Alpha Eritrean Engineers Community

VOL. 3 NO. 2 JUNE 2012

FORMAL VERIFICATION OF AN ELECTRONIC PAYMENT SYSTEM ALTERNATING CURRENT(AC) VS. DIRECT CURRENT(DC)

MOBILE AUTHENTICATION LIST OF COMPANIES HIRING

AEEC | October 2011

1 AEEC

CONTENTS AND CONTRIBUTORS

TOWARDS FORMAL VERIFICATION OF AN ELECTRONIC PAYMENT SYSTEM BY D R . T EMESGHEN K AHSAI A LTERNATING CURRENT (AC) VS.D IRECT CURREN(DC) BY S AMUEL F ESSEHAYE MOBILE AUTHENTICATION BY Y ARED N EGUSSIE LIST OF COMPANIES OR GOVERNMENTAL
AGENCIES CURRENTLY HIRING

EDITORS
SEBLE GEBREMEDHIN, M.S. IN PSYCHOLOGY ADIAM WOLDEGERGISH, PH.D SAMSON GONNETZ, B.A. IN CIVIL ENGINEERING AND YOSIEF WOLDEMARIAM, B.A. IN ELECTRICAL ENGINEERING.

AEEC | October 2011

It is imprudent to mourn the men and women who gave everything they had, including the ultimate sacrifice of life. Rather, we should be grateful such heroic men and women lived. We shall not and will not forget the sacrifice of our fallen fathers, mothers, brothers and sisters without whom the dream of freedom would not have materialized.

AEEC | October 2011

TOWARDS FORMAL VERIFICATION OF AN ELECTRONIC PAYMENT SYSTEM IEL AND CONCRETE NTRODUCTION
In this paper we describe the formal analysis, verification and testing of an electronic payment system called EP2. Here, we illustrate the modeling of the EP2 specification in a formal specification language, namely Csp-Casl. The latter allow us to describe in a mathematically rigorous and expressive way the important aspects and functionality of the system. Having a formal specification of EP2 allows us to verify interesting properties such as deadlock freedom. Electronic payment systems are now very common and these days we expect almost all shops to be able to take payment by debit or credit card. The system comprises of components such as back-end systems (e.g., the shops and the banks computer systems), the point of service (e.g., till), and the PIN-pad. A typical use case is that the sales assistant instructs the till to take payment by card, then you insert your card into the PIN-pad and then enter your PIN number and if the PIN number is correct then money is electronically transferred from your bank account to the shops bank account. Electronic payment systems represent an important benchmark for both the theory and practice of system Figure 1: Overview of EP2 architecture. specification. In theory, they provide a suitable benchmark to demonstrate the abilities of formal specification languages. In practice, they are classified The EP2 system is such an electronic payment system as critical systems and thus must be developed with due and it stands for EFT/POS 2000, short for Electronic diligence. Fund Transfer/Point Of Service 2000, it is a joint project established by a number of (mainly Swiss) In this paper we consider such an application by financial institutes and companies in order to define developing a formal specification, reason about its EFT/POS infrastructure for credit, debit, and electronic correctness and finally test an actual physical payment purse terminals in Switzerland. system.

AEEC

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

AEEC | October 2011

AEEC

The EP2 system, as illustrated in Figure 1, consists of seven autonomous entities: Acquirer: A system for processing electronic payment transactions. Card: Payment utility opened by a specific cardholder. Point of Service (POS): A system where a cardholder may purchase goods and/or services. POS Management System (PMS): System that allows the merchant to administrate his terminal population. Service Center: A system component used for configuration and maintenance of a terminal. Terminal: A system used for processing transactions. Card: Utility to make payments.

When a system deadlocks it appears to the user as if the system has frozen (or crashed) and can be impossible to interact with. We would like to establish whether our formal specifications have certain desirable properties such as deadlock freedom. We have developed an infrastructure including tool support [2, 3] that can verify that our formal specifications do indeed exhibit such properties. On the other hand, in order to increase our confidence that a particular physical system actually fulfils its specification, we have developed a testing framework [4, 5]. This framework allows us to run tests on the physical system and evaluate the result against what the specification states should be the result.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

In the next section we describe the modeling of EP2 in Csp-Casl. We then discuss how we prove some desirable properties such as deadlock freedom. Finally, These components are centered around an EP2 PINwe illustrate how we test a physical EP2 PIN-pad in an pad. The different entities communicate with the automated fashion. terminal and, to a certain extent, with one another via messages in a fixed format. The messages contain information about payment authorization, financial FORMALLY SPECIFYING THE ELECTRONIC PAYMENT transactions, as well as other aspects such as SYSTEM maintenance and configuration of the components. The state of each component heavily depends on the content The (informal) EP2 specification [6] consists of twelve of the exchanged messages. documents (approximately 600 pages in total), each of which describe the different components or some aspect A formal specification language is a way of writing common to the components. Each document is down in a mathematically rigorous way, exactly what a comprised of a number of different informal system should do. For this project we used one of many specification notations: plain English; UML-like formal specification languages, namely Csp-Casl [1]. graphics (use cases, activity diagrams, message Csp-Casl is tailored for the description of distributed sequence charts, class models, etc.); pictures; tables; systems e.g., electronic payment systems. This language lists; file descriptions; encoding rules, etc. The top level can describe the different aspects involved in EP2 such EP2 documents provide only an overview of the data as data (e.g., amount of money, account numbers, PIN involved, while the presentation of further details for a numbers, etc.) and processes (e.g., the behavior of the specific type is delayed to separate low-level PIN-pad and other components). documents. Many systems have faults, in both software and Informal specifications such as this have inherent hardware; deadlock is a common example of such a problems such as ambiguity and imprecision. fault.

AEEC | June 2011

AEEC

A formal specification language is a way of writing down in a mathematically rigorous way exactly what a system should do. A specification does not stipulate how a system should do its job, just what it should do. As formal specification languages (such as CspCasl) are defined mathematically they are not ambiguous and are precise, thus addressing some of the shortcomings of informal specifications. Also, as formal specifications are based on mathematics, reasoning about them (using mathematical proofs) is possible. The informal specification has various levels of abstraction, which we mirror in our formal Csp-Casl specification. At the highest level of abstraction (which we call the architectural level) we capture the overall view of the system and forget about all the technical details. The abstraction level is the easiest to understand and just specifies the individual components of the system as black boxes (i.e., that they exist and we do not state their behavior) and how such components are connect together. Figure 1 shows the informal architectural level, which we mirror in Csp-Casl. Once the architectural level as been specified we move to a more detailed description of the components at the next level of abstraction, which we call the abstract component level. Here we add detail about each of the components and how each one should behave. This can be thought of as sketching how a component works in a rough sense, like what data it can send and expect to receive at certain points in time. For instance you would expect when making a payment at a shop that the PINpad shows you the amount of money for your purchase, then asks you for your PIN number, at which point you enter your PIN number and then the PIN-pad takes appropriate action if you entered the correct PIN number. This is what we mean by specifying the behavior of the PIN-pad. At this level of abstraction our data (the messages) becomes more detailed, for instance we state that messages contain data such as account numbers and the monetary amounts of the purchases.

At the most detailed level (that we consider here), which we call the concrete component level; we specify even more details about each component. We fill in all the details about exactly how each component should behave. The messages at this level are fully detailed and contain further information on the data inside the messages e.g., exactly how long account numbers should be (in terms of digits). These levels do not stand alone, they are related by what we call refinement. The top level specification (the architectural level) refines to the abstract component level and the abstract component level refines to the most detailed level, the concrete component level. Refinement means that at a lower level we do not contradict what we said at higher levels, but only add more detail to the system specification. Any properties that we expect to exist at higher levels of abstraction should also hold at lower levels of abstraction. The reader can refer to [7, 8] for the overall modeling of EP2 in Csp-Casl.
The informal specifications have informal refinements between the levels of abstractions which cannot be verified mathematically. Whereas the formal specifications have formal refinements which can be verified mathematically. Such verification (i.e., mathematical proof) requires tool support, to this end we have developed tool support to help us carry out

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

refinement proofs in Csp-Casl.

TOOL SUPPORT
For quite a while, Csp-Casl existed only as a blackboard language: while the subject of several papers, its syntax and semantics remained malleable, allowing experimentation and discussion. In order to achieve its full promise, however, it was clear that tool support would be required. The first step towards such tool support was to fix Csp-Casls syntax and static semantics, and to implement them within an appropriate tool [9].

AEEC | June 2011

AEEC

We have developed Csp-Casl-Prover [3, 10], a tool, which allows one to perform interactive theorem proving on Csp-Casl specifications. Specifications can contain refinements, which the specifier expects to hold. Using Csp-Casl-Prover we can guarantee mathematically that such formal refinements actually hold. This task requires the user (specifier) to guide the theorem prover through the mathematics until the theorem prover can establish that the refinements actually hold. In the next section, we discuss how to verify properties of Csp-Casl specifications. Verification is centered around formal refinements and thus the tool Csp-CaslProver is central to verification for Csp-Casl.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

Figure 2: Overview of Csp-Casl based testing.

VERIFICATION

TESTING THE EP2 SYSTEM

In the previous section we have mentioned the verification of interesting properties of EP2. Such verification process is done at the specification level. Here, using Csp-Casl-Prover we have proven that for instance, according to the specification, that the communication between a PIN-pad and the acquirer is deadlock free. We now need to relate the physical EP2 PIN-pad with the formal specification. Such relation is done through testing.

Having a formal specification of a system allow us to verify certain properties. In the case of EP2, we have verified that the refinement between the different levels of abstraction is actually correct. This means that all properties that have been outlined at the architectural level are still present in the abstract component level and finally in the concrete component level. Such proofs are done systematically using Csp-Casl-Prover. [2, 8] describes in more detail how such proofs are In [4, 5] a theory for Csp-Casl based testing has been carried out. proposed. In [12] such theory has been applied to Moreover, we have proved that the communications formally test the starting system of the Rolls-Royce between the different EP2 components are deadlock BR725 jet engine. Figure 2 shows, in a nutshell, how free. Deadlock is a phenomenon pertaining to networks Csp-Casl based testing works. of communicating systems, which occur when two systems cannot agree to communicate with each other, Specification, Implementation (physical system) and thus the whole system becomes permanently frozen. Test Cases are mutually related artifacts. Specifications This is potentially catastrophic in the case of payment and Test Cases are written in Csp-Casl, the systems, see [11]. Again the proofs of deadlock analysis Implementation is treated as a black box. A test case is of EP2 are done systematically using Csp-Casl-Prover. simply an experiment that is run on the system.

AEEC | June 2011

AEEC

Test cases can be constructed either from the specification as shown in the triangle or independently from it. The specification determines the alphabet of the test cases (e.g., the type of messages the EP2 components exchange), and the expected result of each test case. The expected result is coded in a coloring scheme of test cases. If a test case is constructed which checks for the presence of a required feature (according to the specification), we define its color to be green. If a test case checks for the absence of some unwanted behavior, we say that it has the color red. If the specification does neither requires nor disallows the behavior tested by the test case, i.e., if a system under test may or may not implement this behavior, the color of the test case is defined to be yellow. During the execution of a test on a particular system under test, the verdict is determined by comparing the color of the test case with the actual behavior. A test fails, if the color of the test case is green but the system under test does not exhibit this behavior, or if the color is red but the behavior can be observed in the system under test. The execution of a yellow test case yields an inconclusive verdict. Otherwise, the test passes.

system, we have implemented a tool called TEV (test evaluator) [8, 13]. Such tool is a hardware-in-a-loop testing framework. Hardware-in-a-loop testing is a well-established approach to validate complex systems, where the correct integration of software with its underlying hardware is essential [14]. The overall testing process of EP2 is done in two stages: 1. In the first stage, we classify the test case in terms of a coloring scheme, i.e., green, red or yellow. The proof of coloring a test case is done in Csp-Casl-Prover. 2. In the second stage, the colored Csp-Casl test case is first translated to the input language of TEV, and then this is directly executed on the physical EP2 system.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

TEV determines automatically if a particular test case has passed or failed. The test execution is conducted in a network environment, where two different machines are connected with a crossed Ethernet cable. Figure 3 illustrates this setting. Here, the EP2 terminal software is running on the black laptop (Windows OS), where a PIN-pad is attached on the serial port. TEV is running In selecting test cases for the EP2 system, we have on the white laptop (Mac OS). adopted some general guidelines based on the informal EP2 specification and the Csp-Casl specifications. Here, we use some general test purposes; for instance we have selected test cases in order to experiment the main functionality of the EP2 components, e.g., the PIN-pad is able to process a payment transaction. Other test purposes are related to the security features of the EP2 system. Here, we have selected test cases in order to make sure that the security features outlined in the specifications are actually present in the physical system. In order to execute test cases on the physical EP2 Figure 3: Testing a physical EP2 PIN-pad.

AEEC | June 2011

CONCLUSION
In this paper we have described the formal analysis, verification and testing of EP2 an electronic payment system. Here, we have described the modeling of the EP2 specification in the formal specification language Csp-Casl. Having a formal specification of EP2 allowed us to verify interesting properties such as deadlock freedom. Finally, we have presented a tool that tests a physical EP2 payment system in an automatic fashion. Overall this industrial application of the theoretical framework of Csp-Casl, demonstrates the feasibility of modeling, verification and testing in Csp-Casl. This includes many aspects: (1) Scalability: It is possible to completely model a non-trivial system like EP2. (2) Expressiveness: Csp-Casl is expressive enough to capture the different aspect of such system. The reactive behavior and the complex data types. (3) Clarity: Csp-Casl is able to mirror the informal specification and to capture the different levels of abstraction. The refinement between the different levels are then proven using Csp-Casl-Prover. (4) Verification: Having a formal specification made it possible to prove interesting properties of the system. (5) Testing: Our testing framework is able to effectively test a physical EP2 PIN-pad. Future research will include the automatic selection and generation of test cases from the Csp-Casl specification and the studies of novel strategies to test new security features of EP2. ~ Dr. Temesghen Kahsai (SE)

Reference:

[1]M. Roggenbach, Csp-Casl: A new integration of process algebra and algebraic specification, Theoretical Computer Science, vol. 354, no. 1, pp. 4271, 2006. [2]T. Kahsai and M. Roggenbach, Property preserving refinement notions for Csp-Casl, in WADT 2008, LNCS 5486, pp. 206210, 2009. [3]L. OReilly, M. Roggenbach, and Y. Isobe, Csp-Casl-Prover: A generic tool for process and data refinement, Electron. Notes Theor. Comput. Sci., vol. 250, no. 2, pp. 6984, 2009. [4]T. Kahsai, M. Roggenbach, and B.-H. Schlingloff, Specification-based testing for refinement, in SEFM 2007 (M. Hinchey and T. Margaria, eds.), pp. 237247, IEEE Computer Society, 2007. [5]T. Kahsai, M. Roggenbach, and B.-H. Schlingloff, Specification-based testing for software product lines, in SEFM 2008, pp. 149159, IEEE Computer Society, 2008. [6] E. Consortium, EFT/POS 2000 specification, version 4.0.0, 2008. Project Overview available at http://www.eftpos2000.ch. Last accessed June 2010 [7]A. Gimblett, M. Roggenbach, and B.-H. Schlingloff, Towards a formal specification of an electronic payment systems in Csp-Casl, in WADT04, LNCS 3423, Springer, 2005. [8]T. Kahsai, Property Preserving Development and Testing for Csp-Casl. PhD thesis, Swansea University, 2010. [9]A. Gimblett, Tool support for Csp-Casl, Masters thesis, Swansea University, 2008. [10]L. OReilly, Developing proof technology for Csp-Casl, Masters thesis. [11]Barclays computer glitch shuts down cash machines and online banking for three-and-a-half hours, 2009. http://www.dailymail.co.uk/news/article-1193440/. Last accessed June 2010. [12]T. Kahsai, G. Holland, M. Roggenbach, and B.-H. Schlingloff, Towards formal testing of jet engine Rolls-Royce BR725, in Concurrency, Specification and Programming, pp. 217229, 2009. [13]L. B. Chuan, Towards hardware-in-a-loop testing for an international standard of an electronic payment system, Masters thesis, University of Wales Swansea, 2005. [14]S. Nabi, M. Balike, J. Allen, and K. Rzemien, An overview of hardware-in-the-loop testing systems at Visteon, SAE Technical Paper Series, 2004

AEEC | June 2011

Comments & Suggestions

Page
Wow, what a great job!!! I am really proud of you guys. I Hi, just got the email and start reading it, it sounds really good. Thank you for your hard work of professional happen. Great Congratulations on the issuance and making it magazine & sorry for job!!! time to respond while I have actually read all on time. taking Engineer Mekonen Hadgu Working in group with people in related discipline like this might seem meaningless in the short term but if you continue working Comments with institutions harder and specially get linked & Suggestions at home there could It is really nice to seegap especially in consultancyoutput. be possibility to fill a the project issuing its first services. Page Great work and keep it up. Hope it will inspire lots of Eritrean Engineers and may be it will the a venue forlist. Many thanks for including my name in be circulation attaining engineering carries for a lot of young Eritrean and theYohannes GebreAb like. Engineer Filipos Abreha Hello, Bravo. This is really wonderful and your effort and those of Thank is much appreciated and to make hope the best for others you for working hard workneeded. Ithis happen. But I noticed minor error on Yared's educational background. Yared graduated the future of AEEC and its members. I also want to thank from Chico State in Computer engineering, not computer you for your kind words in the 1st edition. I am very science. humbled and honored. I believe that if we are in a position Samson Gonets to lend a helping hand to our fellow people, then the fruits of that simple effort are enjoyed by many. Engineer Daniel Woldeselasie ALPHA ERITREAN ENGINEERS

A E E C

AEEC | June 2011

AEEC

ALTERNATING CURRENT (AC) VS. D IRECT CURREN(DC)

BACKGROUND Thomas Edison is known to many as the heroic American inventor of light bulb. During the initial years of electricity distribution, Edison's direct current was the first standard for the United States. Direct current (DC) worked well with incandescent lamps; the principal load of the day worked well with motors. Direct-current systems could be directly used with storage batteries, providing valuable load-leveling and backup power during generator operation interruptions. Direct-current generators could be easily paralleled, allowing economical operation by using smaller machines during light load periods, and improving reliability. At the introduction of Edison's system, no practical AC motor was available. Alternating current (AC) was first developed in Europe. In North America, one of the believers in the new AC technology was George Westinghouse. Westinghouse was willing to invest in the technology, and hired other engineers to work on an AC distribution system-using step up and step down transformers of a new design in Figure 1 1886. In the later years, Nikola Tesla joined the company. Tesla partnered with Westinghouse Electric to Fig - 1 Nikola Tesla's AC dynamo used to generate AC commercialize his particular AC system. which is used to transport electricity across great distances.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

Engineering problems are under-defined; there are many solutions, good, bad and indifferent. The art is to arrive at a good solution. This is a creative activity, involving imagination, intuition and deliberate choice.
- Ove Arup -

AEEC | June 2011

10

AEEC

During the "War of Currents" era in the late 1880s, George Westinghouse and Thomas Edison became adversaries due to Edison's promotion of direct current (DC) for electric power distribution over alternating current (AC), advocated by several European companies and Westinghouse Electric based out of Pittsburgh, PA. Nicolas Tesla, an electromechanical engineer, initially was hired by Edison. Edison promised him money for what he was going to do, yet refused to pay him. Tesla eventually quit Edisons company and joined the company of G. Westinghouse. This event marked the beginning of the war of currents. At Westinghouse, Tesla developed the system of AC generators. DC power was very expensive especially with long distance transmission. This was due to the tremendous loss of power in transmission; on the other hand, AC transmission had less power loss and more effective. Hence, this behavior made AC affordable even to remote areas. Edison became jealous of Teslas achievement and campaigned against Teslas new AC generation system, stating that it was dangerous. He tried to prove this by electrocuting live animals in front of audiences. Tesla became successful, and the Westinghouse Company went on bankruptcy to fight the AC propaganda.

THE RETURN OF DC CURRENT AC transmission allows the electricity system to cover larger geographical areas, bringing into play huge grid networks and the possibility of electricity generation from more remote sources such as hydroelectric power stations even though the rules are changing. The basic assumptions of efficiency and security of supply that underpin big networks are now being questioned. Large generating plants are becoming less competitive compared to small-scale technologies. Power failures more commonly originate in the electricity grid than in the generating technology. The discovery of semiconductors and the invention of the transistor triggered a revolution in how we use electricity. Machines and appliances such as computers, video recorders and microwave ovens operate internally on DC power. Individual inverters on each appliance convert the incoming AC electricity into DC.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

The cheapest, cleanest, and most reliable power could be generated by technologies at home. Solar photovoltaic (PV) panels convert sunlight directly into electricity. They can replace roof tiles and building facades, they have no moving parts and they generate electricity without emissions of greenhouse or other gases. Fuel cells are a developing technology, generating electricity from hydrogen and oxygen and emitting only Tesla designed the first major hydroelectric power plant water vapour. in the world using his poly phase system of AC electricity. As a result, in 1896 the city of Buffalo was lit The development of bio-diesel, biomass electrical, by AC electric generated from Niagara Falls, which he combined heat and power generators is also progressing, developed utilizing his AC system. The system was since it works on small-scale wind turbines. All these efficient and cheap compared to Edisons DC system. technologies generate DC electricity. With inverter Therefore, this marked the end of the War of Currents. efficiencies of around 90%, each switch of electricity Finally, Thomas Edison gave up on the competition and between AC and DC means that less electricity is the AC electricity was recognized as the standard available for use. Do AC electric systems still make electric system in the United States.

AEEC | June 2011

11

AEEC

Sense with more appliances using DC and more businesses, and grants are on offer to encourage uptake. technologies generating it? And if the electricity output is used close to where it is generated, what gains are As uptake increases, costs should come down with there in inverting it to AC for transmission? further developments to the technology, and economies of scale kicking in. From the perspective of developing countries, a DCbased electrical system could provide access to electricity without the mass of towers and wires that are necessary for an AC system. Locally managed, smaller scale, and more environmentally benign technologies such as solar PV and small hydro-electric schemes allow communities to have control over how their electricity system is developed and utilized. For something as important as electricity, we have little influence on its production. Presently, it comes from remote, large-scale, uncontrollable networks, routed by people who have never heard of solar PV. By installing Fig 2 low-polluting power plants at home or in communities, Although still costly at the moment, technologies such energy does not necessarily need to be tied to the global as solar photovoltaic (PV) panels and fuel cells have real power politics of oil and gas any longer. Thomas Edisons original vision was a direct current, potential for delivering a low-polluting energy system. locally based electricity system. Over 100 years later, the technologies have started to emerge with motivation. This has been recognized by governments and ~ Engineer Samuel Fessehaye

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

Reference:

1. Cheney, Margaret (2001). Tesla: man out of time. Simon and Schuster. p. 21. ISBN 978-0-7432-1536-7. "Everyone in London is talking about the New Wizard of the Westand they don't mean Mr. Edison" 2. AC Power History: http://www.edisontechcenter.org/ACPowerHistory.html 3. McNichol, Tom (2006). AC/DC: the savage tale of the first standards war. John Wiley and Sons. p. 80. ISBN 978-0-7879-8267-6. 4. Great Barrington Historical Society, Great Barrington, Massachusetts 5. "AC vs DC". IEEE Global History Network. IEEE. Retrieved 21 July 2011.

AEEC | June 2011

12

Eritreans who are currently looking for Engineering/Technical jobs

Name
Kibrom Hadgu Samuel Fessehaye Thomas Araya Samson Gonetz Simon Haile

Degree
Electrical Engineer Electrical Engineer Computer Science Civil Engineer Electrical Engineer

Experience
17 years Eight years Seven ears Five Year One year

Email
kibromwoldehaimanot@yahoo.com SBFessehaye14@gmail.com thomasaraya@yahoo.com samigonnetz@yahoo.com dhaile8@gmail.com

Phone Number
(415) 678-7179 (510) 830-7082 (510) 757-7352 (510) 495-4538 (678) 982-0147

AEEC | June 2011

13

AEEC

Mobile Authentication
AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~
In both cases, someone can gain access to the session that in progress and access confidential information and data. Since mobile devices are small, they are prone to Because of the pervasiveness of mobile devices, people the second problem and thus the focus of this paper and are increasingly relying on their mobile devices to do compare transient mobile authentication method and business. This business includes connecting to online the location based mobile authentication. financial services such as banks and to corporate office. When connecting to online banks or corporate offices Transient authentication ameliorates this problem by an individual is required to type in a user name and terminating connection to the mobile device if user is password. Then, the information is transmitted securely away from the device a few meters. This especially to the destination intended. This process requires two prevents access to the mobile device when the device is events to happen. First, the user must be authenticated, stolen or lost. A proposal by (Anthony et. Al, 2006) which means the user needs verification to make sure provides not only authenticating users with transient the individual is who he claims to be and second, the authentication method, but also protecting data while information needs to be transmitted securely. the connection is terminated. This protection of data There have been many proposals of authentication methods to mobile devices. Some of the proposed methods are: 1) token based authentication where tokens are used to authenticate user, 2) transient authentication where tokens are used to authenticate users and the connection is terminated as the token is further than few meters away from the device (Anthony N, Mark R, and Brian N., 2006) and 3) location based authentication where the authentication is based on the users current location. Traditionally, authentication relies on what user knows and/or what user has. Location based authentication is an addition to the traditional authentication by adding where user is and when. Barbecaru (2011) shows how this approach can be cost effective and secure. includes encryption, overwriting and flushing data when necessary. In the case where the user is away from the system, all the necessary confidential information will be dealt with appropriately until the user returns, at which time, the connection automatically resumes and system is restored to where it was before the termination. Transient application works as follows: user carries a wearable token on his body, which constantly communicates with the mobile device. The token uses Bluetooth technology to communicate with the mobile device. When the token departs from the device within certain range, then data in the mobile device is protected by using encryption, overwriting and/or flushing system.
Principles:

Comparison of Transient and Location Based Mobile Authentication

TRANSIENT AUTHENTICATION:

Transient authentication is based on the The main goal of transient authentication is to alleviate following four principles: authentication problems that are prone to persistent 1. Sensitive computation is performed only when sessions. There are two major issues with persistent log the user is near the token. That is, the user is the in sessions. The first one is in an event when one is only one who has access to the device as he away from the device and the log in the session is carries the token. All encryption keys will active, anyone will be able to accessing the computer. present on the users wearable token. When the The second problem is when the device is lost or stolen. pairing is broken, any credential that is stored in

AEEC | June 2011

14

AEEC

the devices cash, for performance reason, must be flushed, and everything else needs to be secured. 2. There should be no excessive security overhead that will frustrate and overwhelm users. This prevents users from disabling their security features because they are aggravated or frustrated. When the user departs from the device, system should be protected within reasonable time. Upon returning to the device, the system should restore within short time period.

Besides encryption, one important aspect is what happens if the token is lost. This problem must be handled cautiously since the token holds the decryption key. Two scenarios are explained by (Anthony et. Al, 2006), With tokens require PIN or password to work a user must enter his personal identification number t least once. When the time expires, the token is unusable unless the user enters password. On the other hand, how does a token distinguishes one device from another? This is handled by requiring binding. A user can select which devices he would like to bind during the authentication. If there is no selection from the user for a particular device, then there will be no The token must be explicitly authenticated. User must communication between token and the device. enter PIN to login to the token. When a device is apart from the token, all confidential AUTHENTICATION ARCHITECTURE: file locations must be secured and one has to determine which locations need to be secured. Some types of data The main part of the system is the link between the have inherently short life time. Files in registers and device and the token. The link is established via short Translation Lookup Buffers (TLB) have data that is range wireless communication. The wearable token constantly overwritten or flushed out by the operating contains the server process, which includes public key system, thus being handled by the operating system. encryption keys and the mobile device has the client The challenge is then to determine which locations of process. The server continually polls the client and if the system will be secured. As data passes from one there is no response, then all data in various locations of location to another, parts or all of the data may be the device must be protected by encryption, overwriting cached in different part of the system. Once the device or flushing depending on what needs to be protected. and the token are separated, data that may lie within different part of the system must be secured. The One of the components of authentication architecture is following locations are identified by (Anthony et. Al, key management. To protect attacker from easily 2006), as areas where system must be secured: decrypting encryptions, to prevent unnecessary latency and performance degradation, the key management has a. Persistent locations: flash memories, hard drives to be handled very carefully. To access the data that and other persistent locations need to be was encrypted, the device must have appropriate secured. Since deleting files is not enough to decryption key as the user departs. To avoid low get rid of confidential material these persistent performance by the device as well as others getting hold areas must be encrypted. of encryption keys, these keys are stored in the token. b. Virtual memories: This process utilizes ram and To further protect degrading performance, the device disk storage devices for paging, used by the caches decrypting keys avoids unwanted virtual memory needs to be secured. The communication between the token and device. These transient authentication framework encrypts cashed encryption keys are flushed when the token and content of RAM in place when token departs device are separated.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

AEEC | June 2011

15

AEEC

preventing latency. The system already secures disks; therefore, it will not be ideal to try to encrypt data stored in the disk by the virtual memory. c. Peripherals: This system does not encrypt, or flush the system since it is difficult to encrypt in this locations and it is not accessible externally. To secure data that may be in peripherals the recommendation is to use end-to-end encryption such as NIC. d. Displays: Securing data, which is in video card buffers requires overwriting buffers which leaves the displays blank.

and performance issues and will deal with performance tradeoff ZIAfs employs per-directory keys.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

LOCATION BASED AUTHENTICATION:

While token based authentication is a strong mechanism, there has been some resistance in using it. The resistance is mainly because of cost, server synchronization and worry to carry multiple tokens for multiple solutions (Tanvi, Sonal, Kumar, 2011). Tokens can also be lost and they may be difficult to replace once compromised. To mitigate the issue of tokens, strong authentication mechanism is needed. Location based authentication provides a solution as an alternate means of token based authentication. With the growing popularity of the Internet, social media and Smartphone, one can easily see the potential of location based authentication without delving too much into the details of how it works. Location based authentication can be used in addition to one of the traditional authentication methods: what user knows or what he is. Location based authentication avoids issues with loosing tokens or keys. (Jansen & Korolev, 2009) list benefits of using location based authentications as follows. An authentication attempt from an authorized location is rejected If an authentication attempt is made from outside the defined territory, the authentication mechanism can require for additional authentication mechanisms to satisfy the requirement If a user attempts to initiate specialized authentication, the authentication mechanism can require such activity be conducted only from approved location.

ZERO INTERACTION FILE SYSTEMS:

When the device reconnects with the token, all secured data is unlocked and the device is available for work leaving the device in unsafe mode. These locking and unlocking of the device happens when the user enters his password. To alleviate such problem, some systems may force re-authentication; however, doing so decreases the usability of the system by creating annoyance. A new file system, Zero Interaction File System (ZIAfs) was created in response to the authentication problem. ZIAFs provides an effective file encryption and because the encryption keys are stored in the file directory which is encrypted, accessing file creates latency. This latency is created as a result of the communication between the token and device to encrypt and decrypt information. To ease the improper performance burden, ZIAfs keeps cached copies of all decrypted keys in the device. When the connection with the token is broken, this information is flushed and has to be repopulated again. This method keeps performance in check while making sure security is maintained by not exposing the keys to public and how granular file and directory structure affects performance. Assigning each file or chunk its own symmetric key this will create massive amount of keys

AEEC | June 2011 16

AEEC

If a user moves from a defined territory, This would be a onetime unpredictable password. automatic trigger of authentication mechanism can be initiated in order to grant or deny access. Galileo Local Element the LE (Local Element) is an important part of Galileo which is in charge of Many types of location based authentications have been certifying the time and accuracy of the location. By proposed. (Francis, Mayes, Hancke and Markanonakis, gathering data from GPS and Galileo this system 2010) propose location based authentication based on provides much accurate position information. intelligent location agents installed on mobile devices. In this model, the location of the device is the basis of One Time Codes (OTC) In authentication based on authentication to the network system and available one time codes, the prover and verifier both share a network services. This part of the document examines secret. The prover presents this secret to the provider. LRAP: A location based remote client authentication This secret is one time code. The one time code can be protocols for mobile devices proposed by (Berbecaru, generated by the user, or it can be generated by the prover and sent to the user. 2011) In location based authentication, major problem exists in resolving the location. The location provided by the location sensing device needs to be authenticated by third party in order to be considered reliable (Berbecaru, 2011). Two classes of solution are provided by (Jansen and Korsov, 2009) are the first class of solution where the location is known by the device and not the infrastructure. Infrastructure is explained as the set collection of sensor equipment such as GPS satellite or mobile network tower. The second class of solution relies on the infrastructure. (Berbecaru, 2011) provides few solutions of for location authentication problem. The first solution presented is to use the U.S. space-based GPS system. This system provides accurate location information regardless of the weather; however, from security stand point, it has its drawback. There are several GPS simulators that provide location information designed to appear as if it came from GPS satellite, which means this is prone to spoofing attack. LRAPis based on three factors: 1) what the user knows, 2) where the user is and 3) when and what the user has. The architecture is composed of several components: the user, the User Terminal (UT), the Service Provider (SP) and the Galileo LE. This protocol consists of two phases: registration phase and operational phase. Before a remote client wants to establish a connection, he must have a unique ID that will be given upon successful completion of the registration phase (Limkar, Jha, Pmpalkar, Darde, 2011) The service provider generates an OTC encrypted with a key derived from the UT location and sends it to the UT for authentication. Several data is provided to the SP by the client during the registration. To check the accuracy of the data, SP might collect more data. The UT is authenticated based on OTC, ownership of the UT and the position of the UT. Using location based encryption algorithm, the author combined the position information with OTC. This will guarantee that the user can only recover the information if he is in certain position and has access to the UT.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

LSS location signature sensor is a solution that was proposed to mitigate the GPS signal authentication In LRAP location dependent data encryption algorithm problem. This tamper proof device would create and is used to drive the LDEA-key; however symmetric key verify a location signature containing geodetic position encryption with shared key is used to generate the and valid for a short time.

AEEC | June 2011

17

AEEC

Final-key; however, since the location information provided by the GPS receiver can be inaccurate, additional parameter Toleration Distance (TD) is introduced. TD must be known both by the sender and receiver. Implementation of LRAP: In this section, the document describes implementation of LRAP-based payment service at self-service gas station. The payment operations are performed via UT communicating with POS. Architecture: the SP such as bank is part of private payment system, which can manage multiple types of payment methods. The user assumes the UT is secure device. Two types of communication can be initiated by the UT: short range channel which is used to exchange information with the POS device at the gas station, and long range channel which is used to communicate with the PS and with the LE.

COMPARISON OF THE AUTHENTICATION METHODS

Security is not just important feature of mobile computing. It is mandatory that information is secured while information is being transferred through unsecured medium. There is no clearly defined strong authentication. In this paper, transient authentication and location based authentications have been explained. Two specific implementations of transient authentication and location based authentication were examined. The proposed transient authentication is basically token based authentication system, which provides authentication and encryption method. Advantages:

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

The proposed transient authentication method is very secure. In order for anyone to get authenticated, the user must have the token. The token is wearable which prevents issues such as loosing password, or forgetting Phases: the service is composed of registration and the password. operational phase. In the registration phase, the client and the gas station provider are registered with the In an event in which a device is stolen or lost, service provider by providing several data about encryption is immediately applied to all sensitive areas. themselves. Decryption of device and return to normal state is relatively easy. User needs only to be within vicinity in In the operational phase is where the position of the order for the device to decrypt and connection is device determined. This phase is composed of 11 steps. restored. Very detailed security measures are taken in The first of which is to get the location coordinates of order to secure the system while the token and device the UT from the GPS system or from the LE. The LE are parted. Every part of the system is secured. Data calculates the position of the UT based on the that is cached is overwritten or flushed. information that it gathers from the UT. Once the coordinates are taken care of, the UT opens secure Transient authentication framework leverages the connection with the SP to receive token. At this point operating systems security features. It avoids all communication to the SP has to be done securely. redundant actions by allowing the operating system The UT sends user authentication credentials over this handle some of the security issues that are originally channel; therefore, it is important that the taken care of by the operating system. communication is highly secured and encrypted. The SP first checks to see if the UT has been declared lost or The design of the transient system also took in to stolen before providing the token. Once information is consideration of the overall system usability. It avoided checked, token is provided which is then can recover forcing authentication repeatedly which will annoy the OTC.

AEEC | June 2011

18

AEEC

users and would cause them to disable the important Since location can be different within short period of security features. time, it will be very difficult for an attacker to fabricate an attack.

AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~ AEEC ~

DISADVANTAGES;

DISADVANTAGES OF LOCATION BASED AUTHENTICATION

Since the tokens are separately worn, they are prone to theft or loss. In case there is loss of token, the article The main drawback of location based authentication is (what article??) made no proposal what the monitory or that it relies on the feeds it receives about location of the device. The location can be spoofed. That means time cost is. data can be presented as if it is in one location while it Implementation of the transient authentication can be is really not in that location. costly. There are many components involved: device, token, servers and software which have to be constantly Implementation of the location based system is complex. There are lots of players involved in the maintained and updated. implementation. It requires that SP is aware of the On the other hand, the location based authentication authentication scheme in order for the authentication to system uses completely different model. It relies on the work. location of the device. The location is calculated based on signal from GPS. ADVANTAGES OF LOCATION BASED AUTHENTICATION: This authentication method does not require carrying a token or any other third device.
References Anthony N, Mark R, and Brian N, (2006)Mobile Device Security Using Transient Authentication. Transactions on mobile computing. Computer Society. 1489-1502. Berbecaru, D. (2011). A Location-Based Remote Client Authentication Protocol for Mobile Environments.Proceedings: 19th International Euromicro Conference on Parallel, Distributed, and Network-Based Processing: Aiya Napa, Cyprus, 8-11 February 2011 (pp. 141-145). Los Alamitos, Calif.: IEEE Computer Society Press. Parekh Tanvi, Gawshinde Sonal, Sharma Mayank Kumar, "Token Based Authentication Using Mobile Phone," csnt, pp.85-88, 2011 International Conference on Communication Systems and Network Technologies, 2011 Suresh V. Limkar, Rakesh Kumar Jha, Shilpa Pimpalkar, Santosh Darade, "Geo-Encryption - A New Direction to Secure Traditional SSL VPN," itng, pp.1070-1071, 2011 Eighth International Conference on Information Technology: New Generations, 2011 Wayne Jansen, Vlad Korolev, "A Location-Based Mechanism for Mobile Device Security," csie, vol. 1, pp.99-104, 2009 WRI World Congress on Computer Science and Information Engineering, 2009

~ Engineer Yared Nugssie

It provides strong authentication method. It also is powerful because it is used in addition to other factors such as password.
AEEC | June 2011 19

Hard to reach doesnt have to mean hard to do

A E E C

Bringing the best and the brightest together

Current Job Opportunities

Companies or Government Jobs
http://jobs-boeing.com/wright-patterson-afb/softwareengineering/jobid2493061-java-j2ee-software-engineer-1jobs http://jobs-boeing.com/houston/softwareengineering/jobid2493157-software-engineer-1_2-jobs http://jobs-boeing.com/huntsville/softwareengineering/jobid2490412-modeling-and-simulationsoftware-engineer-1_2-jobs http://jobs-boeing.com/oklahoma-city/systemsengineering/jobid2493059-systems-engineer-1_2-jobs http://jobs-boeing.com/oklahoma-city/systemsengineering/jobid2493062-systems-engineer-1_2-jobs http://jobs-boeing.com/oklahoma-city/systemsengineering/jobid2493066-systems-engineer-2-jobs

Location & Number

Closing Date
07/09/2012 07/09/2012 07/09/2012

Software Engineering
Wright Patterson, Ohio, 12-1013095 Houston, Texas, 12-1012236 Huntsville, AL, 12-1012750

System Engineering
Oklahoma City, OK, 12-1013074 Oklahoma City, OK, 12-1013108 Oklahoma City, OK, 12-1013126 09/04/2012 09/04/2012 09/04/2012

Mechanical Engineering
http://jobs-boeing.com/st-louis/mechanical-and-structuralengineering/jobid2493035-structural-analysis-engineer-2-st.louis-bma-%EF%B9%A0-phantom-works-jobs

Saint Louis, MO, 12-1012779

09/04/2012

AEEC | June 2011

20

About the authors

Temesghen Kahsai
lememta@gmail.com received his PhD in

computer science from Swansea University and currently a software developer at Microsoft (Skype division) and also a visiting researcher at the University of Iowa.

Samuel Fessehaye
SBFessehaye14@gmail.com earned his B.S. in Electrical Engineering from Asmara University. Currently he is working (volunteering) with Caltrans as an engineer. Yared Nugssie

If you need an updated information or discussions or got an Engineering experiences that you want exchange your knowledge or ideas with your fellow professionals. You will find us on www.linkedin.com/groups/AlphaEritrean-Engineers-Community

negussie@gmail.com received his B.S. in

Computer Engineering from Chico California State University and currently he is Sr. Technical Support Specialist at Pearson.

AEEC | June 2011

21