ZeTA - Zero-Trust Authentication: Relying on Innate Human Ability, not Technology
2016 (English). In: 2016 IEEE European Symposium on Security and Privacy (EuroS&P), IEEE conference proceedings, 2016, 357-371 p. Conference paper (Refereed)
Reliable authentication requires the devices and channels involved in the process to be trustworthy; otherwise authentication secrets can easily be compromised. Given the unceasing efforts of attackers worldwide such trustworthiness is increasingly not a given. A variety of technical solutions, such as utilising multiple devices/channels and verification protocols, has the potential to mitigate the threat of untrusted communications to a certain extent. Yet such technical solutions make two assumptions: (1) users have access to multiple devices and (2) attackers will not resort to hacking the human, using social engineering techniques. In this paper, we propose and explore the potential of using human-based computation instead of solely technical solutions to mitigate the threat of untrusted devices and channels. ZeTA (Zero Trust Authentication on untrusted channels) has the potential to allow people to authenticate despite compromised channels or communications and easily observed usage. Our contributions are threefold: (1) We propose the ZeTA protocol with a formal definition and security analysis that utilises semantics and human-based computation to ameliorate the problem of untrusted devices and channels. (2) We outline a security analysis to assess the envisaged performance of the proposed authentication protocol. (3) We report on a usability study that explores the viability of relying on human computation in this context.
Place, publisher, year, edition, pages
IEEE conference proceedings, 2016. 357-371 p.
Identifiers
URN: urn:nbn:se:kau:diva-42084; DOI: 10.1109/EuroSP.2016.35; ISBN: 978-1-5090-1751-5 (print); OAI: oai:DiVA.org:kau-42084; DiVA: diva2:930056
EuroS&P'16 : IEEE European Symposium on Security and Privacy, 21-24 March 2016, Saarbrucken