
Assessment of Strong User Authentication Schemes in Cloud based Computing

Mohit Mathur, Nitin Saraswat
Sr. Lecturer, Department of IT & CS, Jagan Institute of Management Studies (Affiliated to GGSIP University, New Delhi), Rohini, Delhi, India.

Studies indicate that digital identity fraud is still on the rise and is increasing in complexity (that is, "phishing", "man-in-the-middle", DNS poisoning, malware, social engineering, and so on). With the trend of moving data and services into the Web and cloud-based platforms, the management and control of access to confidential and sensitive data is becoming more than verifying simple user credentials at the onset of a user session for one application. One of the most used methods today is gaining account access by stealing reusable credentials for Web sites that have not yet implemented "strong" user authentication. This is so because the most common forms of credentials today are knowledge-based (user ID and password) and are requested only once during sign-on, which provides a higher level of convenience to users but also requires less effort for attackers to exploit. Many attacks are evident as "phishing" messages that masquerade as ones sent by legitimate organizations and contain URLs that point to fraudulent Web sites that have the same appearance as genuine ones. Often they act as a "man-in-the-middle" and eventually do forward visitors to the actual Web sites; but, in the process, they have captured valid credentials that can be used to gain access to actual accounts. The question is whether you can really afford the cloud if you can't prevent unauthorized access to your data, which will be far more expensive to your business in terms of regulatory breach or reputation damage in the long run. In a shared pool outside the enterprise, you don't have any knowledge or control of where the resources run or where your data is being stored. This paper emphasizes the authentication aspect of security in the cloud computing environment and some suggested solutions for it.
The Authentication in a Cloud Environment guide identified that simple-password authentication is insufficient for ensuring authorized access to important cloud services.

It looks as though soon all computing will be called cloud computing, just because the cloud is "in". The term 'cloud computing' means: outsourced, pay-as-you-go, on-demand, somewhere in the internet, etc. Cloud computing is an emerging computing pattern where data and services reside in massively scalable data centers and can be universally accessed from any connected device over the internet. It is virtual, scalable, efficient, and flexible. Cloud computing is the technology in which the web is replacing the desktop. It provides services on virtual machines allocated on top of a large physical machine pool. It is a method to address scalability and availability concerns for large-scale applications. It is totally democratized distributed computing. It includes large-scale data processing and cluster management. It is a virtualized server pool. It is an emerging approach to shared infrastructure in which large pools of systems are linked together to provide IT services. The computing resources being accessed are typically owned and operated by a third-party provider on a consolidated basis in data center locations. Target consumers are not concerned with the underlying technologies used to achieve the increase in server capability, which is sold as a service available on demand. The greatest advantage of cloud computing is that it easily handles peak load situations without the need for additional hardware infrastructure that most of the time remains underutilized. Physically, the resources might span multiple computers or even multiple data centers. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It's called cloud computing, and it could change the entire computer industry.
From a user-authentication perspective, moving data into the cloud and integrating cloud-based services should be implemented with the same level of overall effective authentication strength as the enterprise viewpoint of authentication architecture. However, organizations have significantly less control over the authentication strengths of the interdependent cloud-based services of their counterparts/partners. For example, the overall security posture of the resulting interconnected architecture can be compromised if the integrated services themselves have comparatively lower-strength authentication systems in place. Extra attention must be focused on ensuring appropriate levels of authentication strength for different user communities in a multitenancy model, without compromising overall and individual security and usability. Organizations must ensure that service providers provide the flexibility to deliver varying levels of strong authentication to meet required security policies. Thus, the focus on authentication systems becomes one of the primary evaluation factors for organizations that are looking to adopt cloud-based services.

From a capabilities perspective, many of the authentication architecture components are being deployed as cloud-based services, for example identity-proofing services that are deployed by credit bureaus, PKI and certificate-management services, strong-authentication service providers, secondary-factor channel providers, consumer-identity frameworks and providers, vulnerability-management networks, fraud detection, and so on. These services provide much-needed capabilities to compose a strong-authentication system, whether via identity federation or delegation. However, the same integration-security concerns remain, such that any one weak link in the connected-systems architecture will compromise the overall security posture.

We know that in the near future all computing will be called cloud computing, and since the security of a cloud is yet to be resolved, in this paper we are trying to point out various issues and challenges in applying a strong remote authentication mechanism to the access of data, applications and other services from the cloud. Actually, cloud authentication is remote authentication. Currently almost all of the cloud companies are providing username/password based authentication (weak authentication) to access the cloud, which carries several flaws. Obviously the greater and greater mass of sensitive data stored on the cloud in a corporate database has to be protected properly: once, operations took place on site and the authentication (recognition, we'd better say) of the user was easy; now the service provider and the service user (commonly addressed as server and client in web language) interact without ever seeing or meeting each other, and the problem of trustful, reciprocal recognition is quite huge: privacy and security concerns are strong both for corporates (whose private data are related to their business activities) and public administrations (PA, whose sensitive data imply strong privacy concerns for the citizens they represent and serve). Moreover, for a big company with many employees the control of their rights over certain data is a strict necessity: it is easy to guess that not all of the research-lab database should be browsable through the web, nor possibly accessible by all insiders, but it is going to be used and administrated only by a few authorized users who must be able to prove their rights beyond doubt to the system daemon before they can interact with it.

1. Authentication Schemes that can be applied to Cloud

1.1 Scheme I (Identity Metasystems)

In the basic authentication process, the entity that requires authentication presents credentials, usually an account ID and some additional information, to prove that the request is coming from a legitimate owner of the ID. This is a straightforward process that has been in use for decades. The basic logic behind password-based security is that an authorized user can keep and remember a secret. And that secret, in turn, is used to authenticate the identity of the authorized user for access to a particular system. Many known weaknesses exist in password-based systems. The types of attacks can be divided into three categories: technical (brute force), discovery, and social engineering. To counter all these types of attacks, designers have responded with three types of safeguards: password rules, system rules, and training and awareness.

Password rules are either optional or enforced specifications about the length of the password and the variety of the characters that comprise it. The length and variety contribute to the size of the domain set containing all possible passwords (commonly referred to as the keyspace), which increases the difficulty of brute-force detection of the password. Prevention of easily guessed passwords reduces discovery. More sophisticated mechanisms include expiring passwords and the forcing of password changes, or prescribing the amount of change at password change time, as small changes can lead to discovery patterns. The same rules that increase password resistance to brute force attack, however, directly reduce the ability of a user to remember a password and increase the need for password memory aids. In the middle of all of these elements is the construct representing the user-generated password memory aid.

System rules relate to the procedural aspects of gaining access and are enabled in a system. For example, the automatic exclusion of a user after three failed attempts is a system-enforced rule. The reporting of failed access attempts is another system rule designed to improve security. System rules can also have an opposite effect, though. There are systems that will email an unencrypted password back to a user if requested, presenting an opportunity for discovery.

1.2 Scheme II (Smart-Card Propagation)

With the availability of more complicated smart-card solutions and ecosystem support, more physical credentials are adopting smart-card (standard plastic cards embedded with microprocessors and/or integrated circuits) deployments. Many countries and states already have rolled out government-sponsored electronic ID programs to national citizens. Consequently, where smart-card readers are available and are integrated into authentication systems, smart cards are becoming another form of authentication factor. This represents the case of something you have, or ownership of a physical key. A more complicated example is the smartcard system, where a user typically has an ID, a password, and also a time-generated passkey from the smart card which changes every 60 seconds. The authenticating server has the same time-changing numerical sequence as the specific smart card assigned to that ID, and if the ID, password and card-generated number are all correct, authentication is approved. This scheme verifies not just the knowledge of an ID and password, but also possession of the specific smart card assigned to the ID. This is an example of two-factor authentication and is more secure because it requires more items for authentication. Frequently smartcards are combined with passwords for an account to increase security.

The benefits of using a smart card include
• increased security,
• possible user mobility, and
• chronological access to one machine by multiple users.

Two factors contribute to the increased security of smart cards. First, there is a decreased possibility of copying the smart card's private key because it never leaves the card. The smart card uses its on-board CPU to compute the transmitted data's digital signature. In contrast, with a software-based token, the computer decrypts the private key and holds it in memory while the CPU processes it. Second, fake use of the smart card's private key is less likely because the attacker has to both steal the card and know the user's password or PIN. Guessing a card's password is usually unproductive because most cards use their on-board CPU to lock up after several wrong guesses. It's easier to copy a software-based token and to try to break the password at leisure without the user's knowledge. Using a strong password to protect the software-based token significantly diminishes this second threat. It's almost impossible to break a 16-character password. However, a smart card-based system doesn't automatically allow user mobility. User mobility is only possible if every machine that the user accesses has a smart card reader attached. The machine must support the same standard smart card reader interfaces or use the same proprietary smart card reader. Similarly, multiple users must all use the same smart card technology to use the same machine in sequence. In addition, smart card technology can be expensive.

1.3 Scheme III (Biometrics)

A third form of authentication involves the concept of representing "what you are", or biometrics. The idea is again the same as in the smartcard: the presentation of unique information proving identity. Biometrics can take several forms, for example from fingerprints to retinal scans to pupil images. The benefit of biometrics is that in most cases you don't leave home without them, and they cannot be forgotten. In spite of their numerous advantages, biometric systems are susceptible to attacks, which can decrease their security. Biometric authentication is vulnerable to the following eight types of attacks. A type 1 attack involves presenting a fake biometric to the sensor. Submitting previously intercepted biometric data constitutes the second type of attack (replay). In the third type of attack, the feature extractor module is compromised to produce feature values selected by the attacker. Real feature values are replaced with the ones selected by the attacker in the fourth type of attack. The matcher can be modified to output an unnaturally high matching score in the fifth type of attack. The attack on the template database constitutes the sixth type of attack. The transmission medium between the template database and the matcher is attacked in the seventh type of attack, resulting in the alteration of the transmitted templates. Finally, the matcher result (accept or reject) can be overridden by the attacker.

Hence the need arises for the use of multimodal biometrics. A form of strong biometric authentication, multimodal biometrics uses a combination of different biometric recognition technologies, that is, more than one biometric identifier to compare the identity of the person. In order for the biometrics to be ultra-secure and to provide more-than-average accuracy, more than one form of biometric identification is required. By using more than one means of biometric identification, the multimodal biometric identifier can retain high-threshold recognition settings. The system administrator can then decide the level of security he requires. For a high-security site, they might require all three biometric identifiers to recognise the person, or for a lower-security site, only one or two of the three. Therefore, in the case of a system using, say, three technologies, i.e. face, mimic and voice, if one of the technologies is unable to identify, the system can still use the other two to accurately identify. With this the probability of accepting an impostor is greatly reduced.
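The server-side check of Scheme II (ID, password and the card's 60-second number must all be correct), combined with the three-failure lockout system rule from Scheme I, as an added example that is not code from the paper. It assumes the card's number is an HMAC-based time code (TOTP-style) over a secret shared with the server, since the paper does not say which algorithm the card uses, and a salted SHA-256 password hash stands in for a proper slow KDF.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	stepSeconds = 60 // the card's number changes every 60 seconds
	maxFailures = 3  // system rule: exclude the user after three failed attempts
)

// Account is the server-side record for one ID (constructed example).
type Account struct {
	ID       string
	Salt     []byte
	PassHash []byte // sha256(salt || password); a slow KDF such as scrypt is preferable
	CardKey  []byte // secret shared only between the assigned card and the server
	Failures int
	Locked   bool
}

func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// cardCode is the six-digit number the card shows during the 60-second window containing
// unix time t. Assumed: an HMAC-SHA1 time code (TOTP-style); the paper names no algorithm.
func cardCode(key []byte, t int64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], uint64(t/stepSeconds))
	mac := hmac.New(sha1.New, key)
	mac.Write(counter[:])
	sum := mac.Sum(nil)
	off := sum[len(sum)-1] & 0x0f // dynamic truncation offset
	v := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", v%1000000)
}

func NewAccount(id, password string, salt, cardKey []byte) *Account {
	return &Account{ID: id, Salt: salt, PassHash: hashPassword(salt, password), CardKey: cardKey}
}

// Authenticate approves the login only when ID, password and card number are all correct.
// It accepts the current window and the previous one to tolerate clock drift, and locks
// the account after maxFailures consecutive failures.
func (a *Account) Authenticate(id, password, code string, now int64) bool {
	if a.Locked || id != a.ID {
		return false
	}
	passOK := subtle.ConstantTimeCompare(hashPassword(a.Salt, password), a.PassHash) == 1
	codeOK := false
	for _, t := range []int64{now, now - stepSeconds} {
		if subtle.ConstantTimeCompare([]byte(cardCode(a.CardKey, t)), []byte(code)) == 1 {
			codeOK = true
		}
	}
	if passOK && codeOK {
		a.Failures = 0
		return true
	}
	a.Failures++
	a.Locked = a.Failures >= maxFailures
	return false
}

func main() {
	acct := NewAccount("alice", "correct horse battery", []byte("salt-1234"), []byte("card-secret"))
	now := time.Now().Unix()
	fmt.Println("valid login:", acct.Authenticate("alice", "correct horse battery", cardCode(acct.CardKey, now), now))
}
```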

1.4 Scheme IV (Combination of Biometrics and Smart Cards)

The combined use of biometrics and smart cards sums the advantages of the two technologies, to the benefit of the security of the authentication protocol. Using a biometric factor, if we try to prevent unauthorized accesses, we could grant a higher recognition rate. Answering the first question we have posed, talking about secure storage and smart cards, we could report more than one technique to interact with the template; each of these represents different challenges and grants variable security features. So, using a smart card at its best, we could achieve safe encrypted storage for the biometric template, addressing much of the privacy concerns exposed in the previous paragraph and avoiding large on-line databases that attract the attention of all the Web's hackers. A smart card might be combined with a PIN: we could use a three-factor authentication protocol that involves even a PIN to primarily unlock the card for the biometric testing. Combining these factors we should have achieved the strongest combination of information needed to provide authentication into a system:

I) insert your smart card in a reader or in the USB port of a workstation;
II) enter your secret PIN to unlock the smart card;
III) place your finger on the scanner and have the sample compared to the fingerprint template;
IV) if the data matches, the smart card's secured private key could be used in some way, for example encrypting a nonce sent by the host's application;
V) the application can now verify that a certified key obtained from a valid certificate encrypted its nonce and verify, using the public key as well, whether the nonce is the same it has sent.

This combination rose as a matter of trustful authentication, but still more than one security caveat could affect the implementation of this kind of system, and usually, although this protocol involves all the three factors of the trinity, a smart card, a PIN and a finger, none of the readers of this paper would feel safe in using it, because we have no information on its implementation: we do not know where the sample is taken and how it is sent to the smart card, we don't know how the PIN is used by the host workstation, we cannot trust the workstation itself, and we do not know if the reader has been manipulated by third parties. This demonstrates that it's not true at all that using more than one authentication factor leads to strong and certain authentication, unless the protocols are strong and secure.

1.5 Scheme V (Remote Authentication I)

A new feature, "Remote Authentication". The motivation behind this feature is simple: users do not want to sign up at every site they visit to post a comment, and site administrators do not want to allow nameless comments due to spam and other factors. Remote Authentication solves this problem by allowing people to log in to a website with their login credentials for another, established service. Remote Authentication ships with support for some websites and accounts. When correctly configured, the Remote Authentication system will allow registered users to log in with their remote account to the website instance. Each login form will include a drop-down box of supported login services. If a user login succeeds, a new account is created for that user, storing their remote username and the service used to authenticate, along with a secure hash of the password. The username for the local account will initially be the username for the remote account; however, if that username has already been registered with the local website instance, a call is made to custom_uniqueRemoteUsername passing in the username and the service used. This function may return an altered username, and it is up to the webmaster at a given website to write a version of this function that meets their needs. In future, authentication will only be made with the remote server in the case that the user gets their password wrong, in which case the "incorrect" password is checked with the remote service again to see if the "incorrect" password is in fact the new password for that service.

1.6 Scheme VI (Remote Authentication II)

A client workstation provides a login address as an anonymous ftp (file transfer protocol) request, and a password as the user's e-mail address, to log in to the destination server. The destination server compares the user's e-mail address provided as a password to a list of authorized users' addresses. If the user's e-mail address is located on the list of authorized users' addresses maintained by the destination server, the destination server generates a random number, and encrypts the random number in an ASCII representation using encryption techniques provided by the Internet Privacy Enhanced Mail (PEM) procedures. The server further establishes the encrypted random number as a one-time password for the user. The encrypted random number is stored in a file in the user's anonymous directory. The destination server then sends the PEM-encrypted password random number, as an ftp file, over the Internet to the client workstation. The client workstation initiates an ftp request to obtain the encrypted PEM random number as a file transfer (ftp) request from the destination server. The client workstation decrypts the PEM-encrypted file utilizing the user's private RSA key, in accordance with established PEM decryption techniques. The client workstation then provides the destination server with the decrypted random number password, which is sent in the clear over the Internet. Upon receipt of the decrypted random number password, the destination server permits the user to log in to the anonymous directory, thereby completing the user authentication procedure and accomplishing login.
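Steps I to V of the Scheme IV protocol as an added example, not the paper's code: PIN unlock with a lock-up after wrong guesses, on-card template match, and only then the card's private key applied to the host's nonce and checked with the certified public key. Assumed: an Ed25519 signature stands in for the paper's "encrypting a nonce" with the private key, and a hash-equality match on a byte sample stands in for a real fingerprint matcher.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

const maxPINTries = 3 // the card blocks itself after three wrong PINs

// SmartCard models the card (constructed example). The PIN hash, the fingerprint template
// and the private key never leave the card; the host only learns the certified public key.
type SmartCard struct {
	pinHash, template [32]byte
	priv              ed25519.PrivateKey
	Pub               ed25519.PublicKey
	unlocked, blocked bool
	pinTries          int
}

// NewSmartCard enrols the PIN and a fingerprint template. Assumed: matching is a hash
// equality on a byte sample, standing in for a real fingerprint matcher.
func NewSmartCard(pin string, fingerprint []byte) (*SmartCard, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	c := &SmartCard{priv: priv, Pub: pub}
	c.pinHash, c.template = sha256.Sum256([]byte(pin)), sha256.Sum256(fingerprint)
	return c, nil
}

// UnlockWithPIN is step II of the protocol.
func (c *SmartCard) UnlockWithPIN(pin string) bool {
	h := sha256.Sum256([]byte(pin))
	if !c.blocked && subtle.ConstantTimeCompare(h[:], c.pinHash[:]) == 1 {
		c.unlocked, c.pinTries = true, 0
		return true
	}
	c.pinTries++
	c.blocked = c.blocked || c.pinTries >= maxPINTries
	return false
}

// SignNonce is steps III and IV: the sample is matched on-card, and only then is the private
// key applied to the host's nonce. A signature stands in for the paper's "encrypting a nonce".
func (c *SmartCard) SignNonce(sample, nonce []byte) ([]byte, error) {
	if c.blocked || !c.unlocked {
		return nil, errors.New("card is locked")
	}
	h := sha256.Sum256(sample)
	if subtle.ConstantTimeCompare(h[:], c.template[:]) != 1 {
		return nil, errors.New("sample does not match template")
	}
	return ed25519.Sign(c.priv, nonce), nil
}

// NewNonce is the host's fresh challenge; a reused nonce would let a captured response replay.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// VerifyResponse is step V: the certified key must have signed exactly the nonce the host sent.
func VerifyResponse(pub ed25519.PublicKey, sentNonce, sig []byte) bool {
	return ed25519.Verify(pub, sentNonce, sig)
}

func main() {
	card, _ := NewSmartCard("4821", []byte("enrolled-fingerprint"))
	nonce, _ := NewNonce()
	card.UnlockWithPIN("4821")
	sig, err := card.SignNonce([]byte("enrolled-fingerprint"), nonce)
	fmt.Println(err, VerifyResponse(card.Pub, nonce, sig))
}
```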
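The Scheme VI exchange as an added example, not the paper's code, with the server and the client workstation written as functions. Assumed: RSA-OAEP with SHA-256 and a PEM text block stand in for the PEM encryption procedures the paper names, and the server consumes the one-time password on first presentation, because the decrypted value travels in the clear.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
)

// Server keeps the list of authorized e-mail addresses, each with that user's public
// key, and the outstanding one-time password per user (constructed example).
type Server struct {
	authorized map[string]*rsa.PublicKey
	pending    map[string][]byte
}

func NewServer() *Server {
	return &Server{authorized: map[string]*rsa.PublicKey{}, pending: map[string][]byte{}}
}

func (s *Server) Authorize(email string, pub *rsa.PublicKey) { s.authorized[email] = pub }

// Challenge is the server's first step: the e-mail address given as the "password" is looked
// up; if listed, a random number is drawn, encrypted to the user's key and returned armoured.
func (s *Server) Challenge(email string) ([]byte, error) {
	pub, ok := s.authorized[email]
	if !ok {
		return nil, errors.New("address is not on the authorized list")
	}
	otp := make([]byte, 16)
	if _, err := rand.Read(otp); err != nil {
		return nil, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, otp, []byte(email))
	if err != nil {
		return nil, err
	}
	s.pending[email] = otp // the encrypted number is now the user's one-time password
	return pem.EncodeToMemory(&pem.Block{Type: "ONE-TIME PASSWORD", Bytes: ct}), nil
}

// ClientDecrypt is the workstation's step: the fetched file is decrypted with the user's
// private RSA key, so only the holder of that key can recover the number.
func ClientDecrypt(priv *rsa.PrivateKey, email string, armored []byte) (string, error) {
	block, _ := pem.Decode(armored)
	if block == nil {
		return "", errors.New("no PEM block in file")
	}
	otp, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, block.Bytes, []byte(email))
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(otp), nil
}

// Login is the final step. The number arrives in the clear, so it is consumed on first use:
// presenting a captured copy a second time must not open the anonymous directory again.
func (s *Server) Login(email, otpHex string) bool {
	want, ok := s.pending[email]
	if !ok {
		return false
	}
	delete(s.pending, email)
	got, err := hex.DecodeString(otpHex)
	return err == nil && subtle.ConstantTimeCompare(want, got) == 1
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	srv := NewServer()
	srv.Authorize("user@example.com", &priv.PublicKey)
	file, _ := srv.Challenge("user@example.com")
	otp, _ := ClientDecrypt(priv, "user@example.com", file)
	fmt.Println("login:", srv.Login("user@example.com", otp), "replay:", srv.Login("user@example.com", otp))
}
```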

Conclusion

So, it appears that a user-authentication system for consumer communities on the Web is growing beyond the traditional database-driven and/or directory-driven component of a Web application. While existing simple-password-based authentication might continue to work for many consumer-oriented Web sites, its intrinsic vulnerabilities have been identified as security risks for institutions that have higher data-privacy requirements. To ease the risk of online identity fraud, organizations look to strong user authentication as the solution for improving their Web-based authentication systems. However, implementing strong user authentication often is not a straightforward task, as projects have myriad options from which to choose, a huge number of trade-offs to consider, and a cluster of intricacies to manage. Building a strong user-authentication architecture requires focus beyond just improving the credential-verification component. The overall architecture might include additional aspects, such as a layered system that is driven by risk-based analytics, which enables an adaptive authentication system. Implementation approaches for strong authentication span a full spectrum that ranges from highly integrated and interconnected/dependent to simple extensions of existing stand-alone architectures. Also, for organizations that have higher data-confidentiality requirements, the design of an authentication approach should be weighed against various requirements, such as data, identity assurance, compliance and auditing, manageability, portability/scalability, and usability. More importantly, just the same as other security initiatives, strong user authentication also requires a carefully planned, well-balanced, and concerted approach across the entire IT architecture to ensure a consistently secure environment. With the growing acceptance of cloud-based services, consumer-identity metasystems, and mobile devices, while attack methods gain maturity and sophistication, the future outlook for strong user authentication is set for many ground-breaking developments. The rising trend of moving data and services into the cloud also necessitates methodical planning to ensure secure access for authorized users over the Internet. This paper has intended to distill a comprehensive view of strong user authentication by examining its concepts, implementation approaches, challenges and additional concerns at the architectural level, and user-community dynamics.