Stefano Cecconello

Computer Science for societal challenges and innovation, XXXIV series
Grant sponsor

Mauro Conti
Giuseppe Sartori


Project: Authentication methods: Novel attacks and defenses
Full text of the dissertation book can be downloaded from:

Abstract: Nowadays, authentication systems are widespread in our devices. They protect the security of our systems, guaranteeing that only authorized people have access to reserved services and data. Because of this role, authentication systems made their first appearance in the '60s, with the diffusion of the first computers in universities. Over the years, these systems have evolved. While the first authentication systems were based only on passwords, today's systems are considerably more advanced. In particular, with the widespread diffusion of smartphones, authentication systems became commonly used, focusing on user-friendly systems such as biometrics. This evolution generated a market that is growing strongly, and it is expected to increase by 15% again in the next few years, with revenues of hundreds of billions of dollars.

Usability is not the only factor influencing the evolution of authentication systems. Their safety also determines their evolution over time. While an authentication method guarantees the security of a system, it is also the first component to suffer from cyber-attacks. After new authentication technologies appear on the market, new methods to bypass their security frequently spread. Research in these areas becomes fundamental: on one side, to discover new authentication systems that can improve the usability of our devices, and on the other, to anticipate possible vulnerabilities and make these systems more secure.

This thesis investigates the security of authentication methods, and it is composed of two logical parts that focus on: (i) the development of novel attacks against existing authentication methods, and (ii) the development of novel authentication methods.

In the first part of this thesis, we focus on attacks against authentication methods. In particular, we show the effectiveness of three attacks against the security of password and PIN authentication methods.
The first work shows how an attacker can use the audio recorded during a VoIP call to infer the keys pressed by a victim. We showed how this attack could be used to infer passwords successfully. The other two works of the first part consist of two distinct methods to steal secret codes from ATM PIN pads. For all these attacks, we propose effective countermeasures, showing how important it is to actively participate in research in this field to improve the security of authentication systems.

In the second part of this thesis, we explored authentication systems from the perspective of both user and device authentication. In particular, we investigated a novel biometric method based on recognizing the user's chewing movement and a new authentication method to ensure the security of legacy cyber-physical systems. We present our experimental results for the former, showing how our method can guarantee user security while keeping a user-friendly environment. For the latter, we present our authentication method, showing how it can improve the security of legacy infrastructures while keeping costs down.