• PDF / 263,071 Bytes
• 14 Pages / 439.363 x 666.131 pts Page_size
• 51 Downloads / 271 Views

DOWNLOAD

REPORT

University of Calgary, Canada {rei,nasafa}@ucalgary.ca 2 Newcastle University, UK [email protected]

Abstract. In an implicit authentication system, a user profile is used as an additional factor to strengthen the authentication of mobile users. The profile consists of features that are constructed using the history of user actions on her mobile device over time. The profile is stored on a server and is used to authenticate an access request originated from the device at a later time. An access request will include a vector of recent features measurements on the device that will be matched against the stored features to accept or reject the request. The features however include private information such as user location or web sites they have visited. In this paper we propose privacy-preserving implicit authentication which achieves implicit authentication without revealing unnecessary information about the users’ usage profiles to the server. We propose an architecture, give formal security models, and propose constructions with provable security. We consider two security models, namely for cases where the device behaves semi-honestly or maliciously. Keywords: Implicit Authentication, User Privacy, Homomorphic Encryption, Provable Security, Behavioural Features.

1

Introduction

In mobile applications such as mobile commerce, users often provide authentication information using Mobile Internet Devices (MIDs) including cell phones and notebooks. In most cases however, password authentication is the primary method of authentication. The weaknesses of password-based authentication systems, including widespread usage of weak passwords, have been widely studied (see e.g. [25] and references within). In addition to these weaknesses, limitations of user interface on MIDs results in an error prone process for inputting passwords, encouraging even poorer choices of password by users. To strengthen authentication, two-factor authentication has been proposed. The second factor, when based on extra hardware such as SecureID tokens, have additional cost and limit their wide application. An attractive method of strengthening password systems is implicit authentication [13] which effectively adds a second factor to authentication. The idea is to use the history of device usage to construct features, that are used to provide a second factor for verifying an access request from a user with a claimed identity. Experiments in [13] N. Cuppens-Boulahia et al. (Eds.): SEC 2014, IFIP AICT 428, pp. 471–484, 2014. c IFIP International Federation for Information Processing 2014 

472

N.A. Safa, R. Safavi-Naini, and S.F. Shahandashti

showed that features extracted from device history can be effectively used to distinguish users. Although the approach is applicable to any computing device, it is primarily used to enhance security of mobile users carrying MIDs. The user profile includes private information including (i) device data, such as GPS location data and WiFi/Bluetooth connections, (ii) carrier data, such as information o

Recommend Documents

Sensor Fusion Based Implicit Authentication for Smartphones

172 54 564KB

Implicit Knowledge

185 93 25MB

Implicit Theories

162 44 35MB

Implicit Definitions

199 112 43MB

Authentication

149 10 2MB

Authentication

179 68 6MB

Implicit Event

178 45 2MB

Authentication

195 43 49MB

Authentication

223 47 47MB

Implicit Beliefs

160 80 35MB

Implicit Beliefs

173 75 54MB

Implicit enumeration

157 10 24KB