Security Assessment of Cloud Based Computing(IACC'09

  • 8/6/2019 Security Assessment of Cloud Based Computing(IACC'09

    Assessment of Strong User Authentication Schemes in Cloud based Computing

    Mohit Mathur, Nitin Saraswat

    Sr. Lecturer, Department of IT & CS, Jagan Institute of Management Studies (Affiliated to GGSIP University, New Delhi), Rohini, Delhi, India.

    Studies indicate that digital identity fraud is still on the rise, with an increase in complexity (that is, "phishing," "man-in-the-middle," DNS poisoning, malware, social engineering, and so on). With the trend of moving data and services into the Web and cloud-based platforms, the management and control of access to confidential and sensitive data is becoming more than verifying simple user credentials at the onset of user sessions for one application. One of the most used methods today is gaining account access by stealing reusable credentials for Web sites that have not yet implemented "strong" user authentication. This is so because the most common forms of credentials today are knowledge-based (user ID and password) and are requested only once during sign-on, which provides a higher level of convenience to users, but also requires less effort for attackers to exploit. Many attacks appear as "phishing" messages that masquerade as ones sent by legitimate organizations and contain URLs that point to fraudulent Web sites that have the same appearance as genuine ones. Often, they act as "man-in-the-middle" and eventually do forward visitors to the actual Web sites; but, in the process, they have captured valid credentials that can be used to gain access to actual accounts. The question is whether you can really afford the cloud if you can't prevent unauthorized access to your data, which will be far more expensive to your business in terms of regulatory breach or reputation damage in the long run. In a shared pool outside the enterprise, you don't have any knowledge or control of where the resources run and where your data is being stored. This paper emphasizes the authentication aspect of security in the cloud computing environment and some suggested solutions for it. The Authentication in a Cloud Environment guide identified that simple-password authentication is insufficient for ensuring authorized access to important cloud services.

    INTRODUCTION

    It looks as though soon all computing will be called cloud computing, just because the cloud is "in". The term cloud computing means: outsourced, pay-as-you-go, on-demand, somewhere in the internet, etc. Cloud computing is an emerging computing pattern where data and services reside in massively scalable data centers and can be universally accessed from any connected device over the internet. It is virtual, scalable, efficient, and flexible. Cloud computing is the technology in which the web is replacing the desktop. It provides services on virtual machines allocated on top of a large physical machine pool. It is a method to address scalability and availability concerns for large-scale applications. It is totally democratized distributed computing. It includes large-scale data processing and cluster management. It is a virtualized server pool. It is an emerging approach to shared infrastructure in which large pools of systems are linked together to provide IT services. The computing resources being accessed are typically owned and operated by a third-party provider on a consolidated basis in data center locations. Target consumers are not concerned with the underlying technologies used to achieve the increase in server capability, which is sold as a service available on demand. The greatest advantage of cloud computing is that it easily handles peak load situations without the need for additional hardware infrastructure that most of the time remains underutilized. Physically, the resources might span multiple computers or even multiple data centers. Remote machines owned by another company would run everything from e-mail to word processing to complex data analysis programs. It's called cloud computing, and it could change the entire computer industry.

    From a user-authentication perspective, moving data into the cloud and integrating cloud-based services should be implemented with the same level of overall effective authentication strength as the enterprise viewpoint of authentication architecture. However, organizations have significantly less control over the authentication strengths of the interdependent cloud-based services of their counterparts/partners. For example, whether via identity federation or delegation, the overall security posture of the resulting interconnected architecture can be compromised if the integrated services themselves have comparatively lower-strength authentication systems in place.

    Extra attention must be focused on ensuring appropriate levels of authentication strength for different user communities in a multitenancy model, without compromising overall and individual security and usability. Thus, the focus on authentication systems becomes one of the primary evaluation factors for organizations that are looking to adopt cloud-based services. Organizations must ensure that service providers provide the flexibility to deliver varying levels of strong authentication to meet required security policies.

    From a capabilities perspective, many of the authentication architecture components are being deployed as cloud-based services: for example, identity-proofing services that are deployed by credit bureaus, consumer-identity frameworks and providers, vulnerability-management networks, PKI and certificate-management services, secondary-factor channel providers, fraud detection, strong-authentication service providers, and so on. These services provide much-needed capabilities to compose a strong-authentication system; however, the same integration-security concerns remain, such that any one weak link in the connected-systems architecture will compromise the overall security posture.

    Obviously, the greater and greater mass of sensitive data stored on the cloud, a corporate database, has to be protected properly: once, operations took place on site and the authentication (recognition, we'd better say) of the user was easy; now the service provider and the service user (commonly addressed as server and client in web language) interact without ever seeing or meeting each other, and the problem of trustful, reciprocal recognition is quite huge. Privacy and security concerns are strong both for corporates (whose private data are related to their business activities) and PA (whose sensitive data implies strong privacy concerns for the citizens they represent and serve). Moreover, for a big company with many employees, control of their rights over certain data is a strict necessity: as is easily guessed, not all of the research-lab database should be browsable through the web, nor possibly accessible to all insiders; it is going to be used and administered only by a few authorized users, who must be able to prove their rights beyond doubt to the system daemon before they can interact with it.

    Cloud authentication is in fact remote authentication. We know that in the near future all computing will be called cloud computing, and since the security of the cloud is yet to be resolved, in this paper we try to point out various issues and challenges in applying strong remote authentication mechanisms to the access of data, applications, and other services from the cloud. Currently almost all cloud companies provide username-password based authentication (weak authentication) to access the cloud, which carries several flaws.

    Authentication Schemes that can be applied to Cloud

    1.1 Scheme I (Identity Metasystems)

    In the basic authentication process, the entity requiring authentication presents credentials, usually an account ID and some additional information, to prove that the request is coming from a legitimate owner of the ID. This is a straightforward process that has been in use for decades. The basic logic behind password-based security is that an authorized user can keep and remember a secret. And that secret, in turn, is used to authenticate the identity of the authorized user for access to a particular system. Many known weaknesses exist in password-based systems. The types of attacks can be divided into three categories: technical (brute force), discovery, and social engineering. To counter all these types of attacks, designers have responded with three types of safeguards: password rules, system rules, and training and awareness. In the middle of all of these elements is the construct representing the user-generated password memory aid.

    Password rules are either optional or enforced specifications about the length of the password and the variety of the characters that comprise it. The length and variety contribute to the size of the domain set containing all possible passwords (commonly referred to as keyspace), which increases the difficulty of brute force detection. Prevention of easily guessed passwords reduces discovery. However, the same rules that increase password resistance to brute force attack directly reduce the ability of a user to remember a password and increase the need for password memory aids. System rules relate to the procedural aspects of gaining access and are enabled in a system. For example, the automatic user exclusion after three failed attempts is a system-enforced rule. More sophisticated mechanisms include expiring passwords and the forcing of password changes, or prescribing the amount of change at password change time. The reporting of failed access attempts is another system rule designed to improve security. System rules can also have an opposite effect, though, as they can lead to discovery patterns. There are systems that will email an unencrypted password back to a user if requested, presenting an opportunity for discovery.

    1.2 Scheme II (Smart-Card Propagation)

    With the availability of more complicated smart-card solutions and ecosystem support, more physical credentials are adopting smart-card (standard plastic cards embedded with microprocessors and/or integrated circuits) deployments. For example, many countries and states already have rolled out government-sponsored electronic ID programs to national citizens. Consequently, smart cards are becoming another form of authentication factor, where smart-card readers are available and are integrated into authentication systems.

    A more complicated example is the smartcard system, where a user typically has an ID, a password, and also a time-generated passkey from the smart card which changes every 60 seconds. This represents the case of "something you have", as in the smartcard, or ownership of a physical key. The authenticating server has the same time-changing numerical sequence as the specific smart card assigned to that ID, and if the ID, password and card-generated number are all correct, authentication is approved. This scheme verifies not just the knowledge of an ID and password, but also possession of the specific smart card assigned to the ID. Frequently smartcards are combined with passwords for an account to increase security. This is an example of two-factor authentication and is more secure because it requires more items for authentication. The benefits of using a smart card include increased security, possible user mobility, and sequential access to one machine by multiple users.

    Two factors contribute to the increased security of smart cards. First, there is a decreased possibility of copying the smart card's private key because it never leaves the card. The smart card uses its on-board CPU to compute the transmitted data's digital signature. In contrast, with a software-based token, the computer decrypts the private key and holds it in memory while the CPU processes it. Second, it's easier to copy a software-based token and to try to break the password at leisure without the user's knowledge. Fraudulent use of the smart card's private key is less likely because the attacker has to both steal the card and know the user's password or PIN. Guessing a card's password is usually unproductive because most cards use their on-board CPU to lock up after several wrong guesses. Using a strong password to protect the software-based token significantly diminishes this second threat. It's almost impossible to break a 16-character password.

    However, a smart card-based system doesn't automatically allow user mobility. User mobility is only possible if every machine that the user accesses has a smart card reader attached. The machine must support the same standard smart card reader interfaces or use the same proprietary smart card reader. Similarly, to use the same machine in sequence, multiple users must all use the same smart card technology. In addition, smart card technology can be expensive.
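The ID + password + 60-second passkey check described above can be sketched as follows. This is an added example, not code from the paper: the paper does not name the passkey algorithm, so HOTP/TOTP (RFC 4226/6238) is assumed, and `AuthServer`, the six-digit length, the one-step drift window and the sample seed are all illustrative choices.

```python
import hashlib
import hmac
import os
import struct
import time

STEP_SECONDS = 60  # from the page: the passkey changes every 60 seconds
DIGITS = 6         # assumption: six-digit passkey


def passkey(seed: bytes, counter: int) -> str:
    """Passkey for one time step, computed as HOTP (RFC 4226) over the step counter."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthServer:
    """Holds, per ID, a password hash and the seed shared with that ID's card."""

    def __init__(self, drift_steps: int = 1):
        self.drift_steps = drift_steps  # tolerated clock skew, in steps
        self.users = {}

    def enroll(self, user_id: str, password: str, seed: bytes) -> None:
        salt = os.urandom(16)
        self.users[user_id] = {
            "salt": salt,
            "pw_hash": _hash_password(password, salt),
            "seed": seed,
            "last_step": -1,  # highest step already accepted (replay guard)
        }

    def verify(self, user_id, password, code, now=None) -> bool:
        rec = self.users.get(user_id)
        if rec is None:
            return False
        now = time.time() if now is None else now
        # Evaluate both factors before deciding, so a failure does not
        # reveal which of the two was wrong.
        pw_ok = hmac.compare_digest(
            rec["pw_hash"], _hash_password(password, rec["salt"]))
        current = int(now) // STEP_SECONDS
        matched = None
        for step in range(current - self.drift_steps,
                          current + self.drift_steps + 1):
            if step <= rec["last_step"]:
                continue  # this step's passkey was already used
            expected = passkey(rec["seed"], step).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                matched = step
        if pw_ok and matched is not None:
            rec["last_step"] = matched  # a captured passkey cannot be replayed
            return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # constructed sample seed
    server = AuthServer()
    server.enroll("alice", "correct horse", seed)
    t = 65  # constructed clock value, inside step 1
    code = passkey(seed, t // STEP_SECONDS)
    print("first use:", server.verify("alice", "correct horse", code, now=t))
    print("replay:   ", server.verify("alice", "correct horse", code, now=t + 5))
```

Recording the last accepted step is what stops a passkey captured by a phishing or man-in-the-middle site from being reused within its validity window.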

    1.3 Scheme III (Biometrics)

    A third form of authentication involves the concept of representing "what you are", or biometrics. Biometrics can take several forms, from fingerprints to retinal scans to pupil images. The idea is again the same: the presentation of unique information proving identity. The benefit of biometrics is that, in most cases, you don't leave home without them, and they cannot be forgotten.

    One form of strong biometric authentication is multimodal biometrics, which uses a combination of different biometric recognition technologies. For the biometrics to be ultrasecure and to provide more-than-average accuracy, more than one form of biometric identification is required; hence the need for multimodal biometrics. Multimodal biometric technology uses more than one biometric identifier to compare the identity of the person. Take the case of a system using, say, three technologies, i.e. face, mimic and voice: if one of the technologies is unable to identify, the system can still use the other two to accurately identify. By using more than one means of biometric identification, the multimodal biometric identifier can retain high threshold recognition settings. The system administrator can then decide the level of security he requires. For a high security site, they might require all three biometric identifiers to recognise the person, or for a lower security site, only one or two of the three. With this, the probability of accepting an imposter is greatly reduced.
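The effect of requiring one, two or all three identifiers can be worked through numerically. The following is an added example, not part of the paper: it assumes the modalities err independently, and the per-modality false accept and false reject rates in `SAMPLE` are constructed values, not measurements.

```python
def at_least_k(probs, k):
    """P(at least k of n independent events occur); the n probabilities may differ."""
    dist = [1.0]  # dist[j] = P(exactly j events among those processed so far)
    for p in probs:
        nxt = [0.0] * (len(dist) + 1)
        for hits, mass in enumerate(dist):
            nxt[hits] += mass * (1.0 - p)
            nxt[hits + 1] += mass * p
        dist = nxt
    return sum(dist[k:])


def fusion_rates(modalities, k):
    """(FAR, FRR) of the rule 'accept when at least k modalities match'.

    modalities maps a name to (false accept rate, false reject rate).
    Assumption: the modalities' errors are statistically independent.
    """
    fars = [far for far, _ in modalities.values()]
    genuine_match = [1.0 - frr for _, frr in modalities.values()]
    system_far = at_least_k(fars, k)                  # imposter matches >= k
    system_frr = 1.0 - at_least_k(genuine_match, k)   # genuine user matches < k
    return system_far, system_frr


def policy_table(modalities):
    """FAR and FRR for every k from 'any one' up to 'all'."""
    return {k: fusion_rates(modalities, k)
            for k in range(1, len(modalities) + 1)}


def strictest_policy(modalities, max_frr):
    """Largest k (lowest FAR) whose FRR stays within the usability budget, or None."""
    for k in range(len(modalities), 0, -1):
        if fusion_rates(modalities, k)[1] <= max_frr:
            return k
    return None


# Constructed sample error rates for the three technologies named in the text.
SAMPLE = {"face": (0.01, 0.05), "mimic": (0.02, 0.08), "voice": (0.03, 0.06)}

if __name__ == "__main__":
    for k, (far, frr) in policy_table(SAMPLE).items():
        print(f"at least {k} of 3: FAR={far:.6f}  FRR={frr:.6f}")
    print("strictest k with FRR <= 2%:", strictest_policy(SAMPLE, 0.02))
```

With these sample rates, requiring two of three lowers both error rates below those of any single modality, while requiring all three lowers false accepts further at the cost of rejecting more genuine users.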

    In spite of their numerous advantages, biometric systems are susceptible to attacks, which can decrease their security. Biometric authentication is vulnerable to the following eight types of attacks. A Type 1 attack involves presenting a fake biometric to the sensor. Submitting previously intercepted biometric data constitutes the second type of attack (replay). In the third type of attack, the feature extractor module is compromised to produce feature values selected by the attacker. Real feature values are replaced with the ones selected by the attacker in the fourth type of attack. The matcher can be modified to output an unnaturally high matching score in the fifth type of attack. The attack on the template database constitutes the sixth type of attack. The transmission medium between the template database and matcher is attacked in the seventh type of attack, resulting in the alteration of the transmitted templates. Finally, the matcher result (accept or reject) can be overridden by the attacker.

    1.4 Scheme IV (Combination of Biometrics and Smart Cards)

    The combined use of biometrics and smart cards sums the advantages of the two technologies, improving the security of the authentication protocol. This combination arose as a matter of trustful authentication, but more than one security caveat could still affect the implementation of this kind of system. Usually, if we try to prevent unauthorized access, we could use a three-factor authentication protocol that also involves a PIN to first unlock the card for the biometric testing. Combining these factors, we should have achieved the strongest combination of information needed to provide authentication into a system.

    I) insert your smart card in a reader or in the USB port of a workstation
    II) enter your secret PIN to unlock the smart card
    III) place your finger on the scanner and have the sample compared to the fingerprint template
    IV) if the data matches, the smart card's secured private key can be used in some way, for example encrypting a nonce sent by the host's application
    V) the application can now verify that a certified key obtained from a valid certificate encrypted its nonce and verify, using the public key as well, whether the nonce is the same one it sent.

    Although this protocol involves all three factors of the trinity (a smart card, a PIN and a finger), none of the readers of this paper would feel safe using it, because we have no information on its implementation: we do not know where the sample is taken and how it is sent to the smart card, we don't know how the PIN is used by the host workstation, we cannot trust the workstation itself, and we do not know whether the reader has been manipulated by third parties. This demonstrates that it is not true at all that using more than one authentication factor leads to strong and certain authentication unless the protocols are strong and secure. So, using a smart card, at best we could achieve safe encrypted storage for the biometric template, addressing many of the privacy concerns exposed in the previous paragraph and avoiding large on-line databases that attract the attention of all the Web's hackers. Using a biometric factor, possibly combined with a PIN, we could grant a higher recognition rate. Answering the first question we posed when talking about secure storage and smart cards, we could report more than one technique to interact with the template; each of these represents different challenges and grants variable security features.

    1.5 Scheme V (Remote Authentication I)

    A new feature is Remote Authentication. The motivation behind this feature is simple: users do not want to sign up at every site they visit to post a comment, and site administrators do not want to allow nameless comments due to spam and other factors. Remote Authentication solves this problem by allowing people to log in to a website with their login credentials for another, established service.

    Remote Authentication ships with support for some websites and accounts. When correctly configured, the Remote Authentication system will allow registered users to log in to the website instance with their remote account. Each login form will include a drop-down box of supported login services. If a user login succeeds, a new account is created for that user, storing their remote username and the service used to authenticate, along with a secure hash of the password. In future, authentication will only be made with the remote server in the case that the user gets their password wrong, in which case the "incorrect" password is checked with the remote service again to see if the "incorrect" password is in fact the new password for that service. The username for the local account will initially be the username for the remote account; however, if that username has already been registered with the local website instance, a call is made to custom_uniqueRemoteUsername, passing in the username and the service used. This function may return an altered username, and it is up to the webmaster of a given website to write a version of this function that meets their needs.
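The login flow described above, written out as an added example (not code from the paper or from the software it describes). `RemoteService`, `LocalSite` and the body given to `custom_uniqueRemoteUsername` are hypothetical, PBKDF2 stands in for the unspecified "secure hash", and the accounts are constructed data.

```python
import hashlib
import hmac
import os


class RemoteService:
    """Hypothetical stand-in for the established service that owns the account."""

    def __init__(self, name, accounts):
        self.name = name
        self.accounts = dict(accounts)  # username -> password (constructed data)
        self.calls = 0                  # how often the site asked this service

    def check(self, username, password):
        self.calls += 1
        stored = self.accounts.get(username)
        return stored is not None and hmac.compare_digest(
            stored.encode(), password.encode())


def custom_uniqueRemoteUsername(username, service):
    """Hook named on the page; each webmaster writes one. This body is one choice."""
    return f"{username}@{service}"


def _hash(password, salt):
    # Assumption: PBKDF2 as the "secure hash of the password".
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalSite:
    def __init__(self, services, local_usernames=()):
        self.services = {s.name: s for s in services}
        self.taken = set(local_usernames)  # usernames already registered locally
        self.accounts = {}                 # (service, remote username) -> record

    def _store(self, rec, password):
        rec["salt"] = os.urandom(16)
        rec["hash"] = _hash(password, rec["salt"])

    def login(self, service, remote_username, password):
        """Return the local username on success, None on failure."""
        svc = self.services.get(service)
        if svc is None:
            return None
        rec = self.accounts.get((service, remote_username))
        if rec is not None and hmac.compare_digest(
                rec["hash"], _hash(password, rec["salt"])):
            return rec["local"]            # cached hash matched, no remote call
        # First login, or local mismatch: the "incorrect" password may be the
        # new one, so ask the remote service before rejecting.
        if not svc.check(remote_username, password):
            return None
        if rec is None:
            local = remote_username
            if local in self.taken:
                local = custom_uniqueRemoteUsername(remote_username, service)
                if local in self.taken:
                    raise ValueError("hook returned a username already in use")
            self.taken.add(local)
            rec = self.accounts[(service, remote_username)] = {"local": local}
        self._store(rec, password)         # create or refresh the cached hash
        return rec["local"]
```

Because the remote service is consulted only after a local mismatch, a password that has been changed or revoked at the service keeps working against the cached hash until the new password is first used on the site.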

    1.6 Scheme VI (Remote Authentication II)

    A client workstation provides a login address as an anonymous ftp (file transfer protocol) request, and a password as a user's e-mail address. A destination server compares the user's e-mail address provided as a password to a list of authorized users' addresses. If the user's e-mail address is located on the list of authorized users' addresses maintained by the destination server, the destination server generates a random number and encrypts the random number in an ASCII representation using encryption techniques provided by the Internet Privacy Enhanced Mail (PEM) procedures. The encrypted random number is stored in a file as the user's anonymous directory. The server further establishes the encrypted random number as a one-time password for the user. The client workstation initiates an ftp request to obtain the encrypted PEM random number as a file transfer (ftp) request from the destination server. The destination server then sends the PEM encrypted password random number, as an ftp file, over the Internet to the client workstation. The client workstation decrypts the PEM encrypted file utilizing the user's private RSA key, in accordance with established PEM decryption techniques. The client workstation then provides the destination server with the decrypted random number password, which is sent in the clear over the Internet, to log in to the destination server. Upon receipt of the decrypted random number password, the destination server permits the user to log in to the anonymous directory, thereby completing the user authentication procedure and accomplishing login.

    Conclusion

    So, it appears that a user-authentication system for consumer communities on the Web is growing beyond the traditional database-driven and/or directory-driven component of a Web application, for organizations that have higher data-confidentiality requirements. Implementation approaches for strong authentication span a full spectrum that ranges from highly integrated and interconnected/dependent to simple extensions of existing stand-alone architectures.

    Building strong user-authentication architecture requires focus beyond just improving the credential-verification component. The overall architecture might include additional aspects, such as a layered system that is driven by risk-based analytics, which enables an adaptive authentication system. Also, the design of an authentication approach should be weighed against various requirements, such as data, identity assurance, and usability, compliance and auditing, portability/scalability, manageability, and user-community dynamics. More importantly, however, just the same as other security initiatives, strong user authentication also requires a carefully planned, well-balanced, and concerted approach across the entire IT architecture to ensure a consistently secure environment.

    With the growing acceptance of cloud-based services, consumer-identity metasystems, and mobile devices, while attack methods gain maturity and sophistication, the future outlook for strong user authentication is set for many ground-breaking developments.

    The rising trend of moving data and services into the cloud also necessitates methodical planning to ensure secure access to authorized users over the Internet. While existing simple-password-based authentication might continue to work for many consumer-oriented Web sites, its intrinsic vulnerabilities have been identified as security risks for institutions that have higher data-privacy requirements. To ease the risk of online identity fraud, organizations look to strong user authentication as the solution for improving their Web-based authentication systems.

    However, implementing strong user authentication often is not a straightforward task, as projects have myriad options from which to choose, a huge number of trade-offs to consider, and a cluster of intricacies to manage. This paper has intended to distill a comprehensive view of strong user authentication by examining its concepts, implementation approaches, and challenges and additional concerns at the architectural level.
