
Assessment of Strong User Authentication Schemes in Cloud based Computing

Mohit Mathur, Nitin Saraswat
Sr. Lecturer, Department of IT & CS, Jagan Institute of Management Studies (Affiliated to GGSIP University, New Delhi), Rohini, Delhi, India.

Studies indicate that digital identity fraud is still on the rise and growing in complexity (phishing, man-in-the-middle attacks, DNS poisoning, malware, social engineering, and so on). With the trend of moving data and services into the Web and cloud-based platforms, managing and controlling access to confidential and sensitive data is becoming more than verifying simple user credentials at the start of a user session for one application. One of the most common methods used today is gaining account access by stealing reusable credentials for Web sites that have not yet implemented "strong" user authentication. This is so because the most common forms of credentials today are knowledge-based (user ID and password) and are requested only once during sign-on, which is convenient for users but also requires less effort for attackers to exploit. Many attacks take the form of "phishing" messages that masquerade as ones sent by legitimate organizations and contain URLs pointing to fraudulent Web sites with the same appearance as the genuine ones. Often they act as a "man-in-the-middle" and eventually forward visitors to the actual Web sites; but in the process they have captured valid credentials that can be used to gain access to the actual accounts. The question is whether you can really afford the cloud if you cannot prevent unauthorized access to your data, which will be far more expensive to your business in terms of regulatory breaches or reputation damage in the long run. In a shared pool outside the enterprise, you have no knowledge or control of where the resources run or where your data is stored. This paper emphasizes the authentication aspect of security in the cloud computing environment and suggests some solutions for it.

The "Authentication in a Cloud Environment" guide identified that simple-password authentication is insufficient for ensuring authorized access to important cloud services.

It seems that soon all computing will be called cloud computing, just because the cloud is "in". The term "cloud computing" means: outsourced, pay-as-you-go, on-demand, somewhere in the Internet, etc. Cloud computing is an emerging computing pattern where data and services reside in massively scalable data centers and can be universally accessed from any connected device over the Internet. It is virtual, scalable, efficient, and flexible. Cloud computing is the technology in which the Web is replacing the desktop. It provides services on virtual machines allocated on top of a large pool of physical machines. It is a method to address scalability and availability concerns for large-scale applications. It is totally democratized distributed computing. It includes large-scale data processing and cluster management. It is a virtualized server pool. It is an emerging approach to shared infrastructure in which large pools of systems are linked together to provide IT services. The computing resources being accessed are typically owned and operated by a third-party provider on a consolidated basis in data center locations. Target consumers are not concerned with the underlying technologies used to achieve the increase in server capability, which is sold as a service available on demand. The greatest advantage of cloud computing is that it easily handles peak-load situations without the need for additional hardware infrastructure that most of the time remains underutilized. Physically, the resources might span multiple computers or even multiple data centers. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It is called cloud computing, and it could change the entire computer industry.
From a user-authentication perspective, moving data into the cloud and integrating cloud-based services should be implemented with the same level of overall effective authentication strength as the enterprise view of the authentication architecture. However, organizations have significantly less control over the authentication strengths of the interdependent cloud-based services of their counterparts/partners. For example, many of the authentication architecture components are being deployed as cloud-based services: identity-proofing services deployed by credit bureaus, consumer-identity frameworks and providers, secondary-factor channel providers, fraud detection, vulnerability-management networks, strong-authentication service providers, PKI and certificate-management services, and so on. These services provide much-needed capabilities to compose a strong-authentication system, whether via identity federation or delegation. However, the same integration-security concerns remain, such that any one weak link in the connected-systems architecture will compromise the overall security posture. Organizations must ensure that service providers offer the flexibility to deliver varying levels of strong authentication to meet the required security policies, without compromising overall and individual security and usability. From a capabilities perspective, the overall security posture of the resulting interconnected architecture can be compromised if the integrated services themselves have comparatively lower-strength authentication systems in place. Extra attention must be paid to ensuring appropriate levels of authentication strength for different user communities in a multitenancy model. Thus, the focus on authentication systems becomes one of the primary evaluation factors for organizations that are looking to adopt cloud-based services.

We know that in the near future all computing will be called cloud computing, and the security of the cloud is yet to be resolved. Currently almost all cloud companies provide username/password-based authentication (weak authentication) to access the cloud, which carries several flaws. In this paper we try to point out various issues and challenges in applying strong remote authentication mechanisms to the access of data, applications and other services from the cloud. Cloud authentication is in fact remote authentication. Obviously, with the greater and greater mass of sensitive data stored in the cloud, a corporate database has to be protected properly: once, operations took place on site and the authentication (recognition, we had better say) of the user was easy; now the service provider and the service user (commonly addressed as server and client in Web language) interact without ever seeing or meeting each other, and the problem of trustful, reciprocal recognition is huge. Privacy and security concerns are strong both for corporations (whose private data relate to their business activities) and for public administrations (whose sensitive data imply strong privacy concerns for the citizens they represent and serve). Moreover, for a big company with many employees, control of their rights over certain data is a strict necessity: not all of the research-lab database should be browsable through the Web, nor possibly accessible to all insiders; it is going to be used and administered only by a few authorized users, who must be able to prove their rights beyond doubt to the system daemon before they can interact with it.

Authentication Schemes that can be applied to Cloud

1.1 Scheme I (Identity Metasystems)

In the basic authentication process, the entity requiring authentication presents credentials, usually an account ID and some additional information, to prove that the request is coming from the legitimate owner of the ID. This is a straightforward process that has been in use for decades. Many known weaknesses exist in password-based systems. The basic logic behind password-based security is that an authorized user can keep and remember a secret, and that secret is used to authenticate the identity of the authorized user for access to a particular system. The types of attacks can be divided into three categories: technical (brute force), discovery, and social engineering. To counter all these types of attacks, designers have responded with three types of safeguards: password rules, system rules, and training and awareness. Password rules are either optional or enforced specifications about the length of the password and the variety of the characters that comprise it. The length and variety contribute to the size of the domain set containing all possible passwords (commonly referred to as the keyspace), which increases the difficulty of a brute-force attack. Prevention of easily guessed passwords reduces discovery. More sophisticated mechanisms include expiring passwords and forcing password changes, or prescribing the amount of change at password-change time. System rules relate to the procedural aspects of gaining access and are enabled in a system. For example, automatic user lockout after three failed attempts is a system-enforced rule. The reporting of failed access attempts is another system rule designed to improve security. System rules can also have the opposite effect, though, as they can lead to discovery patterns. There are systems that will e-mail an unencrypted password back to a user if requested, presenting an opportunity for discovery. In the middle of all of these elements is the construct representing the user-generated password memory aid: the same rules that increase password resistance to brute-force attack directly reduce the ability of a user to remember a password and increase the need for password memory aids.

1.2 Scheme II (Smart-Card Propagation)

With the availability of more complicated smart-card solutions and ecosystem support, smart cards are becoming another form of authentication factor. In addition, more physical credentials are adopting smart-card (standard plastic cards embedded with microprocessors and/or integrated circuits) deployments. For example, many countries and states have already rolled out government-sponsored electronic ID programs to their citizens, where smart-card readers are available and are integrated into authentication systems. This represents the case of "something you have", as in the smart card, or ownership of a physical key. Frequently smart cards are combined with passwords for an account to increase security. A more complicated example is the smart-card system, where a user typically has an ID, a password, and also a time-generated passkey from the smart card which changes every 60 seconds. The authenticating server has the same time-changing numerical sequence as the specific smart card assigned to that ID, and if the ID, password and card-generated number are all correct, authentication is approved. This scheme verifies not just the knowledge of an ID and password, but also possession of the specific smart card assigned to the ID. This is an example of two-factor authentication and is more secure because it requires more items for authentication. Two factors contribute to the increased security of smart cards. First, there is a decreased possibility of copying the smart card's private key, because it never leaves the card: the smart card uses its on-board CPU to compute the transmitted data's digital signature. In contrast, with a software-based token, the computer decrypts the private key and holds it in memory while the CPU processes it, which can decrease its security. Second, fraudulent use of the smart card's private key is less likely, because the attacker has to both steal the card and know the user's password or PIN. Guessing a card's password is usually unproductive, because most cards use their on-board CPU to lock up after several wrong guesses. Similarly, it is easier to copy a software-based token and try to break its password at leisure without the user's knowledge; using a strong password to protect the software-based token significantly diminishes this second threat. It is almost impossible to break a 16-character password. The benefits of using a smart card include • increased security, • possible user mobility, and • chronological access to one machine by multiple users. However, a smart-card-based system does not automatically allow user mobility. User mobility is only possible if every machine that the user accesses has a smart-card reader attached. The machine must support the same standard smart-card reader interfaces or use the same proprietary smart-card reader. Consequently, multiple users must all use the same smart-card technology to use the same machine in sequence. In spite of their numerous advantages, smart-card technology can be expensive.
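As an added example (not code from the paper), the server-side check that Scheme II describes, ID plus password plus a passkey that changes every 60 seconds, combined with two of Scheme I's system rules: lockout after three failed attempts and reporting of failed attempts. The card secret is assumed to be shared with the server at enrolment; the HMAC-based passkey derivation, the accounts and the clock values are constructed for illustration.

```python
"""Server-side verification of ID, password and 60-second card passkey."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the passkey changes every 60 seconds (Scheme II)
MAX_FAILURES = 3    # automatic lockout after three failed attempts (Scheme I)


def card_passkey(card_secret: bytes, now: int, digits: int = 6) -> str:
    """Time-generated passkey: HMAC-SHA1 over the current 60-second counter.
    The card and the server compute the same sequence from the shared secret."""
    counter = struct.pack(">Q", now // STEP_SECONDS)
    mac = hmac.new(card_secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash so a stolen table is not a password list."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    def __init__(self):
        self.accounts = {}   # user_id -> salt, pw_hash, card_secret, failures, locked
        self.audit_log = []  # reporting of failed access attempts (system rule)

    def enrol(self, user_id: str, password: str, card_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user_id] = {
            "salt": salt, "pw_hash": hash_password(password, salt),
            "card_secret": card_secret, "failures": 0, "locked": False,
        }

    def _fail(self, user_id: str, reason: str, now: int) -> bool:
        acct = self.accounts.get(user_id)
        if acct is not None:
            acct["failures"] += 1
            if acct["failures"] >= MAX_FAILURES:
                acct["locked"] = True           # user excluded after three failures
        self.audit_log.append((now, user_id, reason))
        return False

    def login(self, user_id: str, password: str, passkey: str, now: int) -> bool:
        acct = self.accounts.get(user_id)
        if acct is None:
            return self._fail(user_id, "unknown id", now)
        if acct["locked"]:
            return self._fail(user_id, "account locked", now)
        pw_ok = hmac.compare_digest(hash_password(password, acct["salt"]), acct["pw_hash"])
        # accept the current step or the previous one to absorb clock drift
        key_ok = any(hmac.compare_digest(passkey, card_passkey(acct["card_secret"], now - d))
                     for d in (0, STEP_SECONDS))
        if not (pw_ok and key_ok):
            # one generic reason: do not reveal which of the items was wrong
            return self._fail(user_id, "bad password or passkey", now)
        acct["failures"] = 0
        return True
```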

1.3 Scheme III (Biometrics)

A third form of authentication involves the concept of representing "what you are", or biometrics. Biometrics can take several forms, from fingerprints to retinal scans, pupil images, facial features and voice. The benefit of biometrics is that, in most cases, you don't leave home without them, and they cannot be forgotten. The idea is again the same: the presentation of unique information proving identity. In order for biometrics to be ultra-secure and to provide more-than-average accuracy, more than one form of biometric identification is required. Hence the need arises for the use of multimodal biometrics. A form of strong biometric authentication, multimodal biometrics uses a combination of different biometric recognition technologies, that is, more than one biometric identifier, to compare the identity of the person. Therefore, in the case of a system using, say, three technologies, if one of the technologies is unable to identify, the system can still use the other two to accurately identify the person. The system administrator can then decide the level of security he requires: for a high-security site, all three biometric identifiers might be required to recognise the person, while for a lower-security site only one or two of the three might be required. By using more than one means of biometric identification, the multimodal biometric identifier can retain high-threshold recognition settings. With this, the probability of accepting an impostor is greatly reduced. In spite of their numerous advantages, biometric systems are susceptible to attacks. Biometric authentication is vulnerable to the following eight types of attack. The first type of attack involves presenting a fake biometric to the sensor. Submitting previously intercepted biometric data constitutes the second type of attack (replay). In the third type of attack, the feature extractor module is compromised to produce feature values selected by the attacker. Real feature values are replaced with ones selected by the attacker in the fourth type of attack. The matcher can be modified to output an unnaturally high matching score in the fifth type of attack. The attack on the template database constitutes the sixth type of attack. The transmission medium between the template database and the matcher is attacked in the seventh type of attack, resulting in the alteration of the transmitted templates. Finally, in the eighth type of attack, the matcher result (accept or reject) can be overridden by the attacker.
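As an added example (not from the paper), the multimodal decision rule described above: each modality reports a similarity score, or nothing when it could not capture or identify, and the administrator chooses how many of the three must match while each modality keeps its own strict threshold. The modality names, thresholds and scores are constructed for illustration.

```python
"""Decision-level fusion for a three-modality biometric system (Scheme III)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Strict per-modality thresholds. The paper's point: with several identifiers
# the administrator can keep high-threshold settings without locking users out.
THRESHOLDS = {"fingerprint": 0.85, "face": 0.80, "voice": 0.75}


@dataclass(frozen=True)
class Policy:
    required_matches: int   # 3 for a high-security site, 1 or 2 for a lower one


# Site levels chosen by the administrator (constructed mapping).
SITE_POLICIES = {"high": Policy(3), "medium": Policy(2), "low": Policy(1)}


def evaluate(scores: Dict[str, Optional[float]], policy: Policy) -> dict:
    """Count the modalities whose score meets their threshold and apply the policy.

    A score of None means the sensor failed or could not identify. It never
    counts as a match, so a 3-of-3 policy refuses when one sensor is down
    instead of silently degrading to 2-of-2; a 2-of-3 policy still succeeds
    on the remaining two, which is the case the paper describes.
    """
    matched: List[str] = []
    rejected: List[str] = []
    unavailable: List[str] = []
    for modality, threshold in THRESHOLDS.items():
        score = scores.get(modality)
        if score is None:
            unavailable.append(modality)
        elif score >= threshold:
            matched.append(modality)
        else:
            rejected.append(modality)
    return {
        "accepted": len(matched) >= policy.required_matches,
        "matched": matched,
        "rejected": rejected,
        "unavailable": unavailable,
    }


def authenticate(scores: Dict[str, Optional[float]], site_level: str) -> bool:
    """Convenience wrapper: decide for a site of the given security level."""
    return evaluate(scores, SITE_POLICIES[site_level])["accepted"]
```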

In future. I) insert your smart card in a reader or in the USB port of a workstation II) enter your secret PIN to unlock the smart card III) place your finger on the scanner and have the sample compared to the fingerprint template IV) if the data matches the smart card secured private key could be use in somewhat way. and a password as a user's e-mail address.database and matcher is attacked in the seventh type of attack. Combining these factors we should had achieved the strongest combination of information needed to provide authentication into a system.5 Scheme V (Remote Authentication I) A new feature “Remote Authentication”. established service. a smart card. So using a smart card at its best we could achieve a safe encrypted storage for the biometric template. If the user's e-mail address is located on the list of authorized users' addresses maintained by the destination server. Remote Authentication ship with support for some website and accounts. 1. we could use a three factor authentication protocols that involves even a PIN to primarily unlock the card for the biometric testing. Each login form will include a drop down box of supported login services. This function may return an altered username. users do not want to sign up at every site they visit to post a comment. This demonstrates that it’s not true at all that using more than an authentication factor could lead to strong and certain authentication unless protocols are strong and secure. and site administrators do not want to allow nameless comments due to spam and other factors. storing their remote username and the service used to authenticate. addressing much of the privacy concerns exposed in the previous paragraph and avoiding large on-line databases appealing the attention of all Web’s hackers. 
A destination server compares the user's e-mail address provided as a password to a list of authorized users' addresses.4 Scheme IV (Combination of Biometrics and Smart Cards) The combined use of biometrics and smart card sums the advantages of the two technologies attractive the security of the authentication protocol. we don’t know how the PIN is used by the host workstation. The server further establishes the encrypted random number as one-time password for the user. 1. . Using a biometric factor. we could grant higher recognition rate. This combination raised as a matter of trustful authentication but still more than a security caveat could affect the implementation of this kind of systems and usually.6 Scheme VI (Remote Authentication II) A client workstation provides a login address as an anonymous ftp (file transfer protocol) request. if that username has already been registered with the local website instance a call is made to custom_uniqueRemoteUsername passing in the username and the service used. a new account is created for that user. a pin and a finger none of the readers of this paper would feel safe in using it because we have no information on its implementation. The destination server then sends 1. we do not know where the sample is taken and how is sent to the smart card. however. the destination server generates a random number. in which case the “incorrect” password is checked with the remote service again to see if the “incorrect” password is in fact the new password for that service. authentication will only be made with the remote server in the case that the user gets their password wrong. Remote Authentication solves this problem by allowing people to login to a website with their login credentials for another. The client workstation initiates an ftp request to obtain the encrypted PEM random number as a file transfer (ftp) request from the destination server. whether the nonce is the same it has sent. using the public key as well. 
and it is up to the webmaster at a given that website to write a version of this function that meets their needs. along with a secure hash of the password. The motivation behind this feature is simple. Answering the first question we have posed talking about secure storage and smart card we could report more than a technique to interact with the template. Although this protocol involves all the three factors of the trinity. we cannot trust the workstation itself and we do not know if the reader has been manipulated by thirds. for example encrypting a nonce sent by the host’s application V) the application can now verify that a certified key obtained from a valid certificate encrypted its nonce and verify. might be combined with a PIN. if we try to prevent unauthorized accesses. If a user login succeeds. Finally. When correctly configured the Remote Authentication system will allow registered and users to login with their remote account to website instance. the matcher result (accept or reject) can be overridden by the attacker. resulting in the alteration of the transmitted templates. each of these represents different challenges and grants variable security features. The encrypted random number is stored in a file as the user's anonymous directory. The username for the local account will be initially the username for the remote account. and encrypts the random number in an ASCII representation using encryption techniques provided by the Internet Privacy Enhanced Mail (PEM) procedures.
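As an added example (not the feature's own code), the Scheme V account flow: first login is checked with the remote service and creates a local account holding a hash of the password; a name clash calls the webmaster's custom_uniqueRemoteUsername; a later local mismatch is re-checked with the remote service in case the password changed there. RemoteService is a constructed stand-in for the established service, and the suffix rule inside custom_uniqueRemoteUsername is an assumed webmaster choice.

```python
"""Remote Authentication (Scheme V): local accounts backed by a remote login."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional


class RemoteService:
    """Constructed stand-in for the established service the user already has."""
    def __init__(self, name: str, users: Dict[str, str]):
        self.name, self.users = name, dict(users)

    def check(self, username: str, password: str) -> bool:
        return self.users.get(username) == password


def custom_uniqueRemoteUsername(username: str, service: str) -> str:
    """Webmaster hook named in the paper; this suffix rule is an assumption."""
    return f"{username}@{service}"


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalSite:
    def __init__(self, services: List[RemoteService]):
        self.services = {s.name: s for s in services}
        self.accounts: Dict[tuple, dict] = {}   # (service, remote user) -> account

    def login(self, service_name: str, username: str, password: str) -> Optional[str]:
        """Return the local username on success, None on failure."""
        service = self.services.get(service_name)
        if service is None:
            return None
        key = (service_name, username)
        acct = self.accounts.get(key)
        if acct is None:
            # first login: authenticate remotely, then create the local account
            if not service.check(username, password):
                return None
            local = username
            if any(a["local"] == local for a in self.accounts.values()):
                local = custom_uniqueRemoteUsername(username, service_name)
            salt = secrets.token_bytes(16)
            self.accounts[key] = {"local": local, "salt": salt, "hash": _hash(password, salt)}
            return local
        if hmac.compare_digest(_hash(password, acct["salt"]), acct["hash"]):
            return acct["local"]
        # locally "incorrect": ask the remote service whether it is the new password
        if service.check(username, password):
            acct["salt"] = secrets.token_bytes(16)
            acct["hash"] = _hash(password, acct["salt"])
            return acct["local"]
        return None
```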

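As an added example (not from the paper), one toy RSA key pair walks through both Scheme IV (the unlocked card signs the application's nonce; the application verifies with the certified public key and checks that the nonce is the one it sent, only once) and Scheme VI (the server encrypts a random number to the user's public key as a one-time password, the client decrypts it and presents it). The primes are fixed Mersenne primes with no padding, the template match is a stand-in for an on-card matcher, and the keys, PIN, template and addresses are constructed: this shows the message flow, not a usable RSA implementation.

```python
"""Nonce challenge-response (Scheme IV) and encrypted one-time password (Scheme VI)."""
import hashlib
import secrets

# Constructed key: p = 2**31-1, q = 2**61-1 (both prime), e = 65537. Toy size only.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))


def rsa_private(m: int) -> int:      # card / client side: the key never leaves the card
    return pow(m, D, N)


def digest_mod_n(data: bytes) -> int:   # hash the nonce down to an RSA-sized integer
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


class HostApplication:
    """Step V: verifies the card's answer with the public key from a valid certificate."""
    def __init__(self, certified_pubkey):
        self.pubkey = certified_pubkey        # (e, n)
        self.outstanding = set()              # nonces this application actually sent

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.outstanding.add(nonce)
        return nonce

    def verify(self, nonce: bytes, signature: int) -> bool:
        if nonce not in self.outstanding:     # not ours, or already used (replay)
            return False
        self.outstanding.discard(nonce)       # each nonce is accepted once
        e, n = self.pubkey
        return pow(signature, e, n) == digest_mod_n(nonce)


class SmartCard:
    """Steps II-IV: PIN unlock, on-card fingerprint match, then sign the nonce."""
    def __init__(self, pin: str, fingerprint_template: bytes):
        self.pin, self.template, self.unlocked = pin, fingerprint_template, False

    def unlock(self, pin: str, fingerprint_sample: bytes) -> bool:
        # equality stands in for a real matcher; the template never leaves the card
        self.unlocked = (pin == self.pin and fingerprint_sample == self.template)
        return self.unlocked

    def sign(self, nonce: bytes) -> int:
        if not self.unlocked:
            raise PermissionError("card locked")
        return rsa_private(digest_mod_n(nonce))


class FtpServer:
    """Scheme VI server: authorized e-mail addresses mapped to the user's public key."""
    def __init__(self, authorized):
        self.authorized, self.pending = dict(authorized), {}

    def anonymous_login(self, email: str):
        """Return the encrypted random number (the 'PEM file'), or None if not authorized."""
        if email not in self.authorized:
            return None
        r = secrets.randbelow(N - 2) + 2
        self.pending[email] = r               # one-time password, kept in clear server-side
        e, n = self.authorized[email]
        return pow(r, e, n)

    def login(self, email: str, otp: int) -> bool:
        expected = self.pending.pop(email, None)   # consumed whether right or wrong
        return expected is not None and otp == expected
```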
Conclusion

So, it appears that a user-authentication system for consumer communities on the Web is growing beyond the traditional database-driven and/or directory-driven component of a Web application. The overall architecture might include additional aspects, such as a layered system that is driven by risk-based analytics, which enables an adaptive authentication system, consumer-identity metasystems, and mobile devices. While existing simple-password-based authentication might continue to work for many consumer-oriented Web sites, its intrinsic vulnerabilities have been identified as security risks for institutions that have higher data-privacy requirements. To ease the risk of online identity fraud, organizations look to strong user authentication as the solution for improving their Web-based authentication systems. However, just the same as other security initiatives, implementing strong user authentication often is not a straightforward task, as projects have myriad options from which to choose, a huge number of trade-offs to consider, and a cluster of intricacies to manage. Implementation approaches for strong authentication span a full spectrum that ranges from highly integrated and interconnected/dependent to simple extensions of existing stand-alone architectures. Building a strong user-authentication architecture requires focus beyond just improving the credential-verification component. More importantly, the design of an authentication approach should be weighed against various requirements, such as data confidentiality, identity assurance, compliance and auditing, manageability, portability/scalability, and usability. With the growing acceptance of cloud-based services, the rising trend of moving data and services into the cloud also necessitates methodical planning to ensure secure access for authorized users over the Internet. However, for organizations that have higher data-confidentiality requirements, strong user authentication also requires a carefully planned, well-balanced, and concerted approach across the entire IT architecture to ensure a consistently secure environment. This paper has intended to distill a comprehensive view of strong user authentication by examining its concepts, implementation approaches, user-community dynamics, and the challenges and additional concerns at the architectural level. While attack methods gain maturity and sophistication, the future outlook for strong user authentication is set for many ground-breaking developments.