Back Channels Can be Useful! – Layering Authentication Channels to Provide Covert Communication

Post on 18-Jan-2017


Transcript of Back Channels Can be Useful! – Layering Authentication Channels to Provide Covert Communication

Layering Authentication to Provide Covert Channel Communication

Authors: M. Almeshekah, M. Atallah and E. Spafford

The 21st International Workshop in Security Protocols

March 20th, 2013

21st SPW Layering Authentication to Provide Covert Communication March 19-20, 2013

Motivation

Banks traditionally provide “all-or-nothing” access.

Ideally in this situation we want at least three levels (view-only, transactions, administrative).

It’s a good idea!

Why is it not provided?

Preliminary Solution

Based on password-based authentication.

Goals:

Same interfaces.

Simple for users to remember.

Alleviate the damage of password compromise.

The user needs to choose three regular words.

No randomness requirement!


Preliminary Solution - 2

User enters her normal username and password.

Following the password the user enters a space and one of the words, depending on what message she wants to convey.

Username : Alice

Password : pass<sp>wi

Conveying Different Messages

Conveying duress or coercion:

Choosing one of these words from a defined dictionary.

Exposing Phishing:

Communicating the user’s state covertly (solicited vs. unsolicited) and indirectly alerting the server.

Alleviate the damage incurred as a result of falling for a phishing attack.

A more sophisticated system with 3rd party monitoring the user’s login requests.

Credentials Sharing.
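The password-suffix scheme from the preceding slides, worked through as an added server-side example; this is not code from the talk or the paper. It assumes the user's three words map to three states (normal, duress, solicited), stores only a PBKDF2 hash of each whole "password<sp>word" entry rather than a bare password hash, and maps the received signal onto the three access tiers named on the Motivation slide. The signal names, the policy table, the work factor and the sample password and words are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from enum import Enum

ITERATIONS = 100_000  # PBKDF2 work factor; assumed value, tune per deployment


class Signal(Enum):
    """Covert messages a user can attach to an otherwise ordinary login.
    The three states are an assumption modelled on the slides."""
    NORMAL = "normal"        # ordinary, self-initiated login
    DURESS = "duress"        # user is being coerced into logging in
    SOLICITED = "solicited"  # user was prompted to log in (e.g. followed a link)


@dataclass
class UserRecord:
    salt: bytes
    # One verifier per covert word, derived from the *whole* entry
    # "password<sp>word". No bare password hash is stored, so a server
    # breach does not hand out the password and the duress word separately.
    verifiers: dict  # derived key (bytes) -> Signal


def _derive(salt: bytes, entry: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", entry.encode("utf-8"), salt, ITERATIONS)


def enroll(password: str, words: dict) -> UserRecord:
    """Register a password and the user's chosen words (Signal -> word)."""
    chosen = list(words.values())
    if len(set(chosen)) != len(chosen):
        raise ValueError("covert words must be distinct")
    if any((not w) or any(c.isspace() for c in w) for w in chosen):
        raise ValueError("covert words must be non-empty and contain no whitespace")
    salt = os.urandom(16)
    # The whole entry is hashed, so a password containing spaces needs no
    # special splitting logic at verification time.
    verifiers = {_derive(salt, f"{password} {word}"): signal
                 for signal, word in words.items()}
    return UserRecord(salt=salt, verifiers=verifiers)


def authenticate(record: UserRecord, typed: str):
    """Verify what the user typed into the single password field.

    Returns (True, Signal) on success or (False, None) on failure. The
    interface is identical to plain password login; the word is just the
    tail of the password field, so it also survives relay through a
    phishing proxy that forwards the credentials verbatim.
    """
    derived = _derive(record.salt, typed)
    matched = None
    # Check every verifier without early exit so that response time does
    # not depend on which word (if any) matched.
    for verifier, signal in record.verifiers.items():
        if hmac.compare_digest(derived, verifier):
            matched = signal
    return (matched is not None), matched


def session_policy(signal: Signal) -> dict:
    """Access tier and side effects for each covert signal. The policy is
    assumed; the tiers are the ones named on the Motivation slide."""
    if signal is Signal.NORMAL:
        return {"tier": "transactions", "alert": False, "reason": None}
    if signal is Signal.DURESS:
        # Coerced user: serve a normal-looking view-only session and
        # raise a silent alarm instead of refusing the login.
        return {"tier": "view-only", "alert": True, "reason": "duress"}
    if signal is Signal.SOLICITED:
        # User logged in because something prompted them; treat the
        # session as possibly phished and withhold high-value actions.
        return {"tier": "view-only", "alert": True, "reason": "possible-phishing"}
    raise ValueError(f"unknown signal {signal!r}")


if __name__ == "__main__":
    # Constructed sample enrollment; password and words are illustrative only.
    rec = enroll("correct horse", {Signal.NORMAL: "river",
                                   Signal.DURESS: "oak",
                                   Signal.SOLICITED: "lamp"})
    for entry in ("correct horse river", "correct horse oak",
                  "correct horse lamp", "correct horse", "wrong river"):
        ok, sig = authenticate(rec, entry)
        print(f"{entry!r:24} -> ok={ok} signal={sig} policy={session_policy(sig) if ok else None}")
```

Because the server keeps only the combined verifiers, an attacker who dumps the database must still guess the password before the dictionary of candidate words yields the duress word; this is the memory-versus-dictionary trade-off the Desiderata slide raises, not a solution to it.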

Beyond Passwords

Biometrics - e.g., the choice of which finger to use, the angle, and the pressure can be used to express some information.

Multi-factor authentication:

Two-factor and active man-in-the-middle attacks.

The multiplicity of factors provides a new communication channel.

Desiderata for a Better System

Obliviousness - Covert messages and replay protection.

Resistance to Server Compromise:

Not taxing user memory vs. vulnerability against dictionary-like attacks.

Resistance to Persistent Adversaries.

Further Remarks

The grand vision of authentication.

Authentication information stored at the servers.

Psychological factors.

Risk analysis and economics.

Questions?

Mikhail Atallah matallah@purdue.edu

Mohammed Almeshekah malmeshe@purdue.edu

@meshekah

Eugene H. Spafford spaf@purdue.edu

@theRealSpaf