11-02-2013, 01:03 PM
LOCATION BASED REMOTE CLIENT AUTHENTICATION PROTOCOL (LRAP)
INTRODUCTION
Authentication is considered the most important security service, underlying many products and application services today. To perform authentication, various methods with varying degrees of reliability are typically employed.
These methods are classified into three main classes or factors: what the user is (e.g. a fingerprint, retinal or voice-recognition pattern, or other biometric data), what the user has (e.g. an ID card, security token, mobile device or cell phone), and what the user knows (e.g. a static password or a one-time code). No single authentication method can fully protect against all types of security attacks.
For example, challenge-response one-time codes or application-level PKI-based authentication render phishing and malicious-software attacks useless, but they do not protect against man-in-the-middle attacks, even though both methods could be extended to achieve this protection too.
PKI-based Authentication
In contrast to one-time codes, authentication based on public-key cryptography doesn’t rely on shared secrets. Instead, each client is initially equipped with a private key (never to be exposed) and a matching public key. Furthermore, the server uses a PKI that issues a digital certificate to bind the client’s identity to his or her public key. The certificate contains the client’s public key and is signed by one or more certificate authorities (CAs) that the server trusts. Although it is somewhat difficult to establish and maintain a PKI, the authentication itself is rather simple: the server presents a randomly chosen challenge and the client signs it with its private key. (If both parties fail to use the necessary safeguards against well-known cryptanalytic attacks, such as the chosen-plaintext attack, then the authentication scheme can be broken.)
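As an added example (not from the original document), here is the challenge-response step from the paragraph above in Go, using the standard library's Ed25519 signatures. Certificate handling is left out: the server is assumed to have already taken the client's public key from its CA-issued certificate, and the server name, client id and the "LRAP-auth-v1" tag are made-up values for the illustration. What it adds to the text is the safeguard against the client's key being used as a signing oracle: the client only ever signs a framed message naming the purpose and the server, and the server accepts each challenge exactly once.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"log"
)

// Server holds each enrolled client's public key (in a real deployment taken
// from the client's CA-issued certificate) and the set of challenges it has
// issued but not yet seen answered, so every challenge is usable only once.
type Server struct {
	name        string
	clientKeys  map[string]ed25519.PublicKey // client id -> certified public key
	outstanding map[string]bool              // hex(challenge) -> issued, unanswered
}

func NewServer(name string) *Server {
	return &Server{
		name:        name,
		clientKeys:  map[string]ed25519.PublicKey{},
		outstanding: map[string]bool{},
	}
}

// Enroll records the public key the PKI has bound to this client id.
func (s *Server) Enroll(clientID string, pub ed25519.PublicKey) {
	s.clientKeys[clientID] = pub
}

// NewChallenge draws 32 random bytes and remembers them as outstanding.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.outstanding[hex.EncodeToString(c)] = true
	return c, nil
}

// AuthMessage is what actually gets signed: a fixed purpose tag, the server's
// name, then the challenge. This framing is the safeguard the text alludes to:
// the private key never signs raw, peer-chosen bytes, so an authentication
// signature cannot be reused against another server or passed off as the
// client's signature on some unrelated document.
func AuthMessage(serverName string, challenge []byte) []byte {
	var b bytes.Buffer
	b.WriteString("LRAP-auth-v1\x00") // hypothetical protocol tag
	b.WriteString(serverName)
	b.WriteByte(0)
	b.Write(challenge)
	return b.Bytes()
}

// ClientSign is the client side: it rebuilds the framed message itself rather
// than signing whatever arrived on the wire.
func ClientSign(priv ed25519.PrivateKey, serverName string, challenge []byte) []byte {
	return ed25519.Sign(priv, AuthMessage(serverName, challenge))
}

// Verify checks that the challenge was issued here and is unused, consumes it,
// and verifies the signature against the enrolled key.
func (s *Server) Verify(clientID string, challenge, sig []byte) error {
	pub, ok := s.clientKeys[clientID]
	if !ok {
		return errors.New("unknown client")
	}
	key := hex.EncodeToString(challenge)
	if !s.outstanding[key] {
		return errors.New("challenge not issued or already answered")
	}
	delete(s.outstanding, key) // one-time use: a captured response cannot be replayed
	if !ed25519.Verify(pub, AuthMessage(s.name, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	srv := NewServer("bank.example") // hypothetical server name
	srv.Enroll("alice", pub)         // hypothetical client id

	c, _ := srv.NewChallenge()
	sig := ClientSign(priv, "bank.example", c)
	fmt.Println("first response:", srv.Verify("alice", c, sig))    // <nil>
	fmt.Println("replayed response:", srv.Verify("alice", c, sig)) // error
}
```

The challenge is consumed before the signature is checked, so a failed attempt also forces a fresh challenge; that keeps a captured or guessed response from being retried against the same one.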
Location authentication
Authentication is widely known in its two major facets. Entity authentication helps corroborate the veracity of a claimed or presumed party’s identity.
Data-origin authentication verifies a message’s source. Location authentication assures the truthfulness of the claimed or presumed location information. The location-authentication schemes we address here use reference-based location determination, so they consider the located node’s information to establish its truthfulness. Reference nodes are also involved in location-authentication schemes, and sometimes a central authority (which might or might not be a reference node) is involved as well.
Location authentication problem and some solutions
To obtain the location information, one possible and simple solution is to use the U.S. space-based GPS system. For anyone with a GPS receiver, the system provides accurate location and time information in all weather, day and night, anywhere in the world. However, from the security point of view, the authenticity of the GPS signal is not guaranteed, because a false (or spoofed) GPS signal could be generated by a dedicated GPS signal simulator, and a typical GPS receiver would not be able to detect that. Some “advanced” GPS receivers are enhanced with anti-spoofing modules in order to detect whether the GPS signal comes from the satellite or from a fake GPS simulator. However, in recent years, more and more advanced GPS simulators .
OVERVIEW OF GSM
GSM (Group Special Mobile, or Global System for Mobile Communications) is the pan-European standard for digital cellular communications. The Group Special Mobile was established in 1982 within the European Conference of Post and Telecommunication Administrations (CEPT). A further important step in the history of GSM as a standard for digital mobile cellular communications was the signing of a GSM Memorandum of Understanding (MoU) in 1987, in which 18 nations committed themselves to implementing cellular networks based on the GSM specifications.
GOALS OF GSM
The goal of the GSM recommendations is to provide a pan-European standard for digital cellular telecommunications. A consequence of this is that export restrictions and other legal restrictions on encryption have come into play. This is a hotly debated, highly political issue which involves the privacy rights of the individual, the ability of law enforcement agencies to conduct surveillance, and the business interests of corporations manufacturing cellular hardware for export.
USE CASE
Location based authentication is a special procedure to prove an individual’s identity and authenticity on appearance, simply by detecting his or her presence at a distinct location. To enable location based authentication, a special combination of objects is required.
Firstly, the individual who applies to be identified and authenticated has to present a sign of identity. Secondly, the individual has to carry at least one human authentication factor that can be recognized at the distinct location. Thirdly, the distinct location must be equipped with a resident means that is capable of determining that the individual is present at this distinct location.
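Added example, not part of the original document: the three objects from the use case (a sign of identity, an authentication factor the individual carries, and a resident means at the location) combined into one verification in Go, using the standard library's Ed25519. The carried factor is modelled as the client's certified private key, the resident means as a reference node with its own key that countersigns the same claim, and the central authority from the location-authentication section as the verifier that also decides from which locations each client may authenticate. Client ids, location ids and the "LRAP-loc-v1" tag are constructed placeholders. It goes a little beyond the text in one check: the key the node vouches for must be the key the client is enrolled with, which is what stops a client elsewhere from reusing an attestation the node issued to someone who really is at the location.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// LocationClaim is the statement both parties sign: "the holder of ClientPub
// answered Challenge while present at LocationID".
type LocationClaim struct {
	LocationID string
	ClientPub  ed25519.PublicKey
	Challenge  []byte
}

// Bytes is the canonical, length-prefixed encoding that gets signed, so the
// fields cannot be re-split into a different claim.
func (c *LocationClaim) Bytes() []byte {
	b := []byte("LRAP-loc-v1") // hypothetical protocol tag
	for _, f := range [][]byte{[]byte(c.LocationID), c.ClientPub, c.Challenge} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		b = append(append(b, n[:]...), f...)
	}
	return b
}

// Authority is the central verifier: enrolled client keys, the reference node
// resident at each location, the locations each client may use, open challenges.
type Authority struct {
	clientKeys map[string]ed25519.PublicKey // client id -> certified key
	refNodes   map[string]ed25519.PublicKey // location id -> resident node key
	allowed    map[string]map[string]bool   // client id -> permitted locations
	pending    map[string]bool              // challenges issued, not yet answered
}

func NewAuthority() *Authority {
	return &Authority{map[string]ed25519.PublicKey{}, map[string]ed25519.PublicKey{},
		map[string]map[string]bool{}, map[string]bool{}}
}

func (a *Authority) EnrollClient(id string, pub ed25519.PublicKey, locations ...string) {
	a.clientKeys[id], a.allowed[id] = pub, map[string]bool{}
	for _, l := range locations {
		a.allowed[id][l] = true
	}
}

func (a *Authority) EnrollNode(location string, pub ed25519.PublicKey) { a.refNodes[location] = pub }

func (a *Authority) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	a.pending[string(c)] = true
	return c, nil
}

// Verify: known client, claim names that client's key, a node registered for the
// location, client permitted there, challenge unused, then both signatures over
// the very same bytes (identity factor and location factor).
func (a *Authority) Verify(clientID string, c *LocationClaim, clientSig, nodeSig []byte) error {
	pub, ok := a.clientKeys[clientID]
	nodeKey, nodeOK := a.refNodes[c.LocationID]
	switch {
	case !ok:
		return errors.New("unknown client")
	case !pub.Equal(c.ClientPub):
		return errors.New("claim names a key other than the enrolled one")
	case !nodeOK:
		return errors.New("no reference node registered for this location")
	case !a.allowed[clientID][c.LocationID]:
		return errors.New("client not permitted to authenticate from this location")
	case !a.pending[string(c.Challenge)]:
		return errors.New("challenge not issued or already used")
	}
	delete(a.pending, string(c.Challenge)) // one-time use
	msg := c.Bytes()
	if !ed25519.Verify(pub, msg, clientSig) {
		return errors.New("client signature does not verify")
	}
	if !ed25519.Verify(nodeKey, msg, nodeSig) {
		return errors.New("reference node signature does not verify")
	}
	return nil
}

func main() {
	cPub, cPriv, _ := ed25519.GenerateKey(rand.Reader)
	nPub, nPriv, _ := ed25519.GenerateKey(rand.Reader)
	auth := NewAuthority()
	auth.EnrollClient("alice", cPub, "branch-7") // hypothetical ids
	auth.EnrollNode("branch-7", nPub)
	ch, _ := auth.Challenge()
	claim := &LocationClaim{LocationID: "branch-7", ClientPub: cPub, Challenge: ch}
	msg := claim.Bytes()
	fmt.Println(auth.Verify("alice", claim, ed25519.Sign(cPriv, msg), ed25519.Sign(nPriv, msg))) // <nil>
}
```

Both signatures cover exactly the same bytes, so neither party can be made to vouch for a claim the other did not see, and the one-time challenge inside the claim ties the node's attestation to this login rather than to an earlier one.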
CONCLUSION
The three authentication factors, that is, “something you know”, “something you have” and “something you are”, are well-established means of authenticating the identity of an individual, but they still do not suffice for very strong authentication. One cannot completely rely upon these aspects alone when authenticating an individual.
Location based authentication is an additional factor in providing strong authentication, as a location characteristic can never be stolen or spoofed. It has provided a supplementary dimension in network security. It gives the owner complete control over information that only he or she can access. It is a strong deterrent to hackers hiding behind surreptitious locations while trying to access remote secured systems. It is very difficult for an intruder to gain control by pretending to be at the right location, because the location data cannot be duplicated. GPS captures and stores the location information, which is known to the authorized user only.