Vulnerability Analysis for the Authentication Protocols in Trusted Computing Platforms and a Proposed Enhancement of the OffPAD Protocol

Trusted computing architecture ensures the behavior of software that runs on a user machine by protecting it against software-level attacks. Because a user's private information can be exposed while accessing a system, many studies have analyzed existing protocols in order to develop new methods, based on biometrics or additional devices, that add further layers of security to the authentication process. In recent years, the idea of combining something you know with something you have, in the form of a personal authentication device (PAD), has become common in verification protocols. Very recently, a more secure PAD, namely the Offline Personal Authentication Device (OffPAD), was introduced to improve the authentication process. This single device can be used to manage the identities of both users and service providers and to support the authentication process, while remaining offline most of the time. In this paper, a rigorous vulnerability analysis of OffPAD-based authentication techniques is conducted using attack tree analysis. Finally, mitigation techniques are proposed to address the identified vulnerabilities.
