Article 1 - 220731 - 085226 PDF
Article #1:
Notes
1. Problem:
Password theft continues to be a significant issue, due in large part to the large attack
surface for passwords, which spans the operating system (e.g., keyloggers), the
application (e.g., phishing websites in browsers), transmission (e.g., TLS
man-in-the-middle proxies), and the password verification service (e.g., theft of
passwords stored at a server).
2. Past Approaches (PA):
- Passwords are still dominant because of the combination of security, deployability, and
usability that has been difficult to match.
- People are easily tricked into entering their credentials into phishing applications (e.g.,
phishing websites).
- It is very easy to steal passwords in flight, especially when users struggle to identify
when a secure session will be used to transmit their password.
- Passwords are frequently stolen from storage, and most of the recent large
password database leaks did not properly salt and hash the passwords.
- There have been many attempts in the research literature to improve password-based
authentication—e.g., strong password protocols, password creation policies,
phishing-resistant interfaces, advice to administrators.
- Using strong password protocols to further secure users’ passwords.
- Functionality in the operating system can be hardened using operating-system
primitives.
- Distinguish between a legitimate and a malicious password entry interface.
- A Safe and Practical Environment for Security Applications, e.g., key logging,
microphone, camera.
- Principles of user-centered design.
- Usable security.
3. Critique/Response to PA:
Despite the persistence and popularity of passwords, there are serious threats that
plague current password-based authentication at every level.
The use of strong password protocols obviates the need to trust the communication
channel, rendering any communication-level attacks ineffectual.
By centralizing all password entry into the operating system, there will be a single
interface for all password entry. By definition, any other password-entry interface will
become a phishing interface.
The threat model for all existing password-based authentication research includes the
host environment as part of the trusted computing base.
As the operating system will be responsible for the creation and entry of all passwords,
it can help users create passwords in a consistent manner.
The operating system can detect insecure passwords when they are entered and notify
the user of the result.
4. Authors Approach:
A new end-to-end password paradigm that transfers password functionality to two
endpoints, the operating system (entry, management, storage, and verification) and the
password verification service (verification, and verification token storage).
5. Method:
To address these problems, we propose a new end-to-end password paradigm that
transfers password functionality to two endpoints, the operating system (entry,
management, storage, and verification) and the password verification service
(verification, and verification token storage).
In this paradigm, passwords are never shared with applications or transmitted over the
network, but are instead verified using zero-knowledge protocols.
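The paper does not name a specific zero-knowledge protocol, so as an added illustration (not code from the paper or from these notes) here is a small SRP-6a exchange, one well-known strong password protocol, showing the two endpoints of the method: the operating system holds the password, the verification service stores only a salt and a verifier (its "verification token"), and the password never crosses the network. Group parameters are the 1024-bit group from RFC 5054; the user name and password in the test are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Group parameters: the 1024-bit prime and generator from RFC 5054, Appendix A.
N = int("EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C"
        "9C256576D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE4"
        "8E495C1D6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D4982559B29"
        "7BCF1885C529F566660E57EC68EDBC3C05726CC02FD4CBF4976EAA9A"
        "FD5138FE8376435B9FC61D2FC0EB06E3", 16)
g = 2
NLEN = (N.bit_length() + 7) // 8

def pad(x: int) -> bytes:
    return x.to_bytes(NLEN, "big")

def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")

k = H(pad(N), pad(g))  # SRP-6a multiplier
def private_x(salt: bytes, user: str, password: str) -> int:
    return H(salt, hashlib.sha256(f"{user}:{password}".encode()).digest())

def enroll(user: str, password: str):
    """OS side, at account creation: the service receives only (salt, verifier), never the password."""
    salt = secrets.token_bytes(16)
    return salt, pow(g, private_x(salt, user, password), N)

def authenticate(user: str, typed: str, salt: bytes, v: int):
    """One SRP-6a login. Returns (accepted, wire); wire lists every value that crosses the network."""
    a = secrets.randbelow(N - 1) + 1             # OS: ephemeral secret
    A = pow(g, a, N)
    if A % N == 0:                               # service must reject a degenerate A
        return False, []
    b = secrets.randbelow(N - 1) + 1             # service: ephemeral secret
    B = (k * v + pow(g, b, N)) % N
    if B % N == 0:                               # OS must reject a degenerate B
        return False, []
    u = H(pad(A), pad(B))
    # OS side: the shared secret is derived from the typed password, which stays local.
    x = private_x(salt, user, typed)
    S_os = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    # Service side: the same secret is derived from the stored verifier alone.
    S_srv = pow((A * pow(v, u, N)) % N, b, N)
    K_os = hashlib.sha256(pad(S_os)).digest()
    K_srv = hashlib.sha256(pad(S_srv)).digest()
    M1 = hashlib.sha256(pad(A) + pad(B) + K_os).digest()      # OS proves it holds K
    expected = hashlib.sha256(pad(A) + pad(B) + K_srv).digest()
    return hmac.compare_digest(M1, expected), [pad(A), salt, pad(B), M1]
```

A stolen (salt, verifier) pair does not let an attacker log in as the user, though it still permits offline guessing against weak passwords, which is why the paradigm pairs the protocol with OS-enforced password policies.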
6. Results (R):
- Reduced attack surface.
- Protection from password phishing.
- Protection from malware.
- Consistent password policies.
- Rapid diffusion of improvements to password-based authentication.
7. Conclusions drawn from R:
The benefits of this paradigm are five-fold. First, it significantly
reduces the attack surface for password-based authentication. Second,
it has the potential to finally make a significant impact on
password phishing. Third, it offers protection from a compromised
host, which is outside the threat model of other approaches. Fourth,
it supports the consistent enforcement of password policies across
all of a user’s accounts. Finally, concentrating password responsibilities
in the operating system makes it easier to diffuse improvements rapidly.
8. Implications/Applications:
This paper identifies open research questions related to end-to-end
passwords. Specifically, we note the importance that the
development of this paradigm be guided by systematic application
of user-centered design principles and empirical usability analysis.
As such, there are a number of usability issues to be addressed in
this new paradigm. There are also a number of systems research
questions to be addressed to increase the capabilities and strengthen
the security of this new paradigm. Lastly, we briefly describe the
research needed to enable the transition from the current password
paradigm to the end-to-end password paradigm.
Paragraph (200-300 words) – Connect the sentences above into one flowing paragraph.
Password theft continues to be a significant problem. Passwords are still dominant because of the
combination of security, deployability and usability that has been hard to match, but they are
often stolen from storage, and most recent large password database leaks did not properly
secure the passwords.
People are easily tricked into entering their credentials into phishing applications and sites, and have
difficulty recognizing when a secure session will be used to transmit their password.
There have been many attempts to improve password-based authentication, for example: the use
of strong password protocols to further secure users' passwords, functionality in the
operating system that can be hardened using operating-system primitives, distinguishing
between a legitimate and a malicious password entry interface, a safe and practical
environment for security applications, principles of user-centered design, and usable security.
To address these issues, we propose a new password paradigm in which passwords are never
shared with applications or transmitted over the network, but are instead verified using
zero-knowledge protocols. The benefits of this paradigm are that it significantly
reduces the attack surface and it has the potential to finally make a significant impact on
password phishing. It offers protection from a compromised host, and it supports the
consistent enforcement of password policies across all of a user’s accounts. Finally,
concentrating password responsibilities in the operating system makes it easier to diffuse
improvements rapidly.
Specifically, we note the importance that the development of this paradigm be guided by
systematic application of user-centered design principles and empirical usability analysis.
As such, there are a number of usability issues to be addressed in this new paradigm and also
a number of systems research questions to be addressed to increase the capabilities and
strengthen the security of this new paradigm. Lastly, we briefly describe the
research needed to enable the transition from the current password paradigm to an
end-to-end password paradigm.
Summary (100 words) – Reduce the above by 50%.
Stealing and hacking passwords is a known phenomenon, and in this article we talk about a
different kind of solution. This end-to-end password solution tries to address five problems: (a)
a minimal attack surface, (b) protection from password phishing, (c) protection from
malware, (d) consistent password policies, and (e) the ability to more rapidly diffuse
improvements from password research. They intend to do that by transferring password
functionality to two endpoints, the operating system (entry, management, storage, and
verification) and the password verification service (verification, and verification token
storage).
In this paradigm, passwords are never shared with applications or transmitted over the
network, but are instead verified using zero-knowledge protocols.
Stealing and hacking passwords is a known phenomenon, and this article proposes a
solution by developing a new paradigm that will be better and safer: a transition from the
current password paradigm to an end-to-end password paradigm.
Article #2:
Notes
1. Problem:
3. Critique/Response to PA:
4. Authors Approach:
5. Method:
6. Results (R):
8. Implications/Applications:
9. Other:
10. Other:
Paragraph (200-300 words) – Connect the sentences above into one flowing paragraph.
Article #3:
Notes
1. Problem:
4. Authors Approach:
5. Method:
6. Results (R):
8. Implications/Applications:
9. Other:
10. Other:
Paragraph (200-300 words) – Connect the sentences above into one flowing paragraph.
Synthesis
(Simply copy/paste Gists down here for your convenience.)
(Use the color coding system to better synthesize – like-colored items only need to be expressed
once in a synthesis.)
Gist 1
Gist 2
Gist 3
Dialogue
(By pitting contrasting positions against one another in a script (like in a movie or play), arrive at
a resolution in the form of a best way forward – a follow-up research project all parties can
subscribe to.)