Preferred Name

Casey Lee Silver

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

ORCID

https://orcid.org/0000-0001-8564-5251

Date of Graduation

5-2020

Document Type

Thesis

Degree Name

Master of Science (MS)

Department

Department of Computer Science

Advisor(s)

Brett Tjaden

Xunhua Wang

Hossain Heydari

Abstract

This paper explores how existing push notification based two-factor authentication systems are susceptible to real-time man-in-the-middle relay attacks and proposes a system for mitigating such attacks. A fully functional reference system of the proposed mitigation was built and compared to an existing push notification two-factor authentication system while undergoing a real-time man-in-the-middle relay attack. The reference systems used cloud infrastructure for hosting, an Apple iPhone as the notification receiver, and Apple’s push notification service to send notifications. A publicly available tool for conducting real-time man-in-the-middle relay attacks was used to conduct the attacks. The results of the tests were recorded and contrasted to show how existing implementations fail to identify such attacks and how the proposed system could. It is recommended that the existing push notification two-factor authentication providers implement additional measures to protect users against real-time man-in-the-middle relay attacks while appropriately weighing key usability issues. While the proposed mitigation system is shown to prevent such attacks, it has usability drawbacks that should be considered.

Download

Share

COinS
 
 

To view the content in your browser, please download Adobe Reader or, alternately,
you may Download the file to your hard drive.

NOTE: The latest versions of Adobe Reader do not support viewing PDF files within Firefox on Mac OS and if you are using a modern (Intel) Mac, there is no official plugin for viewing PDF files within the browser window.