Proximity-Based Multi-Channel Authentication Method
Abstract
Critical infrastructure (CI) systems are increasingly common today, and some of their features are exposed via the internet for remote use. Such exposure, however, involves risks that can cause serious damage to CI. An alternative is to consider the user's location as an authentication attribute, blocking remote attackers. However, the location-based authentication techniques found in the literature are forgeable. This work proposes a method based on proximity, requiring the user to be close to reference devices (anchors). The proposed method makes it possible to communicate authentication attributes over different channels, such as optical media and wireless networks. A prototype of the proposed method was implemented and evaluated in terms of security and performance requirements.
Published
02/09/2019
How to Cite
MENGATO, Ronaldo; SANTIN, Altair; ABREU, Vilmar; BORCHARDT, Mauro. Método de Autenticação Multi-canal Baseado em Proximidade. In: SIMPÓSIO BRASILEIRO DE SEGURANÇA DA INFORMAÇÃO E DE SISTEMAS COMPUTACIONAIS (SBSEG), 19., 2019, São Paulo. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2019. p. 267-280. DOI: https://doi.org/10.5753/sbseg.2019.13977.