Advertisement

The OffPAD: Requirements and Usage

  • Kent Are Varmedal
  • Henning Klevjer
  • Joakim Hovlandsvåg
  • Audun Jøsang
  • Johann Vincent
  • Laurent Miralabé
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7873)

Abstract

Strong authentication for online service access typically requires some kind of hardware device for generating dynamic access credentials that are often used in combination with static passwords. This practice have the side effect that users fill up their pockets with more and more devices and their heads with more and more passwords. This situation becomes increasinlgy difficult to manage which in turn degrades the usability of online services. In order to cope with this situation users often adopt insecure ad hoc practices that enable them to practically manage their different identities and credentials. This paper explores how one single device can be used for authentication of user to service providers and server to users, as well as provide a range of other security services.

Keywords

Smart Phone Security Service Online Service Domain Name System Secure Element 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. 1.
    Alzomai, M., Alfayyadh, B., Jøsang, A.: Display Security for Online Transactions. In: The 5th International Conference for Internet Technology and Secured Transactions, ICITST 2010 (2010)Google Scholar
  2. 2.
    Arends, R., et al.: Protocol Modifications for the DNS Security Extensions. RFC 4035 (Proposed Standard). Updated by RFCs 4470, 6014. Internet Engineering Task Force (March 2005), http://www.ietf.org/rfc/rfc4035.txt
  3. 3.
    Arends, R., et al.: Resource Records for the DNS Security Extensions. RFC 4034 (Proposed Standard). Updated by RFCs 4470, 6014. Internet Engineering Task Force (March 2005), http://www.ietf.org/rfc/rfc4034.txt
  4. 4.
    Baker, N.: ZigBee and Bluetooth strengths and weaknesses for industrial applications. Computing Control Engineering Journal 16(2), 20–25 (2005)CrossRefGoogle Scholar
  5. 5.
    Diffie, W., Hellman, M.: New directions in cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)MathSciNetzbMATHCrossRefGoogle Scholar
  6. 6.
    Ferdous, M.S., Jøsang, A., Singh, K., Borgaonkar, R.: Security Usability of Petname Systems. In: Jøsang, A., Maseng, T., Knapskog, S.J. (eds.) NordSec 2009. LNCS, vol. 5838, pp. 44–59. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  7. 7.
    Ferdous, M.S., Jøsang, A.: Entity Authentication & Trust Validation in PKI using Petname Systems. In: Elçi, A., et al. (eds.) Theory and Practice of Cryptography Solutions for Secure Information Systems (CRYPSIS). IGI Global (2013) ISBN: 9781466640306Google Scholar
  8. 8.
    Franks, J., et al.: HTTP Authentication: Basic and Digest Access Authentication. RFC 2617 (Draft Standard). Internet Engineering Task Force (June 1999), http://www.ietf.org/rfc/rfc2617.txt
  9. 9.
    Hoffman, P., Schlyter, J.: The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698 Proposed Standard. Internet Engineering Task Force (August 2012), http://www.ietf.org/rfc/rfc6698.txt
  10. 10.
    Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange. Norm (2005), http://www.iso.org/iso/iso_catalogue_catalogue_tc/catalogue_detail.htm?csnumber=36134 (visited on April 01, 2013)
  11. 11.
    ISO. Information technology – Telecommunications and information exchange between systems – Near Field Communication – Interface and Protocol (NFCIP-1). ISO 18092. International Organization for Standardization, Geneva, Switzerland (2004)Google Scholar
  12. 12.
    Jøsang, A., et al.: Service provider authentication assurance. In: 2012 Tenth Annual International Conference on Privacy, Security and Trust (PST), pp. 203–210 (2012)Google Scholar
  13. 13.
    Jøsang, A.: Trust Extortion on the Internet. In: Meadows, C., Fernandez-Gago, C. (eds.) STM 2011. LNCS, vol. 7170, pp. 6–21. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  14. 14.
    Jøsang, A., Pope, S.: User Centric Identity Management. In: AusCERT Conference 2005 (2005)Google Scholar
  15. 15.
    Inc. Juniper Networks. Juniper Mobile Threat Report 2011. Tech. rep. Juniper Networks, Inc. (2011)Google Scholar
  16. 16.
    Klevjer, H., Varmedal, K.A., Jøsang, A.: Extended HTTP Digest Access Authentication. In: Fischer-Hübner, S., de Leeuw, E., Mitchell, C. (eds.) IDMAN 2013. IFIP AICT, vol. 396, pp. 83–96. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  17. 17.
    Laurie, B., Singer, A.: Choose the red pill and the blue pill: a position paper. In: Proceedings of the 2008 Workshop on New Security Paradigms, pp. 127–133. ACM (2009)Google Scholar
  18. 18.
    Jøsang, A., AlZomai, M., AlFayyadh, B., McCullagh, A.: An Experimental Investigation of the Usability of Transaction Authorization in Online Bank Security Systems. In: Proceedings of the Australasian Information Security Conference (AISC 2008), vol. 81, Wollongong, Australia (2008)Google Scholar
  19. 19.
    M’Raihi, D., et al.: HOTP: An HMAC-Based One-Time Password Algorithm. RFC 4226 (Informational). Internet Engineering Task Force (December 2005), http://www.ietf.org/rfc/rfc4226.txt
  20. 20.
    M’Raihi, D., et al.: TOTP: Time-Based One-Time Password Algorithm. RFC 6238 (Informational). Internet Engineering Task Force (May 2011), http://www.ietf.org/rfc/rfc6238.txt
  21. 21.
    Stajano, F.: Pico: No More Passwords! In: Christianson, B., Crispo, B., Malcolm, J., Stajano, F. (eds.) Security Protocols 2011. LNCS, vol. 7114, pp. 49–81. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  22. 22.
    Stiegler, M.: An Introduction to Petname Systems (2005), http://www.skyhunter.com/marcs/petnames/IntroPetNames.html (visited on December 04, 2012)
  23. 23.
    TazTag. Mobility Products, http://taztag.com/index.php?option=com_content&view=article&id=104 (visited on November 20, 2012)

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Kent Are Varmedal
    • 1
  • Henning Klevjer
    • 1
  • Joakim Hovlandsvåg
    • 1
  • Audun Jøsang
    • 1
  • Johann Vincent
    • 2
  • Laurent Miralabé
    • 3
  1. 1.Department of InformaticsUniversity of OsloNorway
  2. 2.GREYCENSICAENCaenFrance
  3. 3.TazTagBruzFrance

Personalised recommendations