Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting

Pierre Laperdrix; Gildas Avoine; Benoit Baudry; Nick Nikiforakis

doi:10.1007/978-3-030-22038-9_3

Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting

Pierre Laperdrix
, Gildas Avoine
, Benoit Baudry
, Nick Nikiforakis

Computer Science

Helmholtz Center for Information Security
Campus de Beaulieu
KTH Royal Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

24 Scopus citations

Abstract

In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a user logs onto a service. With the analysis of images collected from more than 1.1 million devices in a real-world large-scale experiment, we evaluate our proposed scheme against a large set of attack scenarios and conclude that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.

Original language	English
Title of host publication	Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings
Editors	Roberto Perdisci, Roberto Perdisci, Clémentine Maurice, Giorgio Giacinto, Magnus Almgren
Publisher	Springer Verlag
Pages	43-66
Number of pages	24
ISBN (Print)	9783030220372
DOIs	https://doi.org/10.1007/978-3-030-22038-9_3
State	Published - 2019
Event	16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2019 - Gothenburg, Sweden Duration: Jun 19 2019 → Jun 20 2019

Publication series

Name	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume	11543 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2019
Country/Territory	Sweden
City	Gothenburg
Period	06/19/19 → 06/20/19

Access to Document

10.1007/978-3-030-22038-9_3

Cite this

Laperdrix, P., Avoine, G., Baudry, B., & Nikiforakis, N. (2019). Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. In R. Perdisci, R. Perdisci, C. Maurice, G. Giacinto, & M. Almgren (Eds.), Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings (pp. 43-66). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11543 LNCS). Springer Verlag. https://doi.org/10.1007/978-3-030-22038-9_3

Laperdrix, Pierre ; Avoine, Gildas ; Baudry, Benoit et al. / Morellian analysis for browsers : Making web authentication stronger with canvas fingerprinting. Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings. editor / Roberto Perdisci ; Roberto Perdisci ; Clémentine Maurice ; Giorgio Giacinto ; Magnus Almgren. Springer Verlag, 2019. pp. 43-66 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{ecfea32558804064ad4907f94b6fbde7,

title = "Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting",

abstract = "In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a user logs onto a service. With the analysis of images collected from more than 1.1 million devices in a real-world large-scale experiment, we evaluate our proposed scheme against a large set of attack scenarios and conclude that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.",

author = "Pierre Laperdrix and Gildas Avoine and Benoit Baudry and Nick Nikiforakis",

note = "Publisher Copyright: {\textcopyright} Springer Nature Switzerland AG 2019.; 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2019 ; Conference date: 19-06-2019 Through 20-06-2019",

year = "2019",

doi = "10.1007/978-3-030-22038-9\_3",

language = "English",

isbn = "9783030220372",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer Verlag",

pages = "43--66",

editor = "Roberto Perdisci and Roberto Perdisci and Cl{\'e}mentine Maurice and Giorgio Giacinto and Magnus Almgren",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings",

}

Laperdrix, P, Avoine, G, Baudry, B & Nikiforakis, N 2019, Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. in R Perdisci, R Perdisci, C Maurice, G Giacinto & M Almgren (eds), Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 11543 LNCS, Springer Verlag, pp. 43-66, 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2019, Gothenburg, Sweden, 06/19/19. https://doi.org/10.1007/978-3-030-22038-9_3

Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. / Laperdrix, Pierre; Avoine, Gildas; Baudry, Benoit et al.
Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings. ed. / Roberto Perdisci; Roberto Perdisci; Clémentine Maurice; Giorgio Giacinto; Magnus Almgren. Springer Verlag, 2019. p. 43-66 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 11543 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Morellian analysis for browsers

T2 - 16th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2019

AU - Laperdrix, Pierre

AU - Avoine, Gildas

AU - Baudry, Benoit

AU - Nikiforakis, Nick

N1 - Publisher Copyright: © Springer Nature Switzerland AG 2019.

PY - 2019

Y1 - 2019

N2 - In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a user logs onto a service. With the analysis of images collected from more than 1.1 million devices in a real-world large-scale experiment, we evaluate our proposed scheme against a large set of attack scenarios and conclude that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.

AB - In this paper, we present the first fingerprinting-based authentication scheme that is not vulnerable to trivial replay attacks. Our proposed canvas-based fingerprinting technique utilizes one key characteristic: it is parameterized by a challenge, generated on the server side. We perform an in-depth analysis of all parameters that can be used to generate canvas challenges, and we show that it is possible to generate unique, unpredictable, and highly diverse canvas-generated images each time a user logs onto a service. With the analysis of images collected from more than 1.1 million devices in a real-world large-scale experiment, we evaluate our proposed scheme against a large set of attack scenarios and conclude that canvas fingerprinting is a suitable mechanism for stronger authentication on the web.

UR - https://www.scopus.com/pages/publications/85067800996

U2 - 10.1007/978-3-030-22038-9_3

DO - 10.1007/978-3-030-22038-9_3

M3 - Conference contribution

AN - SCOPUS:85067800996

SN - 9783030220372

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 43

EP - 66

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings

A2 - Perdisci, Roberto

A2 - Maurice, Clémentine

A2 - Giacinto, Giorgio

A2 - Almgren, Magnus

PB - Springer Verlag

Y2 - 19 June 2019 through 20 June 2019

ER -

Laperdrix P, Avoine G, Baudry B, Nikiforakis N. Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting. In Perdisci R, Perdisci R, Maurice C, Giacinto G, Almgren M, editors, Detection of Intrusions and Malware, and Vulnerability Assessment - 16th International Conference, DIMVA 2019, Proceedings. Springer Verlag. 2019. p. 43-66. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-22038-9_3

Morellian analysis for browsers: Making web authentication stronger with canvas fingerprinting

Abstract

Publication series

Conference

Access to Document

Other files and links

Fingerprint

Cite this