[taler-anastasis] branch master updated: worked on authentication part -
From: gnunet
Subject: [taler-anastasis] branch master updated: worked on authentication part - related work
Date: Tue, 02 Jun 2020 22:15:01 +0200
This is an automated email from the git hooks/post-receive script.
dennis-neufeld pushed a commit to branch master
in repository anastasis.
The following commit(s) were added to refs/heads/master by this push:
new 8213e25 worked on authentication part - related work
8213e25 is described below
commit 8213e252425d4f424bbfdcda2f40d7fe78b186c5
Author: Dennis Neufeld <dennis.neufeld@students.bfh.ch>
AuthorDate: Tue Jun 2 20:14:58 2020 +0000
worked on authentication part - related work
---
doc/thesis/related_work.tex | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/doc/thesis/related_work.tex b/doc/thesis/related_work.tex
index f754851..86fbf2d 100644
--- a/doc/thesis/related_work.tex
+++ b/doc/thesis/related_work.tex
@@ -85,11 +85,25 @@ Because passwords can be forgotten, we do not recommend
using this method in Ana
\subsubsection{Secure question}
Similar to password authentication the use of an authentication method based
on a secure question requires the user to remember the correct answer to the
specific question. The difference here is that the question provides a context
that helps the user to remember the answer and the user does not need to
memorize something new \cite{just2004}.\\
+There are several ways to implement authentication via a secure question:
+\begin{itemize}
+ \item The questions and answers are predefined.
+ \item Just the questions are predefined.
+ \item The user is free to create custom questions and answers.
+\end{itemize}
+The first option is the easiest one. But predefining the answers has the
disadvantage being very impersonal and inflexible. The questions must
inevitably be very general, which allows an attacker to answer the questions
without even having to guess. Therefore the first option is not applicable.\\
+The second option is more applicable but has some drawbacks, too. For example
there may be questions whose answers have multiple syntactic representations
(for example, "St." versus "Street") \cite{just2004}. Another problem could be
a question whose answer may change over time. Asking for the favourite actor
for example could be problematic. In addition, there is a challenge to define
questions for all kind of people. Some people for example could not answer to
the question, what the na [...]
+In case of the third option we also have the problematic of the second one.
Furthermore there is the difficulty for the user to ask creative questions. A
good question should only be answerable by the user. Also, it would be perfect
to have the attacker on the wrong track by using ambiguities he doesn't know.\\
+FIXME: privacy concerns (personal answers must be stored)
\subsubsection{SMS authentication}
Another way to authenticate is SMS authentication. The most popular use case
is the mobile TAN used to authorize online banking transactions. But SMS is no
longer considered secure. The SMS authentication relies on the security of the
mobile network, which has different possible attacks \cite{rieck_detection}.
There are also specialized mobile Trojans which are used to eavesdrop these
messages directly on the mobile device.\\
-Instead of using SMS one can also use other forms of messages such as email or
physical mail. They all face the threat of interception.
+When it comes to privacy, storing a phone number is a problem. But the service
authenticating the user needs the phone number enabling it to send a message to
the user during authentication process.\\
+In Anastasis we also need to store the phone number to the server. But in our
case the phone number is encrypted with a secret key only the user owns. The
server only gets this secret key during an authentication process. Thus
stealing the database of the server does not reveal the phone number to the
attacker.
+
+FIXME
+Instead of using SMS one can also use other forms of messages such as email or
physical mail. They all face the threat of interception. FIXME
\subsubsection{Mail authentication}
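Review bot: The bare FIXME markers in this hunk are plain text, not LaTeX comments, so they will be typeset into the thesis: "FIXME: privacy concerns (personal answers must be stored)" at the end of the secure question text, and the "FIXME" before and after the "Instead of using SMS ..." paragraph. Turn them into comments ("% FIXME: ...") or a todo macro so they stay out of the PDF. In the SMS paragraph, the statement that "stealing the database of the server does not reveal the phone number" only covers data at rest: the same paragraph says the server receives the secret key during an authentication process, so a server that is compromised while an authentication is running sees the number in the clear, and the claim should be scoped to that. Wording in the added lines: "has the disadvantage being" should read "has the disadvantage of being", "the problematic of the second one" should read "the problems of the second one", and "store the phone number to the server" should read "on the server".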
--
To stop receiving notification emails like this one, please contact
gnunet@gnunet.org.