Multimedia Network Security Laboratory (多媒體網路安全實驗室)
A Strong User Authentication Framework for Cloud Computing
Date: 2012.08.10
Reporter: Hong Ji Wei
Authors: Amlan Jyoti Choudhury, Mangal Sain, Pardeep Kumar, Hoon Jae-Lee, Hyotaek Lim
From: 2011 IEEE Asia-Pacific Services Computing Conference
OUTLINE
1. INTRODUCTION AND MOTIVATION
2. LITERATURE REVIEW
3. CLOUD SECURITY ARCHITECTURE
4. PROPOSED SCHEME
5. SECURITY ANALYSIS
6. CONCLUSION
INTRODUCTION AND MOTIVATION
Cloud computing has evolved through a number of different services. The basic goal of cloud computing is to give users great flexibility: users do not need to concern themselves with the processing details. Cloud systems are divided into three categories: public cloud, private cloud and hybrid cloud.
INTRODUCTION AND MOTIVATION
The new cloud computing technology offers many advantages:
1. Information shared in a virtual environment
2. Dynamic scalability
3. Storage utility
4. Software utilization
5. Platform and infrastructure utilization
6. Managed distributed computing power
LITERATURE REVIEW
CLOUD SECURITY ARCHITECTURE
[Figure: cloud security architecture, a numbered message flow (steps 1 to 7) between the user and the cloud service with the labels: ID, PW; Login request; One-time password; Successful authentication.]
PROPOSED SCHEME
The notations used in the paper are listed in the table below.
PROPOSED SCHEME
The proposed scheme consists of three phases:
1. Registration
2. Login
3. Authentication
In addition, it has one further activity: password change.
PROPOSED SCHEME
Registration
Client                                         Server
Choose ID, PW and a random x; compute h(PW ⊕ x)
        -- {ID, h(PW ⊕ x), h(x)} -->  (secure channel)
                                               1. Check ID_new ≠ ID_existing
                                               2. J = h(ID ⊕ h(PW ⊕ x))
                                               3. I = h(ID || y)
                                               4. B = g^h(x) mod p
                                               5. S stores {I, J, B, p, g, h(.)} in the smartcard
                                               Server-side value: h(I || J) ⊕ h(x) ⊕ h(y)
        <-- smartcard --  (secure channel)
Enter x into the smartcard
Smartcard: {I, J, B, p, g, h(.), x}
PROPOSED SCHEME
Login
Client                                         Server
1. J* = h(ID ⊕ h(PW ⊕ x))
2. Check J* = J
3. C1 = h(I || J)
        -- M1 = {B, C1} -->
                                               1. From C1 and h(y), recover h(x)
                                               2. B" = g^h(x) mod p
                                               Generate K and send it by SMS
                                               3. L = h(B" || K)
                                               4. h(B"), h(L)
        <-- M2 = {h(B"), h(L)} --  (K arrives by SMS)
1. B' = g^h(x) mod p and h(B')
2. h(L*) = h(h(B' || K))
3. Check h(B') = h(B")
4. Check h(L*) = h(L)
5. R = h(T || B') and h(R)
        -- M3 = {I, h(R), T} -->
PROPOSED SCHEME
Authentication
Client                                         Server
        -- M3 = {I, h(R), T} -->
                                               1. Check if T' − T ≤ ΔT
                                               2. I' = h(ID || y)
                                               3. R* = h(T || B") and h(R*)
                                               4. Check I' = I and h(R*) = h(R)
                                               5. Compute S_k = R ⊕ L
        <-- M4 = {h(S_k)} --
1. Compute S_k* = R ⊕ L
2. Check h(S_k*) = h(S_k)
PROPOSED SCHEME
Password change
Client                                         Smartcard
        -- ID, PW -->
                                               1. Compute J* = h(ID ⊕ h(PW ⊕ x))
                                               2. Check J* = J
        <-- OK --
Generate x' and PW'
        -- PW', x' -->
                                               1. Compute J' = h(ID ⊕ h(PW' ⊕ x'))
                                               2. Replace J by J' and x by x' in the smartcard
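The registration, login, authentication and password-change steps above, run end to end as an added example (this is not code from the paper or the slides): both sides of the exchange are simulated in Python and every check the slides show is enforced. Everything concrete is an assumption of the example: h(.) is SHA-256, ⊕ acts on 32-byte blocks (IDs and passwords are padded to 32 bytes), the group is the toy Mersenne prime p = 2^127 − 1 with g = 3 (far too small for real use), the SMS channel is a returned Python value, ΔT is 5 seconds, the ID is sent alongside M1 and M3 because the slides do not show how the server locates the user's record, and the h(I || J) ⊕ h(x) ⊕ h(y) value on the registration slide is read as the server-side verifier from which h(x) is recovered at login. The replay_rejected function shows the timestamp check of the authentication phase refusing an M3 captured earlier.

```python
import hashlib
import secrets
import time

# Constructed toy parameters (assumptions of this example, far too small for real use):
# p = 2**127 - 1 (a Mersenne prime), generator g = 3, and a 5 s timestamp window ΔT.
P, G, DELTA_T_MS = 2**127 - 1, 3, 5000
NBYTES = (P.bit_length() + 7) // 8  # bytes needed to encode a group element

def h(*parts):  # h(.) from the slides: SHA-256 over the concatenation (||) of its inputs
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a, b):  # the slides' ⊕ on two equal-length byte strings
    return bytes(u ^ v for u, v in zip(a, b))

def pad32(s):  # encode a short ID/PW as a 32-byte block so it can be XORed with a hash (assumption)
    return s.encode().rjust(32, b"\0")

def i2b(n):
    return n.to_bytes(NBYTES, "big")

def fail_unless(cond, msg):  # every protocol check aborts the run on failure
    if not cond:
        raise PermissionError(msg)

class Server:
    def __init__(self):
        self.y = secrets.token_bytes(32)  # server secret y
        self.users, self.pending = {}, {}  # ID -> record; ID -> login in progress
    def register(self, ID, h_pw_x, hx):  # Registration, secure channel: gets {ID, h(PW ⊕ x), h(x)}
        if ID in self.users:
            raise ValueError("ID_new must not equal an existing ID")
        J = h(xor(pad32(ID), h_pw_x))  # J = h(ID ⊕ h(PW ⊕ x))
        I = h(pad32(ID), self.y)  # I = h(ID || y)
        B = pow(G, int.from_bytes(hx, "big"), P)  # B = g^h(x) mod p
        V = xor(xor(h(I, J), hx), h(self.y))  # h(I || J) ⊕ h(x) ⊕ h(y), kept by the server
        self.users[ID] = {"I": I, "J": J, "V": V}
        return {"I": I, "J": J, "B": B, "p": P, "g": G}  # written to the smartcard
    def on_m1(self, ID, m1):  # Login: M1 = {B, C1}; ID travels with it (assumption)
        hx = xor(xor(self.users[ID]["V"], m1["C1"]), h(self.y))  # 1. recover h(x) from C1 and h(y)
        B2 = pow(G, int.from_bytes(hx, "big"), P)  # 2. B" = g^h(x) mod p
        K = secrets.token_bytes(16)  # one-time key K, delivered by SMS
        L = h(i2b(B2), K)  # 3. L = h(B" || K)
        self.pending[ID] = {"B2": B2, "L": L}
        return {"hB": h(i2b(B2)), "hL": h(L)}, K  # 4. M2 = {h(B"), h(L)}, plus the SMS
    def on_m3(self, ID, m3):  # Authentication: M3 = {I, h(R), T}
        now = time.time_ns() // 1_000_000
        fail_unless(abs(now - m3["T"]) <= DELTA_T_MS, "T outside ΔT (replay?)")  # 1. T' - T <= ΔT
        s = self.pending[ID]
        I1 = h(pad32(ID), self.y)  # 2. I' = h(ID || y)
        R_star = h(m3["T"].to_bytes(8, "big"), i2b(s["B2"]))  # 3. R* = h(T || B")
        fail_unless(I1 == m3["I"] and h(R_star) == m3["hR"], "I or h(R) mismatch")  # 4.
        Sk = xor(R_star, s["L"])  # 5. S_k = R ⊕ L
        return {"hS": h(Sk)}, Sk  # M4 = {h(S_k)}

class Client:
    def __init__(self, ID, PW):
        self.ID, self.PW, self.x = ID, PW, secrets.token_bytes(32)  # client random x
        self.card = self.state = None
    def register_with(self, server):
        self.card = server.register(self.ID, h(xor(pad32(self.PW), self.x)), h(self.x))
        self.card["x"] = self.x  # the user enters x into the smartcard
    def _J(self, PW):  # J* = h(ID ⊕ h(PW ⊕ x)) using the x on the card
        return h(xor(pad32(self.ID), h(xor(pad32(PW), self.card["x"]))))
    def m1(self, PW):
        c = self.card
        fail_unless(self._J(PW) == c["J"], "wrong ID/PW")  # 1-2. check J* = J
        return {"B": c["B"], "C1": h(c["I"], c["J"])}  # 3. C1 = h(I || J); M1 = {B, C1}
    def on_m2(self, m2, K, T=None):
        c = self.card
        B1 = pow(c["g"], int.from_bytes(h(c["x"]), "big"), c["p"])  # 1. B' = g^h(x) mod p
        L_star = h(i2b(B1), K)  # 2. L* = h(B' || K)
        fail_unless(h(i2b(B1)) == m2["hB"] and h(L_star) == m2["hL"], "h(B') or h(L) mismatch")  # 3-4.
        T = time.time_ns() // 1_000_000 if T is None else T
        R = h(T.to_bytes(8, "big"), i2b(B1))  # 5. R = h(T || B')
        self.state = {"R": R, "L": L_star}
        return {"I": c["I"], "hR": h(R), "T": T}  # M3 = {I, h(R), T}
    def on_m4(self, m4):
        Sk = xor(self.state["R"], self.state["L"])  # 1. S_k* = R ⊕ L
        fail_unless(h(Sk) == m4["hS"], "session key mismatch")  # 2. check h(S_k*) = h(S_k)
        return Sk
    def change_password(self, PW, new_PW):  # Password change: local to the smartcard
        fail_unless(self._J(PW) == self.card["J"], "wrong password")
        self.card["x"] = secrets.token_bytes(32)  # x' ...
        self.card["J"] = self._J(new_PW)  # ... and J' = h(ID ⊕ h(PW' ⊕ x'))

def run_login(client, server, PW):  # full M1..M4 exchange; returns (client's S_k, server's S_k)
    m2, sms_K = server.on_m1(client.ID, client.m1(PW))
    m4, server_key = server.on_m3(client.ID, client.on_m2(m2, sms_K))
    return client.on_m4(m4), server_key

def replay_rejected(client, server, PW):  # an M3 stamped 2ΔT in the past must fail step 1
    m2, sms_K = server.on_m1(client.ID, client.m1(PW))
    stale_m3 = client.on_m2(m2, sms_K, T=time.time_ns() // 1_000_000 - 2 * DELTA_T_MS)
    try:
        server.on_m3(client.ID, stale_m3)
        return False
    except PermissionError:
        return True
```

Create a Server and a Client, call register_with once, then run_login for each session; the two returned keys are equal only when all four checks pass. Note that the password-change activity, as the slides show it, touches only J and x on the card; in this reconstruction the card's B and the server's record still refer to the old x and J, so a login after the change would not succeed until the user registers again.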
SECURITY ANALYSIS
Session key agreement:
The session key S_k is different in every login session and cannot be replayed after the session expires.
Replay attack:
The one-time key K is valid for a single login session, and it is delivered to the user over an out-of-band mobile (SMS) channel.
Password guessing attack:
The scheme uses the composite password term J = h(ID ⊕ h(PW ⊕ x)), built with a one-way hash function.
SECURITY ANALYSIS
Stolen verifier attack and data modification attack:
The smartcard contains {I, J, B, p, g, h(.), x}, but without knowledge of ID, PW and K it is very difficult to derive B', L and R.
Insider attack:
The password is never used in the open; instead it is digested as J = h(ID ⊕ h(PW ⊕ x)), which is very difficult to invert.
SECURITY ANALYSIS
Mutual authentication
[Figure: the login and authentication message flow M1 to M4 from the PROPOSED SCHEME slides, repeated here. The client verifies the server through h(B') = h(B") and h(L*) = h(L) on M2; the server verifies the client through I' = I and h(R*) = h(R) on M3; both sides then confirm the same S_k through M4.]
SECURITY ANALYSIS
Man in the middle attack
[Figure: the same M1 to M4 message flow, repeated for the man-in-the-middle discussion.]
CONCLUSION
This paper proposes a strong user authentication framework for cloud computing with many security features.
The proposed protocol can resist many popular attacks.
The scheme relies on two strong authentication factors:
1. Something you know (ID and PW)
2. Something you have (the smartcard, and the phone that receives the one-time key K)