Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zero-Interaction Authentication Mark Corner Brian Noble

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Zero-Interaction Authentication Mark Corner Brian Noble"— Presentation transcript:

1 Zero-Interaction Authentication Mark Corner Brian Noble http://mobility.eecs.umich.edu/

2 Major tertiary care center for Michigan FY 1999: 1.2M visits, $1B billable services Results in large data volume and costs 5-8 pieces of paper/patient visit all records in physical charts without (official) copying Obvious solution: electronic access to these records most patient records in a clinical data repository web-based front-end for easy access, CareWeb CareWeb is not as useful as you might imagine requires aggressive authentication physicians are notoriously jealous of their time end-user perception drives acceptance: they don’t! University of Michigan Medical Center

3 Disconnected CareWeb Experience with Coda suggested an obvious solution a laptop for every physician: disconnected CareWeb examine physician’s schedule for upcoming day prefetch records for each scheduled patient Demonstration for a number of UMHS staff members the physicians wanted it immediately the IT staff told us not to show it to any more physicians Real costs if patient data is improperly revealed HIPAA: $250K fines for disclosure/misuse of data Challenge: protect patient data without inconveniencing physicians

4 Solution: constant but invisible authentication ZIA: zero-interaction authentication constantly ask user “are you there?” have something other than user answer Watch as authentication token: “yes, I’m right here” worn by user for increased physical security enough computational power for small cryptographic tasks secure communication via short-range wireless network Design goals: protect laptop data from physical possession attacks preserve performance and usability give the user no reason to disable, work around

5 Outline Threat model Design how are files protected, shared? how do we improve performance? Implementation Evaluation what overhead does ZIA add? are optimizations useful? can ZIA be hidden from users? Related work Conclusion

6 Threat Model Attacker can exploit physical possession use cached credentials console-based attacks physical modification attacks (remove disk, probe memory) Attacker can exploit laptop-wireless link inspection, modification, insertion of messages Things we don’t consider network-based exploits (buffer overruns) jamming laptop-token link (DoS) replacing operating system untrustworthy users rubber hose cryptanalysis

7 Design guidelines Protect file system data all data on disk encrypted ensure user is present for each decryption Can’t contact token on every decryption adds (short) latency to (many) operations Take advantage of caching already used in file systems data on-disk: encrypted for safety data in cache: decrypted for performance token’s keys required for decrypting files Take advantage of fact that people move slowly only check “often enough” to notice user departure

8 Moving data from disk to cache Tokens cannot decrypt file contents directly small, battery-powered: limited computation connected to laptop via wireless link latency comparable to disk, bandwidth much less Instead, store file encrypting key on disk, itself encrypted key encrypting key never leaves token

9 Moving data from disk to cache Tokens cannot decrypt file contents directly small, battery-powered: limited computation connected to laptop via wireless link latency comparable to disk, bandwidth much less Instead, store file encrypting key on disk, itself encrypted key encrypting key never leaves token

10 Moving data from disk to cache Tokens cannot decrypt file contents directly small, battery-powered: limited computation connected to laptop via wireless link latency comparable to disk, bandwidth much less Instead, store file encrypting key on disk, itself encrypted key encrypting key never leaves token

11 Moving data from disk to cache Tokens cannot decrypt file contents directly small, battery-powered: limited computation connected to laptop via wireless link latency comparable to disk, bandwidth much less Instead, store file encrypting key on disk, itself encrypted key encrypting key never leaves token

12 Moving data from disk to cache Tokens cannot decrypt file contents directly small, battery-powered: limited computation connected to laptop via wireless link latency comparable to disk, bandwidth much less Instead, store file encrypting key on disk, itself encrypted key encrypting key never leaves token

13 Key-encrypting keys are capabilities File encrypted by some key, E E is on disk, encrypted with another key, O O is known only to authentication token may also choose to escrow O as a matter of policy Sharing accommodated by additional encrypted versions of E UNIX protection model: owner, group, and world E encrypted by owner key O, group key G each user’s token holds their O, and all applicable Gs members of same group share copies of G Can have per-machine world keys, too

14 Handle keys efficiently Key acquisition time can be expensive network round trip + processing time many milliseconds can’t add this to every disk operation! Two mechanisms mitigate this problem overlap key acquisition with disk operations cache decrypted keys, exploiting locality Neither mechanism helps with file creation is an asynchronous write: no overlap is a new file: no cached key observation: you don’t need any particular key prefetch a stash of “fresh” keys

15 Assign keys per directory What is the right granularity for file keys? small grain limits damage of key exposure large grain increases effectiveness of caching We chose per-directory keys to exploit access patterns files in same directory tend to be used together acquisition time amortized across a directory Directory keys stored in the directory they encrypt

16 Maintain performance, retain correctness Optimizations reduce laptop/token interactions but, still need to ask “are you there?” frequently! Add periodic polling exchange encrypted nonces: challenge/response once per second, because people are slow When user is away, protect file system data must be fast enough to foil theft When user returns, restore machine to pre-departure state user should see no performance penalty on return

17 Make protection fast and invisible Key question: what to do with cached data on departure? One alternative: flush on departure, read on arrival flush is fast: write dirty pages, bzero cache recovery is slow: read entire file cache from disk Instead, we encrypt on departure, decrypt on arrival protection is a bit slower, but fast enough recovery is much faster: no disk operations This retains current file cache behavior unused file blocks can be flushed when idle encrypted file blocks are treated identically

18 Implementation Implementation is split into two parts in-kernel file system support authentication system and token In-kernel support (Linux) provides cryptographic I/O manages keys polls for token Authentication system client running in user-space on the user’s laptop server running on token (Linux or WinCE) communicate via a secure channel

19 Implementation Implemented in-kernel as a stackable file system Uses FiST toolkit (Columbia) Rijndael used for encryption

20 Evaluation overview Several important questions what overhead does ZIA impose? how long does it take to secure the cache? how long does it take to restore the cache? Prototype System client system: IBM Thinkpad 570 token: Compaq iPAQ 3650 connected by 802.11 network in 1Mb/s mode

21 Evaluation: Andrew Benchmark Determine file system overhead Modified Andrew Benchmark copy and compile Apache source code 7.4 MB source only 9.7 MB source plus objects Compare ZIA against three file systems Ext2fs: file system “at the bottom” Base: null stacking layer implemented in FiST Cryptfs: FiST’s cryptographic file system (+Rijndael)

22 Modified Andrew Benchmark results File SystemTime, secOverhead (vs. Ext2fs) Ext2fs 52.63 (0.30) - Base 52.76 (0.22) 0.24% Cryptfs 57.52 (0.18) 9.28% ZIA 57.54 (0.20) 9.32% ZIA is indistinguishable from Cryptfs

23 Benefit of optimizations optimizations are critical Ext2fs52.63 (0.30)- ZIA57.54 (0.20)9.32% No prefetching No caching 232.04 (3.40)340.86% Turn off prefetching, caching to see how useful they are

24 Stress tests Andrew benchmark obligatory, but not necessarily good often measures the speed of your compiler Three benchmarks stress high-overhead operations 1) create many directories 2) scan those directories 3) bulk copy: 40MB Pine source

25 Creating directories Fresh key prefetching minimizes overhead File SystemTime, secOver Ext2fs Ext2fs9.67 (0.23)- Base9.66 (0.13)-0.15% Cryptfs9.88 (0.14)2.17% ZIA10.25 (0.09)5.9%

26 Reading directories Directory reads expose full key acquisition costs File SystemTime, secOver Ext2fs Ext2fs15.56 (1.25)- Base+15.72 (1.16)1.04% Cryptfs15.41 (1.07)-0.94% ZIA29.76 (3.33)91.24%

27 Copying large trees Bulk data costs dominated by cryptography and stacking overhead File SystemTime, secOver Ext2fs Ext2fs19.68 (0.28)- Base31.05 (0.68)57.78% Cryptfs42.81 (1.34)117.57% ZIA43.56 (1.13)121.38%

28 Time to secure/restore the file system All data must be encrypted when user leaves All data must be decrypted when user returns Benchmark: copy various trees into ZIA disable token, measure time to safety enable token, measure time to recovery

29 Time to protect/recover the file system recovery time (get keys, decrypt) protection time (encrypt)

30 Related work Many examples of cryptographic file systems CFS (Matt Blaze), Cryptfs (Erez Zadok), EFS (Win2k) all suffer from the problem of “implied consent” once you log in, the file system can forevermore decrypt Win2k asks you to authenticate more frequently inconvenient: anecdotally, it is often disabled Can use a smart card to hold keys (Blaze) rather than in-kernel smart card left in the machine: still has “implied consent” Some examples of hardware tokens for proximity detection Landwehr ’97, Ensure Technologies all advisory; tokens are not capabilities laptop capable of acting, could be forced to

31 Protecting Applications Underlying principle authentication is traditionally a persistent property what are the implications of making it transient? Protect applications (brute force) treat VM images like files encrypt paging space encrypt in-memory pages on departure, decrypt on return Expose to applications API for transient authentication services security-conscious applications manage their own state

32 Conclusions Your machine has the long-term authority to act as you Zero-Interaction Authentication user retains long-term authority to decrypt laptop holds only transient authority defends against physical possession attacks There is no reason to turn it off does not change user behavior does not noticeably impact performance Protects and restores machine quickly entire buffer cache within six seconds

33 Foil tailgaters How do I prevent my token from responding to your laptop? called the tailgater attack Leverage the login process users already are familiar with suppose bnoble logs into garcia.eecs garcia.eecs sends a challenge to bnoble’s token user gives response to the token could be simple (a tap) or complicated (one-time pass) token then bound: only bound tokens respond unless I bind my token to your laptop, you lose Provides assurance that this user means to use that laptop user plays the role of trusted third party in binding

34 Key acquisition costs Average cost of key acquisition: 13.9 ms similar to the average seek time of drives on 802.11 hardware Have not used a Bluetooth system yet

35 Possible Authentication Methods Several popular methods: Passwords: require typing, forgotten, written down Smart Cards swiped: swiped and never “unswiped” Smart Cards inserted: inserted and left Biometrics: suffer from a high false negative rate, bulky Token provides authentication without intervention Doctor must only be near terminal to authenticate Conforms to Doctor’s expectation: “It should just work.”

36 Vulnerability: File Systems Machines are distributed in physically insecure locations Disconnected operation caches sensitive files Theft of drives leads to data exposure Clear answer: Data Encryption Problem is where to store keys and how to authenticate users

37 Evaluation: Per-Operation Overhead (note: this is older data)

38 Why isn’t CareWeb the preferred choice? Tour of Internal Medicine department physicians still depend on physical charts there are no workstations in patient appointment rooms Why don’t they want an obvious improvement? physicians notoriously jealous of their time anything perceived as a waste of time is dismissed CareWeb requires aggressive reauthentication “Cost is not an issue. If we wanted them, they would be there tomorrow. I can’t waste time logging in.” – Tim Liang, Assoc. Chair Internal Medicine Perception of end-user costs drives acceptance

39 Moving data from disk to cache Tokens can only provide limited cryptography bandwidth much lower than disk Tokens cannot decrypt file contents directly store file encryption key on disk, itself encrypted key-encrypting keys stored only on token Send encrypted key to token, get decrypted result laptop-token channel protected by session encryption

Download ppt "Zero-Interaction Authentication Mark Corner Brian Noble"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.

Cobalt: Separating content distribution from authorization in distributed file systems Kaushik Veeraraghavan Andrew Myrick Jason Flinn University of Michigan.
CSE506: Operating Systems Disk Scheduling. CSE506: Operating Systems Key to Disk Performance Don’t access the disk – Whenever possible Cache contents.

CSE506: Operating Systems Disk Scheduling. CSE506: Operating Systems Key to Disk Performance Don’t access the disk – Whenever possible Cache contents.
Zero-Interaction Authentication April 15, 2003 Mark D.Corner, Brian D. Noble Presented by Seong Oun Hwang CS744 Special Topics in System Architecture:

Zero-Interaction Authentication April 15, 2003 Mark D.Corner, Brian D. Noble Presented by Seong Oun Hwang CS744 Special Topics in System Architecture:
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.

Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
1 Cheriton School of Computer Science 2 Department of Computer Science RemusDB: Transparent High Availability for Database Systems Umar Farooq Minhas 1,

1 Cheriton School of Computer Science 2 Department of Computer Science RemusDB: Transparent High Availability for Database Systems Umar Farooq Minhas 1,
Grid Security. Typical Grid Scenario Users Resources.

Grid Security. Typical Grid Scenario Users Resources.
Protecting Applications with Transient Authentication Mark Corner and Brian Noble University of Michigan - EECS Department

Protecting Applications with Transient Authentication Mark Corner and Brian Noble University of Michigan - EECS Department
15-446 Networked Systems Practicum Lecture 12 – Privacy 1.

Networked Systems Practicum Lecture 12 – Privacy 1.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.

Active Messages: a Mechanism for Integrated Communication and Computation von Eicken et. al. Brian Kazian CS258 Spring 2008.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
Wide-area cooperative storage with CFS

Wide-area cooperative storage with CFS
Secure File Storage Nathanael Paul CRyptography Applications Bistro March 25, 2004.

Secure File Storage Nathanael Paul CRyptography Applications Bistro March 25, 2004.
OWASP Mobile Top 10 Why They Matter and What We Can Do

OWASP Mobile Top 10 Why They Matter and What We Can Do

Similar presentations

Ads by Google