Beyond Passswords: Usage and Policy Transformation

The purpose of this research is to determine whether the transition to a two-factor authentication system is more secure than a system that relied only on what users “know” for authentication. While we found that factors that made passwords inherently vulnerable did not transfer to the PIN portion of a two-factor authentication system, we did find significant problems relating to usability, worker productivity, and the loss and theft of smart cards. The new authentication method has disrupted our ability to stay connected to ongoing mission issues, forced some installations to cut off remote access for their users and in one instance, caused a reserve unit to regress 10 years in their notification and recall procedures. The best-case scenario for lost productivity due to users leaving their CAC at work, in their computer, is costing 261 work years per year with an estimated cost of 10.4 million payroll dollars. Finally, the new authentication method is causing an increase in the loss or theft of CACs, our primary security mechanism for accessing DoD installations, at a rate of 28,222 a year. A single tool, such as the CAC, for all systems and services, carries much power, are we prepared for the responsibility

Cryptanalysis of an Exquisite Mutual Authentication Scheme with Key Agreement Using Smart Card

The weakness of an exquisite authentication scheme based on smart cards and passwords proposed by Liao et al. [C. H. Liao, H. C. Chen, and C. T. Wang, An Exquisite Mutual Authentication Scheme with Key Agreement Using Smart Card, Informatica, Vol. 33, No. 2, 2009, 125-132.] is analyzed. Five kinds of weakness are presented in different scenarios. The analyses show that Liao et al.’s scheme is insecure for practical application

User Authentication and Supervision in Networked Systems

This thesis considers the problem of user authentication and supervision in networked systems. The issue of user authentication is one of on-going concern in modem IT systems with the increased use of computer systems to store and provide access to sensitive information resources. While the traditional username/password login combination can be used to protect access to resources (when used appropriately), users often compromise the security that these methods can provide. While alternative (and often more secure) systems are available, these alternatives usually require expensive hardware to be purchased and integrated into IT systems. Even if alternatives are available (and financially viable), they frequently require users to authenticate in an intrusive manner (e.g. forcing a user to use a biometric technique relying on fingerprint recognition). Assuming an acceptable form of authentication is available, this still does not address the problem of on-going confidence in the users’ identity - i.e. once the user has logged in at the beginning of a session, there is usually no further confirmation of the users' identity until they logout or lock the session in which they are operating. Hence there is a significant requirement to not only improve login authentication but to also introduce the concept of continuous user supervision. Before attempting to implement a solution to the problems outlined above, a range of currently available user authentication methods are identified and evaluated. This is followed by a survey conducted to evaluate user attitudes and opinions relating to login and continuous authentication. The results reinforce perceptions regarding the weaknesses of the traditional username/password combination, and suggest that alternative techniques can be acceptable. This provides justification for the work described in the latter part o f the thesis. A number of small-scale trials are conducted to investigate alternative authentication techniques, using ImagePIN's and associative/cognitive questions. While these techniques are of an intrusive nature, they offer potential improvements as either initial login authentication methods or, as a challenge during a session to confirm the identity of the logged-in user. A potential solution to the problem of continuous user authentication is presented through the design and implementation o f a system to monitor user activity throughout a logged-in session. The effectiveness of this system is evaluated through a series of trials investigating the use of keystroke analysis using digraph, trigraph and keyword-based metrics (with the latter two methods representing novel approaches to the analysis of keystroke data). The initial trials demonstrate the viability of these techniques, whereas later trials are used to demonstrate the potential for a composite approach. The final trial described in this thesis was conducted over a three-month period with 35 trial participants and resulted in over five million samples. Due to the scope, duration, and the volume of data collected, this trial provides a significant contribution to the domain, with the use of a composite analysis method representing entirely new work. The results of these trials show that the technique of keystroke analysis is one that can be effective for the majority of users. Finally, a prototype composite authentication and response system is presented, which demonstrates how transparent, non-intrusive, continuous user authentication can be achieved

Methods for developing secure software and environments for small and medium enterprises

A thesis submitted for the degree of Master of Science by Research at the University of BedfordshireInformation Security covers activity concerned with the protection of data to ensure that information remains available, to those with rightful access, in the condition that it was originally stored or transmitted. The push to interact via electronic data is constantly increasing. Businesses are demanding that software designers find novel ways of facilitating electronic commerce, creating new business models that have only become possible with the development of the Internet. With the increase of traffic in information across the Internet, the risks associated with data have multiplied, matching the global growth in connectivity. Web application security deals with the measures taken to secure software built to promote e-commerce. Because it is necessary to accept user input across the Internet these applications carry a particular set of vulnerabilities that require a more technical approach to their mitigation. The applications themselves are usually composed of modules that interact across trust boundaries which all require hardening. Information Security governance controls how a company secures its data and that of its clients. While there are laws and standards that address the security requirement, applying them to all magnitude of businesses is difficult because the policies are biased towards large organisations in their assumptions of resources. This thesis investigates an international standard that can be used by small businesses to achieve legal compliance and a reasonable level of security. The thesis brings together a method for producing secure web applications and a checklist procedure for improving a company's data protection practices. Both offerings apply to small software production houses where there may be some overlap in role function and the pressure to meet software production deadlines can sometimes lead to a culture where security is seen as an avoidable expense

A digital identity management system

>Magister Scientiae - MScThe recent years have seen an increase in the number of users accessing online services using communication devices such as computers, mobile phones and cards based credentials such as credit cards. This has prompted most governments and business organizations to change the way they do business and manage their identity information. The coming of the online services has however made most Internet users vulnerable to identity fraud and theft. This has resulted in a subsequent increase in the number of reported cases of identity theft and fraud, which is on the increase and costing the global industry excessive amounts. Today with more powerful and effective technologies such as artificial intelligence, wireless communication, mobile storage devices and biometrics, it should be possible to come up with a more effective multi-modal authentication system to help reduce the cases of identity fraud and theft. A multi-modal digital identity management system is proposed as a solution for managing digital identity information in an effort to reduce the cases of identity fraud and theft seen on most online services today. The proposed system thus uses technologies such as artificial intelligence and biometrics on the current unsecured networks to maintain the security and privacy of users and service providers in a transparent, reliable and efficient way. In order to be authenticated in the proposed multi-modal authentication system, a user is required to submit more than one credential attribute. An artificial intelligent technology is used to implement a technique of information fusion to combine the user’s credential attributes for optimum recognition. The information fusion engine is then used to implement the required multi-modal authentication system

The IACS Cybersecurity Certification Framework (ICCF). Lessons from the 2017 study of the state of the art.

The principal goal of this report is to present the experiments of the IACS component Cybersecurity Certification Framework (ICCF) performed in 2017 by the NETs (National Exercise Teams) of several Member States, namely France, Poland and Spain. Based on real life use cases and simulations of ICCF activities, this report documents the current practices of these countries and NET members’ views in relation to IACS products cybersecurity certification. These studies have led to a series of findings that will be useful for the future of the ICCF in the context of the European Cybersecurity Certification Framework. In conclusion, a plan of action is proposed for the 2018-2019 period.JRC.E.2-Technology Innovation in Securit

A Digital Identity Management System

>Magister Scientiae - MScThe recent years have seen an increase in the number of users accessing online services using communication devices such as computers, mobile phones and cards based credentials such as credit cards. This has prompted most governments and business organizations to change the way they do business and manage their identity information. The coming of the online services has however made most Internet users vulnerable to identity fraud and theft. This has resulted in a subsequent increase in the number of reported cases of identity theft and fraud, which is on the increase and costing the global industry excessive amounts. Today with more powerful and effective technologies such as artificial intelligence, wireless communication, mobile storage devices and biometrics, it should be possible to come up with a more effective multi-modal authentication system to help reduce the cases of identity fraud and theft. A multi-modal digital identity management system IS proposed as a solution for managing digital identity information in an effort to reduce the cases of identity fraud and theft seen on most online services today. The proposed system thus uses technologies such as artificial intelligence and biometrics on the current unsecured networks to maintain the security and privacy of users and service providers in a transparent, reliable and efficient way. In order to be authenticated in the proposed multi-modal authentication system, a user is required to submit more than one credential attribute. An artificial intelligent technology is used to implement a technique of information fusion to combine the user's credential attributes for optimum recognition. The information fusion engine is then used to implement the required multi-modal authentication system