A Generic Framework for Three-Factor Authentication: Preserving Security and Privacy in Distributed Systems



INTRODUCTION

In a distributed system, various resources are distributed
in the form of network services provided and managed
by servers. Remote authentication is the most commonly
used method to determine the identity of a remote client. In
general, there are three authentication factors:
1. Something the client knows: password.
2. Something the client has: smart card.
3. Something the client is: biometric characteristics
(e.g., fingerprint, voiceprint, and iris scan).
Most early authentication mechanisms are based solely
on passwords. While such protocols are relatively easy to
implement, passwords (and human-generated passwords in
particular) have many vulnerabilities. As an example,
human-generated and memorable passwords are usually
short strings of characters and (sometimes) poorly selected.
By exploiting these vulnerabilities, simple dictionary
attacks can crack passwords in a short time [1].


Motivation

The motivation of this paper is to investigate a systematic
approach for the design of secure three-factor authentication
with the protection of user privacy.
Three-factor authentication is introduced to incorporate
the advantages of the authentication based on password,
smart card, and biometrics. A well-designed three-factor
authentication protocol can greatly improve the information
assurance in distributed systems.


Related Work

Several authentication protocols have been proposed to
integrate biometric authentication with password authentication
and/or smart-card authentication. Lee et al. [5]
designed an authentication system which does not need a
password table to authenticate registered users. Instead,
smart card and fingerprint are required in the authentication.
However, according to the analysis given in [6], Lee et al.’s
scheme is insecure under a conspiring attack.


Contributions

The main contribution of this paper is a generic framework
for three-factor authentication in distributed systems. The
proposed framework has several merits as follows:
First, we demonstrate how to incorporate biometrics in
the existing authentication based on smart card and
password. Our framework is generic rather than instantiated
in the sense that it does not have any additional
requirements on the underlying smart-card-based password
authentication. Not only will this simplify the design
and analysis of three-factor authentication protocols, but
it will also contribute a secure and generic upgrade from
two-factor authentication to three-factor authentication
possessing the practice-friendly properties of the underlying
two-factor authentication system.


Privacy Issues

A trivial way to include biometric authentication in
smart-card-based password authentication is to scan the biometric
characteristics and store the extracted biometric data as a
template in the server. During the authentication, a comparison
is made between the stored data and the input biometric
data. If there is a sufficient commonality, a biometric
authentication is said to be successful. This method, however,
will raise several security risks, especially in a multiserver
environment where user privacy is a concern (e.g., in a
distributed system). First, servers are not 100 percent secure.
Servers with weak security protections can be broken into by
attackers, who will obtain the biometric data on those servers.
Second, servers are not 100 percent trusted.
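
The trivial server-side matching described above, as an added example that is not taken from the paper: the 256-bit templates, the 25 percent threshold, the noise model and all names are assumptions made for illustration. It also shows why the server cannot keep only a digest, as it would for a password: a fresh scan never matches bit for bit, so the raw template has to sit in the server's store.

```python
import hashlib
import random

MATCH_THRESHOLD = 0.25  # assumed: largest fraction of differing bits still accepted


def hamming_fraction(a: bytes, b: bytes) -> float:
    """Fraction of bit positions in which two equal-length templates differ."""
    diff = sum(bin(x ^ y).count("1") for x, y in zip(a, b))
    return diff / (8 * len(a))


def noisy_reading(template: bytes, flips: int, rng: random.Random) -> bytes:
    """Simulate a fresh scan of the same trait: exactly `flips` bits differ."""
    out = bytearray(template)
    for pos in rng.sample(range(8 * len(out)), flips):
        out[pos // 8] ^= 1 << (pos % 8)
    return bytes(out)


class TemplateServer:
    """Server that stores the extracted template itself (the trivial method)."""

    def __init__(self):
        self.templates = {}

    def enroll(self, user: str, template: bytes) -> None:
        self.templates[user] = template

    def authenticate(self, user: str, reading: bytes) -> bool:
        stored = self.templates.get(user)
        return stored is not None and hamming_fraction(stored, reading) <= MATCH_THRESHOLD


def digest_match(template: bytes, reading: bytes) -> bool:
    """Password-style check on digests: any single noisy bit makes it fail."""
    return hashlib.sha256(template).digest() == hashlib.sha256(reading).digest()


def demo() -> dict:
    rng = random.Random(7)  # constructed sample data, fixed seed for repeatability
    alice = bytes(rng.getrandbits(8) for _ in range(32))
    other = bytes(rng.getrandbits(8) for _ in range(32))
    fresh = noisy_reading(alice, 20, rng)
    server = TemplateServer()
    server.enroll("alice", alice)
    return {
        "genuine_accepted": server.authenticate("alice", fresh),
        "other_person_accepted": server.authenticate("alice", other),
        "digest_check_usable": digest_match(alice, fresh),
        # What a breach of the store exposes is the biometric data itself.
        "store_holds_raw_template": server.templates["alice"] == alice,
    }
```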