Office of Technology Transfer – University of Michigan

Application Protection Using Transient Authentication

Technology #2579

Researchers
Brian D. Noble
Managed By
Keith Hughes
Assistant Director, Physical Sciences & Engineering 734-764-9429

Background

Computer authentication requires that a user supply some proof of identity (a password, smartcard, or biometric) to a device. Unfortunately, it is infeasible to ask users to provide authentication for each request made of a device. Imagine a system that requires the user to manually compute a message authentication code for each command: the authenticity of each request can be checked, but the system becomes unusable. Instead, users authenticate infrequently to devices. User authentication is assumed to hold until it is explicitly revoked, though some systems further limit its duration to hours or days. Regardless, in this model authentication is persistent, and this creates tension between security and usability. To maximize security, a device must constantly re-authenticate its user; to be usable, authentication must be long-lived. In practice, authentication between people and their computing devices is both infrequent and persistent, so should a device fall into the wrong hands, the imposter has the full rights of the legitimate user.

Technology

Researchers at the University of Michigan have developed a new model, called “transient authentication,” in which a user wears a small token equipped with a short-range wireless link and modest computational resources. This token is able to authenticate constantly on the user’s behalf. It also acts as a proximity cue to applications and services: if the token does not respond to an authentication request, the device can take steps to secure itself. This technology provides an improved method and system to maintain application data security on machines that are running or have been suspended. In the first embodiment, applications are protected transparently by encrypting in-memory state when the user departs and decrypting this state when the user returns. This technique is effective, requiring just seconds to protect and restore an entire machine. In a second embodiment, applications use an API for transient authentication to protect only their sensitive state. Ports of three applications (PGP, SSH, and Mozilla) to this API are described.
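The departure/return cycle described above, as an added illustrative simulation (not code from the university or the researchers): a token answers HMAC challenges over the short-range link, and a device encrypts its sensitive in-memory state when the token stops answering and decrypts it when the token returns. The key-wrapping arrangement, the stdlib-only stream cipher, the sample secret and all names are assumptions made for this example.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stdlib-only stream cipher (HMAC-SHA256 in counter mode); illustrative, not a real AEAD."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

class Token:  # wearable token: shares auth_key with the device at pairing; wrap_key never leaves it
    def __init__(self, auth_key: bytes):
        self.auth_key, self.wrap_key = auth_key, os.urandom(32)
        self.in_range = True  # proximity cue; set False to simulate the user walking away
    def respond(self, nonce: bytes):  # challenge-response over the short-range link
        return None if not self.in_range else hmac.new(self.auth_key, b"auth" + nonce, hashlib.sha256).digest()
    def wrap(self, key: bytes):  # XOR keystream is its own inverse, so wrap doubles as unwrap
        return None if not self.in_range else keystream_xor(self.wrap_key, b"wrap", key)

class Device:  # host with sensitive in-memory state; caches the data key only while the token answers
    def __init__(self, token: Token, auth_key: bytes, secrets: bytes):
        self.token, self.auth_key, self.secrets, self.sealed = token, auth_key, secrets, None
        self.cached_key = os.urandom(32)  # per-session data key, generated while the user is present
        self.wrapped_key = token.wrap(self.cached_key)  # only the token can recover it later

    def token_present(self) -> bool:
        nonce = os.urandom(16)
        expected = hmac.new(self.auth_key, b"auth" + nonce, hashlib.sha256).digest()
        reply = self.token.respond(nonce)
        return reply is not None and hmac.compare_digest(reply, expected)

    def poll(self) -> str:
        """One heartbeat: encrypt state when the token stops answering, decrypt when it returns."""
        present = self.token_present()
        if not present and self.secrets is not None:
            nonce = os.urandom(16)
            self.sealed = (nonce, keystream_xor(self.cached_key, nonce, self.secrets))
            self.secrets = self.cached_key = None  # plaintext and key leave memory
            return "secured"
        if present and self.secrets is None:
            key = self.token.wrap(self.wrapped_key)  # token may have left again since the check
            if key is None:
                return "secured"
            nonce, ciphertext = self.sealed
            self.cached_key, self.secrets, self.sealed = key, keystream_xor(key, nonce, ciphertext), None
            return "restored"
        return "unchanged"
```

A real deployment would use an authenticated cipher and would also wipe the decrypted key from any caches, which this simulation does not model.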

Applications and Advantages

Applications
• Computing device authentication and security

Advantages
• Quick and simple authentication to promote a high level of security and usability
• Low implementation and cost hurdles