ZeTA-Zero-Trust Authentication: relying on innate human ability, not technology

Andreas Gutmann; Karen Renaud; Joseph Maguire; Peter Mayer; Melanie Volkamer; Kanta Matsuura; Jorn Muller-Quade

doi:10.1109/EuroSP.2016.35

ZeTA-Zero-Trust Authentication: relying on innate human ability, not technology

Andreas Gutmann^*, Karen Renaud, Joseph Maguire, Peter Mayer, Melanie Volkamer, Kanta Matsuura, Jorn Muller-Quade

^*Corresponding author for this work

SDI

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

Original language	English
Title of host publication	Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016
Place of Publication	Los Alamitos, CA
Publisher	IEEE Computer Society
Pages	357-371
Number of pages	15
ISBN (Electronic)	9781509017515
DOIs	https://doi.org/10.1109/EuroSP.2016.35
Publication status	Published - 9 May 2016
Event	1st IEEE European Symposium on Security and Privacy, EURO S and P 2016 - Saarbruecken, Germany Duration: 21 Mar 2016 → 24 Mar 2016

Conference

Conference	1st IEEE European Symposium on Security and Privacy, EURO S and P 2016
Country	Germany
City	Saarbruecken
Period	21/03/16 → 24/03/16

Fingerprint

Cite this

Gutmann, A., Renaud, K., Maguire, J., Mayer, P., Volkamer, M., Matsuura, K., & Muller-Quade, J. (2016). ZeTA-Zero-Trust Authentication: relying on innate human ability, not technology. In Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016 (pp. 357-371). [7467365] IEEE Computer Society. https://doi.org/10.1109/EuroSP.2016.35

@inproceedings{b3150d172b4649e78b451f36d39eac49,

title = "ZeTA-Zero-Trust Authentication: relying on innate human ability, not technology",

abstract = "Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.",

author = "Andreas Gutmann and Karen Renaud and Joseph Maguire and Peter Mayer and Melanie Volkamer and Kanta Matsuura and Jorn Muller-Quade",

year = "2016",

month = may

day = "9",

doi = "10.1109/EuroSP.2016.35",

language = "English",

pages = "357--371",

booktitle = "Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016",

publisher = "IEEE Computer Society",

address = "United States",

note = "1st IEEE European Symposium on Security and Privacy, EURO S and P 2016 ; Conference date: 21-03-2016 Through 24-03-2016",

}

Gutmann, A, Renaud, K, Maguire, J, Mayer, P, Volkamer, M, Matsuura, K & Muller-Quade, J 2016, ZeTA-Zero-Trust Authentication: relying on innate human ability, not technology. in Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016., 7467365, IEEE Computer Society, Los Alamitos, CA, pp. 357-371, 1st IEEE European Symposium on Security and Privacy, EURO S and P 2016, Saarbruecken, Germany, 21/03/16. https://doi.org/10.1109/EuroSP.2016.35

ZeTA-Zero-Trust Authentication : relying on innate human ability, not technology. / Gutmann, Andreas; Renaud, Karen; Maguire, Joseph; Mayer, Peter; Volkamer, Melanie; Matsuura, Kanta; Muller-Quade, Jorn.

Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016. Los Alamitos, CA : IEEE Computer Society, 2016. p. 357-371 7467365.

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - ZeTA-Zero-Trust Authentication

T2 - 1st IEEE European Symposium on Security and Privacy, EURO S and P 2016

AU - Gutmann, Andreas

AU - Renaud, Karen

AU - Maguire, Joseph

AU - Mayer, Peter

AU - Volkamer, Melanie

AU - Matsuura, Kanta

AU - Muller-Quade, Jorn

PY - 2016/5/9

Y1 - 2016/5/9

N2 - Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

AB - Reliable authentication requires the devices and channels involved in the process to be trustworthy, otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.

U2 - 10.1109/EuroSP.2016.35

DO - 10.1109/EuroSP.2016.35

M3 - Conference contribution

AN - SCOPUS:84978134365

SP - 357

EP - 371

BT - Proceedings of 2016 IEEE European Symposium on Security and Privacy, EURO S & P 2016

PB - IEEE Computer Society

CY - Los Alamitos, CA

Y2 - 21 March 2016 through 24 March 2016

ER -

Access to Document

10.1109/EuroSP.2016.35