09-11-2016, 12:26 PM
1.0 INTRODUCTION
The combination of cloud computing and mobile computing gives rise to mobile cloud computing, which also presents new security threats, such as unauthorized access to the resources held in the mobile cloud. Protecting mobile cloud computing from illegitimate access has become an important concern for mobile users.
Definition of Cloud computing
Cloud Computing is a kind of on-demand computing method that lets users consume IT resources such as network, server, storage, service, application, and so on via the Internet when they need them, rather than owning them. Cloud Computing can be considered as the sum of SaaS (Software as a Service) and utility computing; Figure 1.1 shows the roles of users and providers in Cloud Computing under this concept.
Mobile cloud computing
Mobile cloud computing is a modern marvel in the interdisciplinary field of wireless networks, cloud systems and storage. It connects the cloud with a multitude of mobile devices to provide flexible, efficient, reliable, and secure services worldwide.
The ability to access data and applications from anywhere at any time, at low cost, is the most important benefit of mobile cloud computing. The primary security issue in mobile cloud computing is protecting remote data and applications from illegitimate access. While authorized users can access the data, the cloud provider can also do so. There is also the possibility of unauthorized access, which is access by third parties such as hackers. Therefore, security in mobile cloud computing has become one of the top areas for research. Traditionally, cloud computing users can avoid the security risk by simply encrypting the data before it is sent to and stored in the cloud. However, this is not the case for mobile users, because encryption technology is not well suited to mobile devices: the encryption process requires a high workload and heavy CPU processing.
In this report, new technologies are proposed and implemented to authenticate users in mobile cloud computing. Improving the mechanism that protects access to the mobile cloud improves security overall, and at a minimum protects the mobile cloud from unauthorized access. This section starts with an introduction to mobile cloud computing and describes the concept. The rest of the report is organized as follows: section 2 reviews authentication levels in the mobile cloud; section 3 presents existing authentication services; sections 4, 5, 6, 7 and 8 present the proposed authentication technologies; and section 9 gives the conclusion.
2.0 AUTHENTICATION LEVELS
In the cloud computing environment, users authenticate to the cloud services through a web-based user interface, either a web browser or a mobile application, or through a web service application programming interface (API). Authentication to the cloud is necessary so that only authorized users gain access to the cloud services. At present, authentication is done by different methods, such as a simple text password.
Several strong user authentication schemes have been proposed by researchers to improve mobile cloud security. Omri et al. introduced an application that uses handwriting recognition as an authentication system to secure access in the mobile cloud. In this approach, the user is identified by a password and a unique handwriting style. The application, which used the mobile phone as a biometric-capture device, also used Hadoop (Apache Hadoop is open-source software that provides applications with both reliability and data motion) to establish the connection between the mobile user and the cloud via the Internet. It has been implemented in two ways.
The main difference is the implementation mode: one as a web page and the other as a mobile application. Another proposal suggested using a quick response code (QR code) for a user authentication system in the mobile cloud. In this system, the user ID, password, and the user's image are converted into a QR code. In the multilevel authentication system proposed by other researchers, the password is generated and authenticated at multiple levels to access the cloud services. Access to the cloud is allowed only if authentication succeeds at every level.
• The first level of authentication is the organization level. This level reads the organization password; if authentication fails, the process terminates. If it succeeds, the second-level authentication begins.
• The second level of authentication is the team level. This level reads the team password; once authentication is done, the user-level authentication begins.
• The last level is the user level. This level reads the user password to grant the user's privileges and permissions.
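The three-level chain described above, written out as an added example (this is not code from the report or from the cited multilevel scheme). It assumes each level has its own stored secret, keeps those secrets as salted PBKDF2 hashes rather than plaintext, compares in constant time, and stops at the first level that fails, as the text specifies. The sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Order in which the levels are checked; a failure at any level terminates the attempt.
LEVELS = ("organization", "team", "user")


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256 (100k iterations): a slow hash so a leaked store resists guessing.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_record(password):
    # Stored form of one level's secret: random salt plus the derived hash, never the password.
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash(password, salt)}


def check_level(record, supplied):
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(_hash(supplied, record["salt"]), record["hash"])


def authenticate(store, supplied):
    """Walk the levels in order and stop at the first failure.

    store:    level name -> record from make_record()
    supplied: level name -> password typed by the user
    Returns (granted, failed_level); failed_level is None on success.
    The failed level is for the server's own log; a remote client should
    only be told that authentication failed, not at which level.
    """
    for level in LEVELS:
        if level not in supplied or not check_level(store[level], supplied[level]):
            return False, level
    return True, None


def build_demo_store():
    # Constructed sample secrets for the three levels (assumption of this example).
    return {
        "organization": make_record("org-pass"),
        "team": make_record("team-pass"),
        "user": make_record("user-pass"),
    }


if __name__ == "__main__":
    store = build_demo_store()
    print(authenticate(store, {"organization": "org-pass", "team": "team-pass", "user": "user-pass"}))
    print(authenticate(store, {"organization": "org-pass", "team": "wrong", "user": "user-pass"}))
```

Because the user password is only consulted after the organization and team passwords succeed, a guess against the user level costs the attacker a correct organization and team password first; the salted slow hash is what makes the stored records themselves worth little if the database leaks.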
A strong user authentication system was proposed for cloud computing; this system verifies user authenticity via password, smart card, and out-of-band authentication. In 2011, Chen et al. proposed an extension of the scheme of Yang and Chang. Chen adds a password-protection-based mechanism with a dynamic ID to provide authentication and ensure user legality. As seen in this section, there are only a few proposed systems in the literature for the mobile cloud, while for the regular cloud there are many proposed schemes that improve security; in the mobile cloud, however, they are hard for users because of their lack of usability. A balance between security and usability must be found, just as when trying to apply an authentication system from a traditional client-server setting to cloud computing. It can be applied, but it carries a high risk because the infrastructure in the cloud is shared among users and managed by the cloud providers.
2.1 Cloud computing providers
Cloud providers are divided into three parts, depending on the type of the service provided:
1. Software as a Service (SaaS)—the users can access an application remotely via the Internet.
2. Platform as a Service (PaaS)—users can create an application to meet their needs and then deploy it on the cloud.
3. Infrastructure as a Service (IaaS)—users can rent servers, networking components, hardware, and storage.
Indeed, when reviewing most cloud providers, perhaps all of them have the same authentication system based on a user ID or email and a password, whether or not the service provided is critical.
2.2 Third party
Some companies offer authentication systems as a service for accessing the cloud. Any service provided by a company other than the cloud provider is called a third-party service. Recently, many mobile device fingerprint hardware solutions have been provided by companies such as Grabba, S.I.C. Biometrics, and Fulcrum Biometrics. Other companies provide software with a strong authentication system using input either from external hardware or from the software itself. Also, many companies provide solutions such as web services and software development kits (SDKs) for developers to create and integrate an authentication system that helps end users. In this research, however, we focus on products delivered to end users as ready-to-use products. The lack of existing mobile user authentication systems is the main motivation to strengthen the authentication system and thereby improve mobile cloud security.
3.0 EXISTING AUTHENTICATION SERVICES
In this section we present existing solutions that are used as authentication services. They require a trusted arbiter to identify and authenticate the users. Most of them use a ticket-based approach: the ticket is delegated to the user and is accepted by the entity requesting authentication.
3.1 Kerberos
Kerberos is a Trusted Third Party (TTP) authentication protocol. The protocol requires parties to exchange five messages and an optional completion response. Kerberos provides an authentication service that acts as a trusted arbitrator. In practice, service security depends on the client-side implementation. To exchange encrypted messages between parties, Kerberos uses DES, a symmetric cipher. The authentication mechanism is based on the Needham-Schroeder TTP protocol with some enhancements, such as timestamps, a ticket-granting service, and a different approach to cross-domain authentication.
The basic idea of Kerberos is depicted in Figure 3.1. One flaw of Kerberos is that a replay attack is still feasible. The timestamps that should fix this problem can be reused within the lifetime of the ticket. Ticket lifetimes can vary between 5 minutes and 8 hours, which is enough for replay or forced-delay attacks. Another problem is that the protocol assumes that all clocks in the network are approximately synchronized. If an attacker has the ability to influence the time on other hosts, then the replay attack can be strengthened. Most network time protocols do not consider security to be a major issue, and this can be a serious weakness. Kerberos is also prone to dictionary password-guessing attacks, since users' passwords are often chosen from a small password space.
Hence, an attacker who can record a complete authentication session can attempt to decrypt it with a high probability of success. It has also been noted that the protocol is prone to an interleaving attack. More recent research demonstrated how to perform an efficient chosen-plaintext attack. The protocol depends on the availability of the Authentication Service (AS); therefore, there is a single point of failure that can paralyze the whole network.
3.2 OpenID
The OpenID authentication protocol was designed in 2005. The main objective of OpenID was to provide a Single Sign-On feature for web pages. It provides decentralized user authentication that supports using the same login credentials at multiple websites. An illustration of how the protocol works is shown in Figure 3.2. The future of the protocol and its applicability to e-commerce is, however, unsure due to its phishing vulnerabilities.
3.3 OAuth
The OAuth protocol aims at secure authorization on the web. Similarly to OpenID, OAuth provides Single Sign-On functionality. Its aim is to delegate authorization from web pages to a central authority. The central authority generates tokens for users; these tokens can then be used at web pages as required. The protocol uses nonce values, timestamps and signatures to increase security and to prevent several common attack strategies. The protocol resembles Kerberos in several aspects and thus has comparable advantages and drawbacks.
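The Kerberos discussion in section 3.1 notes that a timestamp alone does not stop a replay within the ticket lifetime, and the OAuth paragraph above lists the three ingredients (signature, timestamp, nonce) that together close that gap. The following added example is a small verifier that applies all three; it is not code from Kerberos, OAuth, or the report. It assumes a shared HMAC-SHA256 key, a 5-minute acceptance window for timestamps, and a per-client nonce cache kept for that same window; the message layout and key are constructed for the demonstration.

```python
import hashlib
import hmac
import time

# Assumed acceptance window for a message's timestamp (seconds). The nonce cache must
# remember nonces for at least this long, because within the window the timestamp check
# alone would accept a second copy of the same message.
CLOCK_SKEW = 300


class ReplayGuard:
    """Verifies a signed request carrying a timestamp and a nonce.

    The signature proves the request was made by a key holder and was not altered;
    the timestamp bounds how old a request may be; the nonce cache rejects a second
    delivery of the same request inside that bound.
    """

    def __init__(self, key, now=time.time):
        self.key = key
        self.now = now          # injectable clock, so the window can be tested
        self.seen = {}          # (client, nonce) -> time it was accepted

    def sign(self, client, timestamp, nonce, body):
        # Canonical message layout assumed by this example: fields joined with '|'.
        msg = "|".join([client, str(timestamp), nonce, body]).encode("utf-8")
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def verify(self, client, timestamp, nonce, body, signature):
        # 1. Signature first: an unsigned or altered request is rejected before any state changes.
        expected = self.sign(client, timestamp, nonce, body)
        if not hmac.compare_digest(expected, signature):
            return "bad-signature"
        # 2. Timestamp window: limits how long a captured request stays usable (forced delay).
        now = self.now()
        if abs(now - timestamp) > CLOCK_SKEW:
            return "stale-timestamp"
        # 3. Nonce cache: drop entries older than the window, then refuse a repeated nonce.
        horizon = now - CLOCK_SKEW
        self.seen = {k: t for k, t in self.seen.items() if t >= horizon}
        if (client, nonce) in self.seen:
            return "replay"
        self.seen[(client, nonce)] = now
        return "ok"


if __name__ == "__main__":
    guard = ReplayGuard(b"constructed-demo-key")
    ts = int(time.time())
    sig = guard.sign("alice", ts, "nonce-1", "GET /data")
    print(guard.verify("alice", ts, "nonce-1", "GET /data", sig))   # ok
    print(guard.verify("alice", ts, "nonce-1", "GET /data", sig))   # replay
```

The order of the checks matters: verifying the signature before touching the cache keeps an unauthenticated sender from filling it, and checking the timestamp before the nonce keeps the cache bounded to one window's worth of entries. A verifier that has only the timestamp check is in the position the text describes for Kerberos: the attacker can resend the captured message until the window closes.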
3.4 MDA: A Secure Authentication Scheme
In a mobile cloud computing environment, if a mobile device is registered with a particular cloud service provider, both the mobile device and the cloud server must authenticate each other in a uniform way, so that the communication is secured with a single authentication technique each time the mobile device accesses the cloud from different locations using different networks and different mobile devices. A single, secure authentication process helps prevent a third party from posing as a legitimate mobile device or as a legitimate cloud service provider. Not every mobile device has a built-in IMSI chip; for example, many iPads and laptops are not equipped with IMSI chips. Therefore, an authentication scheme based on IMSI is not appropriate for mobile cloud computing. Unlike IMSI-based approaches, the proposed scheme, MDA, does not require any additional hardware infrastructure.
Thus, MDA is applicable to a variety of different mobile devices, including those that do not have IMSI chips. In addition, with MDA, even if the mobile device is stolen, the user's authentication information remains safe. Furthermore, when users change their registered mobile devices, they can still access the cloud from other mobile devices after a few encrypted files (such as hashed user and cloud certificates, and/or policies) are ported. MDA is composed of two phases: Registration and Authentication.
A. Registration Phase:
The registration of a mobile device or a cloud user is a one-time process used to set up an account with a user ID, password and other unique information, such as a credit card for accessing cloud services in pay-per-use mode.
B. Authentication Phase:
The proposed authentication scheme is applicable once the message digests have been transferred to the mobile device during the registration process.
4.0 AUTHENTICATION USING FINGER PRINT RECOGNITION IN MOBILE CLOUDS
In this section, the proposed authentication mechanism that uses fingerprint recognition to secure access in the mobile cloud is explained. Recently, there have been a few works on using a digital camera or a webcam as a sensor, but in the literature only. Embedding a special fingerprint sensor or adding external hardware as a fingerprint reader would be costly and would compromise the mobile device's simplicity. Utilizing the existing camera in a mobile phone as a biometric sensor to capture fingerprint images is inexpensive to implement. The proposed solution uses a fingerprint recognition system that obtains the fingertip image through the mobile phone camera.
The aim is to convert the fingertip image obtained by the mobile phone camera into a fingerprint image and to extract a ridge structure from it that is as similar as possible to the ridge structure obtained from a fingerprint sensor. Of course, a mobile camera cannot produce an image like the output obtained and processed by a fingerprint sensor, but this process at least aims to produce an acceptable output. Figure 1 shows the proposed design solution and how it works. Saving or storing the fingerprint image on the mobile device is not required, because each time the user wants to access the cloud, a new fingerprint image is captured and used to log in. The whole approach was hosted in the cloud to take full advantage of it (all processing and storage took place there), since a developer account with a cloud provider has all the privileges needed to create and maintain a customized database as well as the applications. The database was provided as Platform as a Service (PaaS) by the cloud provider.
5.0 AUTHENTICATION IN GPS DIRECTED MOBILE CLOUDS
Most mobile clouds deploy the Global Positioning System, or GPS, for location and timing management. GPS is a U.S.-owned utility that provides users with position, navigation, and timing (PNT) information for a variety of applications. GPS originated as a military technology but has since been made available for free civilian and commercial use. Today, GPS satellites provide service to both civilian (SPS) and military (PPS) users. GPS is currently used in a vast number of civilian sectors worldwide, including cargo transport, public transportation, aviation, surveying, cell phones, police and fire, banking, and countless others. As shown in the lower part of Figure 5, GPS is made up of three segments: the Space Segment (SS), the Control Segment (CS), and the User Segment (US).
The Space Segment (SS) of the GPS system consists of a constellation of satellites in space constantly transmitting radio signals to users on earth. The constellation, originally made up of 24 satellites and then expanded to 27 in June of 2011, ensures that at least four satellites are in view from any point on earth at one time. The U.S. Air Force, however, has been flying 31 satellites, with 3-4 decommissioned satellites on standby that can be reactivated at any time when needed. These extra satellites are not considered part of the constellation. GPS satellites are arranged into six equally spaced planes surrounding the earth. They fly in a medium earth orbit (MEO), at about 20,200 km, each circling the globe twice a day. The U.S. Air Force manages these satellites 24/7 to ensure continuous availability to both military and civilian users.
The second segment is the Control Segment (CS), made up of a global network of ground infrastructure that performs operations including tracking the GPS satellites, monitoring transmissions, analyzing performance, transferring data, and sending operator commands to the constellation. Currently, the CS is made up of a master and an alternate control station, 12 command and control antennas, and 16 monitoring sites scattered across the entire globe. The third is the User Segment (US). This is made up of GPS receiver equipment built to receive the signal from the satellites in the SS. A receiver requires a lock on several satellites in space to obtain a fix. The number of satellites varies depending on how many satellites are in view of the receiver as well as how many the receiver is programmed to register. Upon receiving the ID codes for each satellite, the GPS receiver generates an internal copy of these codes. The satellites transmit their ID codes every millisecond, and the receiver continuously compares its copy to the received ID, keeping track of the time lapse between send and receive. The difference between the 1 ms transmission interval and the time of arrival gives ΔT, which is then used to calculate the distance to the corresponding satellite: Distance = ΔT × speed of light.
Once the receiver determines the distance to all of the satellites it is receiving from, it can calculate the area of overlap to find the center, computing the three-dimensional position and time and getting a fix on the receiver's location on earth. SPS is a positioning and timing service provided by way of ranging signals broadcast at the GPS L1 frequency. L1 is one of four civil GPS signals, the others being L2C, L5, and L1C. L1 is transmitted by all satellites and contains a coarse/acquisition (C/A) code ranging signal with a navigation (Nav/System) data message. Presently, GPS is taking new and innovative directions in the field of wireless security. Particularly in mobile clouds, GPS is emerging as a security feature. A GPS-directed mobile cloud takes the cloud as the backend to support GPS applications and uses GPS as a security measure to confirm an authentic source of wireless mobile communication. The cloud assists GPS authentication with data fusion and consistency checks, while GPS encodes geographic locations and timing profiles in data to confirm their genuineness.
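The two steps the text describes, turning each ΔT into a distance and then intersecting the distances to obtain a fix, worked through as an added example (not code from the report or from any GPS receiver). It assumes a toy coordinate frame in kilometres with four constructed satellite positions and a constructed receiver position from which the ΔT values are simulated; it solves for x, y, z only, whereas a real receiver also solves for its clock bias and therefore needs the fourth satellite for that unknown. The final residual is also returned, since a set of ranges that cannot be reconciled into one position is exactly what the "consistency check" mentioned above would look for.

```python
import math

C_KM_PER_S = 299_792.458  # speed of light in km/s


def distance_from_delta_t(delta_t_s):
    # The relation quoted in the text: Distance = ΔT × speed of light.
    return delta_t_s * C_KM_PER_S


def _solve3(a, b):
    # Gaussian elimination with partial pivoting for a 3x3 system a·x = b.
    m = [row[:] + [b[i]] for i, row in enumerate(a)]
    n = 3
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[piv] = m[piv], m[col]
        for r in range(col + 1, n):
            f = m[r][col] / m[col][col]
            for k in range(col, n + 1):
                m[r][k] -= f * m[col][k]
    x = [0.0] * n
    for r in range(n - 1, -1, -1):
        x[r] = (m[r][n] - sum(m[r][k] * x[k] for k in range(r + 1, n))) / m[r][r]
    return x


def _residuals(satellites, dists, x):
    # For each satellite: unit vector from satellite to estimate (Jacobian row)
    # and the range residual |x - s_i| - d_i.
    rows, res = [], []
    for s, d in zip(satellites, dists):
        diff = [x[k] - s[k] for k in range(3)]
        rng = math.sqrt(sum(v * v for v in diff))
        rows.append([v / rng for v in diff])
        res.append(rng - d)
    return rows, res


def fix_position(satellites, delta_ts, guess=(0.0, 0.0, 0.0), iterations=20):
    """Least-squares trilateration by Gauss-Newton.

    satellites: list of (x, y, z) in km; delta_ts: measured travel time per satellite in s.
    Returns ((x, y, z), rms_residual_km). A large residual means the ranges do not agree
    on any single point, which is the signal a consistency check can act on.
    """
    dists = [distance_from_delta_t(dt) for dt in delta_ts]
    x = list(guess)
    for _ in range(iterations):
        J, r = _residuals(satellites, dists, x)
        # Normal equations (JᵀJ) dx = -Jᵀ r
        JtJ = [[sum(J[i][a] * J[i][b] for i in range(len(J))) for b in range(3)] for a in range(3)]
        Jtr = [-sum(J[i][a] * r[i] for i in range(len(J))) for a in range(3)]
        dx = _solve3(JtJ, Jtr)
        x = [x[k] + dx[k] for k in range(3)]
        if max(abs(v) for v in dx) < 1e-6:
            break
    _, res = _residuals(satellites, dists, x)
    rms = math.sqrt(sum(v * v for v in res) / len(res))
    return tuple(x), rms


def simulate_delta_ts(satellites, receiver):
    # Constructed measurement: exact travel time from each satellite to a known receiver.
    return [math.sqrt(sum((s[k] - receiver[k]) ** 2 for k in range(3))) / C_KM_PER_S
            for s in satellites]


# Constructed satellite positions (km) in the toy frame, roughly MEO distances away.
SATS = [(20000.0, 5000.0, 10000.0), (-5000.0, 20000.0, 8000.0),
        (3000.0, -15000.0, 18000.0), (-12000.0, -8000.0, 15000.0)]

if __name__ == "__main__":
    dts = simulate_delta_ts(SATS, (1.0, 2.0, 0.5))
    print(fix_position(SATS, dts))
```

With exact ΔT values the solver recovers the constructed receiver position to sub-metre precision and the residual is essentially zero; corrupting a single ΔT leaves a residual of tens of kilometres because three unknowns cannot absorb four inconsistent ranges, which is why having more satellites than unknowns is what makes a consistency check possible at all.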
6.0 PRODUCT AUTHENTICATION USING QR CODES
6.1 Quick Response Code
It is a matrix code designed with the intent of being decoded at very high speed. The code was created as a step up from the bar code. A QR Code contains data in both the vertical and horizontal directions, whereas a bar code has only one direction of data, usually the vertical one. It can correspondingly hold more information and is easily read by scanning equipment, and because it holds potentially twice the amount of data of a bar code, it can increase the effectiveness of such scanning.
Further, the code can handle alphanumeric characters, symbols, binary data, and other kinds of code. A QR Code also has an error correction capability, whereby the data can be fully recovered even if the symbol has been damaged. All of these features make this code far superior to the bar code. QR codes are now used on web pages to open the page directly from a mobile phone without entering the URL, by capturing the QR code with the camera attached to the phone. QR codes can also be used on business cards: a code encoding the person's details is created and printed on the card. If one of his friends wants to add the details to the mobile phone contact list, the QR code is simply captured with the phone's camera and the reader software on the phone decodes the data in the image and stores the person's details in the phone book. Presently this code is a general means of identification for mobile phones, batteries and many electronic devices.
6.2 Authentication performance:
All products are assumed to have a QR code printed on their cover, unique for each product, which is used in our authentication system. The application reads the code printed on the external cover of the product and decodes it to obtain the stored data. The code is then encrypted to add more security and sent to the central web server in the cloud through SMS (Short Messaging Service). The data can also be sent through WAP (Wireless Access Protocol) and MMS (Multimedia Messaging Service). The central server collects the data and checks the product code against the manufacturer's server. The code is looked up with a search algorithm; if it is found, the entry in the manufacturer's database is marked as bought and a reply is sent to the central web server that the product is original, as in Fig. 6.2. If a match is not found, the manufacturer's server returns a message stating that the product is a duplicate.
On receiving the message from the manufacturer's server, the web server sends a message to the user stating the status of the product, and the user, on receiving the message from the central server, can then decide whether to buy the product. The QR code used in our model is better than the present barcodes and holograms. Since QR codes are not in human-readable form, no one can alter them to make a product look original, and they can only be read by QR code readers. In this model the verification is done by the user alone, with no involvement of shopkeepers in completing the authentication process. The user sends the captured image, and the final result is also received only by the user with the help of the QR code reader. Thus a dynamic authentication reporting mechanism delivers an immediate response.
For the implementation, a QR code reader application written in J2ME (Java 2 Micro Edition) is installed on the target mobile. J2ME lets the QR code reader work on all Java-enabled mobile phones irrespective of screen size, so our model works with all mobile phones, with the one constraint that the phone must have a capturing device, that is, a camera. In our model the computing technology used to connect the mobile devices with the central web server is the cloud, which allows users from various locations to access the web server to check a product's originality. Cloud computing makes it easy to reach all the remote sites connected to the Internet. The central server relays the reply from the manufacturer's server to the user who submitted a QR code to check the originality of a product. The central server can send the result to the user in two ways: it can either send an SMS with details about the originality of the product, or the web server can send a voice message to the user about the originality; the choice is based on the user's selection when registering with the web server at the beginning. The dynamic reporting service collects the evidence from the cloud and sends it to the mobile as well as to the government's consumer forum for effective monitoring.
6.3 Security Mechanism
The authentication system uses SMS to transfer the data from the mobile phone to the server in the cloud. The data is transferred over the wireless medium using the Signaling System No. 7 protocol. This protocol is used to send SMS and MMS from a mobile phone to any other phone. Attacks on the transmitted signal have increased considerably in recent years, so there is a high probability that a hacker intercepts the data sent through SMS and modifies it to show that the scanned product is original. To avoid such attacks the system should also be able to resist intrusion. The system is made more secure by applying an encryption algorithm to it. The algorithm used is a normal public key encryption algorithm which uses the same key to encrypt and decrypt the message. With this encryption, the message is encrypted before it is sent from the mobile, and on the server it is decrypted after being received from the mobile to recover the actual message. The QR code together with the encryption algorithm increases the security of the whole system, making it more difficult to attack the system and obtain the transmitted data.
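The verification flow of sections 6.2 and 6.3 (phone sends the decoded product code, the central server checks it against the manufacturer's database, marks it bought, and replies "original" or "duplicate"), as an added example that is not code from the report. The attack the text worries about is a modified SMS that makes a duplicate look original; encryption on its own does not let the receiver notice such a change, so this example protects both directions with an HMAC-SHA256 tag under a key assumed to be shared between the phone application and the server, and the server refuses any message whose tag does not match. Treating a code that has already been marked bought as suspicious is an assumption of this example, not something the text states. Product codes, key and message layout are constructed.

```python
import hashlib
import hmac


def seal(key, text):
    # Append an HMAC-SHA256 tag; the receiver can detect any change to `text`.
    tag = hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{text}|{tag}"


def unseal(key, message):
    # Return the protected text, or None if the tag is missing or does not match.
    try:
        text, tag = message.rsplit("|", 1)
    except ValueError:
        return None
    expected = hmac.new(key, text.encode("utf-8"), hashlib.sha256).hexdigest()
    return text if hmac.compare_digest(expected, tag) else None


class ManufacturerDB:
    """Constructed stand-in for the manufacturer's product database."""

    def __init__(self, codes):
        self.products = {code: {"bought": False} for code in codes}

    def lookup(self, code):
        product = self.products.get(code)
        if product is None:
            return "duplicate"        # unknown code: the text's 'product is duplicate' reply
        if product["bought"]:
            return "already-bought"   # assumption of this example: a code seen twice is a cloned label
        product["bought"] = True      # the text's 'marked as bought'
        return "original"


class CentralServer:
    """The cloud-side web server that mediates between phone and manufacturer."""

    def __init__(self, shared_key, db):
        self.key = shared_key
        self.db = db

    def handle(self, message):
        # Reject anything whose tag does not verify before consulting the manufacturer,
        # so a modified request can never flip a duplicate into an original.
        code = unseal(self.key, message)
        status = "tampered" if code is None else self.db.lookup(code)
        # The reply is sealed too, so the phone can detect a modified reply.
        return seal(self.key, status)


if __name__ == "__main__":
    KEY = b"constructed-demo-key"
    server = CentralServer(KEY, ManufacturerDB(["PRD-0001", "PRD-0002"]))
    request = seal(KEY, "PRD-0001")            # what the phone sends over SMS
    reply = server.handle(request)
    print(unseal(KEY, reply))                  # original
    print(unseal(KEY, reply.replace("original", "duplicate")))  # None: altered reply detected
```

The phone application treats a reply whose tag fails to verify as no answer at all rather than as either status, which is the property the text is after when it describes an attacker rewriting the SMS. Note that a tag does not hide the product code from an eavesdropper; if confidentiality is also wanted, encryption has to be added alongside the tag, not instead of it.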
7.0 CLOUDLETS AUTHENTICATION IN NFC BASED MOBILE COMPUTING
These scenarios are based on NFC mobile applications that demand intensive computing resources. To save energy and avoid long WAN latencies, the mobile device offloads its workload to a local cloudlet with connectivity to the remote cloud servers, as defined by Satyanarayanan. The objective of such elastic applications is to dynamically leverage cloudlet computing for resource-constrained mobile devices.
The major issue in this context is that the cloudlet is not a trusted entity, in contrast with the cloud, which can provide Security as a Service, and the mobile, which is endowed with a secure element. In the following subsections, we propose a solution for authenticating cloudlets from NFC mobile devices. Authentication of a cloudlet is required before migrating heavy computational tasks from the mobile device to the cloudlet. The authors proposed a security model for elastic applications made up of 'weblets' that can be migrated between a cloud and a mobile device. In particular, they introduce the authentication and secure session management needed for secure communication between weblets and multiple concurrent instantiations.
In the NFC platforms where the end user needs to access services on the Cloud, an NFC mobile phone is used. In this authentication solution, the SP manages the user ID and generates a digital token. The SP delegates to a TSM the delivery of user credentials to the user's mobile phone through an OTA capability that communicates with the SE embedded in the phone. Hence, when the user requests access to the Cloud, the SP only has to compare its digital token with the one provided by the SE. The authors presented an elegant solution for authentication called Smart OpenID to allow access to an SP through the Internet. Their solution is an enhancement of OpenID that moves part of the OpenID authentication server functionality to the smart card of the user's device. They introduce:
1) a trusted third party called OPSF that shares a secret key with the SIM card of the user, and
2) an entity called OP that runs on the mobile device to validate authentication based on the user credentials received from OPSF and those generated by the SIM card.
8.0 AUTHENTICATION USING PROFILING IN MOBILE CLOUD COMPUTING
The profiling technique provides a suitable service for user and personal profile information in the mobile environment. In this system, a formal model has to be provided to offer the information needed by applications.
A user's profile specifies Internet-related information about an end user. The profile consists of a user information part and a service information part. The user information part stores the user's information, such as the user's name, inclinations and hobbies, and the service information part stores the services they have used, such as the service name, service provider, etc.
8.1 Structure of User Profile:
User Information: User name, User ID, Personal inclination, Hobby, etc.
Service Information: Service name, Service provider, Service context, Service frequency value, etc.
9.0 CONCLUSION
Various authentication technologies have been proposed. Access control and user authentication are the security technologies used in the cloud computing environment; misuse of access authority to resources and leakage of the personal information used to authenticate a user could have faster and more powerful effects than in a single system. For effective user authentication in the cloud computing environment, the authentication technologies described above should be used in a suitable combination, or a secure authentication method fit for the purposes of cloud computing should be developed. As further work, a proper user authentication service model and protocol for cloud computing should be designed and developed.