Second Sign-in (PowerPoint presentation transcript, posted 02-Jan-2016)

Page:1

Second Sign-in

Speaker: Eddie Lin 林志忠
Supervisor: Hsing Mei

Date: 2008/09/05

Web Computing Laboratory, Computer Science and Information Engineering Department

Fu Jen Catholic University

Page:2

Outline

• Motivation
• Introduction
• Background
• Future work
• Reference

Page:4

Is an ID and password enough?

• The ways an attacker gets your ID and password (figure: Client — Middle — Server path, with the attack points marked along it):

• Trojan horse
• Phishing site
• Sniffer
• Brute-force guessing
• Other password leaks

Page:5

Why do people want these things?

• Because of your ID and password.

If you lose your ID and password, you will:
– lose your money
– lose your credit
– lose your friends
– lose everything you do on the Internet

Page:6

So what can we do about a lost password?

Is there nothing we can do? Just wait for it to happen?

It should not happen. We have a responsibility to protect people's data.

Page:7

Outline (section divider; same list as slide 2)

Page:8

Sign-in

• Sign in to Google [1]

Fig 1: the sign-in page. Fig 2: after one wrong sign-in.

Page:9

Sign-in

• Sign in to Yahoo [2]

Fig 1: the sign-in page. Fig 2: after 5 wrong sign-ins.

Page:10

Sign in

• Sign in to Pchome [3]

Fig 1: the message shown on a wrong sign-in.

Fig 2: after 3 wrong sign-ins.
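Throttling of the kind the Google, Yahoo and Pchome slides show, written out as an added example (it is not any of those sites' code): after an assumed number of wrong attempts the site demands an extra challenge before it will check another password, and after more it locks the account for a while. The thresholds, the in-memory store and the class and function names are assumptions.

```python
"""Per-account failed sign-in throttling (added example; thresholds assumed)."""
import hashlib
import hmac
import os
import secrets
import time
from typing import Callable, Dict, Tuple

CHALLENGE_AFTER = 3      # assumed, like Pchome's "3 times wrong"; Google showed 1, Yahoo 5
LOCK_AFTER = 5           # assumed
LOCK_SECONDS = 15 * 60   # assumed


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so a leaked table cannot be reversed cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginThrottle:
    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._users: Dict[str, Tuple[bytes, bytes]] = {}   # user -> (salt, hash)
        self._fails: Dict[str, Tuple[int, float]] = {}     # user -> (count, last failure time)
        # A dummy credential so unknown user names take the same code path
        # (and the same time) as real ones; otherwise names can be enumerated.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password(secrets.token_hex(16), self._dummy_salt)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt))

    def attempt(self, user: str, password: str, challenge_passed: bool = False) -> str:
        """One sign-in attempt. Returns 'ok', 'wrong', 'challenge_required' or 'locked'."""
        now = self._clock()
        count, last = self._fails.get(user, (0, 0.0))
        if count >= LOCK_AFTER:
            if now - last < LOCK_SECONDS:
                return "locked"
            count = 0   # lock expired: start counting afresh
        if count >= CHALLENGE_AFTER and not challenge_passed:
            # The password is deliberately NOT checked here, so a guesser learns
            # nothing from further tries until the challenge is solved.
            return "challenge_required"
        salt, stored = self._users.get(user, (self._dummy_salt, self._dummy_hash))
        if hmac.compare_digest(hash_password(password, salt), stored) and user in self._users:
            self._fails.pop(user, None)   # success resets the counter
            return "ok"
        count += 1
        self._fails[user] = (count, now)
        return "locked" if count >= LOCK_AFTER else "wrong"
```

The counter here is per account; a site would also keep one per source IP, because spreading guesses across many accounts from one address (the brute-force case on slide 4) is otherwise not slowed at all. The constant-time comparison and the dummy hash for unknown names keep the response from revealing which user names exist.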

Page:11

Sign in

Sign in to JP (JPMorgan Fleming) [4], which uses a virtual keyboard.

Page:12

Sign in

Sign in to Chinatrust [5], which uses three fields to sign in.

Page:13

So far

What do we see on these sites?

Only one step for sign-in.

Page:14

The second sign-in process (flowchart)

Account registration and settings
→ Choose a second sign-in method
→ Sign in
→ Success? yes → Legitimate source? yes → Enter the site
                                    no  → Second sign-in → Success? yes → Store the related data

Page:15

Outline (section divider; same list as slide 2)

Page:16

Basic security of the sign-in process

(The second sign-in flowchart again: account registration and settings → choose second sign-in → sign in → success? → legitimate source? → enter the site, otherwise second sign-in → success? → store the related data. This slide covers the sign-in step itself.)

Page:17

Current tools

• SSL (HTTPS)
• Challenge-response
• One-Time Password
• IC card

Page:18

The legitimate-source check in the sign-in process

(The second sign-in flowchart again; this slide covers the "legitimate source?" decision.)

Page:19

Resource

What kind of data can we get?

Data about a request (the original slide marks each item as held on the client or on the server):

• Cookie
• Browser type
• OS type
• Session
• Time
• IP
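The flowchart of slide 14 turned into code, as an added example that is not from the presentation: the "legitimate source?" decision is made from the request data listed above (cookie, browser type, OS type, IP), and the second sign-in is an HMAC-based one-time password (HOTP, RFC 4226), which is the challenge-response / one-time-password tool from the "Current tools" slide. All names, the device-cookie mechanism, the matching rule and the look-ahead window are assumptions.

```python
"""Second sign-in flow with a source check and an HOTP second step (added example)."""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Request:                      # constructed request record (assumed shape)
    user: str
    password: str
    ip: str
    browser: str
    os: str
    device_cookie: Optional[str] = None   # set once a second sign-in has succeeded
    otp: Optional[str] = None             # the second sign-in value, when asked for


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    otp_secret: bytes
    otp_counter: int = 0
    # "stored related data": cookie -> (browser, os, ip) seen at the second sign-in
    known_devices: Dict[str, Tuple[str, str, str]] = field(default_factory=dict)


class SecondSignIn:
    OTP_WINDOW = 5   # assumed: how far the token's counter may run ahead of the server's

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, password: str) -> bytes:
        """Account setup; returns the OTP secret to be loaded into the user's token."""
        salt, secret = os.urandom(16), os.urandom(20)
        self.accounts[user] = Account(salt, _hash(password, salt), secret)
        return secret

    def _legitimate_source(self, acct: Account, req: Request) -> bool:
        # Legitimate only if the request carries a cookie stored after an earlier
        # second sign-in AND browser, OS and IP still match what was stored.
        if req.device_cookie is None:
            return False
        return acct.known_devices.get(req.device_cookie) == (req.browser, req.os, req.ip)

    def _second_sign_in(self, acct: Account, otp: str) -> bool:
        for c in range(acct.otp_counter, acct.otp_counter + self.OTP_WINDOW):
            if hmac.compare_digest(hotp(acct.otp_secret, c), otp):
                acct.otp_counter = c + 1   # this and every earlier code is now dead
                return True
        return False

    def sign_in(self, req: Request) -> Tuple[str, Optional[str]]:
        """Returns (outcome, device cookie). Outcomes: 'wrong_password',
        'second_sign_in_required', 'second_sign_in_failed', 'entered'."""
        acct = self.accounts.get(req.user)
        if acct is None or not hmac.compare_digest(_hash(req.password, acct.salt), acct.pw_hash):
            return "wrong_password", None            # "Success?" -> no
        if self._legitimate_source(acct, req):
            return "entered", req.device_cookie      # "Legitimate source?" -> yes
        if req.otp is None:
            return "second_sign_in_required", None   # ask for the second sign-in
        if not self._second_sign_in(acct, req.otp):
            return "second_sign_in_failed", None
        cookie = os.urandom(16).hex()                # "Store related data"
        acct.known_devices[cookie] = (req.browser, req.os, req.ip)
        return "entered", cookie
```

Any change in browser, OS or IP, or a missing cookie, forces the second sign-in again, after which the new source is stored. The HOTP check accepts a code up to OTP_WINDOW counters ahead (the token may have been pressed without signing in) but moves the server counter past any accepted code, so a code captured by the sniffer of slide 4 cannot be replayed. An unknown user name gets the same outcome as a wrong password.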

Page:20

Biometrics in the sign-in process

(The second sign-in flowchart again; this slide covers the second sign-in step.)

Page:21

We need to do

– Provide a second-step sign-in.
– It needs to be easy to use.
– It must not change current user habits too much.
– The tool must be easy to obtain.
– It needs to capture some biometrics.

Page:22

Example: handwriting devices

• Mouse
• Keyboard
• Touch panel
• Touch screen
• Writing board?

Page:23

The hacker in the sign-in process

(The second sign-in flowchart again, with the attacker's position marked "HACKER HERE".)

Page:24

Outline (section divider; same list as slide 2)

Page:25

Future work

• Study more of the biometrics literature.
• Find related work.

Page:26

Outline (section divider; same list as slide 2)

Page:27

• [1] https://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&bsv=1k96igf4806cy&ltmpl=default&ltmplcache=2&hl=zh-TW, Google's sign-in page

• [2] https://login.yahoo.com/config/login?.intl=tw&.src=ym&.done=https://tw.login.yahoo.com/cgi-bin/kcookie.cgi/mail/http%3a//edit.tpe.yahoo.com/config/mail%3f.intl=tw, Yahoo!'s sign-in page

• [3] http://shopping.pchome.com.tw/?m=myaccount&c=order, Pchome online shopping sign-in

• [4] http://www.jpmrich.com.tw/cgi-bin/jfonline/home/guest_home.jsp, JPMorgan Fleming (摩根富明林) sign-in page

• [5] https://www.chinatrust.com.tw/cgi-bin/prod/jsp/ch/home/default.jsp, Chinatrust (中國信託) sign-in page

Page:28

• [6] Ben Adida, "SessionLock: Securing Web Sessions against Eavesdropping", WWW 2008, Refereed Track: Security and Privacy – Web Client Security, April 21–25, 2008, Beijing, China

• [7] 詹焯然, "The Study of Biometrics for Digital Handwriting" (Tunghai University, Graduate Institute of Computer Science and Engineering, 私立東海大學, 2006)
