
Assessment of Strong User Authentication Schemes in Cloud based Computing

Mohit Mathur, Nitin Saraswat
Sr. Lecturer, Department of IT & CS, Jagan Institute of Management Studies (Affiliated to GGSIP University, New Delhi), Rohini, Delhi, India.

Studies indicate that digital identity fraud is still on the rise, with an increase in complexity (that is, phishing, man-in-the-middle, DNS poisoning, malware, social engineering, and so on). With the trend of moving data and services into the Web and cloud-based platforms, the management and control of access to confidential and sensitive data is becoming more than verifying simple user credentials at the start of a user session for one application. One of the most commonly used attack methods today is gaining account access by stealing reusable credentials for Web sites that have not yet implemented "strong" user authentication. This is so because the most common forms of credentials today are knowledge-based (user ID and password) and are requested only once during sign-on, which provides a higher level of convenience to users but also requires less effort for attackers to exploit. Many attacks appear as "phishing" messages that masquerade as ones sent by legitimate organizations and contain URLs that point to fraudulent Web sites with the same appearance as genuine ones. Often, they act as a "man-in-the-middle" and eventually forward visitors to the actual Web sites; but in the process they have captured valid credentials that can be used to gain access to the actual accounts. The question is whether you can really afford the cloud if you can't prevent unauthorized access to your data, which will be far more expensive to your business in terms of regulatory breach or reputation damage in the long run. In a shared pool outside the enterprise, you have no knowledge or control of where the resources run or where your data is stored. This paper emphasizes the authentication aspect of security in the cloud computing environment and suggests some solutions for it.
The "Authentication in a Cloud Environment" guide identified that simple-password authentication is insufficient for ensuring authorized access to important cloud services.

It looks as though soon all computing will be called cloud computing, just because the cloud is "in." The term "cloud computing" means: outsourced, pay-as-you-go, on-demand, somewhere in the Internet, etc. Cloud computing is an emerging computing pattern where data and services reside in massively scalable data centers and can be universally accessed from any connected device over the Internet. It is virtual, scalable, efficient, and flexible. Cloud computing is the technology in which the Web is replacing the desktop. It provides services on virtual machines allocated on top of a large pool of physical machines. It is a method to address scalability and availability concerns for large-scale applications. It is totally democratized distributed computing. It includes large-scale data processing and cluster management. It is a virtualized server pool. It is an emerging approach to shared infrastructure in which large pools of systems are linked together to provide IT services. The computing resources being accessed are typically owned and operated by a third-party provider on a consolidated basis in data center locations. Target consumers are not concerned with the underlying technologies used to achieve the increase in server capability, which is sold as a service available on demand. The greatest advantage of cloud computing is that it easily handles peak-load situations without the need for additional hardware infrastructure that most of the time would remain underutilized. Physically, the resources might span multiple computers or even multiple data centers. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It's called cloud computing, and it could change the entire computer industry.
From a user-authentication perspective, moving data into the cloud and integrating cloud-based services should be implemented with the same level of overall effective authentication strength as the enterprise viewpoint of authentication architecture. However, organizations have significantly less control over the authentication strengths of the interdependent cloud-based services of their counterparts/partners. For example, the overall security posture of the resulting interconnected architecture can be compromised if the integrated services themselves have comparatively lower-strength authentication systems in place.

From a capabilities perspective, however, many of the authentication architecture components are being deployed as cloud-based services: for example, consumer-identity frameworks and providers, strong-authentication service providers, secondary-factor channel providers, PKI and certificate-management services, vulnerability-management networks, fraud detection, identity-proofing services that are deployed by credit bureaus, and so on. These services provide much-needed capabilities to compose a strong-authentication system without compromising overall and individual security and usability. However, the same integration-security concerns remain, such that any one weak link in the connected-systems architecture will compromise the overall security posture. Organizations must ensure that service providers provide the flexibility to deliver varying levels of strong authentication to meet required security policies, whether via identity federation or delegation. Extra attention must be focused on ensuring appropriate levels of authentication strength for different user communities in a multitenancy model. Thus, the focus on authentication systems becomes one of the primary evaluation factors for organizations that are looking to adopt cloud-based services.

Currently almost all of the cloud companies are providing username/password based authentication (weak authentication) to access the cloud, which carries several flaws. In this paper we are trying to point out various issues and challenges in applying strong remote authentication mechanisms to the access of data, applications and other services from the cloud. We know that in the near future all computing will be called cloud computing, and the security of the cloud is yet to be resolved.

Actually, cloud authentication is remote authentication. Obviously the greater and greater mass of sensitive data stored in the cloud, a corporate database, has to be protected properly: once, operations took place on site and the authentication (recognition, we'd better say) of the user was easy; now the service provider and the service user (commonly addressed as server and client in Web language) interact without ever seeing or meeting each other, and the problem of trustful, reciprocal recognition is quite huge. Privacy and security concerns are strong both for corporations (whose private data are related to their business activities) and public administrations (PA, whose sensitive data imply strong privacy concerns for the citizens they represent and serve). Moreover, for a big company with many employees the control of their rights over certain data is a strict necessity: not all of the research-lab database should be browsable through the Web, nor possibly accessible by all insiders, but it is going to be used and administered only by a few authorized users who must be able to prove their rights beyond doubt to the system daemon before they can interact with it.

Authentication Schemes that can be applied to Cloud

1.1 Scheme I (Identity Metasystems)

In the basic authentication process, the entity that requires authentication presents credentials, usually an account ID and some additional information, to prove that the request is coming from the legitimate owner of the ID. This is a straightforward process that has been in use for decades. The basic logic behind password-based security is that an authorized user can keep and remember a secret, and that secret, in turn, is used to authenticate the identity of the authorized user for access to a particular system. Many known weaknesses exist in password-based systems. The types of attacks can be divided into three categories: technical (brute force), discovery, and social engineering. To counter all these types of attacks, designers have responded with three types of safeguards: password rules, system rules, and training and awareness. In the middle of all of these elements is the construct representing the user-generated password memory aid.

Password rules are either optional or enforced specifications about the length of the password and the variety of the characters that comprise it. The length and variety contribute to the size of the domain set containing all possible passwords (commonly referred to as the keyspace), which increases the difficulty of finding the password by brute force. More sophisticated mechanisms include expiring passwords and forcing password changes, or prescribing the amount of change at password change time. However, the same rules that increase password resistance to brute-force attack directly reduce the ability of a user to remember a password and increase the need for password memory aids, which can lead to discovery patterns. Prevention of easily guessable passwords reduces discovery.

System rules relate to the procedural aspects of gaining access and are enabled in a system. For example, the automatic exclusion of a user after three failed attempts is a system-enforced rule. The reporting of failed access attempts is another system rule designed to improve security. System rules can also have an opposite effect, though. There are systems that will e-mail an unencrypted password back to a user if requested, presenting an opportunity for discovery.
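The password rules and system rules described for Scheme I, as an added example that is not part of the paper: a registration check that enforces length and character variety (and reports the resulting keyspace in bits), a salted slow hash so the server holds no recoverable password to e-mail back, a three-failure lockout, and an audit log of failed attempts. The policy numbers and the user names are constructed for the example.

```python
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass

# Policy values are constructed for this example; the three-attempt lockout
# mirrors the system rule described in the text.
MIN_LENGTH = 12
MIN_CHARACTER_CLASSES = 3
MAX_FAILED_ATTEMPTS = 3
PBKDF2_ITERATIONS = 100_000

CHARACTER_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def classes_used(password: str) -> set:
    """Names of the character classes that appear in the password."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)}


def check_password_rules(password: str) -> list:
    """Return the violated password rules (an empty list means the password is accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes_used(password)) < MIN_CHARACTER_CLASSES:
        problems.append(f"uses fewer than {MIN_CHARACTER_CLASSES} character classes")
    return problems


def keyspace_bits(password: str) -> float:
    """log2 of the keyspace implied by the password's length and character variety:
    a brute-force attacker must search roughly 2**bits candidates."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def _derive(password: str, salt: bytes) -> bytes:
    # Salted, slow hash: the server keeps no recoverable copy of the password,
    # so it cannot e-mail a plaintext password back on request.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failed_attempts: int = 0
    locked: bool = False


class LoginService:
    """Password rules at registration; system rules (lockout and failed-attempt
    reporting) at login."""

    def __init__(self):
        self.accounts = {}
        self.audit_log = []   # failed-attempt reporting

    def register(self, user_id: str, password: str) -> None:
        problems = check_password_rules(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = Account(salt, _derive(password, salt))

    def login(self, user_id: str, password: str) -> bool:
        account = self.accounts.get(user_id)
        if account is None:
            _derive(password, bytes(16))   # same work for unknown IDs, so timing does not reveal valid ones
            self.audit_log.append(f"FAILED login for unknown user {user_id!r}")
            return False
        if account.locked:
            self.audit_log.append(f"REJECTED login for locked account {user_id!r}")
            return False
        if hmac.compare_digest(_derive(password, account.salt), account.digest):
            account.failed_attempts = 0
            return True
        account.failed_attempts += 1
        self.audit_log.append(f"FAILED login for {user_id!r} (attempt {account.failed_attempts})")
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            self.audit_log.append(f"LOCKED account {user_id!r} after {MAX_FAILED_ATTEMPTS} failures")
        return False


if __name__ == "__main__":
    service = LoginService()
    service.register("alice", "Correct-Horse-42")
    print("valid password accepted:", service.login("alice", "Correct-Horse-42"))
    for _ in range(MAX_FAILED_ATTEMPTS):
        service.login("alice", "wrong-guess-1!")
    print("\n".join(service.audit_log))
```

The keyspace figure makes the trade-off in the text concrete: a 16-character password drawn from all four classes is about 105 bits of search space, while a five-letter lowercase one is under 30, which is exactly the kind of password the rules exist to reject. The lockout counter is reset on a successful login, and a locked account rejects even the correct password until an administrator intervenes.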

1.2 Scheme II (Smart-Card Propagation)

With the availability of more complicated smart-card solutions and ecosystem support, smart cards are becoming another form of authentication factor. In addition, many countries and states have already rolled out government-sponsored electronic ID programs to national citizens, where smart-card readers are available and are integrated into authentication systems. Consequently, more physical credentials are adopting smart-card (standard plastic cards embedded with microprocessors and/or integrated circuits) deployments. This represents the case of something you have, or ownership of a physical key; for example, in most cases you don't leave home without them.

A more complicated example is the smart-card system, where a user typically has an ID, a password, and also a time-generated passkey from the smart card which changes every 60 seconds. The authenticating server has the same time-changing numerical sequence as the specific smart card assigned to that ID, and if the ID, password and card-generated number are all correct, authentication is approved. This scheme verifies not just the knowledge of an ID and password, but also possession of the specific smart card assigned to the ID. This is an example of two-factor authentication and is more secure because it requires more items for authentication. Frequently smart cards are combined with passwords for an account to increase security.

The benefits of using a smart card include
• increased security,
• possible user mobility, and
• chronological access to one machine by multiple users.

Two factors contribute to the increased security of smart cards. First, there is a decreased possibility of copying the smart card's private key because it never leaves the card. The smart card uses its on-board CPU to compute the transmitted data's digital signature. In contrast, with a software-based token, the computer decrypts the private key and holds it in memory while the CPU processes it. Second, it's easier to copy a software-based token and to try to break the password at leisure without the user's knowledge. Guessing a card's password is usually unproductive because most cards use their on-board CPU to lock up after several wrong guesses. Using a strong password to protect the software-based token significantly diminishes this second threat; it's almost impossible to break a 16-character password. Fake use of the smart card's private key is less likely because the attacker has to both steal the card and know the user's password or PIN.

However, a smart card-based system doesn't automatically allow user mobility. User mobility is only possible if every machine that the user accesses has a smart card reader attached. The machine must support the same standard smart card reader interfaces or use the same proprietary smart card reader. Similarly, multiple users must all use the same smart card technology to use the same machine in sequence. In spite of their numerous advantages, smart card technology can be expensive.

1.3 Scheme III (Biometrics)

A third form of authentication involves the concept of representing "what you are", or biometrics. Biometrics can take several forms, from fingerprints, face mimic and voice to retinal scans and pupil images; each of these represents different challenges and grants variable security features. The benefit of biometrics is that, as with the smart card, they are the presentation of unique information proving identity, and they cannot be forgotten. However, biometric systems are susceptible to attacks, which can decrease their security. Biometric authentication is vulnerable to the following eight types of attacks. The type 1 attack involves presenting a fake biometric to the sensor. Submitting previously intercepted biometric data constitutes the second type of attack (replay). In the third type of attack, the feature extractor module is compromised to produce feature values selected by the attacker. Real feature values are replaced with ones selected by the attacker in the fourth type of attack. The matcher can be modified to output an unnaturally high matching score in the fifth type of attack. The attack on the template database constitutes the sixth type of attack. The transmission medium between the template database and the matcher is attacked in the seventh type of attack, resulting in the alteration of the transmitted templates. Finally, the matcher result (accept or reject) can be overridden by the attacker.

A form of strong biometric authentication is multimodal biometrics, which uses a combination of different biometric recognition technologies. Multimodal biometric technology uses more than one biometric identifier to compare the identity of the person. The idea is again the same: more than one form of biometric identification is required. By using more than one means of biometric identification, the multimodal biometric identifier can retain high-threshold recognition settings. With this, the probability of accepting an impostor is greatly reduced. The system administrator can then decide the level of security he requires. For a high-security site, they might require all three biometric identifiers to recognise the person, or for a lower-security site, only one or two of the three. Therefore, in the case of a system using, say, three technologies, if one of the technologies is unable to identify, the system can still use the other two to accurately identify. In order for the biometrics to be ultra-secure and to provide more-than-average accuracy, more than one form of biometric identification is required. Hence the need arises for the use of multimodal biometrics.
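The ID, password and 60-second card passkey check of Scheme II, as an added example that is not part of the paper. It assumes the card and the server share a secret provisioned at enrolment and derive the "time-changing numerical sequence" from it with the HOTP/TOTP construction (RFC 4226 and RFC 6238); the server also records the last time window in which a code was accepted, so a passkey captured from one login cannot be replayed within its window. User names, secrets and timestamps are constructed.

```python
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 60   # the passkey changes every 60 seconds, as in the scheme described above
DIGITS = 6


def passkey(card_secret: bytes, now: float) -> str:
    """The card's time-generated passkey: an HMAC over the current 60-second
    counter, truncated to 6 decimal digits (HOTP/TOTP). Server and card share
    card_secret, so both can compute the same sequence."""
    counter = int(now // STEP_SECONDS)
    mac = hmac.new(card_secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{number % 10 ** DIGITS:0{DIGITS}d}"


def _password_digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Two-factor check: knowledge of ID and password, plus possession of the card."""

    def __init__(self):
        self._users = {}

    def enroll(self, user_id: str, password: str, card_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = {
            "salt": salt,
            "digest": _password_digest(password, salt),
            "card_secret": card_secret,
            "last_counter": -1,   # last time window in which a code was accepted
        }

    def authenticate(self, user_id: str, password: str, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        record = self._users.get(user_id)
        if record is None:
            return False
        # Evaluate every factor before deciding, so a rejection does not reveal
        # which factor was wrong.
        password_ok = hmac.compare_digest(_password_digest(password, record["salt"]), record["digest"])
        code_ok = hmac.compare_digest(passkey(record["card_secret"], now), code)
        counter = int(now // STEP_SECONDS)
        # A code is one-time: a correct code already accepted in this window is a replay.
        fresh = counter > record["last_counter"]
        if password_ok and code_ok and fresh:
            record["last_counter"] = counter
            return True
        return False


if __name__ == "__main__":
    secret = secrets.token_bytes(20)       # provisioned onto the card at enrolment
    server = AuthServer()
    server.enroll("alice", "Correct-Horse-42", secret)
    now = time.time()
    print("login:", server.authenticate("alice", "Correct-Horse-42", passkey(secret, now), now))
    print("replay:", server.authenticate("alice", "Correct-Horse-42", passkey(secret, now), now))
```

A real deployment would also tolerate a window or two of clock drift between card and server; this version deliberately accepts only the current window so that the replay rule is easy to see. The `now` parameter exists so the check can be exercised at fixed timestamps.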

1.4 Scheme IV (Combination of Biometrics and Smart Cards)

The combined use of biometrics and smart cards sums the advantages of the two technologies, improving the security of the authentication protocol. A biometric factor and a smart card might be combined with a PIN. So, using a smart card at its best, we could achieve safe encrypted storage for the biometric template, addressing much of the privacy concerns exposed in the previous paragraph and avoiding large on-line databases that attract the attention of all the Web's hackers. Answering the first question we have posed about secure storage and smart cards, we could report more than one technique to interact with the template. If we try to prevent unauthorized accesses, we could use a three-factor authentication protocol that involves even a PIN to primarily unlock the card for the biometric testing. Combining these factors we should have achieved the strongest combination of information needed to provide authentication into a system, and usually we could grant a higher recognition rate. This combination arose as a matter of trustful authentication, but still more than one security caveat could affect the implementation of this kind of system:

I) insert your smart card in a reader or in the USB port of a workstation;
II) enter your secret PIN to unlock the smart card;
III) place your finger on the scanner and have the sample compared to the fingerprint template;
IV) if the data matches, the smart card's secured private key can be used in some way, for example encrypting a nonce sent by the host's application;
V) the application can now verify that a certified key obtained from a valid certificate encrypted its nonce and verify, however, whether the nonce is the same it has sent.

Although this protocol involves all three factors of the trinity (a smart card, a PIN and a finger), none of the readers of this paper would feel safe in using it, because we have no information on its implementation: we don't know how the PIN is used by the host workstation, we do not know where the sample is taken and how it is sent to the smart card, we cannot trust the workstation itself, and we do not know if the reader has been manipulated by third parties. This demonstrates that it's not true at all that using more than one authentication factor leads to strong and certain authentication unless the protocols are strong and secure.

1.5 Scheme V (Remote Authentication I)

A new feature, "Remote Authentication". The motivation behind this feature is simple: users do not want to sign up at every site they visit to post a comment, and site administrators do not want to allow nameless comments due to spam and other factors. Remote Authentication solves this problem by allowing people to log in to a website with their login credentials for another, established service. Remote Authentication ships with support for some websites and accounts. When correctly configured, the Remote Authentication system will allow registered users to log in with their remote account to the website instance. Each login form will include a drop-down box of supported login services. If a user login succeeds, a new account is created for that user, storing their remote username and the service used to authenticate, along with a secure hash of the password. The username for the local account will initially be the username for the remote account; if that username has already been registered with the local website instance, a call is made to custom_uniqueRemoteUsername passing in the username and the service used. This function may return an altered username, and it is up to the webmaster at a given website to write a version of this function that meets their needs. In future, authentication will only be made with the remote server in the case that the user gets their password wrong, in which case the "incorrect" password is checked with the remote service again to see if the "incorrect" password is in fact the new password for that service.

1.6 Scheme VI (Remote Authentication II)

A client workstation provides a login address as an anonymous ftp (file transfer protocol) request, and a password as the user's e-mail address. A destination server compares the user's e-mail address provided as a password to a list of authorized users' addresses. If the user's e-mail address is located on the list of authorized users' addresses maintained by the destination server, the destination server generates a random number and encrypts the random number in an ASCII representation using encryption techniques provided by the Internet Privacy Enhanced Mail (PEM) procedures, using the public key as well. The encrypted random number is stored in a file in the user's anonymous directory. The server further establishes the encrypted random number as a one-time password for the user. The client workstation initiates an ftp request to obtain the encrypted PEM random number as a file transfer (ftp) request from the destination server. The destination server then sends the PEM-encrypted password random number, as an ftp file, over the Internet to the client workstation. The client workstation decrypts the PEM-encrypted file utilizing the user's private RSA key, in accordance with established PEM decryption techniques. The client workstation then provides the destination server with the decrypted random number password, which is sent in the clear over the Internet, to log in to the destination server. Upon receipt of the decrypted random number password, the destination server permits the user to log in to the anonymous directory, thereby completing the user authentication procedure and accomplishing login.
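The Scheme VI exchange with both sides' messages, as an added example that is not part of the paper. The PEM/RSA key pair is stood in for by a constructed textbook RSA key built from two small known primes (no padding, far too small for real use), so the point is the message flow, not the cipher: the server checks the e-mail "password" against its list, mints a random number, encrypts it to the user's public key and drops it in the anonymous directory; the client decrypts it with the private key and sends it back in the clear; the server consumes the pending value on first use, which is what stops the cleartext number from being replayed. Addresses and key material are constructed.

```python
import secrets

# Constructed toy RSA key pair built from two known primes. It stands in for the
# user's PEM/RSA key pair; real keys are thousands of bits and use padding.
P, Q = 1_000_003, 1_000_033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


class DestinationServer:
    def __init__(self, authorized_users):
        # e-mail address -> the user's public key (n, e)
        self.authorized_users = dict(authorized_users)
        self.one_time_passwords = {}   # e-mail -> pending random number (server side only)
        self.anonymous_dirs = {}       # e-mail -> encrypted random number "file"

    def anonymous_ftp_login(self, email: str) -> bool:
        """Anonymous ftp login with the e-mail address as the password: check it
        against the authorized list, mint a random number, encrypt it to the
        user's public key and drop the file in the user's anonymous directory."""
        public_key = self.authorized_users.get(email)
        if public_key is None:
            return False
        n, e = public_key
        random_number = secrets.randbelow(n - 2) + 2   # must be smaller than n
        self.one_time_passwords[email] = random_number
        self.anonymous_dirs[email] = pow(random_number, e, n)
        return True

    def fetch_encrypted_file(self, email: str):
        """The ftp transfer of the encrypted random number to the client."""
        return self.anonymous_dirs.get(email)

    def login_with_password(self, email: str, random_number: int) -> bool:
        """Final login with the decrypted random number, sent in the clear.
        The pending value is consumed on first use, so the same number cannot be
        replayed even though it travelled unencrypted."""
        expected = self.one_time_passwords.pop(email, None)
        return expected is not None and random_number == expected


class ClientWorkstation:
    def __init__(self, email: str, private_key):
        self.email = email
        self.private_key = private_key   # (n, d)

    def decrypt(self, ciphertext: int) -> int:
        n, d = self.private_key
        return pow(ciphertext, d, n)


def run_exchange(server: DestinationServer, client: ClientWorkstation) -> bool:
    """The full Scheme VI message flow; returns whether login was accomplished."""
    if not server.anonymous_ftp_login(client.email):
        return False
    encrypted = server.fetch_encrypted_file(client.email)
    random_number = client.decrypt(encrypted)
    return server.login_with_password(client.email, random_number)


if __name__ == "__main__":
    server = DestinationServer({"alice@example.test": (N, E)})
    alice = ClientWorkstation("alice@example.test", (N, D))
    print("login accomplished:", run_exchange(server, alice))
```

What the exchange proves is possession of the private key that matches the listed address; the e-mail address itself is only a lookup key. The one-time consumption in `login_with_password` is the only thing protecting the final cleartext step, so a server that forgot to clear the pending value would turn a passive capture into a working credential.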

Conclusion

So, it appears that a user-authentication system for consumer communities on the Web is growing beyond the traditional database-driven and/or directory-driven component of a Web application. The overall architecture might include additional aspects, such as a layered system that is driven by risk-based analytics, which enables an adaptive authentication system, consumer-identity metasystems, and mobile devices. More importantly, implementing strong user authentication often is not a straightforward task, as projects have myriad options from which to choose, a huge number of trade-offs to consider, and a cluster of intricacies to manage. Implementation approaches for strong authentication span a full spectrum that ranges from highly integrated and interconnected/dependent to simple extensions of existing stand-alone architectures. Also, just the same as other security initiatives, strong user authentication requires a carefully planned, well-balanced, and concerted approach across the entire IT architecture to ensure a consistently secure environment. However, the design of an authentication approach should be weighed against various requirements, such as data-privacy requirements, identity assurance, compliance and auditing, manageability, portability/scalability, and usability. This paper has intended to distill a comprehensive view of strong user authentication by examining its concepts, implementation approaches, challenges and additional concerns at the architectural level, and user-community dynamics.

While existing simple-password-based authentication might continue to work for many consumer-oriented Web sites, its intrinsic vulnerabilities have been identified as security risks for institutions that have higher data-privacy requirements. To ease the risk of online identity fraud, organizations look to strong user authentication as the solution for improving their Web-based authentication systems. With the growing acceptance of cloud-based services, the rising trend of moving data and services into the cloud also necessitates methodical planning, for organizations that have higher data-confidentiality requirements, to ensure secure access for authorized users over the Internet. And while attack methods gain maturity and sophistication, the future outlook for strong user authentication is set for many ground-breaking developments.
