CS grad student presents his research in France

Submitted by KierstenKariya on Tue, 11/06/2007 - 10:10am.

BYU Computer Science grad student Tim van der Horst presented his latest research in the field of computer security at an international conference in Nice, France.

A doctoral student in computer science, van der Horst presented at SecureComm 2007, the Third International Conference on Security and Privacy in Communication Networks. Only one-fourth of the papers submitted this year were accepted for presentation.

Van der Horst (seated to the left in the attached photo), who has conducted his research under Dr. Kent Seamons (third from left) of the Computer Science Department at BYU, presented a new method for Web authentication, known as SAW, which he developed to address the problem of users having too many passwords. As the Internet becomes more of a presence in the lives of people across the globe, passwords become an ever increasing burden on the average person. A typical Internet user may be registered on ten, twenty, even thirty or forty websites, each requiring a username and password. Reusing a password across multiple websites is risky, because a breach at any one of them exposes all the others, but managing dozens of distinct passwords is impractical and results in frequently forgotten passwords.

Instead of dealing with the underlying problem, passwords themselves, most websites simply try to alleviate the symptoms by emailing users new passwords or reset links when the originals are lost or forgotten. This method, known as automated email-based password reestablishment, or EBPR, does provide a way of recovering lost and forgotten passwords, but ignores the larger problem at hand. EBPR requires users to open a new window in their browser, log in to their email account, browse through their inbox, retrieve the email, and follow the link before beginning the process of logging in to the original website all over again. It is a tedious, time-consuming process. Furthermore, EBPR leaves the user open to passive attacks: anyone who can read the email in transit or on the user's network obtains everything needed to take over the account, since the emailed secret alone is sufficient to log in.

Seamons and Van der Horst propose a different solution to the problem with Simple Authentication for the Web, also known as SAW. The goal of SAW is to create simpler ways to build trust, thus removing the need for multiple passwords in the first place. SAW removes the setup and management costs of passwords at sites that already accept the risks of EBPR, provides a simple login process without a specialized identity provider, and at the same time thwarts passive attacks, providing a simpler, faster, and safer alternative to email-based password reestablishment.

With SAW, users log in to sites on which they are registered by entering only their email addresses. The site creates a fresh, randomly generated authentication token and splits it into two parts: one half is returned to the user's browser in the form of a cookie, and the other half is sent encrypted in a time-sensitive email to the address provided. Splitting the token into two parts removes the weakness inherent in EBPR: an attacker who can only read the user's email sees just one half and cannot log in without the half that went to the user's browser over a separate channel. On its own, however, this still preserves the tedium of having to log in to an email account to retrieve the other portion.

Fortunately, the lab has created a toolbar application that removes the manual email retrieval step. This simple plug-in does the work for the user, checking the user's email, retrieving the emailed half, and submitting it back to the website, where it is combined with the browser's half and checked against the original token before the user is granted access. All of this happens automatically and nearly instantaneously. In addition to email, the toolbar application works with a variety of personal messaging mediums, including text messaging and instant messaging.
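The following is an added illustration of the split-token exchange described above, not code from the BYU lab or from the SAW paper. It simulates the website, the "email" channel and the user's browser in one process; the XOR split of the token, the five-minute expiry, the cookie identifier and the example address are all assumptions made here, and the real system's wire formats and encryption of the email are not reproduced. What it does show is why the split matters: a passive attacker who holds only the emailed half, or a client that presents the halves after the token has expired, is refused, while the legitimate browser that holds both halves is admitted.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed parameters for this illustration (not from the SAW paper).
TOKEN_LEN = 32          # bytes of randomness in each login token
TOKEN_TTL = 300         # seconds the emailed half stays valid


@dataclass
class PendingLogin:
    email: str
    full_token: bytes
    expires_at: float


@dataclass
class Website:
    """The relying party. It keeps the whole token for each pending login and
    later checks the value the browser recombines from its two halves."""
    pending: dict = field(default_factory=dict)   # cookie_id -> PendingLogin
    outbox: list = field(default_factory=list)    # constructed stand-in for SMTP

    def begin_login(self, email, now=None):
        now = time.time() if now is None else now
        token = secrets.token_bytes(TOKEN_LEN)
        # Split the token: the browser half is random, the email half is
        # token XOR browser half, so neither half alone reveals the token.
        browser_half = secrets.token_bytes(TOKEN_LEN)
        email_half = bytes(a ^ b for a, b in zip(token, browser_half))
        cookie_id = secrets.token_hex(16)
        self.pending[cookie_id] = PendingLogin(email, token, now + TOKEN_TTL)
        self.outbox.append((email, cookie_id, email_half))   # the "email"
        return cookie_id, browser_half                         # the "cookie"

    def complete_login(self, cookie_id, browser_half, email_half, now=None):
        """Returns the authenticated email address, or None on failure."""
        now = time.time() if now is None else now
        entry = self.pending.get(cookie_id)
        if entry is None or now > entry.expires_at:
            self.pending.pop(cookie_id, None)       # expired: discard
            return None
        presented = bytes(a ^ b for a, b in zip(browser_half, email_half))
        # Constant-time comparison so a guessing attacker learns nothing
        # from response timing.
        if not hmac.compare_digest(presented, entry.full_token):
            return None
        del self.pending[cookie_id]                 # single use
        return entry.email


def run_exchange(eavesdropper_only=False, late=False):
    """Simulate one login. Returns the address the site authenticated, or None.

    eavesdropper_only: the party completing the login read the email but
                       never received the browser's cookie half.
    late:              the halves are presented after the token expired.
    """
    site = Website()
    now = 1_000_000.0                                # fixed clock for the demo
    cookie_id, browser_half = site.begin_login("alice@example.com", now=now)
    _, mailed_cookie_id, email_half = site.outbox.pop()   # "delivered" email
    if eavesdropper_only:
        # The attacker has the email but must guess the 256-bit browser half;
        # all zeros stands in for any wrong guess.
        return site.complete_login(mailed_cookie_id, bytes(TOKEN_LEN),
                                   email_half, now=now + 1)
    delay = TOKEN_TTL + 1 if late else 1
    return site.complete_login(cookie_id, browser_half, email_half,
                               now=now + delay)


if __name__ == "__main__":
    print("legitimate browser:", run_exchange())
    print("eavesdropper with only the email:", run_exchange(eavesdropper_only=True))
    print("halves presented after expiry:", run_exchange(late=True))
```

A real deployment would also rate-limit attempts per cookie identifier and bind the cookie to the browser session, neither of which this sketch attempts.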

The technology behind SAW is particularly good for sharing and collaborating with other people. For example, to extend access to a personal online photo album, a user no longer has to receive and grant requests for access. He or she simply specifies the email addresses of the people allowed to view the photos, and anyone who can prove control of one of those addresses through SAW is granted access immediately. Dr. Seamons is already using this technology in his classroom. He uploads the email addresses of his students into his class blog to give them immediate access to the information they need.

In addition to blogs and online photo albums, other uses of SAW include e-commerce sites, digital libraries, forums, conference program committee sites, private wikis, mailing lists, and personal websites.

SAW is not immune to active attacks, in which an adversary can modify or redirect messages rather than merely read them, and is therefore not recommended as the only login method on high-security sites, such as banks, which typically use multiple login methods to protect the sensitive information housed therein. However, SAW virtually eliminates the threat of passive attacks when used with the toolbar application, and it can be combined with other login methods on higher-risk sites.

Furthermore, by lowering the number of usernames and passwords that Internet users are required to keep, SAW decreases the likelihood that an individual will use the same username and password on an online bank account as on a family blog. Thus, it addresses the root of the problem and reduces security risk by reducing password reuse.

For the Deseret Morning News article on Van der Horst’s research, please see http://deseretnews.com/article/1,5143,695213311,00.html
