Using Covert Communication to Enhance Security Presented By: Mohammed Almeshekah September 7th, 2013 1 Saturday, September 7, 13
May 10, 2015
Using Covert Communication to Enhance Security
Presented By:Mohammed Almeshekah
September 7th, 2013
1Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Motivations
2Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
MotivationsTraditional security focuses on preventive techniques.
However, vulnerabilities always exist!
We mainly focus on the aftermath.
Can we be preemptive in security?
Adversaries view of the attack result in binary.
Can we change that?
There are no risks on the attacking side to probe a system with particular exploits.
2Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Authentication and Phishing Challenge
Servers traditionally provide “all-or-nothing” access.
If someone gets your username/password, your done.
Adversaries can try all the credentials to see which “works”.
When user account is compromised we know when the user complains
3Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Can we do better?
Username/passwords not always work (at least not for everything).
Phishers can get in, but not to the real accounts.
Know that the user’s account is compromise the moment attackers try to login.
4Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Preliminary SolutionBased on password-based authentication.
Goals:
Same interfaces.
Simple for users to remember.
Alleviate the damage of password compromise.
The user needs to choose one word from a dictionary of words.
No randomness requirement!
5Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Preliminary Solution - cont.User enters her normal username and password.
Following the password the user enters a space and either:
His choice of word --> Normal login from trusted machine/network.
Any other word from the dictionary --> Whenever there is doubt.
Username :
Password :Alice
pass<sp>wi
6Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Beyond Passwords
Biometrics - e.g., the choice of which finger to use, the angle, and the pressure can be used to express some information.
Multi-factor authentication:
Two-factor and active man-in-the-middle attacks.
The multiplicity of factors provides a new communication channel.
7Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Stored Credentials Challenges
In password DBs leakage, all what the adversary need is to crack it.
The retrieved credentials work by definition.
Such incident are not easily detected.
8Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Can we do better?
A solution presented by Jules and Rivest.
Add (N-1) saved credentials to the DB.
The adversary has to crack (N) instead of (1).
(N-1) of them are beaconing credentials to alert system admins that DB has been cracked whenever used.
9Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Final Remarks
Interesting applications.
Creating doubts and risk at the adversary side.
The grand vision of authentication.
Risk analysis and economics.
10Saturday, September 7, 13
Students Knowledge Exchange Using Covert Communication to Enhance Systems Security and User Authentication Sept 7th, 2013
Acknowledgment & ReferencesAcknowledgment:
This work was done in collaboration with Prof. Mikhail Atallah and Prof. Eugene Spafford.
Thanks to Prof. Marina Blanton and the NSF.
Portions of this work were supported by National Science Foundation Grants, Science and Technology Center, King Saud University, Qatar National Research, and by sponsors of CERIAS.
References:
M. Almeshekah, M. Atallah, and E. Spafford, “Covert channels can be useful! - layering authentica- tion channels to provide covert communication,” in Security Protocols XXI (B. Christianson, J. Malcolm, F. Stajano, and J. Anderson, eds.), vol. 8263 of Lecture Notes in Computer Science, Springer Berlin Heidelberg, 2013.
Ari Juels and Ronald L. Rivest, “Honeywords: Making Password-Cracking Detectable”.
11Saturday, September 7, 13
Questions?Mohammed Almeshekah
email: [email protected]: @meshekah
presentation:
12Saturday, September 7, 13