Auth4App: Protocols for Identification and Authentication using Mobile Applications
Abstract
The increasing adoption of mobile applications as a means of user authentication is revealing new security challenges and opportunities. In order to modernize their physical identification and authorization procedures (e.g., access turnstiles), some institutions have adopted static QR codes generated from simple, static user data, such as a national citizen identification number. This procedure is easy to implement and verify, but it represents a critical security vulnerability: because the code never changes, a copy of it is as good as the original. To address this issue, we propose Auth4App, a set of protocols for identification and authentication using mobile applications. Auth4App has two main protocols, one for binding user credentials to the mobile device (i.e., identification) and another for generating one-time authentication codes (OTACs). Both protocols were formally verified using Scyther, an automated verification tool. Based on the automated analysis, our results show that the Auth4App protocols are robust and meet the relevant security criteria. Our prototype simulates access control using electronic turnstiles and was developed to show how our solution works and to assess its deployment feasibility. The results show that Auth4App enables accurate user authentication at a low computational cost.
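The contrast the abstract draws, as an added illustration that is not the Auth4App protocols themselves (the abstract does not specify their messages): a static QR payload built from an identifier, which a turnstile accepts on every presentation, beside a one-time code derived from a key bound to the device at identification time and a monotonic counter, which a verifier accepts once. The HMAC-SHA256-over-counter construction, the payload format and the sample identifier are assumptions made for the example.

```python
import hashlib
import hmac
import struct

def static_qr_payload(national_id: str) -> str:
    # Legacy scheme: the QR payload is just the static identifier (constructed format).
    return "ID:" + national_id

class StaticVerifier:
    """Turnstile check for the legacy scheme: any copy of the payload is accepted forever."""

    def __init__(self, enrolled_ids):
        self.enrolled = set(enrolled_ids)

    def verify(self, payload: str) -> bool:
        return payload.startswith("ID:") and payload[3:] in self.enrolled

def otac(key: bytes, counter: int) -> str:
    # One-time code: HMAC-SHA256 over a counter under a device-bound key (assumed design).
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    return mac[:8].hex()

class OtacVerifier:
    """Server side: per-device key from the identification phase; each counter is accepted once."""

    def __init__(self):
        self.devices = {}  # device_id -> [key, highest_counter_seen]

    def enroll(self, device_id: str, key: bytes) -> None:
        self.devices[device_id] = [key, 0]

    def verify(self, device_id: str, counter: int, code: str) -> bool:
        entry = self.devices.get(device_id)
        if entry is None or counter <= entry[1]:
            return False  # unknown device, or a replayed / stale code
        if not hmac.compare_digest(otac(entry[0], counter), code):
            return False
        entry[1] = counter  # burn the counter so the same code cannot be presented again
        return True

def replay_results():
    # Present the same credential twice to each verifier; returns (static, otac) outcomes.
    static = StaticVerifier(["12345678900"])  # constructed sample identifier
    qr = static_qr_payload("12345678900")
    key = b"\x01" * 32  # constructed enrolment key; a real one is random and device-bound
    server = OtacVerifier()
    server.enroll("phone-A", key)
    fresh = ("phone-A", 1, otac(key, 1))  # what the enrolled app would show at the turnstile
    return (static.verify(qr), static.verify(qr)), (server.verify(*fresh), server.verify(*fresh))
```

`replay_results()` returns `((True, True), (True, False))`: the static payload passes both times, the one-time code only the first time.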