Our research
1–25 of 262
Dinei Florencio, Cormac Herley, and Paul C. van Oorschot

The research literature on passwords is rich but little of it directly aids those charged with securing web-facing services or setting policies. With a view to improving this situation we examine questions of implementation choices, policy and administration using a combination of literature survey and first-principles reasoning to identify what works, what does not work, and what remains unknown. Some of our results are surprising. We find that offline attacks, the justification for great demands of...

Publication details
Date: 1 November 2014
Type: Article
Publisher: USENIX – Advanced Computing Systems Association
Andrew Baumann, Marcus Peinado, and Galen Hunt

Today's cloud computing infrastructure requires substantial trust. Cloud users rely on both the provider's staff and its globally-distributed software/hardware platform not to expose any of their private data.

We introduce the notion of shielded execution, which protects the confidentiality and integrity of a program and its data from the platform on which it runs (i.e., the cloud operator's OS, VM and firmware). Our prototype, Haven, is the first system to achieve shielded execution of...

Publication details
Date: 1 October 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Blase Ur, Jaeyeon Jung, and Stuart Schechter

We investigated how household deployment of Internet-connected locks and security cameras could impact teenagers’ privacy. In interviews with 13 teenagers and 11 parents, we investigated reactions to audit logs of family members’ comings and goings. All parents wanted audit logs with photographs, whereas most teenagers preferred text-only logs or no logs at all. We unpack these attitudes by examining participants’ parenting philosophies, concerns, and current monitoring practices. In a follow-up online...

Publication details
Date: 15 September 2014
Type: Inproceeding
Publisher: Ubicomp
Jaeyeon Jung and Matthai Philipose

Small and always-on, wearable video cameras disrupt social norms that have been established for traditional hand-held video cameras, which explicitly signal when and which subjects are being recorded to people around the camera-holder. We first discuss privacy-related social cues that people employ when recording other people (as a camera-holder) or when being recorded by others (as a bystander or a subject). We then discuss how low-fidelity sensors such as far-infrared imagers can be used to capture...

Publication details
Date: 14 September 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Zheng Dong, Kevin Kane, and L. Jean Camp

A critical component of the solution to online masquerade attacks, in which criminals create false web pages to obtain financial information, is the hierarchy of public key certificates. Masquerade attacks include phishing, pharming, and man-in-the-middle attacks. Public key certificates ideally authenticate the website to the person, before the person authenticates to the website. Public key certificates are typically issued by certificate authorities (CAs).

Banks are the most common target...

Publication details
Date: 13 September 2014
Type: Inproceeding
Publisher: SSRN
Dan Liebling and Sören Preibusch

Multiple vendors now provide relatively inexpensive desktop eye and gaze tracking devices. With miniaturization and decreasing manufacturing costs, gaze trackers will follow the path of webcams, becoming ubiquitous and inviting many of the same privacy concerns. However, whereas the privacy loss from webcams may be obvious to the user, gaze tracking is more opaque and deserves special attention. In this paper, we review current research in gaze tracking and pupillometry and argue that gaze data should...

Publication details
Date: 13 September 2014
Type: Inproceeding
Publisher: ACM – Association for Computing Machinery
Christian Paquin

U-Prove tokens provide many security and privacy benefits over conventional credential technologies such as X.509 certificates. Like any long-lived credentials, there might be a need to revoke issued U-Prove tokens before they expire. Achieving this might seem counterintuitive: how can you revoke an identity when users are anonymous or pseudonymous? This paper explores various revocation mechanisms compatible with the U-Prove technology, to help system designers select the best one for...

Publication details
Date: 2 September 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-122
Cormac Herley

In a traditional threat model it is necessary and sufficient to protect against all attacks. While simple, and appropriate in high-assurance settings, we show that this model does not scale and is entirely inappropriate to the financially-motivated cyber-crime that targets two billion Internet users. The attackers who prey on Internet users are very constrained. They have finite gains, non-zero costs, and must make profit in expectation. Above all their techniques must scale. This means that they...

Publication details
Date: 1 September 2014
Type: Article
Christopher Smowton, Jacob R. Lorch, David Molnar, Stefan Saroiu, and Alec Wolman

This paper presents Zero-Effort Payments (ZEP), a seamless mobile computing system designed to accept payments with no effort on the customer’s part beyond a one-time opt-in. With ZEP, customers need not present cards nor operate smartphones to convey their identities. ZEP uses three complementary identification technologies: face recognition, proximate device detection, and human assistance. We demonstrate that the combination of these technologies enables ZEP to scale to the level needed by...

Publication details
Date: 1 September 2014
Type: Inproceeding
Saranga Komanduri, Rich Shay, Lorrie Cranor, Cormac Herley, and Stuart Schechter
Publication details
Date: 20 August 2014
Type: Inproceeding
Publisher: USENIX
Joseph Bonneau and Stuart Schechter

Challenging the conventional wisdom that users cannot remember cryptographically-strong secrets, we test the hypothesis that users can learn randomly-assigned 56-bit codes (encoded as either 6 words or 12 characters) through spaced repetition. We asked remote research participants to perform a distractor task that required logging into a website 90 times, over up to two weeks, with a password of their choosing. After they entered their chosen password correctly we displayed a short code (4 letters or 2...

Publication details
Date: 20 August 2014
Type: Inproceeding
Publisher: USENIX
Publication details
Date: 20 August 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-95
Joppe W. Bos, Craig Costello, Michael Naehrig, and Douglas Stebila

Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. We demonstrate the practicality of post-quantum key exchange by constructing ciphersuites for the Transport Layer Security (TLS) protocol that provide key exchange based on the ring learning with errors (R-LWE) problem; we accompany these ciphersuites with a rigorous proof of security. Our approach ties lattice-based key exchange together with traditional authentication using...

Publication details
Date: 5 August 2014
Type: Technical report
Number: MSR-TR-2014-107
Christian Paquin

The U-Prove Cryptographic Specification focuses on the core U-Prove capabilities; the specified features were selected to simplify implementation and integration into existing systems, while meeting the needs of a wide array of scenarios. By design, the specification provides extension points, making it possible to extend the core capabilities to meet additional needs.

This paper describes recently released features compatible with the U-Prove technology. The reader is assumed to be familiar with...

Publication details
Date: 5 August 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-105
Dinei Florencio, Cormac Herley, and Paul C. van Oorschot

We explore how to manage a portfolio of passwords. We review why mandating exclusively strong passwords with no re-use gives users an impossible task as portfolio size grows. We find that approaches justified by loss-minimization alone, and those that ignore important attack vectors (e.g., vectors exploiting re-use), are amenable to analysis but unrealistic. In contrast, we propose, model and analyze portfolio management under a realistic attack suite, with an objective function costing both loss and...

Publication details
Date: 1 August 2014
Type: Article
Ravi Bhoraskar, Seungyeop Han, Jinseong Jeon, Tanzirul Azim, Shuo Chen, Jaeyeon Jung, Suman Nath, Rui Wang, and David Wetherall

We present an app automation tool called Brahmastra for helping app stores and security researchers to test third-party components in mobile apps at runtime. The main challenge is that call sites that invoke third-party code may be deeply embedded in the app, beyond the reach of traditional GUI testing tools. Our approach uses static analysis to construct a page transition graph and discover execution paths to invoke third-party code. We then perform binary rewriting to “jump start” the third-party code...

Publication details
Date: 1 August 2014
Type: Inproceeding
Publisher: USENIX – Advanced Computing Systems Association
Arvind Arasu, Ken Eguro, Manas Joglekar, Raghav Kaushik, Donald Kossmann, and Ravi Ramamurthy

Cipherbase is a comprehensive database system that provides strong end-to-end data confidentiality through encryption. Cipherbase is based on a novel architecture that combines an industrial strength database engine (SQL Server) with lightweight processing over encrypted data that is performed in secure hardware. Cipherbase has the smallest trusted computing base (TCB) among comparable systems and provides significant benefits over the state-of-the-art in terms of security, performance, and...

Publication details
Date: 1 August 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-106
Yuri Gurevich, Efim Hudis, and Jeannette Wing

We say that an item of your personal information is private if you have it but nobody else does. It is inversely private if somebody has it but you do not. We analyze the provenance of inverse privacy and argue that technology and appropriate public policy can reduce inverse privacy to a minimum.

Publication details
Date: 1 July 2014
Type: Technical report
Number: MSR-TR-2014-100
Joppe Bos, Craig Costello, Patrick Longa, and Michael Naehrig

This document explains the details of the curve generation algorithms and provides the parameters for the NUMS (Nothing Up My Sleeve) curves. These curves are supported in the MSR Elliptic Curve Cryptography Library (MSR ECCLib).

Publication details
Date: 27 June 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-92
Xi He, Ashwin Machanavajjhala, and Bolin Ding

Privacy definitions provide ways for trading-off the privacy of individuals in a statistical database for the utility of downstream analysis of the data. In this paper, we present Blowfish, a class of privacy definitions inspired by the Pufferfish framework, that provides a rich interface for this trade-off. In particular, we allow data publishers to extend differential privacy using a policy, which specifies (a) secrets, or information that must be kept secret, and (b)...

Publication details
Date: 1 June 2014
Type: Proceedings
Publisher: ACM – Association for Computing Machinery
Bin B. Zhu, Jeff Yan, Guanbo Bao, Maowei Yang, and Ning Xu

Many security primitives are based on hard mathematical problems. Using hard AI problems for security is emerging as an exciting new paradigm, but has been under-explored. In this paper, we present a new security primitive based on hard AI problems, namely, a novel family of graphical password systems built on top of Captcha technology, which we call Captcha as gRaphical Passwords (CaRP). CaRP is both a Captcha and a graphical password scheme. CaRP addresses a number of security problems altogether,...

Publication details
Date: 1 June 2014
Type: Article
Publisher: IEEE – Institute of Electrical and Electronics Engineers
Number: 6
Mira Belenkiy

This document extends the U-Prove Cryptographic Specification by specifying bit decomposition proofs, useful for other extension protocols.

Publication details
Date: 1 June 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-83
Mira Belenkiy

This document extends the U-Prove Cryptographic Specification by specifying set membership proofs. This allows proving that a committed value is less than, less than or equal to, greater than, or greater than or equal to another (committed) value.

Publication details
Date: 1 June 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-88
Mira Belenkiy

This document extends the U-Prove Cryptographic Specification by specifying equality of discrete logarithm representation proofs. This allows proving equality between U-Prove attribute values.

Publication details
Date: 1 June 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-87
Mira Belenkiy

This document extends the U-Prove Cryptographic Specification by specifying set membership proofs. This allows proving that a U-Prove attribute value is within a set of values without disclosing which one.

Publication details
Date: 1 June 2014
Type: Technical report
Publisher: Microsoft Research
Number: MSR-TR-2014-89