O website necessita de alguns cookies e outros recursos semelhantes para funcionar. Caso o permita, o INESC TEC irá utilizar cookies para recolher dados sobre as suas visitas, contribuindo, assim, para estatísticas agregadas que permitem melhorar o nosso serviço. Ver mais
Aceitar Rejeitar
  • Menu
de interesse


  • Nome

    André Nuno Cirne
  • Cargo

    Assistente de Investigação
  • Desde

    15 novembro 2018


Rogue key and impersonation attacks on FIDO2: From theory to practice

Barbosa, M; Cirne, A; Esquível, L;

Proceedings of the 18th International Conference on Availability, Reliability and Security, ARES 2023, Benevento, Italy, 29 August 2023- 1 September 2023

FIDO2 is becoming a defacto standard for passwordless authentication. Using FIDO2 and WebAuthn, web applications can enable users to associate cryptographic credentials to their profiles, and then rely on an external authenticator (e.g., a hardware token plugged into the USB port) to perform strong signature-based authentication when accessing their accounts. The security of FIDO2 has been theoretically validated, but these analyses follow the threat model adopted in the FIDO2 design and explicitly exclude some attack vectors as being out of scope. In this paper we show that two of these attacks, which appear to be folklore in the community, are actually straightforward to launch in practice (user PIN extraction, impersonation and rogue key registration). We demonstrate a deployment over vanilla Linux distributions and commercial FIDO2 authenticators. We discuss the potential impact of our results, which we believe will contribute to the improvement of future versions of the protocol. © 2023 ACM.


IoT security certifications: Challenges and potential approaches

Cirne, A; Sousa, PR; Resende, JS; Antunes, L;


The Internet of Things (IoT) has changed how we interact with the world around us. Many devices are moving from offline to online mode, connecting between them and the Internet, offering more functionality to users. Despite the increase in the quality of life for users provided by IoT devices, it is also necessary to establish trust in the privacy and security of end-users. With this level of connectivity, the amount of data exchanged between devices also increases, inducing malicious activities. One of the main problems is the lack of regulation in the IoT industry, especially between different manufacturers. There are no formal security rules, and manufacturers may not choose to install security mechanisms. Therefore, it is necessary to promote the adoption of security measures. One way to do this is by using IoT devices and systems certification. In recent years, IoT certifications have emerged. Meanwhile, the European Union has passed the Cyber Security Act to unify and regulate security certifications in member states. Our work collects the requirements that different IoT environments and application scenarios impose on certifications and discusses the current certifications' status according to those requirements. In addition, we also explored how EU measures apply to IoT and, where applicable, how certifications implement them, highlighting future research challenges.


pTASC: Trustable Autonomous Secure Communications

Sousa, PR; Cirne, A; Resende, JS; Martins, R; Antunes, L;


The number of devices connected to the Internet has been increasing exponentially. There is a substantial amount of data being exchanged among numerous connected devices. The added convenience brought by these devices spans across multiple facets of everyday life, such as drivers reporting an accident through dash cams, patients monitoring their own health, and companies controlling the safety of their facilities. However, it is critical to increase safety and privacy across the data generated and propagated by these devices. Previous works have focused mainly on device management and relied on centralized solutions namely Public Key Infrastructure (PKI). This paper describes a novel mechanism that ensures secure autonomous communication between Internet of Things (IoT) devices, while using a completely decentralized solution that mitigates the classical single points-of-failure problem. This is accomplished by a new peer-to-peer protocol using Short Authentication Strings (SAS), in which verification is made through a Limited-Location Channel (LLC).