Sep 23, 2003 - Mr. Martin Leclerc, Wireless Network Consultant (Montreal, Quebec ... other existent authentication systems; and where humans network ...
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
Université de Montréal
"AuthenLink: A User-Centred Authentication System for a Secure Mobile Commerce" By Christina Braz
Department of Computer Science and Operations Research Arts and Sciences Faculty
A Master’s Thesis Presented to the Department of Computer Science and Operations Research in Total Fulfillment of the Requirements for the Degree of Master of Sciences in Electronic Commerce
September 23, 2003 © Christina Braz, 2003
MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
Université de Montréal Graduate Studies Faculty
Master’s Thesis Title: "AUTHENLINK: A USER-CENTRED AUTHENTICATION …………………………………………………………….......... SYSTEM FOR A SECURE MOBILE COMMERCE" ……………………………………………………………..........
Presented by CHRISTINA BRAZ ……………………………………………………………..........
Accepted and Approved on Behalf of the University:
ESMA AÏMEUR …………………..……………………………………………… Research Director ABDELHAKIM HAFID …………………………………………………………….......... Jury Member
MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
Acknowledgements My sincere gratitude goes to my academic advisor Prof. Dr. Esma Aïmeur, who helped me, and guided me towards my academic as well as my personal success. The thesis would also not be successful without other people, which included: Mr. Pierre Boucher, Ericsson Canada Inc. (Montreal, Quebec - Canada) Mr. Louis Brun, Lipso Inc. (Montreal, Quebec - Canada) Mrs. Sabine Kebreau, École Polytechnique de Montréal (Montreal, Quebec - Canada) Mr. Dougoukolo Konaré, École Polytechnique de Montréal (Montreal, Quebec - Canada) Mr. Martin Leclerc, Wireless Network Consultant (Montreal, Quebec - Canada) Mr. Sylvain Monette, Ericsson Canada Inc. (Montreal, Quebec - Canada) Ms. Adriana Paes, General Electric Canada (Montreal, Quebec - Canada) They provided me a substantial amount of help and suggestions throughout my work. A special gratitude goes to Dr. Richard E. Smith, Information Security Consultant (Hastings, MN - U.S.), one of the most renowned experts in Computer Security and author of the book “Authentication: From Passwords to Public Key”, who gave me his thoughts and made great contributions to provide me with the best quality thesis in the authentication field.
III
MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
Abstract I envision an environment where humans communicate directly with computers without additional authentication inputs like passwords, passphrases, PINs (Personal Identification Numbers), biometrics, or other existent authentication systems; and where humans network (intercommunicate) continually with wireless (mobile) devices1. This experiment may have large-scale implications for employers and for society in general, as humans define how closely they want to be connected with mobile devices. Within the framework of this master’s thesis, we propose a new mobile authentication system, called AuthenLink, coupled with a new approach to distinguish characteristics to authenticate people (authentication factor): something you CONVEY. The utmost purpose of this master’s thesis, called ''ASEMC: Authentication for a Secure M-Commerce'' is to provide an effective authentication system for the mobile commerce domain, more specifically for mobile devices, which would be achieved through a ChipTag computer implanted under human skin. This ChipTag would be able to authenticate user access to systems, wirelessly connect them, and enable mobile devices to securely perform mobile transactions (whatever that may be), access files, or shop online. Index terms: User Authentication, Wireless, Microprocessor, Mobile Commerce, Mobile Devices.
IV
1
A wireless (mobile) device is a device that has connectivity to the Internet without being physically plugged into a network with a wire. The most common examples of these are Internet-enabled cell phones like the WAP Phone, GSM Phone, or i-Mode phone; personal digital assistants (PDAs) like the Palm VII; Pocket PCs like the Wireless iPaq, and pagers like the RIM Blackberry.
MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
Table of Contents Acknowledgements……………………………………………………………………………………. III Abstract.………………………………………………………………………………………………... IV Table of Contents………………………………………………………………………………………. V List of Figures………………………………………………………………………………………….. VIII List of Tables…………………………………………………………………………………………... IX Chapters 1 3 8
1. INTRODUCTION…………………………………………………………………………………. 2. DEFINITIONS OF IMPORTANTS TERMS 3. AUTHENTICATION……………………………………………………………………………… . 3.1. DEFINITION……………………………………………………………………………… 3.2. WHAT IS A STRONG AUTHENTICATION? ..............................................................… 3.3. THE USELFULNESS OF STRONG AUTHENTICATION…………………………….. 3.4. AUTHENTICATION FACTORS…………………………………………………………
9 9 10 12
4. THE STATE OF THE ART………………………………………………………………………..
14
4.1. PASSWORDS AND PINs……………………………………………………………………….… 4.2. AUTHENTICATION TOKENS…………………………………………………………..
14 17
4.2.1.
Non-Contact Tokens……………………………………………………………
18
i. Proximity cards………………………………………………………………………… ii. One Time Password generators……………………………………………………….. iii. Handheld Challenge-Response Calculators…………………………………………….
18 19 22
4.2.2. 4.2.3.
Contact Tokens………………………………………………………………… Smart Cards and Public-Key Authentication…………………………………...
25 26
i. Definition………………………………………………………………………………. ii. Types of Smart Cards………………………………………………………………….
26 28
4.3. KERBEROS………………………………………………………………………………. 4.4. BIOMETRICS……………………………………………………………………………..
30 32
4.4.1. 4.4.2.
Definition……………………………………………………………………..... Recognition Methods…………………………………………………………...
32 34
4.5. ASSOCIATING AUTHENTICATION METHODS……………………………………...
38
5. DISCUSSION………………………………………………………………………………………
40
V MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
6. THE AUTHENLINK………………………………………………………………………………
43
6.1. DEFINITION……………………………………………………………………………… 6.2. AUTHENLINK COMPONENTS………………………………………………………...
43 43
6.2.1. 6.2.2. 6.2.3. 6.2.4. 6.2.5. 6.2.6. 6.3.
The ChipTag………………………………………………………………….... Radio Frequency Identification (RFID) ………………………………………. Mobile Reader…………………………………………………………………. AuthenLink Software………………………………………………………….. Authentication Server………………………………………………………….. Database………………………………………………………………………..
43 45 46 46 46 47
HOW THE AUTHENLINK SYSTEM WORKS…………………………………………
47
6.3.1. 6.3.2. 6.3.3. 6.4.
Scenario 1 - Internet and Architecture Mode (Maximum Mobility)…………... Scenario 2 - WLAN Architecture Mode (Medium Mobility)…………………. Scenario 3 - Ad Hoc Architecture Mode (Minimum Mobility)………………..
48 50 51
SECURITY………………………………………………………………………………..
52
6.4.1. Introduction……………………………………………………………………. 6.4.2. Security Mechanisms Between The ChipUser And Mobile Device (RFI Technology) …………………………………………………………………………..
52 55
6.4.3. Security Mechanisms Between The Mobile Reader And The Authentication Server…………………………………………………….………………………………….
56
i. Virtual Private Network (VPN) …………………………………………………….… ii. Secure Shell (SSH) …………………………………………………………………… iii. HTTPS….……………………………………………………………………………... iv. Secure Socket Layer (SSL) …………………………………………………………… v. Transport Layer Security (TLS) ……………………………………………………… vi. MD5 (Message Digest 5) ………………………………………………………........... vii. IPSec Protocol……………………………………………………………………….... viii. Rivest Cipher #4 (RC4) ……………………………………………………….. ix. Bluetooth Technology…………………………………………………….…………...
56 56 57 58 58 58 59 59 60
6.4.4.
Global System for Mobile Communications (GSM) Inbuilt Security………….
61
6.5. TO WHOM AUTHENLINK SHOULD BE ADDRESSED? ............................................. 6.6. ADVANTAGES & DISAVANTAGES OF THE AUTHENLINK……………………….
62 64
6.6.1. 6.6.2. 6.6.3.
ADVANTAGES……………………………………………………………….. DISAVANTAGES…………………………………………………………….. COMPARATIVE ANALYSIS OF THE AUTHENTICATION METHODS....
64 66 67
VI
MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
6.7. IMPLICATIONS ON THE USER EXPERIENCE……………………………………….. 6.8. IMPLEMENTATION COSTS…………………………………………………………….
68 72
7. CONTRIBUTIONS OF THIS WORK…………………………………………………………….. 8. CONCLUSION AND FUTURE WORK………………………………………………………….. 9. BIBLIOGRAPHY…………………………………………………………………………………. 10. WEB RESOURCES……………………………………………………………………………….. 11. GLOSSARY……………………………………………………………………………………….
73 74 77 80 84
VII MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
List of Figures 4.1. Figure 1: Authentication by Password………………………………………………………………. 4.2.1. (i) Figure 2: Contactless Smart Card……………………………………………………………... 4.2.1. (ii) Figure 3: RSA ACE/Server & SecurID……………………………………………………….. 4.2.1. (ii) Figure 4: SofToken II…………………………………………………………………………. 4.2.1. (ii) Figure 5: SecurID on Palm OS………………………………………………………………... 4.2.1. (ii) Figure 6: Authentication via a One-Time Password Generator……………………………….. 4.2.1. (ii) Figure 7a: Options for generating a One-Time Password (OTP) using Secret Key Cryptography……………………………………………………………………………………………..
15 18 19 19 19 19 20
4.2.1. (iii) Figure 8: User Authentication with Secure Sockets Layer (SSL)……………………………. 23 4.2.1. (iii) Figure 8a: Sequence Diagram – Challenge/Response Calculators…………………………… 24 4.2.2. (iii) Figure 9: Contact Tokens…………………………………………………………………….. 25 4.2.3. (ii) Figure 10: Memory Cards…………………………………………………………………….. 28 4.2.3. (ii) Figure 11: Microprocessor Multifunction Cards……………………………………………… 29 4.3. Figure 12: Kerberos Authentication………………………………………………………………… 30 4.4. Figure 13: Biometric Authentication……………………………………………………………….. 33 4.4.2. Figure 14: Fingerprint Recognition Scheme……………………………………………………… 34 4.4.2. Figure 15: FaceIt® ARGUS: Facial recognition system from Identix Inc………………………... 35 4.4.2. Figure 16: Spoken passphrase gathered by Apple’s Mac OS 9.0…………………………………. 35 4.4.2. Figure 17: Dynamic signature verification………………………………………………………... 36 6.2.1. Figure 18: Authentication ChipTag Size = 12mm by 2.1mm…………………………………….. 44 6.2.1. Figure 19: Authentication ChipTag: Size compared to a human fingertip……………………….. 44 6.3.1. Figure 20: AuthenLink’s System Architecture (Scenario 1): UMTS Architecture Mode (Maximum Mobility) ……………………………………………………………………………………. 49a 6.3.2. Figure 21: AuthenLink’s System Architecture (Scenario 2): Wireless Local Area Network (WLAN) Architecture Mode (Medium Mobility) ……………………………………………………….
50a
6.3.3. Figure 22: AuthenLink’s System Architecture (Scenario 3): Ad Hoc Architecture Mode (Minimum Mobility) …………………………………………………………………………………….. 51a 6.4.1. Figure 23: Secure communication channels through the implementation of security mechanisms……………………………………………………………………………………………….
54
VIII MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
”AUTHENLINK: A USER-CENTRED AUTHENTIFICATION SYSTEM FOR A SECURE M-COMMERCE”
CHRISTINA BRAZ
List of Tables 1. Table 1: Predicted mCommerce Revenues, 2001 – 2005……………………………………... 3.4. Table 2: Authentication Factors………………………………………………………………. 6.5. Table 3: Consumer Profiles…………………………………………………………………… 6.5. Table 4: Comparative Analysis of the Authentication Methods……………………………… 6.8. Table 5: Costs for Components of the AuthenLink……………………………………………
1 12 51 67a/67b 72
IX
MASTER OF SCIENCE IN ELECTRONIC COMMERCE (HEC MONTRÉAL / UNIVERSITÉ DE MONTRÉAL)
March 10, 2004
