Abstract
As critical services and personal information move to the online world, passwords as the only user authentication method are no longer acceptable. The capacity of human memory does not scale to the ever larger number of ever stronger passwords needed for these services. Single sign-on (SSO) systems help users cope with password fatigue, but SSO systems still mostly lack support for strong two-factor authentication. At the same time, users have adopted mobile phones as personal digital assistants that are used both for accessing online services and for managing personal information. The phones increasingly include mobile trusted computing technology that can be used for hardware-based storage of user credentials. Thus, it is rather obvious that mobile phones should be used as authentication tokens for critical online services.
In this paper, we show that existing open-source software platforms and commonly available mobile devices can be used to implement strong authentication for an SSO system. We use the Internet-enabled mobile phone as a secure token in a federated single sign-on environment. More specifically, we extend the Shibboleth SSO identity provider and build an authentication client based on a Nokia hardware security module. Our system design is modular, and both the SSO solution and the hardware-based security module in the phone can be replaced with other similar technologies. In comparison to most commercially available strong authentication services, our system is open in the sense that it does not depend on a specific credential issuer or identity provider. Thus, it can be deployed by any organization without signing contracts with or paying fees to a third party. No modifications need to be made to the client web browser or to the online service providers. We conclude that it is possible to implement strong personal authentication for an open-source SSO system with low start-up and operating costs and gradual deployment.
© 2012 Springer-Verlag Berlin Heidelberg
Suoranta, S., Andrade, A., Aura, T. (2012). Strong Authentication with Mobile Phone. In: Gollmann, D., Freiling, F.C. (eds) Information Security. ISC 2012. Lecture Notes in Computer Science, vol 7483. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-33383-5_5
DOI: https://doi.org/10.1007/978-3-642-33383-5_5
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-33382-8
Online ISBN: 978-3-642-33383-5