Carnegie Mellon
Context-Aware Authentication Framework
CyLab Mobility Research Center, Carnegie Mellon Silicon Valley
Diwakar Goel, Eisha Kher, Shriya Joag, Veda Mujumdar, Martin Griss, Anind K. Dey
Outline
• Background
• A Scenario
• The Architecture
• Threats and Attacks Mitigated
• Conclusion
October 26, 2009
Context-Awareness
• Context: ‘information about the situation of an entity’, e.g., location, identity, time, activity
• Context-Aware Systems:
  – use context to provide relevant information and/or services to the user
  – enhance the behavior of any application by informing it of the context of use
Our solution framework
• Authentication algorithm
  – User scans QR codes using camera-phones, requests access
  – Context contains authentication information
  – Access may be granted based on policies
• Contextual cues used
  – Location (coordinates, using Wi-Fi positioning)
  – Roles (faculty, student, staff, admin)
  – Time of day
Context-Aware Authentication
• Enhances usability
  – Password replaced by gesture
• Enhances robustness
  – Adaptive instead of static passwords
• Scalable
  – Ubiquitous use of mobile phones
• Extensible
  – Multiple contextual cues, e.g., time, location, ‘roles’
The Architecture
• Dynamic:
  – Linked to server
  – On tablets, kiosks, other screens
• Static:
  – Inexpensive
  – On paper
• Maintains:
  – QR code info
  – Location info
  – Expiry time
• Logs:
  – Authentication attempts
  – Time
  – Result
  – Context info
• Stores:
  – User-specific info
  – Session token
  – Calendar id
Example
• Step 1: Scan QR code
• Step 2: Extra authentication (optional extra layer of security)
• Step 3: Context-based access
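As an added illustration (not code from the talk or from the authors' system), the Python sketch below shows how a server of the kind described above could evaluate one scan request: it checks the code's expiry, the device's session token, the user's role, the reported Wi-Fi position against where the code is displayed, and the time of day, then logs the attempt together with its context. The class and field names, the metre grid, the ten-metre radius and the sample codes, tokens and policy are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
NOW = datetime(2009, 10, 26, 10, 0)  # constructed clock: 10:00 on the talk's date

@dataclass
class QRCodeRecord:            # what the server maintains per displayed code
    code: str
    location: tuple            # (x, y) metres on a local Wi-Fi-positioning grid
    expires_at: datetime
    resource: str
@dataclass
class Policy:                  # access policy for one resource (assumed shape)
    roles: set
    hours: range               # range(8, 18) means 08:00 to 17:59
    max_distance_m: float = 10.0
@dataclass
class Server:
    codes: dict = field(default_factory=dict)     # code string -> QRCodeRecord
    policies: dict = field(default_factory=dict)  # resource -> Policy
    sessions: dict = field(default_factory=dict)  # session token -> role
    log: list = field(default_factory=list)       # attempts: time, result, context
    def authenticate(self, code, token, location, now):
        # Order: code validity, session, role, location, time of day; every attempt is logged.
        rec = self.codes.get(code)
        role = self.sessions.get(token)
        if rec is None or now > rec.expires_at:
            result = "deny:code"          # unknown, guessed or expired code
        elif role is None:
            result = "deny:session"       # device has no valid session token
        else:
            pol = self.policies[rec.resource]
            dist = ((location[0] - rec.location[0]) ** 2 + (location[1] - rec.location[1]) ** 2) ** 0.5
            if role not in pol.roles:
                result = "deny:role"
            elif dist > pol.max_distance_m:
                result = "deny:location"  # reported position is not where the code is shown
            elif now.hour not in pol.hours:
                result = "deny:time"
            else:
                result = "grant"
        self.log.append({"time": now, "result": result, "code": code,
                         "role": role, "location": location})
        return result

def demo_server():
    # Constructed sample: one lab-door code valid five minutes, faculty/staff in office hours.
    srv = Server()
    srv.codes["QR-7f3a"] = QRCodeRecord("QR-7f3a", (0.0, 0.0), NOW + timedelta(minutes=5), "lab-door")
    srv.policies["lab-door"] = Policy(roles={"faculty", "staff"}, hours=range(8, 18))
    srv.sessions.update({"tok-alice": "staff", "tok-bob": "student"})
    return srv
```

Because the code record carries its own expiry and display location, a replayed or photographed code fails the first two checks before any role or policy logic runs, and the log entry keeps the context that was presented.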
Threats and Attacks Mitigated
• Replication of displayed code
  – Time-varying, location-varying QR codes
• Cloning/theft of user device
  – Session tokens, ‘line-of-sight’ property
• Brute force/guessing attack
  – Dynamically generated codes
• Faking/manipulating context information
  – Weighted context cues, peer verification
• Sniffing attack
Why QR codes?
• Can be read fast
• Easy to generate
• Can be displayed anywhere – on screens/print-outs
• Can be read by nearly all camera-equipped phones
• Robust against sniffing attacks
• ‘Line-of-sight’ property
Conclusion
• Role-based and location-based access control
  – Leveraged user’s context
  – Used light-weight tagging
• Advantages
  – Simple, inexpensive, scalable, extensible
  – Centralized control over authentication sites
  – Smarter and robust authentication
• Future work
  – Adding other contextual cues, user profiling
Acknowledgments
• Thanks to
  – Co-authors for their contribution
  – CyLab, ARO and Nokia for their grants
  – You for patient listening!