A Strong Single Sign-on User Authentication Scheme Using Mobile Token Without Verifier Table for Cloud Based Services

  • Sumitra Binu
  • Mohammed Misbahuddin
  • Pethuru Raj
Chapter

Abstract

Cloud computing is an emerging computing paradigm that offers computational facilities and storage as services, provisioned dynamically on an on-demand basis via the Internet. The ability to scale resources and the pay-as-you-go usage model have contributed to its growth. However, cloud computing inevitably poses various security challenges, and the majority of prospective customers are worried about unauthorized access to their data. Service providers need to ensure that only authorized users access the resources, and for this they need to adopt strong user authentication mechanisms. The mechanism should give users the flexibility to access multiple services without repeated registration and authentication at each provider. Considering these requirements, this chapter proposes a Single Sign-on based two-factor authentication protocol for cloud based services. The proposed scheme uses a password and a mobile token as authentication factors and does not require a verifier table. The formal verification of the protocol is done using Scyther.

Keywords

Cloud, Two-factor authentication, Single Sign-on, Mobile token, Scyther

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  • Sumitra Binu, Christ University, Bangalore, India
  • Mohammed Misbahuddin, C-DAC, Bangalore, India
  • Pethuru Raj, IBM India Pvt. Ltd., Bangalore, India