Authentication with what you have: improving resilience and usability

Wang, Yongqi ORCID: 0009-0007-9290-2480 (2024). Authentication with what you have: improving resilience and usability. University of Birmingham. M.Sc.

Wang2024MScbyRes.pdf
Text - Accepted Version
Available under License All rights reserved.


Abstract

This thesis aims to improve the resilience and usability of authentication with what you have. I identify two problems which are pertinent to this area and present solutions to each.

The first problem concerns the remote registration of multiple authenticators. User authentication with discrete authenticators, such as YubiKeys, is becoming increasingly popular. The authenticators can be external or on-device. They work using challenge-response protocols and public key cryptography. Multiple accounts can be associated with each authenticator. Compared with other forms of authentication, this approach has advantages in security and usability. There are, however, significant limitations which persist.

In particular, if users possess only one authenticator, they lack resilience to loss and malfunction. On the other hand, if they possess multiple authenticators, they lack practical solutions to keep authenticators synchronised.

In this thesis, I present three solutions which combine the usability of a single authenticator with the resilience of multiple authenticators. I also present novel key derivation functions which are important components of the solutions. All three solutions maintain core security and privacy properties found in existing systems. Meanwhile, each solution provides additional value in different use cases. The security of the solutions is analysed using ProVerif.

The second problem concerns secret sharing without a central entity. A cryptographic secret can be shared amongst multiple players such that a subset of players must collaborate to use the secret. A central entity can be tasked to issue new shares of the secret but such an entity must be trusted and secure. This can be costly or impractical. To issue new shares in a decentralised manner, players can take two existing approaches which I call the frontloading approach [20] and the NSG approach [27].

The frontloading approach has the advantages of less communication complexity, fewer requirements to broadcast metadata, more robustness against delays or revoked decisions, and more flexibility in the choice of thresholds.

However, the frontloading approach has limitations which are not yet resolved. These limitations are addressed in this thesis. First, only a limited set of players are able to participate in issuing shares. Second, the setup stage is not fully decentralised. Players need to be provisioned with particular information before they can issue shares and an additional mechanism is required to generate this information in a decentralised manner.

To extend the ability to issue shares, I describe a protocol of multi-layered secret sharing. This includes a protocol for distributing and recombining shares without compromising the security of the shared secret. To make the frontloading approach fully decentralised, I describe a protocol of multi-layered secret sharing with multiple parties. Thus, players can generate the information required for frontloading without a central entity. These solutions may be used to improve the security and usability of secret sharing. This can be valuable for users and service providers in applications such as user authentication and threshold authorisation.

Type of Work: Thesis (Masters by Research > M.Sc.)
Award Type: Masters by Research > M.Sc.
Supervisor(s):
Ryan, Mark D (Email: UNSPECIFIED; ORCID: UNSPECIFIED)
Oswald, David (Email: UNSPECIFIED; ORCID: UNSPECIFIED)
Licence: All rights reserved
College/Faculty: Colleges > College of Engineering & Physical Sciences
School or Department: School of Computer Science
Funders: Other
Other Funders: 1. University of Birmingham, School of Computer Science, 2. Hewlett Packard Labs
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science
URI: http://etheses.bham.ac.uk/id/eprint/14743
