All ETDs from UAB

Advisory Committee Chair

Nitesh Saxena

Advisory Committee Members

Jeremy Blackburn

Yuliang Zheng

Hugo Krawczyk

Patrick Traynor

Document Type

Dissertation

Date of Award

2018

Degree Name by School

Doctor of Philosophy (PhD) College of Arts and Sciences

Abstract

Authentication is one of the most crucial security aspects of almost any system that demands interaction between humans and machines, often serving as the pre-requisite for secure communications. Besides, authentication usually involves a human user in the loop (i.e., as a verifier, a verifiee, or a facilitator), which implies the significance of the usability of any authentication scheme. Numerous authentication schemes exist today, namely, “something you know” (e.g., passwords), “something you are” (e.g., voices), “something you have” (e.g., mobile phones), and combinations thereof. However, most of them suffer from various well-documented security and usability issues. In this dissertation work, we develop authentication schemes that are secure, robust to human errors and user-friendly. Specifically, we target two commonly used authentication methods, namely, text-based authentication and voice-based authentication. As the prime instance of text-based authentication, we focus on password-based web login and aim to improve its security and usability with mobile device-based second factors and mobile device-based and online password managers. As popular applications of voice-based authentication, we focus on machine-based speaker verification systems and mobile apps/voice assistants for local or remote login, and human-based speaker verification in arbitrary human communications. Further, we consider end-to-end encrypted voice and text/messaging applications that secure the communications with the use of authentication strings verbally verified by human users or otherwise deployed web of trust models. As a part of this work/thesis, we offer the following contributions: First, we build secure two-factor authentication (TFA) systems that are resistant to lunch-time attacks, man-in-the-middle attacks, offline dictionary attacks, and online guessing attacks with or without reliance on public key infrastructure. Second, we introduce, implement and evaluate a device-based and an online password manager that improve the security and usability of password-only authentication systems against offline dictionary attacks, online guessing attacks, and phishing attacks. Third, we evaluate the security of voice authentication (audio biometric) apps, devices, and systems in the face of voice synthesis attacks and discuss a mitigation scheme based on audio transcription that is robust against voice synthesis attacks. Fourth, we introduce voice imitation attacks against existing end-to-end encrypted voice and messaging applications and conduct human factors studies to evaluate the security and usability of them in benign and malicious scenarios. Fifth, based on the results of our studies, we build a novel and usable end-to-end encrypted voice and messaging model build on top of speech-to-text and text-to-speech tools that improves the security of voice and messaging apps against data man-in-the-middle attack and voice imitation attacks and is robust to human errors. Sixth, we introduce a decentralized trust model to validate the authenticity of the static public keys through the use of automated audio fingerprint verification. Overall, this work provides various human-to-machine and human-assisted machine-to-machine authentication schemes and protocols that aim to deliver a balance between security and usability features, which are usually considered as conflicting properties. Our schemes attempt to improve the security of the authentication systems transparently, by encompassing protocols and applications developed for personal mobile devices and online services, and thereby, can be integrated with the currently deployed systems with minimal or no modification on the systems and the user interaction models.

Share

COinS