Privacy-aware web authentication protocol with recovery and revocation
Resumo
Autenticação baseada em senha é a mais utilizada para serviços web, comumente associada a endereços de email para recuperação das credenciais. Porém, este esquema apresenta várias desvantagens de segurança e privacidade. É apresentado um simples esquema de autenticação pseudônima para serviços online, através de chaves criptográficas assimétricas armazenadas em dispositivo móvel. Em comparação com outros esquemas similares, nossa proposta demanda mínima interação do usuário, permite recuperação e revogação simples das contas, e não exige nenhuma terceira-parte. É criado um protótipo para avaliar a proposta e concluímos que ela é viável e tem boas propriedades de segurança, privacidade e usabilidade.
Referências
Bonneau, J. (2012). The science of guessing: analyzing an anonymized corpus of 70 million passwords. In 2012 IEEE Symposium on Security and Privacy, pages 538–552. IEEE.
Bonneau, J., Herley, C., Van Oorschot, P. C., and Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In 2012 IEEE Symposium on Security and Privacy, pages 553–567. IEEE.
Bonneau, J. and Preibusch, S. (2010). The password thicket: Technical and market failures in human authentication on the web. In WEIS.
Borchert, B. and Günther, M. (2013). Indirect nfc-login. In ICITST, pages 204–209.
Dierks, T. and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685.
Gibson, S. (2016). Sqrl. https://www.grc.com/sqrl/sqrl.htm.
Lindemann, R., Baghdasaryan, D., and Tiffany, E. (2014). Fido universal authentication framework protocol. Version v1. 0-rd-20140209, FIDO Alliance, February.
Mansfield-Devine, S. (2015). The ashley madison affair. Network Security, 2015(9):8–16.
Percival, C. and Josefsson, S. (2016). The scrypt Password-Based Key Derivation Function. RFC 7914 (Informational).
Provos, N. and Mazières, D. (1999). Bcrypt algorithm. In Proceedings of 1999 USENIX Annual Technical Conference. USENIX.
Renaud, K. (2006). A visuo-biometric authentication mechanism for older users. In People and Computers XIX—The Bigger Picture, pages 167–182. Springer.
Saxena, N. and Watt, J. H. (2009). Authentication technologies for the blind or visually impaired. In Proceedings of the USENIX Workshop on Hot Topics in Security (HotSec), volume 9, page 130.
Stuart Schechter, A.J. Brush, S. E. (2009). It’s no secret: Measuring the security and reliability of authentication via ’secret’ questions. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, Berkeley, CA, USA. IEEE Computer Society.
van Dijk, J. (2014). A closer look at sqrl. Technical report, University of Amsterdam.
Xu, F., Han, S., Wang, Y., Zhang, J., and Li, Y. (2015). Qrtoken: Unifying authentication framework to protect user online identity. In Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on, pages 368–373. IEEE.
Yan, Q., Han, J., Li, Y., and Robert DENG, H. (2012). On limitations of designing usable leakage-resilient password systems: Attacks, principles and usability. In 19th Network and Distributed System Security Symposium (NDSS).
Bonneau, J., Herley, C., Van Oorschot, P. C., and Stajano, F. (2012). The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In 2012 IEEE Symposium on Security and Privacy, pages 553–567. IEEE.
Bonneau, J. and Preibusch, S. (2010). The password thicket: Technical and market failures in human authentication on the web. In WEIS.
Borchert, B. and Günther, M. (2013). Indirect nfc-login. In ICITST, pages 204–209.
Dierks, T. and Rescorla, E. (2008). The Transport Layer Security (TLS) Protocol Version 1.2. RFC 5246 (Proposed Standard). Updated by RFCs 5746, 5878, 6176, 7465, 7507, 7568, 7627, 7685.
Gibson, S. (2016). Sqrl. https://www.grc.com/sqrl/sqrl.htm.
Lindemann, R., Baghdasaryan, D., and Tiffany, E. (2014). Fido universal authentication framework protocol. Version v1. 0-rd-20140209, FIDO Alliance, February.
Mansfield-Devine, S. (2015). The ashley madison affair. Network Security, 2015(9):8–16.
Percival, C. and Josefsson, S. (2016). The scrypt Password-Based Key Derivation Function. RFC 7914 (Informational).
Provos, N. and Mazières, D. (1999). Bcrypt algorithm. In Proceedings of 1999 USENIX Annual Technical Conference. USENIX.
Renaud, K. (2006). A visuo-biometric authentication mechanism for older users. In People and Computers XIX—The Bigger Picture, pages 167–182. Springer.
Saxena, N. and Watt, J. H. (2009). Authentication technologies for the blind or visually impaired. In Proceedings of the USENIX Workshop on Hot Topics in Security (HotSec), volume 9, page 130.
Stuart Schechter, A.J. Brush, S. E. (2009). It’s no secret: Measuring the security and reliability of authentication via ’secret’ questions. In Proceedings of the 2009 IEEE Symposium on Security and Privacy, Berkeley, CA, USA. IEEE Computer Society.
van Dijk, J. (2014). A closer look at sqrl. Technical report, University of Amsterdam.
Xu, F., Han, S., Wang, Y., Zhang, J., and Li, Y. (2015). Qrtoken: Unifying authentication framework to protect user online identity. In Cyber Security and Cloud Computing (CSCloud), 2015 IEEE 2nd International Conference on, pages 368–373. IEEE.
Yan, Q., Han, J., Li, Y., and Robert DENG, H. (2012). On limitations of designing usable leakage-resilient password systems: Attacks, principles and usability. In 19th Network and Distributed System Security Symposium (NDSS).
Publicado
06/11/2017
Como Citar
NIEHUES, Lucas Boppre; CUSTÓDIO, Ricardo.
Privacy-aware web authentication protocol with recovery and revocation. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 17. , 2017, Brasília.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2017
.
p. 334-347.
DOI: https://doi.org/10.5753/sbseg.2017.19510.
