Critical File Access in Wireless Networks Using Multifactor Authentication

Feb 23, 2014

Sangheethaa Sukumaran (1), Swathika Rengasamy (2) and S. Sasirekha (3)

Department of Information Technology, SSN College of Engineering, Kalavakkam, Chennai - 603110

E-mail: (1) sangheethaas@ssn.edu.in, (2) swathikar@ssn.edu.in, (3) sasirekhas@ssn.edu.in

ABSTRACT:

The exponential increase in the growth of wireless networks has spawned many new threats. Existing wireless authentication schemes use pre-shared keys, shared between the clients and the Access Point (AP), which are susceptible to offline dictionary attacks. Hence stronger authentication systems are needed to secure a wireless enterprise. This need for security is further heightened when access to critical files is necessary. For authentication requirements where cracking is not an acceptable risk, multi-factor authentication is the only real way to provide strong authentication. In this paper, we demonstrate a scenario where the user needs to access a critical file over a wireless network, and how to secure it. Before access to the file is granted, the client needs to be authenticated. A multi-factor authentication technique is used to authenticate the users, and the two authentication keys used in this paper are One Time Passwords and Fingerprint.

Keywords

Wireless Networks, Multifactor Authentication, Fingerprint.

INTRODUCTION

Wireless networks have had a significant impact on the world as far back as World War II. Through the use of wireless networks, information could be sent overseas or behind enemy lines easily, quickly and more reliably. Since then wireless networks have continued to develop and their uses have grown significantly. People and businesses use wireless networks to send and share data quickly, whether in a small office building or across the world. In future, all communication will be wireless. But a wireless network is susceptible to more types of new attacks.

Threats in Wireless Networks

A wireless network is more vulnerable [3] because anyone can try to break into a network broadcasting a signal. A wireless network can be affected by hackers, viruses, worms and Trojans. These types of attackers are introduced through e-mail attachments, embedded in web pages or transmitted through peer to peer applications. Many networks offer WEP (Wired Equivalent Privacy) security systems, which have been found to be vulnerable to intrusion [2]. Though WEP does block some intruders, the security problems have caused some businesses to stick with wired networks until security can be improved. Another type of security for wireless networks is WPA [6] (Wi-Fi Protected Access). WPA provides more security to wireless networks than a WEP security set up. Existing wireless authentication schemes use pre-shared keys which the clients and Access Point (AP) share. Pre-shared keys are susceptible to offline dictionary attacks, hence stronger authentication systems are needed to secure a wireless enterprise.

This need for security is further heightened when access to critical files is necessary. For authentication requirements where cracking is not an acceptable risk, multi-factor authentication is the only real way to provide strong authentication.

Multifactor authentication

Human authentication factors are generally classified into three cases [5]:

Something the user has (e.g., ID card, security token, software token, phone, or cell phone).
Something the user knows (e.g., a password, pass phrase, or personal identification number (PIN)).
Something the user is or does (e.g., fingerprint or retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature or voice recognition, unique bio-electric signals, or another biometric identifier).

Often a combination of methods is used, e.g., a bankcard and a PIN, in which case the term two-factor authentication (or multi-factor authentication) is used. In 2006, several scientists at RSA Laboratories published a paper exploring social networking as a fourth factor of human authentication.

Historically, fingerprints have been used as the most authoritative method of authentication. Other biometric methods such as retinal scans are promising, but have shown themselves to be easily spoofable in practice. Hybrid or two-tiered authentication methods offer a compelling solution, such as private keys encrypted by fingerprint inside of a USB device.

Using more than one factor is also sometimes called strong authentication; using just one factor, for example just a static password, is considered by some to be weak authentication. It should be remembered, however, that strong authentication and multi-factor authentication are fundamentally different processes. Soliciting multiple answers to challenge questions may be considered strong authentication but, unless the process also retrieves 'something you have' or 'something you are', it would not be considered multi-factor.

Mobile and Pervasive Computing (CoMPC 2008)

This paper discusses accessing critical files from a server machine in a wireless network by using a multifactor authentication mechanism. This paper is organized into the following sections. Section 2 gives the literature survey. Section 3 gives details about the major parts of the paper, namely one time passwords and Gabor filter fingerprint matching. Section 4 gives implementation details of the paper. Finally, section 5 gives the conclusion.

LITERATURE SURVEY

The major authentication keys used today are passwords, hardware tokens, software tokens, one-time passwords and biometrics.

Passwords

The use of passwords for authentication is widely established; both implementers and customers accept them, with the various issues being well documented and understood. However, password systems are susceptible to many attacks, and attacks against passwords are generally serious as they usually recover the password. Additional protections for the communication channel can be used to protect the password, but this still does not prevent all attacks. Many security experts now regard passwords, by themselves, as insufficient for online authentication for anything other than low risk services.

Hardware Tokens

Hardware tokens are specialized hardware devices that protect secrets (normally cryptographic keys) and perform cryptographic operations. The cryptographic operations support authentication of both parties and the protection of the communication channel used for the authentication exchange. Drawbacks of hardware tokens, compared to other authentication keys, include: increased cost, implementation and deployment complexity, and reduced ease of use for customers.

Software Tokens

Software tokens are essentially software implementations of hardware tokens and so share many of the advantages of hardware tokens. As with hardware tokens, software tokens support authentication of both parties and protection of the communication channel used for the authentication exchange.

The major issues with software tokens are the potential for them to be copied, and that they may be copied without the owner's knowledge. This results from the lack of a physical container protecting the secrets. The main advantage, compared to hardware tokens, is the lower cost.

One-time Passwords

One-time password systems rely on a series of passwords generated using special algorithms. Each password of the series is called a one-time password as it is distinct from the others generated and can only be used once. A wide variety of one-time password systems exist that provide varying protection against attacks. Common advantages of one-time password systems are: they are easy for customers to use, and they have relatively low implementation costs and complexity when compared to software and hardware tokens.

Some of the attacks used against traditional passwords are mitigated with one-time passwords. For example, with discovery attacks (attacks that recover passwords, such as phishing attacks), any (one-time) password obtained may be used only once, and with some systems the (one-time) password obtained can be used only within a very limited time frame.

Authentication of the verifier is not usually supported, which can be exploited in attacks. The exposure to copying attacks (where the OTP device itself is copied) depends on the actual solution used.

Biometrics

Biometrics are well suited to local access control (as with passports in border control) but not as well suited to remote authentication. One of the main reasons is that biometric data is personal data and significant privacy issues arise with the collection, storage and use of such information. With remote authentication, this means special care must be taken to protect transmitted biometric data. The most commonly used biometric method is fingerprinting.

Fingerprint Matching

Fingerprint recognition or fingerprint authentication refers to the automated method of verifying a match between two human fingerprints. Fingerprint based identification is one of the most important biometric technologies, and has drawn a substantial amount of attention recently [1]. Humans have used fingerprints for personal identification for centuries and the validity of fingerprint identification has been well established. In fact, fingerprint technology is so common in personal identification that it has almost become a synonym of biometrics. Fingerprints are believed to be unique across individuals and across fingers of the same individual. Even identical twins, having similar DNA, are believed to have different fingerprints. These observations have led to the increased use of automatic fingerprint based identification in both civilian and law-enforcement applications.

Characteristics of Fingerprints

A fingerprint is the pattern of ridges and furrows on the surface of a fingertip. Ridges and valleys often run in parallel, and sometimes they bifurcate and sometimes they terminate. When a fingerprint image is analyzed at the global level, the fingerprint pattern exhibits one or more regions where ridgelines assume distinctive shapes. These shapes are characterized by high curvature, terminations, bifurcations, crossover, etc. These regions are called singular regions or singularities. These singularities may be classified into three topologies: loop, delta and whorl. At the local level, other important features known as minutiae can be found in the fingerprint patterns. Minutiae means small details, and this refers to the various ways that the ridges can be discontinuous. A ridge can suddenly come to an end, which is called a termination, or it can divide into two ridges, which is called a bifurcation (Figure 1).

Fig. 1: A Typical Fingerprint

Finger Print Matching Techniques

There are many methods for finger print matching. This section describes 2 such methods from the literature.

Minutiae Based Matching

Fingerprint matching techniques can be broadly classified as minutiae based and correlation based. A minutiae based technique first locates the minutiae points in a given fingerprint image and matches their relative placements against a stored template fingerprint. A good quality fingerprint contains between 60 and 80 minutiae, but different fingerprints have different numbers of minutiae. The performance of minutiae-based techniques relies on the accurate detection of minutiae points and the use of sophisticated matching techniques to compare two minutiae fields, which undergo non-rigid transformations.

Correlation Based Matching

Correlation based techniques compare the global pattern of ridges and valleys to see if the ridges in the two fingerprints align. The global approach to fingerprint representation is typically used for indexing and does not offer reliable fingerprint discrimination. The ridge structure in a fingerprint can be viewed as an oriented texture pattern having a dominant spatial frequency and orientation in a local neighborhood. The frequency is due to the inter-ridge spacing present in a fingerprint and the orientation is due to the flow pattern exhibited by ridges. Most textured images contain a narrow range of spatial frequencies. For typical fingerprint images scanned at 500 dpi, there is little variation in the spatial frequencies among different fingerprints. By capturing the frequency and orientation of ridges in local regions in the fingerprint, a distinct representation of the fingerprint is possible. An example of a correlation-based technique is Gabor filter based fingerprint matching.

CRITICAL FILE ACCESS

The application selected for showing the usage of multifactor authentication is file access in a wireless network. This application can be implemented in a company/workplace where restricted employees need to be given access to critical or secret files. By using multi-factor authentication a more secure authentication system is in place.

One-Time Passwords

One-time password (OTP) systems generate a series of passwords using special algorithms. Each password of the series is called a one-time password, as it can only be used a single time and it is distinct from the other passwords (or at least distinct with very high probability over a given cycle). There are many different one-time password systems available. The comments concerning hardware tokens above also apply to hardware one-time password devices, except those relating to communication channel protections. Tamper resistance varies across products and this market is still maturing in its use of tamper resistance features. Many one-time password methods are based on a static base secret that is shared between the customer and the verifier. The series of one-time passwords is then generated using this base secret, a nonce (a value that is different with each authentication, preventing replay attacks) and a one-way function. These one-time password systems come in two basic variants, depending on whether the nonce is based on:

A time value. This requires the device to contain a clock and therefore a battery to run the clock. A window exists for which the one-time password can be used (from 30 seconds to a few minutes). Re-synchronization procedures are employed to handle clock drift.

A counter. The counter is incremented at each use.

Solutions also exist that use a combination of these two variants. Other systems are based on a collection of passwords shared between the customer and verifier that are generated and distributed by the verifier. In this case the collection itself is the base secret. Others use challenge/response with a shared or known function. The function may be simply a printed table or a more sophisticated system based on a one-way function. There is a range of one-time password systems available and the above is only a brief introduction.

Advantages

One-time password systems can be easy to deploy and may not require any special software to be installed on the customer's computer. One-time password systems are generally acceptable to customers, due to their similarity to password systems. One-time password clock-based devices and challenge/response systems can be used across multiple systems. With hardware one-time password devices and printed lists, the customer is likely to notice the loss if they are stolen.

Attacks Mitigated

One-time passwords in general mitigate replay, eavesdropper, key logger and shoulder-surfing attacks, because once a one-time password is used it cannot be used again. One-time passwords used across multiple systems cannot completely mitigate these attacks without further protection measures being in place. Using communication channel protections mitigates session hijacking attacks.

Gabor Filter based Fingerprint Matching

This paper uses a technique called Gabor filter based finger print matching. The scheme first detects the core point in a fingerprint image using two different techniques. The core point is defined as the north most point of the innermost ridge line. In practice, the core point corresponds to the center of the north most loop type singularity. In images where there are no loop or whorl singularities, the core is normally associated with the maximum ridgeline curvature. A circular region around the core point is located and tessellated into various sectors. The pixel intensities in each sector are normalized to a constant mean and variance. The circular region is filtered using Gabor filters to produce a set of images. Gabor filter-banks are a well-known technique to capture useful information in specific band pass channels. The average absolute deviation within a sector quantifies the underlying ridge structure and is used as a feature. The feature vector is the collection of all the features, computed from all the sectors, in every filtered image. The matching stage computes the Euclidean distance between the two corresponding feature vectors. In this scheme, translation is taken care of by a reference point, which is the core point, during the feature extraction stage, and image rotation is handled by a cyclic rotation of the feature values in the feature vector.

Fig. 2: The ROC curve comparing the performance of the Gabor filter based approach with the minutiae based approach

The performance comparison between minutiae based systems and Gabor filter based matching can be shown as a Receiver Operating Characteristic (ROC) curve that plots the Genuine Accept Rate (GAR) against the False Accept Rate (FAR) at different thresholds on the matching score. As can be seen in Figure 2, our approach outperforms the minutiae based approach over a wide range of FAR values. For example, at 1% FAR, the Gabor filter based fingerprint matcher gives a GAR of 91% while the minutiae based matcher gives a GAR of 73%.
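The ROC figures above are read off a sweep of the matching-score threshold. The following Python is an added illustration, not code or data from the paper: it takes two constructed lists of Euclidean-distance scores (genuine pairs and impostor pairs; the paper's own scores are not published here) and shows how GAR and FAR are computed per threshold, how the curve is traced, and how a figure such as "GAR at 1% FAR" is selected from it.

```python
# Constructed sample matching scores (Euclidean distances between Finger Codes; lower means
# more similar). Genuine pairs are two images of the same finger, impostor pairs are images
# of different fingers. These numbers are made up for this example, not taken from the paper.
GENUINE_SCORES = [120, 180, 240, 310, 350, 400, 450, 520, 610, 760, 900, 1150]
IMPOSTOR_SCORES = [640, 830, 910, 1020, 1100, 1180, 1250, 1330, 1400, 1480, 1560, 1700]


def accept_rate(scores, threshold):
    """Fraction of pairs accepted when a distance below `threshold` counts as a match."""
    return sum(1 for s in scores if s < threshold) / len(scores)


def operating_point(genuine, impostor, threshold):
    """(FAR, GAR) for one threshold: FAR comes from impostor pairs, GAR from genuine pairs."""
    return accept_rate(impostor, threshold), accept_rate(genuine, threshold)


def roc_curve(genuine, impostor):
    """The ROC as (FAR, GAR) points, sweeping the threshold over every observed score.

    Both rates only change at an observed score, so those are the only thresholds worth
    evaluating. Points come out in increasing-threshold order, so FAR and GAR never decrease.
    The final threshold lies above every score and gives the (1.0, 1.0) corner.
    """
    thresholds = sorted(set(genuine) | set(impostor))
    thresholds.append(thresholds[-1] + 1)
    return [operating_point(genuine, impostor, t) for t in thresholds]


def threshold_for_far(genuine, impostor, max_far):
    """Largest threshold whose FAR stays within `max_far`; returns (threshold, FAR, GAR).

    This is how a single number such as the paper's '91% GAR at 1% FAR' is read off the curve.
    Returns None if even the strictest threshold admits too many impostors.
    """
    chosen = None
    for t in sorted(set(genuine) | set(impostor)):
        far, gar = operating_point(genuine, impostor, t)
        if far <= max_far:
            chosen = (t, far, gar)
    return chosen
```

With only twelve impostor pairs the FAR can only take the values 0, 1/12, 2/12, ..., so a 1% FAR budget resolves to "no impostor accepted" and the threshold lands at the lowest impostor score; a real evaluation needs enough impostor pairs that the FAR granularity is finer than the target. The fixed threshold of 1000 used later in this paper is just one operating point on such a curve, and `operating_point(GENUINE_SCORES, IMPOSTOR_SCORES, 1000)` shows what it would cost on this sample.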

Secure Socket Layer

Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that provide secure communications on the Internet for such things as web browsing, e-mail, Internet faxing, instant messaging and other data transfers. There are slight differences between SSL and TLS, but the protocol remains substantially the same. The SSL protocol allows applications to communicate across a network in a way designed to prevent eavesdropping, tampering, and message forgery. SSL provides endpoint authentication and communications privacy over the Internet using cryptography. Typically, only the server is authenticated (i.e., its identity is ensured) while the client remains unauthenticated; this means that the end user (whether an individual or an application, such as a Web browser) can be sure with whom it is communicating. The next level of security, in which both ends of the conversation are sure with whom they are communicating, is known as mutual authentication. SSL involves three basic phases: peer negotiation for algorithm support; key exchange and authentication; symmetric cipher encryption and message authentication.

During the first phase, the client and server negotiate cipher suites, which determine the ciphers to be used, the key exchange and authentication algorithms, as well as the message authentication codes (MACs). The key exchange and authentication algorithms are typically public key algorithms, or preshared keys could be used. The message authentication codes are made up from cryptographic hash functions using the HMAC construction. Typical algorithms could be: for key exchange: RSA, Diffie-Hellman, DSA, SRP, PSK. For encryption, symmetric ciphers: RC4, Triple DES, AES or Camellia. In older versions of SSL, the ciphers RC2, IDEA and DES were also used. For the cryptographic hash function, HMAC-MD5 or HMAC-SHA is used, while older versions of SSL also used MD2 and MD4.

IMPLEMENTATION

This paper is implemented using J2SE 1.6 and Matlab 7.3. This chapter provides an insight into the various packages used in our system and concludes with a few screen shots of the final File Transfer Application. The various packages and technologies used are: Java Swing, Java Socket API and Matlab.

Java Swing is used for the creation of the Graphical User Interface (GUI). The Socket API takes care of the client server interaction. Matlab is a tool for doing numerical computations with matrices and vectors. We shall review each of these technologies briefly in this chapter.

In this paper, Swing has been used extensively to create the GUI, at both the server side and the client side. The Java Socket API provides a set of function calls to establish communication between sockets on two remote machines. When messages are sent, they are queued at the sending socket until the underlying network protocol has transmitted them. When they arrive, the messages are queued at the receiving socket until the receiving process makes the necessary calls to receive them.

Secure Socket Layer (SSL) Sockets

SSLSocket extends Socket and provides a secure socket using protocols such as the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols. Such sockets are normal stream sockets, but they add a layer of security protections over the underlying network transport protocol, such as TCP. Those protections include:

Integrity Protection: SSL protects against modification of messages by an active wiretapper.
Confidentiality: In most modes, SSL encrypts data being sent between client and server. This protects the confidentiality of data, so that a passive wiretapper won't see sensitive data such as financial information or personal information of many kinds.

A cipher suite specifies these kinds of protection; it is a combination of cryptographic algorithms used by a given SSL connection. During the negotiation process, the client and server must agree on a cipher suite that is available in both environments. A negotiation process called handshaking establishes the cipher suite used. When SSLSockets are first created, no handshaking is done so that applications may first set their communication preferences: what cipher suites to use, whether the socket should be in client or server mode, etc. However, security is always provided by the time that application data is sent over the connection.
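The paper's file transfer application sets these preferences on Java SSLSockets; the code below is an added example in Python, not the paper's Java, that makes the same decisions with the standard ssl module for both the Secure Socket Layer section above and this one: fix the client/server mode, pin the minimum protocol version, restrict the cipher suites so that none of the legacy algorithms listed above (RC4, DES, MD5) can be negotiated, require a client certificate when mutual authentication is wanted, and run the handshake explicitly before any application data is sent. The cipher-string policy and the certificate file paths are this example's assumptions; no certificates are bundled, so the functions build contexts only and the channel helper is called by the deployment with a connected socket.

```python
import ssl

# Cipher policy assumed for this example: ephemeral ECDHE key exchange with AES-GCM, plus an
# explicit ban on the legacy algorithms the paper lists for older SSL (RC4, DES/3DES, MD5).
CIPHER_POLICY = "ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES"
LEGACY_MARKERS = ("RC4", "DES", "MD5", "RC2", "IDEA", "NULL")


def harden(ctx):
    """Constraints both ends apply before handshaking: no SSL 2/3 or TLS 1.0/1.1, restricted suites."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(CIPHER_POLICY)
    return ctx


def server_context(certfile=None, keyfile=None, client_ca=None):
    """Server mode. Paths are supplied by the deployment (hypothetical; none ship with this example).
    With client_ca set the server also demands a client certificate, i.e. mutual authentication."""
    ctx = harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    if client_ca:
        ctx.load_verify_locations(cafile=client_ca)
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def client_context(server_ca=None):
    """Client mode. PROTOCOL_TLS_CLIENT already requires and hostname-checks the server certificate,
    which is the 'only the server is authenticated' setting described in the paper."""
    ctx = harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    if server_ca:
        ctx.load_verify_locations(cafile=server_ca)
    return ctx


def offered_suites(ctx):
    """Names of the cipher suites this context will offer during negotiation."""
    return [c["name"] for c in ctx.get_ciphers()]


def legacy_suites(ctx):
    """Offered suites that still contain a legacy algorithm marker; expected to be empty."""
    return [n for n in offered_suites(ctx) if any(m in n for m in LEGACY_MARKERS)]


def policy_summary(ctx):
    """What the context will negotiate, as plain values, for a pre-deployment check."""
    return {
        "min_version": ctx.minimum_version.name,
        "requires_peer_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "suite_count": len(offered_suites(ctx)),
        "legacy_suites": legacy_suites(ctx),
    }


def open_secure_channel(ctx, sock, server_hostname=None):
    """Wrap an already-connected socket and run the handshake explicitly, so the cipher suite is
    agreed before the first byte of application data (the 'preferences first, then handshake'
    ordering described above). Returns the negotiated (suite, protocol, key bits)."""
    server_side = ctx.protocol == ssl.PROTOCOL_TLS_SERVER
    tls = ctx.wrap_socket(sock, server_side=server_side, server_hostname=server_hostname,
                          do_handshake_on_connect=False)
    tls.do_handshake()
    return tls.cipher()
```

`policy_summary(server_context())` is the check worth running before deploying: the minimum version should read TLSv1_2, the legacy list should be empty, and for the file server in this paper `requires_peer_cert` should be True once the client CA is configured, since the OTP and fingerprint factors are carried inside this channel and nothing else authenticates the client endpoint at the transport layer.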


Matlab

OTP is implemented in Java Swing, and fingerprint matching is done using MATLAB and has been converted to Java class files to be incorporated into the File Transfer Application. When the client requests a file from a server in a wireless environment, his/her authentication details have to be entered. The OTP and fingerprint image of the client are sent to the server for verification. If either of the authentication measures fails, then the system will deny access to the critical file. Fingerprint matching using Gabor filters [4] involves the following steps:

1. Core Point Detection
2. Tessellation
3. Normalization
4. Filtering
5. Feature Vector Extraction and Matching

Core Point Detection

Fingerprints have many conspicuous landmark structures and a combination of them could be used for establishing a reference point. We define the reference point of a fingerprint as the point of maximum curvature of the concave ridges in the fingerprint image.

Fig. 3: Concave and convex ridges in a fingerprint image when the finger is positioned upright

Tessellation

A tessellation or tiling of the plane is a collection of plane figures that fills the plane with no overlaps and no gaps. A square tessellation is applied to the image, with the center of the image corresponding to the core point detected.

Normalization

Normalization is performed to remove the effects of sensor noise and gray level background due to finger pressure differences. Normalization is the 3rd major step in fingerprint matching. After the core point is detected, the image required for normalization is cropped and then passed to the normalization function. $M_0$ and $V_0$ are the desired mean and variance values, while $M_i$ and $V_i$ are the estimated mean and variance of gray levels in the sector $S_i$ respectively. The formula used for normalization is as follows:

Fig. 4: Representation of steps involved in Fingerprint matching

Filtering

Gabor filters optimally capture both local orientation and frequency information from a fingerprint image. They are suited for extracting texture information from images. An even symmetric Gabor filter has the following general form in the spatial domain:


Feature Vector Extraction and Matching

A feature vector is composed of an ordered enumeration of the features extracted from the local information contained in each sub image. The Gabor filter is calculated for 0, 22.5, 45, 67.5, 90, 112.5, 135 and 157.5 degrees. The normalized region of interest is convolved with each of these eight filters to produce a set of eight filtered images. For each sector in these filtered images, the feature is the average absolute deviation from the mean. The combination of all features forms a Finger Code. The formula used to calculate the average absolute deviation is

$$V_i = \frac{1}{n_i} \sum_{n_i} \left| F_i(x, y) - \bar{F}_i \right|$$

where $n_i$ is the number of pixels in sector $S_i$, $F_i(x, y)$ is the filtered value at pixel $(x, y)$ of the sector and $\bar{F}_i$ is the mean of the filtered values in the sector.

The features in the Finger Code are cyclically rotated. Rotation of the Finger Code corresponds to rotation of the actual fingerprint. For each fingerprint in the database, we store templates corresponding to different rotations of the Finger Code. The input test Finger Code is matched with the templates stored in the database. If the matching score (Euclidean distance) is less than 1000, then the test fingerprint is said to be matched.
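The pipeline described in the Gabor Filter based Fingerprint Matching section and in steps 2 to 5 above (tessellation, normalization, filtering, feature extraction and rotation-tolerant matching) is shown end to end in the following Python. It is an added example, not the paper's MATLAB or Java code, and it fills in what the paper does not state: the circular band-and-sector tessellation from the Gabor section (the Tessellation step speaks of a square one), the target mean and variance $M_0$, $V_0$, the linear sector normalization formula, the Gaussian-times-cosine form of the even-symmetric Gabor kernel and its size and frequency, and a constructed test image of parallel sinusoidal ridges in place of a scanned fingerprint. Only the eight orientations, the average-absolute-deviation feature, the cyclic rotation of the Finger Code, the Euclidean distance and the threshold of 1000 come from the paper.

```python
import math

# From the paper: the eight filter orientations and the Euclidean-distance match threshold.
ORIENTATIONS_DEG = [0, 22.5, 45, 67.5, 90, 112.5, 135, 157.5]
MATCH_THRESHOLD = 1000.0
# Parameters assumed for this example; the paper does not state them.
M0, V0 = 100.0, 100.0        # desired sector mean and variance after normalization
BANDS, SECTORS = 2, 16       # circular tessellation: 2 bands x 16 sectors of 22.5 degrees
BAND_WIDTH = 8               # band width in pixels; one extra guard band is normalized but unused
KERNEL_HALF = 4              # 9x9 Gabor kernel
FREQ, SIGMA = 1 / 8, 4.0     # ridge frequency (cycles per pixel) and Gaussian spread

def sector_of(x, y, cx, cy, bands=BANDS):
    """(band, sector) of a pixel relative to the core point (cx, cy), or None outside the region."""
    dx, dy = x - cx, y - cy
    band = int(math.hypot(dx, dy) // BAND_WIDTH)
    if band >= bands:
        return None
    angle = math.atan2(dy, dx) % (2 * math.pi)
    return band, int(angle / (2 * math.pi / SECTORS)) % SECTORS

def normalize_sectors(img, cx, cy):
    """Give each sector the mean M0 and variance V0 (linear sector normalization, an assumption
    here because the paper's own formula did not survive extraction)."""
    members = {}
    for y, row in enumerate(img):
        for x in range(len(row)):
            key = sector_of(x, y, cx, cy, BANDS + 1)
            if key is not None:
                members.setdefault(key, []).append((x, y))
    out = [row[:] for row in img]
    for pts in members.values():
        vals = [img[y][x] for x, y in pts]
        mi = sum(vals) / len(vals)                          # estimated sector mean M_i
        vi = sum((v - mi) ** 2 for v in vals) / len(vals)   # estimated sector variance V_i
        for x, y in pts:
            d = math.sqrt(V0 * (img[y][x] - mi) ** 2 / vi) if vi > 0 else 0.0
            out[y][x] = M0 + d if img[y][x] > mi else M0 - d
    return out

def gabor_kernel(theta_deg):
    """Even-symmetric Gabor kernel in the standard Gaussian-times-cosine form (assumed; the
    paper's formula is missing), scaled so that its absolute weights sum to 1."""
    th = math.radians(theta_deg)
    kernel = {}
    for dy in range(-KERNEL_HALF, KERNEL_HALF + 1):
        for dx in range(-KERNEL_HALF, KERNEL_HALF + 1):
            xp = dx * math.cos(th) + dy * math.sin(th)      # along the filter orientation
            yp = -dx * math.sin(th) + dy * math.cos(th)     # across it
            kernel[(dx, dy)] = math.exp(-(xp * xp + yp * yp) / (2 * SIGMA * SIGMA)) * math.cos(2 * math.pi * FREQ * xp)
    total = sum(abs(w) for w in kernel.values())
    return {p: w / total for p, w in kernel.items()}

def average_absolute_deviation(values):
    """The paper's sector feature V_i: mean of |F_i(x, y) - mean(F_i)| over the sector's pixels."""
    if not values:
        return 0.0
    mean = sum(values) / len(values)
    return sum(abs(v - mean) for v in values) / len(values)

def finger_code(img, cx, cy):
    """Finger Code indexed [band][sector][orientation]: one AAD per Gabor-filtered sector."""
    norm = normalize_sectors(img, cx, cy)
    kernels = [gabor_kernel(t) for t in ORIENTATIONS_DEG]
    responses = [[[[] for _ in kernels] for _ in range(SECTORS)] for _ in range(BANDS)]
    for y in range(KERNEL_HALF, len(img) - KERNEL_HALF):
        for x in range(KERNEL_HALF, len(img[y]) - KERNEL_HALF):
            key = sector_of(x, y, cx, cy)
            if key is None:
                continue
            b, s = key
            for o, kernel in enumerate(kernels):     # convolve only inside the region of interest
                responses[b][s][o].append(sum(w * norm[y + dy][x + dx] for (dx, dy), w in kernel.items()))
    return [[[average_absolute_deviation(cell) for cell in sector] for sector in band] for band in responses]

def rotate_code(code, steps):
    """Cyclic rotation by steps x 22.5 degrees: sectors shift within each band and the filter
    orientations shift by the same amount (orientation is modulo 180 degrees)."""
    n_o = len(ORIENTATIONS_DEG)
    return [[[code[b][(s - steps) % SECTORS][(o - steps) % n_o] for o in range(n_o)]
             for s in range(SECTORS)] for b in range(BANDS)]

def euclidean_distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for ba, bb in zip(a, b) for sa, sb in zip(ba, bb) for x, y in zip(sa, sb)))

def match(test_code, stored_code):
    """Score the test code against every rotated template of the stored code.
    Returns (best distance, rotation steps, whether it passes the paper's threshold)."""
    distance, steps = min((euclidean_distance(test_code, rotate_code(stored_code, r)), r) for r in range(SECTORS))
    return distance, steps, distance < MATCH_THRESHOLD

def ridge_image(size, ridge_deg, amplitude=100.0):
    """Constructed test input: parallel sinusoidal ridges at ridge_deg, on an 8-bit gray scale."""
    th = math.radians(ridge_deg)
    return [[128.0 + amplitude * math.cos(2 * math.pi * FREQ * (x * math.cos(th) + y * math.sin(th)))
             for x in range(size)] for y in range(size)]
```

A template enrolled from `ridge_image(48, 45.0)` with the core at (24, 24) matches a second image of the same ridges at distance 0 and rotation 0, while `ridge_image(48, 67.5)` is recovered by `match` at rotation step 1 (or 9: with a perfectly periodic pattern and an even-symmetric filter the 180-degree ambiguity remains). The distances produced here are on a different scale from the paper's, because they depend on $M_0$, $V_0$, the number of sectors and the kernel normalization, so the threshold of 1000 is carried over only as a constant; in a deployment it has to be set from an ROC like Figure 2, not copied.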

One-Time Password

The user has a secret pass phrase. The secret pass phrase is concatenated with a seed. The seed is sent as clear text to the server. The result of the concatenation is passed to a secure hash algorithm (SHA) or message digest algorithm (MD5) and is then reduced to 64 bits. A sequence of one-time passwords is produced by applying the secure hash function multiple times to the output of the initial step (called S). That is, the first one-time password to be used is produced by passing S through the secure hash function a number of times (N) specified by the user. The next one-time password to be used is generated by passing S through the secure hash function N - 1 times. An eavesdropper who has monitored the transmission of a one-time password would not be able to generate the next required password, because doing so would mean inverting the hash function.

The server system has a database containing, for each user, the one-time password from the last successful authentication or the first OTP of a newly initialized sequence. To authenticate the user, the server decodes the one-time password received from the generator into a 64-bit key and then runs this key through the secure hash function once. If the result of this operation matches the stored previous OTP, the authentication is successful and the accepted one-time password is stored for future use.
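The hash-chain scheme just described, as an added example in Python rather than the paper's Java Swing implementation. The paper leaves two details open, and this code fixes them as assumptions: the 64-bit reduction is done by XOR-folding the SHA-1 digest into 8 bytes, and the value stored at enrolment (the "first OTP of a newly initialized sequence") is H^N(S), so the first login presents H^(N-1)(S), the next H^(N-2)(S), and so on, each checked by hashing it once and comparing with the stored value. The user names, passphrases and seeds are constructed for the example.

```python
import hashlib
import secrets

HASH = hashlib.sha1   # the paper allows SHA or MD5; SHA-1 is the choice made in this example


def fold_to_64_bits(digest):
    """Reduce a digest to 8 bytes by XOR-folding its 8-byte chunks. The paper only says the
    output is 'reduced to 64 bits'; XOR folding is this example's assumption."""
    out = bytearray(8)
    for i, byte in enumerate(digest):
        out[i % 8] ^= byte
    return bytes(out)


def h(value):
    """One application of the secure hash function, with the result kept at 64 bits."""
    return fold_to_64_bits(HASH(value).digest())


def initial_secret(passphrase, seed):
    """S = reduce(H(passphrase || seed)). Only the seed ever travels in clear."""
    return h((passphrase + seed).encode("utf-8"))


def otp(passphrase, seed, count):
    """H applied `count` times to S; the client recomputes this for every login."""
    value = initial_secret(passphrase, seed)
    for _ in range(count):
        value = h(value)
    return value


class OtpVerifier:
    """Server side: per user, the seed, the remaining sequence count and the last accepted OTP.
    The passphrase itself is never stored."""

    def __init__(self):
        self._db = {}

    def enroll(self, user, passphrase, n, seed=""):
        """Initialize a sequence of length n: store H^n(S), the 'first OTP of a newly
        initialized sequence'. Logins then present H^(n-1)(S), H^(n-2)(S), ..."""
        seed = seed or secrets.token_hex(4)
        self._db[user] = {"seed": seed, "count": n, "last": otp(passphrase, seed, n)}
        return seed

    def challenge(self, user):
        """Sent to the client in clear: the seed and the hash count to use for this login."""
        rec = self._db[user]
        return rec["seed"], max(rec["count"] - 1, 0)

    def verify(self, user, candidate):
        """Accept iff hashing the candidate once reproduces the stored previous OTP."""
        rec = self._db[user]
        if rec["count"] <= 0:
            return False          # sequence exhausted: the user must re-enroll
        if h(candidate) != rec["last"]:
            # Wrong passphrase, or a replay: a reused H^k(S) hashes to H^(k+1)(S), but the
            # stored reference has already moved on to H^k(S) itself.
            return False
        rec["last"] = candidate   # the accepted OTP becomes the reference for the next login
        rec["count"] -= 1
        return True


def login(verifier, user, passphrase):
    """One client authentication: fetch the challenge, compute the OTP, submit it."""
    seed, count = verifier.challenge(user)
    return verifier.verify(user, otp(passphrase, seed, count))
```

Two properties worth checking against this code: a captured OTP is useless for the following login, because producing H^(k-1)(S) from H^k(S) would require inverting `h`, and the same OTP submitted twice is rejected because the server's reference has already advanced. When the count reaches zero the chain is spent and `verify` refuses further logins until `enroll` is run again with a fresh seed, which is the moment the verifier, not the client, should insist on.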

CONCLUSION

In this paper, we have implemented multi-factor authentication in a wireless network for critical file access using Fingerprint and One-Time Password as the two factors of authentication. By transferring the authentication keys through the Secure Socket Layer, the data transfer is secure and eavesdropping is prevented.

As a future enhancement to this paper, an extra factor of authentication like a hardware token can be included. The fingerprint matching system using Gabor filters can be coupled with other minutiae based matching so as to obtain a more resilient matching system.

REFERENCES

[1] Alex Kotlarchyk, 'Biometric Authentication in Wireless Networks', Florida Atlantic University, 2006.

[2] Chris Hurley, 'Identifying and Responding to Wireless Attacks', Black Hat Japan, 2005.

[3] Nicholas M., 'www.mser.gov.bc.ca/privacyaccess/Conferences/Feb2005/ConfPresentations/Nicholas_Miller.pdf', 2005.

[4] Muhammad Umer Munir and Dr. Muhammad Younas Javed, 'Fingerprint Matching Using Gabor Filters', National Conference on Emerging Technologies, 2004.

[5] State Services Commission, New Zealand Government, 'Guidance on Multifactor Authentication', 2006.

[6] Frank Bulk, 'www.home.earthlinknet/trialwhip/computer/wpa_article.pdf', 2004.