From: gnunet
Subject: [taler-anastasis] branch master updated: worked on authentication part - related work
Date: Tue, 02 Jun 2020 22:15:01 +0200

This is an automated email from the git hooks/post-receive script.

dennis-neufeld pushed a commit to branch master
in repository anastasis.

The following commit(s) were added to refs/heads/master by this push:
     new 8213e25  worked on authentication part - related work
8213e25 is described below

commit 8213e252425d4f424bbfdcda2f40d7fe78b186c5
Author: Dennis Neufeld <dennis.neufeld@students.bfh.ch>
AuthorDate: Tue Jun 2 20:14:58 2020 +0000

    worked on authentication part - related work
---
 doc/thesis/related_work.tex | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index f754851..86fbf2d 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -85,11 +85,25 @@ Because passwords can be forgotten, we do not recommend 
using this method in Ana
 
 \subsubsection{Secure question}
 Similar to password authentication the use of an authentication method based 
on a secure question requires the user to remember the correct answer to the 
specific question. The difference here is that the question provides a context 
that helps the user to remember the answer and the user does not need to 
memorize something new \cite{just2004}.\\
+There are several ways to implement authentication via a secure question:
+\begin{itemize}
+       \item The questions and answers are predefined.
+       \item Just the questions are predefined.
+       \item The user is free to create custom questions and answers.
+\end{itemize}
+The first option is the easiest one. But predefining the answers has the 
disadvantage being very impersonal and inflexible. The questions must 
inevitably be very general, which allows an attacker to answer the questions 
without even having to guess. Therefore the first option is not applicable.\\
+The second option is more applicable but has some drawbacks, too. For example 
there may be questions whose answers have multiple syntactic representations 
(for example, "St." versus "Street") \cite{just2004}. Another problem could be 
a question whose answer may change over time. Asking for the favourite actor 
for example could be problematic. In addition, there is a challenge to define 
questions for all kind of people. Some people for example could not answer to 
the question, what the na [...]
+In case of the third option we also have the problematic of the second one. 
Furthermore there is the difficulty for the user to ask creative questions. A 
good question should only be answerable by the user. Also, it would be perfect 
to have the attacker on the wrong track by using ambiguities he doesn't know.\\
+FIXME: privacy concerns (personal answers must be stored)
 
 
 \subsubsection{SMS authentication}
 Another way to authenticate is SMS authentication. The most popular use case 
is the mobile TAN used to authorize online banking transactions. But SMS is no 
longer considered secure. The SMS authentication relies on the security of the 
mobile network, which has different possible attacks \cite{rieck_detection}. 
There are also specialized mobile Trojans which are used to eavesdrop these 
messages directly on the mobile device.\\
-Instead of using SMS one can also use other forms of messages such as email or 
physical mail. They all face the threat of interception.
+When it comes to privacy, storing a phone number is a problem. But the service 
authenticating the user needs the phone number enabling it to send a message to 
the user during authentication process.\\
+In Anastasis we also need to store the phone number to the server. But in our 
case the phone number is encrypted with a secret key only the user owns. The 
server only gets this secret key during an authentication process. Thus 
stealing the database of the server does not reveal the phone number to the 
attacker.
+
+FIXME
+Instead of using SMS one can also use other forms of messages such as email or 
physical mail. They all face the threat of interception. FIXME
 
 \subsubsection{Mail authentication}
 
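Review bot: the claim in the new SMS paragraph that "stealing the database of the server does not reveal the phone number to the attacker" only holds for an offline copy of the database; the same paragraph says the server receives the user's secret key and decrypts the phone number during every authentication run, so an attacker who controls the running server still learns it, and the text should say that the protection is limited to data at rest and that the server must discard the key once the message has been sent. The paragraph "Instead of using SMS one can also use other forms of messages such as email or physical mail. They all face the threat of interception." is removed at the top of the hunk and re-added at the bottom between two bare "FIXME" markers, and "FIXME: privacy concerns (personal answers must be stored)" is left in the secure-question section; these should be resolved, or at least marked with a consistent \todo-style macro, so they do not end up in the built thesis. Minor grammar: "has the disadvantage being very impersonal" should read "has the disadvantage of being very impersonal", "we also have the problematic of the second one" should be "we also have the problems of the second option", "for all kind of people" should be "for all kinds of people", and "could not answer to the question" should be "could not answer the question".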
