22-09-2012, 01:02 PM
A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems
1A Generic Framework.pdf (Size: 348.11 KB / Downloads: 31)
Abstract
As part of the security within distributed systems, various services and resources need protection from unauthorized use.
Remote authentication is the most commonly used method to determine the identity of a remote client. This paper investigates a
systematic approach for authenticating clients by three factors, namely password, smart card, and biometrics. A generic and secure
framework is proposed to upgrade two-factor authentication to three-factor authentication. The conversion not only significantly
improves the information assurance at low cost but also protects client privacy in distributed systems. In addition, our framework
retains several practice-friendly properties of the underlying two-factor authentication, which we believe is of independent interest.
INTRODUCTION
IN a distributed system, various resources are distributed
in the form of network services provided and managed
by servers. Remote authentication is the most commonly
used method to determine the identity of a remote client. In
general, there are three authentication factors:
1. Something the client knows: password.
2. Something the client has: smart card.
3. Something the client is: biometric characteristics
(e.g., fingerprint, voiceprint, and iris scan).
Most early authentication mechanisms are solely based
on password. While such protocols are relatively easy to
implement, passwords (and human generated passwords in
particular) have many vulnerabilities. As an example,
human generated and memorable passwords are usually
short strings of characters and (sometimes) poorly selected.
By exploiting these vulnerabilities, simple dictionary
attacks can crack passwords in a short time [1]. Due to
these concerns, hardware authentication tokens are introduced
to strengthen the security in user authentication
Motivation
The motivation of this paper is to investigate a systematic
approach for the design of secure three-factor authentication
with the protection of user privacy.
Three-factor authentication is introduced to incorporate
the advantages of the authentication based on password,
smart card, and biometrics. A well designed three-factor
authentication protocol can greatly improve the information
assurance in distributed systems. However, the previous
research on three-factor authentication is confusing and far
from satisfactory.
Privacy Issues
Along with the improved security features, three-factor
authentication also raises another subtle issue, namely how
to protect the biometric data. Not only is this the privacy
information of the owner, it is also closely related to the
security in the authentication. As biometrics cannot be
easily changed, the breached biometric information (either
on the server side or the client side) will make the
biometric authentication totally meaningless. However,
this issue has received less attention than it deserves from
protocol designers.
We believe it is worthwhile, both in theory and in
practice, to investigate a generic framework for three-factor
authentication, which can preserve the security and the
privacy in distributed systems.
Contributions
The main contribution of this paper is a generic framework
for three-factor authentication in distributed systems. The
proposed framework has several merits as follows:
First, we demonstrate how to incorporate biometrics in
the existing authentication based on smart card and
password. Our framework is generic rather than instantiated
in the sense that it does not have any additional
requirements on the underlying smart-card-based password
authentication. Not only will this simplify the design
and analysis of three-factor authentication protocols, but
also it will contribute a secure and generic upgrade from
two-factor authentication to three-factor authentication
possessing the practice-friendly properties of the underlying
two-factor authentication system.
Error Tolerance and Nontrusted Devices
One challenge in biometric authentication is that biometric
characteristics are prone to various noise during data
collecting, and this natural feature makes it impossible to
reproduce precisely each time biometric characteristics are
measured. A practical biometric authentication protocol
cannot simply compare the hash or the encryption of
biometric templates (which requires an exact match).
Instead, biometric authentication must tolerate failures
within a reasonable bound. Another issue in biometric
authentication is that the verification of biometrics should
be performed by the server instead of other devices, since
such devices are usually remotely located from the server
and cannot be fully trusted. The above two subtle issues
seem to be neglected in a recent three-factor authentication
protocol proposed by Li and Hwang [18]. The detailed
analysis of their protocol is given in the supplementary file
(Section 1).
Comparison with Previous Protocols
The purpose of this paper is to investigate a systematic
approach for the design of secure three-factor authentication.
Thus, like almost all generic constructions, our
framework does not have advantages from the computational
point of view. Nevertheless, it is still affordable for
smart-card applications, due to the efficient designs of
SCPAP and fuzzy extractor: There are a number of efficient
SCPAPs in the literature, and fuzzy extractors can be
constructed from error-correcting code and standard pairwise-
independent hashing [21], both of which require only
lightweight operations. In addition, the proposed framework
enjoys several desirable properties of SCPAP. This
saves the time and effort on the design of three-factor
authentication with those properties, and more importantly
avoids the confusing “broken and improved” process in the
existing research on three-factor authentication.
CONCLUSION
Preserving security and privacy is a challenging issue in
distributed systems. This paper makes a step forward in
solving this issue by proposing a generic framework for
three-factor authentication to protect services and resources
from unauthorized use. The authentication is based on
password, smart card, and biometrics. Our framework not
only demonstrates how to obtain secure three-factor
authentication from two-factor authentication, but also
addresses several prominent issues of biometric authentication
in distributed systems (e.g., client privacy and error
tolerance). The analysis shows that the framework satisfies
all security requirements on three-factor authentication and
has several other practice-friendly properties (e.g., key
agreement, forward security, and mutual authentication).
The future work is to fully identify the practical threats on
three-factor authentication and develop concrete threefactor
authentication protocols with better performances.