Abstract
Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.
| Original language | English |
|---|---|
| Title of host publication | Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016 |
| Place of Publication | Los Alamitos, CA |
| Publisher | IEEE Computer Society |
| Pages | 357-371 |
| Number of pages | 15 |
| ISBN (Electronic) | 9781509017515 |
| DOIs | |
| Publication status | Published - 9 May 2016 |
| Event | 1st IEEE European Symposium on Security and Privacy, EURO S and P 2016 - Saarbruecken, Germany Duration: 21 Mar 2016 → 24 Mar 2016 |
Conference
| Conference | 1st IEEE European Symposium on Security and Privacy, EURO S and P 2016 |
|---|---|
| Country | Germany |
| City | Saarbruecken |
| Period | 21/03/16 → 24/03/16 |
Fingerprint
Cite this
}
ZeTA-Zero-Trust Authentication : relying on innate human ability, not technology. / Gutmann, Andreas; Renaud, Karen; Maguire, Joseph; Mayer, Peter; Volkamer, Melanie; Matsuura, Kanta; Muller-Quade, Jorn.
Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016. Los Alamitos, CA : IEEE Computer Society, 2016. p. 357-371 7467365.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
TY - GEN
T1 - ZeTA-Zero-Trust Authentication
T2 - relying on innate human ability, not technology
AU - Gutmann, Andreas
AU - Renaud, Karen
AU - Maguire, Joseph
AU - Mayer, Peter
AU - Volkamer, Melanie
AU - Matsuura, Kanta
AU - Muller-Quade, Jorn
PY - 2016/5/9
Y1 - 2016/5/9
N2 - Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.
AB - Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.
U2 - 10.1109/EuroSP.2016.35
DO - 10.1109/EuroSP.2016.35
M3 - Conference contribution
SP - 357
EP - 371
BT - Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016
PB - IEEE Computer Society
CY - Los Alamitos, CA
ER -