A Sophisticated RFID Application on Multi-Factor Authentication
Jing-Chiou Liou, Gregory Egan, Jay K. Patel and Sujith Bhashyam
Department of Computer Science, Kean University, 1000 Morris Ave., Union, NJ 07083, USA
{jliou,egangr,pjay1,bhashyas}@kean.edu

ABSTRACT

Authentication is the process of verifying a user's credentials when they request services from a secure system. The most common form of authentication is single-factor authentication, which requires only one factor for the user to log into the system; in this case the username and password together act as a single factor. A more secure technique is multi-factor authentication, which requires more than one factor to gain access to a particular system. In this paper, we propose an RFID Factor Authentication Application (RFAA), an enhanced technique derived from SofToken [1] that acts as a technique for two-factor authentication. RFAA not only sustains the next level of security but is also proven to prevent most security breaches.

KEYWORDS

Encryption, Multi-Factor Authentication, Radio Frequency Identification

1. INTRODUCTION

Throughout the decades, computers have emerged and changed everything around the world. It is becoming absolutely necessary to use technology in our daily lives. Any information can reach any part of the world at any time wherever computers and the Internet are available. The computer plays a significant role in people's daily lives today.

In this technological age, computers have changed the way we live, as they are not only capable of sharing information but also provide portability and services over the Internet anytime and anywhere. Computers take communication beyond the definition of communication. With the use of computers, anybody can communicate immediately with anyone around the world. Through technological advancement, information is currently shared and accessed over millions of servers without boundaries. Even though computers are augmenting our daily lives, they require certain measures on access control and user authentication. Authentication is the process of verifying a user's credentials when they are requesting services from any secure system.

A simple authentication only involves a username and password, and this can be easily deciphered. Adding a strong factor will reduce the chance of the user's identity being hacked. For the second factor, we will use Radio Frequency Identification (RFID) to provide the user a personalized factor of authentication to access a secure server or website. Users will be asked for a username/password along with an extra code word to verify before access is granted. The RFAA method is a server/client procedure that allows secure login into a server and permits the client to perform secure transactions.

In this paper, we will discuss in Section 2 single-factor authentication, two-factor authentication and other authentication methods that are available today. In Section 3, we will review RFID technology and propose RFAA for two-factor authentication. The Blowfish encryption and decryption algorithm will also be discussed. We then compare the security measures with other authentication techniques in Section 4. Finally, in Section 5, we conclude our discussion and project on possible future work.

2. BACKGROUND

Authentication is the process of verifying users' identities when they are requesting services from any secure system. During the authentication process, several validation factors may be needed to verify the client's identity. An authentication factor is a portion of information that is given by the client and used to verify the identity of the client who is applying for access under certain security constraints. The authentication factor is usually one of three techniques: "proof by knowledge" (e.g., username/password), "proof by possession" (smartcard or token), or "proof by property" (fingerprint scan).

2.1 Single-Factor Authentication

Single-Factor Authentication (S-FA) focuses on only one factor, the username/password. S-FA is the most widely accepted technique, but it has proved to be a weak method, especially when it comes to protecting data.

Security concerns for S-FA are not only prevalent but also apparent in today's society, especially when a prolific amount of the user's data is located on a server or an online website. Secure passwords are often difficult to remember, and people have multiple passwords and usernames to remember. Passwords that are easy to remember are correspondingly easy targets for various forms of software attack. In a study by a data security firm [2] that analyzed 32 million passwords exposed in the Rockyou.com breach in December 2009, the top five most common passwords among those 32 million users were: 123456, 12345, 123456789, Password, and iloveyou.

Even with secure passwords, phishing and spoofing attacks may use a site that looks like a legitimate one to trick the user into supplying the password. As a matter of fact, news on October 8, 2009 reported that a phishing scheme almost caught the FBI Chief [3].

In addition, people usually don't change their passwords frequently. It was reported, in some cases, that less than 25% of people change their password monthly, and some 34% in a survey said they never change their passwords [4]. Therefore, a keystroke logger, installed physically [5] or in the form of software, can catch passwords entered manually on a login screen. As there are many passwords to remember, many people keep a file on their computer, a form of book-keeping, which includes their passwords. Hackers who are able to reach that file can obtain all of that person's username/password information.

One improvement to S-FA is to utilize a password management utility. Password management is achieved by using various password vault applications, such as RoboForm [6] and KeePass [7], which store user passwords and can automatically enter the required fields in a web form. The software typically has a local database or files that hold the encrypted password data. Many password managers also work as form fillers, thus filling the user and password data automatically into forms.

However, the data is still kept on the host computer or device and can potentially be stolen through browser exploits, Trojan horses, etc. The data remains vulnerable to spoofing and phishing attacks. Finally, if the password manager is corrupted, all passwords would be lost unless there is a backup process, which adds another security issue.

2.2 Two-Factor Authentication

Two-factor authentication requires an extra factor in addition to the username/password. Using two factors as opposed to one generally achieves a higher level of authentication assurance. The FFIEC issued supplemental guidance on this subject in August 2006 [8]: "By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category ... would not constitute multifactor authentication."

Generally, this second factor takes the form of a physical security token or smart card that the user has in his/her possession. In this case, some applications may also use a mobile phone or other personal device. One example is the ATM card issued by a bank. One authentication factor is the physical ATM card that the customer slides into the machine; the second factor is the PIN the customer enters. Without both, authentication cannot take place.

Another form of second factor may be a biological factor, such as a fingerprint scan. Use of this technique requires special hardware to scan the input data, thus having a higher complexity and cost in deployment.

Smart Card

A smart card [9] is a successor of the magnetic card that is widely used in credit cards, debit cards, ATM cards and ID badges. The number on the smart card changes each time (also called an OTP), so that a number cannot be re-used as long as all processing is authenticated. Smart cards are about the same size as a credit card and require a special reader. The downside is that the smart card is not a small device and the card reader is an extra expense. Moreover, the smart card and the reader also require a special middleware application due to the mismatch between smart card communication standards [10] and the communication protocols [11] used by mainstream PC applications.

Biometrics

Users may biometrically authenticate via their fingerprint, voiceprint, or iris scan using provided hardware and then enter a PIN or password. For many biometric identifiers, the actual biometric information is rendered into string or mathematical information. The device scans the physical characteristic, extracts critical information, and then stores the result as a string of data. Comparison is therefore made between two data strings, and if there is sufficient commonality a pass is achieved.

One problem that is apparent with biometrics is that if a large number of users are being authenticated at the same time, the technique may become unacceptably slow and comparatively expensive. It is also an easy target for a replay attack. Once the biometric information is compromised (for example, a fingerprint copied from something the user has held), it may easily be replayed unless the reader is completely secure and guarded.

Security Token

Security tokens, also called OTP tokens, have an LCD screen that displays a fixed number of alphanumeric characters. OTP tokens are mainly based on two types of algorithms: time-synchronized and event-based. A time-synchronized algorithm produces a pseudo-random number with a built-in pseudo-random number generator. The pseudo-random number changes at pre-determined intervals, usually every 60 seconds. An event-based algorithm such as that proposed by the Open Authentication (OATH) consortium [12] uses a user

2.3 SofToken Technique

SofToken was first introduced in 2010 by Liou and Bhashyam [1]. SofToken, rooted in the software token, sends not just a pseudo-random number (an OTP) but also the encrypted key to the server for authentication.