16-08-2012, 04:53 PM
A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems
INTRODUCTION
In a distributed system, various resources are distributed
in the form of network services provided and managed
by servers. Remote authentication is the most commonly
used method to determine the identity of a remote client. In
general, there are three authentication factors:
1. Something the client knows: password.
2. Something the client has: smart card.
3. Something the client is: biometric characteristics
(e.g., fingerprint, voiceprint, and iris scan).
Most early authentication mechanisms are based solely
on passwords. While such protocols are relatively easy to
implement, passwords (and human-generated passwords in
particular) have many weaknesses. For example,
human-generated, memorable passwords are usually
short strings of characters and are sometimes poorly chosen.
By exploiting these weaknesses, simple dictionary
attacks can crack passwords in a short time [1].
Motivation
The motivation of this paper is to investigate a systematic
approach for the design of secure three-factor authentication
with the protection of user privacy.
Three-factor authentication is introduced to incorporate
the advantages of the authentication based on password,
smart card, and biometrics. A well designed three-factor
authentication protocol can greatly improve the information
assurance in distributed systems.
Related Work
Several authentication protocols have been proposed to
integrate biometric authentication with password authentication
and/or smart-card authentication. Lee et al. [5]
designed an authentication system that does not need a
password table to authenticate registered users; instead,
a smart card and a fingerprint are required for authentication.
However, according to the analysis given in [6], Lee et al.'s
scheme is insecure under a conspiring attack.
Lin and Lai [7] showed that Lee et al.'s scheme is
vulnerable to a masquerade attack, namely that a legitimate user
(i.e., a user who has registered on the system) is able to
log in successfully on behalf of other users. An
improved authentication protocol was given by Lin and Lai
to fix that flaw. The new protocol, however, has several
other security vulnerabilities.
Contributions
The main contribution of this paper is a generic framework
for three-factor authentication in distributed systems. The
proposed framework has several merits as follows:
First, we demonstrate how to incorporate biometrics into
existing authentication based on smart card and
password. Our framework is generic rather than instantiated
in the sense that it does not impose any additional
requirements on the underlying smart-card-based password
authentication. Not only does this simplify the design
and analysis of three-factor authentication protocols, but
it also provides a secure and generic upgrade from
two-factor authentication to three-factor authentication
that retains the practice-friendly properties of the underlying
two-factor authentication system.
Privacy Issues
A trivial way to include biometric authentication in smart-card-based
password authentication is to scan the biometric
characteristics and store the extracted biometric data as a
template on the server. During authentication, a comparison
is made between the stored data and the input biometric
data; if there is sufficient commonality, the biometric
authentication is said to be successful. This method, however,
raises several security risks, especially in a multiserver
environment where user privacy is a concern (e.g., in a
distributed system). First, servers are not 100 percent secure.
Servers with weak security protections can be broken into by
attackers, who will then obtain the biometric data stored on those servers.
Second, servers are not 100 percent trusted.
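To make the risk of the "trivial" template-store approach concrete, here is an added example (constructed for this post, not code from the paper). It models biometric features as 64-bit vectors, accepts a fresh reading when its Hamming distance to the stored template is within a threshold (the "sufficient commonality" check, which is what gives error tolerance), and then shows what a server compromise buys an attacker in a multiserver setting: the raw template dumped from one weakly protected server is replayed successfully against a second server where the same user enrolled the same finger. The vector length, threshold and bit-error counts are assumptions chosen for illustration.

```python
"""Model of the 'trivial' server-side biometric template store.

Constructed example: a biometric feature vector is a 64-bit integer; two
readings of the same person differ by a few random bit errors (sensor
noise), so a server accepts a reading whose Hamming distance to the stored
template is at most MATCH_THRESHOLD. All parameters are assumptions.
"""
from dataclasses import dataclass, field
import random

TEMPLATE_BITS = 64      # assumed feature-vector length
MATCH_THRESHOLD = 8     # assumed maximum Hamming distance for a match


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two feature vectors."""
    return bin(a ^ b).count("1")


def noisy_reading(template: int, flips: int, rng: random.Random) -> int:
    """Simulate a fresh sensor reading: the true features with `flips` bit errors."""
    for pos in rng.sample(range(TEMPLATE_BITS), flips):
        template ^= 1 << pos
    return template


@dataclass
class TemplateServer:
    """A server that stores raw templates and matches by distance threshold."""
    name: str
    templates: dict = field(default_factory=dict)

    def enroll(self, user: str, template: int) -> None:
        # The raw biometric data itself is what gets stored.
        self.templates[user] = template

    def authenticate(self, user: str, reading: int) -> bool:
        stored = self.templates.get(user)
        if stored is None:
            return False
        return hamming(stored, reading) <= MATCH_THRESHOLD

    def dump(self) -> dict:
        """What an attacker obtains after breaking into this server."""
        return dict(self.templates)


def demo(seed: int = 1) -> dict:
    """Enroll one user at two servers, then replay a template leaked from one against the other."""
    rng = random.Random(seed)
    alice_true = rng.getrandbits(TEMPLATE_BITS)

    # Alice enrolls the same finger at two independent services (constructed data).
    bank = TemplateServer("bank")
    mail = TemplateServer("mail")
    bank.enroll("alice", noisy_reading(alice_true, 2, rng))
    mail.enroll("alice", noisy_reading(alice_true, 3, rng))

    # Normal use: a fresh, slightly noisy reading is accepted (error tolerance).
    genuine = noisy_reading(alice_true, 4, rng)
    # An unrelated person's features are far away in Hamming distance and rejected.
    stranger = rng.getrandbits(TEMPLATE_BITS)

    # Compromise of the weakly protected 'mail' server yields Alice's raw template...
    leaked = mail.dump()["alice"]
    # ...which is within threshold of the 'bank' template too, so it replays there.
    return {
        "genuine_at_bank": bank.authenticate("alice", genuine),
        "stranger_at_bank": bank.authenticate("alice", stranger),
        "leaked_replays_at_bank": bank.authenticate("alice", leaked),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the replay is that, unlike a password, the leaked template cannot be rotated: every server holding a raw template of the same biometric is exposed by the weakest one, which is why the paper treats server-side template storage as a privacy problem rather than only a single-server security problem.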
CONCLUSION
Preserving security and privacy is a challenging issue in
distributed systems. This paper takes a step forward in
solving this issue by proposing a generic framework for
three-factor authentication to protect services and resources
from unauthorized use. The authentication is based on
password, smart card, and biometrics. Our framework not
only demonstrates how to obtain secure three-factor
authentication from two-factor authentication, but also
addresses several prominent issues of biometric authentication
in distributed systems (e.g., client privacy and error
tolerance). The analysis shows that the framework satisfies
all security requirements on three-factor authentication and
has several other practice-friendly properties (e.g., key
agreement, forward security, and mutual authentication).
Future work is to fully identify the practical threats to
three-factor authentication and to develop concrete three-factor
authentication protocols with better performance.