11-03-2014, 12:38 PM
TOKEN BASED AUTHENTICATION USING MOBILE PHONE
INTRODUCTION
The growth of the Internet, business solutions, online services, government portals, social networking sites and information portals is replacing the traditional ways of working and communicating. Authentication establishes proof of identity: it is the way to prove that the user trying to access an account is who they claim to be. Most of these solutions involve personal details, operational credits, or certified information or services, which require digital identification as proof of authenticity.
Today, three universally recognized factors are used for digital identification: what we know (i.e. a password), what we have (i.e. tokens and cards) and what we are (i.e. biometric characteristics). To extend authentication strength and make it more flexible and robust, recent work has been done on virtual identification approaches (i.e. virtual tokens). Virtual tokens not only reduce extra cost but also remove the burden of remembering and carrying a token. Static passwords are known as one of the easier targets for attackers; biometric readers, on the other hand, are very costly and not feasible for web applications.
Security tokens are a good way to provide strong authentication and to add a runtime interaction that increases identification strength. The resistance to security tokens comes from cost, server synchronization and the burden of carrying multiple tokens for multiple solutions. We assume that every user has a mobile phone. Accordingly, mobile phones could be a good way to provide strong authentication and replace security tokens. Such a solution makes strong authentication cheaper and more flexible for the user as well as for the service provider, and removes the burden of carrying extra hardware for identification only. In this paper we use the mobile phone as a security token and propose an authentication model for strong digital identification.
ARCHITECTURE OVERVIEW
Fig 1.2 shows the general overview of strong authentication using mobile phones. It consists of the following elements:
1. The user is the key element; the user wants to access the application and connects to the application or node using any network technology.
2. The password algorithm is the proposed algorithm designed to generate a dynamic password for each digital identification process.
3. The GSM server or SMS gateway generates the SMS that delivers the dynamic password to the user.
4. The visitor password register (VPR) is a temporary register that stores the username and dynamic password for the current session.
TECHNOLOGY DETAILS
In this section we propose a general authentication architecture for mobile phone authentication. Strong authentication requires mechanisms that implement the mobile phone as a security token. These are an attempt to overcome the cost and effort of strong authentication with security token services. The proposed system can implement the following mechanism.
SMS Based Dynamic Password:
In this approach the user sends a user id and a 4-digit static password to the server to retrieve a dynamic password. The server verifies the request against the user's details and forwards it to the password algorithm for generation of a dynamic password. Using the static password, the password algorithm generates a unique dynamic password for the individual user. The system then stores it in the VPR together with the user id for the current session and sends it to the user via SMS. The user then submits this dynamic password with the user id to gain application access. The system compares the submitted password with the stored one and redirects to the main application.
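The two-step flow above (static password check, dynamic password stored in the VPR and sent by SMS, then verified on submission) as an added example; it is not code from the original report. The user table, salt, SMS gateway stub and the 120-second lifetime are constructed for the example, and the dynamic password is drawn from a CSPRNG rather than derived from the static password, which the report leaves unspecified.

```python
import hashlib
import hmac
import secrets

# Constructed user table: user id -> salted PBKDF2 hash of the 4-digit static password.
def _hash_static(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"constructed-salt"            # constructed sample value
USERS = {"alice": _hash_static("4821", _SALT)}

# Visitor password register (VPR): user id -> (dynamic password, expiry time).
VPR: dict = {}
OTP_TTL_SECONDS = 120                   # assumed lifetime; the report gives none

def sms_gateway(user_id: str, dynamic_password: str) -> None:
    # Stand-in for the GSM server / SMS gateway; a real deployment sends the SMS here.
    print(f"SMS to {user_id}: your one-time password is {dynamic_password}")

def request_dynamic_password(user_id: str, static_password: str, now: float) -> bool:
    """Step 1: verify user id + static password, generate a dynamic password,
    store it in the VPR for this session and hand it to the SMS gateway."""
    stored = USERS.get(user_id)
    if stored is None or not hmac.compare_digest(stored, _hash_static(static_password, _SALT)):
        return False
    # Password algorithm (assumed): a fresh, unpredictable 6-digit value per request.
    dynamic = f"{secrets.randbelow(10**6):06d}"
    VPR[user_id] = (dynamic, now + OTP_TTL_SECONDS)
    sms_gateway(user_id, dynamic)
    return True

def verify_dynamic_password(user_id: str, submitted: str, now: float) -> bool:
    """Step 2: compare the submitted dynamic password with the VPR entry.
    The entry is consumed on every attempt, so a wrong guess forces a new
    request (limits online guessing) and a correct one cannot be replayed."""
    entry = VPR.pop(user_id, None)
    if entry is None:
        return False
    dynamic, expires_at = entry
    if now > expires_at:
        return False
    return hmac.compare_digest(dynamic, submitted)
```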
WORKING MODEL
We now present a threat model we have developed to define the security of token-based authentication solutions implemented for mobile phone networks. The description is kept brief for lack of space; formal definitions of the different attack notions will be provided in future work.
We consider adversaries who have complete access to messages sent from users to the bank server and can use this information to mount different types of attacks. Adversaries could either be eavesdroppers on the mobile network (outsiders) who exploit known vulnerabilities of network-layer protocols to recover messages, or bank agents (insiders) with whom users interact while conducting withdrawal and deposit transactions.
It is reasonable to assume eavesdropping capabilities for agents, since in many m-banking systems (including Eko's) agents closely facilitate the communication of withdrawal messages to the bank: the contents of the message, including the authenticating information, are spoken out by the user as the agent types them into his own or the user's phone and sends them on behalf of the user. Such transactions are often referred to as aided transactions. In Eko's current deployment, at least 67% of all withdrawal transactions are conducted in an aided manner, a phenomenon attributable to the limited literacy levels of the customers. In such a setting, insider eavesdropping is arguably easier to carry out than outsider eavesdropping.
We consider four different types of attacks against a mobile-based user authentication system. The first is PIN recovery, an attack in which the adversary acquires the secret PIN of a user. We then consider three types of impersonation attacks, which we refer to as type-0, type-1 and type-2 impersonation attacks. In a type-0 impersonation attack the adversary acquires a user's phone and attempts to use it to authenticate to the bank as the phone's legitimate owner. This models a scenario in which a user's phone is stolen or lost and the thief wishes to transact on the user's bank account. In a type-1 impersonation attack, the adversary is given, besides the user's phone, access to his unique security token; the goal of the adversary is the same: authenticate to the bank as the legitimate user.
RESULT ANALYSIS
The results of our analysis are summarized in table 4.1. First, we find that the old scheme is insecure against PIN recovery attacks: given a list of k 10-digit signatures belonging to a user, an attacker exhaustively searches for 4-digit subsequences common to all of them. If it finds such a subsequence, it reports it as the PIN; otherwise it aborts. We conducted a small lab experiment with this attack on Eko's scheme. In 3 independent executions on real Eko codebooks, we found that with k equal to 7 the attack could always recover the PIN. On average across the 3 experiments, every possible PIN could be recovered from just k=4 signatures. We remark that although this weakness was mentioned in, no security analysis with real codebooks was reported there.
Improving Security of the New Scheme
The reason for the greater probability of successful type-0 and type-2 impersonation in the new scheme is simple: signatures contain fewer random bits than in the old scheme. If an attack resistance of 10^-4 is deemed insufficient for an authentication application, there is a simple way to improve it to 10^-(4+x) for arbitrary x by modifying the scheme as follows: instead of storing 10-digit nonces in the codebooks, store nonces of length 10+x. Use the first 10 digits of every nonce as before, but to the 4-digit signature thus obtained append the last x digits of the nonce as is.
Tackling Man-in-the-Middle Attacks
One threat that our security model does not currently address is the man-in-the-middle (MITM) attack, in which an adversary intercepts communication from a user to the authentication server and modifies messages while they are in transit. Both schemes we discussed are susceptible to forgeries by an MITM attacker, as noted in [1]. For example, an MITM adversary can intercept a transaction message with its associated signature, change the contents of the message (e.g., the recipient account information) and forward the modified version to the bank. The bank would still view the message as originating from the legitimate user, since the signature would be a valid PIN encoding.
While MITM attacks are difficult to mount in mobile networks in real time, we sketch here a solution to counter them in the context of mobile banking. Our solution has two additional requirements: first, all transactions (including money transfers) must be carried out in the presence of a bank agent, and second, the agent must be equipped with a programmable phone. The latter is not an unreasonable assumption, since the agent's phone is shared across multiple users' transactions, so it is cost-effective for the bank to invest in such a phone per agent (even where the agent cannot afford one himself). Once these requirements are met, forgeries can be prevented using standard cryptographic techniques.
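An added example, not code from the original report or from Eko, covering both the 10+x nonce improvement above and the MITM countermeasure just sketched. The report does not spell out how a 4-digit signature is derived from a PIN and a 10-digit nonce, so the signing rule here (each PIN digit selects a position in the nonce) is an assumption; the agent-phone tag is an HMAC over the transaction text plus signature, one possible instance of the "standard cryptographic techniques" the text refers to, and the key, PIN and codebook values are constructed.

```python
import hashlib
import hmac
import secrets

def make_nonce(x: int) -> str:
    """Codebook entry of 10 + x decimal digits (x = 0 is the scheme as described)."""
    return "".join(str(secrets.randbelow(10)) for _ in range(10 + x))

def sign(pin: str, nonce: str) -> str:
    """Assumed signing rule: each PIN digit selects one of the first 10 nonce digits;
    the remaining x nonce digits are appended as is, per the improvement above."""
    if len(pin) != 4 or not pin.isdigit() or len(nonce) < 10 or not nonce.isdigit():
        raise ValueError("pin must be 4 digits and nonce at least 10 digits")
    table, tail = nonce[:10], nonce[10:]
    return "".join(table[int(d)] for d in pin) + tail

def guess_space(x: int) -> int:
    """Number of equally likely signatures an attacker without the PIN must
    choose among for one codebook entry: 10^(4+x), i.e. resistance 10^-(4+x)."""
    return 10 ** (4 + x)

def bind_to_message(agent_key: bytes, message: str, signature: str) -> str:
    """Computed on the agent's programmable phone (assumed design): an HMAC over the
    transaction text and the codebook signature, so altering either invalidates it."""
    return hmac.new(agent_key, f"{message}|{signature}".encode(), hashlib.sha256).hexdigest()

class BankVerifier:
    def __init__(self, pin: str, codebook: list, agent_key: bytes):
        self.pin, self.codebook, self.agent_key = pin, codebook, agent_key
        self.used = set()   # each codebook entry is accepted once only

    def verify(self, index: int, message: str, signature: str, tag: str) -> bool:
        if index in self.used or not 0 <= index < len(self.codebook):
            return False
        expected_sig = sign(self.pin, self.codebook[index])
        expected_tag = bind_to_message(self.agent_key, message, signature)
        sig_ok = hmac.compare_digest(expected_sig, signature)
        tag_ok = hmac.compare_digest(expected_tag, tag)
        if not (sig_ok and tag_ok):
            return False
        self.used.add(index)
        return True
```

Without the tag, `sign` alone accepts the same signature for any message, which is exactly the forgery the text describes.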
CONCLUSION
Security is the mandatory key element for the success of any digital solution. Authentication is the way to prove that the user trying to access the account is authentic. This paper explores the possibility of using a mobile phone instead of a security token for strong authentication. Static passwords are no longer secure and are easily exploited by attackers. Security tokens can easily extend authentication strength, but extra cost, single use and server synchronization are their main shortcomings.
Further, a hardware token is given to each user for each account, which increases the number of tokens carried and their cost; manufacturing and maintaining them has become a burden on both the client and the organization. Since most people carry a mobile phone, this work proposes an authentication architecture that replaces security tokens with mobile phones and introduces dynamic interaction on demand.