Journal of Network and Computer Applications 61 (2016) 59–80
Review

Authentication in mobile cloud computing: A survey

Mojtaba Alizadeh a,b, Saeid Abolfazli c,*, Mazdak Zamani d, Sabariah Baharun b, Kouichi Sakurai a

a Department of Informatics, Graduate School and Faculty of Information Science, Kyushu University, Fukuoka, Japan
b Malaysia-Japan International Institute of Technology (MJIIT), Universiti Teknologi, Malaysia
c YTL Communications and Xchanging, Malaysia
d Department of Computer Science, Kean University, NJ, USA

Article info

Article history:
Received 29 March 2015
Received in revised form 21 September 2015
Accepted 18 October 2015
Available online 6 November 2015

Keywords: Cloud computing; Mobile cloud computing; Security; Authentication

Abstract

Mobile cloud computing (MCC) is the state-of-the-art mobile distributed computing model that incorporates multitude of heterogeneous cloud-based resources to augment computational capabilities of the plethora of resource-constraint mobile devices. In MCC, execution time and energy consumption are significantly improved by transferring execution of resource-intensive tasks such as image processing, 3D rendering, and voice recognition from the hosting mobile to the cloud-based resources. However, accessing and exploiting remote cloud-based resources is associated with numerous security and privacy implications, including user authentication and authorization. User authentication in MCC is a critical requirement in securing cloud-based computations and communications. Despite its critical role, there is a gap for a comprehensive study of the authentication approaches in MCC which can provide a deep insight into the state-of-the-art research. This paper presents a comprehensive study of authentication methods in MCC to describe MCC authentication and compare it with that of cloud computing. The taxonomy of the state-of-the-art authentication methods is devised and the most credible efforts are critically reviewed. Moreover, we present a comparison of the state-of-the-art MCC authentication methods considering five evaluation metrics. The results suggest the need for futuristic authentication methods that are designed based on capabilities and limitations of MCC environment. Finally, the design factors deemed could lead to effective authentication mechanisms are presented, and open challenges are highlighted based on the weaknesses and strengths of existing authentication methods.

© 2015 Elsevier Ltd. All rights reserved.
Contents

1. Introduction and motivation
2. Authentication in mobile cloud computing
   2.1. Mobile cloud computing
   2.2. User authentication in mobile cloud computing
   2.3. MCC vs. cloud computing authentication
3. The state-of-the-art of authentication approaches in MCC: taxonomy
   3.1. Cloud-side authentication methods
      3.1.1. Identity-based authentication methods
      3.1.2. Context-based authentication methods
   3.2. User-side authentication methods
      3.2.1. Identity-based authentication methods
      3.2.2. Context-based authentication methods
   3.3. Evaluation criteria for authentication in MCC
      3.3.1. Usability
      3.3.2. Efficiency
      3.3.3. Security and robustness
      3.3.4. Privacy
      3.3.5. Adaptable to MCC environment
4. Prospective authentication algorithms in MCC
   4.1. Mobile device characteristics
   4.2. Usability preferences
   4.3. Security and privacy
   4.4. Mobility
   4.5. Support heterogeneity
   4.6. Adaptiveness
5. Open challenges
   5.1. Heterogeneous infrastructure
   5.2. Seamless handover
   5.3. Identity privacy
   5.4. Resource scheduling
6. Conclusions
Acknowledgement
References

* Corresponding author.
http://dx.doi.org/10.1016/j.jnca.2015.10.005
1084-8045/© 2015 Elsevier Ltd. All rights reserved.
1. Introduction and motivation

The mobile cloud computing (MCC) is “a rich mobile computing technology that leverages unified elastic resources of varied clouds and network technologies toward unrestricted functionality, storage, and mobility to serve a multitude of mobile devices anywhere, anytime through the channel of Ethernet or the Internet regardless of heterogeneous environments and platforms based on the pay-as-you-use principle.” (Sanaei et al., 2013). MCC incorporates cloud computing, mobile computing, and wireless networking and aims to provide cloud-based services to the mobile consumers (Abolfazli et al., 2014a; Fernando et al., 2013). In MCC, execution time and energy consumption are significantly improved by transferring execution of resource-intensive applications from the hosting mobile to the cloud-based resources. Therefore, once MCC is fully deployed, the mobile devices do not require high resources, such as central processing unit (CPU), random access memory (RAM), storage, and particularly battery, because the entire data or complex computing are manipulated in the remote cloud-based resources (Ko et al., 2012; Abolfazli et al., 2012; Liu et al., 2015). MCC has emerged as a subset of cloud computing to enable intensive on-demand elastic computing and storage on the go to the potential mobile users. Mobile devices, particularly tablet personal computers, smart phones, and PDAs are becoming an integral part of today's lifestyle as they are convenient and effective communication endpoints. The swift development of mobile computing has become a forceful pattern in IT technology's development in commerce and related fields. According to Cisco visual networking index statistics (Cisco, 2014), the usage of smartphone and global mobile data traffic grew 50 and 81 percent in 2013, respectively. Nevertheless, performance and functionality of mobile devices are hindered by several limitations, particularly computing and storage resources (i.e., CPU, RAM), wireless communication throughput, battery life, local data safety, communication security, and mobility impeding development of the quality of service (Abolfazli et al., 2014a). The idea of remote computing and the process of augmenting mobile devices using remote cloud-based computing and storage resources is envisioned to overcome the inherent challenges and shortcomings in mobile computing (Aminzadeh et al., 2015). This is carried out by utilizing other resource providers besides the mobile device to host the delivery of resource-intensive mobile applications (Dinh et al., 2013; Alizadeh et al., 2013a,b).

Although MCC is proven to be advantageous in augmenting computational capabilities of mobile devices and conserving their native resources, leveraging remote resources introduces several challenges, including reliability, security, trust, and privacy (Khalil et al., 2014; Xuanxia et al., 2014; Khan et al., 2013a; Sood, 2012). Successful diffusion of cloud computing technology with mobile devices incites users' desires for efficient and also secure service delivery. Furthermore, in MCC environment, typical mobile devices communicate through the combination of heterogeneous wireless networks, which is more energy-intensive compared to wired communication. Hence, reducing mobile devices' resource consumption is an important and critical problem in delivering sustainable and long-lasting on-demand services to the end-users (Shon et al., 2014). Although mobile devices' resource poverty can be alleviated by cloud computing and cloud-based augmentation techniques (Abolfazli et al., 2014a), inadequate security management inhibits development and successful deployment of cloud-connected security-sensitive applications in broad areas, including health-care, financial services, and e-government services.

Researchers in several efforts (Yang et al., 2014; Li and Li, 2014; Si et al., 2014; Xia et al., 2014; Sookhak et al., 2014; Kaewpuang et al., 2013; Rahimi et al., 2013; Yang et al., 2013; Ma and Wang, 2012; Satyanarayanan et al., 2009; Ra et al., 2011) have studied varied aspects of MCC, including task outsourcing, heterogeneity, virtualization, energy saving, and remote auditing, aiming to enhance MCC's performance and efficiency. However, security (as another crucial aspect of MCC), particularly authentication, is overlooked. The security challenges in MCC are twofold, namely cloud security and mobile network security, because of the co-existence of cloud computing and mobile computing in MCC (Peng et al., 2014; Morrow, 2011; Zissis and Lekkas, 2012; Dijiang et al., 2011). One of the most important security issues for MCC users is authentication and authorization (Esposito and Ciampi, 2015; Yu and Wen, 2012; Riley et al., 2011). As an example, a lost or stolen mobile device could be abused to access a host and download sensitive data from the cloud. If a mobile user is registered with a particular cloud service provider, both the mobile device and the cloud server should authenticate each other in order to secure the communication when the mobile user accesses the cloud from different locations using heterogeneous networks and various mobile devices (Clarke et al., 2002).

Several studies (Xu et al., 2013; Wang et al., 2013; Noureddine and Bashroush, 2013; Ghazizadeh et al., 2014; Singh and Singh, 2012; Guo et al., 2012; Dinesha and Agrawal, 2012; Li et al., 2013; Zhi-Hua et al., 2012; Zhang et al., 2012; Yongqing and Xiang, 2012; Yassin et al., 2012; Wang and Jia, 2012; Sang-Ho et al., 2012; Ahn et al., 2011) have been conducted to propose suitable authentication schemes in cloud computing. However, authentication in MCC, as one of the most crucial security countermeasures, has not been studied yet. Moreover, several efforts have been undertaken to study varied aspects of the MCC. Khan et al. (2013a) evaluated and identified the security issues of the existing security schemes in MCC infrastructure. Furthermore, the security issues and challenges of MCC are discussed in Khan et al. (2013b,c), Popa et al. (2013), Jin et al. (2013), Kumar and Rajalakshmi (2013), Alizadeh and Wan (2013), Hui et al. (2013) and Shahzad and Hussain (2013) by surveying the current state of mobile cloud devices security vulnerabilities, and exploring the various possible solutions. However, authentication, as one of the most crucial security countermeasures, has not been studied yet. Therefore, we aim to fill the gap by conducting a comprehensive survey to assess and analyze various authentication schemes in MCC aiming to furnish an insightful view of the state-of-the-art of authentication methods in MCC.

The significance of applying appropriate authentication methods and also the lack of suitable authentication mechanisms in MCC based on security and usability criteria motivates us to evaluate and analyze the state-of-the-art authentication approaches.

The main contributions of this paper are:

- We provide a description of MCC security challenges.
- Comprehensive survey of the state-of-the-art authentication methods in MCC is provided.
- Security and performance of authentication mechanisms are analyzed for MCC based on five critical metrics.
- We identify and discuss several important factors that could contribute to the successful development of future authentication methods for mobile devices in MCC environment.
- Several open challenges that ground future research are discussed.

Authentication in MCC benefits communications and networking communities by providing a comprehensive insight into the domain so future wireless communication technologies and architectures can efficiently and effectively furnish cloud-based resources to the mobile users with high security and low footprint. Discussed evaluation criteria highlight effective factors as a guideline to design suitable authentication schemes, which can benefit the research community. The open challenges grant future research directions toward proposing a suitable authentication scheme that mitigates security issues in MCC.

In this paper, the terms mobile devices and smartphones are used interchangeably with similar notion. Table 1 shows the list of acronyms used in the paper.

Table 1
List of acronyms and corresponding full forms.

Acronym   Full form
2D        2 dimensional
2G        2nd generation
3G        3rd generation
4G        4th generation
AES       Advanced encryption standard
AS        Authentication server
CER       Crossover error rate
CPU       Central processing unit
FAR       False acceptance rate
FRR       False rejection rate
GPS       Global positioning system
IA        Integrated authentication
ID        Identifier
IMEI      International mobile station equipment identity
IMSI      International mobile subscriber identity
LTE       Long term evolution
MCC       Mobile cloud computing
MDA       Message digest algorithm
NFC       Near field communication
OTP       One-time pad
PDA       Personal digital assistant
PIN       Personal identification number
PRNG      Pseudorandom number generator
QR        Quick response
ROC       Relative operating characteristic
RSA       Rivest Shamir Adleman
SI        State identifier
SLA       Service-level agreement
SMS       Short message service
SNR       Signal to noise ratio
SSL       Secure socket layer
TCG       Trusted computing group
TLS       Transport layer security
TNC       Trusted network connect
TPA       Third party agent
TTP       Trusted
URI       Uniform resource identifier
VM        Virtual machine
WAN       Wide area network
Wi-Fi     Wireless fidelity
WiMAX     Worldwide interoperability for microwave access
WLAN      Wireless local area network
ZKP       Zero knowledge proof

Section 2 provides a brief introduction to MCC and discusses the evaluation criteria to analyze authentication methods in this environment. Section 3 surveys the state-of-the-art authentication methods in MCC. In Section 4, the important factors that could benefit design and development of future MCC authentication methods are presented. The open challenges are discussed in Section 5. Finally, we conclude this study in Section 6.

2. Authentication in mobile cloud computing

In this section, we present a brief introduction to MCC from the authentication point of view. In the first part, the definition of MCC is presented based on the existing studies. We then describe possible MCC architectures and their different components. Furthermore, authentication in MCC is presented and the significant role of authentication in successful adoption of cloud-based mobile applications is highlighted.

2.1. Mobile cloud computing

In this part, some of the credible MCC definitions are provided to furnish the fundamental knowledge of this rapidly emerging computing phenomenon. MCC as the state-of-the-art mobile distributed computing technology incorporates three principal technologies, namely mobile computing (Imielinski and Korth, 1996), cloud computing (Mell and Grance, 2011), and wireless networking (Lei et al., 2013). Therefore, MCC can be defined as “a rich mobile computing technology that leverages unified elastic resources of varied clouds and network technologies towards unrestricted functionality, storage, and mobility to serve a multitude of mobile devices anywhere, anytime through the channel of Ethernet or the Internet regardless of heterogeneous environments and platforms based on the pay-as-you-use principle” (Sanaei et al., 2013).

In MCC, a shared pool of various configurable cloud-based computing resources is utilized to enhance and optimize mobile devices' computing capabilities such as executing resource-intensive applications. MCC has penetrated into a very large number of domains, and researchers are increasingly adopting cloud computing to augment mobile devices in critical domains, particularly health-care (An et al., 2014; Al-Zoube and Alqudah, 2014; Hoang and Chen, 2010; Doukas et al., 2010), education (Mahalingam and Rajan, 2013; Chen et al., 2013; Dong et al., 2012; Huang, 2011), remote monitoring (Xu et al., 2012; Zhang et al., 2014), tourist industry (Song et al., 2012; Pal and Henderson, 2013; Li et al., 2011), and transportation (Chandra et al., 2013).
On the other hand, MCC can also be referred to as a mixture of cloud computing and mobile web, which are dominant preferred tools of mobile users when consuming Internet services and applications (Liu et al., 2010; Christensen, 2009). MCC services focus on furnishing varied cloud-based services, particularly computing and data storage to mobile users. Therefore, cloud-connected mobile users can perform infinite computing and data storage on demand.

Cloud resources are different for mobile users compared to immobile users. Immobile users consume computing and storage resources from the private or public cluster of virtualized servers, known as cloud data centers, mostly via wired connectivity. However, intrinsic and non-intrinsic limitations of mobile devices, including resource poverty, interruptible battery, and wireless communication (Abolfazli et al., 2014b) are obligating highly heterogeneous types of cloud-based resources (Sanaei et al., 2013) to fulfill varied computing requirements of mobile users in different occasions. Throughout the MCC efforts, four types of computing resources (known as cloud-based resources) are introduced, namely distant immobile clouds, proximate immobile computing entities, proximate mobile computing entities, and hybrid resources (Abolfazli et al., 2014a; Satyanarayanan et al., 2009). In the distant immobile cloud, the mobile user connects to the stationary cloud servers in distance through the risky channel of the Internet. Though the distant stationary cloud server such as the public cloud provides more secure enforcements, they are vulnerable to security breaches and crashes due to bulky volume of sensitive data such as Amazon EC2 crash (Cachin and Schunter, 2011). The second cloud-based resource type is the stationary computers that are located near the mobile nodes. These machines are available for the mobile device in public places such as airports, coffee shops, and malls, and can process resource-intensive parts of mobile applications. The security and privacy issues such as lack of strong security approaches, security infrastructure limitations, and insufficient maintenance, hinder utilization of such nearby resources (He et al., 2015a). The third resource type refers to the proximate mobile computing entities such as PDAs, tablets, laptops, wearable computers, and smartphones that provide resources to the other nearby mobile nodes. The security and privacy threats such as eavesdropping, denial-of-service, Trojans, malware, viruses, worms, and mobile loss are the critical concerns when using these kinds of resources (He et al., 2015b; Louk et al., 2014; Allam et al., 2014; Mylonas et al., 2013; Wang et al., 2012). The last type is the hybrid infrastructures which are comprised of various kinds of distant and proximate computing machines.

The mobile devices are connected to the cloud-based resources dominantly through the risky channel of the Internet via the wireless medium, though Internet-free connection to nearby or private resources is also conceivable. Therefore, the remote computing and data transmission are completed in collaboration of mobile clients, cloud-based resources, and heterogeneous wireless technologies. According to the classification of cloud-based resources, four possible architectures, depicted in Fig. 1, can be plausible for MCC.

[Figure 1: panels labelled Distant Immobile Cloud, Proximate Immobile Computing, Proximate Mobile Computing, and Hybrid Computing; devices connect via BTS, Access Point, and Internet.]

Fig. 1. Four mobile cloud computing architecture models – (a) distant immobile clouds perform elastic computing, (b) proximate immobile computing entities near the user perform elastic computing, (c) proximate mobile computing entities in user vicinity perform elastic computing on behalf of user and (d) hybrid model converges varied types of cloud-based resources to perform elastic computing.

Each of the plausible MCC architectures has different security and privacy requirements depending on the type of cloud-based resources and wireless communication technology/medium. The security and privacy threats within different parts of MCC, including cloud resources (Xiao and Xiao, 2013), mobile devices (La Polla et al., 2013), and wireless networking make designing a secure framework more challenging. Though mobile devices have some resource limitations to perform complex cryptographic algorithms, the cloud resources can process resource-intensive algorithms instead of mobile devices.

In this research, the security issues as one of the important concerns in MCC are considered, and some proposed solutions are reviewed. The user authentication is highly important to protect networks from different security threats (Furnell et al., 2000, 2008; Clarke and Furnell, 2007; Simmons, 1988; Weiwei et al., 2011). Successful adoption of MCC highly necessitates robust and effective authentication solutions by which users can utilize the cloud-based services for their mobile devices anytime, anywhere, from any mobile device with low computing cost on the native resources. The MCC authentication is different from a typical mobile device because in MCC environment, the mobile device connects to the Internet to perform authentication. Furthermore, the resource-intensive parts of authentication mechanism can be transferred and processed in cloud servers using a suitable algorithm.

During the last few years, authentication for cloud computing has been investigated in several researches (Ghazizadeh et al., 2014; Xu et al., 2013; Wang et al., 2013; Noureddine and Bashroush, 2013; Singh and Singh, 2012; Guo et al., 2012; Dinesha and Agrawal, 2012; Chow et al., 2010; Li et al., 2013; Zhi-Hua et al., 2012; Zhang et al., 2012; Yongqing and Xiang, 2012; Yassin et al., 2012; Wang and Jia, 2012; Sang-Ho et al., 2012; Ruj et al., 2012); however, comprehensive study of MCC authentication, which is crucial in design and development of future authentication methods, is lacking and demands further efforts. The lack of secure and efficient authentication methods necessitates a vital need to conduct a comprehensive research to gain deep insight into the field. Different authentication methods aiming to improve the MCC security are analyzed in the following parts.

2.2. User authentication in mobile cloud computing

User authentication in MCC is the process of validating the identity of the mobile user to ensure that the user is legitimate to access mobile cloud resources (Schwab and Yang, 2013). Authentication as a critical aspect of security enforcement approaches in MCC is essential to protect users against existing security and privacy issues by preventing unauthorized access to the mobile cloud user information (Park et al., 2011; Zhu et al., 2009). The security and privacy issues of mobile cloud users are the main hurdles to the successful and rapid MCC deployment, which exist in three MCC components, namely cloud, wireless communication, and mobile device. Therefore, considering characteristics and computing limitations of mobile devices, effective and efficient MCC authentication solutions are expected to be lightweight with the least possible computing, memory, and storage overheads.

The aim of effective authentication solutions is to minimize the security threats to mobile devices. Discussion over the security and privacy threats in MCC is out of scope of this paper, and thus we only point out the most important threats and provide relevant references for interested readers. Some of the most important security threats to mobile users are information leakage, denial of service, malfunction of devices and theft or loss of the device (Park et al., 2011). Moreover, security threats found in mobile devices can manifest as attacks via the services offered through the wireless networks, including network profiling, information leakages by sniffing, session hijacking, and jamming (La Polla et al., 2013; Xiao and Xiao, 2013; Morshed et al., 2011; Zissis and Lekkas, 2012; Khan et al., 2013a). Furthermore, the potential threats in the cloud computing system, which include denial of services, information leakages due to mismanagement, authentication threats and control of access with default applications (Jang et al., 2011), can be considered in MCC.

The differences between authentication in the cloud computing environment and MCC are discussed in the following part.

2.3. MCC vs. cloud computing authentication

Authentication mechanisms in MCC are different from cloud computing in several ways. The capabilities and limitations of mobile devices introduce some challenges for designing effective and efficient authentication mechanisms. Some of the most important differences between authentication requirements and principles in MCC and cloud computing are described below.

- Resource limitations: Resource limitation among mobile devices refers to incapacitation in computational power, battery lifespan, and storage capacity in comparison to typical computers in cloud networks. Computational performance and functionalities of mobile devices are significantly hindered by such incapacitation. Consequently, most of the mobile devices are incapable of efficiently executing sophisticated resource-intensive encryption algorithms, for example, RSA algorithm with 2048 bits (Sheng and Gong, 2010). However, non-mobile cloud users are benefiting from plenty of local computational resources, high speed wired Internet connection, and continuous power source, which allow resource-intensive authentication algorithms without serious effect on user experience (Qureshi et al., 2011). Therefore, mobile devices require robust but lightweight authentication mechanisms that can ensure authenticity of users without draining local resources (Yang et al., 2010).
- Mobile device sensors: Mobile device sensors such as touch screen, gyroscope, accelerometer, camera, digital compass, and microphone give the researcher the opportunity to add other authentication factors, particularly biometrics, to improve the level of security in MCC (Giuffrida et al., 2014; Lane et al., 2010; Jeong et al., 2013; Le et al., 2013). The authentication mechanisms can benefit from the various types of mobile device sensors, which can measure user's biometric attributes, such as fingerprint, and facial, retina, iris, voice, gait and keystroke patterns that are used as authentication factors (Omri et al., 2012; Al Rassan and AlShaher, 2014). Although the authentication methods in cloud computing can benefit from peripheral accessories and equipment on end-user computers, additional cost can create a hurdle. Besides the significant benefits of latest sensors, they introduce security breach points too that complicate designing authentication methods in MCC. For instance, researchers in Owusu et al. (2012) could unveil credentials of a user by decoding accelerometer sensor readings on smartphone when the user enters his/her credentials.
- High mobility: Mobility can originate latency due to WAN latency that is intensified by signal handoff in the presence of heterogeneous networks. The miniature nature and mobility of mobile devices can intensify chance of robbery and loss leading to high probability of user privacy and security violation in the absence of robust authentication solutions (Khalil et al., 2014). In addition, in contrast to static computers, the quality of connection to the Internet is not stable in MCC because of mobility of peers (Ardagna et al., 2014). Furthermore, fast authentication procedure is desired to protect seamless connectivity for mobile devices in roaming (Lingfeng and Hoang, 2013; Mansoor et al., 2015; Jana and Bandyopadhyay, 2013).
- Network heterogeneity: The mobile devices connect to Heterogeneous Network (HetNet) (Sanaei et al., 2013; Lei et al., 2013), which has various kinds of radio access such as Wi-Fi, WiMAX, 2G, 3G, 4G and LTE to accomplish the data traffic demand in MCC. In addition, a proper handoff scheme is critical for heterogeneous networks to have seamless connectivity and authentication plays a key role in the handoff procedure (Avelar et al., 2015; Bin et al., 2012; Chu et al., 2012). An authentication method must be designed based on security and performance requirements of each network technology, which is a challenging part in MCC. In cloud computing environment, the user is typically immobile and authentication procedure can be done without using HetNet.
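The introduction's requirement that device and cloud server authenticate each other, combined with the "Resource limitations" point above, can be illustrated with a symmetric-key challenge-response handshake. This is an added example, not a scheme from the paper or from any work it surveys; the class names, message layout, and the pre-shared key provisioned at registration are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _tag(key, role, *parts):
    """HMAC-SHA256 over a role label plus length-prefixed fields.

    The role label ("server"/"device") stops a tag produced by one side
    from being reflected back as the other side's proof.
    """
    mac = hmac.new(key, role, hashlib.sha256)
    for p in parts:
        mac.update(len(p).to_bytes(2, "big") + p)
    return mac.digest()


class CloudServer:
    def __init__(self, registered):
        self._keys = dict(registered)   # device_id -> pre-shared key (assumed)
        self._pending = {}              # device_id -> (nonce_d, nonce_s)

    def challenge(self, device_id, nonce_d):
        """Step 2: prove knowledge of the key and issue a fresh server nonce."""
        key = self._keys.get(device_id)
        if key is None:
            return None
        nonce_s = secrets.token_bytes(16)
        self._pending[device_id] = (nonce_d, nonce_s)
        tag_s = _tag(key, b"server", device_id.encode(), nonce_d, nonce_s)
        return nonce_s, tag_s

    def verify_device(self, device_id, tag_d):
        """Step 4: check the device's proof; each challenge is single-use."""
        pending = self._pending.pop(device_id, None)
        if pending is None:
            return False
        nonce_d, nonce_s = pending
        expected = _tag(self._keys[device_id], b"device",
                        device_id.encode(), nonce_s, nonce_d)
        return hmac.compare_digest(expected, tag_d)


class MobileDevice:
    def __init__(self, device_id, key):
        self.device_id = device_id
        self._key = key
        self._nonce_d = None

    def hello(self):
        """Step 1: send identity and a fresh device nonce."""
        self._nonce_d = secrets.token_bytes(16)
        return self.device_id, self._nonce_d

    def respond(self, nonce_s, tag_s):
        """Step 3: authenticate the server first, then prove own identity."""
        expected = _tag(self._key, b"server", self.device_id.encode(),
                        self._nonce_d, nonce_s)
        if not hmac.compare_digest(expected, tag_s):
            return None   # server failed authentication: reveal nothing
        return _tag(self._key, b"device", self.device_id.encode(),
                    nonce_s, self._nonce_d)


def run_handshake(device, server):
    """Drive the four steps; returns (mutually_authenticated, device_tag)."""
    device_id, nonce_d = device.hello()
    reply = server.challenge(device_id, nonce_d)
    if reply is None:
        return False, None
    tag_d = device.respond(*reply)
    if tag_d is None:
        return False, None
    return server.verify_device(device_id, tag_d), tag_d


if __name__ == "__main__":
    key = secrets.token_bytes(32)       # constructed sample key
    server = CloudServer({"phone-01": key})
    device = MobileDevice("phone-01", key)
    print("mutual authentication:", run_handshake(device, server)[0])
```

Each side computes two HMAC-SHA256 tags per login and no public-key operation, which is the kind of cost profile the lightweight requirement points to; the trade-off is that a stolen device exposes the stored key, so the server must be able to revoke it.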