Using Structural Diversity to Enforce Strong Authentication of Mobiles to the Cloud

Modern portable devices such as smartphones are enhanced by advanced functionalities and may therefore soon become both the preferred portable computing device (thereby substituting for laptops) and the personal trusted device. They are also increasingly used to access online cloud services, including particularly sensitive ones that require high security. This paper introduces an original and strong authentication method for mobiles. It involves a two-factor scheme enhanced through the diversity of network channels and devices. Our solution combines an OTP-based approach with an IoT object used as a secondary device in addition to the smartphone. The diversity of the network channels rests on the use of one of the LPWAN networks together with LTE or Wi-Fi networks. Authentication factors are therefore transmitted over different channels through different devices, thus greatly reducing the attack surface. The proposal is also enhanced by end-to-end encryption of the transferred sensitive contents. The link with authorization issues is analyzed, and the integration of our approach into OpenID Connect/OAuth 2.0 is investigated. A platform that implements this scheme has been developed, tested and evaluated under different attack scenarios.
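As an added illustration of the channel-diversity idea (this is not the paper's own platform or protocol, but a constructed model of the server-side checks), the verifier below pushes an OTP challenge to the IoT object over one channel and only accepts the response if it comes back over a different channel, within a time window, and at most once. The channel names, the shared IoT key and the 30-second window are assumed placeholders.

```python
import hmac, hashlib, os, time
from dataclasses import dataclass

# Constructed model, not the paper's code: the challenge leaves over the
# LPWAN downlink to the IoT object and the OTP must return from the
# smartphone over LTE/Wi-Fi. Key and TTL are placeholders (assumptions).
OTP_TTL = 30  # seconds a challenge stays valid

@dataclass
class Challenge:
    nonce: bytes
    sent_over: str   # channel the challenge was delivered on
    issued: float
    used: bool = False

class AuthServer:
    def __init__(self, iot_keys):
        self.iot_keys = iot_keys   # user -> key shared with that user's IoT object
        self.pending = {}          # user -> outstanding Challenge

    def start(self, user, password_ok, channel, now=None):
        """First factor arrived over `channel`; issue a nonce for the IoT object."""
        if not password_ok:
            return None
        nonce = os.urandom(16)
        now = now if now is not None else time.time()
        self.pending[user] = Challenge(nonce, "lpwan", now)
        return nonce  # in the real system this goes out on the LPWAN downlink

    @staticmethod
    def iot_otp(key, nonce):
        """What the IoT object computes and shows to the user: a 6-digit OTP."""
        mac = hmac.new(key, nonce, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def finish(self, user, otp, channel, now=None):
        """Second factor: different channel than the challenge, in time, single use."""
        ch = self.pending.get(user)
        now = now if now is not None else time.time()
        if ch is None or ch.used:
            return False
        if channel == ch.sent_over:        # structural diversity: reject same channel
            return False
        if now - ch.issued > OTP_TTL:      # challenge expired
            return False
        ch.used = True                     # one attempt per challenge, even if wrong
        expected = self.iot_otp(self.iot_keys[user], ch.nonce)
        return hmac.compare_digest(expected, otp)
```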
