contributions to web authentication for untrusted computers

Linköping Studies in Science and Technology

Thesis No. 1481

Contributions to Web Authentication for Untrusted

Computers

by

Anna Vapen

Submitted to Linköping Institute of Technology at Linköping University in partial

fulfilment of the requirements for the degree of Licentiate of Engineering

Department of Computer and Information Science

Linköping University

SE-581 83 Linköping, Sweden

Linköping 2011

Copyright © 2011 Anna Vapen

ISBN 978-91-7393-172-4

ISSN 0280-7971

Printed by LiU-Tryck, 2011

URL: http://urn.kb.se/resolve?urn=urn:nbn:se:liu:diva-67274


Linköpings universitet

SE-581 83 Linköping, Sweden

Contributions to Web Authentication for Untrusted

Computers

by

Anna Vapen

June 2011

ISBN 978-91-7393-172-4


Thesis No. 1481

ISSN 0280-7971

LiU-Tek-Lic- 2011:20

ABSTRACT

Authentication methods offer varying levels of security. Methods with one-time credentials generated by dedicated hardware tokens can reach a high level of security, whereas password-based authentication methods have a low level of security since passwords can be eavesdropped and stolen by an attacker. Password-based methods are dominant in web authentication since they are both easy to implement and easy to use. Dedicated hardware, on the other hand, is not always available to the user, usually requires additional equipment and may be more complex to use than password-based authentication.

Different services and applications on the web have different requirements for the security of authentication. Therefore, it is necessary for designers of authentication solutions to address this need for a range of security levels. Another concern is mobile users authenticating from unknown, and therefore untrusted, computers. This in turn raises issues of availability, since users need secure authentication to be available, regardless of where they authenticate or which computer they use.

We propose a method for evaluation and design of web authentication solutions that takes into account a number of often overlooked design factors, i.e. availability, usability and economic aspects. Our proposed method uses the concept of security levels from the Electronic Authentication Guideline, provided by NIST.

We focus on the use of handheld devices, especially mobile phones, as a flexible, multi-purpose (i.e. non-dedicated) hardware device for web authentication. Mobile phones offer unique advantages for secure authentication, as they are small, flexible and portable, and provide multiple data transfer channels. Phone designs, however, vary and the choice of channels and authentication methods will influence the security level of authentication. It is not trivial to maintain a consistent overview of the strengths and weaknesses of the available alternatives. Our evaluation and design method provides this overview and can help developers and users to compare and choose authentication solutions.

This work has been partially supported by ELLIIT.

List of Publications

Anna Vapen, David Byers and Nahid Shahmehri, “2-clickAuth - Optical Challenge-Response Authentication,” in Fifth International Conference on Availability, Reliability and Security, (ARES '10), Krakow, Poland, 15-18 Feb. 2010, pp.79-86. Anna Vapen and Nahid Shahmehri, “Security Levels for Web Authentication using Mobile Phones,” PrimeLife/IFIP Summer School, 2010 (Published in electronic pre-proceedings, distributed to summer school participants.) Anna Vapen and Nahid Shahmehri, “Security Levels for Web Authentication using Mobile Phones”, Post-proceedings of PrimeLife/IFIP Summer School, 2010. (Published by Springer 2011.) Anna Vapen and Nahid Shahmehri, “2-clickAuth - Optical Challenge-Response Authentication using Mobile Handsets,” International Journal of Mobile Computing and Multimedia Communications (IJMCMC), vol. 3(2), pp. 1-18, April-June 2011.

Acknowledgements

I would like to thank my supervisor Professor Nahid Shahmehri for introducing me to the area of information security research and for keeping me on the right track. This work would not have been possible without all her support and valuable advice over the years.

I would like to show my gratitude to my current and former colleagues at ADIT (Division of Database and Information Techniques) for their support. The internal research presentations at ADIT have been a great source of inspiration for me. Among my colleagues I would especially like to thank David Byers for the rewarding technical discussions. Thanks also to Brittany Shahmehri for her thorough proofreading of this thesis.

I also thank my near and dear ones for encouraging me to follow my dreams. I especially thank Peter for always being there for me and bringing joy into my life.

Finally, we acknowledge the partial financing of this work provided by ELLIIT.

Anna Vapen

Linköping, Sweden April, 2011

i

Contents

CHAPTER 1 INTRODUCTION .....................................................................................1

1.1 Motivation ..............................................................................................3 1.2 Problem Formulation .............................................................................5 1.3 Contribution ...........................................................................................5

CHAPTER 2 BACKGROUND ON WEB AUTHENTICATION ........................................7

2.1 Authentication Methods for the Web .....................................................7 2.2 Security Problems in Authentication .................................................. 10 2.3 Federated Identity Management ......................................................... 11

CHAPTER 3 SECURITY LEVELS FOR WEB AUTHENTICATION ............................ 13

3.1 Mobile Phones in Web Authentication ............................................... 14 3.2 Proposal for New Security Levels ...................................................... 15 3.3 Evaluation Method for Mobile Phone Authentication ....................... 16

CHAPTER 4 DESIGN OF AN OPTICAL AUTHENTICATION SOLUTION .................. 21

4.1 Design of an Optical Authentication Solution .................................... 22 4.2 2-clickAuth – Optical Challenge-Response ........................................ 22

4.2.1 Authentication ..................................................................................... 22 4.2.2 Initialization and Key Exchange ......................................................... 24 4.2.3 Design Choices for 2-clickAuth .......................................................... 25 4.2.4 Security Considerations ...................................................................... 27 4.2.5 Implementation and Choice of Software ............................................. 28

4.3 2-clickAuth Performance .................................................................... 29 4.4 Discussion ........................................................................................... 29

CHAPTER 5 CASE STUDIES ................................................................................... 31

5.1 Case Studies on Design ....................................................................... 31

ii

5.1.1 Design Case Study: Simple Web Site Authentication ......................... 31 5.1.2 Design Case Study: Online Banking ................................................... 32

5.2 Case Studies on Evaluation ................................................................. 34 5.2.1 Evaluation Case Study: 2-clickAuth .................................................... 34 5.2.2 Evaluation Case Study: Strong Authentication (SA) .......................... 35

5.3 Discussion about the Case Studies ...................................................... 36

CHAPTER 6 RELATED WORK ................................................................................ 37

6.1 Security Levels and Standards ............................................................ 37 6.2 Mobile Phone Authentication .............................................................. 38

6.2.1 Secure Web Authentication ................................................................. 38 6.2.2 Strong Authentication with Mobile Phone .......................................... 38 6.2.3 Confident .............................................................................................. 39 6.2.4 Smokey ................................................................................................. 39

CHAPTER 7 CONCLUSIONS AND FUTURE WORK ................................................. 41

7.1 Conclusions.......................................................................................... 41 7.2 Future Work ......................................................................................... 42

7.2.1 Improvements to our Design and Evaluation Method ........................ 42 7.2.2 An Expert System for Designing and Evaluating Authentication ....... 42 7.2.3 Security Requirements for Complex Web Services ............................. 43

REFERENCES .............................................................................................................. 45

LIST OF TABLES ......................................................................................................... 49

LIST OF FIGURES ........................................................................................................ 51

1

Chapter 1

Introduction

The web is widely used to provide services, such as banking, entertainment, and commerce. The number of services available on the web is increasing steadily with no sign of slowing down. This growth is increasing the amount of sensitive data available on the web. The goal of placing services on the web is to make them available at any time and place. In addition to existing services, a new and increasingly popular application for the web is web communities, which allow users to contribute content to web sites, comment on the content, and share it with others [1]. Common examples of web communities are blogs and social networks. User interaction such as sharing and commenting is often integrated into news sites and web sites for companies and organizations [1]. Today, a large part of the content of many web sites is user-created [2]. Users must authenticate, i.e. prove their identity, to be part of web communities and to use services on the web [3]. Web sites requiring authentication often contain personal or confidential information that can be stolen by an attacker. The attacker can also use the account to act as the user online, possibly causing financial loss or damaging the user's reputation [4].

A problem with web authentication is that an attacker can eavesdrop [5] on the authentication process and record the authentication data, which is secret information sent during authentication. The attacker can later use the authentication data in order to impersonate the user in a replay attack [5]. Biometric identifiers are examples of reusable authentication data, which is subject to replay attacks. However, biometric methods are not so widely used in authentication since they require additional hardware [5]. Another example of reusable authentication data is passwords. In addition to replay attacks, passwords can also be guessed in an online guessing attack, in which the attacker tries a large number of common passwords, using an automated tool. The attacker either uses a list of common passwords in conjunction with the tool, or performs a brute force attack, in which all possible

CHAPTER 1

2

combinations of characters are tried as passwords, given a limited password length and character set [6].

The habits and behavior of users impact the likelihood for success of an attack against password-based authentication. One such habit is to choose weak passwords. The weakness of a password can be gauged by how quickly it is guessed by an automated tool. The average password is relatively weak and rarely changed, which simplifies online guessing attacks [7]. According to a study by Flôrencio and Herley, the average web user has approximately 25 web site accounts that require password authentication, and less than seven different passwords for these sites [7]. Reuse of the same password on several sites increases the risk of successful password guessing performed by an attacker over a network [8].

Attacks against an authentication process can also take place in a local computer that is infected by malicious software (malware). The malware is capable of capturing authentication data and sending it to a remote attacker, independent of the strength of the password. Malware can easily spread over the Internet and locally connected media, e.g. an infected USB-stick. During the first quarter of 2011 the number of newly discovered types of malware reached 73 000 [9]. Due to the malware risk, any computer can be considered potentially untrusted [10]. Password-based authentication is not feasible for untrusted computers due to the risk of attacks against authentication.

A third approach to authentication that uses one-time authentication data was invented by Lamport [11] in 1981. One-time authentication data can be used instead of reusable authentication data, to protect against eavesdropping in untrusted computers as well as over a network. The data is only used once and cannot be replayed [11]. Examples of methods with one-time authentication data are one-time passwords (OTPs) and challenge-response. OTPs are passwords that can only be used one single time. They are stored in, or generated by, software running on a local computer or a portable hardware authentication device (e.g. a smart card, USB-stick or customized hardware device for authentication). OTPs can also be provided to the user on a printed list [3]. Challenge-response is a method in which a user proves the possession of a secret cryptographic key which is unique for the user. During authentication, the user is presented with a challenge value. The user then calculates a correct response value with a hardware authentication device. By providing the correct response the user proves the possession of the secret key, and thereby her/his identity. There are challenge-response solutions that run on software in the local computer, but to prevent attackers from guessing correct responses or deriving the secret key, challenge-response algorithms are usually running on a separate authentication device [3].

The requirement for additional equipment (i.e. authentication hardware devices) limits the number of authentication methods suitable for mobile users who access web sites from different geographical locations. Mobile users need to access their web site accounts from untrusted public computers and/or their own portable

INTRODUCTION

3

computer or handheld device. On public computers there are usually restrictions on installing software or connecting external hardware. These restrictions normally do not apply to the user’s own computer, but both types of computers are potentially untrusted because of the malware risk mentioned earlier. Hardware authentication devices are commonly malware-resistant [5]. However, the hardware device must be available to the user during the authentication process.

1.1 Motivation

Different services on the web have different security requirements. The security requirements for these services can be classified based on confidentiality, integrity and availability [3]. Confidentiality concerns the privacy of the user and the secrecy of data, e.g. that personal information and private messages stored on web communities are not leaked to an attacker. Integrity refers to the fact that an attacker should not be able to alter information, e.g. change a user’s bank account information. Nor should the attacker be able to impersonate the user, thus compromising the user’s integrity by acting in the name of the user, e.g. sending e-mail from the user’s e-mail account. Availability refers to information and services being reachable and usable.

Consider the following services for the web:

A) Calendar: A user maintains a web based calendar to keep track of meetings and everyday activities. The user shares the calendar with her/his family and colleagues. The information in the calendar is confidential in the sense that a thief could break in to the user’s home when the user is away according to the calendar. Therefore, a user should not make this kind of information public. The confidentiality and the integrity of the calendar (i.e. that only the correct user can make changes) are maintained with authentication.

B) Social network: A user has an account at a social network, such as Facebook, on which she/he sends personal messages to her/his friends and reads and writes information which is either sensitive or public. The user maintains both the integrity and the confidentiality of the information on the social network by authenticating.

C) Federated identity provider: A user has an account on a web site that allows her/him to access several web sites belonging to a specific identity federation (i.e. group of connected web sites) after authenticating to the identity provider for the federation, which is one or several of the sites in the group. Since authenticating once gives the user access to several services, the integrity and confidentiality depends on the services of the federation.

CHAPTER 1

4

D) Bank: A user is a customer of a specific bank and uses the bank’s web site to, for instance, check her/his account balance and transfer money to other accounts. The account balance is the type of information that the user does not usually share with others. Both the integrity and the confidentiality of the information should be protected. There are even higher integrity requirements on money transfers.

For most web sites, password-based authentication is still commonly used because of ease of use and deployment, despite the known security problems [7]. In the examples above, passwords are normally used for A, B and C. Application specific hardware authentication devices are common for D (banking).

There are alternatives to passwords and to specific hardware authentication devices, which only require a hardware device that the user already carries. A mobile phone is a flexible choice for a hardware device. Mobile phones also offer several channels for transferring authentication data, as well as large data processing capacity [12].

Authentication solutions with mobile phones vary, depending on which protocols they use and how they transfer data. Two examples of authentication solutions with mobile phones are Strong Authentication with Mobile Phones (SA) [13] and Smokey [14]. We chose these two solutions since they are very different from each other with regard to protocols, communication channels and the services they target.

SA consists of several sub-solutions for different purposes. The SA variant that we describe here is a challenge-response solution in which the user receives an SMS with the challenge. The phone calculates the response, which is sent to the local computer via Bluetooth and forwarded to a remote server. This solution requires a Bluetooth adapter, a connection to a phone network and a subscription to a specific phone operator. The solution is aimed at web authentication in general [13].

Smokey is an OTP solution in which a one-time password is generated by the phone and typed manually into the local computer by the user. The OTPs generated by Smokey are time-dependent. Therefore, synchronization problems occur. They are solved by clock synchronization over the phone network, which is not used during an authentication process. Smokey is designed for VPN access by companies and organizations and it requires the user to visit an administrator at the company or organization to initialize Smokey before it is used the first time [14].

The differences between these, and other existing solutions, make it difficult to determine which one is suitable for a specific service. A problem discussed in this thesis is how to compare authentication solutions that employ different approaches.

The Electronic Authentication Guideline (EAG), issued by NIST [5], is developed with the purpose of comparing authentication solutions. This guideline describes security issues related to authentication and defines four security levels for authentication solutions. By using the security level concept, authentication

INTRODUCTION

5

solutions can be rated and compared based on their security requirements [15]. However, EAG does not consider restrictions on authentication solutions due to mobility, nor does it provide methods for evaluating the design of authentication solutions. Also, new devices that communicate both with the local computer and directly with a remote server are not considered in EAG. On the one hand, the communication channels of these devices allow flexible and secure authentication methods. On the other hand, the different communication channels make new types of attacks possible.

1.2 Problem Formulation

These are the problems and questions to be addressed in this thesis:

• How does one evaluate and provide assurance that a web authentication solution belongs to a specific security level?

• How does one develop an evaluation method for web authentication which takes mobility and security into account?

• How does one attain secure web authentication for mobile users in untrusted environments and/or at untrusted computers?

1.3 Contribution

The contributions in this thesis are:

• A method for evaluation and design of web authentication solutions with mobile phones as authentication devices.

• Extensions to our method to take into account web authentication for mobile users and untrusted computers.

• A proposal for more fine-grained security levels than provided by existing guidelines to facilitate evaluation of authentication including mobile phones.

• The introduction of 2-clickAuth, our proof-of-concept implementation of an optical challenge-response solution, specifically designed for federated identity providers.

7

Chapter 2

Background on Web Authentication

In this chapter we provide background about existing authentication methods and their properties. For different authentication methods different security problems apply. We discuss common security problems related to web authentication and the impact of these problems on authentication. An example of an area in which the security of authentication is becoming increasingly important is federated identity management. We provide some background to show how it is related to the security in authentication.

2.1 Authentication Methods for the Web

This section describes currently used web authentication methods. We explain how the different methods work and which types of hardware devices are used in conjunction with the methods. The aim is to provide an overview of the state-of-the-art of web authentication methods. We also use the existing term authentication factor to describe the features and properties of different methods in order to group the methods and show the differences between them.

There are three types of authentication factors: ownership factors, knowledge factors and inherence factors [16]. Ownership factors are tokens that the user carries, such as smart cards, USB-sticks and other devices. Examples of knowledge factors include passwords or other information that the user remembers, such as images or patterns. OTPs and the cryptographic keys used in challenge-response solutions are also considered to be knowledge factors. OTPs and challenge-response are commonly used together with ownership factors in authentication. Inherence factors are biometric factors such as face features, fingerprints and voice recognition.

CHAPTER 2

8

Table 2-1 lists the properties of currently used authentication methods and their correspondence to authentication factors. Method Description Factor Passwords A secret combination of characters that can be

used several times for login. Images or patterns can be easier to remember than passwords for some user groups. An example is when a user remembers categories of items (e.g. cats, dogs and computers) and then are showed images containing different items. The user authenticates by clicking the images that contain items from the correct categories [17].

Knowledge factor

One-time passwords (OTPs)

Passwords used only once that are stored in a list on paper, in an application or generated by a hardware device.

Knowledge factor

Challenge-response

A variation of OTPs. A challenge generated by a server is sent to the user’s device, which calculates a response and sends it back.

Knowledge factor

Biometrics Proves a user’s identity by physical features of the user, for example a fingerprint. Requires special hardware.

Inherence factor

Location based authentication

A user located in a specific area is authorized based on, for example, mobile phone triangulation, GPS or a connection to a nearby access point.

A new type of factor, not common on the web.

Two-factor authentication

A combination of two types of authentication factors. A common example is the use of an ownership factor for generating OTPs, in combination with a PIN-code (i.e. a knowledge-based factor) [5].

A combination of two types of factors.

Table 2-1: Current authentication methods

Hardware devices are often used as ownership factors and can be used together with different methods, such as generating or storing OTPs, storing knowledge factors, generating responses to challenges and processing biometric data [5]. This section describes the features of different types of hardware devices and their usage in web authentication. The goal is to show the different choices of hardware devices and how they are used. Table 2-2 lists the properties of different types of hardware devices.

BACKGROUND ON WEB AUTHENTICATION

9

Device Description Smartcard Tamper-resistant hardware which requires a smartcard reader and

communicates automatically with the computer. Newer types of smartcards may contain a small keypad and display on the card, thus making it possible to use the card without a reader.

USB stick Does not require a specific reader, only a USB port. The USB stick either contains a smartcard chip or runs software used for authentication. The USB stick may be equipped with a button for generating data (e.g. OTPs), a display and a keypad.

Unconnected device

Often implemented as a small device with a display and, if allowing user input, a keypad. These devices cannot be connected to a computer, as USB sticks can.

Mobile phone Available to a large number of users, equipped with several channels for input and communication. Can communicate with a local computer and directly with a remote server.

PDA Similar to a phone, but often with a smaller number of channels available and not as commonly used as phones.

Table 2-2: Hardware devices for authentication

There are overlaps between the types of devices. For example, a smart card can be integrated in a USB-stick or used as a SIM card in mobile phones. We have listed the most common features of authentication devices in Table 2-3.

Device Features Display A surface on which data can be displayed to the user. Small

devices with simple displays can usually only show numbers.

Keypad A small numeric keyboard for user input.

Smartcard chip Provides tamper-resistant storage for cryptographic keys, and a secure environment for authentication algorithms to run in.

Other secure hardware

Specialized hardware such as trusted platform modules (TPM). Designed to provide high tamper-resistance.

Connector Used for connecting devices to physical ports on a computer, for example a USB-port.

Wireless channels Channels for sending data to a nearby computer or remote server, e.g. Bluetooth, NFC, GSM or Wi-Fi.

Biometric reader Reads fingerprints, voice or other biometric factors.

Table 2-3: Common features of authentication hardware devices

An authentication device can be equipped with several or a few of the features, but for specific methods the following features are required [5]:

CHAPTER 2

10

Requirements for OTP devices: The device requires some mechanism for output. For example the OTPs can be sent via a USB-port to the nearby computer, or the device can have a display that shows information that the user inputs manually to the computer.

Requirements for challenge-response devices: As with OTPs, some output mechanism is required, with an additional requirement for an input mechanism. If there is a USB-port or other channel, it can be used both for the challenge and the response. If the device displays information on a display, the display can be used for showing the response, whereas a keypad is needed for manual input of the challenge.

In the case when specific hardware is designed for authentication purposes, a display and/or a keypad is sufficient for most purposes. By equipping the device with a USB-connector, in- and output can be automatically transferred, but with the risk that the device could be infected by malware from the computer it connects to. Depending on which channels and methods are used for in- and output of authentication data, the security of an authentication solution can either be increased or decreased.

2.2 Security Problems in Authentication

Attacks against web authentication take different forms, depending on which part of the authentication solution the attack occurs in. We call these parts attack areas. The attack areas multiply when an additional hardware device is introduced. In Figure 2-1 we show six areas in which an attack can take place. The figure shows a local, untrusted computer (3), connected to a remote server (6) over a network (4). 1A and 1B are examples of two authentication devices that communicate with the local computer over short range channels (2). The devices can communicate directly with the remote server via the network. 1B can also communicate via a phone network (5). The circles around the devices and networks denote the attack areas.

Figure 2-1: Attack areas in hardware aided authentication.

As seen in the figure, the attacks occur both in (untrusted) devices and over networks and other channels. An attacker can eavesdrop on authentication data over

BACKGROUND ON WEB AUTHENTICATION

11

the remote network (4), the local communication channels (2) and the phone network (5). Thereafter the authentication data is either used to derive secret information such as cryptographic keys, or directly used in a replay attack. The replayed data is sent by the attacker to the remote server (6).

Another network attack is the Man-in-the-middle attack (MitM), in which the attack occurs in (4), between the user and the server to which the user authenticates. The attacker forwards authentication data from the user to get authenticated instead of her/him.

In a verifier impersonation attack, the attacker impersonates the verifier (i.e. the server to which the user authenticates) to learn passwords and other secrets sent by the user. This attack also takes place over the network (4).

In addition to network attacks, there is also the problem of the untrusted computer. Besides the untrusted computer, the authentication devices can also contain malware, depending on if the device can be connected to untrusted devices or not (e.g. to an untrusted computer via Bluetooth). Finally, the remote server can also be compromised.

2.3 Federated Identity Management

The impact of an attacker stealing a user’s identity varies depending on which type of identity management is used. The purpose of identity management is to solve the problem of users having many passwords and usernames to remember. One approach to identity management is federated identity management, in which participating sites form a circle of trust, so that if the user is authenticated to one site the other sites will automatically log the user in if the user visits them. A variation on this method uses a third party, often known as an identity provider, which holds information for the user and is responsible for authentication. Such systems are secure if the third party can be trusted [18]. Federated identity management is convenient for the user since there is only one password to remember, but it also leads to this password being more valuable. If using federated identity management, stronger authentication than passwords is needed for the identity providers. By using strong authentication methods at the identity providers, federated identity management can be used to strengthen web authentication, instead of being a security problem. Besides federated identity management, there is also user-centric identity management, in which users store and manage their identities themselves (e.g. by storing them in a hardware device or in software). In another type of identity management, a trusted third party is used, similar to the identity providers in identity federations, but without the collaboration between all the parties in the federation. Currently, federated identity management is widely used, especially in social networking and by sites that usually do not require very high security, but on which users are likely to store personal and sensitive information.

CHAPTER 2

12

In OpenID [19], which is one of the most widespread frameworks for federated identity management, sites can choose to be either relying parties, identity providers or both. A relying party is connected to the federation and when a user who is currently logged in to another site in the federation visits the relying party the user gets logged in automatically. An identity provider, on the other hand, is a site to which the user authenticates. The identity provider works as a trusted third party, which holds information for the user and is responsible for authentication. For federated solutions to be secure, the identity providers need to be trusted [18].

13

Chapter 3

Security Levels for Web Authentication

Most people today have multiple accounts and identities on the Internet, which they use in everyday life for a variety of purposes, from the inconsequential to the vital. To access these accounts, digital identities consisting of username/password pairs are commonly used [10]. Since users usually have many identities to remember, there is a risk that they will write the passwords down or choose the same password for several sites, which increases the risk of identity theft [20]. Users also tend to choose simple passwords that can be revealed to an attacker in an online guessing attack [6].

A hardware device can be used to ensure strong authentication by providing a tamper-resistant environment in which an authentication algorithm can run. Examples of hardware devices for authentication are smart cards, USB sticks, and devices with a display and a keypad [5]. Hardware devices for authentication are mainly used in online banking and other security-critical applications. The hardware is issued by the service provider and dedicated to a specific application [21]. Dedicated hardware can require additional equipment, such as cables or card readers. It may be inconvenient for the user to carry the device and other equipment at all times, especially for mobile users who use multiple computers in different locations, for example at work, at home and at an Internet kiosk. Another option is to use a device that a user will already be carrying for a different reason. A mobile phone is an example of a device that is always available to the user. Furthermore, distribution to users is not required, since most users already have access to a mobile phone [22].

CHAPTER 3

14

Examples of authentication solutions where a mobile phone is used are:

• 2-clickAuth [23], an optical authentication solution for identity providers;

• Strong Authentication with Mobile Phones [13], an authentication solution using SIM cards [24];

• SWA [25], authentication adapted specifically for untrusted computers.

Since authentication solutions using mobile phones differ significantly from each other, and since there are many choices with regard to data transfer and communication, it can be difficult to determine how secure a solution is. It is also difficult to design a new authentication solution with a specified security level in mind, since the choices of input and communication depend on the specific situation.

We propose a method for the evaluation and design of authentication solutions that use mobile phones as secure hardware devices. Our method focuses on mobile phones and considers usability, availability and economic aspects, as well as security. The method uses the security level concept from EAG [5]. We also propose supplements to the guideline to include secure hardware devices that can communicate with a local computer or a remote authentication server.

3.1 Mobile Phones in Web Authentication

The variety of communication and input channels differentiates mobile phones from other hardware devices for authentication. These channels allow transfers of large amounts of data without time-consuming typing. The phone can also connect directly to a remote server via a long-range channel [13]. However, the location of the user affects the availability of the channel, e.g. whether a long-range channel is accessible and if it is costly to use. The availability of an authentication solution depends on whether the communication channels in the solution can be used without extra equipment and costs. Since users are mobile and authenticate from different places, the hardware they use will not be consistent.

An authentication solution that is available to the user and reaches the required security level should also be easy to use, regardless of the user's skill level. Usability in a broader sense should also be considered, e.g. reduction of user actions needed to perform authentication.

There are also economic aspects to authentication, such as costs incurred by the user to access the long range communication channels and costs for purchase and distribution of equipment.

We discuss these factors in our design and evaluation method in section 3.3. However, first we describe how the existing security levels can be adapted to mobile phones as authentication devices.

SECURITY LEVELS FOR WEB AUTHENTICATION

15

3.2 Proposal for New Security Levels

EAG [5] defines four security levels (1 - 4 where 4 is the highest) that can be used for evaluating the security of authentication solutions in general. Below is a short overview of the guideline.

Level 1: Single or multi-factor authentication with no identity proof. Protection against online guessing and replay attacks.

Level 2: Single or multi-factor authentication. Protection against eavesdropping and the attacks from level 1.

Level 3: Multi-factor authentication with protection against verifier impersonation, MitM attacks and the attacks from level 2. Level 3 requires a token used for authentication to be unlocked by the user using a password or biometrics. Only non-reusable data (e.g. OTPs) may be used.

Level 4: Multi-factor authentication with FIPS-140-2 certified tamper-resistant hardware [26]. Protects against session hijacking and the attacks from level 3.

Since there are specific concerns related to phones, we suggest a complement to EAG [5] that would allow it to handle phone-specific issues, such as eavesdropping on short range (i.e. between a phone and a nearby computer) communication channels.

We propose two new levels between the existing security levels, to make EAG better suited for evaluating web authentication solutions, especially those that employ mobile phones. We make the original levels more fine-grained by inserting the new levels 2.5 and 3.5. The goal is to be better able to compare authentication solutions. With the current levels, two solutions that are very different in design and the degree of security they provide may end up being rated at the same level, which makes comparisons more difficult. When designing new solutions with a specific level in mind, a less secure design may be chosen since it is located at the same level as one that is more secure.

Since EAG is mainly intended for solutions where individuals are authenticated, identity proofing is required for all levels above 1. Identity proofing means that at registration the user must prove their physical identity, e.g. by providing their passport number and credit card number. Most web applications authenticate digital identities but are not concerned with physical ones. In such applications, security may be relevant even if identity proofing is not. Furthermore, our interest lies in the technological aspects of mobile authentication, whereas identity proofing is an administrative issue. For these reasons, identity proofing is not relevant to web authentication. Requiring identity proofing would make most web authentication solutions end up on level 1, independent of the overall security of the solutions.

CHAPTER 3

16

Level 2.5: The same requirements as for level 3, but rather than providing both phone locking and MitM protection, only providing one or the other.

Level 3.5: The same requirements as for level 4, but with a SIM or USIM card (or similar tamper-resistant module) that is not FIPS-140-2 certified.

When using a mobile phone for password storage, passwords may be strong and have high entropy without any extra inconvenience for the user. Because it is possible to store a password securely on the phone and transfer it to a local computer without a risk of keylogging, such solutions meet the requirements of level 2, except for the identity proofing aspect. Since we consider identity proofing a separate issue, we consider these solutions to be at level 2.

For level 2.5, either phone locking or MitM protection may be left out. A MitM attack is difficult to protect against, since such protection requires a side channel or the exchange of several rounds of data. Phone locking may be time-consuming for a user that authenticates often. Verifier impersonation remains in level 2.5 since it is a protocol issue that is unrelated to the properties of the phone.

Very few of today’s phones can reach level 4, because of the hardware requirements. Level 3.5 requires both protection against verifier impersonation and authentication of sensitive data transactions. However, a SIM or USIM card can be used in authentication, either in an EAP-SIM protocol [13] or for running authentication algorithms, e.g. calculating responses to a challenge. The SIM card may not be used in such a way that secret keys or other secrets are revealed to an attacker.

3.3 Evaluation Method for Mobile Phone Authentication

We provide a list of steps, outlined in Figure 3-1, to follow for evaluation and design of authentication solutions using any type of mobile phone, including smartphones. The list is used in conjunction with Table 3-1 to determine the highest security level that a solution can achieve or to suggest solutions for a chosen security level. Table 3-1 describes features present in the communication channels and makes it easy to compare the variety of communication channels for mobile phones, based on their features. The set of features is initial and will be extended. The features in the current set are the most important ones and can affect the security level of a solution.


17

Features F

acto

r

Blu

etoo

th

IR

NFC

Cab

le

Aud

io

Opt

ical

Man

ual Comments

Keylogger resistant

S

• • • • • • (•)

Manual input may be vulnerable to keyloggers when using passwords. Non-HID Bluetooth devices are not vulnerable to keyloggers.

Cannot spread malware

S

• • •

For closed environments

S

(•) • • • • • • Bluetooth can be eavesdropped from outside a building.

For open environments

S

(•) (•) • • (•) (•) •

Channels in parenthesis can be eavesdropped and replayed by a nearby attacker, if the data is used several times.

For phone unlocking

S

• • •

In specific cases a touch screen or fingerprint reader could be used for biometric unlocking.

For noisy environments

U

• • • • • •

For users with poor eyes

U • • • • • •

For users with shaky hands

U

• • • • • •

No extra equipment

AE

(•) (•) •

An optical channel from the phone to the computer requires a web camera. Audio channels require speakers and a microphone.

Table 3-1: Features of mobile phone communication channels

S: security factor, U: usability factor, A: availability factor, E: economic factor. •: the channel has this feature. (•): the channel usually has this feature, but there are exceptions that are noted in the Comments column.

CHAPTER 3

18

Figure 3-1: Description of the evaluation and design method.

1. Authentication methods: There are methods with reusable data (e.g. passwords) and with one-time data (e.g. OTPs). Evaluation: Identify the authentication method used in the solution. If a method with reusable data is used, level 2 is the highest level possible. For level 1, passwords must have reasonable security (see online guessing below). To reach level 2, passwords with at least 10 bit entropy are required [5]. Biometrics may not be used, according to EAG. Design: Choose the authentication methods that are feasible. For level 3 and higher, only methods with one-time data may be used. For level 2, passwords with 10 bit entropy are needed. Using a phone for password storage makes it possible to use a strong password that is difficult to remember.

2. Data protection a. Locking methods: To protect the phone when it is not in use, it

may be locked using biometrics (e.g. voice or face recognition) or a manual method (e.g. password or PIN). Evaluation: If the phone can be locked, the solution can reach level 3 or higher. Otherwise the solution can at most reach level 2. Design: For level 3 and higher, choose a locking method. This requires manual, optical or audio input on the phone, depending on the locking method.

b. Secure hardware: Tamper-resistant hardware in the phone can be used for data protection. Level 3 requires multi-factor authentication with a secure hardware device [26], a software token (e.g. software used for calculating non-reusable authentication data), or an OTP device. Phones can be considered hardware devices, without the FIPS certification needed for level 4, but can also be seen as devices containing software tokens.

Evaluation: If the phone uses secure hardware certified by the FIPS-140-2 standard (FIPS-140-2 level 2 overall security and FIPS-140-2 level 3 physical security) [5], the solution can reach level 4. If a SIM card is used as secure hardware, level 3.5 is possible. Otherwise level 3 is the highest level. Design: See evaluation.


19

3. Protocols: Depending on which protocol is used in authentication, the security of the solution may vary. The following authentication protocols may be used: proof-of-possession-protocols with either private or symmetric keys, tunneled or zero-knowledge password protocols[5] and challenge-response password protocols. Evaluation: Challenge-response passwords can at most reach level 1. Tunneled or zero-knowledge password protocols, which are protocols that cannot be easily eavesdropped, reach level 2 at most. Proof-of-possession protocols can reach level 4. Design: See evaluation. On a mobile phone, proof-of-possession protocols require keys to be securely loaded into and stored in the phone.

4. Attack resistance a. Online guessing: Passwords must be strong enough not to be

guessed. Evaluation: For level 1 and 2, passwords must resist online guessing. This is achieved by using strong passwords and not sending them in the clear. The maximum chance of success of a password guessing attack must be 1/1024 for level 1 and 1/16384 for level 2, over the complete lifetime of the password [5]. Reusable passwords are not used in levels 3 and 4. Design: See evaluation.

b. Replay attacks: In a replay attack, authentication data is reused by the attacker. Evaluation: Resistance against replay attacks is required for levels 1 - 4. If passwords are sent in the clear, the solution does not reach level 1. Design: To reach level 1, passwords must be tunneled or salted while sent over a network or phone channel.

c. Eavesdropping: Table 3-1 shows which channels can be used in a private environment, i.e. a room without untrusted people present, and which channels can be used in a public environment, e.g. an open area with untrusted people present, without being eavesdropped by an attacker. Evaluation: For non-reusable authentication data, the solution can reach level 4. For reusable data (e.g. passwords), use Table 3-1 to see if the channels are vulnerable to eavesdropping. If not, the solution can reach level 2. Otherwise the solution can reach level 1 at most. Level 2 also requires reusable data to be tunneled (e.g. using SSL) or otherwise protected, when sent from the local computer to a remote server. Design: For reusable data, choose channels not vulnerable to eavesdropping and tunnel the communication to the remote server to reach level 2. For non-reusable data, any channel may be used and tunneling is not necessary.

CHAPTER 3

20

d. MitM attacks: If there are long range channels available, such as a phone network or Wi-Fi, they can be used as a secure side channel to protect against MitM attacks. Without long range channels, mutual authentication can be used to prevent MitM attacks. Evaluation: With MitM mitigation the solution can reach level 3 and higher. For level 2.5, either MitM mitigation or phone locking must be present. Design: See evaluation.

e. Verifier impersonation: In this type of attack, an attacker claims to be the verifier in order to learn passwords and secret keys. Evaluation: Resistance against verifier impersonation is required for level 3 and higher. The data sent should not give any clues on the secret key used in authentication. Design: See evaluation.

f. Session hijacking: An attacker modifies or reroutes parts of a session. Evaluation: If there is a shared secret per session, this may be used to protect against hijacking. Such protection is required for level 4. Design: See evaluation.

5. Other factors: Evaluation: Use Table 3-1 to learn about features not discussed in EAG. These features do not affect the security level, but may affect other aspects of the solution. For solutions in which third parties are involved, shared secrets must not be revealed to the third party in order for the solution to reach level 2 or higher. Design: Choose channels based on the user's equipment, if known. Manual input is the default for both computers and phones. If challenge-response is used as authentication protocol, data transfer in both directions between the computer and the phone is needed. If there is a risk of malware, users with poor eyes etc, check Table 3-1 for solutions that may be used in the specific cases. For level 2 and higher, secrets must not be revealed to third parties.

6. Conclusions: Evaluation: Applying these steps will allow identification of the solution's maximum security level. This will also provide information about the properties that prevent the solution from reaching a higher level. Design: Given the preferred security level, this process will provide recommendations about possible channels, authentication methods and other features. An example of this would be OTPs or challenge-response with manual input and Wi-Fi as a side channel.

21

Chapter 4

Design of an Optical Authentication Solution

In this section we present a proof of concept prototype of an optical authentication solution. The purpose is to give an example of how mobile phones can be used in authentication as pervasive, always-available authentication devices.

Today, Internet users have accounts on a wide variety of web sites such as social networks, blog sites, forums and multimedia sites, e.g. YouTube. Usually users log in to these sites using a username and a password [10]. When a user chooses a strong password, which is difficult for an attacker to guess, they often write down the password and/or reuse the same password for every site [20]. This creates a risk since an attacker that captures a password for one site is likely to try the same password on other accounts belonging to the user.

For web sites with higher security requirements than passwords, we have designed and implemented the authentication solution 2-clickAuth as an alternative to the standard password-based solution [23]. It offers a higher level of security while retaining the simplicity of passwords.

2-clickAuth is an optical challenge-response solution that uses a camera-equipped mobile phone as a secure hardware token together with a web camera to provide fast, simple, highly available and secure authentication. Data is transferred both to and from the phone using Quick Response (QR) codes [27], a two-dimensional barcode type invented by Denso Wave Inc. It has been proven that QR codes can be reliably captured using mobile phone cameras.

To demonstrate and evaluate 2-clickAuth, we have implemented an identity provider for the federated identity management system OpenID, which uses 2-clickAuth for authentication. OpenID is a federated identity management system that uses trusted third parties called OpenID providers. Anyone can start an OpenID provider and the provider decides which login method to use. Some well-known

CHAPTER 4

22

OpenID providers are Google, Microsoft Live and Yahoo [19]. Web sites that allow users to log in using OpenID are called relying parties. Some well-known relying parties are Facebook, Sourceforge and MySpace [19]. The number of relying parties in OpenID is constantly increasing [28].

4.1 Design of an Optical Authentication Solution

For 2-clickAuth, we have chosen to use a challenge-response protocol since it provides higher security than passwords, prevents replay attacks (a risk with passwords and biometrics), is location-independent, and does not allow an attacker to capture and use authentication data while the user is awaiting authentication, which is a possibility with OTPs and biometrics.

Challenge-response-based systems often use a hardware security token on which keys can be stored and the response-generating algorithm can run in a tamper-proof environment.

We have elected to use a mobile phone for 2-clickAuth to support the goal of high availability. Because of their prevalence, mobile phones are an excellent platform for something that should be available to users at all times. Furthermore, mobile phones have several channels for input and communication (both with the nearby devices through e.g. Bluetooth [29] and directly with remote servers through e.g. a phone network) that can be used in an authentication solution.

Special-purpose devices could provide higher security and high usability, but such devices would need to be distributed to all users by some means. The practical difficulties and costs associated with distribution of a physical device make special-purpose devices an unattractive choice for the types of applications we want 2-clickAuth to support.

4.2 2-clickAuth – Optical Challenge-Response

2-clickAuth is an optical challenge-response solution where a camera phone is used as a secure hardware token together with a web camera to provide fast, simple, highly available and secure authentication. We have designed 2-clickAuth to be suitable for authentication in federated identity management systems, such as OpenID, but it can be used in any situation where authentication is required.

4.2.1 Authentication

The 2-clickAuth system we have built consists of an OpenID provider, a MIDlet running in the user’s phone and a Java Applet that communicates with the computer’s web camera. Figure 4-1 shows how 2-clickAuth is used to log in to an OpenID relying party. To use 2-clickAuth a user must register at the 2-clickAuth OpenID provider [30].

DESIGN OF AN OPTICAL AUTHENTICATION SOLUTION

23

Every user of 2-clickAuth shares a 128 bit secret key with the 2-clickAuth OpenID provider. This key is generated by the 2-clickAuth MIDlet in the phone and sent to the 2-clickAuth OpenID provider using 2-clickAuth key exchange when the user first registers at the 2-clickAuth OpenID provider. The secret key is part of the HMAC-SHA1 protocol (HMAC is a keyed hash function and SHA1 a cryptographic hash function) [31].

Figure 4-1: A user interacting with the 2-clickAuth OpenID provider

When the user wants to log in to an OpenID relying party using 2-clickAuth, authentication proceeds as follows (see Figure 4-1).

First, the OpenID protocol arranges for the user to be authenticated at the correct OpenID provider:

1. The user types their OpenID (a URL to a personal page at the OpenID provider) into the login form on the relying party’s web site in the computer’s web browser.

2. The OpenID is sent to the relying party. 3. The relying party sends an OpenID request to the 2-clickAuth OpenID

provider and notifies the relying party to redirect the user’s browser to the 2-clickAuth OpenID provider login page.

Next, the 2-clickAuth authentication process is executed: 4. The 2-clickAuth OpenID provider calculates a challenge, a 128 bit

random number. The challenge is presented to the user as a QR code in the browser.

5. The user opens the 2-clickAuth MIDlet on their phone and captures the QR code using their phone camera. The 2-clickAuth MIDlet interprets the QR code and calculates a response by creating a HMAC-SHA1 keyed hash from the challenge and truncating it to 128 bits. The response is displayed on the phone as a QR code.

6. The user holds the phone display in front of a web camera connected to the computer so that the response can be captured by the web camera.

7. The 2-clickAuth Applet in the web browser interprets the QR code captured by the web camera and the response is sent to the 2-clickAuth OpenID provider.

CHAPTER 4

24

8. The 2-clickAuth OpenID provider calculates the expected response using the secret key shared with the user’s phone, and compares it to the response captured using the web camera. If they match, the user is authenticated.

Finally, control is returned to the relying party: 9. If authentication is successful, the OpenID provider redirects the user

browser back to the relying party.

The reason for truncating the hash used as the response is that a smaller amount of data makes the barcode smaller and less dense, and therefore easier to capture and interpret, which makes the login process faster and more reliable. To prevent prediction by an attacker and to resist birthday attacks, the truncated hash should not be smaller than 80 bits or half the hash output length. The HMAC-SHA1 length is normally 160 bits, which gives a recommended smallest truncated length of 80 bits [31].

HMAC-SHA1 is designed for message integrity, but is also used in authentication solutions such as the OTP algorithm HOTP [32], in IPsec [33] and in TSIG (transaction signatures, mainly for domain name servers) [34].

Figure 4-2 shows the communication between the user’s phone, the untrusted computer and a server (which in our implementation is a combination of the OpenID provider and a relying party).

Figure 4-2: 2-clickAuth authentication

4.2.2 Initialization and Key Exchange

2-clickAuth requires the user and OpenID provider to share a secret key. The key is established by an initial key exchange when the user registers with the OpenID provider. Like authentication, key exchange is done optically using QR codes. A first-time user downloads the 2-clickAuth MIDlet to her phone and initiates it before first using it for authentication, as follows (see figure 4-3):


25

1. The MIDlet generates a secret key that is encrypted using the public RSA key of the 2-clickAuth OpenID provider. The RSA key is embedded in the MIDlet (which can be signed to ensure the integrity of the MIDlet and public key).

2. The encrypted key is then shown as a QR code on the phone display and captured by the computer’s web camera.

3. The key is transferred to the 2-clickAuth OpenID provider, which decrypts the key and stores it in a database. The user and the OpenID provider now have a shared secret used for 2-clickAuth.

Figure 4-3: 2-clickAuth key exchange

4.2.3 Design Choices for 2-clickAuth

When designing 2-clickAuth the following criteria were considered:

Security: 2-clickAuth shall be resistant to replay attacks and it shall not be possible for malware to fetch arbitrary information from the security token.

Availability: 2-clickAuth shall use a hardware token that the user probably already has. Registration and initialization of the token shall be done online. It shall be possible to use the solution without side channels (such as the token connecting directly to a remote server over the phone network).

Usability: 2-clickAuth should provide a login process so simple and fast that it can compete with passwords.

The security and availability criteria first led to the choice of a challenge-response protocol using a mobile phone as a hardware token. The communication channels, specific algorithms and data representation for 2-clickAuth were then chosen based on the same set of criteria.

Communication Channels Table 4-1 shows communication channels that can be used by a mobile phone communicating with a nearby computer.

CHAPTER 4

26

Channel Description Bluetooth Requires a Bluetooth adapter connected to the computer and must be

paired with the computer. Can be read from 100 meters and more [29]. Infrared Short range channel (less than 2 meters) that requires an IR adapter

connected to the computer. Not commonly used in modern mobile phones [35].

NFC Near Field Communication. Short range channel (10 cm) built on wireless smartcard technology. New, and not yet common in phones. Has small data capacity and therefore mainly used together with Bluetooth so that pairing is not needed [36].

Cable Direct data transfer from the mobile phone to the local computer.

Optical Can be used either with a phone camera (sending data to the phone) or a web camera (sending data to the computer). If in machine readable format, a large amount of data can be captured by the camera.

Manual input

Transfer of data between the computer and the token by the user typing on the keyboard/keypad.

Audio Can be used either with computer speakers and a phone microphone (sending data to the phone) or a phone speaker and a computer microphone (sending data to the computer). Data can be encoded as high frequency “modem sound”.

Table 4-1: Communication channels

We have chosen to use optical input since it makes it possible to transfer a large amount of data fast without any direct connection to the computer and without time-consuming typing. If choosing a data representation that is fault tolerant and easy to read, optical input is less error prone than sound in a noisy environment, for example, at an Internet café.

Bluetooth can be read from a distance by an attacker. It can also be used by malware on the untrusted computer to exploit the token [37]. Sound is error-prone in noisy environments. NFC, Bluetooth and infrared require special hardware that is not commonly available.

We have chosen to realize the optical channel with a camera on the mobile phone and a web camera on the computer. Today, cameras are common on mobile phones, and web cameras are increasingly common on computers, even on laptops and in locations like Internet cafés.

Data Representation When using an optical channel for information transfer, the data needs to be represented in a machine readable format. Table 4-2 shows different machine readable data representations that can be used in an optical authentication solution.


27

Data representation

Description

1D barcode [38]

Data is represented as black and white bars. The code stores 13-20 digits, usually an identification number that is read by a dedicated reader or a phone camera and mapped to a database.

2D barcode Data is represented as a two-dimensional bit pattern. There are several types of 2D barcodes that are adapted to mobile phones.

Character string Data is represented as human readable characters and processed using optical character recognition.

Light signals Blinking lights on the phone display and computer monitor, similar to Morse code.

Table 4-2: Machine readable data representation

We have chosen to use 2D barcodes for data representation since they have a higher data storage capacity than 1D barcodes, provide fast and fault tolerant reading without special hardware, are more environment independent than light signals and require less processing than optical character recognition.

The specific 2D barcode type chosen is QR-code (Quick Response Code), which is well suited for mobile phone usage and is already in widespread use [27].

4.2.4 Security Considerations

There are security risks related to authentication that must be considered. These risks have been described in section 2.3. For 2-clickAuth, we consider the following risks: replay attacks, stolen phone, and MitM attacks.

Replay attacks: Barcodes can be captured from a distance if the attacker can see the display and has a camera with which to capture the barcode. The challenge and the response can also be captured by malware on the computer running the 2-clickAuth applet. This risk is mitigated by using random secure numbers for the challenge: they are unpredictable, and the probability of repetition is extremely small.

Stolen phone: If an attacker steals a phone used for 2-clickAuth, the attacker can either use the application directly or extract the secret key. To mitigate this risk, the phone or the application should be PIN protected. Improved protection of the secret key is part of our future work.

MitM attacks: In a MitM attack, an attacker intercepts communication from the client and sends it on to the server (possibly after modifying it). The result is that when the server authenticates the client, the attacker gets authenticated instead. 2-clickAuth currently does not mitigate MitM attacks since mitigation requires either a secure side channel, for example the response being sent via SMS, or the exchange

CHAPTER 4

28

of more messages between the phone and the computer. Avoiding side channels and limiting the exchange of messages to one in each direction are availability and usability considerations, respectively.

4.2.5 Implementation and Choice of Software

In our implementation [30] of the 2-clickAuth OpenID provider and client software, the application on the phone is built as a Java ME MIDlet, which makes it platform independent. The image capturing mechanism is built on the Zxing [39] library from Google.

On the server side, the OpenID provider implementation is built on Joid [40], an OpenID library from Google, and the OpenID4Java [41] library, running on a Tomcat web server. All user data (pairs of usernames and keys) are stored in a relational database.

A Java Applet runs in the user’s web browser, showing the challenge barcode and a video window in which the user can see the response while showing it to the web camera. The applet does not have access to any secret information such as keys; it only serves as a GUI. Figure 4-4 shows a screenshot of the 2-clickAuth applet and MIDlet during the authentication process.

Figure 4-4: Screenshot of a 2-clickAuth authentication session

Figure 4-4 shows a user logging in on the 2-clickAuth OpenID provider using a mobile phone. In the upper part of the screen shot the QR code containing the challenge is displayed. Below the challenge is a video window, in which the user can see the same image as the web camera currently is capturing. The video window makes it easy for the user to adjust the phone’s position in relation to the web camera, thus speeding up the capturing process.


29

4.3 2-clickAuth Performance

One of the criteria for 2-clickAuth was that the authentication process should be fast. In order to evaluate the speed of the login method we had a user perform 200 trials of the 2-clickAuth authentication process, and we measured the time elapsed between the application being loaded and a correct response being recorded. Results above 8000 milliseconds were filtered out. The histogram in Figure 4-5 shows the distribution of the times.

Figure 4-5: Authentication speed (milliseconds) when using 2-clickAuth

The test shows an average of 6.25 seconds to use 2-clickAuth when logging in to a web site. Of this time, approximately 2 seconds are a delay in the image capturing software in the phone when loading the captured image into the MIDlet. The authentication time is also influenced by light conditions. The web camera used here either gives a low resolution image or uses automatic light settings to sharpen the image. As a result, the black parts of a QR code can melt into the white parts, making it impossible to interpret. To solve the problem of automatic light settings and poor image quality, the MIDlet animates the QR code, displaying the white parts in different shades of gray, ranging from pure white to dark gray. This makes the capture process less sensitive to lighting conditions. However, if the optimal shade in a particular light is the last one shown by the MIDlet, authentication may take a few extra seconds.

4.4 Discussion

In this section we have presented 2-clickAuth, a fast and simple authentication solution for the web that is designed to be as easy to use as normal passwords, while also being more secure than passwords, particularly in situations where authentication is done using an untrusted computer. 2-clickAuth uses a camera-equipped mobile phone to implement a challenge-response authentication protocol. Data is transferred to and from the mobile phone using two-dimensional barcodes.

CHAPTER 4

30

2-clickAuth is designed for applications that require better security than plain passwords can provide, but where usability, simplicity and availability cannot be sacrificed.

We have also implemented an OpenID identity provider that uses 2-clickAuth for authentication. This allows 2-clickAuth to be used with any OpenID relying party. In federated identity management systems, such as OpenID, a user needs only to authenticate to the identity provider in order to access any site that participates in the system. Therefore, it is desirable to have a higher level of security than normal passwords can provide. 2-clickAuth is resistant to key loggers and password-capturing malware, but does not sacrifice usability, requires only hardware that most users carry anyway, and requires no special software on the computer that is used for authentication.

Unlike other authentication solutions that use mobile phones, 2-clickAuth does not rely on a side channel. Although use of a side channel would increase security, it would also decrease the availability of the solution, since the user might be unable or unwilling to use the side channel. However, we are investigating the possibility of adding side channels to 2-clickAuth for those situations where sacrificing availability in favor of security is warranted.

2-clickAuth is as yet the only system that uses a web camera in a challenge-response solution. With video chats and similar applications in use today, web cameras are becoming very common. It is also a part of the user experience to be able to login by simply holding up a phone, taking a picture and turning the phone around.

31

Chapter 5

Case Studies

We now present four case studies that apply our method from section three for design and evaluation of authentication solutions.

5.1 Case Studies on Design

The two design case studies in this chapter describe how our evaluation and design method can be used for designing authentication solutions, given specific applications. In the first case study we consider a simple web site with user accounts, such as a chat site, a forum or a blog site. In the second case we consider an online banking solution. We have chosen these two applications since they have very different security requirements. The goal of these design case studies is to show how our method can help guide the process of designing authentication solutions with mobile phones as authentication devices.

5.1.1 Design Case Study: Simple Web Site Authentication

Consider a simple chat web site with user accounts. On sites of this type, passwords are normally used. We want to encourage users to choose strong passwords by providing them with the ability to store their password on a mobile phone. This would permit users to choose strong passwords without having to remember them and type them on the keyboard. The goal of this password storage is to reach the highest security level for password-based authentication, i.e. level 2. It should be possible to use the password storage both in private and public environments.

1. Authentication methods: The default method is passwords that may reach

level 2 if the passwords are tunneled or zero-proof passwords. 2. Data protection

a. Locking methods: Phone locking is not needed for level 2. b. Secure hardware: For level 2, no secure hardware is needed.

CHAPTER 5

32

3. Protocols: All protocols except challenge-response passwords may be used.

4. Attack resistance a. Online guessing: Passwords must be strong enough to resist

password guessing and dictionary attacks. They must also have at least 10 bit entropy.

b. Replay attacks: Tunneling can be used for mitigating replay attacks over a remote network. For transmission between the phone and a local computer, choose channels from Table 3-1 that are not open to attacks in public environments.

c. Eavesdropping: See replay attacks. d. MitM: Not needed for level 2. e. Verifier impersonation: Not needed for level 2. f. Session hijacking: Not needed for level 2.

5. Other factors: For transferring passwords from the phone to a local computer, manual input should be avoided in order to protect against keyloggers. In a public environment, NFC and a cable connection may be used. In a private environment IR, audio transfer and optical transfer may also be used.

6. Conclusions: One possible solution for this application would be to use strong, high entropy passwords (possibly automatically generated) stored on a phone and transferred to a nearby computer using a cable or NFC. Channels such as IR or Bluetooth are not appropriate since they are vulnerable to eavesdropping in a public environment. Finally, the password must be tunneled when sent over a remote network, or the solution would fail to reach even level 1.

5.1.2 Design Case Study: Online Banking

In this case study we explore an application that is more security-critical than the password storage case. Consider a general online banking solution in which the user can perform several different tasks which require different levels of security. Examples of these tasks are: A) check account balance, B) withdraw money from the account and move it to another account, which is owned by another person and C) close the account. For A we assume that the security of a password is sufficient, given that there is additional protection against keyloggers and eavesdropping. Therefore, level 2 is chosen for A. For B, we aim for a higher security level than A. C is considered the most security-critical case and requires as high a level of security as is possible. We will now use our evaluation method to find suitable authentication solutions for A and B. For this scenario we assume Bluetooth access, a phone network, a phone camera and manual input. We assume that the solutions are to be used in public environments.

CASE STUDIES

33

1. Authentication methods: A: All methods can be used. B: Only methods with non-reusable authentication data can be used.

2. Data protection a. Locking methods: A: No locking needed. B, C: Manual or optical

(biometric) input can be used for locking the phone. b. Secure hardware: A and B: Secure hardware is not needed. If a

SIM-card is used for secure storage, B may reach level 3.5. C: Secure hardware must be used, but is not present in phones.

3. Protocols: A: A strong password protocol such as tunneled or zero-knowledge password protocols may be used. Proof-of-possession protocols may also be used. B, C: A proof-of-possession-protocol must be used.

4. Attack resistance a. Online guessing: A: Passwords must be strong and have a least

10 bit entropy. B, C: Passwords are not used. b. Replay attacks: A: Bluetooth and optical data transfer should not

be used for sending reusable data. Tunneling must be used for reusable data. All channels can be used for one-time data. B, C: All channels can be used.

c. Eavesdropping: A, B and C: The same as for replay attacks apply.

d. MitM: A: MitM protection is not needed. B, C: The phone network can be used as a side channel. Other mitigation methods can also be used.

e. Verifier impersonation: A: Not needed for level 2. B, C: If an attack occurs, the attacker must not get access to sensitive data. Eavesdropping resistance will suffice in this case.

f. Session hijacking: A and B: protection against this type of attack is not needed for levels 2-3. C: Session secrets can be used for protection against hijacking.

5. Other factors: A: Only manual input is available for reusable data, but not suitable for passwords (malware risk). B: No other factors apply. C: Data transactions must be authenticated.

6. Conclusions: For checking account balance (A), OTPs with manual input may be used. An alternative is to transfer data via Bluetooth instead of manual input. A challenge-response protocol can be used instead of OTPs. In that case the response may be sent optically. Otherwise, manual input or Bluetooth may be used. For withdrawing money and moving it to another person's account (B), the requirements for A apply, but with locking using manual or optical input and with additional MitM mitigation. For closing the account (C), the requirements for B apply, but with authenticated data transfer and session secrets. Since secure hardware is not available, sufficient security for C cannot be achieved with a mobile phone alone. The user can initiate the closing of the account with the solution from B, but

CHAPTER 5

34

then must add another method such as physically signing a form from the bank and sending it by mail.

5.2 Case Studies on Evaluation

In the following two case studies we show how our method can be used to evaluate existing authentication solutions in which mobile phones are used as hardware devices. We have chosen to evaluate our optical authentication solution 2-clickAuth[23] and Strong Authentication with a Mobile Phone (SA)[13], since these two solutions use the mobile phone very differently from each other. 2-clickAuth does not depend on a specific phone operator and aims to increase availability by not using a side channel, while SA uses a side channel and collaborates with the phone operator by using the SIM card.

5.2.1 Evaluation Case Study: 2-clickAuth

2-clickAuth [23] is an optical challenge-response solution that uses a camera-equipped mobile phone as a secure hardware token together with a web camera to provide fast, simple, highly available and secure authentication. Data is transferred both to and from the phone using two-dimensional barcodes.

1. Authentication methods: 2-clickAuth uses challenge-response with non-

reusable data. Max level: 4 2. Data protection

a. Locking methods: 2-clickAuth can be used with a PIN-code to lock the phone. Max level: 4

b. Secure hardware: No secure hardware is used. Max level: 3 3. Protocols: A proof-of-possession protocol with shared keys is used. Max

level: 4 4. Attack resistance

a. Online guessing: Passwords are not used. Max level: 4 b. Replay attacks: Non-reusable data is used. Max level: 4 c. Eavesdropping: Since 2-clickAuth is intended for use by mobile

users in diverse locations there is a risk of eavesdropping, but the data cannot be used to gain knowledge about secret keys. Max level: 4

d. MitM: MitM protection is not used, due to availability. Max level: 2.5

e. Verifier impersonation: There is a risk of verifier impersonation, but since the authentication data transferred does not reveal any sensitive information, the impersonating attacker does not gain access to secrets. Max level: 4

f. Session hijacking: No session secrets are used. Max level: 3

CASE STUDIES

35

5. Other factors: It should be possible to use 2-clickAuth in noisy environments such as public places, because it uses optical data transfer. Optical channels are also malware resistant, since data can only be sent as a direct result of user action. No secure hardware can be assumed. Secrets are not revealed to third parties.

6. Conclusions: 2-clickAuth may reach level 2.5 if used with a PIN code. To reach level 3, some kind of MitM mitigation (e.g. using SMS as a side channel) must be used.

5.2.2 Evaluation Case Study: Strong Authentication (SA)

The Strong Authentication (SA) solution consists of several variants wherein a phone operator is considered a trusted third party. A secret identifier stored on the user's SIM card and listed in the phone operator's user database is used to calculate session IDs and challenges. The user authenticates by using one of the following alternatives:

A: The user sends an SMS to the SA server acknowledging that a session ID shown in the computer's browser and one sent to the user's phone are the same.

B: The user sends an SMS to the SA server, containing a response calculated by the phone to a challenge shown in the computer's browser and typed into the phone by the user (or sent via Bluetooth). A variant is that the user receives the challenge via SMS and sends the response via the computer.

C: The EAP-SIM protocol is used for strong authentication via Bluetooth or SMS [13].

1. Authentication methods: A: Identifier based on a static value. Max level: 2. B, C: Non-reusable data, comparable to OTPs. Max level: 4

2. Data protection a. Locking methods: Since the SIM card is used, a PIN code can be

assumed for phone locking. Max level: 4 b. Secure hardware: SIM cards are used in all SA variants. Max

level: 4 3. Protocols: A: Similar to using passwords. Max level: 2. B, C: Proof-of-

possession. Max level: 4 4. Attack resistance

a. Online guessing: Non-reusable data is used. Max level: 4 b. Replay attacks: Authentication data can only be used during the

session. Max level: 4 c. Eavesdropping: A: The session ID is based on a static identifier

and may be eavesdropped. Max level: 2. B, C: Not vulnerable to eavesdropping. Max level: 4

CHAPTER 5

36

d. MitM: A, B: Does not protect against MitM attacks, even if SMS is used for B. This is because the SMS channel is not used as a side channel, but as an alternative to short range channels. Max level: 2. C: MitM protection. Max level: 4

e. Verifier impersonation: A, B: Does not protect against verifier impersonation. Max level: 2. C: Verifier impersonation protection. Max level: 4

f. Session hijacking: A, B: Does not protect against verifier impersonation. Max level: 2. C: Verifier impersonation protection. Max level: 4

5. Other factors: SA requires the participation of a mobile phone operator. Shared secrets are not revealed to third parties in any of the SA variants. In A there are no shared secrets. Only C has authenticated data transfer. It is stated that SA needs to be usable. Bluetooth can spread malware between the phone and the computer. When there is a choice between SMS and Bluetooth, SMS is a better choice if it is feasible to use the phone network.

6. Conclusions: The session ID solution (A) is a simple solution that reaches level 1. Challenge-response solutions (B) reach level 2 and EAP-SIM solutions (C) reach level 3.5.

5.3 Discussion about the Case Studies

In the four case studies we have shown two examples of how our method can be used for design and two more of how it can be used for evaluation of authentication solutions. As shown in the case studies, the method can be used to find examples of feasible designs and provide guidance in making design choices. To use the method, it is not necessary to know in advance which security level the solution should achieve. However, having a security level in mind would facilitate the choice of design.

Using our method to evaluate existing solutions is a more straightforward process than using it for design, as long as the technical details of the solution being evaluated are well understood.

In our case studies we show two very different solutions to demonstrate how our method can help when comparing authentication solutions that are using different channels and features of mobile phones.

37

Chapter 6

Related Work

Here we present related work in the areas of web authentication, identity management, mobile phone authentication and security levels and standards.

6.1 Security Levels and Standards

EAG [5] covers different areas of authentication and discusses technical details and formal security requirements. However, security is the only factor that is discussed. In our work, the aim is to combine the well known and accepted security level concept with factors such as availability, usability and economic factors. This should help developers and evaluators make the best choice among several solutions that meet the same security requirements.

There is no comparison of authentication channels and methods made specifically for mobile phones. However, for the authentication system Strong Authentication with Mobile Phones, which uses a phone's SIM card in authentication, there is a comparison between the different modes of the system in which different channels are used. The comparison shows how the different modes compare to each other when it comes to factors such as cost, infrastructure, security and usability [13]. Cost and infrastructure, e.g. which equipment and networks are needed, are not factors that are explicitly discussed in this paper.

There is also work in progress on evaluating authentication solutions in the area of IMS (IP Multimedia Subsystem). The IMS evaluation method considers several different factors such as security, simplicity and userfriendliness [15].

CHAPTER 6

38

6.2 Mobile Phone Authentication

Here we present a number of different approaches to strong authentication on the web using mobile phones, which have been presented over the years.

6.2.1 Secure Web Authentication

Secure Web Authentication (SWA) proves that a user owns a specific mobile phone, and if the user does, access to a web site is allowed. When a user is going to log in to a web application they are redirected to a trusted third party where they enter a username. A session name, a short string of characters, is then sent to the user’s phone via SMS and is simultaneously shown in the web browser. If an attacker manipulates the session name shown in the browser it will not match the session name sent to the phone. After displaying the session name, the WAP browser of the phone is directed to a site where the user can deny or allow the current session, thus using a direct channel from the phone to the trusted third party instead of via the untrusted computer. If the user allows the current session, the user is logged in on the computer [25].

SWA depends on a side channel. Use of a side channel can increase security, but decreases availability since the user may not have access to (or may not want to access) the mobile phone network. For example, when abroad, the fees for using the phone network can be high, and in such a situation a solution that can be used without connecting to the phone network is less costly for the user. There are also situations when there is no phone network available, for example a CDMA phone will not work on a GSM network.

6.2.2 Strong Authentication with Mobile Phone

The Strong Authentication with Mobile Phone (SA) method consists of several different methods where the user’s phone operator is used as a trusted third party. A secret identifier stored on the user’s SIM card (Subscriber Identity Module) and listed in the phone operator’s user database is used to prove the identity of the user. This secret information is used to calculate session IDs and challenges as described below. When attempting to log in to a web site supporting SA, the user is redirected to the SA server, which acts as a trusted third party. The user then logs in by 1) sending an SMS to the SA server acknowledging that a session ID shown in the computer’s browser and one sent to the user’s phone is the same, or 2) sending an SMS to the SA server, containing a response calculated by the phone to a challenge shown in the computer’s browser and typed into the phone by the user (or sent via Bluetooth), or 3) receiving the challenge from the SA server via SMS, calculating the response with the phone and sending the response to the computer via manual typing or Bluetooth, or 4) using the EAP-SIM protocol for strong authentication via Bluetooth, or 5) using EAP-SIM via SMS. When sending information to the computer a SIM card embedded in a SIM dongle that is connected to the computer

RELATED WORK

39

can be used instead of a phone, in order to avoid the need for Bluetooth pairing [13].

6.2.3 Confident

Confident consists of two authentication solutions where the first is an OTP solution in which the user is presented with ImageShield, a collection of pictures in different categories (for example boats, dogs, people etc). Each picture has an alphabetic character associated with it. The user has chosen three categories beforehand, and when logging in, the user types the characters from the pictures related to the user’s pre-chosen categories. The characters and the position of the images on the screen change between each login. When using this method for the first time on a new computer the user must use an OTP sent by SMS to the user’s phone and typed into the computer’s web browser. This proves that the user has access to the phone, and is therefore considered trustworthy.

The second Confident solution is used without ImageShield and lets the user log in with a static password combined with an OTP sent to the user’s mobile phone and typed into the computer’s web browser [17].

One of the Confident variants uses a side channel, combined with a static password. The ImageShield variant of Confident also uses a side channel the first time a user uses a new computer (for users of Internet cafés and kiosks, this could be a frequent occurrence).

6.2.4 Smokey

Smokey [14] (Synchronizable Mobile Key) generates alphanumeric one time passwords based on a secret key, a counter and the clock of the mobile phone. These factors are shared with the server. The application uses the HOTP [32] algorithm.

The length of the OTP is configurable. By default, four characters from an alphabet of 32 characters are used. This choice is based on a usability test of the solution, in which potential users preferred short alphanumerical passwords over longer numerical passwords.

The user can synchronize the device clock and counter with the server, using HTTP over the phone network or Wi-Fi. Synchronization is useful if the clock has been reset or drifted.

Smokey does not require that the mobile device has phone network connectivity, other than when synchronizing or initializing the application. For the initialization, at the first time of use, the user is given an initialization key from a local IT administrator. The initialization key is to be typed manually into the phone. Smokey is intended to be used in a company or organization where the IT support department can enroll users into the system and provide the initialization keys.

41

Chapter 7

Conclusions and Future Work

Here we present the conclusions of this thesis and propose future work in the area of web authentication for untrusted computers.

7.1 Conclusions

Mobile users on untrusted computers need stronger authentication than passwords can provide. Hardware devices can help increase the security of authentication solutions. The mobile phone is a flexible and capable device with several channels for transferring authentication data. Different channels and authentication methods influence the level of security of authentication solutions, but it may be difficult to get an overview of all combinations of channels and methods. In this thesis we have presented a method for evaluating authentication solutions with mobile phones as hardware devices. This is different from the case where a user authenticates to a web site using the phone's browser (i.e. the phone is used as a handheld computer). In the latter case the phone itself becomes untrusted.

Our method is related to EAG, a standard document for authentication, but has been adapted to apply to the specific problems of mobile phone authentication. We have also introduced intermediary security levels to improve the granularity for comparing authentication methods. To the best of our knowledge, there are currently no other evaluation methods for web authentication with mobile phones. The method can be used both for evaluating existing authentication systems and for designing new solutions. The goal is to help developers create secure authentication, taking availability, usability and economic factors into account.

CHAPTER 7

42

7.2 Future Work

We have identified the following directions for our future work:

7.2.1 Improvements to our Design and Evaluation Method

Factors that impact the overall feasibility of an authentication solution are taken into account in our design and evaluation method. In this thesis we have discussed availability, usability and economic factors. We will investigate in more detail how these factors affect a solution.

Economic factors are especially important if our method is to be used in commercial settings. We have already taken into account the cost issues regarding the use of phone networks and equipment that the user may need for short range communication via specific channels. We intend to investigate other cost issues, such as factors related to deployment and running of authentication systems. We will integrate these factors into our method to help developers create economically feasible solutions.

The factors mentioned above are considered in the final step of our method and impact the overall result of an evaluation or design. However, it is possible to make the method more detailed and accurate if these factors are considered in each step of the method instead of at the end. We will therefore include factors other than security throughout the method. We will also make the method more detailed by adding more factors, such as infrastructure and learnability. Cryptographic protocols and trusted hardware modules and their impact on security will also be considered. Since different factors are important in different cases we will make it possible to add custom factors to the method.

Another part of our method that is to be extended is how it handles practical problems related to authentication, such as reset of credentials, lost authentication devices and account lifetimes. These problems are not directly connected to the authentication process, but to the overall solution.

We will also continue investigating how existing standards and guidelines can help to compare and evaluate authentication solutions. In this thesis we have used EAG. Other possible guidelines and standards are the FIPS guideline [26] for hardware requirements and the Common Criteria [42].

7.2.2 An Expert System for Designing and Evaluating Authentication

Currently our method is designed for manual use by designers and evaluators. It can be difficult to get an overview of the results while using the method. We are developing a tool for automating the development and design processes. The tool will work as an expert system, which will help to determine the security level or propose feasible solutions.

CONCLUSIONS AND FUTURE WORK

43

One reason for developing such a tool is to make it possible to use the method without detailed knowledge of security levels or technical details. We will also make it possible for experts to add knowledge to the method by providing input to the tool so the resulting output from the tool can be more accurate and up-to-date.

7.2.3 Security Requirements for Complex Web Services

Different parts of the same service in some cases have different security requirements. An example is online banking which consists of different subservices on different security levels. Currently there are web sites that allow different authentication methods for different parts of the service depending on how security-critical the specific part is. However, it is not possible for the user to easily switch between security levels. Flexible authentication where the user can actively change the security level (with a minimum level set by the service provider) would make it possible to authenticate more securely from different places.

For web services in which different parts of the service have different security requirements, we will improve our evaluation and design method to be able to handle authentication on different security levels for the different parts of the service. We will also investigate how a solution can be designed that would permit the user to decide on the preferred security level.

We will look into the possibility of creating component-based authentication in which different building blocks are put together to form authentication solutions.

Finally, we will investigate the security requirements of emerging technologies such as identity federations and mashups to see how flexible authentication could help provide versatile authentication in these cases.

45

References

[1] ITG Research and Analysis Team, Web 2.0: Trends, benefits, and risks. Cambridge: IT Governance Publishing, 2008.

[2] K.-J. Lin, “Building Web 2.0”, in Computer, vol. 40, (5), pp. 101-102, May 2007.

[3] M. Bishop, Introduction to Computer Security. Boston, United States: Pearson Education Inc., 2005.

[4] IT Governance Research Team, How to use web 2.0 and social networking sites securely: a pocket guide. Cambridge: IT Governance Publishing, 2009.

[5] W. E. Burr, D. F. Dodson and W. T. Polk. (2006, April). Electronic authentication guideline, recommendations of the national institute of standards and technology. [Online]. Available: http://csrc.nist.gov/publications/nistpubs/800-63/SP800-63V1_0_2.pdf, accessed: 2011-04-21

[6] J. Bonneau and S. Preibusch, “The password thicket: technical and market failures in human authentication on the web,” in Ninth Workshop on the Economics of Information Security, Cambridge, MA, United States, June 2010.

[7] D. Florencio and C. Herley, “A large-scale study of web password habits,” in Proceedings of the 16th International Conference on World Wide Web, Banff, Canada, 2007, pp. 657-666.

[8] B. Ives, K. R. Walsh, and H. Schneider, “The domino effect of password reuse,” Communications of the ACM, vol. 47, (4), pp. 75-78, April 2004.

[9] Panda Security. (2011, March) Creation of new malware increases by 26 percent to reach more than 73,000 samples every day. [Online]. Available: http://press.pandasecurity.com/news/creation-of-new-malware-increases-by-26-percent-to-reach-more-than-73000-samples-every-day-pandalabs-reports/, accessed 2011-03-23.

[10] M. Mannan and P. C. van Oorschot, “Using a personal device to strengthen

REFERENCES

46

password authentication from an untrusted computer,” in Proceedings of the 11th International Conference on Financial cryptography and 1st International conference on Usable Security, Scarborough, Trinidad and Tobago, 2007, pp. 88-103.

[11] L. Lamport, “Password authentication with insecure communication,” Communications of the ACM, vol. 24, (11), pp. 770-772, November 1981.

[12] D. van Thanh, T. Jønvik, B. Feng, D. van Thuan, and I. Jørstad, “Simple strong authentication for internet applications using mobile phones,” in Global Telecommunications Conference (IEEE GLOBECOM), New Orleans, United States, 2008, pp. 1-5.

[13] D. van Thanh, I. Jørstad, T. Jønvik, and D. van Thuan, “Strong authentication with mobile phone as security token,” in IEEE Sixth International Conference on Mobile Adhoc and Sensor Systems (MASS '09), 2009, pp. 777 -782.

[14] J. Hassmund, “Securing credentials on untrusted clients,” M.S. thesis, Department of Computer Science, Linköping University, Linköping, Sweden, 2010.

[15] C. Eliasson, M. Fiedler, and I. Jørstad, “A criteria-based evaluation framework for authentication schemes in IMS,” in Fourth International Conference on Availability, Reliability and Security (ARES’09), Fukoka, Japan, 2009, pp. 865-869.

[16] S. F. Carlton, J. W. Taylor, and J. L. Wyszynski, “Alternative authentication techniques,” in Proceedings of the 11th National Computer Security Conference, Baltimore, MD, United States, 1988, pp. 333-338.

[17] Confident Technologies Inc. (2010) Intuitive and secure image-based authentication solutions. [Online]. Available: http://www.confidenttechnologies.com/, accessed: 2010-05-11.

[18] S. S. Y. Shim, G. Bhalla, and V. Pendyala, “Federated identity management,” Computer, vol. 38, (12), pp. 120-122, 2005.

[19] OpenID Foundation. (2010) Get an OpenID. [Online]. Available: http://openid.net/get-an-openid, accessed: 2010-05-10.

[20] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “Password memorability and security: Empirical results,” IEEE Security & Privacy, vol. 2, (5), pp. 25-31, 2004.

[21] A. Hiltgen, T. Kramp, and T. Weigold, “Secure internet banking authentication,” IEEE Security & Privacy, vol. 4, (2), pp. 21-29, March-April 2006.

[22] F. Aloul, S. Zahidi, and W. El-Hajj, “Two factor authentication using mobile phones,” in IEEE/ACS International Conference on Computer Systems and Applications (AICCSA ‘09), 2009, pp. 641 -644.

[23] A. Vapen, D. Byers, and N. Shahmehri, “2-clickAuth - Optical challenge-response authentication,” in Fifth International Conference on Availability,

REFERENCES

47

Reliability and Security, (ARES '10), Krakow, Poland, 15-18 Feb. 2010, pp.79-86.

[24] K. Rannenberg, “Identity management in mobile cellular networks and related applications,” Information Security Technical Report, vol. 9, (1), pp. 77-85, 2004.

[25] M. Wu, S. Garfinkel, and R. Miller, “Secure web authentication with mobile phones,” in DIMACS Workshop on Usable Privacy and Security Software, Piscataway, NJ, United States, July 2004.

[26] NIST. (2001, May) Security requirements for cryptographic modules. [Online]. Available: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf, 2001, accessed: 2011-04-21

[27] Denso Wave Inc. (2009) QR Code.com. [Online]. Available: http://www.denso-wave.com/qrcode/index-e.html, accessed: 2009-09-16

[28] JanRain. (2009) Relying party stats as of Jan 1st, 2009. [Online]. Available: http://blog.janrain.com/2009/01/relying-party-stats-as-of-jan-1st-2008.html, accessed: 2009-09-25

[29] Bluetooth SIG Inc. (2010) Bluetooth.com. [Online]. Available: http://www.bluetooth.com/bluetooth, accessed: 2010-05-11

[30] A. Vapen and N. Shahmehri. (2009) Optical challenge-response authentication. [Online]. Available: http://www.ida.liu.se/divisions/adit/authentication/, accessed: 2011-04-21

[31] H. Krawczyk, M. Bellare, and R. Canetti. (1997, February) HMAC: Keyed-hashing for message authentication. [Online]. Available: http://www.ietf.org/rfc/rfc2104.txt, accessed: 2009-09-21

[32] D. M'Raihi, M. Bellare, F. Hoornaert, D. Naccache, and O. Ranen. (2005, December) HOTP: An HMAC-based one-time password algorithm. [Online]. Available: http://www.ietf.org/rfc/rfc4226.txt, accessed: 2009-09-21

[33] C. Glenn and R. Madson. (1998, November) The Use of HMAC-SHA-1-96 within ESP and AH. [Online]. Available: http://www.ietf.org/rfc/rfc2404.txt, accessed: 2009-09-23

[34] D. Eastlake. (2006, August) HMAC SHA TSIG algorithm identifiers. [Online]. Available: http://www.ietf.org/rfc/rfc4635.txt, accessed: 2009-09-23

[35] IRDA. (2011) Infrared Data Association. [Online]. Available: http://www.irda.org/, accessed: 2011-04-21

[36] NFC Forum. (2011) NFC Forum. [Online]. Available: http://www.nfc-forum.org, accessed: 2011-04-21

[37] A. Bose, K. G. Shin, “On mobile viruses exploiting messaging and Bluetooth services”, in Securecomm and Workshops, Baltimore, MD, United States, 2006, pp. 1-10.

[38] GS1 AISBL. (2011) GS1 – The global language of business. [Online].

REFERENCES

48

Available: http://www.gs1.org/barcodes, accessed: 2011-04-21

[39] Google. (2010) ZXing. [Online]. Available: http://code.google.com/p/zxing/, accessed: 2010-05-11

[40] Google. (2009) Joid. [Online]. Available: http://code.google.com/p/joid/, accessed: 2010-05-10

[41] [42]

Google. (2011) OpenID4Java. [Online]. Available: http://code.google.com/p/openid4java/, accessed: 2011-02-23 CCRA (2011) Common Criteria. [Online]. Available: http://www.commoncriteriaportal.org/, accessed: 2011-05-03

49

List of Tables

Table 2-1: Current authentication methods ................................................................. 8

Table 2-2: Hardware devices for authentication.......................................................... 9

Table 2-3: Common features of authentication hardware devices .............................. 9

Table 3-1: Features of mobile phone communication channels ................................ 17

Table 4-1: Communication channels ......................................................................... 26

Table 4-2: Machine readable data representation ...................................................... 27

51

List of Figures

Figure 2-1: Attack areas in hardware aided authentication. ...................................... 10

Figure 3-1: Description of the evaluation and design method. ................................. 18

Figure 4-1: A user interacting with the 2-clickAuth OpenID provider ..................... 23

Figure 4-2: 2-clickAuth authentication ...................................................................... 24

Figure 4-3: 2-clickAuth key exchange....................................................................... 25

Figure 4-4: Screenshot of a 2-clickAuth authentication session ............................... 28

Figure 4-5: Authentication speed (milliseconds) when using 2-clickAuth ............... 29

LINKÖPINGS UNIVERSITET

Rapporttyp

Report category

Licentiatavhandling

Examensarbete

C-uppsats

D-uppsats

Övrig rapport

Språk Language

Svenska/Swedish

Engelska/English

Titel Title

Författare Author

Sammanfattning

Authentication methods offer varying levels of security. Methods with one-time credentials generated by dedicated

hardware tokens can reach a high level of security, whereas password-based authentication methods have a low level

of security since passwords can be eavesdropped and stolen by an attacker. Password-based methods are dominant in

web authentication since they are both easy to implement and easy to use. Dedicated hardware, on the other hand, is

not always available to the user, usually requires additional equipment and may be more complex to use than

password-based authentication.

Different services and applications on the web have different requirements for the security of authentication.

Therefore, it is necessary for designers of authentication solutions to address this need for a range of security levels.

Another concern is mobile users authenticating from unknown, and therefore untrusted, computers. This in turn raises

issues of availability, since users need secure authentication to be available, regardless of where they authenticate or

which computer they use.

We propose a method for evaluation and design of web authentication solutions that takes into account a number of

often overlooked design factors, i.e. availability, usability and economic aspects. Our proposed method uses the

concept of security levels from the Electronic Authentication Guideline, provided by NIST.

We focus on the use of handheld devices, especially mobile phones, as a flexible, multi-purpose (i.e. non-

dedicated) hardware device for web authentication. Mobile phones offer unique advantages for secure authentication,

as they are small, flexible and portable, and provide multiple data transfer channels. Phone designs, however, vary

and the choice of channels and authentication methods will influence the security level of authentication. It is not

trivial to maintain a consistent overview of the strengths and weaknesses of the available alternatives. Our evaluation

and design method provides this overview and can help developers and users to compare and choose authentication

solutions.

ISBN

ISRN

Serietitel och serienummer ISSN Title of series, numbering


Thesis No. 1481

Nyckelord Keywords

Datum Date

URL för elektronisk version

X

X

2011-06-13

Avdelning, institution Division, department

Institutionen för datavetenskap

Department of Computer

and Information Science

http://urn.kb.se/resolve?urn=urn:nbn:se:liu:d

iva-67274

Contributions to Web Authentication for Untrusted Computers

Anna Vapen

Authentication, security levels, identity management, 2-clickAuth, information security

978-91-7393-172-4

0280-7971

LiU-Tek-Lic-2011:20


Linköpings universitet

Licentiate Theses

Linköpings Studies in Science and Technology

Faculty of Arts and Sciences

No 17 Vojin Plavsic: Interleaved Processing of Non-Numerical Data Stored on a Cyclic Memory. (Available at: FOA,

Box 1165, S-581 11 Linköping, Sweden. FOA Report B30062E)

No 28 Arne Jönsson, Mikael Patel: An Interactive Flowcharting Technique for Communicating and Realizing Al-

gorithms, 1984.

No 29 Johnny Eckerland: Retargeting of an Incremental Code Generator, 1984.

No 48 Henrik Nordin: On the Use of Typical Cases for Knowledge-Based Consultation and Teaching, 1985.

No 52 Zebo Peng: Steps Towards the Formalization of Designing VLSI Systems, 1985.

No 60 Johan Fagerström: Simulation and Evaluation of Architecture based on Asynchronous Processes, 1985.

No 71 Jalal Maleki: ICONStraint, A Dependency Directed Constraint Maintenance System, 1987.

No 72 Tony Larsson: On the Specification and Verification of VLSI Systems, 1986.

No 73 Ola Strömfors: A Structure Editor for Documents and Programs, 1986.

No 74 Christos Levcopoulos: New Results about the Approximation Behavior of the Greedy Triangulation, 1986.

No 104 Shamsul I. Chowdhury: Statistical Expert Systems - a Special Application Area for Knowledge-Based Computer

Methodology, 1987.

No 108 Rober Bilos: Incremental Scanning and Token-Based Editing, 1987.

No 111 Hans Block: SPORT-SORT Sorting Algorithms and Sport Tournaments, 1987.

No 113 Ralph Rönnquist: Network and Lattice Based Approaches to the Representation of Knowledge, 1987.

No 118 Mariam Kamkar, Nahid Shahmehri: Affect-Chaining in Program Flow Analysis Applied to Queries of Pro-

grams, 1987.

No 126 Dan Strömberg: Transfer and Distribution of Application Programs, 1987.

No 127 Kristian Sandahl: Case Studies in Knowledge Acquisition, Migration and User Acceptance of Expert Systems,

1987.

No 139 Christer Bäckström: Reasoning about Interdependent Actions, 1988.

No 140 Mats Wirén: On Control Strategies and Incrementality in Unification-Based Chart Parsing, 1988.

No 146 Johan Hultman: A Software System for Defining and Controlling Actions in a Mechanical System, 1988.

No 150 Tim Hansen: Diagnosing Faults using Knowledge about Malfunctioning Behavior, 1988.

No 165 Jonas Löwgren: Supporting Design and Management of Expert System User Interfaces, 1989.

No 166 Ola Petersson: On Adaptive Sorting in Sequential and Parallel Models, 1989.

No 174 Yngve Larsson: Dynamic Configuration in a Distributed Environment, 1989.

No 177 Peter Åberg: Design of a Multiple View Presentation and Interaction Manager, 1989.

No 181 Henrik Eriksson: A Study in Domain-Oriented Tool Support for Knowledge Acquisition, 1989.

No 184 Ivan Rankin: The Deep Generation of Text in Expert Critiquing Systems, 1989.

No 187 Simin Nadjm-Tehrani: Contributions to the Declarative Approach to Debugging Prolog Programs, 1989.

No 189 Magnus Merkel: Temporal Information in Natural Language, 1989.

No 196 Ulf Nilsson: A Systematic Approach to Abstract Interpretation of Logic Programs, 1989.

No 197 Staffan Bonnier: Horn Clause Logic with External Procedures: Towards a Theoretical Framework, 1989.

No 203 Christer Hansson: A Prototype System for Logical Reasoning about Time and Action, 1990.

No 212 Björn Fjellborg: An Approach to Extraction of Pipeline Structures for VLSI High-Level Synthesis, 1990.

No 230 Patrick Doherty: A Three-Valued Approach to Non-Monotonic Reasoning, 1990.

No 237 Tomas Sokolnicki: Coaching Partial Plans: An Approach to Knowledge-Based Tutoring, 1990.

No 250 Lars Strömberg: Postmortem Debugging of Distributed Systems, 1990.

No 253 Torbjörn Näslund: SLDFA-Resolution - Computing Answers for Negative Queries, 1990.

No 260 Peter D. Holmes: Using Connectivity Graphs to Support Map-Related Reasoning, 1991.

No 283 Olof Johansson: Improving Implementation of Graphical User Interfaces for Object-Oriented Knowledge- Bases,

1991.

No 298 Rolf G Larsson: Aktivitetsbaserad kalkylering i ett nytt ekonomisystem, 1991.

No 318 Lena Srömbäck: Studies in Extended Unification-Based Formalism for Linguistic Description: An Algorithm for

Feature Structures with Disjunction and a Proposal for Flexible Systems, 1992.

No 319 Mikael Pettersson: DML-A Language and System for the Generation of Efficient Compilers from Denotational

Specification, 1992.

No 326 Andreas Kågedal: Logic Programming with External Procedures: an Implementation, 1992.

No 328 Patrick Lambrix: Aspects of Version Management of Composite Objects, 1992.

No 333 Xinli Gu: Testability Analysis and Improvement in High-Level Synthesis Systems, 1992.

No 335 Torbjörn Näslund: On the Role of Evaluations in Iterative Development of Managerial Support Systems, 1992.

No 348 Ulf Cederling: Industrial Software Development - a Case Study, 1992.

No 352 Magnus Morin: Predictable Cyclic Computations in Autonomous Systems: A Computational Model and Im-

plementation, 1992.

No 371 Mehran Noghabai: Evaluation of Strategic Investments in Information Technology, 1993.

No 378 Mats Larsson: A Transformational Approach to Formal Digital System Design, 1993.

No 380 Johan Ringström: Compiler Generation for Parallel Languages from Denotational Specifications, 1993.

No 381 Michael Jansson: Propagation of Change in an Intelligent Information System, 1993.

No 383 Jonni Harrius: An Architecture and a Knowledge Representation Model for Expert Critiquing Systems, 1993.

No 386 Per Österling: Symbolic Modelling of the Dynamic Environments of Autonomous Agents, 1993.

No 398 Johan Boye: Dependency-based Groudness Analysis of Functional Logic Programs, 1993.

No 402 Lars Degerstedt: Tabulated Resolution for Well Founded Semantics, 1993.

No 406 Anna Moberg: Satellitkontor - en studie av kommunikationsmönster vid arbete på distans, 1993.

No 414 Peter Carlsson: Separation av företagsledning och finansiering - fallstudier av företagsledarutköp ur ett agent-

teoretiskt perspektiv, 1994.

No 417 Camilla Sjöström: Revision och lagreglering - ett historiskt perspektiv, 1994.

No 436 Cecilia Sjöberg: Voices in Design: Argumentation in Participatory Development, 1994.

No 437 Lars Viklund: Contributions to a High-level Programming Environment for a Scientific Computing, 1994.

No 440 Peter Loborg: Error Recovery Support in Manufacturing Control Systems, 1994.

FHS 3/94 Owen Eriksson: Informationssystem med verksamhetskvalitet - utvärdering baserat på ett verksamhetsinriktat och

samskapande perspektiv, 1994.

FHS 4/94 Karin Pettersson: Informationssystemstrukturering, ansvarsfördelning och användarinflytande - En komparativ

studie med utgångspunkt i två informationssystemstrategier, 1994.

No 441 Lars Poignant: Informationsteknologi och företagsetablering - Effekter på produktivitet och region, 1994.

No 446 Gustav Fahl: Object Views of Relational Data in Multidatabase Systems, 1994.

No 450 Henrik Nilsson: A Declarative Approach to Debugging for Lazy Functional Languages, 1994.

No 451 Jonas Lind: Creditor - Firm Relations: an Interdisciplinary Analysis, 1994.

No 452 Martin Sköld: Active Rules based on Object Relational Queries - Efficient Change Monitoring Techniques, 1994.

No 455 Pär Carlshamre: A Collaborative Approach to Usability Engineering: Technical Communicators and System

Developers in Usability-Oriented Systems Development, 1994.

FHS 5/94 Stefan Cronholm: Varför CASE-verktyg i systemutveckling? - En motiv- och konsekvensstudie avseende

arbetssätt och arbetsformer, 1994.

No 462 Mikael Lindvall: A Study of Traceability in Object-Oriented Systems Development, 1994.

No 463 Fredrik Nilsson: Strategi och ekonomisk styrning - En studie av Sandviks förvärv av Bahco Verktyg, 1994.

No 464 Hans Olsén: Collage Induction: Proving Properties of Logic Programs by Program Synthesis, 1994.

No 469 Lars Karlsson: Specification and Synthesis of Plans Using the Features and Fluents Framework, 1995.

No 473 Ulf Söderman: On Conceptual Modelling of Mode Switching Systems, 1995.

No 475 Choong-ho Yi: Reasoning about Concurrent Actions in the Trajectory Semantics, 1995.

No 476 Bo Lagerström: Successiv resultatavräkning av pågående arbeten. - Fallstudier i tre byggföretag, 1995.

No 478 Peter Jonsson: Complexity of State-Variable Planning under Structural Restrictions, 1995.

FHS 7/95 Anders Avdic: Arbetsintegrerad systemutveckling med kalkylprogram, 1995.

No 482 Eva L Ragnemalm: Towards Student Modelling through Collaborative Dialogue with a Learning Companion,

1995.

No 488 Eva Toller: Contributions to Parallel Multiparadigm Languages: Combining Object-Oriented and Rule-Based

Programming, 1995.

No 489 Erik Stoy: A Petri Net Based Unified Representation for Hardware/Software Co-Design, 1995.

No 497 Johan Herber: Environment Support for Building Structured Mathematical Models, 1995.

No 498 Stefan Svenberg: Structure-Driven Derivation of Inter-Lingual Functor-Argument Trees for Multi-Lingual

Generation, 1995.

No 503 Hee-Cheol Kim: Prediction and Postdiction under Uncertainty, 1995.

FHS 8/95 Dan Fristedt: Metoder i användning - mot förbättring av systemutveckling genom situationell metodkunskap och

metodanalys, 1995.

FHS 9/95 Malin Bergvall: Systemförvaltning i praktiken - en kvalitativ studie avseende centrala begrepp, aktiviteter och

ansvarsroller, 1995.

No 513 Joachim Karlsson: Towards a Strategy for Software Requirements Selection, 1995.

No 517 Jakob Axelsson: Schedulability-Driven Partitioning of Heterogeneous Real-Time Systems, 1995.

No 518 Göran Forslund: Toward Cooperative Advice-Giving Systems: The Expert Systems Experience, 1995.

No 522 Jörgen Andersson: Bilder av småföretagares ekonomistyrning, 1995.

No 538 Staffan Flodin: Efficient Management of Object-Oriented Queries with Late Binding, 1996.

No 545 Vadim Engelson: An Approach to Automatic Construction of Graphical User Interfaces for Applications in

Scientific Computing, 1996.

No 546 Magnus Werner : Multidatabase Integration using Polymorphic Queries and Views, 1996.

FiF-a 1/96 Mikael Lind: Affärsprocessinriktad förändringsanalys - utveckling och tillämpning av synsätt och metod, 1996.

No 549 Jonas Hallberg: High-Level Synthesis under Local Timing Constraints, 1996.

No 550 Kristina Larsen: Förutsättningar och begränsningar för arbete på distans - erfarenheter från fyra svenska företag.

1996.

No 557 Mikael Johansson: Quality Functions for Requirements Engineering Methods, 1996.

No 558 Patrik Nordling: The Simulation of Rolling Bearing Dynamics on Parallel Computers, 1996.

No 561 Anders Ekman: Exploration of Polygonal Environments, 1996.

No 563 Niclas Andersson: Compilation of Mathematical Models to Parallel Code, 1996.

No 567 Johan Jenvald: Simulation and Data Collection in Battle Training, 1996.

No 575 Niclas Ohlsson: Software Quality Engineering by Early Identification of Fault-Prone Modules, 1996.

No 576 Mikael Ericsson: Commenting Systems as Design Support—A Wizard-of-Oz Study, 1996.

No 587 Jörgen Lindström: Chefers användning av kommunikationsteknik, 1996.

No 589 Esa Falkenroth: Data Management in Control Applications - A Proposal Based on Active Database Systems,

1996.

No 591 Niclas Wahllöf: A Default Extension to Description Logics and its Applications, 1996.

No 595 Annika Larsson: Ekonomisk Styrning och Organisatorisk Passion - ett interaktivt perspektiv, 1997.

No 597 Ling Lin: A Value-based Indexing Technique for Time Sequences, 1997.

No 598 Rego Granlund: C3Fire - A Microworld Supporting Emergency Management Training, 1997.

No 599 Peter Ingels: A Robust Text Processing Technique Applied to Lexical Error Recovery, 1997.

No 607 Per-Arne Persson: Toward a Grounded Theory for Support of Command and Control in Military Coalitions, 1997.

No 609 Jonas S Karlsson: A Scalable Data Structure for a Parallel Data Server, 1997.

FiF-a 4 Carita Åbom: Videomötesteknik i olika affärssituationer - möjligheter och hinder, 1997.

FiF-a 6 Tommy Wedlund: Att skapa en företagsanpassad systemutvecklingsmodell - genom rekonstruktion, värdering och

vidareutveckling i T50-bolag inom ABB, 1997.

No 615 Silvia Coradeschi: A Decision-Mechanism for Reactive and Coordinated Agents, 1997.

No 623 Jan Ollinen: Det flexibla kontorets utveckling på Digital - Ett stöd för multiflex? 1997.

No 626 David Byers: Towards Estimating Software Testability Using Static Analysis, 1997.

No 627 Fredrik Eklund: Declarative Error Diagnosis of GAPLog Programs, 1997.

No 629 Gunilla Ivefors: Krigsspel och Informationsteknik inför en oförutsägbar framtid, 1997.

No 631 Jens-Olof Lindh: Analysing Traffic Safety from a Case-Based Reasoning Perspective, 1997

No 639 Jukka Mäki-Turja:. Smalltalk - a suitable Real-Time Language, 1997.

No 640 Juha Takkinen: CAFE: Towards a Conceptual Model for Information Management in Electronic Mail, 1997.

No 643 Man Lin: Formal Analysis of Reactive Rule-based Programs, 1997.

No 653 Mats Gustafsson: Bringing Role-Based Access Control to Distributed Systems, 1997.

FiF-a 13 Boris Karlsson: Metodanalys för förståelse och utveckling av systemutvecklingsverksamhet. Analys och värdering

av systemutvecklingsmodeller och dess användning, 1997.

No 674 Marcus Bjäreland: Two Aspects of Automating Logics of Action and Change - Regression and Tractability,

1998.

No 676 Jan Håkegård: Hierarchical Test Architecture and Board-Level Test Controller Synthesis, 1998.

No 668 Per-Ove Zetterlund: Normering av svensk redovisning - En studie av tillkomsten av Redovisningsrådets re-

kommendation om koncernredovisning (RR01:91), 1998.

No 675 Jimmy Tjäder: Projektledaren & planen - en studie av projektledning i tre installations- och systemutveck-

lingsprojekt, 1998.

FiF-a 14 Ulf Melin: Informationssystem vid ökad affärs- och processorientering - egenskaper, strategier och utveckling,

1998.

No 695 Tim Heyer: COMPASS: Introduction of Formal Methods in Code Development and Inspection, 1998.

No 700 Patrik Hägglund: Programming Languages for Computer Algebra, 1998.

FiF-a 16 Marie-Therese Christiansson: Inter-organisatorisk verksamhetsutveckling - metoder som stöd vid utveckling av

partnerskap och informationssystem, 1998.

No 712 Christina Wennestam: Information om immateriella resurser. Investeringar i forskning och utveckling samt i

personal inom skogsindustrin, 1998.

No 719 Joakim Gustafsson: Extending Temporal Action Logic for Ramification and Concurrency, 1998.

No 723 Henrik André-Jönsson: Indexing time-series data using text indexing methods, 1999.

No 725 Erik Larsson: High-Level Testability Analysis and Enhancement Techniques, 1998.

No 730 Carl-Johan Westin: Informationsförsörjning: en fråga om ansvar - aktiviteter och uppdrag i fem stora svenska

organisationers operativa informationsförsörjning, 1998.

No 731 Åse Jansson: Miljöhänsyn - en del i företags styrning, 1998.

No 733 Thomas Padron-McCarthy: Performance-Polymorphic Declarative Queries, 1998.

No 734 Anders Bäckström: Värdeskapande kreditgivning - Kreditriskhantering ur ett agentteoretiskt perspektiv, 1998.

FiF-a 21 Ulf Seigerroth: Integration av förändringsmetoder - en modell för välgrundad metodintegration, 1999.

FiF-a 22 Fredrik Öberg: Object-Oriented Frameworks - A New Strategy for Case Tool Development, 1998.

No 737 Jonas Mellin: Predictable Event Monitoring, 1998.

No 738 Joakim Eriksson: Specifying and Managing Rules in an Active Real-Time Database System, 1998.

FiF-a 25 Bengt E W Andersson: Samverkande informationssystem mellan aktörer i offentliga åtaganden - En teori om

aktörsarenor i samverkan om utbyte av information, 1998.

No 742 Pawel Pietrzak: Static Incorrectness Diagnosis of CLP (FD), 1999.

No 748 Tobias Ritzau: Real-Time Reference Counting in RT-Java, 1999.

No 751 Anders Ferntoft: Elektronisk affärskommunikation - kontaktkostnader och kontaktprocesser mellan kunder och

leverantörer på producentmarknader, 1999.

No 752 Jo Skåmedal: Arbete på distans och arbetsformens påverkan på resor och resmönster, 1999.

No 753 Johan Alvehus: Mötets metaforer. En studie av berättelser om möten, 1999.

No 754 Magnus Lindahl: Bankens villkor i låneavtal vid kreditgivning till högt belånade företagsförvärv: En studie ur ett

agentteoretiskt perspektiv, 2000.

No 766 Martin V. Howard: Designing dynamic visualizations of temporal data, 1999.

No 769 Jesper Andersson: Towards Reactive Software Architectures, 1999.

No 775 Anders Henriksson: Unique kernel diagnosis, 1999.

FiF-a 30 Pär J. Ågerfalk: Pragmatization of Information Systems - A Theoretical and Methodological Outline, 1999.

No 787 Charlotte Björkegren: Learning for the next project - Bearers and barriers in knowledge transfer within an

organisation, 1999.

No 788 Håkan Nilsson: Informationsteknik som drivkraft i granskningsprocessen - En studie av fyra revisionsbyråer,

2000.

No 790 Erik Berglund: Use-Oriented Documentation in Software Development, 1999.

No 791 Klas Gäre: Verksamhetsförändringar i samband med IS-införande, 1999.

No 800 Anders Subotic: Software Quality Inspection, 1999.

No 807 Svein Bergum: Managerial communication in telework, 2000.

No 809 Flavius Gruian: Energy-Aware Design of Digital Systems, 2000.

FiF-a 32 Karin Hedström: Kunskapsanvändning och kunskapsutveckling hos verksamhetskonsulter - Erfarenheter från ett

FOU-samarbete, 2000.

No 808 Linda Askenäs: Affärssystemet - En studie om teknikens aktiva och passiva roll i en organisation, 2000.

No 820 Jean Paul Meynard: Control of industrial robots through high-level task programming, 2000.

No 823 Lars Hult: Publika Gränsytor - ett designexempel, 2000.

No 832 Paul Pop: Scheduling and Communication Synthesis for Distributed Real-Time Systems, 2000.

FiF-a 34 Göran Hultgren: Nätverksinriktad Förändringsanalys - perspektiv och metoder som stöd för förståelse och

utveckling av affärsrelationer och informationssystem, 2000.

No 842 Magnus Kald: The role of management control systems in strategic business units, 2000.

No 844 Mikael Cäker: Vad kostar kunden? Modeller för intern redovisning, 2000.

FiF-a 37 Ewa Braf: Organisationers kunskapsverksamheter - en kritisk studie av ”knowledge management”, 2000.

FiF-a 40 Henrik Lindberg: Webbaserade affärsprocesser - Möjligheter och begränsningar, 2000.

FiF-a 41 Benneth Christiansson: Att komponentbasera informationssystem - Vad säger teori och praktik?, 2000.

No. 854 Ola Pettersson: Deliberation in a Mobile Robot, 2000.

No 863 Dan Lawesson: Towards Behavioral Model Fault Isolation for Object Oriented Control Systems, 2000.

No 881 Johan Moe: Execution Tracing of Large Distributed Systems, 2001.

No 882 Yuxiao Zhao: XML-based Frameworks for Internet Commerce and an Implementation of B2B e-procurement,

2001.

No 890 Annika Flycht-Eriksson: Domain Knowledge Management in Information-providing Dialogue systems, 2001.

FiF-a 47 Per-Arne Segerkvist: Webbaserade imaginära organisationers samverkansformer: Informationssystemarkitektur

och aktörssamverkan som förutsättningar för affärsprocesser, 2001.

No 894 Stefan Svarén: Styrning av investeringar i divisionaliserade företag - Ett koncernperspektiv, 2001.

No 906 Lin Han: Secure and Scalable E-Service Software Delivery, 2001.

No 917 Emma Hansson: Optionsprogram för anställda - en studie av svenska börsföretag, 2001.

No 916 Susanne Odar: IT som stöd för strategiska beslut, en studie av datorimplementerade modeller av verksamhet som

stöd för beslut om anskaffning av JAS 1982, 2002.

FiF-a-49 Stefan Holgersson: IT-system och filtrering av verksamhetskunskap - kvalitetsproblem vid analyser och be-

slutsfattande som bygger på uppgifter hämtade från polisens IT-system, 2001.

FiF-a-51 Per Oscarsson: Informationssäkerhet i verksamheter - begrepp och modeller som stöd för förståelse av infor-

mationssäkerhet och dess hantering, 2001.

No 919 Luis Alejandro Cortes: A Petri Net Based Modeling and Verification Technique for Real-Time Embedded

Systems, 2001.

No 915 Niklas Sandell: Redovisning i skuggan av en bankkris - Värdering av fastigheter. 2001.

No 931 Fredrik Elg: Ett dynamiskt perspektiv på individuella skillnader av heuristisk kompetens, intelligens, mentala

modeller, mål och konfidens i kontroll av mikrovärlden Moro, 2002.

No 933 Peter Aronsson: Automatic Parallelization of Simulation Code from Equation Based Simulation Languages, 2002.

No 938 Bourhane Kadmiry: Fuzzy Control of Unmanned Helicopter, 2002.

No 942 Patrik Haslum: Prediction as a Knowledge Representation Problem: A Case Study in Model Design, 2002.

No 956 Robert Sevenius: On the instruments of governance - A law & economics study of capital instruments in limited

liability companies, 2002.

FiF-a 58 Johan Petersson: Lokala elektroniska marknadsplatser - informationssystem för platsbundna affärer, 2002.

No 964 Peter Bunus: Debugging and Structural Analysis of Declarative Equation-Based Languages, 2002.

No 973 Gert Jervan: High-Level Test Generation and Built-In Self-Test Techniques for Digital Systems, 2002.

No 958 Fredrika Berglund: Management Control and Strategy - a Case Study of Pharmaceutical Drug Development,

2002.

FiF-a 61 Fredrik Karlsson: Meta-Method for Method Configuration - A Rational Unified Process Case, 2002.

No 985 Sorin Manolache: Schedulability Analysis of Real-Time Systems with Stochastic Task Execution Times, 2002.

No 982 Diana Szentiványi: Performance and Availability Trade-offs in Fault-Tolerant Middleware, 2002.

No 989 Iakov Nakhimovski: Modeling and Simulation of Contacting Flexible Bodies in Multibody Systems, 2002.

No 990 Levon Saldamli: PDEModelica - Towards a High-Level Language for Modeling with Partial Differential

Equations, 2002.

No 991 Almut Herzog: Secure Execution Environment for Java Electronic Services, 2002.

No 999 Jon Edvardsson: Contributions to Program- and Specification-based Test Data Generation, 2002.

No 1000 Anders Arpteg: Adaptive Semi-structured Information Extraction, 2002.

No 1001 Andrzej Bednarski: A Dynamic Programming Approach to Optimal Retargetable Code Generation for Irregular

Architectures, 2002.

No 988 Mattias Arvola: Good to use! : Use quality of multi-user applications in the home, 2003.

FiF-a 62 Lennart Ljung: Utveckling av en projektivitetsmodell - om organisationers förmåga att tillämpa

projektarbetsformen, 2003.

No 1003 Pernilla Qvarfordt: User experience of spoken feedback in multimodal interaction, 2003.

No 1005 Alexander Siemers: Visualization of Dynamic Multibody Simulation With Special Reference to Contacts, 2003.

No 1008 Jens Gustavsson: Towards Unanticipated Runtime Software Evolution, 2003.

No 1010 Calin Curescu: Adaptive QoS-aware Resource Allocation for Wireless Networks, 2003.

No 1015 Anna Andersson: Management Information Systems in Process-oriented Healthcare Organisations, 2003.

No 1018 Björn Johansson: Feedforward Control in Dynamic Situations, 2003.

No 1022 Traian Pop: Scheduling and Optimisation of Heterogeneous Time/Event-Triggered Distributed Embedded

Systems, 2003.

FiF-a 65 Britt-Marie Johansson: Kundkommunikation på distans - en studie om kommunikationsmediets betydelse i

affärstransaktioner, 2003.

No 1024 Aleksandra Tešanovic: Towards Aspectual Component-Based Real-Time System Development, 2003.

No 1034 Arja Vainio-Larsson: Designing for Use in a Future Context - Five Case Studies in Retrospect, 2003.

No 1033 Peter Nilsson: Svenska bankers redovisningsval vid reservering för befarade kreditförluster - En studie vid

införandet av nya redovisningsregler, 2003.

FiF-a 69 Fredrik Ericsson: Information Technology for Learning and Acquiring of Work Knowledge, 2003.

No 1049 Marcus Comstedt: Towards Fine-Grained Binary Composition through Link Time Weaving, 2003.

No 1052 Åsa Hedenskog: Increasing the Automation of Radio Network Control, 2003.

No 1054 Claudiu Duma: Security and Efficiency Tradeoffs in Multicast Group Key Management, 2003.

FiF-a 71 Emma Eliason: Effektanalys av IT-systems handlingsutrymme, 2003.

No 1055 Carl Cederberg: Experiments in Indirect Fault Injection with Open Source and Industrial Software, 2003.

No 1058 Daniel Karlsson: Towards Formal Verification in a Component-based Reuse Methodology, 2003.

FiF-a 73 Anders Hjalmarsson: Att etablera och vidmakthålla förbättringsverksamhet - behovet av koordination och

interaktion vid förändring av systemutvecklingsverksamheter, 2004.

No 1079 Pontus Johansson: Design and Development of Recommender Dialogue Systems, 2004.

No 1084 Charlotte Stoltz: Calling for Call Centres - A Study of Call Centre Locations in a Swedish Rural Region, 2004.

FiF-a 74 Björn Johansson: Deciding on Using Application Service Provision in SMEs, 2004.

No 1094 Genevieve Gorrell: Language Modelling and Error Handling in Spoken Dialogue Systems, 2004.

No 1095 Ulf Johansson: Rule Extraction - the Key to Accurate and Comprehensible Data Mining Models, 2004.

No 1099 Sonia Sangari: Computational Models of Some Communicative Head Movements, 2004.

No 1110 Hans Nässla: Intra-Family Information Flow and Prospects for Communication Systems, 2004.

No 1116 Henrik Sällberg: On the value of customer loyalty programs - A study of point programs and switching costs,

2004.

FiF-a 77 Ulf Larsson: Designarbete i dialog - karaktärisering av interaktionen mellan användare och utvecklare i en

systemutvecklingsprocess, 2004.

No 1126 Andreas Borg: Contribution to Management and Validation of Non-Functional Requirements, 2004.

No 1127 Per-Ola Kristensson: Large Vocabulary Shorthand Writing on Stylus Keyboard, 2004.

No 1132 Pär-Anders Albinsson: Interacting with Command and Control Systems: Tools for Operators and Designers,

2004.

No 1130 Ioan Chisalita: Safety-Oriented Communication in Mobile Networks for Vehicles, 2004.

No 1138 Thomas Gustafsson: Maintaining Data Consistency in Embedded Databases for Vehicular Systems, 2004.

No 1149 Vaida Jakoniené: A Study in Integrating Multiple Biological Data Sources, 2005.

No 1156 Abdil Rashid Mohamed: High-Level Techniques for Built-In Self-Test Resources Optimization, 2005.

No 1162 Adrian Pop: Contributions to Meta-Modeling Tools and Methods, 2005.

No 1165 Fidel Vascós Palacios: On the information exchange between physicians and social insurance officers in the sick

leave process: an Activity Theoretical perspective, 2005.

FiF-a 84 Jenny Lagsten: Verksamhetsutvecklande utvärdering i informationssystemprojekt, 2005.

No 1166 Emma Larsdotter Nilsson: Modeling, Simulation, and Visualization of Metabolic Pathways Using Modelica,

2005.

No 1167 Christina Keller: Virtual Learning Environments in higher education. A study of students’ acceptance of edu-

cational technology, 2005.

No 1168 Cécile Åberg: Integration of organizational workflows and the Semantic Web, 2005.

FiF-a 85 Anders Forsman: Standardisering som grund för informationssamverkan och IT-tjänster - En fallstudie baserad på

trafikinformationstjänsten RDS-TMC, 2005.

No 1171 Yu-Hsing Huang: A systemic traffic accident model, 2005.

FiF-a 86 Jan Olausson: Att modellera uppdrag - grunder för förståelse av processinriktade informationssystem i

transaktionsintensiva verksamheter, 2005.

No 1172 Petter Ahlström: Affärsstrategier för seniorbostadsmarknaden, 2005.

No 1183 Mathias Cöster: Beyond IT and Productivity - How Digitization Transformed the Graphic Industry, 2005.

No 1184 Åsa Horzella: Beyond IT and Productivity - Effects of Digitized Information Flows in Grocery Distribution, 2005.

No 1185 Maria Kollberg: Beyond IT and Productivity - Effects of Digitized Information Flows in the Logging Industry,

2005.

No 1190 David Dinka: Role and Identity - Experience of technology in professional settings, 2005.

No 1191 Andreas Hansson: Increasing the Storage Capacity of Recursive Auto-associative Memory by Segmenting Data,

2005.

No 1192 Nicklas Bergfeldt: Towards Detached Communication for Robot Cooperation, 2005.

No 1194 Dennis Maciuszek: Towards Dependable Virtual Companions for Later Life, 2005.

No 1204 Beatrice Alenljung: Decision-making in the Requirements Engineering Process: A Human-centered Approach,

2005.

No 1206 Anders Larsson: System-on-Chip Test Scheduling and Test Infrastructure Design, 2005.

No 1207 John Wilander: Policy and Implementation Assurance for Software Security, 2005.

No 1209 Andreas Käll: Översättningar av en managementmodell - En studie av införandet av Balanced Scorecard i ett

landsting, 2005.

No 1225 He Tan: Aligning and Merging Biomedical Ontologies, 2006.

No 1228 Artur Wilk: Descriptive Types for XML Query Language Xcerpt, 2006.

No 1229 Per Olof Pettersson: Sampling-based Path Planning for an Autonomous Helicopter, 2006.

No 1231 Kalle Burbeck: Adaptive Real-time Anomaly Detection for Safeguarding Critical Networks, 2006.

No 1233 Daniela Mihailescu: Implementation Methodology in Action: A Study of an Enterprise Systems Implementation

Methodology, 2006.

No 1244 Jörgen Skågeby: Public and Non-public gifting on the Internet, 2006.

No 1248 Karolina Eliasson: The Use of Case-Based Reasoning in a Human-Robot Dialog System, 2006.

No 1263 Misook Park-Westman: Managing Competence Development Programs in a Cross-Cultural Organisation - What

are the Barriers and Enablers, 2006. FiF-a 90 Amra Halilovic: Ett praktikperspektiv på hantering av mjukvarukomponenter, 2006.

No 1272 Raquel Flodström: A Framework for the Strategic Management of Information Technology, 2006.

No 1277 Viacheslav Izosimov: Scheduling and Optimization of Fault-Tolerant Embedded Systems, 2006.

No 1283 Håkan Hasewinkel: A Blueprint for Using Commercial Games off the Shelf in Defence Training, Education and

Research Simulations, 2006.

FiF-a 91 Hanna Broberg: Verksamhetsanpassade IT-stöd - Designteori och metod, 2006.

No 1286 Robert Kaminski: Towards an XML Document Restructuring Framework, 2006.

No 1293 Jiri Trnka: Prerequisites for data sharing in emergency management, 2007.

No 1302 Björn Hägglund: A Framework for Designing Constraint Stores, 2007.

No 1303 Daniel Andreasson: Slack-Time Aware Dynamic Routing Schemes for On-Chip Networks, 2007.

No 1305 Magnus Ingmarsson: Modelling User Tasks and Intentions for Service Discovery in Ubiquitous Computing,

2007.

No 1306 Gustaf Svedjemo: Ontology as Conceptual Schema when Modelling Historical Maps for Database Storage, 2007.

No 1307 Gianpaolo Conte: Navigation Functionalities for an Autonomous UAV Helicopter, 2007.

No 1309 Ola Leifler: User-Centric Critiquing in Command and Control: The DKExpert and ComPlan Approaches, 2007.

No 1312 Henrik Svensson: Embodied simulation as off-line representation, 2007.

No 1313 Zhiyuan He: System-on-Chip Test Scheduling with Defect-Probability and Temperature Considerations, 2007.

No 1317 Jonas Elmqvist: Components, Safety Interfaces and Compositional Analysis, 2007.

No 1320 Håkan Sundblad: Question Classification in Question Answering Systems, 2007.

No 1323 Magnus Lundqvist: Information Demand and Use: Improving Information Flow within Small-scale Business

Contexts, 2007.

No 1329 Martin Magnusson: Deductive Planning and Composite Actions in Temporal Action Logic, 2007.

No 1331 Mikael Asplund: Restoring Consistency after Network Partitions, 2007.

No 1332 Martin Fransson: Towards Individualized Drug Dosage - General Methods and Case Studies, 2007.

No 1333 Karin Camara: A Visual Query Language Served by a Multi-sensor Environment, 2007.

No 1337 David Broman: Safety, Security, and Semantic Aspects of Equation-Based Object-Oriented Languages and

Environments, 2007.

No 1339 Mikhail Chalabine: Invasive Interactive Parallelization, 2007.

No 1351 Susanna Nilsson: A Holistic Approach to Usability Evaluations of Mixed Reality Systems, 2008.

No 1353 Shanai Ardi: A Model and Implementation of a Security Plug-in for the Software Life Cycle, 2008.

No 1356 Erik Kuiper: Mobility and Routing in a Delay-tolerant Network of Unmanned Aerial Vehicles, 2008.

No 1359 Jana Rambusch: Situated Play, 2008.

No 1361 Martin Karresand: Completing the Picture - Fragments and Back Again, 2008.

No 1363 Per Nyblom: Dynamic Abstraction for Interleaved Task Planning and Execution, 2008.

No 1371 Fredrik Lantz:Terrain Object Recognition and Context Fusion for Decision Support, 2008.

No 1373 Martin Östlund: Assistance Plus: 3D-mediated Advice-giving on Pharmaceutical Products, 2008.

No 1381 Håkan Lundvall: Automatic Parallelization using Pipelining for Equation-Based Simulation Languages, 2008.

No 1386 Mirko Thorstensson: Using Observers for Model Based Data Collection in Distributed Tactical Operations, 2008.

No 1387 Bahlol Rahimi: Implementation of Health Information Systems, 2008.

No 1392 Maria Holmqvist: Word Alignment by Re-using Parallel Phrases, 2008.

No 1393 Mattias Eriksson: Integrated Software Pipelining, 2009.

No 1401 Annika Öhgren: Towards an Ontology Development Methodology for Small and Medium-sized Enterprises,

2009.

No 1410 Rickard Holsmark: Deadlock Free Routing in Mesh Networks on Chip with Regions, 2009.

No 1421 Sara Stymne: Compound Processing for Phrase-Based Statistical Machine Translation, 2009.

No 1427 Tommy Ellqvist: Supporting Scientific Collaboration through Workflows and Provenance, 2009.

No 1450 Fabian Segelström: Visualisations in Service Design, 2010.

No 1459 Min Bao: System Level Techniques for Temperature-Aware Energy Optimization, 2010.

No 1466 Mohammad Saifullah: Exploring Biologically Inspired Interactive Networks for Object Recognition, 2011

No 1468 Qiang Liu: Dealing with Missing Mappings and Structure in a Network of Ontologies, 2011.

No 1469 Ruxandra Pop: Mapping Concurrent Applications to Multiprocessor Systems with Multithreaded Processors and

Network on Chip-Based Interconnections, 2011

No 1476 Per-Magnus Olsson: Positioning Algorithms for Surveillance Using Unmanned Aerial Vehicles, 2011

No 1481 Anna Vapen: Contributions to Web Authentication for Untrusted Computers, 2011

No 1485 Loove Broms: Sustainable Interactions: Studies in the Design of Energy Awareness Artefacts, 2011

FiF-a 101 Johan Blomkvist: Conceptualising Prototypes in Service Design, 2011

No 1490 Håkan Warnquist: Computer-Assisted Troubleshooting for Efficient Off-board Diagnosis, 2011