Logo des Repositoriums

Auflistung nach Schlagwort "authentication"

1 - 8 von 8
  • Konferenzbeitrag
    Design Considerations for Usable Authentication in Smart Homes
    (Mensch und Computer 2021 - Tagungsband, 2021) Prange, Sarah; George, Ceenu; Alt, Florian
    Smart home devices are on the rise. To provide their rich variety of features, they collect, store and process a considerable amount of (potentially sensitive) user data. However, authentication mechanisms on such devices a) have limited usability or b) are nonexisting. To close this gap, we investigated, on one hand, users’ perspectives towards potential privacy and security risks as well as how they imagine usable authentication mechanisms in future smart homes. On the other hand, we considered security experts’ perspectives on authentication for smart homes. In particular, we conducted semi-structured interviews (N=20) with potential smart home users using the story completion method and a focus group with security experts (N=10). We found what kind of devices users would choose and why, potential challenges regarding privacy and security, and potential solutions. We discussed and verified these with security experts. We derive and reflect on a set of design implications for usable authentication mechanisms for smart homes and suggest directions for future research. Our work can assist designers and practitioners when implementing appropriate security mechanisms for smart homes.
  • Konferenzbeitrag
    OIDC-Agent: Managing OpenID Connect Tokens on the Command Line
    (SKILL 2018 - Studierendenkonferenz Informatik, 2018) Zachmann, Gabriel
    OpenID Connect is widely used in Authentication and Authorization Infrastructures including the infrastructures of multiple EU projects like INDIGO -DataCloud, the Human Brain Project or the European Open Science Cloud. Due to their nature, OpenID Connect Access Tokens are currently not straightforward to use from the command line. They have a high character count and are short lived. Therefore, they de facto have to be copied from a source providing the access token, most likely a web service. Considering this insufficient usability from the command line, our goal was to overcome this by developing a tool to manage OpenID Connect tokens. We present the design of this tool named oidc-agent and possible usages. The design is oriented at the ssh-agent, providing the user a familiar way to handle OpenID Connect tokens. By splitting the whole service into multiple components we also ensure privilege separation. We implemented a daemon to manage OpenID Connect tokens (oidc-agent), a tool for generating agent account conĄgurations (oidc-gen) and a tool for loading and unloading these configurations from the agent (oidc-add). Additionally, we provide application programming interfaces for agent clients through C and UNIX domain sockets. We also provide an example agent client (oidc-token) that can be used to easily get an access token from oidc-agent using the command line. Therefore, users do not need to handle long, unhandy access tokens, but the application can obtain an access-token through oidc-agent when needed. All components can be freely used and are available on GitHub under the MIT license.
  • Konferenzbeitrag
    Preservation of (higher) Trustworthiness in IAM for distributed workflows and systems based on eIDAS
    (Open Identity Summit 2022, 2022) Strack, H.; Karius, S.; Gollnick, M.; Lips, M.; Wefel, S.; Altschaffel, R.
    The secure digitalisation of distributed workflows with different stakeholders (and trust relationships) using systems from different stakeholder domains is of increasing interest. Just one example is the workflow/policy area of student mobility. Others are from public administration and from economic sectors. According to the eIDAS regulation, eID and trust services (TS) are available across EU - upcoming also EUid & wallets (eIDAS 2.0) - to improve security aspects (providing interoperability or standards). We present some security enhancements to maintainhigher trustworthiness in Identity and Access Management (IAM) services for different policy areas with mandatory, owner-based and self-sovereign control aspects - based on eIDAS and different standards and the integration of views/results from deployed or ongoing projects (EMREX/ELMO, Europass/ EDCI, eIDAS, EUid, Verifiable Credentials, NBP initiative, OZG implementation, Self-Sovereign Identities SSI, RBAC, ABAC, DAC/MAC, IPv6) and a trustistor.
  • Konferenzbeitrag
    Privacy by Design Architecture Composed of Identity Agents Decentralizing Control over Digital Identity
    (Open Identity Summit 2020, 2020) Toth, Kalman C.; Cavoukian, Ann; Anderson-Priddy, Alan
    Proposed is an identity architecture that satisfies the principles of privacy by design, decentralizes control over digital identity from providers to users, mitigates breach and impersonation risks, and reduces dependency on remote access passwords. The architecture is composed of interoperating identity agents that work on behalf of their owners and deploy digital identities that are virtualized to look and behave like identities found in one’s wallet and contacts list. Encapsulating authentication data, identity agents strongly bind owners to their digital identities and private keys enabling them to prove who they are, protect their private data, secure transactions, conduct identity proofing, and reliably delegate consent. Identity agents also off-load application services from identity-related and privacy-related tasks. A gestalt privacy by design process has been used to discover the architecture’s privacy requirements and design elements and systematically reason about how the design elements satisfy the privacy requirements. Identity-related functionality has been intentionally compartmentalized within identity agents to focus development on creating trustworthy software. A reference model for development derived from the described identity architecture is proposed.
  • Zeitschriftenartikel
    Privacy-preserving Web single sign-on: Formal security analysis and design
    (it - Information Technology: Vol. 64, No. 1-2, 2022) Schmitz, Guido
    Single sign-on (SSO) systems, such as OpenID and OAuth, allow Web sites to delegate user authentication to third parties, such as Facebook or Google. These systems provide a convenient mechanism for users to log in and ease the burden of user authentication for Web sites. Conversely, by integrating such SSO systems, they become a crucial part of the security of the modern Web. So far, it has been hard to prove if Web standards and protocols actually meet their security goals. SSO systems, in particular, need to satisfy strong security and privacy properties. In this thesis, we develop a new systematic approach to rigorously and formally analyze and verify such strong properties with the Web Infrastructure Model (WIM), the most comprehensive model of the Web infrastructure to date. Our analyses reveal severe vulnerabilities in SSO systems that lead to critical attacks against their security and privacy. We propose fixes and formally verify that our proposals are sufficient to establish security. Our analyses, however, also show that even Mozilla’s proposal for a privacy-preserving SSO system does not meet its unique privacy goal. To fill this gap, we use our novel approach to develop a new SSO system, SPRESSO, and formally prove that our system indeed enjoys strong security and privacy properties.
  • Textdokument
    Smart Contract Federated Identity Management without Third Party Authentication Services
    (Open Identity Summit 2019, 2019) Mell, Peter; Dray, Jim; Shook, James
    Federated identity management enables users to access multiple systems using a single login credential. However, to achieve this a complex privacy compromising authentication has to occur between the user, relying party (RP) (e.g., abusiness), and a credential service provider(CSP) that performs the authentication. In this work, we use a smart contract on a blockchain to enable an architecture where authentication no longer involves the CSP. Authentication is performed solely through user to RP communications (eliminating fees and enhancing privacy). No third party needs to be contacted, not even the smart contract. No public key infrastructure (PKI) needs to be maintained. And no revocation lists need to be checked. In contrast to competing smart contract approaches, ours is hierarchically managed (like a PKI) enabling better validation of attribute providers and making it more useful for large entities to provide identity services for their constituents (e.g.,a government) while still enabling users to maintain a level of self-sovereignty.
  • Workshopbeitrag
    Using hash visualization for real-time user-governed password validation
    (Mensch und Computer 2019 - Workshopband, 2019) Fietkau, Julian; Balthasar, Mandy
    Building upon work by Perrig & Song [21], we propose a novel hash visualization algorithm and examine its usefulness for user-governed password validation in real time. In contrast to network-based password authentication and the best practices for security which have been developed with that paradigm in mind, we are concerned with use cases that require user-governed password validation in nonnetworked untrusted contexts, i.e. to allow a user to verify that they have typed their password correctly without ever storing a record of the correct password between sessions (not even a hash). To that end, we showcase a newly designed hash visualization algorithm named MosaicVisualHash and describe how hash visualization algorithms can be used to perform user-governed password validation. We also provide a set of design recommendations for systems where hash visualization for password validation is performed in real time, i.e. as the user is in the process of typing their password.
  • Konferenzbeitrag
    X.509 User Certificate-based Two-Factor Authentication for Web Applications
    (10. DFN-Forum Kommunikationstechnologien, 2017) Waldvogel, Marcel; Zink, Thomas
    An appealing property to researchers, educators, and students is the openness of the phys­ical environment and IT infrastructure of their organizations. However, to the IT administration, this creates challenges way beyond those of a single-purpose business or administration. Especially the personally identifiable information or the power of the critical functions behind these logins, such as financial transactions or manipulating user accounts, require extra protection in the heterogeneous educational environment with single-sign-on. However, most web-based environments still Jack a reasonable second-factor protection or at least the enforcement of it for privileged operations with­out hindering normal usage. In this paper we introduce a novel and surprisingly simple yet extremely flexible way to irnplement two-factor authentication based on X.509 user certificates in web applications. Our solution requires only a few !irres of code in web server configuration and none in the application source code for basic protection. Furthermore, since it is based on X.509 certificates, it can be easily combined with smartcards or USB cryptotokens to further enhance security.