Generating and Managing Secure Passwords for Online Accounts

User accounts at Internet services contain a multitude of personal data such as messages, documents, pictures, and payment information. Passwords are used to protect these data from unauthorized access. User authentication based on passwords has many advantages for both users and service providers. Users can use passwords across many platforms, devices, and applications and do not need to carry an additional device. Service providers can implement password-based user authentication with little effort and operate it with low cost per user. However, passwords have a key problem: the conflict between security and ease of use. For security reasons, passwords must be attack-resistant, individual for each account, and changed on a regular basis. But, these security requirements make passwords very difficult to use. They require users to create and manage a large portfolio of passwords. This poses three problems: First, the generation of attack-resistant passwords is very difficult. Second, the memorization of many passwords is practically impossible. Third, the regular change of passwords is very time-consuming. These problems are aggravated by the different password requirements, interfaces, and procedures of services. The preservation of passwords for users such as storing passwords on user devices mitigates the memorization problem, but it raises new problems: the confidentiality, availability, recoverability, and accessibility of the preserved passwords. Despite decades of research, the problems of passwords are not solved yet. Consequently, secure passwords are not usable in practice. As a result, users select weak passwords, use them across accounts, and barely change them. In this thesis, we introduce the Password Assistance System (PAS). It makes secure passwords usable for users. This is achieved by automation and comprehensive support. PAS covers all aspects of passwords. It generates, preserves, and changes passwords for users as well as ensures the confidentiality, availability, recoverability, and accessibility of the preserved passwords. This reduces the efforts and activities of users to deal with passwords to a minimum and thus enables users to practically realize secure passwords for their online accounts for the first time. PAS is the first solution that is capable of handling the different password implementations of services. This is achieved by a standardized description of password requirements, interfaces, and procedures. Moreover, PAS is solely realized on the user-side and requires no changes on the service-side. Both features ensure the practicability of PAS and make it ready to be used. PAS solves the password generation problem by creating attack-resistant, individual, and valid passwords for users automatically. Users just need to provide the URL of a service to generate an optimal password for an account. Our uniform description of password requirements provides the information to generate passwords in accordance with the individual password requirements of services. PAS is able to generate the requirements descriptions automatically by extracting the password requirements of services from their websites. So far, this was done for 185,696 services. Moreover, PAS is equipped with an optimal password-composition rule set for the event that services do not explicitly state their password requirements, which is the usual case. By means of the optimal rule set, PAS also generates attack-resistant passwords with the best possible acceptance rate in case of unknown password requirements. PAS solves the password memorization problem by preserving passwords for users. This releases users from memorizing their passwords and facilitates to use individual passwords for accounts. PAS makes users' password portfolios available on all their devices as well as automatically synchronizes changes. PAS achieves this without storing passwords at servers so that an attacker cannot steal them from servers. Moreover, PAS provides a backup solution to recover the preserved passwords in case of loss. Users need to create backups only once and do not have to update them even when their password portfolios change. Consequently, users can keep backups completely offline at secure, different, and physically isolated locations. This minimizes the risk of compromise and loss as well as enables an emergency access to the passwords for trusted persons. Moreover, PAS has a built-in revocation mechanism. It allows users to completely invalidate devices and backups in case they lose control over them. This guarantees that no passwords can be stolen from lost user devices and backups once revoked. Users always have full control of their passwords. PAS solves the password change problem by changing passwords automatically for users. Users neither need to create new passwords nor manually log in to their accounts. Our uniform description of password interfaces and procedures provides the information to change passwords at arbitrary services. Moreover, PAS is the first solution that provides autonomous password changes. It changes passwords on a regular basis with respect to the security level of passwords as well as immediately after PAS detects a compromise of users' passwords. The practicability of PAS is demonstrated by an implementation. The individual components of PAS can be used independently, integrated into other applications, and combined to a single user application, called a password assistant. In summary, this thesis presents a solution that makes secure passwords usable. This is done by automation and comprehensive support in the generation and management of passwords

Authentication and Data Protection under Strong Adversarial Model

We are interested in addressing a series of existing and plausible threats to cybersecurity where the adversary possesses unconventional attack capabilities. Such unconventionality includes, in our exploration but not limited to, crowd-sourcing, physical/juridical coercion, substantial (but bounded) computational resources, malicious insiders, etc. Our studies show that unconventional adversaries can be counteracted with a special anchor of trust and/or a paradigm shift on a case-specific basis. Complementing cryptography, hardware security primitives are the last defense in the face of co-located (physical) and privileged (software) adversaries, hence serving as the special trust anchor. Examples of hardware primitives are architecture-shipped features (e.g., with CPU or chipsets), security chips or tokens, and certain features on peripheral/storage devices. We also propose changes of paradigm in conjunction with hardware primitives, such as containing attacks instead of counteracting, pretended compliance, and immunization instead of detection/prevention. In this thesis, we demonstrate how our philosophy is applied to cope with several exemplary scenarios of unconventional threats, and elaborate on the prototype systems we have implemented. Specifically, Gracewipe is designed for stealthy and verifiable secure deletion of on-disk user secrets under coercion; Hypnoguard protects in-RAM data when a computer is in sleep (ACPI S3) in case of various memory/guessing attacks; Uvauth mitigates large-scale human-assisted guessing attacks by receiving all login attempts in an indistinguishable manner, i.e., correct credentials in a legitimate session and incorrect ones in a plausible fake session; Inuksuk is proposed to protect user files against ransomware or other authorized tampering. It augments the hardware access control on self-encrypting drives with trusted execution to achieve data immunization. We have also extended the Gracewipe scenario to a network-based enterprise environment, aiming to address slightly different threats, e.g., malicious insiders. We believe the high-level methodology of these research topics can contribute to advancing the security research under strong adversarial assumptions, and the promotion of software-hardware orchestration in protecting execution integrity therein

Lightweight KPABE Architecture Enabled in Mesh Networked Resource-Constrained IoT Devices

Internet of Things (IoT) environments are widely employed in industrial applications including intelligent transportation systems, healthcare systems, and building energy management systems. For such environments of highly sensitive data, adapting scalable and flexible communication with efficient security is vital. Research investigated wireless Ad-hoc/mesh networking, while Attribute Based Encryption (ABE) schemes have been highly recommended for IoT. However, a combined implementation of both mesh networking and Key-Policy Attribute Based Encryption (KPABE) on resource-constrained devices has been rarely addressed. Hence, in this work, an integrated system that deploys a lightweight KPABE security built on wireless mesh networking is proposed. Implementation results show that the proposed system ensures flexibility and scalability of self-forming and cooperative mesh networking in addition to a fine-grained security access structure for IoT nodes. Moreover, the work introduces a case study of an enabled scenario at a school building for optimizing energy efficiency, in which the proposed integrated system architecture is deployed on IoT sensing and actuating devices. Therefore, the encryption attributes and access policy are well-defined, and can be adopted in relevant IoT applications. 2013 IEEE.This publication was made possible by the National Priority Research Program (NPRP) grant [NPRP10-1203-160008] from the Qatar National Research Fund (a member of Qatar Foundation) and the co-funding by the IBERDROLA QSTP LLC. The publication of this article was funded by the Qatar National Library. The findings achieved herein are solely the responsibility of the authors.Scopus2-s2.0-8509909047

Platform Embedded Security Technology Revealed

Computer scienc

9th Annual Reality CLE

Meeting proceedings of a seminar by the same name, held October 14-15, 2021

Secure data storage and retrieval in cloud computing

Nowadays cloud computing has been widely recognised as one of the most inuential information technologies because of its unprecedented advantages. In spite of its widely recognised social and economic benefits, in cloud computing customers lose the direct control of their data and completely rely on the cloud to manage their data and computation, which raises significant security and privacy concerns and is one of the major barriers to the adoption of public cloud by many organisations and individuals. Therefore, it is desirable to apply practical security approaches to address the security risks for the wide adoption of cloud computing

Biometrics & [and] Security:Combining Fingerprints, Smart Cards and Cryptography

Since the beginning of this brand new century, and especially since the 2001 Sept 11 events in the U.S, several biometric technologies are considered mature enough to be a new tool for security. Generally associated to a personal device for privacy protection, biometric references are stored in secured electronic devices such as smart cards, and systems are using cryptographic tools to communicate with the smart card and securely exchange biometric data. After a general introduction about biometrics, smart cards and cryptography, a second part will introduce our work with fake finger attacks on fingerprint sensors and tests done with different materials. The third part will present our approach for a lightweight fingerprint recognition algorithm for smart cards. The fourth part will detail security protocols used in different applications such as Personal Identity Verification cards. We will discuss our implementation such as the one we developed for the NIST to be used in PIV smart cards. Finally, a fifth part will address Cryptography-Biometrics interaction. We will highlight the antagonism between Cryptography – determinism, stable data – and Biometrics – statistical, error-prone –. Then we will present our application of challenge-response protocol to biometric data for easing the fingerprint recognition process

Plugging in trust and privacy : three systems to improve widely used ecosystems

The era of touch-enabled mobile devices has fundamentally changed our communication habits. Their high usability and unlimited data plans provide the means to communicate any place, any time and lead people to publish more and more (sensitive) information. Moreover, the success of mobile devices also led to the introduction of new functionality that crucially relies on sensitive data (e.g., location-based services). With our today’s mobile devices, the Internet has become the prime source for information (e.g., news) and people need to rely on the correctness of information provided on the Internet. However, most of the involved systems are neither prepared to provide robust privacy guarantees for the users, nor do they provide users with the means to verify and trust in delivered content. This dissertation introduces three novel trust and privacy mechanisms that overcome the current situation by improving widely used ecosystems. With WebTrust we introduce a robust authenticity and integrity framework that provides users with the means to verify both the correctness and authorship of data transmitted via HTTP. X-pire! and X-pire 2.0 offer a digital expiration date for images in social networks to enforce post-publication privacy. AppGuard enables the enforcement of fine-grained privacy policies on third-party applications in Android to protect the users privacy.Heutige Mobilgeräte mit Touchscreen haben unsere Kommunikationsgewohnheiten grundlegend geändert. Ihre intuitive Benutzbarkeit gepaart mit unbegrenztem Internetzugang erlaubt es uns jederzeit und überall zu kommunizieren und führt dazu, dass immer mehr (vertrauliche) Informationen publiziert werden. Des Weiteren hat der Erfolg mobiler Geräte zur Einführung neuer Dienste die auf vertraulichen Daten aufbauen (z.B. positionsabhängige Dienste) beigetragen. Mit den aktuellen Mobilgeräten wurde zudem das Internet die wichtigste Informationsquelle (z.B. für Nachrichten) und die Nutzer müssen sich auf die Korrektheit der von dort bezogenen Daten verlassen. Allerdings bieten die involvierten Systeme weder robuste Datenschutzgarantien, noch die Möglichkeit die Korrektheit bezogener Daten zu verifizieren. Diese Dissertation führt drei neue Mechanismen für das Vertrauen und den Datenschutz ein, die die aktuelle Situation in weit verbreiteten Systemen verbessern. WebTrust, ein robustes Authentizitäts- und Integritätssystem ermöglicht es den Nutzern sowohl die Korrektheit als auch die Autorenschaft von über HTTP übertragenen Daten zu verifizieren. X-pire! und X-pire 2.0 bieten ein digitales Ablaufdatum für Bilder in sozialen Netzwerken um Daten auch nach der Publikation noch vor Zugriff durch Dritte zu schützen. AppGuard ermöglicht das Durchsetzen von feingranularen Datenschutzrichtlinien für Drittanbieteranwendungen in Android um einen angemessen Schutz der Nutzerdaten zu gewährleisten