Scholarly article on topic 'A Novel Strong Password Generator for Improving Cloud Authentication'

A Novel Strong Password Generator for Improving Cloud Authentication Academic research paper on "Computer and information sciences"

CC BY-NC-ND
0
0
Share paper
Academic journal
Procedia Computer Science
OECD Field of science
Keywords
{"Security Cloud Computing" / "One-time password" / "Multi-factor Authentication"}

Abstract of research paper on Computer and information sciences, author of scientific article — Abderrahim Abdellaoui, Younes Idrissi Khamlichi, Habiba Chaoui

Abstract In recent years, there has been a growing interest in the cloud computing paradigm thanks to its benefits, such as multi-tenancy, scalability, cost efficiency and its unlimited storage. However, like any new technology, there are still a number of challenges relevant to this paradigm and most notably user authentication. In order to achieve better security than the alphanumerical password, this paper describes a scheme which allows strengthening the authentication process in the cloud environment using the password generator module by means of a combination of different techniques such as multi-factor authentication, One-time password and SHA1.

Academic research paper on topic "A Novel Strong Password Generator for Improving Cloud Authentication"

ELSEVIER

International Conference on Computational Modeling and Security (CMS 2016)

A Novel Strong Password Generator for Improving Cloud

Authentication

Abderrahim Abdellaouia'*, Younes Idrissi Khamlichib, Habiba Chaouia

aSystems Engineering Laboratory, ADSI Team, ENSA Kenitra, Ibn Tofail University, Morocco bSystems Engineering Laboratory, UMBA University, ENSA Fes, Morocco

Abstract

In recent years, there has been a growing interest in the cloud computing paradigm thanks to its benefits, such as multi-tenancy, scalability, cost efficiency and its unlimited storage. However, like any new technology, there are still a number of challenges relevant to this paradigm and most notably user authentication. In order to achieve better security than the alphanumerical password, this paper describes a scheme which allows strengthening the authentication process in the cloud environment using the password generator module by means of a combination of different techniques such as multi-factor authentication, One-time password and SHA1.

© 2016 The Authors.Publishedby Elsevier B.V. This is an open access article under the CC BY-NC-ND license (http://creativecommons.Org/licenses/by-nc-nd/4.0/).

Peer-reviewunderresponsibility of the Organizing Committee of CMS 2016 Keywords: Security Cloud Computing; One-time password; Multi-factor Authentication;

CrossMark

Available online at www.sciencedirect.com

ScienceDirect

Procedia Computer Science 85 (2016) 293 - 300

1. Introduction

As Cloud computing is gaining more popularity in the recent years, more and more organizations are attracted by its characteristics (On-demand self-service, Broad network access, Resource pooling, Rapid elasticity, Measured service(1)) and advantages such as business ease and financial saving. Thus, these organizations attempt to shift to

* Corresponding author. Tel.: +212-6-53287057; E-mail address: abderrahim90@gmail.com.

1877-0509 © 2016 The Authors. Published by Elsevier B.V. This is an open access article under the CC BY-NC-ND license

(http://creativecommons.Org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of the Organizing Committee of CMS 2016

doi:10.1016/j.procs.2016.05.236

the cloud infrastructure in order to exploit its advantages. Cloud computing is an automated technology service, which deliver in addition to networking and storage, customer relationship management. It is an economic model based on a hugely scalable IT platform (Data Center) to reduce the cost of provisioning, operating and de-operating its resources. This concept is very cost efficient and it provides access to almost unlimited storage. However, some recent developments in cloud computing have heightened the need for promoting the security in this environment from a different security perspective (authentication, confidentiality, integrity, non-repudiation, availability), particularly cloud authentication. In fact, the safety and security of sensitive user data and applications in the cloud environment relies primarily on user authentication. As a matter of fact, the authentication feature is one of the most important security characteristics of whatever system, particularly, the cloud system. It enables verifying the legitimacy of the users before accessing to cloud resources. There are many authentication schemes that have been proposed in recent years following different approaches, specifically, we can distinguish, text password, multi-factor authentication, 3D password, third party authentication, biometric scans and graphical password. Furthermore, it has been recently shown that text-based password is the most used method among the previously cited methods. However, according to many research studies (4-10, 12, 15, 20, 21), due to its vulnerabilities such as dictionary and brute-force attacks, key-loggers, shoulder surfing and social engineering, the text-based password scheme remains a quite weak authentication method for the cloud environment even if its ease of use.

This paper introduces a new authentication scheme based on the one-time password and two-factor authentication. The aim of this scheme is to strengthen the authentication process in the cloud environment, using the password generator module. The second section presents some works related to the authentication techniques that enhance the process of authentication in the cloud. Section 3, describes the key concepts and introduces a prototype of our scheme. Section 4 provides the security analysis details about PassGen scheme. Finally, a conclusion is given with, eventually, some perspectives for further works.

2. Related works

A variety of methods have been proposed in the literature to overcome the problem of weak user authentication. Each one has its advantages and drawbacks. In 1981, Leslie Lamport (2) introduced his first remote user authentication method based on one-way hash encryption function and a password table. However, despite its ease of use, the scheme suffers from some weaknesses such as high hash overhead and the necessity to store the password table (3). Other researchers emphasize on the concept of smart card to overcome the weak user authentication problem. Hwang et al (4), presented a scheme in which they combine smart card and third party authentication to achieve a single sign-on authentication in an inter-cloud service. Several smart-card methods have been proposed in the literature, particularly, Tsaur et al.(5), Hwang et al.(6), Choudhury et al. (7), Jaidhar (8), however, these approaches require special tools such as a smart card reader for the authentication process. The second category of approaches is multifactor authentication, Yassin et al (9), proposed a scheme that combines two-factor authentication (2FA), RSA digital signature and One-Time Password (OTP) in the cloud computing using asymmetric scalar-product preserving encryption (ASPE) and RSA digital signature as two-factors. The scheme introduced three main steps: setup, registration and the authentication phase. The user performs the Setup and Registration phase only once, whereas the authentication phase is done whenever the user access to the cloud. This scheme does not require extra devices such as token device, a card reader in a smart card system and scanner in physiological biometrics. However, they have not treated password update in much detail. Another concept of enhancing authentication is biometric scans, by way of illustration, Jivanadham et al (10), proposes a two levels of authentication called the Cloud Cognitive Authenticator (CCA). It is an API, integrating bio-signals and one round Zero Knowledge Protocol (ZKP) for authentication. It uses Electro Dermal Responses (EDR) for the first level authentication. The main weakness of this scheme is the requirement of an extra device for the authentication. CCA uses data captured from an EDR biometric scanner when the users want to access the cloud services. One of the most important alternatives of the login/password scheme is graphical passwords, this technique consists of clicking on a set of images instead of using an alphanumeric password. By means of example, Shi et al. (11), introduced a scheme in which users choose and memorize the locations of passwords for each n x n squares, then, they enter the numbers corresponding to the locations in each randomly generated square. One major drawback of this scheme is, it cannot resist strong shoulder-surfing attack. In this section we have introduced some significant approaches

proposed in the literature in order to improve the process of authentication in the cloud environment. In the next section, we present our proposal in this context. Therefore, to mitigate the login/password scheme we employ a three level of authentication using a password generator from both the cloud provider and the client. Thus, the use of the password generator would improve and strengthens the entire authentication process against common types of attacks. The novelty of our work is the use of pixels of images in order to create a one-time password as a third level of authentication. Moreover, our method can address the guessing and shoulder-surfing attacks.

3. Proposed work

This section describes the proposed scheme for strengthening authentication in the cloud environment. The basic idea of the proposed scheme (fig 1) is described as follows:

1. The user inserts his Un and Password ( Ps ). Then the cloud server verifies the authenticity of the user < Un , Ps >

2. Upon receiving the login request, the cloud server sends a challenge S based on every specific user and requests an OTP.

3. Every user has a specific secret image Im . The user creates the OTP by means of a challenge, a secret image and a PassGenApps. The PassGen extract a portion of the secret image and compute its hash value in order to create the OTP.

4. The cloud server authenticates the user based on the OTP sent by the user in step3.

Before delving into more details about our systems, we introduce the terminology used in this paper.

Table 1. Notations

Notation Description

< Un, Ps> Login/password

Im ) Portion oof the Image Im

S Challenge

Im Image

OTP One-time password

PassGenerator

a Position From where the truncation begins

3.1. Registration phase

In the registration phase the user performs the following steps:

Stepl: The user installs the PassGenerator apps 3 in his device such as (Smartphone, PDA, Tablet ...) Step2: A user U chooses and registers his username Un and a password Ps, in the cloud server S. The server S assigns an image Im to the client and stores the triplet < Un, Ps , Im > as credentials. The cloud server request from 3 an image Im and a function ^ () < Im, Ç () >.

Step3: Upon receiving < Im, ^ () >, the cloud server sends < Im, ^ () > to the user Un then this latter stores

< Im, £ () > in his device that contains 3 (figl.(a)). In this phase, the clients and cloud server are supposed to be honest.

3.2. Login phase

Step 0: In the login phase the user performs the following steps: he submits his username Un and a password Ps

< Un , Ps > to the cloud provider, then, the cloud server S checks the authenticity of the user. If the user is authorized, go to stepl.

Step 1: The cloud server requests one-time password generation from the Cloud 3 . A challenge S is generated

from < Im , ^ ()> then it is sent to the cloud server S.

Fig. 1. (a) Login phase; (b) Registration phase.

Step 2: The cloud server provides a challenge S to the client and requests a one-time pass OTP1.

Step 3: The client receives the challenge ( S ) from the cloud server S, then he adds S to the client 3 and generates

an OTP2 using < Im, ^ ()> stored in the client device.

Step 4: The client generates OTP2 from the client 3 . He submits the OTP2 to the cloud server, after that, the cloud server checks if OTP2=OTP1 then the client is authenticated. The steps mentioned above are illustrated in Fig. 1.

3.3. Update pass-image phase

The users must change regularly their image-Pass to further protect their data as well as cloud services. The following section describes the image-Pass update steps.

To change Image Pass the user must authenticate to the server cloud server, and then the cloud server presents to the user a set of potential image-Pass. The user selects and downloads an image of his choice. At the end, the user will replace Im2 by Im1 in his device.

Fig. 2. Password reset phase;

3.4. Tools and Concept used in the PassGen 3

• Multi-factor authentication enables to add a second layer of security for the authentication process. It requires two or more of the following verification methods:

(1) Authentication based on Something you are (biometric methods).

(2) Authentication based on Something you know (passwords).

(3) Authentication based on Something you have (smart cards, challenge-response lists, one-time pads ... ).

• One-way hash function is a mapping f from some set of words in itself such that:

(1) f Takes a message as an input and converts it into a fixed output.

(2) f is one-way in the sense that it is easy to compute f from one way, but infeasible from the other way.

Suppose we have a message A, it is easy to compute f but unfeasible to compute f( f (A)).

• Function Trunca is a function that enables to truncate parts of alphanumerical text in order to generate the OTP. Trunca uses a to determine the position from where the truncation begins. a <= [1,34 n and can be represented as = c^o^ where ^ and^ are respectively tens and units digit of a .

• The challenge S is an alphanumerical code generated by the cloud 3 . The client 3 uses S and < Im, E, ()> in order to generate the one-time password OTP. 8 represents the coordinates X and Y of a point P (Pixel) in the image Im that have been provided during the registration phase. 8 can be represented as follows:

5 = ax || X || A || Y \ \&2 where A is the reference of the secret image Im and || is the concatenation operator.

• Function <^0 is a function that enable us to cover an important number of pixels (a portion of the image) used as parameters of the SHA-1 function in order to be used in 3 later. Fig. 3 Shows the process of extraction of

£ ( Im (8 )) and SHA-1( ( Im (S ))). Example : ¿f1 ( Im (S )))^ <P(0,0), P(x,0), P(x,y), P(0,y)> ¿f 2 ( Im (8))) ^ < P(0,0), P(x,0), P(x,y), P(0,0)> where P(x,y) points in the image Im .

Fig. 3.Extraction of ¿f ( Im ( S ))

• PassGenerator 3 One of the most important tools of this scheme is 3 . It is a tool that enables to create an OTP. We can distinguish two PassGenerator : a cloud 3 and a client 3 (fig.3). The cloud 3 is incorporated into the

cloud infrastructure and the client 3 is handheld and it can be installed in whatever device (Smartphone, Tablet, PDA). The prime responsibility of 3 is to generate a one-time password OTP and a challenge 8 by means of the fourfold < Un, Ps, Im, E, >. The challenge 8 plays an important role in the creation of the OTP. The 3 uses the challenge 8 to generate the one-time password OTP.

We describe the process of the OTP creation using 3 from the client and the cloud server as follow:

1- The client receives the challenge 8 from the cloud server.

2- The client adds the challenge 8 into his device.

3- The PassGen 3 Identify the point P(x,y) and OC by means of the decomposition of the Challenge 8 = a, || X || A || Y || a2 ^ [P(x,y),a] .

4- Apply the function ( ^ or^2 or .., ) On the secret image Im provided by the cloud server using 3 Apply the SHA-1 function on the portion of the image SHA-1( £, (Im( S )))Apply Trunc6 ( Trunca (SHA-1( £, (Im( S ))))= OTP (fig 3)

4. Analysis of the scheme

• Replay attack: After a brief time T1, the password will be no more valid. This feature prevents the intruder to record the client's password. In other words, the scheme resists to the replay attack.

• Man-In-The-Middle (MITM): Our scheme can resist against man in the middle attack using the technique of one-time password used in the PassGen scheme, so even if a malicious user intercepts the password during the authentication phase, the password would be expired and could not be used for the next session.

• Dictionary and brute-force attacks: The scheme resists against dictionary and brute-force attacks. In fact, the scheme uses a two-factor authentication [< Un , Ps >, OTP] so even if a brute-force or a dictionary attack could be applied and even if the password is revealed, it will be an expired password. So why try to crack such an obsolete password? Obviously, these attacks are fully eliminated.

• Guessing attacks: In our case, we use a scheme composed of two-factors. The first factor is the username Un and a password Ps <Un,Ps>, and the second factor is the one-time pass <OTP> created by 3 . Thus, in addition to the text password, we add a second level of authentication in order to strengthen the process of authentication. It is difficult for a malicious user to find or extract a password composed of at least 6 digits. Moreover, even if a malicious user finds Ps, he can't find the OTP. In other words, the scheme withstands guessing attack.

• Security of the password: The scheme uses the cloud 3 to create passwords automatically and these passwords are not stored in the cloud database. The cloud database contains only client's image instead of a file of passwords. The passwords are generated for every login phase automatically, and they are available for limited period. Thus, it is clearly evident that the scheme can supply security of the password.

• Password change: The scheme satisfies the password change feature for users. As a matter of fact, the cloud provider requests from the users to change their secret image Im1 after being used for a determined number of passwords, and replace it with a new image Im2. In this way, the scheme provides the password change by replacing Im1 by Im2.

• Privacy-breaching malware is a set of malware that enables malicious users to disclose sensitive user information such as login and password. Key-loggers are a prominent example of these malwares which are easy to implement (16,17,18). For this reason, our scheme can overcome this problem using 3 . Firstly, the code is generated in a different device (smartphone, PDA) so, the code could not be revealed and even if the attacker finds the OTP, this latter will be no more valid for the next authentication session.

It is helpful at this point to provide a comparison between PassGen and some existing cloud authentication. Table 2 is given as a result of the comparison study.

Table 2.Comparison between PassGen and some existing cloud authentication

2Lac [22] [ 19] [13] [14] PassGe^~

o - o - o O

o x o - o O

o o o - o O

o o o o o O

o o - o o O

Features

Password change o x x x o O

Cloud-based protocol o o o x o O

Privacy-breaching malware o x - - o O

One-time password x o x x x O

Replay Attack Man in the Middle Dictionary and Brute Force Attack

Guessing Attack Shoulder Surfing Attack

Table 2 shows a comparison between our scheme and some authentication schemes for the cloud and traditional systems published recently, particularly, Wu et al(13), Nimmy et al (14), Yassin et al(19), Abdellaoui et al (21) and Cheng et al(22). In Table 2, if the scheme prevents attack or satisfies the feature, the symbol 'o' is used and if the scheme fails to prevent attacks or does not satisfy the feature, the symbol x is used. The PassGen presents an improvement of 2LAC (21) system in term of authentication time and ease of use.

Table3. Creation of OTP

Image-Pass

Image Size

Challenge

sha-1(^ (Im (8 )))

0125A849

C6 58 70 05 DC A3 E2 E8 3C 8B 51 E3 4A 33 B8 6A 41 0F 77 66

128x128

0110A45

D8 30 E6 4E AC 7F E4 B3 EE 30 1F D9 29 52 FC 00 A0 D9 6F 30

236A1233

C0 3C 73 55 AE B6 2D 2C 41 32 0F 43 5A 38 F3 9D 1C BA 6E 43

1B 27 CE 75 E9 06 3C E4 E3 5D 49 B3 4E 97 33 9A EC E5 71 D5

2106B841

F9 9F 31 D0 6C 9E 49 01 D6 B8 D9 DA C0 C2 C7 2A 7E AE D3 16

0506B7264

EF DD 2F 87 BF 11 BB 18 18 B5 55 6F 07 50 3B 4D 28 6B 4A A8

DC A3 E2

E6 4E AC

43 5A 38

E7 5E 90

D9 DA C0

D2 F8 7B

Table 3 shows the one-time password creation steps using the challenge S the function applied to different

image-pass.

Conclusion and Future work

In this paper, we introduced the cloud computing environment, and then we presented several works proposed in the

literature in order to overcome the problem of weak user authentication in this environment. We further proposed a novel strong password scheme based on a one-time password and two-factor authentication scheme for the cloud environment using the PassGenerator to surmount the security flaws of login/password scheme. The PassGenerator can be implemented in a device like Smartphone and PDA. Our proposed scheme is immune to a common type of attacks while providing some important security features which several schemes fails to satisfy. The obtained results show that our scheme is more appropriate for the cloud environment compared to other related schemes. So far, we have developed an efficient cloud authentication framework. But despite of this, there still several open problems in the cloud security, particularly, data integrity. We believe that it would be a very interesting and fruitful area for further works.

References

1. Mell, P., & Grance, T. (2011). The NIST definition of cloud computing.

2. Lamport, L. (1981). Password authentication with insecure communication. Communications of the ACM, 24(11), 770-772

3. Kumar, M., & Balyan, A. (2010). Security Vulnerabilities of a Novel Remote User Authentication Scheme Using Smart Card Based on ECDLP. In Contemporary Computing (pp. 252-259). Springer Berlin Heidelberg.

4. Hwang, M. S., & Sun, T. H. (2013). Using smart card to achieve a single sign-on for multiple cloud services. IETE Technical

Review, 30(5), 410-416.

5. Tsaur, W. J., Li, J. H., & Lee, W. B. (2012). An efficient and secure multi-server authentication scheme with key agreement. Journal of Systems and Software, 85(4), 876-882.

6. Hwang, M. S., Chong, S. K., & Chen, T. Y. (2010). DoS-resistant ID-based password authentication scheme using smart cards. Journal of Systems and Software, 83(1), 163-172.

7. Choudhury, A. J., Kumar, P., Sain, M., Lim, H., & Jae-Lee, H. (2011, December). A strong user authentication framework for cloud computing. In Services Computing Conference (APSCC), 2011 IEEE Asia-Pacific (pp. 110-115). IEEE.

8. Jaidhar, C. D. (2013, February). Enhanced mutual authentication scheme for cloud architecture. In Advance Computing Conference (IACC), 2013 IEEE 3rd International (pp. 70-75). IEEE.

9. Yassin, A. A., Jin, H., Ibrahim, A., Qiang, W., & Zou, D. (2013). Cloud authentication based on anonymous one-time password. In Ubiquitous Information Technologies and Applications (pp. 423-431). Springer Netherlands.

10. Jivanadham, L. B., Islam, A. K. M. M., Katayama, Y., Komaki, S., & Baharun, S. (2013, May). Cloud Cognitive Authenticator (CCA): A public cloud computing authentication mechanism. In Informatics, Electronics & Vision (ICIEV), 2013 International Conference on (pp. 1-6). IEEE.

11. Shi, P., Zhu, B., & Youssef, A. (2009, June). A PIN entry scheme resistant to recording-based shoulder-surfing. In Emerging Security Information, Systems and Technologies, 2009. SECURWARE'09. Third International Conference on (pp. 237-241).

12. Moghaddam, F. F., Moghaddam, S. G., Rouzbeh, S., Araghi, S. K., Alibeigi, N. M., & Varnosfaderani, S. D. (2014, April). A scalable and efficient user authentication scheme for cloud computing environments. In Region 10 Symposium, 2014 IEEE (pp. 508-513). IEEE.

13. Wu, T. S., Lee, M. L., Lin, H. Y., & Wang, C. Y. (2014). Shoulder-surfing-proof graphical password authentication scheme. International journal of information security, 13(3), 245-254.

14. Nimmy, K., & Sethumadhavan, M. (2014, February). Novel mutual authentication protocol for cloud computing using secret sharing and steganography. In Applications of Digital Information and Web Technologies (ICADIWT), 2014 Fifth International Conference on the (pp. 101-106). IEEE.

15. Sabzevar, A. P., & Stavrou, A. Universal multi-factor authentication using graphical passwords. In Signal Image Technology and Internet Based Systems, 2008. SITIS'08. IEEE International Conference on(pp. 625-632). IEEE.

16. Hong, D., Man, S., Hawes, B., & Matthews, M. M. (2004). A Graphical Password Scheme Strongly Resistant to Spyware. In Security and Management (pp. 94-100).

17. Ortolani, S., & Crispo, B. (2012, August). NoisyKey: Tolerating Keyloggers via Keystrokes Hiding. In HotSec.

18. Holz, T., Engelberth, M., & Freiling, F. (2009). Learning more about the underground economy: A case-study of keyloggers and dropzones (pp. 1-18). Springer Berlin Heidelberg.

19. Yassin, A., Jin, H., Ibrahim, A., Qiang, W., & Zou, D. (2012, May). A Practical Privacy-preserving Password Authentication Scheme for Cloud Computing. In Parallel and Distributed Processing Symposium Workshops & PhD Forum (IPDPSW), 2012 IEEE 26th International (pp. 1210-1217). IEEE.

20. Abdellaoui, A., Khamlichi, Y. I., & Chaoui, H. (2015). Out-of-band Authentication Using Image-Based One Time Password in the Cloud Environment. International Journal of Security and Its Applications (IJSIA), 9(12), 35 - 46

21. Abdellaoui, A., Khamlichi, Y. I., & Chaoui, H. (2015). An Efficient Framework for Enhancing User Authentication in Cloud Storage Using Digital Watermark. International Review on Computers and Software (IRECOS), 10(2), 130-136.

22. Cheng, F. (2011). Security attack safe mobile and cloud-based one-time password tokens using rubbing encryption algorithm. Mobile Networks and Applications, 16(3), 304-336.