Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks
Deauthentication is an important component of any authentication system. The widespread use of computing devices in daily life has underscored the need for zero-effort deauthentication schemes. However, the quest for eliminating user effort may lead to hidden security flaws in the authentication sch...
Gespeichert in:
| Hauptverfasser: | , , , , , |
|---|---|
| Format: | Artikel |
| Sprache: | eng |
| Schlagworte: | |
| Online-Zugang: | Volltext bestellen |
| Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
| container_end_page | |
|---|---|
| container_issue | |
| container_start_page | |
| container_title | |
| container_volume | |
| creator | Huhta, O Shrestha, P Udar, S Juuti, M Saxena, N Asokan, N |
| description | Deauthentication is an important component of any authentication system. The
widespread use of computing devices in daily life has underscored the need for
zero-effort deauthentication schemes. However, the quest for eliminating user
effort may lead to hidden security flaws in the authentication schemes. As a
case in point, we investigate a prominent zero-effort deauthentication scheme,
called ZEBRA, which provides an interesting and a useful solution to a
difficult problem as demonstrated in the original paper. We identify a subtle
incorrect assumption in its adversary model that leads to a fundamental design
flaw. We exploit this to break the scheme with a class of attacks that are much
easier for a human to perform in a realistic adversary model, compared to the
na\"ive attacks studied in the ZEBRA paper. For example, one of our main
attacks, where the human attacker has to opportunistically mimic only the
victim's keyboard typing activity at a nearby terminal, is significantly more
successful compared to the na\"ive attack that requires mimicking keyboard and
mouse activities as well as keyboard-mouse movements. Further, by understanding
the design flaws in ZEBRA as cases of tainted input, we show that we can draw
on well-understood design principles to improve ZEBRA's security. |
| doi_str_mv | 10.48550/arxiv.1505.05779 |
| format | Article |
| fullrecord | <record><control><sourceid>arxiv_GOX</sourceid><recordid>TN_cdi_arxiv_primary_1505_05779</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><sourcerecordid>1505_05779</sourcerecordid><originalsourceid>FETCH-LOGICAL-a679-c380564870ad43b40400c5bd1a33db4625d761cec41fe20633c211a3a716bf313</originalsourceid><addsrcrecordid>eNotj71OwzAYRb0woMIDMOEXSLDjv5StKoUiVQpDJxiiz45dLFonsp0K3p6QMl3p3KsrHYTuKCl5LQR5gPjtzyUVRJREKLW8Rh9vPjs4HhP2AT_Z5A_BhwN-t7EvNs71MU8UxvxpQ_YGsu_DI26GYSrG4NPE8HY8QcCNTjae5wFe5QzmK92gq-k62dv_XKD982a_3ha75uV1vdoVINWyMKwmQvJaEeg405xwQozQHQXGOs1lJTolqbGGU2crIhkzFZ1KUFRqxyhboPvL7WzXDtGfIP60f5btbMl-AWEZTao</addsrcrecordid><sourcetype>Open Access Repository</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype></control><display><type>article</type><title>Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks</title><source>arXiv.org</source><creator>Huhta, O ; Shrestha, P ; Udar, S ; Juuti, M ; Saxena, N ; Asokan, N</creator><creatorcontrib>Huhta, O ; Shrestha, P ; Udar, S ; Juuti, M ; Saxena, N ; Asokan, N</creatorcontrib><description>Deauthentication is an important component of any authentication system. The
widespread use of computing devices in daily life has underscored the need for
zero-effort deauthentication schemes. However, the quest for eliminating user
effort may lead to hidden security flaws in the authentication schemes. As a
case in point, we investigate a prominent zero-effort deauthentication scheme,
called ZEBRA, which provides an interesting and a useful solution to a
difficult problem as demonstrated in the original paper. We identify a subtle
incorrect assumption in its adversary model that leads to a fundamental design
flaw. We exploit this to break the scheme with a class of attacks that are much
easier for a human to perform in a realistic adversary model, compared to the
na\"ive attacks studied in the ZEBRA paper. For example, one of our main
attacks, where the human attacker has to opportunistically mimic only the
victim's keyboard typing activity at a nearby terminal, is significantly more
successful compared to the na\"ive attack that requires mimicking keyboard and
mouse activities as well as keyboard-mouse movements. Further, by understanding
the design flaws in ZEBRA as cases of tainted input, we show that we can draw
on well-understood design principles to improve ZEBRA's security.</description><identifier>DOI: 10.48550/arxiv.1505.05779</identifier><language>eng</language><subject>Computer Science - Cryptography and Security</subject><creationdate>2015-05</creationdate><rights>http://arxiv.org/licenses/nonexclusive-distrib/1.0</rights><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><link.rule.ids>228,230,776,881</link.rule.ids><linktorsrc>$$Uhttps://arxiv.org/abs/1505.05779$$EView_record_in_Cornell_University$$FView_record_in_$$GCornell_University$$Hfree_for_read</linktorsrc><backlink>$$Uhttps://doi.org/10.48550/arXiv.1505.05779$$DView paper in arXiv$$Hfree_for_read</backlink></links><search><creatorcontrib>Huhta, O</creatorcontrib><creatorcontrib>Shrestha, P</creatorcontrib><creatorcontrib>Udar, S</creatorcontrib><creatorcontrib>Juuti, M</creatorcontrib><creatorcontrib>Saxena, N</creatorcontrib><creatorcontrib>Asokan, N</creatorcontrib><title>Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks</title><description>Deauthentication is an important component of any authentication system. The
widespread use of computing devices in daily life has underscored the need for
zero-effort deauthentication schemes. However, the quest for eliminating user
effort may lead to hidden security flaws in the authentication schemes. As a
case in point, we investigate a prominent zero-effort deauthentication scheme,
called ZEBRA, which provides an interesting and a useful solution to a
difficult problem as demonstrated in the original paper. We identify a subtle
incorrect assumption in its adversary model that leads to a fundamental design
flaw. We exploit this to break the scheme with a class of attacks that are much
easier for a human to perform in a realistic adversary model, compared to the
na\"ive attacks studied in the ZEBRA paper. For example, one of our main
attacks, where the human attacker has to opportunistically mimic only the
victim's keyboard typing activity at a nearby terminal, is significantly more
successful compared to the na\"ive attack that requires mimicking keyboard and
mouse activities as well as keyboard-mouse movements. Further, by understanding
the design flaws in ZEBRA as cases of tainted input, we show that we can draw
on well-understood design principles to improve ZEBRA's security.</description><subject>Computer Science - Cryptography and Security</subject><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2015</creationdate><recordtype>article</recordtype><sourceid>GOX</sourceid><recordid>eNotj71OwzAYRb0woMIDMOEXSLDjv5StKoUiVQpDJxiiz45dLFonsp0K3p6QMl3p3KsrHYTuKCl5LQR5gPjtzyUVRJREKLW8Rh9vPjs4HhP2AT_Z5A_BhwN-t7EvNs71MU8UxvxpQ_YGsu_DI26GYSrG4NPE8HY8QcCNTjae5wFe5QzmK92gq-k62dv_XKD982a_3ha75uV1vdoVINWyMKwmQvJaEeg405xwQozQHQXGOs1lJTolqbGGU2crIhkzFZ1KUFRqxyhboPvL7WzXDtGfIP60f5btbMl-AWEZTao</recordid><startdate>20150521</startdate><enddate>20150521</enddate><creator>Huhta, O</creator><creator>Shrestha, P</creator><creator>Udar, S</creator><creator>Juuti, M</creator><creator>Saxena, N</creator><creator>Asokan, N</creator><scope>AKY</scope><scope>GOX</scope></search><sort><creationdate>20150521</creationdate><title>Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks</title><author>Huhta, O ; Shrestha, P ; Udar, S ; Juuti, M ; Saxena, N ; Asokan, N</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-a679-c380564870ad43b40400c5bd1a33db4625d761cec41fe20633c211a3a716bf313</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2015</creationdate><topic>Computer Science - Cryptography and Security</topic><toplevel>online_resources</toplevel><creatorcontrib>Huhta, O</creatorcontrib><creatorcontrib>Shrestha, P</creatorcontrib><creatorcontrib>Udar, S</creatorcontrib><creatorcontrib>Juuti, M</creatorcontrib><creatorcontrib>Saxena, N</creatorcontrib><creatorcontrib>Asokan, N</creatorcontrib><collection>arXiv Computer Science</collection><collection>arXiv.org</collection></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Huhta, O</au><au>Shrestha, P</au><au>Udar, S</au><au>Juuti, M</au><au>Saxena, N</au><au>Asokan, N</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks</atitle><date>2015-05-21</date><risdate>2015</risdate><abstract>Deauthentication is an important component of any authentication system. The
widespread use of computing devices in daily life has underscored the need for
zero-effort deauthentication schemes. However, the quest for eliminating user
effort may lead to hidden security flaws in the authentication schemes. As a
case in point, we investigate a prominent zero-effort deauthentication scheme,
called ZEBRA, which provides an interesting and a useful solution to a
difficult problem as demonstrated in the original paper. We identify a subtle
incorrect assumption in its adversary model that leads to a fundamental design
flaw. We exploit this to break the scheme with a class of attacks that are much
easier for a human to perform in a realistic adversary model, compared to the
na\"ive attacks studied in the ZEBRA paper. For example, one of our main
attacks, where the human attacker has to opportunistically mimic only the
victim's keyboard typing activity at a nearby terminal, is significantly more
successful compared to the na\"ive attack that requires mimicking keyboard and
mouse activities as well as keyboard-mouse movements. Further, by understanding
the design flaws in ZEBRA as cases of tainted input, we show that we can draw
on well-understood design principles to improve ZEBRA's security.</abstract><doi>10.48550/arxiv.1505.05779</doi><oa>free_for_read</oa></addata></record> |
| fulltext | fulltext_linktorsrc |
| identifier | DOI: 10.48550/arxiv.1505.05779 |
| ispartof | |
| issn | |
| language | eng |
| recordid | cdi_arxiv_primary_1505_05779 |
| source | arXiv.org |
| subjects | Computer Science - Cryptography and Security |
| title | Pitfalls in Designing Zero-Effort Deauthentication: Opportunistic Human Observation Attacks |
| url | https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-25T18%3A45%3A43IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-arxiv_GOX&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Pitfalls%20in%20Designing%20Zero-Effort%20Deauthentication:%20Opportunistic%20Human%20Observation%20Attacks&rft.au=Huhta,%20O&rft.date=2015-05-21&rft_id=info:doi/10.48550/arxiv.1505.05779&rft_dat=%3Carxiv_GOX%3E1505_05779%3C/arxiv_GOX%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true |