Pragmatic Study Of Different Mobile Computer Science Essay


02 Nov 2017


R. Parimala1 C. Jayakumar 2

1 PhD Research Scholar, Bharathiar University, Coimbatore, India

Assistant Professor, S.S.K.V College of Arts and Science for Women, Kanchipuram

Email : [email protected]

2 PhD Research Supervisor, Bharathiar University, Coimbatore, India

Professor, CSE Department, RMK Engineering College, Kavaraipettai

Email : [email protected]

Abstract - Cloud computing is becoming the next-generation architecture of the IT enterprise. Clouds are massively complex systems. They can be reduced to simple primitives, which are replicated thousands of times, and common functional units. The complexity of cloud computing creates many issues related to security as well as to all other aspects of cloud computing. One of the most important issues is data security, since clouds typically have a single security architecture but many customers with different demands. The goal of this paper is to implement a working authentication solution that can be used in cloud services. The authentication method will be two-factor authentication with a mobile phone as the authentication device, which presents the user with a password that is valid only once and only for a certain period of time. The password given to the user after a successful 4-digit PIN input in the mobile phone software is the generated One Time Password used for authentication.

This paper also presents a solution to securely register new users over the Internet, without compromising the security of the mobile application. The encryption method used in the cloud service, which must be a fast and secure encryption algorithm, will also be implemented.

Keywords – Static passwords, AES (Advanced Encryption Standard), RC4, MOTP (Mobile One Time Password) with two-factor authentication, SSL (Secure Socket Layer)

I. Introduction

Security is very important in cloud computing, since people and companies store confidential data in the cloud. The services provided must also be easy to use, since cloud services have so many users with different technical backgrounds. There are big security concerns when using cloud services, since control of the services and data needed for the everyday running of a corporation is handled by another company. The consumer needs to trust the provider, and know that it handles their data in a correct manner and that resources can be accessed when needed.

Mobile One Time Password focuses on authentication and transmission of encrypted data in cloud services. The solutions currently used to log in to cloud services were investigated, and the conclusion is that they do not satisfy the needs of cloud services because they are insecure, complex and costly.

The most common login form used today for cloud services is the static password. Many agree that static passwords have a lot of security problems. Static passwords are often very easy to crack, because users prefer non-complex passwords. Users also rarely change their passwords, or they use the same password to access multiple services. Therefore, different cloud providers have lately started to use One Time Passwords with Two-Factor Authentication. The problem with their solutions is that they have become costly for the user or the provider, because the user has to carry a separate authentication device at all times.

Mobile One Time Password proposes using the user's mobile phone as the authentication device that presents the one-time password, which solves the problem of carrying a separate authentication device for two-factor authentication. As the mobile phone gives the user a One Time Password, the problem with static passwords for logins is also solved [8][12].

II. Literature Survey

Authentication

In general, authentication is the act of establishing or validating something (or someone) as authentic. In computer networks, on the Internet and in any web-based service, authentication is usually done using a login password. Knowledge of the password is taken as proof that the user is authentic. Each user first registers, or gets registered, using an assigned or self-chosen password. On each subsequent use, the user must know and use the previously declared password. The weakness of this system is that passwords can often be stolen, unintentionally revealed or forgotten [1][6].

Attacks:

Password Discovery Attack

This covers a series of attacks, including brute force, common passwords and dictionary attacks, which aim to discover a password. In the attempt to find a valid password, the attacker can try to guess a specific customer's password, try common passwords against all customers, or match a ready-made list of passwords against the password file (if they can retrieve it).

Man-in-the-Middle Attacks

An attacker inserts himself between the client and the verifier in an authentication process. The attacker attempts to authenticate by posing as the client to the verifier and as the verifier to the client.

Replay Attacks

The attacker captures the data of a successful authentication and replays this information to the verifier to obtain a fraudulent authentication.

Phishing Attacks

Social engineering attacks use fake emails, web pages and other electronic communications to encourage the customer to disclose their password and other sensitive information to the attacker [11].

Encryption

Encryption is the core of a cryptographic system. It can be defined as the process of transforming information (usually plaintext) using a cipher algorithm to make it unreadable to anyone who cannot apply the inverse decryption process. Any encryption software can also perform decryption, returning the encrypted information to a readable (unencrypted) form with the help of a piece of information typically referred to as a key. The two encryption systems most widely used nowadays are AES and RC4. Generally, the most prominent cloud providers use RC4 encryption. One of these two encryption mechanisms is combined with the proposed authentication system for cloud computing, so that no information remains open and insecure during the authentication process.

III. TWO-FACTOR AUTHENTICATION WITH OTP

Static passwords cause many problems as an authentication method. To eliminate those problems, providers started to use two-factor authentication with one-time passwords as the login procedure for different services. One-time passwords and two-factor authentication are two separate solutions, but they are most often used together for better security.

One Time Passwords

A One Time Password (OTP) is just what the name implies: a password that is only valid for one login. The benefit of OTPs is that they offer much higher security than static passwords, at the expense of user friendliness and configuration effort. OTPs are immune to password sniffing attacks: if an attacker uses software to collect your data traffic, video-records you typing on your keyboard, or uses social engineering, it doesn't matter, since the password that the attacker gets hold of will no longer be valid. An OTP can be generated using different methods and is often used in conjunction with a device that is synchronized with an authentication server [7][8].

Time-based OTPs

In the time-based method, a device with an internal clock generates passwords that depend on the current time. For example, every minute a new password is generated in the device, and the same password is generated at the authentication server. When the user wants to log in to a service or system, the OTP currently displayed on the device is used. The device can also use the current time as one factor when creating a hashed OTP, where the other factors are usually a challenge or a PIN code (two-factor authentication). The main advantage of the time-based method is that the password is only valid for a short period of time before it expires. This can, however, lead to problems if the authentication server and the OTP-generating device are not properly synchronized.

Counter-Synchronized OTPs

A counter is synchronized between the authentication server and the device. The principle when a user wants to log in is the same as in the time-based method: the user enters the OTP currently displayed on the device. A new OTP is then generated that the user can use for the next login, and the counter advances one step in the device and in the server. The drawback of this method is that time is not considered when generating the password, so the password stays valid for a long period of time; it only changes upon login. This leads to serious problems if an attacker gets hold of the OTP-generating device.

Seed-Chain OTPs

The previously entered OTP is used as a seed to generate a new OTP, building a chain of passwords that each depend on the previous password. Some Linux distributions support local login using this method. The passwords are printed out on a piece of paper, and the user has to follow the list in the correct order to be able to log in. However, this approach is not very safe since it removes the function of the OTP.

Challenge-based OTPs

OTPs are used together with two-factor authentication. A user has to enter a challenge (often a PIN code) into the generating device in order to generate the OTP. This kind of method is often used when users log in to online banks.

Two Factor Authentication

In Two Factor Authentication a user has to supply two factors in order to authenticate: something you know, used together with something you have. For example, when a user logs in to a web page he enters his static password (something you know) and a series of random numbers from an authentication device (something you have). The most common implementation of this is when a person withdraws money from an ATM. The user has a bank card that he puts into the machine, and a PIN code must then be entered before withdrawal is possible. In most online implementations over the Internet, the static password is a PIN code that you enter into an authenticating device, which then generates an OTP [9]. The only thing sent over the Internet to authenticate the user is the OTP, which will be of no use to a sniffing attacker.

In recent years, three-factor authentication has also been introduced. This kind of authentication also needs "something you are", like a fingerprint or a voice print, together with the password and the physical token. Two-factor authentication together with OTPs is much safer than static passwords when looked at from an access attack perspective, such as sniffing, password cracking and social engineering. However, it cannot protect against two common attacks.

Man-in-the-middle attack

An attacker sets up a fake website, resembling a legitimate site, that the user surfs to in order to log in. The user generates the OTP and sends it to the fake website controlled by the attacker, which can now use this password to login to the real web site.

Trojan attack

A Trojan is installed on the user's computer, allowing a hacker to "piggyback" on the session established when the user logs in to a website. These two attacks are best countered by educating users in how to spot web pages with false certificates, how to protect their computers, and how to keep anti-virus software up to date.

IV. AUTHENTICATION WITH MOTP

The authentication method used is two-factor authentication with a one-time password, based on modifications. The user's mobile phone works as the authentication device, in which the user has to enter a 4-digit PIN code to generate an OTP that can be used for login. This is done by a Java application running on the phone. The OTP generated on the mobile phone is based on three components, which are hashed together with MD5 [8][12]:

1. The 4-digit PIN code that the user enters.

2. A secret random number that was created during device initialization (Init-secret) and that only exists on the user's mobile device.

3. The current time.

After hashing, the mobile phone displays the first six numbers of the hash, which are used as the OTP for login. Since time is part of the hash, the OTP is only valid for three minutes. The OTP is then sent to the server during login. The server knows the Init-secret and the PIN code, which are stored in a database, and also the current time. Therefore the password can be verified by the server.
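The generation and server-side check described above, sketched in Python as an added example (not code from the paper, whose phone application is written in Java). The 10-second time step, the concatenation order, reading the OTP as the first six hexadecimal characters of the digest, and the `MotpVerifier` class and its names are assumptions; MD5 is used because the paper specifies it.

```python
import hashlib
import hmac

STEP = 10      # assumption: time is counted in 10-second steps
WINDOW = 180   # from the text: an OTP is valid for three minutes


def motp(pin: str, init_secret: str, now: int) -> str:
    """First six hex characters of MD5(time step + Init-secret + PIN)."""
    material = f"{now // STEP}{init_secret}{pin}".encode()
    return hashlib.md5(material).hexdigest()[:6]


class MotpVerifier:
    """Hypothetical server side: stores PIN and Init-secret per user."""

    def __init__(self):
        self.users = {}      # username -> (pin, init_secret)
        self.last_step = {}  # username -> time step of last accepted OTP

    def register(self, user: str, pin: str, init_secret: str) -> None:
        self.users[user] = (pin, init_secret)

    def verify(self, user: str, otp: str, now: int) -> bool:
        if user not in self.users:
            return False
        pin, secret = self.users[user]
        current = now // STEP
        oldest = current - WINDOW // STEP
        # Walk back from the current step to the oldest still-valid one.
        for step in range(current, oldest - 1, -1):
            if step <= self.last_step.get(user, -1):
                break  # this step or a newer one was already used: replay
            expected = motp(pin, secret, step * STEP)
            if hmac.compare_digest(expected.encode(), otp.encode()):
                self.last_step[user] = step  # enforce one-time use
                return True
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    server = MotpVerifier()
    server.register("alice", "1234", "a1b2c3d4e5f60718")
    t0 = 1_700_000_000
    otp = motp("1234", "a1b2c3d4e5f60718", t0)
    print(server.verify("alice", otp, t0 + 60))  # fresh OTP inside the window
    print(server.verify("alice", otp, t0 + 61))  # same OTP presented again
```

Recording the last accepted time step per user is what makes the password one-time: without it, a captured OTP would keep working until the three-minute window closes.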

Fig. 1 (Authentication with MOTP) is explained as follows:

1. A client wishes to log to a personal account through a web browser, and surfs to the login page.

2. The client then starts an application on a mobile phone, and enters a PIN code.

3. After PIN input, an OTP is generated and displayed on the phone.

4. The client enters his username and the OTP at the login page, and sends the information to the authentication server.

5. The server denies or permits access for the client.

Fig.1 (Authentication with MOTP)

This solution offers greater benefits than other types of authentication solutions:

The only crucial information sent over the network is the username and the OTP. Since the OTP is valid only once, during a period of three minutes, it is of no value to an attacker.

The OTP needs a private PIN code to be generated on the mobile phone, a PIN code that only the user knows.

The cost will be absolutely free for both user and provider, since this is an open source solution.

There is no need to carry any extra authentication device; the user only has to carry his mobile phone with him.

The registration process is easy and everything can be done from home; there is no need to order an external authentication device or collect the device from a local office.

It is easy to remove users' mobile phones from the authentication database.

V. CONCLUSION

This paper has looked at the current security situation in cloud computing and at how to solve the issue of authenticating users who wish to use a service in the cloud. In a few cases static passwords have been used when logging in, and in other cases two-factor authentication with OTPs. Regardless of which method has been chosen, they don't satisfy the needs for security, flexibility and cost. In this paper we propose a different way to log in to a cloud service securely and easily, using OTPs with the user's mobile phone as an authentication device.

The proposals ended up in a working solution that uses mobile OTP authentication for the login procedure, a very secure registration system, and RC4 encryption of all traffic transmissions. The implementation provides high security for the users while still being easy to use. It provides benefits over the current security solutions used for authentication today, both static passwords and two-factor solutions.

The big difference from solutions with static passwords is that the passwords in this solution are valid only once, which is a big advantage in security. Since it is the user's mobile phone that provides the passwords, and the whole solution is based on open source code, it has advantages over other cloud providers' two-factor authentication solutions. Since cloud services are used by millions of users, the security must be very good in order to protect private data, and it must also be fast, flexible and easy to use for all of the different users with different technology skills.


