keys securely is a challenge, especially if they are used from
multiple devices. Storing keys in a centralized location, like an
Internet-accessible server, raises serious security concerns (e.g. server
compromise). Hardware-based Trusted Execution Environments (TEEs) are a
well-known solution for protecting sensitive data in untrusted environments,
and are now becoming available on commodity server platforms.
Although the idea of protecting keys using a server-side TEE is
straight-forward, in this paper we validate this approach and show that it
enables new desirable functionality. We describe the design, implementation,
and evaluation of a TEE-based Cloud Key Store (CKS), an online service for
securely generating, storing, and using personal cryptographic keys. Using
remote attestation, users receive strong assurance about the behaviour of the
CKS, and can authenticate themselves using passwords while avoiding typical
risks of password-based authentication like password theft or phishing. In
addition, this design allows users to i) define policy-based access controls
for keys; ii) delegate keys to other CKS users for a specified time and/or a
limited number of uses; and iii) audit all key usages via a secure audit log.
We have implemented a proof of concept CKS using Intel SGX and integrated this
into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation
performs approximately 6,000 signature operations per second on a single
desktop PC. The latency is in the same order of magnitude as using
locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on
Security, Privacy, and Identity Management in the Cloud (SECPID) 201
Recommended from our members
RFC: Data flow from the MICE experiment
This article can be accessed at the link below.This document sketches out the flow of data from the MICE experiment, as I currently understand it. This includes not only illustrating the structure of the data flow, but also setting out a consistent vocabulary with which to describe it. Many aspects of this data flow are either misunderstood by me, currently undecided, not yet implemented, or simply have never been considered before; so feedback is both welcomed and essential.
Background information about job submission and file storage on the Grid can be found in previous MICE Notes and the references therein. In particular the first two sections of Note 247 are meant to provide a gentle introduction to Grid data storage from the MICE perspective, and timid MICE may wish to read those first
- …