ABSTRACT
We define and formalise a generic cryptographic construction that underpins the coupling of companion devices (e.g., biometrics-enabled devices) with main devices (e.g., PCs) in a user-aware manner, mainly for on-demand authentication and secure storage for applications running on the main device. We define the security requirements of such constructions, provide a full instantiation in a protocol suite, and prove its computational as well as Dolev-Yao security. Finally, we implement our protocol suite and one password-manager use-case.
Index Terms
- Formalising Application-Driven Authentication & Access-Control based on Users’ Companion Devices