(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No.5, May 2016
A BYOD method for enhancing authentication in the cloud environment using elliptic curves Abderrahim Abdellaoui1, Younes Idrissi Khamlichi2, Habiba Chaoui1 1
Systems Engineering Lab, National School of Applied Sciences, Ibn Tofail University Kenitra, Morocco 2 Systems Engineering Lab, National School of Applied Sciences, SMBA University FES, Morocco
[email protected],
[email protected] [email protected]
Abstract— The adoption of cloud computing technology has revolutionized the business world. Many of small and medium-sized businesses around the world rely on cloud services for almost everything. However, this paradigm is nowadays dominated by many issues and challenges, particularly, data security. In this regards, this paper will first address the problem of authentication in the cloud computing, and will then propose an efficient authentication framework which allows enhancing the authentication process using a BYOD method based on Smartphone technology and the Concept of elliptic curves. The experimental results show the efficiency and applicability of this framework and its robustness against common types of attacks. Keywords: Cloud Security, Authentication, BYOD, OTP, Elliptic Curves Introduction
I.
INTRODUCTION
Cloud computing has become widely used during the last decade due to its tremendous economic benefits. It leverages characteristics of its underlying technologies such as distributed system, virtualization, SOA, grid computing to enable resource provisioning by the service provider for its clients. Organizations are attracted to its features such as on-demand selfservice, rapid elasticity. This paradigm is not only beneficial for small and medium businesses, but also for particular customers who are seeking some specific computing resources. However, besides its numerous features and advantages, the cloud has also brought some issues, particularly, security and monitoring. One of its primary security concerns is the weak user authentication. In fact, there is a greater concern for potential compromise of the authentication criteria in the cloud environment by various means, notably, network attacks such as brute force, man-in-the-middle, replay attacks and phishing [12,5-6]. And considering that most cloud providers rely currently on alphanumerical password authentication, an attacker might succeed in obtaining credentials by applying these attacks and therefore get some sensitive information from the cloud [8,10,13]. The next section briefly reviews methods that have been proposed in the scientific literature to overcome the problem of weak user authentication in the cloud environment; Section III will present the proposed work in this sense, and finally, the conclusion and future works are given in Section IV
II.
RELATED WORKS
In order to overcome the problem of weak user authentication, Binu et al. [1] had proposed a protocol that enables the authentication using a password and mobile token in the cloud environment. This framework presents many characteristics, particularly, the use of SAML to provide the Single Sign-On functionality. Other techniques that have been proposed to enhance the authentication is the multi-agents system. In fact, Vorugunti et al. [3] had introduced a light-weight remote user authentication using the concept of the multi-agents system. They deploy an agent to provide the feature of biometric as a service in the cloud environment. In this sense, Moghaddam et al. [4] validate authentication in the cloud environment using a client-based agent from the user side and software as a service to verify the authentication from the provider side. They have also introduced cryptography agent to encrypt resources before storing them in the cloud servers. Whereas, Khan et al. [7] have incorporated Open-ID in OpenStack IAAS cloud, and have performed the authentication at the back-end, which enables users to use their OpenID Identifiers and log into OpenStack. Among its characteristics the use of the concept of Single-Sign On. Abdellaoui et al.[9] had presented a framework in which they use a novel kind of one-time password. In this scheme, the authentication is performed using an out of band channel and a novel method of authentication using images. III.
PROPOSED WORK
The aim of this scheme is to add an extra authentication layer in the cloud storage using various concepts. The following describes this scheme briefly. The users need to register with the Cloud server. A user who attempts to access the cloud server without registering will be redirected to the registration page. In this phase, the cloud server provides to the user an AuthModule tool that must be installed on the user’s smartphone and a secret image. After registration, the user inserts his username and password < Un , Ps >. Then the authentication server verifies the authenticity
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No.5, May 2016 line ( ) . When P0 = P1, ( ) becomes a tangent at P0 or P1. of the user using < Un1 , Ps1 > stored in the database. If < Un , Ps > are valid. Then the authentication server sends a chal-
lenge based on the user’s secret image w that had been provided during the registration phase. Every user can extract its password using the triplet < challenge, secret image, AuthModule >. The authentication server related to the cloud storage authenticates the user Un if the password of this latter is valid.
Description Username
Psi
User’s Password
(.)
Hash function,
w
Secret image
Example (elliptic curve over F97): Consider an elliptic curve over the field F97 such as = 75 and = 79. The curve 2
3
equation in this case is Y x 75x 79 . 115 points satisfy this equation, including the point (0,46) since: Y2 mod j = x3 + 75x + 79 mod j 462 mod 97 = 79 mod 97 2116 mod 97 = 79 mod 97 79 = 79 The Figure1 represents solutions of the equation
TABLE I. NOTATION IN THIS PAPER.
Notation Un i
( ) is assumed to intersect K/Fj at the point 0. [12]
2
Y
3
x 75x 79 over F97
Trunk parts of a an Alphanumeric message Portion of an image
Trunc () Trunc ()
One time password Phone number Position where the truncation starts
PN
A. Elliptic curves. Assume that K/Fj is an elliptic curve K over a prime finite field Fj defined by Y
2
x x 3
(1)
Figure 1. Solutions of Y2 = x3 + 75x + 79 over the finite field F97
Where, , Fj and = 4 + 27 0
B. Function Trunc / Trunc .
The elements of K/ Fj form with an additional point 0 at infinity an additive group such as
In this paper, we introduce two types of Trunc function, Trunc () and Trunc () . Trunc () enables to truncate parts
3
2
= {( x, y) / x, y Fj , K( x, y) 0} {0}
(2)
Suppose that is the order of which can be defined as x mod q 0 , where H is the generator of ( is a cyclic additive group where P1 0 P1 / P1 ) The multiplication s × P1 over is defined as s × P1 = P1 +
P1 + … + P1 (s times) The point addition P0 + P1 such as P0 , P1 is a point –P2 on K/Fj such that the points P0 , P1 and –P2 lie on a straight
of an alphanumeric code using a position . It takes one alphanumeric argument as input and output an alphanumeric text. Example Trunc6 (91620821658793)=821658793 where = 6 Trunc9 (91620821658793)= 58793 where = 9
Trunc Truncate a portion of an image using a point P0 and a challenge to generate where P0 is a secret point (pixel) from the user’s secret image that satisfies the equation Y2 = x3 + x + and three points from the secret image (Table 3)
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No.5, May 2016
Figure 2. Registration Step
C. The challenge . is an alphanumeric code generated by the authentication server. The client uses to create the password . has a general form < , 2 , 3 > where represents the number that will be employed by Trunc () . 2 and 3 represent the coordinates of a point Q solution of the equation Y2 = x3 + x + over the finite field Fc (Q represents the coordinates of a Pixel in the image that have been provided during the registration phase Figure.3). D. Registration step In this step both the cloud provider and the user perform the following steps:
Step1. The authentication server shares the AuthModule with the user. This latter installs the AuthModule in his Smartphone. Step2. The user must register his username and password < Un , Ps , Pn > and his phone number on the server. After that, The authentication server generates < , , , c, P0> where is a secret image, and are curve parameters of the equation Y2 = x3 + x + and c define the finite field Fc and P0 is the coordinates of a point (in the secret image) that satisfies the equation Y2 = x3 + x + . Step3. The authentication server concatenates < , , ,c, P0> and embeds the value w = || ||c||P0 into using a watermarking technique, and finally, the server sends the image w to the user using an out of band channel and the user’s Pn .
Figure 3. Authentication phase
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No.5, May 2016
Step4. Upon receiving w , the user extract w = || ||c||P0 from the image w , split || ||c|||P0 into < , ,c, P0 > and stores < w , , ,c, P0 > in the AuthModule. After that, the client computes (P0 ) and sends it to the cloud server. Finally the cloud server checks if '(P0 ) (P0 ) . If so, the registration succeeds. Henceforth the AuthModule can produce . (Figure 2 shows the process of registration).
feature that enables the clients to change their password whenever they want. In this framework the password change feature can be performed following two ways: The first one by changing the secret image w , and the second one by changing only c in Fc related to the equation Y2 = x3 + x + .
E. Login phase Step 0. In this step the user submits < Un , Ps > to the cloud provider, then, this latter using his authentication server checks whether the user already exists. Step 1. If the user exists the authentication server ates and sends it to the user, and requests to compute a second factor from the client. Step 2. Upon receiving the challenge from the authentication server, the client computes by means of the AuthModule and delivered by the cloud provider. He performs the following steps: extract 2 3 from since = < , 2 , 3 > and P0 related to Un from the database. Compute < 2 , 3 > + P0 = P1 after that, the AuthModule construct the following points Form = < P1, 2 P1, 3 P1 > Step 3. The AuthModule truncate the form < P1, 2 P1, 3 P1> where P1 is a point of an elliptic curve 2 P1 = P1 + P1 , and 3 P1 = 2 P1 + P1 and Form = Trunc ( P1 , 2P1 , 3P1 ) ( Table 2) from user’s
secret image delivered by the authentication server during the registration step. And finally, the user computes Trunc ((form)) = .
Figure 4. Solution of Y2 = x3 + 75x +79 with Fc / c = {61,73,97}
G. The AuthModule AuthModule is a tool that can be installed on a mobile device. Its aim is to generate by using the triplet < w , , P0 >. We
describe the steps of the creation of from the client as follows: Upon receiving the challenge from the authentication server. The client adds into his smartphone in order to identify the form = < P1 , P2 , P3> / P2 = 2P1 , P3 = 3P1
Step 4. The client submits to the cloud server, after that, the
The AuthModule split the Challenge = || 2 || 3 into
cloud server checks if = 1 if so, then the client is authenti-
two separate values and a point Q, where refers to the position of truncation that will be used in Trunc and Q =
cated. The Figure. 3 Illustrates the steps mentioned above.
< 2 , 3 > are coordinates of a point Q from a curve that
F. Password Change phase The Password change is a very crucial feature in any authentication system, particularly, in the cloud environment. It is a
satisfies its equation Y2 = x3 + x + over the finite field Fc. After that, the authModule compute P1 using P0 and Q P1 = P0 + Q, P2 = 2 * P1 , P3 = 3*P1 using the elliptic curve addition and multiplication operations, and truncate the form =
TABLE II. EXTRACTION OF Trunc Γ (P, 2P, 3P) } ω
Γw
Trunc Γ (P, 2P, 3P) ω
ψ(TruncΓ (P, 2P, 3P)) ω
P Figure 1. 2P 3P
BB 59 35 52 76 D3 BD 02 6C 04 CC 64 8F AA 41 CE F9 70 3F 3C 09 30 07 5A D2 97 21 89 F0 45 E3 AE AF 4A 5F 4E A0 84 86 43 C1 B3 4A 34 DB B3 C8 A0 F1 22 01 48 EC 7C 82 DF 1C BE 47 5B 82 D8 BA EA
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No.5, May 2016 TABLE III. CREATION OF USER
w
U1
128x128
U2
c
97
61
U3
73
P0
< P1, P2, P3 > from the secret image using Trunc (form) And w
Compute (trunc (form)) . Here is used in order to comw
pute Trunc ((trunc (form))) = where (.) = SHA, w
RIPEMD or MD5. The table 3 shows an example of identifying points from a secret image w and the compute of a value (Form) such as (.) = SHA512
IV.
ANALYSIS OF THE SCHEME
In this section, we focus on characteristics and security of the proposed framework: An adversary can perform a variety of attacks. For instance, he can build a fake app or site to steal the legitimate user’s password by performing a phishing attack. However, the adversary cannot create the challenge since he doesn’t own the secret image w and even though, he cannot create a valid challenge . The framework is robust against replay attacks thanks to the one-time password feature that consist of changing the password continuously using the hash function applied to parts of the secret image w and the challenge provided by the
authentication server. Our framework can withstand to dictionary attacks, as well, that consists of trying all possible passwords, until to find the valid one. This attack is considered as one of the most dangerous threats associated with user authentication since the passwords are often simple and easy to crack by automated programs running this kind of attacks [11]. In our case, we use two levels of authentication. The first level composed of Un and Ps , and the second level is . It is difficult for a malicious user to find the value Ps composed of at least eight digits. Moreover, even if a malicious user finds Ps, he cannot find the value of since = Trunc ((form)) . Thus, the attacker must find P1 , form ( P1 , 2P1 , 3P1 ) and the secret w
P1
2P1
3P1
(.)
SHA256
F2E0F21F
MD5
DBB32F67
RIPEMD160
64938A8E
SHA256
AC504BFF
MD5
39B9A46F
RIPEMD-160
E877AF70
SHA256
9B6C3ACB
MD5
0F7192B0
RIPEMD160
C5C072B6
which is practically infeasible. Obviously, the framework resists not only to brute force but also dictionary and guessing attacks. AuthModule can withstand the man in the middle attacks since the password can be valid only for one authentication session. So even if is intercepted using this kind of attack, it will be no more valid. The scheme also introduces some important feature such as security of the password. The second factor is created automatically, and the cloud database stores the user’s secret image w instead of the
password . Also, features like password change and mutual authentication are supported in this scheme.
CONCLUSION We have proposed throughout this paper a novel authentication scheme based on a mobile device to enhance authentication process in the cloud environment. Users tend to use easy passwords due to the difficulty of memory. The proposed method overcomes this problem and the problem of text password by deploying one-time password extracted from a secret image using the AuthModule and elliptic curves for identifying three hidden points from the image. Thus, the password can be retrieved and used on whatever tools such as smart phones PDA PC ( this is the reason why we called the method BYOD : bring your own device for cloud authentication). In the future, we envision to address the problem of verification of integrity and authorship proof in the cloud environment in order to build an integral security scheme in the cloud environment.
(IJCSIS) International Journal of Computer Science and Information Security, Vol. 14, No.5, May 2016
REFERENCES 1.
Binu, S., Misbahuddin, M., Raj, P.: A Mobile Based Remote User Authentication Scheme without Verifier Table for Cloud Based Services. In: Proceedings of the Third International Symposium on Women in Computing and Informatics, pp. 502-509 (2015)
2.
Kim, H., Timm, S. C.: X. 509 Authentication and Authorization in Fermi Cloud. In: Proceedings of the 2014 IEEE/ACM 7th International Conference on Utility and Cloud Computing , pp. 732737 (2014)
3.
Vorugunti, C. S., Indukuri, S. S. V.: A Secure and Efficient Biometric Authentication as a Service for Cloud Computing. In: Proceedings of the 6th IBM Collaborative Academia Research Exchange Conference (I-CARE) on I-CARE 2014, pp. 1-4 (2014)
4.
Moghaddam, F. F., Moghaddam, S. G., Rouzbeh, S., Araghi, S. K., Alibeigi, N. M., Varnosfaderani, S. D.: A scalable and efficient user authentication scheme for cloud computing environments. In: Region 10 Symposium, pp. 508-513 (2014)
5. Dong, Z., Zhang, L., Li, J.: Security Enhanced Anonymous Remote User Authentication and Key Agreement for Cloud Computing. In: 17th International Conference on Computational Science and Engineering, pp. 1746-1751 (2014) 6. Zwattendorfer, B., Tauber, A.: Secure cloud authentication using eIDs. In: 2nd International Conference on Cloud Computing and Intelligent Systems (CCIS), Vol. 1, pp. 397-401 (2012) 7.
Khan, R. H., Ylitalo, J., Ahmed, A. S.: OpenID authentication as a service in OpenStack. In: 7th International Conference on Information Assurance and Security (IAS), pp. 372-377 (2011)
8. Abdellaoui, A., Khamlichi, Y. I., Chaoui, H.: An Efficient Framework for Enhancing User Authentication in Cloud Storage Using Digital Watermark. In: International Review on Computers and Software (IRECOS), 10(2), pp. 130-136 (2015) 9.
Abdellaoui, A., Khamlichi, Y. I., Chaoui, H.: Out-of-band Authentication Using Image-Based One Time Password in the Cloud Environment. In: International Journal of Security and Its Applications (IJSIA), 9(12), pp. 35-46 (2015)
10.
Abdellaoui, A., Khamlichi, Y. I., Chaoui, H.: A Novel Strong Password Generator for Improving Cloud Authentication, Procedia Computer Science, pp. 293-300 (2016) doi : 10.1016/j.procs.2016.05.236
11.
Pinkas, B., Sander, T.: Securing passwords against dictionary attacks. In: Proceedings of the 9th ACM conference on Computer and communications security, pp. 161-170 (2002)
12.
Yin, X. C., Liu, Z. G., Lee, H. J.: An efficient and secured data storage scheme in cloud computing using ECC-based PKI. In: Advanced Communication Technology (ICACT), 2014 16th International Conference on, pp. 523-527 (2014)
13.
Abdellaoui, A., Khamlichi, Y. I., Chaoui, H.: Security Analysis in the Cloud Environment, Congrès International sur les Sciences et Technologies de l’Information et de la Communication (2014)
