A Sophisticated RFID Application on Multi-Factor

Jing-Chiou Liou, Gregory Egan, Jay K. Patel and Sujith Bhashyam

Department of Computer Science, Kean University, 1000 Morris Ave., Union, NJ 07083, USA
{jliou,egangr,pjay1,bhashyas}@kean.edu

ABSTRACT

Authentication is the process of verifying a user's credentials when the user requests services from a secure system. The most common form is single-factor authentication, which requires only one factor for the user to log into the system; in this case the username and password together act as the single factor. A more secure technique is multi-factor authentication, which requires more than one factor to gain access to a particular system. In this paper we propose the RFID Factor Authentication Application (RFAA), an enhanced technique derived from SofToken [1] that provides two-factor authentication. RFAA not only raises the level of security but is also argued to prevent most of the security breaches discussed in this paper.

KEYWORDS

Encryption, Multi-Factor Authentication, Radio Frequency Identification

1. INTRODUCTION

Throughout the decades, computers have emerged and changed everything around the world, and it has become absolutely necessary to use technology in our daily lives. Information can reach any part of the world at any time wherever computers and the Internet are available, and the computer plays a significant role in people's daily lives today.

In this technological age, computers have changed the way we live: they are not only capable of sharing information but also provide portability and services over the Internet anytime and anywhere. Computers have extended communication far beyond its traditional meaning; with them, anybody can communicate immediately with anyone around the world, and information is currently shared and accessed over millions of servers without boundaries. Even though computers augment our daily lives, they require certain measures of access control and user authentication. Authentication is the process of verifying a user's credentials when the user requests services from a secure system.

A simple authentication involves only a username and password, which can be easily obtained by an attacker. Adding a strong second factor reduces the chance of the user's identity being hijacked. For the second factor, we use Radio Frequency Identification (RFID) to give the user a personalized factor of authentication for access to a secure server or website. Users are asked for their username/password along with an extra code word before access is granted. The RFAA method is a server/client procedure that allows secure login to a server and permits the client to perform secure transactions.

In Section 2 we discuss single-factor authentication, two-factor authentication and the other authentication methods available today. In Section 3 we review RFID technology and propose RFAA for two-factor authentication; the Blowfish encryption and decryption algorithm is also discussed. We then compare the security measures with those of other authentication techniques in Section 4. Finally, in Section 5, we conclude our discussion and outline possible future work.

2. BACKGROUND

Authentication is the process of verifying users' identities when they request services from a secure system. During the authentication process, several validation factors may be needed to verify the client's identity. An authentication factor is a piece of information given by the client and used to verify the identity of the client who is applying for access under certain security constraints. An authentication factor is usually one of three kinds: "proof by knowledge" (e.g., username/password), "proof by possession" (a smart card or token), or "proof by property" (e.g., a fingerprint scan).

2.1 Single-Factor Authentication

Single-Factor Authentication (S-FA) relies on only one factor, the username/password. S-FA is the most widely accepted technique, but it has proved to be a weak method, especially when it comes to protecting data.
Security concerns about S-FA are not only prevalent but also plainly visible in today's society, especially when a large amount of the user's data is located on a server or an online website. Secure passwords are often difficult to remember, and people have multiple passwords and usernames to keep track of. Passwords that are easy to remember are correspondingly vulnerable to various forms of software attack. In a study by a data security firm [2] that analyzed 32 million passwords exposed in the RockYou.com breach in December 2009, the top five most common passwords among those 32 million users were: 123456, 12345, 123456789, Password, and iloveyou. Even with secure passwords, phishing and spoofing attacks may use a site that looks like a legitimate one to trick the user into supplying the password. As a matter of fact, news on October 8, 2009 reported that a phishing scheme almost caught the FBI chief [3].

In addition, people usually do not change their passwords frequently. It was reported that, in some cases, fewer than 25% of people change their password monthly, and some 34% in a survey said they never change their passwords [4]. A keystroke logger installed physically [5] or in the form of software can therefore catch passwords entered manually on a login screen. As there are many passwords to remember, many people keep a file, a form of book-keeping, containing their passwords on their computer. An attacker who is able to reach that file obtains all of the person's username/password information.

One improvement to S-FA is to use a password management utility. Password management is achieved with password vault applications, such as RoboForm [6] and KeePass [7], which store user passwords and can automatically enter them into the required fields of a web form. The software typically has a local database or files that hold the encrypted password data. Many password managers also work as form fillers, entering the username and password into forms automatically. However, the data is still kept on the host computer or device and can potentially be stolen through browser exploits, Trojan horses, etc., and the login is still vulnerable to spoofing and phishing attacks. Finally, if the password manager's store is corrupted, all passwords are lost unless there is a backup process, which in turn adds another security issue.

2.2 Two-Factor Authentication

Two-factor authentication requires an extra factor in addition to the username/password. Using two factors as opposed to one generally achieves a higher level of authentication assurance. The FFIEC issued supplemental guidance on this subject in August 2006 [8]: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

Generally, this second factor takes the form of a physical or smart card that the user has in his or her possession; some applications may also use a mobile phone or another personal device. One example is the ATM card issued by a bank. One authentication factor is the physical ATM card that the customer inserts into the machine; the second factor is the PIN the customer enters. Without both, authentication cannot take place. Another form of second factor may be a biological factor, such as a fingerprint scan. This technique requires special hardware to scan the input data and thus has a higher complexity and cost in deployment.

Smart Card

The smart card [9] is the successor of the magnetic-stripe card and is widely used in credit cards, debit cards, ATM cards and ID badges. The number presented by the smart card changes each time (a one-time password, OTP), so a captured number cannot be re-used once the transaction has been authenticated. Smart cards are about the same size as a credit card and require a special reader. The downside is that the smart card is not a small device and the card reader is an extra expense. Moreover, the smart card and the reader also require special middleware because of the mismatch between smart card communication standards [10] and the communication protocols [11] used by mainstream PC applications.

Biometrics

Users may authenticate biometrically via their fingerprint, voiceprint, or iris scan using the provided hardware and then enter a PIN or password. For many biometric identifiers, the actual biometric information is rendered into a string or a mathematical representation. The device scans the physical characteristic, extracts the critical information, and then stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved.

One problem that is apparent with biometrics is that if a large number of users are being authenticated at the same time, the technique may become unacceptably slow and comparatively expensive. It is also an easy target for a replay attack: once the biometric information is compromised (for example, a fingerprint copied from something the user has held), it may easily be replayed unless the reader is completely secure and guarded.

Security Token

Security tokens, also called OTP tokens, have an LCD screen that displays a fixed number of alphanumeric characters. OTP tokens are mainly based on two types of algorithm: time-synchronized and event-based. A time-synchronized algorithm produces a pseudo-random number with a built-in pseudo-random number generator; the number changes at pre-determined intervals, usually every 60 seconds. An event-based algorithm, such as the one proposed by the Open Authentication (OATH) consortium [12], uses a user event, such as the user pushing a button on the token. Some devices, such as RSA SecurID [13] and VeriSign [14], display a 6-digit pseudo-random number and require the server to be resynchronized with the token periodically.

Taking portability into account, these security tokens must use materials that are small and consume little power. Still, the tokens need to be replaced every few years when the battery dies. In addition, once the token is lost, the time and cost to replace it can frustrate the user, who cannot access their data in the meantime. Finally, security tokens do not prevent Man-in-the-Middle (MitM) attacks against an online transaction, nor can they defend against a malicious party who uses the legitimate user's credentials to authorize an illegitimate operation, as explained in [15].

Virtual Token

Virtual tokens are a comparatively new concept in multi-factor authentication, first introduced in 2005 by the security company Sestus [16]. A virtual token enables any portable storage device to work as an authentication token: a protected file stored on the device is used for authentication. Virtual tokens reduce the costs normally associated with implementing and maintaining multi-factor solutions by utilizing the user's existing portable storage device. Since the user's portable storage device communicates directly with the authenticating website, the solution claims not to suffer from man-in-the-middle attacks and other forms of online fraud.

Software Token

There are two primary architectures for software tokens: shared secret and public-key cryptography. The shared-secret architecture is considered more vulnerable than a hardware token, because the configuration file can be compromised if it is stolen and the token copied.

2.3 SofToken Technique

SofToken was first introduced in 2010 by Liou and Bhashyam [1]. SofToken, built on the software token, sends not just a pseudo-random number (an OTP) but also an encrypted key to the server for authentication. The technique significantly improves the feasibility and deployment cost of two-factor authentication.

A SofToken process commences when a user requests an account for online transactions from a service provider, such as an online bank, an e-business site or an enterprise intranet. When the user has successfully established the account by providing sufficient information to the service provider online, the server delivers client software to the user's computer. With the user's consent, this client software installs two components on the user's computer: a logon application and a pseudo-random number generator. During the initialization process, an encrypted key is created and issued to the user's computer as the seed of the pseudo-random number generation. The key can be produced either from a challenge-response chosen by the user or by the server. This encrypted key is stored on the user's computer as part of the pseudo-random number generator.

The logon application communicates directly between the server and the user's computer. It requires the user to fill in the credentials that were set up with the server: the user provides the first factor, the username/password, to the server. When the server verifies the first factor, it sends a request to the pseudo-random number generator installed on the user's computer to trigger the generation of a random number, called the code word. The logon application presents the code word to the user, who enters it as the second factor of authentication. The code word is verified again by the server: if it is correct the server grants access to the database, otherwise it closes the connection. SofToken thus acts as the second-factor authentication. RFAA is an enhancement of SofToken; it requires a hardware component that serves as the second factor of authentication.
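The time-synchronized and event-based OTP algorithms described under Security Token above, together with the server-side checks a verifier needs, as an added example that is not part of the original paper. It implements HOTP (RFC 4226, the OATH event-based algorithm) and the time-synchronized TOTP on top of it, then shows the two checks that matter in practice: counter look-ahead without replay for the event-based case, and a small time window for the time-based case, which is what makes a code from a clock set forward useless until real time catches up. The secret, counters, time values and window sizes are assumptions for illustration; the RFC 4226 reference secret "12345678901234567890" is used so the first outputs can be checked against the RFC's own test vectors.

```python
import hmac
import hashlib
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' takes 4 bytes at the offset given by the last nibble."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-synchronized variant: the counter is the number of `step`-second
    intervals since the epoch, so both sides need only the shared secret and a clock."""
    return hotp(secret, int(unix_time // step), digits)


def verify_hotp(secret: bytes, code: str, server_counter: int, look_ahead: int = 5):
    """Event-based server check. The token may have been pressed a few times
    without a login, so the server tries a small window of counters at and
    beyond the last accepted one. Returns the next counter to store, or None.
    Only counters >= server_counter are tried, so an accepted code cannot be replayed."""
    for c in range(server_counter, server_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), code):
            return c + 1
    return None


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30, skew: int = 1) -> bool:
    """Time-based server check: accept the current interval plus `skew`
    intervals either side to absorb clock drift. A code further in the
    future is rejected now, but becomes valid once the server's clock reaches it."""
    current = int(unix_time // step)
    return any(hmac.compare_digest(hotp(secret, current + d), code)
               for d in range(-skew, skew + 1))


# Constructed sample data (not from the paper): the RFC 4226 reference secret.
SECRET = b"12345678901234567890"


def demo() -> dict:
    results = {}
    results["hotp_0"] = hotp(SECRET, 0)                 # RFC 4226 vector: 755224
    results["totp_59"] = totp(SECRET, 59, digits=8)     # RFC 6238 vector: 94287082
    # Token pressed three times before the user logged in; server still at counter 0.
    results["resync"] = verify_hotp(SECRET, hotp(SECRET, 3), 0)    # 4: counter advanced past the match
    # The same code presented again after acceptance is a replay and fails.
    results["replay"] = verify_hotp(SECRET, hotp(SECRET, 3), 4)    # None
    # A device clock set 5 minutes ahead yields a code the server rejects now
    # but accepts 5 minutes later (assumed reference time, not a real timestamp).
    now = 1_000_000
    future_code = totp(SECRET, now + 300)
    results["future_now"] = verify_totp(SECRET, future_code, now)          # False
    results["future_later"] = verify_totp(SECRET, future_code, now + 300)  # True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

`verify_hotp` returns the counter one past the match, and the server must store it before answering; that stored counter, not the code itself, is what defeats replay. `verify_totp` has no counter, so its window is the only tolerance, which is exactly why a software token whose clock has been moved forward hands an attacker codes that will be valid later.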

With a software token, the generation of the token code is not triggered by the server; it happens on the client's device(s). The user enters the PIN into the installed application, and the client software generates the token code. The major concern with such time-based software tokens is that it is possible to borrow an individual's cell phone, set its clock forward, and generate token codes that will be valid in the future. In addition, anyone who supplies the correct PIN can retrieve the token code and use it for two-factor authentication on a web server from any cloned device, such as a SIM card from a cell phone or a USB drive on which the application has been installed.

3. RFID FACTOR AUTHENTICATION APPLICATION (RFAA)

3.1 Radio Frequency Identification Technology

RFID is widely used in many technological applications today, as it is both inexpensive and small enough to fit anywhere. Recently, the US government announced an ongoing effort to integrate RFID into Green Cards and US passports [17, 18]. Figure 1 illustrates an example of an RFID reader and tags.

The main concept of RFID is to retrieve the information stored in the tokens using radio signals. RFID tags communicate with an electronic reader equipped with one or more antennas, which emits radio waves and receives back the signal from the tag carrying its pre-stored information. The electronic reader then passes the information in digital form to the computer system. There are three types of RFID token: active, passive, and battery-assisted passive. Active tokens contain a small battery and transmit signals on their own. Passive tokens contain no battery and are powered by the reader's field in order to respond. Battery-assisted passive tokens use a battery to achieve a higher range but still need the reader's signal to respond.

Figure 1 RFID Reader & Tags

Since RFID tokens are small by nature, they are cost effective to build and distribute to different users. As RFID tokens can be produced on a mass scale by the service provider, the cost to the user would be very low, and a token can easily be replaced if lost or stolen.

Currently, RFID readers and tokens are used for a variety of tasks ranging from tracking merchandise in a warehouse to storing personal information in an official document such as a passport. With many RFID applications on the market, such as RFID tokens in passports and identification badges, protecting the information on those tags has become an important issue, and many institutions are developing a variety of methods to increase the security of RFID tokens. The use of the Blowfish algorithm in conjunction with the RFID reader and tokens would increase the number of options available to businesses, schools and governments for making communication safer between client and server.

3.2 RFAA Process

One alternative for computer system access in SofToken-enabled [1] systems is to use RFID technology as the physical device that stores the encrypted key; the token simply feeds its stored value into the computer for authentication. The RFID reader and its respective tokens act as the second factor of two-factor authentication. Once a user scans an RFID tag, the code word goes through an encryption method to produce a ciphertext, which is sent to the server; the server decrypts the ciphertext back into the original code word in order to verify it. We use the Blowfish algorithm to tighten the security of the encrypted code word.

Using RFID for authentication is not new. One way of securing the information stored on RFID tokens is to encrypt the data stored on the token. Another method, as mentioned earlier, is to use an application that encrypts the data sent from the client computer to the server when conducting online transactions. As one option for two-factor authentication, the RFID tokens and reader combined with the Blowfish algorithm encrypt the data that is sent from the client to the server.

We propose the RFAA technique as a more secure form of authentication that is able to sustain its security measures. In the RFAA process, passive RFID tokens are used as the second form of authentication. Every RFID token stores pre-formatted information to enhance security; in RFAA, the RFID token ID is encrypted using the Blowfish algorithm. When a new user account is requested, the user receives an RFID token and installs the client application software on the user's computer(s). The user also receives a unique activation key, which is entered along with the username/password and a scan of the RFID token to activate the new user account, at which point the user's computer is registered as the default computer. After the registration process is complete, the user can log in to the system by entering only the username/password and scanning the provided RFID token.

The activation key is also used to provide portability, allowing the user to access the server from non-default computers. As shown in Figure 2, the user is prompted to enter the activation key after putting a check mark on "This is not my default PC." A one-time-use temporary activation key is then emailed to the user's designated email address.

Figure 2 The Login Screen

3.3 RFAA Encryption Algorithm

The Blowfish algorithm, designed by Bruce Schneier [19], is a symmetric block cipher with a 64-bit block; the key can be any length up to 448 bits. Blowfish has proved faster than DES and IDEA, which makes it one of the fastest block ciphers. An implementation of Blowfish requires only about 5 KB of memory for its subkey tables, which is insignificant compared to the RAM installed in a computer today. Blowfish encryption provides even stronger security for the proposed RFAA technique. Figure 3 shows how Blowfish encryption is used.

In the RFAA implementation, each RFID token contains a ten-character code word, which is exactly 80 bits for the whole string. Encryption is applied twice for the 80 bits, since Blowfish encrypts only 64 bits per block operation. As shown in Figure 4, the 80-bit code word is divided into two 40-bit data words, each of which is padded to 64 bits before encryption. Each 64-bit block is then split into two 32-bit halves, since each line of the flow chart represents 32 bits. The algorithm keeps two kinds of subkey array: a P-array of eighteen 32-bit entries and four S-boxes of 256 32-bit entries each. These tables are initialised from fixed constants and then transformed by the secret key during key setup, so without the key the ciphertext is computationally infeasible to decrypt. The RFAA application uses a secret key to encrypt the message and passes the same key to the server so that it can decrypt the ciphertext; because the key travels with the ciphertext, the confidentiality of the code word in transit rests on the protection of that channel, and a server that already shares the key with the client does not need to receive it again.

As shown in Figure 3, the left 32 bits are XORed with the first entry of the P-array to create a new value, P'; P' is then run through the function F, and the output is XORed with the right 32 bits of the string to produce a new value, F'. The process of function F is shown in Figure 4. F' replaces the left half of the string and P' replaces the right half, and the process is then repeated fifteen more times. At the end, P' and F' are XORed with the last two entries of the P-array and then joined to form the 64-bit ciphertext block. Encryption is run again for the rest of the string to produce the second 64-bit block, and the two blocks are combined to produce a 128-bit ciphertext. Users are prompted to scan their RFID token during the authentication session, and encryption is triggered every time the user scans the RFID token.

Figure 4 The Process of Function F

RFAA provides the same security measures for the server as for the client, and decryption is as important a part of the authentication as encryption. When a user tries to access a system, the user is prompted to use the RFID token to authenticate. When the user scans the RFID token, the username/password, the code word and a secret key are conveyed to the server. With this secret key the server is able to decrypt the code word. The code word is an OTP, just like the secret key.

Decryption works exactly the opposite way from encryption. The decryption process in the Blowfish algorithm is designed to preserve the same measure of security as the encryption process. Without the secret key, the server is not able to decipher anything.
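The block splitting, padding, Feistel rounds and F function described in Section 3.3 (and the encrypt-on-scan, decrypt-on-server flow of Section 3.2), as an added example that is not part of the original paper and not the authors' RFAA code. It follows the Blowfish round structure exactly: 16 rounds of P-array XOR and the F function built from four 256-entry S-boxes, the final XOR with the last two P entries, and decryption as the same network with the P-array reversed. A 10-character code word is processed as two 40-bit halves padded to 64 bits, giving 128 bits of ciphertext. Two assumptions are labelled in the code: real Blowfish initialises its P-array and S-boxes from the hexadecimal digits of pi and then runs a key schedule over them, which would add about a thousand constants, so here the 1042 table words are derived from the key with SHA-256 (the structure is Blowfish's, but the output is not interoperable with real Blowfish); and the paper does not specify the 40-to-64-bit padding, so zero padding is used and the fixed code-word length is relied on when stripping it.

```python
import hashlib
import struct

MASK32 = 0xFFFFFFFF
P_ENTRIES = 18               # Blowfish P-array: eighteen 32-bit subkeys
S_BOXES, S_ENTRIES = 4, 256  # four S-boxes of 256 32-bit entries each
CODEWORD_LEN = 10            # ten ASCII characters = 80 bits


def table_size_bytes() -> int:
    """Memory needed for the subkey tables (the paper's 'about 5 KB')."""
    return (P_ENTRIES + S_BOXES * S_ENTRIES) * 4  # 4168 bytes


def init_tables(key: bytes):
    """ASSUMPTION (deviation from real Blowfish): derive the P-array and S-boxes
    from the key by expanding it with SHA-256 in counter mode. Real Blowfish
    starts from the hex digits of pi and then runs its key schedule."""
    if not 1 <= len(key) <= 56:
        raise ValueError("Blowfish keys are 1 to 56 bytes (up to 448 bits)")
    words, counter = [], 0
    while len(words) < P_ENTRIES + S_BOXES * S_ENTRIES:
        digest = hashlib.sha256(key + struct.pack(">I", counter)).digest()
        words.extend(struct.unpack(">8I", digest))
        counter += 1
    P = words[:P_ENTRIES]
    S = [words[P_ENTRIES + i * S_ENTRIES:P_ENTRIES + (i + 1) * S_ENTRIES]
         for i in range(S_BOXES)]
    return P, S


def F(S, x: int) -> int:
    """Blowfish round function: each byte of x indexes one S-box, combined as
    ((S1[a] + S2[b]) XOR S3[c]) + S4[d] modulo 2^32."""
    a, b, c, d = x >> 24, (x >> 16) & 0xFF, (x >> 8) & 0xFF, x & 0xFF
    return ((((S[0][a] + S[1][b]) & MASK32) ^ S[2][c]) + S[3][d]) & MASK32


def encrypt_block(P, S, block: bytes) -> bytes:
    """One 64-bit block: 16 Feistel rounds, then XOR with the last two P entries."""
    L, R = struct.unpack(">II", block)
    for i in range(16):
        L ^= P[i]        # the paper's P'
        R ^= F(S, L)     # the paper's F'
        L, R = R, L      # F' becomes the left half, P' the right half
    L, R = R, L          # undo the final swap
    R ^= P[16]
    L ^= P[17]
    return struct.pack(">II", L, R)


def decrypt_block(P, S, block: bytes) -> bytes:
    """Decryption is the same network with the P-array applied in reverse."""
    L, R = struct.unpack(">II", block)
    for i in range(17, 1, -1):
        L ^= P[i]
        R ^= F(S, L)
        L, R = R, L
    L, R = R, L
    R ^= P[1]
    L ^= P[0]
    return struct.pack(">II", L, R)


def encrypt_codeword(key: bytes, codeword: str) -> bytes:
    """Client side: 80-bit code word -> two 40-bit halves -> each zero-padded to
    64 bits (ASSUMPTION: the paper does not name the padding) -> 128-bit ciphertext."""
    data = codeword.encode("ascii")
    if len(data) != CODEWORD_LEN:
        raise ValueError("RFAA code word must be exactly 10 characters (80 bits)")
    P, S = init_tables(key)
    return b"".join(encrypt_block(P, S, half + b"\x00" * 3)
                    for half in (data[:5], data[5:]))


def decrypt_codeword(key: bytes, ciphertext: bytes) -> str:
    """Server side: decrypt both blocks and keep the 5 real bytes of each."""
    if len(ciphertext) != 16:
        raise ValueError("expected 128 bits of ciphertext")
    P, S = init_tables(key)
    plain = b"".join(decrypt_block(P, S, ciphertext[i:i + 8])[:5] for i in (0, 8))
    return plain.decode("ascii")


if __name__ == "__main__":
    key = b"rfaa-demo-secret-key"                 # constructed sample key
    ct = encrypt_codeword(key, "A7kQ9zP2mX")      # constructed sample code word
    print(len(ct) * 8, "bit ciphertext:", ct.hex())
    print("decrypted:", decrypt_codeword(key, ct))
    print("subkey tables:", table_size_bytes(), "bytes")
```

Only `init_tables` would change to make this real Blowfish (pi initialisation plus the key schedule); the rounds, F and the two-block handling are already the algorithm the paper describes. Note that the server can only call `decrypt_codeword` if it holds the key, which is the point the paper makes about transmitting the key: an observer of that same channel holds it too.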

Figure 3 Encryption Flow Chart

4. COMPARISON OF CURRENT AUTHENTICATION TECHNIQUES

In this section, we compare the most current two-factor authentication techniques to identify their strengths and weaknesses. Each technique used for two-factor authentication involves certain security issues. Table 1 compares the single-factor and two-factor techniques mentioned in this paper with RFAA on six feasibility measures and three security measures.

4.1 Feasibility Measures

There are six feasibility measures, which can be categorized into two groups: cost and deployment. Each of the six measures may appear in both categories depending on its specific requirements.

• Hardware requirement: This measure identifies the hardware cost for both the server and the users. The RFAA technique requires an RFID reader and token on the client side. Among the two-factor techniques, only the software token and SofToken achieve a low requirement, whereas RFAA achieves a medium requirement because of the RFID reader and tokens that will be needed by the user's different devices to authenticate the user.

• Deployment complexity: This measure indicates how difficult it is to deploy the technique. Most of the two-factor techniques have high complexity, except the virtual token, SofToken and RFAA, which achieve low complexity because of the straightforward process of deploying the required hardware and software.

• Portability: This measure indicates how easy it is for users to use the particular product. The single-factor technique scores high portability, but it fails to protect the user's credentials because it is highly susceptible to attacks. All the techniques that require a second factor reach only medium portability, since the user must carry multiple devices for authentication. RFAA, for instance, requires the user to carry the reader and tokens and connect them to other devices in order to perform two-factor authentication.

• Identity backup: This measure shows how difficult it is to recover the identity if it is stolen or lost. As Table 1 shows, the non-OTP single factor, biometrics, software token, SofToken and RFAA offer a high possibility of identity backup. RFAA achieves this because the user can easily set up a new account and register RFID tokens to it without worrying about the old credentials; moreover, the user can register new RFID tokens and credentials without worrying about any security breach of the old account.

• Lost recovery: This concerns the loss of the second authentication factor. Among the two-factor techniques, only biometrics, software token, SofToken and RFAA achieve a high score in this measure. RFAA scores high because the user can replace the RFID token and easily register the new token with the server if the token is lost or stolen.

• Replacement cost: This measures the cost of replacing a damaged or lost device that is used in the authentication process. Some techniques score low since there is no additional device with which to perform two-factor authentication. SofToken, biometrics and software token also score low, since only an application has to be installed on the client's PC. On the other hand, RFAA scores medium in this category, since replacing the RFID reader and tokens costs a little.

4.2 Security Measures

We compare the three security measures for the different authentication techniques. These demonstrate that single-factor authentication should not be used, as it performs worst in each of these measures.

• MitM prevention: Single-factor techniques are the most vulnerable to this type of attack. The virtual token, SofToken and RFAA provide better prevention than the other techniques.

• Phishing prevention: Most of the OTP techniques perform strongly in this measure. The software token achieves only medium because the second factor is not triggered by the server, and the token displays the next code every 30-60 seconds. RFAA scores strong in this category because of its ability to prevent third parties from accessing the user's credentials.

• Spoofing prevention: The single factor does not score high in this measure, as it is incapable of protecting the user's identity from unauthorized parties. RFAA, along with many other two-factor techniques, scores strong in this category because of the extra factor of protection and the resulting ability to prevent unauthorized access to the user's account.

5. CONCLUSION

In this paper we propose the RFAA technique, a two-factor authentication for more secure identification. SofToken is the predecessor of RFAA; RFAA can be used for both online transactions and computer system access, as opposed to the SofToken application, which primarily addresses online transaction security. The comparison between RFAA and the other techniques indicates that RFAA scores highly in many categories, not only because of its characteristics but also because of its ability to maintain a higher level of security for the users.

6. REFERENCES

[1] J.-C. Liou and S. Bhashyam, "A Feasible and Cost Effective Two-Factor Authentication," Proc. 2nd International Conference on Software Engineering and Data Mining (SEDM '10), pp. 47–51, Chengdu, China, June 2010.
[2] Imperva, "Imperva Releases Detailed Analysis of 32 Million Breached Consumer Passwords," http://www.imperva.com/news/press/2010/01_21_Imperva_Releases_Detailed_Analysis_of_32_Million_Passwords.html
[3] Inside Tech news, October 8, 2009, http://insidetech.monster.com/news/articles/6142-phishing-scheme-almost-catches-fbi-chief (retrieved 1/21/2010).
[4] S. Furnell, Computer Insecurity: Risking the System, pp. 54–56, Springer, London, UK, 2005.
[5] Spy keylogger, http://www.thinkgeek.com/gadgets/security/c49f
[6] RoboForm official site, http://www.roboform.com/index.html
[7] KeePass official site, http://keepass.info/
[8] FFIEC press release, http://www.ffiec.gov/press/pr081506.htm
[9] T. M. Jurgensen and S. B. Guthery, Smart Cards, Pearson Education, Inc., 2002.
[10] ISO/IEC 7816-3:1997, "Information technology – Identification cards – Integrated circuit(s) cards with contacts – Part 3: Electronic signals and transmission protocols," International Organization for Standardization, http://www.iso.org
[11] J. Postel, "Internet Protocol," RFC 791, and "Transmission Control Protocol," RFC 793, September 1981.
[12] Open Authentication Consortium (OATH), event-based and time-based OTP algorithms, http://www.openauthentication.org
[13] RSA Security, http://www.rsa.com/
[14] VeriSign, http://www.verisign.com/
[15] SC Magazine, "Web Application Security in Un-trusted Client Scenarios," http://www.scmagazineuk.com/web-application-security-in-un-trusted-client-scenarios/article/110448/
[16] Virtual Tag multi-factor authentication, Sestus, http://www.sestus.com/
[17] RFID News, http://www.rfidnews.org/2010/05/12/new-u-s-green-card-using-optical-stripe-rfid-technology?tag=Border_Control
[18] PCWorld, http://www.pcworld.com/article/123246/united_states_to_require_rfid_chips_in_passports.html
[19] B. Schneier, the Blowfish paper, http://www.schneier.com/paper-blowfish-fse.html

Performance            Username/  Smart   Biometrics  Security  Virtual  Software  SofToken  RFAA
                       password   Card                Token     Token    Token
Hardware requirement   Low        High    High        Medium    Medium   Low       Low       Medium
Deployment complexity  Low        High    High        High      Medium   Low       Low       Low
Portability            High       Medium  High        Medium    Medium   Medium    Medium    Medium
Identity backup        High       Low     High        Low       Medium   High      High      High
Lost recovery          High       Low     High        Low       Medium   High      High      High
Replace cost           Low        High    Low         High      Medium   Low       Low       Medium
MitM prevention        Weak       Medium  Weak        Medium    Strong   Medium    Strong    Strong
Phishing prevention    Weak       Strong  Medium      Strong    Strong   Medium    Strong    Strong
Spoofing prevention    Weak       Strong  Medium      Strong    Strong   Medium    Strong    Strong

Table 1: Comparison of Single-Factor and Two-Factor Authentication Techniques