
Page 1: 多媒體網路安全實驗室 A Strong User Authentication Framework for Cloud Computing Date : 2012.08.10 Reporter : Hong Ji Wei Authors : Amlan Jyoti Choudhury, Mangal

多媒體網路安全實驗室 (Multimedia Network Security Laboratory)

A Strong User Authentication Framework for Cloud Computing

Date: 2012.08.10
Reporter: Hong Ji Wei
Authors: Amlan Jyoti Choudhury, Mangal Sain, Pardeep Kumar, Hoon Jae-Lee, Hyotaek Lim
From: 2011 IEEE Asia-Pacific Services Computing Conference

Page 2:

OUTLINE

1. INTRODUCTION AND MOTIVATION
2. LITERATURE REVIEW
3. CLOUD SECURITY ARCHITECTURE
4. PROPOSED SCHEME
5. SECURITY ANALYSIS
6. CONCLUSION

Page 3:

INTRODUCTION AND MOTIVATION

Cloud computing has evolved through a number of different services. The basic goal of cloud computing is to provide great flexibility to users: users do not need to concern themselves with the processing details. Cloud systems are divided into three categories: public cloud, private cloud and hybrid cloud.

Page 4:

INTRODUCTION AND MOTIVATION

The new cloud computing technology offers many advantages:

1. Information shared in a virtual environment
2. Dynamic scalability
3. Storage utility
4. Software utilization
5. Platform and infrastructure utilization
6. Managed distributed computing power

Page 5:

LITERATURE REVIEW

Page 6:

CLOUD SECURITY ARCHITECTURE

[Figure: cloud security architecture, a numbered message flow (steps 1 to 7) between the user and the cloud. The labels that survive the transcript are: ID, PW; Login Request; One-time password; Successful Authentication.]

Page 7:

PROPOSED SCHEME

The notations used in this paper are listed in the table below.

Page 8:

PROPOSED SCHEME

The proposed scheme consists of three phases:

1. Registration
2. Login
3. Authentication

In addition, it includes one activity called password change.

Page 9:

PROPOSED SCHEME

Registration

Client: chooses ID and PW, picks a random x, computes h(PW ⊕ x) and sends {ID, h(PW ⊕ x), h(x)} to the server over a secure channel.

Server:
1. Check that ID is new (ID not existing)
2. J = h(ID ⊕ h(PW ⊕ x))
3. I = h(ID || y)
4. B = g^h(y) mod p
5. Store {I, J, B, p, g, h(.)} in the smartcard

Server → Client: smartcard (secure channel)

Client: enters x into the smartcard.
Smartcard: {I, J, B, p, g, h(.), x}

Page 10:

PROPOSED SCHEME

Login

Client:
1. J* = h(ID ⊕ h(PW ⊕ x))
2. Check J* = J
3. C = h(I || J)

Client → Server: M1 = {B, C}

Server:
1. Check C; h(y) (the rest of this step is lost in the transcript)
Generate K and send it by SMS.
2. B″ = g^(h(x)·h(y)) mod p
3. L = h(B″ || K)
4. h(B″), h(L)

Server → Client: M2 = {h(B″), h(L)}

The client's authentication-phase steps that follow M2 are shown on the next slide.

Page 11:

PROPOSED SCHEME

Authentication

Client:
1. B′ = B^h(x) mod p and h(B′)
2. h(L*) = h(h(B′ || K))
3. Check h(B′) = h(B″)
4. Check h(L*) = h(L)
5. R = h(T || B′) and h(R)

Client → Server: M3 = {I, h(R), T}

Server:
1. Check if T′ − T ≤ ΔT (T′ is the time of receipt)
2. I′ = h(ID || y)
3. R* = h(T || B″) and h(R*)
4. Check I′ = I and h(R*) = h(R)
5. Compute S_k = R ⊕ L and h(S_k)

Server → Client: M4 = {h(S_k)}

Client:
1. S_k* = R ⊕ L
2. Check h(S_k*) = h(S_k)
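The three phases above (registration, login, authentication) as an added Python walk-through, written for this page and not code from the paper or its authors. It assumes SHA-256 for h(.), a toy 61-bit modulus, ID and PW mapped to 32 bytes so that ⊕ is defined, the exponents B = g^h(y) mod p and B″ = g^(h(x)·h(y)) mod p that the transcript lost, and a server that looks users up by C; delivery of K by SMS is simulated in-process.

```python
import hashlib, secrets, time
P, G = 2**61 - 1, 2            # toy DH group (constructed; far too small for real use)
DELTA_T = 60                   # accepted clock skew in seconds (assumed value)

def h(*parts):                 # h(.): SHA-256 over the '||' concatenation of the parts
    return hashlib.sha256(b"".join(parts)).digest()
def xor(a, b):                 # ⊕ on two 32-byte strings
    return bytes(i ^ j for i, j in zip(a, b))
def s32(text):                 # assumed encoding: ID/PW mapped to 32 bytes so ⊕ is defined
    return hashlib.sha256(text.encode()).digest()
def e(d):                      # use a digest as a modular exponent
    return int.from_bytes(d, "big")
def bb(n):                     # encode a group element for hashing (P < 2**64)
    return n.to_bytes(8, "big")
def new_server():
    return {"y": secrets.token_bytes(32), "users": {}, "by_C": {}}

def register(server, ID, PW):  # registration phase, over a secure channel
    x = secrets.token_bytes(32)
    ident, hPWx, hx = s32(ID), h(xor(s32(PW), x)), h(x)   # client sends ID, h(PW⊕x), h(x)
    if ident in server["users"]:
        raise ValueError("ID already exists")
    I, J = h(ident, server["y"]), h(xor(ident, hPWx))     # I = h(ID||y), J = h(ID⊕h(PW⊕x))
    B = pow(G, e(h(server["y"])), P)                       # B = g^h(y) mod p (assumed exponent)
    server["users"][ident] = hx                            # server keeps h(x) for the ID
    server["by_C"][h(I, J)] = ident                        # assumption: users are looked up by C
    return {"I": I, "J": J, "B": B, "x": x}                # smartcard {I, J, B, p, g, h(.), x}

def login_and_authenticate(server, card, ID, PW):
    # client, login: J* = h(ID⊕h(PW⊕x)) must equal J; C = h(I||J); M1 = {B, C}
    if h(xor(s32(ID), h(xor(s32(PW), card["x"])))) != card["J"]:
        return None
    M1 = (card["B"], h(card["I"], card["J"]))
    # server: one-time K by SMS (simulated), B'' = g^(h(x)h(y)) mod p, L = h(B''||K)
    ident = server["by_C"][M1[1]]
    K = secrets.token_bytes(8)
    B2 = pow(G, e(server["users"][ident]) * e(h(server["y"])), P)
    L = h(bb(B2), K); M2 = (h(bb(B2)), h(L))
    # client, authentication: B' = B^h(x) mod p; check h(B') and h(L*) against M2
    B1 = pow(card["B"], e(h(card["x"])), P); Lc = h(bb(B1), K)
    if (h(bb(B1)), h(Lc)) != M2:
        return None                                        # server not authenticated
    T = int(time.time()); R = h(str(T).encode(), bb(B1)); M3 = (card["I"], h(R), T)
    # server: timestamp window, I' = h(ID||y), R* = h(T||B''), S_k = R ⊕ L, M4 = h(S_k)
    Rs = h(str(M3[2]).encode(), bb(B2))
    if abs(int(time.time()) - M3[2]) > DELTA_T or (h(ident, server["y"]), h(Rs)) != M3[:2]:
        return None                                        # client not authenticated
    M4 = h(xor(Rs, L))
    Sk = xor(R, Lc)                                        # client: S_k* = R ⊕ L must hash to M4
    return Sk if h(Sk) == M4 else None                     # agreed session key, else failure
```

A wrong ID or PW stops at the smartcard's J check before anything is sent, and each run yields a fresh session key because K changes per login.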

Page 12:

PROPOSED SCHEME

Password change

Client → Smartcard: ID, PW

Smartcard:
1. Compute J* = h(ID ⊕ h(PW ⊕ x))
2. Check J* = J

Smartcard → Client: OK

Client: generates x′ and PW′
Client → Smartcard: PW′, x′

Smartcard:
1. Compute J′ = h(ID ⊕ h(PW′ ⊕ x′))
2. Replace J by J′ and x by x′ in the smartcard

Page 13:

SECURITY ANALYSIS

Session key agreement

The session key is different in every login session and cannot be replayed after the session expires.

Replay attack

The one-time key K is valid for a single login session, and it is delivered to the user through a mobile out-of-band channel (SMS).

Password guessing attack

The scheme uses the complex password term J = h(ID ⊕ h(PW ⊕ x)), built with a one-way hash function.

Page 14:

SECURITY ANALYSIS

Stolen verifier attack and data modification attack

The smartcard contains {I, J, B, p, g, h(.), x}, but without knowledge of ID, PW and K it is very difficult to find B′, L and R.

Insider attack

The password is never used in the clear; instead it is digested as J = h(ID ⊕ h(PW ⊕ x)), which is very difficult to invert.

Page 15:

SECURITY ANALYSIS

Mutual authentication

(The slide repeats the login and authentication message flow of slides 10 and 11. The client authenticates the server with the checks h(B′) = h(B″) and h(L*) = h(L); the server authenticates the client with the checks I′ = I and h(R*) = h(R).)

Page 16:

SECURITY ANALYSIS

Man in the middle attack

(The slide repeats the login and authentication message flow of slides 10 and 11.)

Page 17:

CONCLUSION

This paper proposes a strong user authentication framework for cloud computing with many security features.

The proposed protocol can resist many popular attacks.

Two strong factors are used in this scheme:

1. Something you know
2. Something you have