Project Description

Common smartphone authentication mechanisms such as PINs, graphical passwords, and fingerprint scans offer limited security. They are relatively easy to guess or spoof, and are ineffective when the smartphone is captured after the user has logged in.

Multi-modal active authentication addresses these challenges by frequently and unobtrusively authenticating the user via behavioral biometric signals, such as touchscreen interaction, hand movements, gait, voice, and phone location. However, these techniques raise significant privacy and security concerns because the behavioral signals used for authentication represents personal identifiable data, and often expose private information such as user activity, health, and location. Because smartphones can be easily lost or stolen, it is paramount to protect all sensitive behavioral information collected and processed on these devices. One approach for securing behavioral data is to perform off-device authentication via privacy-preserving protocols. However, our experiments show that the energy required to execute these protocols, implemented using state-of-the-art techniques, is unsustainably high, and leads to very quick depletion of the smartphone’s battery.

This research advances the state of the art of privacy-preserving active authentication by devising new techniques that significantly reduce the energy cost of cryptographic authentication protocols on smartphones. Further, this research takes into account signals that indicate that the user has lost possession of the smartphone, in order to trigger user authentication only when necessary. The focus of this project is in sharp contrast with existing techniques and protocols, which have been largely agnostic to energy consumption patterns and to the user1s possession of the smartphone post-authentication. The outcome of this project is a suite of new cryptographic techniques and possession-aware protocols that enable secure energy-efficient active authentication of smartphone users. These cryptographic techniques advance the state of the art of privacy-preserving active authentication by re-shaping individual protocol components to take into account complex energy tradeoffs and network heterogeneity, integral to modern smartphones. Finally, this project will focus on novel techniques to securely offload computation related to active authentication from the smartphone to a (possibly untrusted) cloud, further reducing the energy footprint of authentication. The proposed research will thus make privacy-preserving active authentication practical on smartphones, from both an energy and performance perspective.

Personnel

• Paolo Gasti (Faculty, Pl)
• Kiran Balagani (Faculty, Co-pl)
• Keyvan Chamani
• Savitri Gadagi
• Mehdi Taheri
• Charissa Miller
• Nan Wu
• Tristan Gurtler
• Kendall Molas
• Maria Lombardo
• Krutik Poojara
• Seth Levine
• Diksha Chhabra
• Leroy Lomotey
• Francheska Niveyro

Publications

• Fatimah Elsayed, Kiran Balagani, Paolo Gasti, Chung Hyuk Park, and Anand Santhanakrishnan. Continuous and Transparent Authentication of Haptic Users. In Proceedings of the IEEE Haptics Symposium, IEEE, 2018
• Kiran Balagani, Mauro Conti, Paolo Gasti, Martin Georgiev, Tristan Gurtler, Daniele Lain, Charissa Miller, Kendall Molas, Nikita Samarin, Eugen Saraci, Gene Tsudik, and Lynn Wu. Silk-tv: Secret Information Leakage from Keystroke Timing Videos. In European Symposium on Research in Computer Security (ESORICS), Springer, Berlin, Heidelberg, 2018
• Qing Yang, Paolo Gasti, Kiran Balagani, Yantao Li, and Gang Zhou. Usb Side-channel Attack on Tor. In Elsevier Journal on Computer Networks (COMNET), vol. 141 pp. 57–66, 2018
• Qing Yang, Ge Peng, Paolo Gasti, Kiran Balagani, Yantao Li, and Gang Zhou. Meg: Memory and Energy Efficient Garbled Circuit Evaluation on Smartphones. In Transactions on Information Forensics and Security (T-IFS), vol. 10 pp. 384–396, 2018
• Yang, Qing, Paolo Gasti, Gang Zhou, Aydin Farajidavar, and Kiran S. Balagani. On Inferring Browsing Activity on Smartphones via USB Power Analysis Side-Channel. IEEE Transactions on Information Forensics and Security 12, no. 5 (2017): 1056-1066
• Gasti, Paolo, Jaroslav Šeděnka, Qing Yang, Gang Zhou, and Kiran S. Balagani. Secure, Fast, and Energy-Efficient Outsourced Authentication for Smartphones. IEEE Transactions on Information Forensics and Security 11, no. 11 (2016): 2556-2571 [code].

This research was made possible by NSF Grant CNS-19023, in collaboration with College of William and Mary