Have you ever been faced with a photo grid and asked to click on every traffic light to prove you weren’t a robot before you could access your email or bank? A recent proposal by Dr. Muath Obaidat, an Assistant Professor in John Jay College’s Department of Mathematics and Computer Science, could prevent you from having to go through that ever again.
Along with co-authors including his student Joseph Brown (a 2020 graduate who earlier this year was awarded John Jay’s Ruth S. Lefkowitz Mathematics Prize), Dr. Obaidat makes the case for a new way of authenticating user information that would make logging into websites more secure without overcomplicating the system. He calls it “a step forward” both technically and logistically, as the proposed authentication system is both technically more secure and easier to deploy commercially than previous proposals. So while Obaidat’s research may seem complicated, the solution he proposes in “A Hybrid Dynamic Encryption Scheme for Multi-Factor Verification: A Novel Paradigm for Remote Authentication” (Sensors, July 2020) is not just theoretical.
(To read the full text of the article for free, visit https://www.mdpi.com/1424-8220/20/15/4212/htm)
Read on for a Q&A with Dr. Muath Obaidat:
Can you describe the most common risks of the typical username/password authentication model most of us are using today?
The most common risk in current authentication models is the lack of presentation of actual proof of identity, especially during communications. Since the majority of websites use static usernames and passwords that do not change between sessions, if an attacker can get ahold of a login — whether by guessing or through more technical means — there is no further mechanism or nuance in design to actually stop them from using stolen data to imitate a user. While 2FA (Two Factor Authentication) has risen in popularity as a mitigation for this problem, both published papers from the National Institute of Standards and Technology (NIST) as well as high profile public hacks have shown this to be insufficient by itself, because of attacks which focus on manipulating or stealing data rather than simply brute-forcing (working through all possible combinations through trial-and-error to crack a passcode).
Can you explain how your proposed method works to authenticate a session?
The simplest way to explain how this form of authentication works is to imagine you had a key split into two halves; the client has a half, and the server has a half. But instead of just sending the half of the key you have, you’re sending the blueprint for said key half, which can only be reconstructed given the other half. This blueprint changes slightly each time you log in, but is still derivative of the other “whole” key.
Only two people have the respective halves: the client and the server. These halves are derivative of data which is itself derived from an original input. Thus, as long as you can produce something from the front-end that creates one input, even though this input is never sent, it can be integrated with this system. Think of that as the “mold” from which the key is derived, and then the blueprint is shifted on both ends according to the original mold.
How does your proposed scheme differ from others that have been in use or proposed previously?
What sets it apart is both the flexibility of the design as well as the range of problems it attempts to fix at one time. Many other schemes we studied were focused on fixing one problem: typically [they focused on] brute-forcing, which manifested in the form of padding “front-end” or “back-end” parts of a scheme without giving much thought to the actual transmission of data itself. Our scheme, on the other hand, is focused on protecting that transmitted data, while also being sure not to introduce additional weaknesses on either end of the communication.
Another big issue we often ran into with other schemes is design flexibility; many were either unrealistic to implement en masse, or were so specific that they pigeonholed themselves into a scenario where they could not be combined with other communication systems or improvements to other architectural traits. Our scheme is flexible in terms of architectural integration — for example, it uses the same simple Client-Server framework without introducing third parties or other nodes — and the overall design is both simplistic in terms of implementation and highly adaptable.
What is it that has prevented many newly-proposed authentication schemes from being implemented more broadly?
While it depends on the scheme in question, there are typically three factors that are preventative to implementation: user accessibility, deployment complications, and degree of benefit. The first isn’t really technical, but relates more to consumer factors. Many schemes simply are not widely implementable on a consumer level; not only because of aspects such as speed, but also because of logistics. Having a user go through a complicated process each time they want to log into a website isn’t very practical, especially if you’re selling a product where convenience is a factor, hence why some schemes don’t catch on despite being technically sound.
Deployment complications, on the other hand, would be related to things such as how to replace current infrastructure with new infrastructure; many schemes significantly stagger architectures or are highly specific and complex to actually deploy. These complications act as a deterrent to those who may want to implement them. Lastly, degree of benefit is a big factor too. Given how ubiquitous current paradigms are, simply improving one aspect in exchange for the implementation of a widely different system is a very big ask. Implementation takes time, as does adoption on a wide scale, so unless the benefit is [significant enough to merit departing from] current paradigms, it’s unlikely many would want to explore “unproven” adoptions.
How would a new authentication method go from being theoretical to being widely adopted? In other words, by what process is this type of new technology adopted, and who is responsible for its uptake?
That’s a good question, and I do not think there is a singular answer unfortunately. Especially because of the decentralization of the internet, it’s hard to give a specific answer on what this would look like in practice. As the internet has been more consolidated under specific companies, I suppose one answer to this would be that bigger companies would have to take an interest in implementation and take action themselves to create a ripple effect. This is distinct from the past, when collective normalization of technology was bottom-up because of more decentralized standards.
Dr. Muath Obaidat is an Assistant Professor of Computer Science and Information Security at John Jay College of Criminal Justice of the City University of New York and a member of the Center for Cybercrime Studies, Graduate Faculty in the Master of Science Digital Forensics and Cyber Security program and Doctoral faculty of the Computer Science Department at the Graduate School and University Center of CUNY.
He has published numerous scientific articles in journals and respected conference proceedings. His research interests lie in the area of digital forensics, ubiquitous Internet of Things (IoT) security and privacy. His recent research crosscuts the areas of wireless network protocols, cloud computing and security.
Dr. Edgardo Sanabria-Valentín sees himself in the PRISM students he works with. He credits his alma mater, the University of Puerto Rico, with instilling in him the spirit of preparedness that he brings to student researchers and presenters at John Jay — being ready not only with the technical facts but with the message about why your research is important, and how you are changing the world.
“Because of that, every time we go to a conference, we get minimum one award — my top is three!” he says. “Every time we go to an undergraduate research conference, John Jay’s name always comes up.” It is this tangible commitment to bringing out the best in John Jay’s science students that earned Dr. Sanabria-Valentín, who is the Associate Director of the John Jay Program for Research Initiatives in Science and Math (PRISM), a 2018 APACS President’s Award.
At its heart, PRISM is about teaching students skills, not only in the sciences but also to prepare them to succeed in and after college. “The bread and butter upon which PRISM was founded” is the Undergraduate Research Program. The program provides students with opportunities to be exposed to the process of science beyond their normal classroom studies by working directly with a faculty mentor on an original STEM research project.
And PRISM has grown. A second component is the Junior Scholars program, giving academic support to eligible students that can include stipends, professional development events and supplementary advisement, as well as financial support in applying to post-graduate programs in New York State-licensed professions. Just as important for an institution that counts many first-generation college students among its student body, Junior Scholars collaborates with student support services across the college, like the Math and Sciences Research Center, Center for Career and Professional Development, Wellness Center, Center for Postgraduate Opportunities, and even more. The program is designed to make sure that students have all the tools to get to know their college and excel.
External funding is part of what drives PRISM’s growth. The New York State Collegiate Science and Technology Entry Program, or CSTEP, awards grants to postsecondary and professional schools to start academic support programs — like PRISM — for students from underrepresented minority groups, or who are economically disadvantaged, to help them get into STEM fields. John Jay was among the first class of schools to receive CSTEP funding, thirty years ago, and out of roughly 200 PRISM students, the CSTEP grant supports 140. Edgardo’s goal is to double that number over the next five years.
His hard work is a large part of why the CSTEP program is at John Jay — after a short hiatus, Edgardo’s application brought the program back in 2015 — and of John Jay’s unique status as the only school to have institutionalized this type of academic STEM-focused support initiative. He is also responsible for collaborating with other CSTEP schools in the region: NYU, Hostos Community College, Fordham, City College and Mt. Sinai are among the Manhattan and Bronx institutions that participate with John Jay in our CSTEP Regional Research Expos. Participating students are invited to present their own research in poster sessions and attend professional development activities.
His work on and logistical support for the expos has earned Edgardo an award from the President of the Association of Program Administrators for CSTEP and STEP (APACS). The honor also recognizes his success in running a program that benefits students in the sciences. The advisement services offered by PRISM have created the conditions for increased student success at John Jay and degree completion, and the program puts students on a path toward the pursuit of higher degrees, or toward a place in the workforce in a variety of science, technology and computer science fields. The Undergraduate Research Program has measurably helped students to pursue post-graduate degrees in science, medicine and more.
The bottom line for Edgardo, though, is his students. “My kids blow me away every time,” he gushes. “I have complete pride in showing them off at every conference I go to. I have learned so much by helping them with posters and advising on their projects; it’s encouraging that I sometimes find my students to be smarter than me.”
Learn more about:
CSTEP in New York State: http://www.highered.nysed.gov/kiap/colldev/CollegiateScienceandTechnologyEntryProgram.htm
Edgardo Sanabria-Valentín, Ph.D. is the Associate Program Director for PRISM and also the Pre-Health Careers Advisor at John Jay. He holds a Ph.D. from NYU-School of Medicine, where his dissertation work involved studying the mechanisms Helicobacter pylori employs to persist in the human stomach for the life span of each host. He came to John Jay after a Post-Doctoral Fellowship at Harvard Medical School followed by 3 years working in the Biotechnology Industry in Boston. Dr. Sanabria-Valentín is the recipient of the ESCMID Young Scientist Award (2007), a Leadership Alliance-Schering Plough Graduate Fellowship (2006), and the NBHS-Frank G. Brooks Award for Excellence in Student Research (2001). He is also a founding member of the NYC-Minority Graduate Student Network and The Leadership Alliance Alumni Association.