nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

Security Keys: Practical Cryptographic Second Factors for the Modern Web

verfasst von : Juan Lang, Alexei Czeskis, Dirk Balfanz, Marius Schilder, Sampath Srinivas

Erschienen in: Financial Cryptography and Data Security

Verlag: Springer Berlin Heidelberg

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

“Security Keys” are second-factor devices that protect users against phishing and man-in-the-middle attacks. Users carry a single device and can self-register it with any online service that supports the protocol. The devices are simple to implement and deploy, simple to use, privacy preserving, and secure against strong attackers. We have shipped support for Security Keys in the Chrome web browser and in Google’s online services. We show that Security Keys lead to both an increased level of security and user satisfaction by analyzing a two year deployment which began within Google and has extended to our consumer-facing web applications. The Security Key design has been standardized by the FIDO Alliance, an organization with more than 250 member companies spanning the industry. Currently, Security Keys have been deployed by Google, Dropbox, and GitHub. An updated and extended tech report is available at https://github.com/google/u2f-ref-code/docs/SecurityKeys_TechReport.pdf.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication

Nächstes Kapitel Include Me Out: In-Browser Detection of Malicious Third-Party Content Inclusions

This is just an example, the real bad.com may not be malicious.

This is just an example, the real bamk.com may not be malicious.

http://smile.amazon.com/s/ref=sr_kk_1?rh=k:u2f.

Fallows, J.: Hacked! The Atlantic. November 2011

Honan, M.: How Apple and Amazon Security Flaws Led to My Epic Hacking. http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/all/, Acces-sed 31 Dec 2014

Wikipedia: 2014 celebrity photo hack – wikipedia, the free encyclopedia. http://en.wikipedia.org/w/index.php?title=2014_celebrity_photo_hack&oldid=640287871, Accessed 31 Dec 2014

Bonneau, J.: The science of guessing: analyzing an anonymized corpus of 70 million passwords. In: 2012 IEEE Symposium on Security and Privacy. May 2012

Bonneau, J., Herley, C., van Oorschot, P.C., Stajano, F.: The quest to replace passwords: a framework for comparative evaluation of web authentication schemes. In: 2012 IEEE Symposium on Security and Privacy. May 2012

Herley, C., Oorschot, P.C., Patrick, A.S.: Passwords: if we’re so smart, why are we still using them? In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 230–237. Springer, Heidelberg (2009). doi:10.1007/978-3-642-03549-4_14 CrossRef

Google Inc: Google 2-Step Verification (2015). https://support.google.com/accounts/answer/180744

Bank of America: SafePass Online Banking Security Enhancements (2015). https://www.bankofamerica.com/privacy/online-mobile-banking-privacy/safepass.go

Railton, J.S., Kleemola, K.: London Calling: Two-Factor Authentication Phishing From Iran (2015). https://citizenlab.org/2015/08/iran_two_factor_phishing/

10.

Harbach, M., Fahl, S., Rieger, M., Smith, M.: On the acceptance of privacy-preserving authentication technology: the curious case of national identity cards. In: Cristofaro, E., Wright, M. (eds.) PETS 2013. LNCS, vol. 7981, pp. 245–264. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39077-7_13 CrossRef

11.

Unknown: Estonia takes the plunge: A national identity scheme goes global (2014). http://www.economist.com/news/international/21605923-national-identity-scheme-goes-global-estonia-takes-plunge

12.

Shah, N.: Strengthening 2-Step Verification with Security Key (2014). https://googleonlinesecurity.blogspot.com/2014/10/strengthening-2-step-verification-with.html

13.

Heim, P., Patel, J.: Introducing U2F support for secure authentication (2015). https://blogs.dropbox.com/dropbox/2015/08/u2f-security-keys/

14.

Toews, B.: GitHub supports Universal 2nd Factor authentication (2015). https://github.com/blog/2071-github-supports-universal-2nd-factor-authentication

15.

Fast IDentity Online (FIDO): (2015). https://fidoalliance.org/

16.

Biddle, R., Chiasson, S., Van Oorschot, P.: Graphical passwords: learning from the first twelve years. ACM Comput. Surv. 44(4), 19:1–19:41 (2012)CrossRefMATH

17.

Jain, A.K., Flynn, P., Ross, A.A.: Handbook of Biometrics, 1st edn. Springer, New York (2010)

18.

Parno, B., Kuo, C., Perrig, A.: Phoolproof phishing prevention. In: Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 1–19. Springer, Heidelberg (2006). doi:10.1007/11889663_1 CrossRef

19.

Toopher Inc.: Toopher - 2 Factor Authentication (2012). http://toopher.com

20.

Oracle: Java Card Technology (2014). http://www.oracle.com/technetwork/java/embedded/javacard/overview/index.html

21.

Dierks, T., Rescorla, E.: The Transport Layer Security (TLS) Protocol, Version 1.2. http://tools.ietf.org/html/rfc5246, August 2008

22.

Gaw, S., Felten, E.W.: Password management strategies for online accounts. In: Proceedings SOUPS 2006, pp. 44–55. ACM Press (2006)

23.

Fontana, J.: Stolen passwords re-used to attack Best Buy accounts (2012). http://www.zdnet.com/stolen-passwords-re-used-to-attack-best-buy-accounts-7000000741/

24.

Aircrack: Aircrack-ng Homepage (2015). http://www.aircrack-ng.org/doku.php

25.

Butler, E.: Firesheep (2010). http://codebutler.com/firesheep

26.

Ewen, M.: The NSA Files (2015). http://www.theguardian.com/us-news/the-nsa-files

27.

The Register: Microsoft Outlook PENETRATED by Chinese ‘man-in-the-middle’ (2015). http://www.theregister.co.uk/2015/01/19/microsoft_outlook_hit_by_mitm_attack_says_china_great_fire_org/

28.

Adkins, H.: An update on attempted man-in-the-middle attacks. http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html, August 2011

29.

Rizzo, J., Duong, T.: BEAST. http://vnhacker.blogspot.com/2011/09/beast.html, September 2011

30.

AlFardan, N.J., Paterson, K.G.: Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (2013). http://www.isg.rhul.ac.uk/tls/TLStiming.pdf

31.

Dietz, M., Czeskis, A., Balfanz, D., Wallach, D.S.: Origin-bound certificates: a fresh approach to strong client authentication for the web. In: Proceedings of the 21st USENIX Conference on Security Symposium. Security 2012, Berkeley, CA, USA, USENIX Association (2012). 16–16

32.

Popov, A., Balfanz, D., Nystroem, M., Langley, A.: The Token Binding Protocol Version 1.0 (2015). https://tools.ietf.org/html/draft-ietf-tokbind-protocol

33.

Nilsson, D.: Yubico’s Take On U2F Key Wrapping. https://www.yubico.com/2014/11/yubicos-u2f-key-wrapping/. Accessed 6 Jan 2016

34.

Barnes, R.: Intent to implement and ship: FIDO U2F API (2015). https://groups.google.com/forum/#!msg/mozilla.dev.platform/IVGEJnQW3Uo/Eu5tvyLmCgAJ

35.

Brickell, E., Camenisch, J., Chen, L.: Direct anonymous attestation. In: Proceedings of the 11th ACM Conference on Computer and Communications Security, CCS 2004, pp. 132–145. ACM, New York (2004)

36.

Brickell, E., Li, J.: Enhanced privacy ID: a direct anonymous attestation scheme with enhanced revocation capabilities. In: Proceedings of the 2007 ACM Workshop on Privacy in Electronic Society, WPES 2007, pp. 21–30. ACM, New York (2007)

37.

Bichsel, P., Camenisch, J., Groß, T., Shoup, V.: Anonymous credentials on a standard Java Card. In: Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 600–610. ACM (2009)

Titel: Security Keys: Practical Cryptographic Second Factors for the Modern Web
verfasst von: Juan Lang
Alexei Czeskis
Dirk Balfanz
Marius Schilder
Sampath Srinivas
Verlag: Springer Berlin Heidelberg
Buch: Financial Cryptography and Data Security
Print ISBN: 978-3-662-54969-8

Electronic ISBN: 978-3-662-54970-4

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-662-54970-4_25

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"