10 research outputs found

    Securing Interactive Sessions Using Mobile Device through Visual Channel and Visual Inspection

    A communication channel established from a display to a device's camera is known as a visual channel, and it is helpful in securing key exchange protocols. In this paper, we study how the visual channel can be exploited by a network terminal and a mobile device to jointly verify information in an interactive session, and how such information can be jointly presented in a user-friendly manner, taking into account that the mobile device can only capture and display a small region, and the user may only want to authenticate selective regions of interest. Motivated by applications in kiosk computing and multi-factor authentication, we consider three security models: (1) the mobile device is trusted, (2) at most one of the terminal or the mobile device is dishonest, and (3) both the terminal and device are dishonest but they do not collude or communicate. We give two protocols and investigate them under the abovementioned models. We point out a form of replay attack that renders some other straightforward implementations cumbersome to use. To enhance user-friendliness, we propose a solution using visual cues embedded into the 2D barcodes and incorporate the framework of "augmented reality" for easy verification through visual inspection. We give a proof-of-concept implementation to show that our scheme is feasible in practice. Comment: 16 pages, 10 figures.

    Improving Direction-Giving Through Utilization of an RFID-Enabled Kiosk

    This paper presents an RFID-enabled module for an electronic kiosk physical user interface which provides personalized information retrieval. The system builds on research in direction-giving by streamlining the direction-giving phase and minimizing the introduction and closure phases, thereby providing the user with a quicker transaction for personalized information. The RFID technology also provides potential for greater security and privacy for the user of the kiosk system as compared to traditional magnetic stripe methods. The developed RFID-enabled system is built on top of a current production informational kiosk utilized for a building directory, which was used for initial testing and evaluation.

    TwoKind Authentication: Protecting Private Information in Untrustworthy Environments (Extended Version)

    We propose and evaluate TwoKind Authentication, a simple and effective technique that allows users to limit access to their private information in untrustworthy environments. Users often log in to Internet sites from insecure computers, and more recently have started divulging their email passwords to social-networking sites, thereby putting their private communications at risk. To mitigate this problem, we explore the use of multiple authenticators for the same account that are associated with specific sets of privileges. In its simplest form, TwoKind features two modes of authentication, a low and a high authenticator. By using a low authenticator, users can signal to the server they are in an untrusted environment, following which the server restricts the user's actions, including access to private data. In this paper, we seek to evaluate the effectiveness of multiple authenticators in promoting safer behavior in users. We demonstrate the effectiveness of this approach through a user experiment: we find that users make a distinction between the two authenticators and generally behave in a security-conscientious way, protecting their high authenticator a majority of the time. Our study suggests that TwoKind will be beneficial to several Internet applications, particularly if the privileges can be customized to a user's security preferences.
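The server-side mechanism the TwoKind abstract describes, as an added illustration that is not code from the paper: one account carries two independently stored authenticators, and the one that matches at login fixes the privilege set of the session. The privilege names, the PBKDF2 parameters and the sample credentials are assumptions made for this example; the paper's prototype may differ in all of them.

```python
import hashlib
import hmac
import os

# Privilege sets per authentication mode (names chosen for this example).
# The low mode deliberately excludes anything that touches private data.
PRIVILEGES = {
    "low":  {"read_public", "post_public"},
    "high": {"read_public", "post_public", "read_private", "change_password"},
}


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow password hash; iteration count is an assumption for the example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """One account, two authenticators: each password is hashed and salted
    separately, so a leaked low authenticator reveals nothing about the high one."""

    def __init__(self, username: str, low_password: str, high_password: str):
        self.username = username
        self._creds = {}
        for mode, pw in (("low", low_password), ("high", high_password)):
            salt = os.urandom(16)
            self._creds[mode] = (salt, _derive(pw, salt))

    def login(self, password: str):
        """Return the mode ("low" or "high") the supplied password unlocks, or None.
        Both authenticators are always checked so timing does not reveal which matched."""
        matched = None
        for mode, (salt, digest) in self._creds.items():
            if hmac.compare_digest(_derive(password, salt), digest):
                matched = mode
        return matched


def authorize(mode, action: str) -> bool:
    """Policy check: a session created with the low authenticator is a signal from
    the user that the terminal is untrusted, so private actions are refused."""
    return mode is not None and action in PRIVILEGES[mode]


if __name__ == "__main__":
    # Constructed sample account; passwords are placeholders for the example.
    alice = Account("alice", "kiosk-only-secret", "home-only-secret")
    for pw in ("kiosk-only-secret", "home-only-secret", "guess"):
        mode = alice.login(pw)
        print(pw, "->", mode, "read_private:", authorize(mode, "read_private"))
```

The check in `authorize` is the whole point of the scheme: the server never learns whether the terminal is actually compromised, it only honours the user's own signal, so the low privilege set must be safe to expose on a machine that is logging every keystroke.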

    Practical security for rural internet kiosks

    Rural Internet kiosks typically provide weak security guarantees and therefore cannot support secure web access or transaction-oriented applications such as banking and bill payment. We present a practical, unobtrusive and easy-to-use security architecture for rural Internet kiosks that uses a combination of physical and cryptographic mechanisms to protect user data and kiosk infrastructure. Our contributions include (a) a detailed threat analysis of rural Internet kiosks, (b) a security architecture for rural Internet kiosks that does not require any specialized hardware features in kiosks, and (c) an application-independent and backward-compatible security API for securely sending and receiving data between kiosks and the Internet that can operate over disconnection-tolerant links.

    Two Studies on The Use of Information Technology in Collaborative Planning, Forecasting & Replenishment (CPFR)

    In the 1st study, I seek to determine whether there are trends in the coverage of the use of Information Technology in CPFR in support of Supply Chain Management. I look at the way technology is studied along two dimensions. The first dimension is the function within CPFR: Planning, Forecasting or Replenishment. The second dimension is the level at which the study addresses use of the technology, whether at the Operational, Tactical or Strategic level. Within this 3x3 matrix, I seek to prove that studies would primarily fall along a line where the higher-level functions should be served by systems which have a longer-term orientation. This was broadly true, along with an emphasis on studies at the strategic level. Additionally, I find an underrepresentation of Forecasting, especially at the strategic level. The 2nd study seeks to determine the factors affecting IT system use for CPFR in the real world. I examine the factors affecting system use along two dimensions. The first is the company-level dimension. There are 3 points along the company-level dimension, defined as follows. Strategic use is defined as use by upper-level management who are interested in the long-term view of the organization and its processes and products. Tactical use of IT for CPFR includes use by middle managers at a departmental level for medium-term decision making. Operational-level IT use covers functions which directly affect individual customers and keep the business running day to day. The second dimension along which system use is examined is the functional dimension. There are 3 points along this dimension and they are defined as follows. Use of IT for Planning, based on the VICS standard, is usually, but not exclusively, under the purview of senior managers to determine what products to manufacture and the features they should have. Forecasting is done mainly by middle managers in order to move enough products at the right time, to the right places, while avoiding over-stocking each product. The Replenishment function is the actual process of moving items to the customer as they are ordered on-line or bought from the shelf. This is typically the job of operational logistics personnel such as purchasing, shipping and delivery, as well as front-line staff such as customer service, shop-floor attendants or cashiers who interface directly with customers. In examining real-world IT use for CPFR, I build on Simmonds, Haines & Li (2013), which looks at the trends and gaps in the IT literature as far as use of IT in CPFR was concerned. The aim is to determine whether the literature lines up with reality, or whether researchers are inherently biased when studying how Information Technology is used to support CPFR. A survey instrument was sent to 4000 senior managers in manufacturing and distribution companies. IT use along the STO dimension (Haines, Hough, & Haines, 2010) and its relationship with industry characteristics (clock-speed of the industry and technological orientation) will be investigated in the context of the Technology Acceptance Model (TAM) (Fred D. Davis, 1989). Product factors (such as demand variability and the luxury nature of the product) which drive IT use (Attaran & Attaran, 2007) along the PFR dimension will be investigated in the context of Task-Technology Fit Theory (Goodhue & Thompson, 1995). Intra-firm trust (Frazier, Johnson, Gavin, Gooty, & Bradley Snow, 2010) and its effect on use on the PFR dimension will be looked at with managerial influence within Innovation Diffusion theory (Rogers, 2010) as a basis. Trust issues including confidence of management in competence of workers and confidence of employees in dependability of IT

    Security, Trust and Privacy (STP) Model for Federated Identity and Access Management (FIAM) Systems

    Federated identity and access management systems allow home domain organization users to access multiple resources (services) in a foreign domain organization through a web single sign-on facility. In a federated environment the user's authentication is performed at the beginning of an authentication session, and the user is allowed to access multiple resources (services) while the current session is active. In current federated identity and access management systems the main security concerns are: (1) bidirectional integrity measurement of the home domain organization's machine platforms does not exist, (2) integrated authentication (i.e., username/password together with mutual attestation of the home domain machine platforms) is not present, and (3) resource (service) authorization in the foreign domain organization is not based on bidirectional attestation of the home domain machine platforms.

    Towards trustworthy kiosk computing

    We present a system in which a user leverages a personal mobile device to establish trust on a public computing device, or kiosk, prior to revealing personal information to that kiosk. We have designed and implemented a protocol by which the mobile device determines the identity and integrity of the software running on the kiosk. A similar protocol simultaneously allows a kiosk owner to verify that the kiosk is running only approved software. Our system combines a number of emerging security technologies, including the Trusted Platform Module, the Integrity Measurement Architecture, and new support in x86 processors for establishing a dynamic root of trust. In ongoing work, we plan to use virtual machines to support the important case where the user wishes to run personal software on the kiosk. We are also continuing to explore several open issues we have identified surrounding trust in a kiosk scenario.
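The check the mobile device performs in the kiosk abstract above, reconstructed as an added example rather than the paper's own code: the kiosk hands over its IMA measurement log and a TPM quote of PCR 10; the device replays the log's extend operations to confirm the log matches the quoted PCR, then compares every measured file against the owner's approved-software list. The log lines, the approved list and the "quoted" PCR value are all constructed here, the quote's TPM signature check is left out, and the template hash is a simplified stand-in for the real ima-ng encoding (which hashes length-prefixed fields); only the chaining and policy logic is what a verifier must actually do.

```python
import hashlib

# Approved software list: path -> expected file hash. Constructed for this example;
# in the deployment the kiosk owner publishes it and the mobile device fetches it out of band.
APPROVED = {
    "/usr/bin/kiosk-browser": "sha256:" + hashlib.sha256(b"kiosk-browser v1").hexdigest(),
    "/usr/lib/libkiosk.so":   "sha256:" + hashlib.sha256(b"libkiosk 1.0").hexdigest(),
}


def template_hash(file_hash: str, path: str) -> str:
    # Simplified ima-ng template hash (assumption): SHA-1 over file hash and path.
    # Real IMA hashes a length-prefixed encoding, but the PCR chaining below is identical.
    return hashlib.sha1(file_hash.encode() + b"\0" + path.encode()).hexdigest()


def make_entry(path: str, content: bytes) -> str:
    """Build one ascii_runtime_measurements-style line for a file with given content."""
    fh = "sha256:" + hashlib.sha256(content).hexdigest()
    return f"10 {template_hash(fh, path)} ima-ng {fh} {path}"


def parse_log(text: str):
    # Fields: PCR index, template hash, template name, file hash, path (path may contain spaces)
    entries = []
    for line in text.strip().splitlines():
        pcr, th, tmpl, fh, path = line.split(" ", 4)
        entries.append((int(pcr), th, tmpl, fh, path))
    return entries


def replay_pcr(entries, initial: str = "00" * 20) -> str:
    """Recompute PCR 10 by replaying TPM extends: PCR = SHA1(PCR || template_hash)."""
    pcr = bytes.fromhex(initial)
    for _, th, _, _, _ in entries:
        pcr = hashlib.sha1(pcr + bytes.fromhex(th)).digest()
    return pcr.hex()


def verify_kiosk(log_text: str, quoted_pcr10: str, approved: dict):
    """Return (ok, problems). ok is True only if the log is consistent with the quoted
    PCR and every measured file is on the approved list."""
    entries = parse_log(log_text)
    # 1. Log integrity: an entry the kiosk hid or edited makes the replayed value diverge
    #    from the PCR the TPM actually holds.
    if replay_pcr(entries) != quoted_pcr10:
        return False, ["measurement log does not match quoted PCR-10"]
    # 2. Policy: each entry must be self-consistent and name approved software.
    problems = []
    for _, th, _, fh, path in entries:
        if template_hash(fh, path) != th:
            problems.append(f"inconsistent entry for {path}")
        elif approved.get(path) != fh:
            problems.append(f"unapproved software: {path} {fh}")
    return (not problems), problems


# Constructed logs. A clean kiosk, and the same kiosk after a keylogger was loaded;
# the TPM extends PCR 10 for every file the kernel measured, so the attacker cannot
# present the clean log together with the real quote.
GOOD_LOG = "\n".join([
    make_entry("/usr/bin/kiosk-browser", b"kiosk-browser v1"),
    make_entry("/usr/lib/libkiosk.so", b"libkiosk 1.0"),
])
KEYLOGGER_LOG = GOOD_LOG + "\n" + make_entry("/tmp/keylog", b"evil")

# Stand-ins for the PCR value inside a TPM quote (signature verification omitted here).
QUOTED_GOOD = replay_pcr(parse_log(GOOD_LOG))
QUOTED_WITH_KEYLOGGER = replay_pcr(parse_log(KEYLOGGER_LOG))

if __name__ == "__main__":
    print(verify_kiosk(GOOD_LOG, QUOTED_GOOD, APPROVED))
    print(verify_kiosk(KEYLOGGER_LOG, QUOTED_WITH_KEYLOGGER, APPROVED))
    print(verify_kiosk(GOOD_LOG, QUOTED_WITH_KEYLOGGER, APPROVED))
```

The two failure paths are the ones that matter in practice: a compromised kiosk that reports its log honestly is caught by the approved list, and one that strips the incriminating entry is caught by the PCR replay, because the TPM already extended the value before the attacker could intervene. Without the TPM-signed quote the second check has no anchor and the log is just text the kiosk chose to show.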