
A mobile single sign-on system

Presentation Transcript


  1. A mobile single sign-on system Master thesis 2006 Mats Byfuglien

  2. Outline
     Problem description
     Project description
     Research questions
     Methods
     Related work
     The prototype
     Results
     Further work
     Conclusion

  3. Problem description
     Most users today have a large number of passwords to manage
     This often results in:
       The passwords are written down
       Easily guessable passwords are used
       One password used on multiple accounts
     This reduces the security passwords provide
     Secure passwords are still a good authentication mechanism
     SSO proposed as a way to improve password security

  4. Project description
     Today there are no mobile SSO solutions on the market supporting automated sign-ins.
     Develop a functional prototype of a mobile SSO system that handles passwords and supports automatic sign in.
       A mobile phone with a Java MIDlet handles the management of usernames and passwords
       Bluetooth/USB unit connected to the PC
     Conduct a user test
     Security analysis to find what security measures should be implemented

  5. Research questions
     1. What types of single sign-on solutions are available?
     2. How secure is the Bluetooth protocol for transferring sensitive data?
     3. Is it possible to implement the proposed single sign-on concept?
     4. What security mechanisms need to be in place to assure the security of this system?
     5. How will this SSO concept be received by the users?
     6. Will this SSO concept increase the users' security level?

  6. Methods
     Literature study
     Technical feasibility study
     Develop the prototype
     User test
       Scenario
       Survey
       Interview
     Security analysis
       Adversary modeling

  7. Other SSO solutions
     A taxonomy lists 4 main categories:
       Local pseudo SSO
         The SSO component is on the user's computer
       Proxy based pseudo SSO
         The user authenticates once to the proxy and the proxy handles authentication to the services
         Does not require any changes to the authentication systems
       True SSO
         The user authenticates to the Authentication Service Provider (ASP) once
         True SSO solutions are expensive and difficult to configure correctly
         All systems must support the SSO solution
         Local true SSO: trusted component
         Proxy based true SSO: Kerberos

  8. The prototype

  9. Adversary modeling

  10. Results from the security analysis
      Four main issues were discovered:
        Secure the Bluetooth channel
          Secure protocol on top of the Bluetooth protocol
        Properly authenticate the devices
          Digital certificates
        Protect data stored on the mobile phone
          Encryption
          Split data on two devices
        Confirm the integrity of software packages
          Digitally sign the packages
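
The "split data on two devices" measure above, as an added Python example that is not part of the thesis or its prototype: a 2-of-2 XOR split of a stored credential between the phone and the Bluetooth/USB unit, with a PIN-derived HMAC so that one device alone reveals nothing and a tampered share or wrong PIN is detected on reconstruction. The PBKDF2 round count, salt length and record layout are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this illustration (not taken from the thesis).
PBKDF2_ROUNDS = 200_000
SALT_LEN = 16


def _mac_key(pin: str, salt: bytes) -> bytes:
    """Derive an integrity key from the user's PIN; only the salt is stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def split_credential(secret: bytes, pin: str) -> tuple[dict, dict]:
    """Split `secret` into two shares: one kept on the phone, one on the
    Bluetooth/USB unit. The phone share is uniformly random, so either share
    on its own is independent of the secret (one-time-pad style 2-of-2 split)."""
    salt = secrets.token_bytes(SALT_LEN)
    share_phone = secrets.token_bytes(len(secret))
    share_unit = bytes(a ^ b for a, b in zip(secret, share_phone))
    # Tag over the plaintext credential, keyed by the PIN: a swapped or
    # modified share on either device makes reconstruction fail closed.
    tag = hmac.new(_mac_key(pin, salt), secret, "sha256").digest()
    phone_record = {"share": share_phone, "salt": salt, "tag": tag}
    unit_record = {"share": share_unit}
    return phone_record, unit_record


def reconstruct_credential(phone: dict, unit: dict, pin: str) -> bytes:
    """Recombine both shares and verify the PIN-keyed tag.
    Raises ValueError if a share was altered or the PIN is wrong."""
    if len(phone["share"]) != len(unit["share"]):
        raise ValueError("share length mismatch")
    secret = bytes(a ^ b for a, b in zip(phone["share"], unit["share"]))
    expected = hmac.new(_mac_key(pin, phone["salt"]), secret, "sha256").digest()
    # Constant-time comparison so the check itself does not leak the tag.
    if not hmac.compare_digest(expected, phone["tag"]):
        raise ValueError("integrity check failed: tampered share or wrong PIN")
    return secret
```

Because the split is 2-of-2, losing either device loses the credential, which is why the backup solution every test user asked for is not optional in such a design.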

  11. Results from the user test
      28 users participated
      26 rated the system above average
      19 would like to use the system daily; 7 did not have an opinion, 2 would not use it
      24 believe the system will improve their password management
      Everyone wanted a backup solution

  12. Further work
      Implement the proposed security measures
      Port the code to a smaller device
      Implement a backup solution
      Conduct a detailed security analysis when the security measures are implemented
      Conduct a large scale user test
        Allow users to test the system over time
        Include a larger number of participants

  13. Conclusion
      It is possible to implement the SSO concept
      The system was well received by the users
      The system will not provide better security than other SSO solutions
      Mobility and easy-to-use functionality (no software or drivers needed) make the system stand out
      The solution might appeal to a different group than other SSO solutions
      Will increase the security level of users who manage passwords manually
        Enables the user to use more secure passwords

  14. Questions?
