-
FPSelect: Low-Cost Browser Fingerprints for Mitigating Dictionary Attacks against Web Authentication Mechanisms
Authors:
Nampoina Andriamilanto,
Tristan Allard,
Gaëtan Le Guelvouit
Abstract:
Browser fingerprinting consists in collecting attributes from a web browser. Hundreds of attributes have been discovered through the years. Each one of them provides a way to distinguish browsers, but also comes with a usability cost (e.g., additional collection time). In this work, we propose FPSelect, an attribute selection framework allowing verifiers to tune their browser fingerprinting probes for web authentication. We formalize the problem as searching for the attribute set that satisfies a security requirement and minimizes the usability cost. The security is measured as the proportion of impersonated users given a fingerprinting probe, a user population, and an attacker that knows the exact fingerprint distribution among the user population. The usability is quantified by the collection time of browser fingerprints, their size, and their instability. We compare our framework with common baselines, based on a real-life fingerprint dataset, and find out that in our experimental settings, our framework selects attribute sets of lower usability cost. Compared to the baselines, the attribute sets found by FPSelect generate fingerprints that are up to 97 times smaller, are collected up to 3,361 times faster, and with up to 7.2 times fewer changing attributes between two observations, on average.
Submitted 13 October, 2020;
originally announced October 2020.
-
A Large-scale Empirical Analysis of Browser Fingerprints Properties for Web Authentication
Authors:
Nampoina Andriamilanto,
Tristan Allard,
Gaëtan Le Guelvouit,
Alexandre Garel
Abstract:
Modern browsers give access to several attributes that can be collected to form a browser fingerprint. Although browser fingerprints have primarily been studied as a web tracking tool, they can contribute to improving the current state of web security by augmenting web authentication mechanisms. In this paper, we investigate the adequacy of browser fingerprints for web authentication. We make the link between the digital fingerprints that distinguish browsers, and the biological fingerprints that distinguish humans, to evaluate browser fingerprints according to properties inspired by biometric authentication factors. These properties include their distinctiveness, their stability through time, their collection time, their size, and the accuracy of a simple verification mechanism. We assess these properties on a large-scale dataset of 4,145,408 fingerprints composed of 216 attributes, and collected from 1,989,365 browsers. We show that, by time-partitioning our dataset, more than 81.3% of our fingerprints are shared by a single browser. Although browser fingerprints are known to evolve, an average of 91% of the attributes of our fingerprints stay identical between two observations, even when separated by nearly 6 months. About their performance, we show that our fingerprints weigh a dozen kilobytes, and take a few seconds to collect. Finally, by processing a simple verification mechanism, we show that it achieves an equal error rate of 0.61%. We enrich our results with the analysis of the correlation between the attributes, and of their contribution to the evaluated properties. We conclude that our browser fingerprints carry the promise to strengthen web authentication mechanisms.
Submitted 3 October, 2021; v1 submitted 16 June, 2020;
originally announced June 2020.
-
"Guess Who ?" Large-Scale Data-Centric Study of the Adequacy of Browser Fingerprints for Web Authentication
Authors:
Nampoina Andriamilanto,
Tristan Allard,
Gaëtan Le Guelvouit
Abstract:
Browser fingerprinting consists in collecting attributes from a web browser to build a browser fingerprint. In this work, we assess the adequacy of browser fingerprints as an authentication factor, on a dataset of 4,145,408 fingerprints composed of 216 attributes. It was collected throughout 6 months from a population of general browsers. We identify, formalize, and assess the properties for browser fingerprints to be usable and practical as an authentication factor. We notably evaluate their distinctiveness, their stability through time, their collection time, and their size in memory. We show that considering a large surface of 216 fingerprinting attributes leads to a unicity rate of 81% on a population of 1,989,365 browsers. Moreover, browser fingerprints are known to evolve, but we observe that between consecutive fingerprints, more than 90% of the attributes remain unchanged after nearly 6 months. Fingerprints are also affordable. On average, they weigh a dozen kilobytes, and are collected in a few seconds. We conclude that browser fingerprints are a promising additional web authentication factor.
Submitted 22 June, 2021; v1 submitted 19 May, 2020;
originally announced May 2020.
-
Enhanced blind decoding of Tardos codes with new map-based functions
Authors:
Mathieu Desoubeaux,
Cédric Herzet,
William Puech,
Gaëtan Le Guelvouit
Abstract:
This paper presents a new decoder for probabilistic binary traitor tracing codes under the marking assumption. It is based on a binary hypothesis testing rule which integrates a collusion channel relaxation so as to obtain numerical and simple accusation functions. This decoder is blind as no estimation of the collusion channel prior to the accusation is required. Experiments show that using the proposed decoder gives better performance than the well-known symmetric version of the Tardos decoder for common attack channels.
Submitted 30 May, 2013;
originally announced May 2013.
-
Information-theoretic resolution of perceptual WSS watermarking of non i.i.d. Gaussian signals
Authors:
Stéphane Pateux,
Gaëtan Le Guelvouit,
Christine Guillemot
Abstract:
The theoretical foundations of data hiding have been revealed by formulating the problem as message communication over a noisy channel. We revisit the problem in light of a more general characterization of the watermark channel and of weighted distortion measures. Considering spread spectrum based information hiding, we release the usual assumption of an i.i.d. cover signal. The game-theoretic resolution of the problem reveals a generalized characterization of optimum attacks. The paper then derives closed-form expressions for the different parameters exhibiting a practical embedding and extraction technique.
Submitted 28 November, 2008;
originally announced November 2008.
-
Trellis-coded quantization for public-key steganography
Authors:
Gaëtan Le Guelvouit
Abstract:
This paper deals with public-key steganography in the presence of a passive warden. The aim is to hide secret messages within cover-documents without making the warden suspicious, and without any preliminary secret key sharing. Whereas a practical attempt has already been made to provide a solution to this problem, it suffers from poor flexibility (since embedding and decoding steps highly depend on cover-signals statistics) and from little capacity compared to recent data hiding techniques. Using the same framework, this paper explores the use of trellis-coded quantization techniques (TCQ and turbo TCQ) to design a more efficient public-key scheme. Experiments on audio signals show great improvements considering Cachin's security criterion.
Submitted 28 November, 2008;
originally announced November 2008.
-
Informed stego-systems in active warden context: statistical undetectability and capacity
Authors:
Sofiane Braci,
Claude Delpha,
Rémy Boyer,
Gaëtan Le Guelvouit
Abstract:
Several authors have studied stego-systems based on Costa scheme, but just a few ones gave both theoretical and experimental justifications of these schemes' performance in an active warden context. We provide in this paper a steganographic and comparative study of three informed stego-systems in active warden context: scalar Costa scheme, trellis-coded quantization and spread transform scalar Costa scheme. By leading on analytical formulations and on experimental evaluations, we show the advantages and limits of each scheme in terms of statistical undetectability and capacity in the case of active warden. Such as the undetectability is given by the distance between the stego-signal and the cover distance. It is measured by the Kullback-Leibler distance.
Submitted 28 November, 2008;
originally announced November 2008.
-
The Good, the Bad, and the Ugly: three different approaches to break their watermarking system
Authors:
Gaëtan Le Guelvouit,
Teddy Furon,
François Cayre
Abstract:
The Good is Blondie, a wandering gunman with a strong personal sense of honor. The Bad is Angel Eyes, a sadistic hitman who always hits his mark. The Ugly is Tuco, a Mexican bandit who's always only looking out for himself. Against the backdrop of the BOWS contest, they search for a watermark in gold buried in three images. Each knows only a portion of the gold's exact location, so for the moment they're dependent on each other. However, none are particularly inclined to share...
Submitted 28 November, 2008;
originally announced November 2008.
-
Wide spread spectrum watermarking with side information and interference cancellation
Authors:
Gaëtan Le Guelvouit,
Stéphane Pateux
Abstract:
Nowadays, a popular method used for additive watermarking is wide spread spectrum. It consists in adding a spread signal into the host document. This signal is obtained by the sum of a set of carrier vectors, which are modulated by the bits to be embedded. To extract these embedded bits, weighted correlations between the watermarked document and the carriers are computed. Unfortunately, even without any attack, the obtained set of bits can be corrupted due to the interference with the host signal (host interference) and also due to the interference with the other carriers (inter-symbols interference (ISI) due to the non-orthogonality of the carriers). Some recent watermarking algorithms deal with host interference using side informed methods, but inter-symbols interference problem is still open. In this paper, we deal with interference cancellation methods, and we propose to consider ISI as side information and to integrate it into the host signal. This leads to a great improvement of extraction performance in terms of signal-to-noise ratio and/or watermark robustness.
Submitted 28 November, 2008;
originally announced November 2008.