IEEE APRIL-2012
A SEMINAR PRESENTATION ON:
OPASS: A USER AUTHENTICATION PROTOCOL RESISTANT TO PASSWORD STEALING AND PASSWORD REUSE ATTACKS
Submitted by AKANKSH S
Under the guidance of Mr. SHIVANANDA C S
DEPARTMENT OF COMPUTER SCIENCE ENGINEERING, VIVEKANANDA INSTITUTE OF TECHNOLOGY, BANGALORE.
2011-2012
OUTLINE
1. INTRODUCTION
2. AUTHENTICATION TYPES
3. WHAT IS OPASS
4. MAIN COMPONENTS
5. ARCHITECTURE OF OPASS AND ITS ASSUMPTIONS
6. WORKING
7. ADVANTAGE
8. ADVANTAGE VIDEO
9. REAL TIME VIDEO
10. CONCLUSION
INTRODUCTION
People nowadays rely heavily on the Internet, since conventional activities can be carried out through network services.
User authentication is handled only by text passwords for most websites.
Password-based user authentication has a major problem: humans are not good at memorizing text strings.
Most users choose easy-to-remember passwords and reuse them, even though they know the passwords might be unsafe.
Phishing attacks and malware are threats against password protection.
AUTHENTICATION TYPES
Researchers have investigated a variety of technologies for providing a user authentication procedure. They are:
Graphical Password Schemes
Password Management Tools
AUTHENTICATION TYPES (CONT.)
Three-Factor Authentication
Two-Factor Authentication
WHAT IS OPASS?
oPass is a two-factor authentication scheme.
The main concept of oPass is to free users from having to remember or type any passwords into conventional computers for authentication.
oPass uses the user's cell phone and the short message service (SMS) to prevent password stealing and password reuse attacks.
MAIN COMPONENTS
One-time password
SMS channel
3G connection
ARCHITECTURE OF OPASS AND ITS ASSUMPTIONS
ARCHITECTURE
For users to perform secure login on an untrusted computer (kiosk), oPass consists of a trusted cell phone, a browser on the kiosk, and a web server that users wish to access.
The user operates her cell phone and the untrusted computer directly to accomplish secure logins to the web server.
ASSUMPTIONS
Each web server possesses a unique phone number.
The users' cell phones are malware-free.
The telecommunication service provider (TSP) will participate in the registration and recovery phases.
Subscribers (i.e., users) connect to the TSP via 3G connections to protect the transmission.
The TSP and the web server establish a secure sockets layer (SSL) tunnel to prevent phishing attacks.
If a user loses her cell phone, she can notify her TSP and apply for a new SIM card with the same phone number, and she can then perform the recovery phase using a new cell phone.
WORKING
oPass consists of a registration phase, a login phase, and a recovery phase.
We introduce the details of these three phases in turn. The next slide describes the operation flow of the user during each phase of oPass.
Operation flow for the user in each phase of the oPass system:

Registration phase
1. Open registration service on phone
2. Fill out form and submit by phone
3. Input a long-term password into phone and submit by phone
4. Registration success

Login phase
1. Open login page
2. Enter account ID and submit by browser
3. Launch software on phone
4. Enter long-term password and submit by phone
5. Receive a success message? Yes: login success

Recovery phase
1. Open recovery service on phone
2. Fill out form and submit by browser
3. Enter a long-term password and submit on phone
4. Recovery success
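The login flow above, as an added example that is not part of the original presentation or of the oPass paper: a small Python model of the three roles, where the kiosk browser submits only the account ID and the phone sends a one-time password over the SMS channel. The per-server secret derivation and the counter-based OTP are illustrative assumptions, not the paper's construction; the server phone number, account ID and password are constructed sample values.

```python
import hashlib
import hmac

# Model of the oPass roles: trusted phone, untrusted kiosk browser, web server.
# The OTP construction below is assumed for illustration, not taken from the paper.

def derive_secret(long_term_password: str, server_number: str) -> bytes:
    # One remembered long-term password, one derived secret per server phone number.
    return hashlib.sha256(f"{long_term_password}|{server_number}".encode()).digest()

def one_time_password(secret: bytes, counter: int) -> str:
    # Counter-based OTP: each counter value is accepted by the server only once.
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).hexdigest()[:8]

class WebServer:
    def __init__(self, phone_number: str):
        self.phone_number = phone_number   # oPass assumes each server has a unique number
        self.accounts = {}                 # account_id -> [secret, last counter accepted]
        self.pending = set()               # logins started from a browser, awaiting an SMS

    def register(self, account_id: str, secret: bytes) -> None:
        self.accounts[account_id] = [secret, 0]   # registration phase (via the TSP in oPass)

    def start_login(self, account_id: str) -> None:
        self.pending.add(account_id)       # the kiosk browser submits the account ID only

    def verify_sms(self, account_id: str, counter: int, otp: str) -> str:
        if account_id not in self.pending or account_id not in self.accounts:
            return "failure"
        secret, last = self.accounts[account_id]
        if counter <= last or not hmac.compare_digest(one_time_password(secret, counter), otp):
            return "failure"               # replayed, stale, or wrong-password OTP
        self.accounts[account_id][1] = counter
        self.pending.discard(account_id)
        return "success"                   # the success message sent back to the phone

def phone_login(server: WebServer, account_id: str, password: str, counter: int) -> str:
    # The phone derives the OTP and sends it over the SMS channel; the kiosk never sees it.
    otp = one_time_password(derive_secret(password, server.phone_number), counter)
    return server.verify_sms(account_id, counter, otp)

def run_login_demo() -> dict:
    server = WebServer("+1-555-0100")          # constructed sample number
    kiosk_sees = []                            # everything typed into the untrusted kiosk
    server.register("alice", derive_secret("correct horse battery", server.phone_number))
    kiosk_sees.append("alice"); server.start_login("alice")
    first = phone_login(server, "alice", "correct horse battery", counter=1)
    kiosk_sees.append("alice"); server.start_login("alice")
    replay = phone_login(server, "alice", "correct horse battery", counter=1)  # same OTP again
    wrong = phone_login(server, "alice", "wrong password", counter=2)
    fresh = phone_login(server, "alice", "correct horse battery", counter=2)
    return {"first": first, "replay": replay, "wrong": wrong, "fresh": fresh, "kiosk": kiosk_sees}
```

The returned dictionary shows the property the slides claim: the kiosk log holds only the account ID, a replayed OTP is rejected, and only a fresh OTP derived from the correct long-term password succeeds.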
REGISTRATION PHASE
LOGIN PHASE
RECOVERY PHASE
ADVANTAGE
Anti-Malware
Phishing Protection
Secure Registration and Recovery
Password Reuse Prevention and Weak Password Avoidance
Cell-Phone Protection
ADVANTAGE VIDEO
REAL TIME APPLICATION
CONCLUSION
We proposed a user authentication protocol named oPass, which leverages cell phones and SMS to thwart password stealing and password reuse attacks.
Through oPass, each user only needs to remember a long-term password, which has been used to protect her cell phone.
Users are free from typing any passwords into untrusted computers for login on all websites. Therefore, oPass is acceptable and reliable for users.
REFERENCES
Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin, "oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks," IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, April 2012.
http://www.youtube.com/watch?v=E6NkWYzKcvw
http://www.youtube.com/watch?v=N40_4xeK49s