
Assessment of Strong User Authentication Schemes in Cloud based Computing

Mohit Mathur, Nitin Saraswat


Sr. Lecturer, Department of IT &CS, Jagan Institute of Management Studies (Affiliated to GGSIP University, New Delhi), Rohini, Delhi, India. mohitmathur19@yahoo.co.in, nitin779@gmail.com

Abstract
Studies indicate that digital identity fraud is still on the rise, with an increase in complexity (that is, "phishing," "man-in-the-middle," DNS poisoning, malware, social engineering, and so on). With the trend of moving data and services into the Web and cloud-based platforms, the management and control of access to confidential and sensitive data is becoming more than verifying simple user credentials at the onset of user sessions for one application. One of the most used methods today is the gaining of account access by stealing reusable credentials for Web sites that have not yet implemented "strong" user authentication. This is so because the most common forms of credentials today are knowledge-based (user ID and password) and are requested only once during sign-on, which provides a higher level of convenience to users but also requires less effort for attackers to exploit. Many attacks are evident as "phishing" messages that masquerade as ones sent by legitimate organizations and contain URLs that point to fraudulent Web sites with the same appearance as genuine ones. Often they act as a "man-in-the-middle" and eventually forward visitors to the actual Web sites; but, in the process, they have captured valid credentials that can be used to gain access to actual accounts. The question is whether you can really afford the cloud if you can't prevent unauthorized access to your data, which will be far more expensive to your business in terms of regulatory breach or reputation damage in the long run. In a shared pool outside the enterprise, you have no knowledge or control of where the resources run and where your data is stored. This paper emphasizes the authentication aspect of security in the cloud computing environment and some suggested solutions for it. The Authentication in a Cloud Environment guide identified that simple-password authentication is insufficient for ensuring authorized access to important cloud services.

INTRODUCTION
It looks like soon all computing will be called cloud computing, just because the cloud is in. The term cloud computing means: outsourced, pay-as-you-go, on-demand, somewhere in the Internet, etc. Cloud computing is an emerging computing pattern where data and services reside in massively scalable data centers and can be universally accessed from any connected device over the Internet. It is virtual, scalable, efficient, and flexible. Cloud computing is the technology in which the Web is replacing the desktop. It provides services on virtual machines allocated on top of a large physical machine pool. It is a method to address scalability and availability concerns for large-scale applications. It is totally democratized distributed computing. It includes large-scale data processing and cluster management. It is a virtualized server pool. It is an emerging approach to shared infrastructure in which large pools of systems are linked together to provide IT services. The computing resources being accessed are typically owned and operated by a third-party provider on a consolidated basis in data center locations. Target consumers are not concerned with the underlying technologies used to achieve the increase in server capability, which is sold as a service available on demand. The greatest advantage of cloud computing is that it easily handles peak-load situations without the need for additional hardware infrastructure that most of the time would remain underutilized. Physically, the resources might span multiple computers or even multiple data centers. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It's called cloud computing, and it could change the entire computer industry.
From a user-authentication perspective, moving data into the cloud and integrating cloud-based services should be implemented with the same level of overall effective authentication strength as the enterprise view of the authentication architecture. However, organizations have significantly less control over the authentication strength of the interdependent cloud-based services of their counterparts/partners. For example, whether via identity federation or delegation, the overall security posture of the resulting interconnected architecture can be compromised if the integrated services themselves have comparatively lower-strength authentication systems in place. Extra attention must be focused on ensuring appropriate levels of authentication strength for different user communities in a multitenancy model, without compromising overall and individual security and usability. Thus, the focus on authentication systems becomes one of the primary evaluation factors for organizations that are looking to adopt cloud-based services. Organizations must ensure that service providers offer the flexibility to deliver varying levels of strong authentication to meet the required security policies. From a capabilities perspective, many of the authentication architecture components are being deployed as cloud-based services, for example identity-proofing services deployed by credit bureaus, consumer-identity frameworks and providers, vulnerability-management networks, PKI and certificate-management services, secondary-factor channel providers, fraud detection, strong-authentication service providers, and so on. These services provide much-needed capabilities to compose a strong-authentication system; however, the same integration-security concerns remain, such that any one weak link in the connected-systems architecture will compromise the overall security posture.
Obviously, the greater and greater mass of sensitive data stored in the cloud by a corporate database has to be protected properly: once, operations took place on site and the authentication (recognition, we had better say) of the user was easy; now the service provider and the service user (commonly addressed as server and client in Web language) interact without ever seeing or meeting each other, and the problem of trustworthy, reciprocal recognition is quite huge: privacy and security concerns are strong both for corporations (whose private data are related to their business activities) and public administration (PA, whose sensitive data imply strong privacy concerns for the citizens they represent and serve). Moreover, for a big company with many employees the control of their rights over certain data is a strict necessity: easily guessable, not all of the research-lab database should be browsable through the Web, nor possibly accessible to all insiders, but it is going to be used and administered only by a few authorized users who must be able to prove their rights doubtlessly to the system daemon before they can interact with it. Actually, cloud authentication is remote authentication. We know that in the near future all computing will be called cloud computing, and since the security of the cloud is yet to be resolved, in this paper we are trying to point out various issues and challenges in applying strong remote authentication mechanisms on access to data/applications/other services from the cloud. Currently almost all cloud companies provide username-password based authentication (weak authentication) to access the cloud, which carries several flaws.

Authentication Schemes that can be applied to Cloud


1.1 Scheme I (Identity Metasystems)
In the basic authentication process, the entity requiring authentication presents credentials, usually an account ID and some additional information, to prove that the request is coming from the legitimate owner of the ID. This is a straightforward process that has been in use for decades. The basic logic behind password-based security is that an authorized user can keep and remember a secret. And that secret, in turn, is used to authenticate the identity of the authorized user for access to a particular system. Many known weaknesses exist in password-based systems. The types of attacks can be divided into three categories: technical (brute force), discovery, and social engineering. To counter all these types of attacks, designers have responded with three types of safeguards: password rules, system rules, and training and awareness. In the middle of all of these elements is the construct representing the user-generated password memory aid. Password rules are either optional or enforced specifications about the length of the password and the variety of the characters that comprise it. The length and variety contribute to the size of the domain set containing all possible passwords (commonly referred to as the keyspace), which increases the difficulty of brute-force detection. Prevention of easily guessed passwords reduces discovery. However, the same rules that increase password resistance to brute-force attack directly reduce the ability of a user to remember a password and increase the need for password memory aids. System rules relate to the procedural aspects of gaining access and are enabled in a system. For example, the automatic user lockout after three failed attempts is a system-enforced rule. More sophisticated mechanisms include expiring passwords and forcing password changes, or prescribing the amount of change at password change time.
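The password rules (length and character variety, hence keyspace) and the system rule of locking an account after three failed attempts are easy to see in code. The following is an added example, not code from the paper; the policy thresholds, character classes, sample passwords and the LoginGuard class are constructed for illustration, and the guard compares a stored secret directly where a real system would compare a salted hash.

```python
"""Scheme I mechanics: password rules (length and character variety, hence keyspace)
and system rules (lockout after three failed attempts, recording of failures).
Policy values and sample passwords are constructed for this illustration."""
import math
import secrets
import string

# Character classes a password rule can require (constructed policy).
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def _classes_used(password: str):
    return [name for name, chars in CLASSES.items() if any(c in chars for c in password)]


def keyspace_bits(password: str) -> float:
    """log2 of the number of passwords of this length over the character classes it
    uses: the domain a brute-force search must cover. Longer and more varied = more bits."""
    alphabet = sum(len(CLASSES[name]) for name in _classes_used(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def meets_rules(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Password rule: minimum length and minimum number of character classes."""
    return len(password) >= min_length and len(_classes_used(password)) >= min_classes


class LoginGuard:
    """System rule: lock the account after MAX_FAILURES wrong passwords and record
    every failed attempt so it can be reported."""
    MAX_FAILURES = 3

    def __init__(self, password: str):
        # Toy: constant-time comparison of the stored secret stands in for a hash check.
        self._password = password.encode()
        self.failures = 0
        self.locked = False
        self.audit = []  # one entry per failed or rejected attempt, for reporting

    def attempt(self, candidate: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        if self.locked:
            self.audit.append("rejected: account locked")
            return "locked"
        if secrets.compare_digest(candidate.encode(), self._password):
            self.failures = 0
            return "ok"
        self.failures += 1
        self.audit.append(f"failed attempt {self.failures}")
        if self.failures >= self.MAX_FAILURES:
            self.locked = True
            self.audit.append("account locked after repeated failures")
            return "locked"
        return "denied"
```

The keyspace figure is only as large as the classes the user actually draws from, which is why a rule that merely permits symbols adds nothing until users use them; the audit list is what a failed-access report would be built from.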
The reporting of failed access attempts is another system rule designed to improve security. System rules can also have the opposite effect, though, as they can lead to discovery patterns. There are systems that will e-mail an unencrypted password back to a user on request, presenting an opportunity for discovery.

1.2 Scheme II (Smart-Card Propagation)

With the availability of more complicated smart-card solutions and ecosystem support, more physical credentials are adopting smart-card (standard plastic cards embedded with microprocessors and/or integrated circuits) deployments. For example, many countries and states have already rolled out government-sponsored electronic ID programs for national citizens. Consequently, smart cards are becoming another form of authentication factor where smart-card readers are available and are integrated into authentication systems. A more complicated example is the smart-card system where a user typically has an ID, a password, and also a time-generated passkey from the smart card which changes every 60 seconds. This represents the case of something you have, as in the smart card, or ownership of a physical key. The authenticating server has the same time-changing numerical sequence as the specific smart card assigned to that ID, and if the ID, password and card-generated number are all correct, authentication is approved. This scheme verifies not just knowledge of an ID and password, but also possession of the specific smart card assigned to the ID. Frequently smart cards are combined with passwords for an account to increase security. This is an example of two-factor authentication and is more secure because it requires more items for authentication. The benefits of using a smart card include increased security, possible user mobility, and chronological access to one machine by multiple users. Two factors contribute to the increased security of smart cards. First, there is a decreased possibility of copying the smart card's private key because it never leaves the card. The smart card uses its on-board CPU to compute the transmitted data's digital signature. In contrast, with a software-based token, the computer decrypts the private key and holds it in memory while the CPU processes it.
Second, it is easier to copy a software-based token and to try to break its password at leisure without the user's knowledge. Fraudulent use of the smart card's private key is less likely because the attacker has to both steal the card and know the user's password or PIN. Guessing a card's password is usually unproductive because most cards use their on-board CPU to lock up after several wrong guesses. Using a strong password to protect the software-based token significantly diminishes this second threat; it is almost impossible to break a 16-character password. However, a smart card-based system does not automatically allow user mobility. User mobility is only possible if every machine that the user accesses has a smart card reader attached. The machine must support the same standard smart card reader interfaces or use the same proprietary smart card reader. Similarly, to use the same machine in sequence, multiple users must all use the same smart card technology. In addition, smart card technology can be expensive.

1.3 Scheme III (Biometrics)
A third form of authentication involves the concept of representing what you are, or biometrics. Biometrics can take several forms, from fingerprints to retinal scans to pupil images. The idea is again the same: the presentation of unique information proving identity. The benefit of biometrics is that, in most cases, you don't leave home without them, and they cannot be forgotten. A form of strong biometric authentication is multimodal biometrics, which uses a combination of different biometric recognition technologies. In order for biometrics to be ultra-secure and to provide more-than-average accuracy, more than one form of biometric identification is required; hence the need for multimodal biometrics. Multimodal biometric technology uses more than one biometric identifier to compare the identity of the person. Therefore, in the case of a system using, say, three technologies, i.e. face, mimic and voice, if one of the technologies is unable to identify, the system can still use the other two to accurately identify. By using more than one means of biometric identification, the multimodal biometric identifier can retain high-threshold recognition settings. The system administrator can then decide the level of security required: for a high-security site, all three biometric identifiers might be required to recognise the person, while for a lower-security site only one or two of the three. With this, the probability of accepting an impostor is greatly reduced. Despite their numerous advantages, biometric systems are susceptible to attacks which can decrease their security.
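The Scheme II server check (ID, password, and a card-generated passkey that changes every 60 seconds, all three of which must be correct) can be demonstrated with a small server model. This is an added example, not code from the paper; the paper does not say how the passkey is generated, so the HMAC-SHA1 truncation in the style of RFC 4226/6238, the shared card secret, the one-window skew allowance and the replay check are all assumptions of this example.

```python
"""Scheme II two-factor check: a password plus a time-generated passkey that changes
every 60 seconds. Card and server share a secret and a clock; the code is an HMAC-SHA1
truncation in the style of RFC 4226/6238 (an assumption; constructed secret)."""
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 60   # the paper's 60-second passkey window
DIGITS = 6
SECRET = b"constructed-card-secret-0001"   # provisioned to one card and the server


def time_code(secret: bytes, unix_time: int) -> str:
    """Derive the 6-digit passkey for the 60-second window containing unix_time."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TokenServer:
    """Authenticating server: per-ID password hash plus the card's secret. It accepts the
    current window and one neighbour for clock skew, and each window's code only once."""

    def __init__(self):
        self._users = {}         # user_id -> (salt, password_hash, card_secret)
        self._used_window = {}   # user_id -> last window whose code was accepted

    def enroll(self, user_id: str, password: str, card_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user_id] = (salt, _hash_password(password, salt), card_secret)

    def login(self, user_id: str, password: str, code: str, now: int) -> bool:
        record = self._users.get(user_id)
        if record is None:
            return False
        salt, pw_hash, card_secret = record
        # Factor 1: something you know.
        if not hmac.compare_digest(pw_hash, _hash_password(password, salt)):
            return False
        # Factor 2: something you have. Try the current window and its neighbours.
        current = now // STEP_SECONDS
        for window in (current, current - 1, current + 1):
            expected = time_code(card_secret, window * STEP_SECONDS)
            if hmac.compare_digest(code.encode(), expected.encode()):
                if self._used_window.get(user_id) == window:
                    return False   # replay of an already-consumed code
                self._used_window[user_id] = window
                return True
        return False
```

Both factors are checked with constant-time comparisons, the password is verified before the code so a stolen card alone yields nothing, and a code that has already been accepted in its window is refused, which closes the obvious replay of a captured passkey.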
Biometric authentication is vulnerable to the following eight types of attack. A type 1 attack involves presenting a fake biometric to the sensor. Submitting previously intercepted biometric data constitutes the second type of attack (replay). In the third type of attack, the feature extractor module is compromised to produce feature values selected by the attacker. Real feature values are replaced with ones selected by the attacker in the fourth type of attack. The matcher can be modified to output an unnaturally high matching score in the fifth type of attack. The attack on the template database constitutes the sixth type of attack. The transmission medium between the template database and the matcher is attacked in the seventh type of attack, resulting in the alteration of the transmitted templates. Finally, in the eighth type, the matcher result (accept or reject) can be overridden by the attacker.
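The multimodal decision described for Scheme III (three identifiers, the administrator deciding how many must recognise the person) and the claim that this reduces the probability of accepting an impostor can be made concrete. The following is an added example, not the paper's code; the modality names follow the paper, while the thresholds, sample scores and per-modality false-accept rates are constructed, and the independence assumption behind the probability calculation is an assumption of this example.

```python
"""Multimodal biometric decision for Scheme III: each modality (face, mimic, voice)
yields a match score; the administrator sets how many must pass. Thresholds, scores
and false-accept rates below are constructed sample values."""
from dataclasses import dataclass
from itertools import combinations

# Per-modality acceptance thresholds (constructed; real systems tune these from
# measured false-accept / false-reject rates).
THRESHOLDS = {"face": 0.80, "mimic": 0.75, "voice": 0.85}


@dataclass(frozen=True)
class Decision:
    accepted: bool
    passed: tuple    # modalities whose score cleared their threshold
    missing: tuple   # modalities that produced no usable sample


def multimodal_decision(scores: dict, required: int) -> Decision:
    """Accept when at least `required` modalities clear their thresholds.
    A modality absent from `scores` (sensor failure, no sample) is not a pass,
    so a high-security site with required=3 fails closed instead of degrading."""
    if not 1 <= required <= len(THRESHOLDS):
        raise ValueError("required must be between 1 and the number of modalities")
    passed = tuple(m for m, t in THRESHOLDS.items() if scores.get(m, 0.0) >= t)
    missing = tuple(m for m in THRESHOLDS if m not in scores)
    return Decision(len(passed) >= required, passed, missing)


def impostor_accept_probability(fars: dict, required: int) -> float:
    """Probability that an impostor is accepted when `required` of the modalities
    must pass and each modality falsely accepts independently with rate fars[m].
    Sums, over every subset of size >= required, the chance that exactly that
    subset passes; this is the 'k of n' combination the administrator chooses."""
    names = list(fars)
    total = 0.0
    for k in range(required, len(names) + 1):
        for subset in combinations(names, k):
            p = 1.0
            for m in names:
                p *= fars[m] if m in subset else 1.0 - fars[m]
            total += p
    return total
```

With constructed false-accept rates of 1 %, 5 % and 2 %, requiring one of three accepts an impostor about 7.8 % of the time, two of three about 0.17 %, and all three 0.001 %: raising the required count buys the reduction the paper describes, at the price of more rejections when a sensor is unavailable.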

1.4 Scheme IV (Combination of Biometrics and Smart Cards)
The combined use of biometrics and smart cards sums the advantages of the two technologies, enhancing the security of the authentication protocol. This combination has been raised as a matter of trustworthy authentication, but more than one security caveat could still affect the implementation of this kind of system; usually, if we try to prevent unauthorized accesses, we could use a three-factor authentication protocol that involves even a PIN to primarily unlock the card for the biometric testing. Combining these factors we should have achieved the strongest combination of information needed to provide authentication into a system:
I) insert your smart card in a reader or in the USB port of a workstation;
II) enter your secret PIN to unlock the smart card;
III) place your finger on the scanner and have the sample compared to the fingerprint template;
IV) if the data matches, the smart card's secured private key could be used in some way, for example encrypting a nonce sent by the host's application;
V) the application can now verify that a certified key obtained from a valid certificate encrypted its nonce and verify, using the public key as well, whether the nonce is the same it has sent.
Although this protocol involves all three factors of the trinity (a smart card, a PIN and a finger), none of the readers of this paper would feel safe in using it, because we have no information on its implementation: we do not know where the sample is taken and how it is sent to the smart card, we don't know how the PIN is used by the host workstation, we cannot trust the workstation itself, and we do not know if the reader has been manipulated by third parties. This demonstrates that it is not true at all that using more than one authentication factor leads to strong and certain authentication unless the protocols are strong and secure.
So, using a smart card at its best, we could achieve safe encrypted storage for the biometric template, addressing much of the privacy concerns exposed in the previous paragraph and avoiding large on-line databases that attract the attention of Web hackers. Using a biometric factor, possibly combined with a PIN, we could achieve a higher recognition rate. Answering the first question we posed about secure storage and smart cards, we could report more than one technique for interacting with the template; each of these represents different challenges and grants variable security features.

1.5 Scheme V (Remote Authentication I)
A new feature is Remote Authentication. The motivation behind this feature is simple: users do not want to sign up at every site they visit to post a comment, and site administrators do not want to allow nameless comments due to spam and other factors. Remote Authentication solves this problem by allowing people to log in to a website with their login credentials for another, established service. Remote Authentication ships with support for some websites and accounts. When correctly configured, the Remote Authentication system will allow registered users to log in to the website instance with their remote account. Each login form will include a drop-down box of supported login services. If a user login succeeds, a new account is created for that user, storing their remote username and the service used to authenticate, along with a secure hash of the password. In future, authentication will only be made with the remote server in the case that the user gets their password wrong, in which case the incorrect password is checked with the remote service again to see if the incorrect password is in fact the new password for that service. The username for the local account will initially be the username for the remote account; however, if that username has already been registered with the local website instance, a call is made to custom_uniqueRemoteUsername passing in the username and the service used. This function may return an altered username, and it is up to the webmaster of a given website to write a version of this function that meets their needs.

1.6 Scheme VI (Remote Authentication II)
A client workstation provides a login address as an anonymous ftp (file transfer protocol) request, and a password as the user's e-mail address. A destination server compares the user's e-mail address provided as a password to a list of authorized users' addresses. If the user's e-mail address is located on the list of authorized users' addresses maintained by the destination server, the destination server generates a random number and encrypts the random number in an ASCII representation using the encryption techniques provided by the Internet Privacy Enhanced Mail (PEM) procedures. The encrypted random number is stored in a file in the user's anonymous directory. The server further establishes the encrypted random number as a one-time password for the user. The client workstation initiates an ftp request to obtain the encrypted PEM random number as a file transfer (ftp) request from the destination server. The destination server then sends the PEM-encrypted random-number password, as an ftp file, over the Internet to the client workstation. The client workstation decrypts the PEM-encrypted file utilizing the user's private RSA key, in accordance with established PEM decryption techniques. The client workstation then provides the destination server with the decrypted random-number password, which is sent in the clear over the Internet, to log in to the destination server. Upon receipt of the decrypted random-number password, the destination server permits the user to log in to the anonymous directory, thereby completing the user authentication procedure and accomplishing login.
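Scheme IV (steps I to V: PIN unlock, on-card fingerprint match, the card's private key operating on a host nonce, the host verifying with the public key) and Scheme VI (the server encrypting a random one-time password to the user's RSA key, the client decrypting it and sending it back once) both rest on the same RSA key pair, so one added example serves both. This is not the paper's code: the card object, the exact-match toy fingerprint matcher, the three-try PIN lockout, the authorised address list and the OTP bookkeeping are constructed, and the key is textbook RSA on two fixed Mersenne primes with no padding, which shows the protocol flow only and is not a usable cryptosystem.

```python
"""Toy demonstration of the public-key flows in Scheme IV (smart card unlocked by PIN
and fingerprint signs a host nonce) and Scheme VI (server encrypts a random one-time
password to the user's public key). Textbook RSA on two fixed Mersenne primes, no
padding: the protocol flow only, not real cryptography."""
import hashlib
import secrets

# Constructed toy RSA key: the modulus is only ~92 bits.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, held only by the card/user


def _digest(nonce: bytes) -> int:
    """Hash the nonce into the RSA group so the card signs a digest, not the raw value."""
    return int.from_bytes(hashlib.sha256(nonce).digest(), "big") % N


class SmartCard:
    """Steps I-IV of Scheme IV: PIN unlock, on-card fingerprint match, on-card signing."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin: str, fingerprint_template: bytes):
        self._pin = pin.encode()
        self._template = fingerprint_template   # template never leaves the card
        self._tries_left = self.MAX_PIN_TRIES
        self.locked = self.unlocked = self.biometric_ok = False

    def unlock(self, pin: str) -> bool:
        """Step II: wrong PINs are counted and the card locks after three."""
        if self.locked:
            return False
        if not secrets.compare_digest(pin.encode(), self._pin):
            self._tries_left -= 1
            self.locked = self._tries_left == 0
            return False
        self.unlocked = True
        return True

    def verify_fingerprint(self, sample: bytes) -> bool:
        """Step III, toy matcher: exact equality stands in for a real template match."""
        self.biometric_ok = self.unlocked and secrets.compare_digest(sample, self._template)
        return self.biometric_ok

    def sign_nonce(self, nonce: bytes) -> int:
        """Step IV: the private key is usable only after both factors succeeded."""
        if not (self.unlocked and self.biometric_ok):
            raise PermissionError("card not unlocked by PIN and fingerprint")
        return pow(_digest(nonce), D, N)


def host_verify(nonce: bytes, signature: int) -> bool:
    """Step V: the host checks the signature with the public key from the certificate."""
    return pow(signature, E, N) == _digest(nonce)


def scheme_iv_login(card: SmartCard, pin: str, sample: bytes) -> bool:
    """Whole three-factor exchange; False as soon as any factor fails."""
    if not card.unlock(pin) or not card.verify_fingerprint(sample):
        return False
    nonce = secrets.token_bytes(16)
    return host_verify(nonce, card.sign_nonce(nonce))


# ---- Scheme VI: e-mail address as the anonymous-ftp password, encrypted OTP ----
AUTHORIZED = {"alice@example.org"}   # constructed list of authorised addresses
_pending_otp: dict = {}              # server side: e-mail -> outstanding one-time password


def server_issue_otp(email: str):
    """Return the random OTP encrypted to the user's public key, or None if not listed."""
    if email not in AUTHORIZED:
        return None
    otp = secrets.randbelow(N)
    _pending_otp[email] = otp
    return pow(otp, E, N)


def client_decrypt_otp(ciphertext: int) -> int:
    """The client recovers the OTP with its private key (PEM decryption in the paper)."""
    return pow(ciphertext, D, N)


def server_accept_login(email: str, otp: int) -> bool:
    """The OTP is consumed on use, so the same value sent again is rejected."""
    return _pending_otp.pop(email, None) == otp
```

Two points the paper's prose leaves implicit are made explicit here: the card refuses to sign until both PIN and biometric checks have passed, and the Scheme VI server discards the one-time password as soon as it is accepted, which matters because the decrypted value travels in the clear.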

Conclusion
So, it appears that a user-authentication system for consumer communities on the Web is growing beyond the traditional database-driven and/or directory-driven component of a Web application, for organizations that have higher data-confidentiality requirements. Implementation approaches for strong authentication span a full spectrum that ranges from highly integrated and interconnected/dependent to simple extensions of existing stand-alone architectures. Building a strong user-authentication architecture requires focus beyond just improving the credential-verification component. The overall architecture might include additional aspects, such as a layered system driven by risk-based analytics, which enables an adaptive authentication system. Also, the design of an authentication approach should be weighed against various requirements, such as data, identity assurance, usability, compliance and auditing, portability/scalability, manageability, and user-community dynamics. More importantly, however, just the same as other security initiatives, strong user authentication requires a carefully planned, well-balanced, and concerted approach across the entire IT architecture to ensure a consistently secure environment. With the growing acceptance of cloud-based services, consumer-identity metasystems, and mobile devices, while attack methods gain maturity and sophistication, the future outlook for strong user authentication is set for many ground-breaking developments. The rising trend of moving data and services into the cloud also necessitates methodical planning to ensure secure access for authorized users over the Internet. While existing simple-password-based authentication might continue to work for many consumer-oriented Web sites, its intrinsic vulnerabilities have been identified as security risks for institutions that have higher data-privacy requirements. To ease the risk of online identity fraud, organizations look to strong user authentication as the solution for improving their Web-based authentication systems. However, implementing strong user authentication often is not a straightforward task, as projects have myriad options from which to choose, a huge number of trade-offs to consider, and a cluster of intricacies to manage. This paper has intended to distill a comprehensive view of strong user authentication by examining its concepts, implementation approaches, challenges, and additional concerns at the architectural level.
Proceedings of the 37th Hawaii International Conference on System Sciences 2004 0-7695-2056-1/04 $17.00 (C) 2004 IEEE 9

