Smart card authentication for mobile devices

While mobile handheld devices provide productivity benefits, they also pose new risks. User authentication is the best safeguard against the risk of unauthorized use and access to a device’s contents. This paper describes two novel types of smart card with unconventional form factors, designed to take advantage of common interfaces built into many current handheld devices

Boosting usability for Protecting Online Banking Applications Against APTs

With the advent of Advanced Persistent Threats (APTs) and exploits such as Eurograbber, we can no longer trust the user's PC or mobile phone to be honest in their transactions with banks. This paper reviews the current state of the art in protecting PCs from malware and APTs that can modify banking transactions, and identifies their strengths and weaknesses. It then proposes an enhanced USB device based on speech and vision. User trials with a software prototype show that such a device is both user friendly and that users are less susceptible to accepting subtly modified transaction with this device than with other vision only USB devices. Since human factors are usually the weakest point in the security chain, and are often the way that APT actors perform their attacks, the focus of the proposed solution is on improving the usability of existing USB devices. However the device is still not failsafe, and therefore may not be as preferable as Sm@rt TAN-plus that is currently used by many German banks

Using smartphones as a proxy for forensic evidence contained in cloud storage services

Cloud storage services such as Dropbox, Box and SugarSync have been embraced by both individuals and organizations. This creates an environment that is potentially conducive to security breaches and malicious activities. The investigation of these cloud environments presents new challenges for the digital forensics community. It is anticipated that smartphone devices will retain data from these storage services. Hence, this research presents a preliminary investigation into the residual artifacts created on an iOS and Android device that has accessed a cloud storage service. The contribution of this paper is twofold. First, it provides an initial assessment on the extent to which cloud storage data is stored on these client-side devices. This view acts as a proxy for data stored in the cloud. Secondly, it provides documentation on the artifacts that could be useful in a digital forensics investigation of cloud services

A Comparative Usability Study of Two-Factor Authentication

Two-factor authentication (2F) aims to enhance resilience of password-based authentication by requiring users to provide an additional authentication factor, e.g., a code generated by a security token. However, it also introduces non-negligible costs for service providers and requires users to carry out additional actions during the authentication process. In this paper, we present an exploratory comparative study of the usability of 2F technologies. First, we conduct a pre-study interview to identify popular technologies as well as contexts and motivations in which they are used. We then present the results of a quantitative study based on a survey completed by 219 Mechanical Turk users, aiming to measure the usability of three popular 2F solutions: codes generated by security tokens, one-time PINs received via email or SMS, and dedicated smartphone apps (e.g., Google Authenticator). We record contexts and motivations, and study their impact on perceived usability. We find that 2F technologies are overall perceived as usable, regardless of motivation and/or context of use. We also present an exploratory factor analysis, highlighting that three metrics -- ease-of-use, required cognitive efforts, and trustworthiness -- are enough to capture key factors affecting 2F usability.Comment: A preliminary version of this paper appears in USEC 201

Keys in the Clouds: Auditable Multi-device Access to Cryptographic Credentials

Personal cryptographic keys are the foundation of many secure services, but storing these keys securely is a challenge, especially if they are used from multiple devices. Storing keys in a centralized location, like an Internet-accessible server, raises serious security concerns (e.g. server compromise). Hardware-based Trusted Execution Environments (TEEs) are a well-known solution for protecting sensitive data in untrusted environments, and are now becoming available on commodity server platforms. Although the idea of protecting keys using a server-side TEE is straight-forward, in this paper we validate this approach and show that it enables new desirable functionality. We describe the design, implementation, and evaluation of a TEE-based Cloud Key Store (CKS), an online service for securely generating, storing, and using personal cryptographic keys. Using remote attestation, users receive strong assurance about the behaviour of the CKS, and can authenticate themselves using passwords while avoiding typical risks of password-based authentication like password theft or phishing. In addition, this design allows users to i) define policy-based access controls for keys; ii) delegate keys to other CKS users for a specified time and/or a limited number of uses; and iii) audit all key usages via a secure audit log. We have implemented a proof of concept CKS using Intel SGX and integrated this into GnuPG on Linux and OpenKeychain on Android. Our CKS implementation performs approximately 6,000 signature operations per second on a single desktop PC. The latency is in the same order of magnitude as using locally-stored keys, and 20x faster than smart cards.Comment: Extended version of a paper to appear in the 3rd Workshop on Security, Privacy, and Identity Management in the Cloud (SECPID) 201

RFC: Data flow from the MICE experiment

This article can be accessed at the link below.This document sketches out the flow of data from the MICE experiment, as I currently understand it. This includes not only illustrating the structure of the data flow, but also setting out a consistent vocabulary with which to describe it. Many aspects of this data flow are either misunderstood by me, currently undecided, not yet implemented, or simply have never been considered before; so feedback is both welcomed and essential. Background information about job submission and file storage on the Grid can be found in previous MICE Notes and the references therein. In particular the first two sections of Note 247 are meant to provide a gentle introduction to Grid data storage from the MICE perspective, and timid MICE may wish to read those first