6 research outputs found

    ZEBRA: Zero-Effort Bilateral Recurring Authentication (Companion report)

    We describe and evaluate Zero-Effort Bilateral Recurring Authentication (ZEBRA) in our paper that appears in IEEE Symposium on Security and Privacy, May 2014. In this report we provide a more detailed comparative evaluation of ZEBRA against other related authentication schemes. The abstract of the paper follows. Common authentication methods based on passwords, tokens, or fingerprints perform one-time authentication and rely on users to log out from the computer terminal when they leave. Users often do not log out, however, which is a security risk. The most common solution, inactivity timeouts, inevitably fail security (too long a timeout) or usability (too short a timeout) goals. One solution is to authenticate users continuously while they are using the terminal and automatically log them out when they leave. Several solutions are based on user proximity, but these are not sufficient: they only confirm whether the user is nearby but not whether the user is actually using the terminal. Proposed solutions based on behavioral biometric authentication (e.g., keystroke dynamics) may not be reliable, as a recent study suggests. To address this problem we propose ZEBRA. In ZEBRA, a user wears a bracelet (with a built-in accelerometer, gyroscope, and radio) on her dominant wrist. When the user interacts with a computer terminal, the bracelet records the wrist movement, processes it, and sends it to the terminal. The terminal compares the wrist movement with the inputs it receives from the user (via keyboard and mouse), and confirms the continued presence of the user only if they correlate. Because the bracelet is on the same hand that provides inputs to the terminal, the accelerometer and gyroscope data and input events received by the terminal should correlate because their source is the same - the user's hand movement.
In our experiments ZEBRA performed continuous authentication with 85% accuracy in verifying the correct user and identified all adversaries within 11 s. For a different threshold that trades security for usability, ZEBRA correctly verified 90% of users and identified all adversaries within 50 seconds

    Building Trust Networks

    The common agreement in the industry is that the Public Key Infrastructure is complex and expensive. From the year 1976 with the introduction of public key cryptography and the introduction of PKI concept in 1977 a lot of scientific resources have been spent on creation of usable key exchange systems and concepts to build trust networks. Most EU Member States have implemented their own national Public Key Infrastructure solutions mainly to enable strong authentication of citizens. They are however not the only systems within the EU to utilize PKI. Due to the nature of the PKI it is most convenient or suitable in an environment with stakeholders with similar agendas. This has resulted in several new PKI developments for specific purposes, within one industry or one vertical such as healthcare. Some Member States have tried to incorporate vertical needs with an all-purpose PKI solution, such as the Austrian eID card with so-called sector specific certificates (http://ec.europa.eu/idabc/en/document/4486/5584). From the CIA (Confidentiality, Integrity, Availability) triangle public key cryptography provides confidentiality and integrity. The modern world however has more requirements in environments where sensitive information is being exchanged. It is not enough to know identity of the entity trying to access the information, but to also know the entity permissions or privileges regarding the requested resource. The authorization process grants the user specific permissions to e.g. access, modify or delete resources. A pure PKI does not allow us to build complex authorization policies, and therefore some of the Member States have built (authentication and) authorization solutions on top of existing authentication infrastructures, especially in the eGovernment sector. The scientific community has also tried to solve this issue by creating extensions to the basic PKI concept, and some of these concepts have been successful.
Another problem with large-scale systems is the key distribution. Managing a large number of keys using a central solution such as PKI has proven to be problematic in certain conditions. Either there are tradeoffs in security, or problems with application support. The last issue deals with public key cryptography itself. Current cryptography relies on the fact that it provides enough security based on availability of the resources, i.e. computational power. New approaches have been introduced both scientifically and commercially by moving away from the mathematics to other areas such as quantum mechanics. This paper is a quick review on some of the existing systems and their benefits and inherent challenges as well as a short introduction to new developments in the areas of authentication, authorization and key distribution. JRC.G.6-Security technology assessmen

    Secure data communication over mobile devices in health networks.

    The continuous developments in the field of mobile computing have made it possible to use mobile devices for healthcare applications. These devices can be used by healthcare providers to collect and share patients' medical data. However, with increasing adoption of mobile devices that carry confidential data, organizations need to secure the data from unauthorized users and mobile device theft. When unencrypted data is transmitted from one device to another it faces various security threats from malicious code, unsecure networks, unauthorized access, and data theft. The objective of this research is to develop a secure data sharing solution customized for healthcare environments, which would allow authorized users to securely access and share patients' data over mobile devices. We identify the vulnerable locations in mobile communication network that can possibly be exploited by unauthorized users or malicious code to access the confidential data, and develop an efficient security protocol that provides end to end data protection without compromising device's performance. To demonstrate the feasibility of our proposed data sharing architecture, a prototype customized for Point-of-Care-Testing (POCT) scenarios was built in collaboration with Northern Health, Prince George. Simulations were performed to analyze and validate our solution against the pre-defined requirement criteria. --P. ii. The original print copy of this thesis may be available here: http://wizard.unbc.ca/record=b178382

    Policy-Driven Adaptive Protection Systems.

    PhD. The increasing number and complexity of security attacks on IT infrastructure demands for the development of protection systems capable of dealing with the security challenges of today’s highly dynamic environments. Several converging trends including mobilisation, externalisation and collaboration, virtualisation, and cloud computing are challenging traditional silo approaches to providing security. IT security policies should be considered as being inherently dynamic and flexible enough to trigger decisions efficiently and effectively taking into account not only the current execution environment of a protection system and its runtime contextual factors, but also dynamically changing the security requirements introduced by external entities in the operational environment. This research is motivated by the increasing need for security systems capable of supporting security decisions in dynamic operational environments and advocates for a policy-driven adaptive security approach. The first main contribution of this thesis is to articulate the property of specialisation in adaptive software systems and propose a novel methodological framework for the realisation of policy-driven adaptive systems capable of specialisation via adaptive policy transformation. Furthermore, this thesis proposes three distinctive novel protection mechanisms, all three mechanisms exhibit adaptation via specialisation, but each one presenting its own research novelty in its respective field. They are: 1. A Secure Execution Context Enforcement based on Activity Detection; 2. Privacy and Security Requirements Enforcement Framework in Internet-Centric Services; 3. A Context-Aware Multifactor Authentication Scheme Based On Dynamic Pin.
Along with a comprehensive study of the state of the art in policy based adaptive systems and a comparative analysis of those against the main objectives of the framework this thesis proposes, these three protection mechanisms serve as a foundation and experimental work from which core characteristics, methods, components, and other elements are analysed in detail towards the investigation and the proposition of the methodological framework presented in this thesis

    Protecting Applications with Transient Authentication

    How does a machine know who is using it? Current systems authenticate their users infrequently, and assume the user's identity does not change. Such persistent authentication is inappropriate for mobile and ubiquitous systems, where associations between people and devices are fluid and unpredictable. We solve this problem with Transient Authentication, in which a small hardware token continuously authenticates the user's presence over a short-range, wireless link. We present the four principles underlying Transient Authentication, and describe two techniques for securing applications. Applications can be protected transparently by encrypting in-memory state when the user departs and decrypting this state when the user returns. This technique is effective, requiring just under 10 seconds to protect and restore an entire machine, but indiscriminate. Instead, applications can utilize an API for Transient Authentication, protecting only sensitive state. We describe our ports of three applications---PGP, SSH, and Mozilla---to this API. Mozilla, the most complicated application we have ported, suffers less than 4% overhead in page loads in the worst case, and in typical use can be protected in less than 250 milliseconds