vii TABLE OF CONTENTS CHAPTER
advertisement
vii TABLE OF CONTENTS CHAPTER 1 TITLE PAGE DECLARATION ii DEDICATION iii ACKNOWLEDGEMENT iv ABSTRACT v ABSTRAK vi TABLE OF CONTENTS vii LIST OF TABLES xiv LIST OF FIGURES xvi LIST OF ABBREVIATIONS xix LIST OF SYMBOLS xxiii LIST OF ALGORITHMS xxv LIST OF APPENDICES xxvi INTRODUCTION 1 1.1 Overview 1 1.2 Problem Background 2 1.2.1 TMIS Architecture 2 1.2.2 Authentication Protocols and TMIS Vulnerabilities 4 1.2.3 Performance, Verification and Validation issues 6 1.2.4 Problem Statement 7 1.2.5 Research Questions 8 1.3 Research Aim 9 1.4 Research Objectives 9 1.5 Scope 9 1.6 Significance of the Study 10 viii 1.7 2 Thesis Organization 11 LITERATURE REVIEW 12 2.1 Overview 12 2.2 Authentication Protocols 13 2.2.1 Autherntication Factors 13 2.2.2 Formal Analysis and Verification Methods 14 2.3 2.4 2.5 2.2.2.1 BAN Logic 15 2.2.2.2 Scyther 15 2.2.2.3 Cryptanalysis 16 2.2.2.4 Authentication Properties 16 Telecare Medical Information System 16 2.3.1 Facility 17 2.3.2 Significance of TMIS 19 TMIS Security Authentication Frameworks 20 2.4.1 21 Authentication Frameworks Authentication Protocols and Vulnerabilities in TMIS 27 2.5.1 Authentication Attacks in Authentication Protocols 27 2.5.1.1 Wu et al Secure and Authentic Protocol for TMIS 2.5.1.2 Debiao et al More Secure Authentication Protocol for TMIS 2.5.1.3 30 Xie et al Robust Anonymous Authentication Protocol for TMIS 2.5.1.8 30 Cao et al Improved Dynamic ID Based MIS Protocol 2.5.1.7 29 Lee and Liu Secure Smartcard Based MIS Key-agreement Protocol 2.5.1.6 28 Zhu et al Efficient TMIS Authentication Protocol 2.5.1.5 28 Wei et al Improved TMIS Authentication Protocol 2.5.1.4 27 31 Hao et al Chaotic Map Based Authentication Protocol for TMIS 31 ix 2.5.1.9 Jiang et al Robust Chaotic Map Based Key-agreement Protocol 32 2.5.1.10 Lin et al Secure Verifier Based Three-Party Authentication Protocol 32 2.5.1.11 Zhang et al Elliptic Curve Authentication Protocol for TMIS 32 2.5.1.12 Awasthi et al Biometric Authentication Protocol for TMIS 33 2.5.1.13 Yan et al 3FA Biometric-based Authentication Protocol 34 2.5.1.14 Other Limitations of TMIS Authentication Protocols 2.6 35 Authentication Issues in Cloud Computing Studies Outside TMIS 36 2.6.1 Smartphone Based MFA/2FA/3FA Studies and Authentication Issues 2.6.1.1 En-Nasry et al Smartphone based Digital Identity Authentication Protocol 2.6.1.2 37 Gunther et al 2FA Protocol for Banking Payment System 2.6.1.4 36 Hu et al 3FA Android Mobile Payment Authentication Framework 2.6.1.3 36 38 Honggang et al Cloud Computing 2FA Secure Protection between User and Mobile 2.6.1.5 Rassan et al Mobile Cloud Computing with Biometric (SMCBA) 2.6.1.6 40 Dinh et al Cloud Computing Framework For Enhanced Mobile Health 2.6.1.9 40 Aryan et al Concept for Smartphone Service Security on Cloud 2.6.1.8 40 Ziyad et al Multifactor Biometric Authentication for Cloud 2.6.1.7 39 Omri et al Cloud-based Mobile System 41 x for Biometrics 41 2.6.1.10 Khan et al Dynamic Credentials Generating Protocol in Mobile Cloud Computing 42 2.6.1.11 Al-Hasan et al Security of the Data between Cloud and Smartphone 2..7 43 Literature Review Analysis and Findings 43 2.7.1 TMIS Authentication Framework 43 2.7.2 TMIS Authentication Protocols and Authentication Attocks 45 2.7.3 TMIS Authentication Protocols Performance and Hardware Issues 46 2.7.4 Authentication Issues in Cloud Computing Studies outside TMIS 2.8 3 4 Summary 47 50 RESEARCH METHODOLOGY 52 3.1 Overview 52 3.2 Problem Formulation and Background Analysis 54 3.3 Cloud Computing 3FA Authentication Framework and Protocols for TMIS Facility 55 3.4 Athentication Testing, Verification and Validation 58 3.5 Assumptions 64 3.6 Summary 65 CLOUD COMPUTING THREE-FACTOR USER AUTHENTICATION FRAMEWORK AND PROTOCOLS FOR TIMIS 66 4.1 Overview 66 4.2 Cloud Computing 3FA User Authentication Framework for TMIS (3FA-AFSCC) 67 4.2.1 3FA Authentication Framework 67 4.2.2 Service Registration Process 68 4.2.2.1 Registration Authority Step 69 4.2.2.2 Mobile Service Provider Step 70 xi 4.2.3 Algorithms for Registration Process 71 4.2.4 Service Login Process 71 4.2.5 72 New Service Activation Process 4.2.5.1 Algorithms for New Service Activation Process 4.2.6 Service Reset Process 4.3 4.4 4.5 4.6 5 73 74 Cloud Computing 3FA Service Cataloguing and Initialization Protocols (3FA-SRLM) 77 4.3.1 The Basics of 3FA-SRLM 77 4.3.2 Service Cataloguing Authentication Protocol 78 4.3.3 Service Initialization Authentication Protocol 81 Cloud Computing 3FA New Service Stimulation and Reset Protocol 83 4.4.1 New Service Stimulation Protocol 83 4.4.2 Service Reset Protocol 86 Framework Validation (3FA) 89 4.5.1 Validation of Authentication Clouds 89 4.5.2 1FA Validation 91 4.5.3 2FA Validation 92 4.5.4 3FA Validation 93 Summary 94 AUTHENTICATION TESTING 3FA AUTHENTICATION FRAMEWORK AND PROTOCOLS FOR TMIS 95 5.1 Overview 95 5.2 Assumptions and Limitations 96 5.3 BAN Logic Verification 96 5.3.1 BAN Logic Postulates Mapping 97 5.3.1.1 Rule 1 Mapping 97 5.3.1.2 Rule 2 Mapping 98 5.3.1.3 Rule 3 Mapping 98 5.3.1.4 Rule 4 Mapping 98 5.3.2 Authentication Protocols Verification and Proofs 5.3.2.1 Idealization Form 99 99 xii 5.3.2.2 Logical Assumptions 100 5.3.2.3 Authentication Goal 100 5.3.3 Protocol Verification 5.4 Scyther Authentication Testing Simulation and Validation 5.4.1 Authentication Protocol Transformation (SPDL) 5.6 6 102 102 5.4.1.1 Transformation of 1FA 103 5.4.1.2 Transformation of 2FA 104 5.4.1.3 Transformation of 3FA 106 5.4.2 Validation of Authentication Claims 5.5 101 108 5.4.2.1 Validation of 1FA Transformation 108 5.4.2.2 Validation of 2FA Transformation 112 5.4.2.3 Validation of 3FA Transformation 114 5.4.3 Characterization of Attack Trace Patterns 116 5.4.4 BAN Logic and Scyther Test Discussion 119 Performance Testing 120 5.5.1 Performance Setup 121 5.5.2 Performance Testing Results 121 Summary 123 CRYPTANALYSIS, PERFORMANCE ANALYSIS AND DISCUSSION 125 6.1 Overview 125 6.2 Security and Performance Analysis and Discussion 126 6.2.1 Cryptanalysis 126 6.2.2 Assumptions and Limitations 126 6.2.2.1 Impersonation Attack (IPA) 127 6.2.2.2 Parallel Processing Attack (PPSA) 128 6.2.2.3 Replay Attack (RA) 129 6.2.2.4 Password Guessing Attack (Online/Offline) – (PGA) 130 6.2.2.5 Insider Attack (IA) 130 6.2.2.6 Denial-of-Service Attack (DoS 131 6.2.2.7 Forgery Attack (FA) 131 6.2.2.8 Server Spoofing Attack (SSA) 132 xiii 6.2.2.9 Mutual Authentication Vulnerability 6.2.2.10 User/Server Anonymity Resistance(UA) 133 6.2.3 Smartphone Specific Security Threats 7 132 134 6.2.3.1 Malicious SMS Threat 134 6.2.3.2 Smartphone Malware Attacks 135 6.2.3.3 Smartphone Spyware Attacks 135 6.2.4 Database and Application Level Attacks 135 6.2.4.1 SQL Injection Attacks (XSS) 136 6.2.4.2 Unauthorized Access Control (UAA) 136 6.3 Comparative Analysis of the Cryptanalysis 137 6.4 Comparative Analysis of Performance and Other Issue 141 6.5 Overall Contribution of This Study 144 6.6 Summary 147 CONCLUSIONS and FUTURE WORK 148 7.1 Overview 148 7.2 Contributions of this Study 149 7.2.1 Aim of This Study (3FA-AFSCC) 149 7.2.2 3FA-SRLM and 3FA-SARM Authentication Protocols on a Cloud Computing Environment 150 7.3 Overall Study Contribution 151 7.4 Future Work and Guidelines 152 7.4.1 Improved 3FA Biometrics Feature Extractions 152 7.4.2 Improved Telematics 3FA Authentication Framework using Smartphone 152 REFERENCES 153 Appendices A 167 xiv LIST OF TABLES TABLE NO. TITLE PAGE 2.1 Security Indices Results 28 2.2 Authentication and Performance Comparison 29 2.3 Performance and Authentication Analysis 30 2.4 Performance Analysis 32 2.5 Computational Analysis 33 2.6 Function Analysis 33 2.7 Literature Review Authentication and Other issues Comparison 49 2.8 Authentication Attack Abbreviations 50 3.1 BAN Logic Verification Parameters and Rules 59 3.2 BAN Logic Notations and Abbreviations 59 3.3 Scyther Security Simulation Parameters 63 3.4 Security Attacks 63 3.5 Performance Parameters 64 4.1 Notations used in 3FA-AFSCC 68 4.2 Parameters used in Algorithm 1 and 2 71 4.3 Parameters for New Service Activation 74 4.4 Variables for 3FA-SRLM and 3FA-SARM 78 5.1 Authentication Protocol Message Notations 99 5.2 1FA Transformation Variables/Parameters 103 5.3 2FA Transformation Variables/Parameters 105 5.4 3FA Transformation Variables/Parameters 106 5.5 1FA Roles, Roles Instances, Parameters 109 5.6 2FA Roles, Roles Instances, Parameters 112 5.7 3FA Roles, Roles Instances, Parameters 114 xv 5.8 BAN Scyther Test Comparison 120 6.1 Comparative Analysis of This Study with Existing Studies 146 6.2 Abbreviations used in Table 6.1 147 xvi LIST OF FIGURES FIGURE NO. TITLE PAGE 1.1 The Basic TMIS Framework 3 1.2 Example of Registration Phase 5 1.3 Example of Password Change Phase 5 2.1 Telecare Medical Information System (TMIS) 18 2.2 The Resource CAtalog Management (RCAM) 19 2.3 Multi-agent Security Framework 21 2.4 TMIS Security and Theoretical Framework 23 2.5 Design and Knowledge Framework 24 2.6 Hospital Information System Framework 25 2.7 inCASA Proposed Architecture 26 2.8 ECG Monitoring Health Cloud Framework 26 2.9 Implementation Framework 38 2.10 Payment Scheme Steps 39 2.11 Watermarking Algorithm 39 2.12 IMS based Mobile Health Framework 41 2.13 Handwritten Cloud Computing Security Framework 42 3.1 Research Methodology (Functional Flowchart) 53 4.1 Registered Authority Step 69 4.2 Mobile Service Provider Step 70 4.3 Service Login Process 72 4.4 New Service Activation/Registration Process 73 4.5 Service Reset Process 75 4.6 Complete 3FA-AFSCC Framework 76 4.7 New User Registration on Authentication Clouds 90 4.8 New User Registration Confirmation 90 xvii 4.9 Final Validation in Uhuru Cloud 91 4.10 MSP Windows 8 Phone Simulation 92 4.11 Successful and Unsuccessful Attempts (2FA) 93 4.12 MSP OTP (3FA) Validation 94 5.1 Transformation of 1FA 104 5.2 Transformation of 2FA 106 5.3 Transformation of 3FA 107 5.4 Scyther Security Attack Validation of 1FA Transformation 109 5.5 Attacks on 1FA Transformation 111 5.6 1FA Authentication Claims 112 5.7 Scyther Security Attack Validation of 2FA Transformation 113 5.8 2FA Authentication Claims 114 5.10 Scyther Security Attack Validation of 3FA Transformation 115 5.11 3FA Authentication Claims 116 5.12 1FA Roles Characterization 117 5.13 Attack Trace in peach color 117 5.14 2FA Roles Characterization 118 5.15 3FA Roles Characterization 118 5.16 Code Metrics 121 5.17 Profiler Setup of All Clouds 122 5.18 Profiler CPU Usage 122 5.19 Complete Performance Graphs of 1660 Sample Profiles 123 6.1 Parameterized SQL Queries 136 6.2 Impersonation Attack Evaluation 138 6.3 Insider Attack Evaluation 138 6.4 Online/Offline Password Attacks Evaluation 139 6.5 Replay Attack Evaluation 139 6.6 Parallel Processing Attack Evaluation 140 6.7 This Study Evaluation based on Other Attacks 140 6.8 This Study Performance Comparison 142 6.9 This Study VVI and IMI Evaluation 143 xviii 6.10 Performance Improvement with Existing Studies 6.11 Thia study Implementations Improvement with Existing Studies 6.12 6.13 143 144 This Study Validation/Verification Improvement with Existing Studies 144 Contribution of This Study as compare to Other Studies 145 xix LIST OF ABBREVIATIONS 1FA - First Factor Authentication 2FA - Two Factor Authentication 3FA - Three Factor Authentication 1G - First Generation 2G - Second Generation 3G - Third Generation 3DES - Triple Data Encryption Standard 2D - Two Dimensional 4FA - Fourth Factor of Authentication AHP - Analytical Hierarchy Process ATM - Automated Teller Machine AFSCC - Authentication Framework using Smartphone on Cloud Computing AD - Alzheimer’s disease AES - Advance Encryption Standard BAN - Burrows Abadi Needham CC - Cloud Computing CoSE - Cloud Secure Element CPU - Central Processing Unit DSS - Decision Support System DLP - Discrete Logarithms Problem DoS - Denial of Service DES - Data Encryption Standard DSP - Digital Signal Processing DFT - Discreet Fourier Transform DLL - Dynamic Link Library DB - Database xx ECG - Electrocardiography EIS - Enterprise Information System ESB - Enterprise Service Bus EE - External Event FA - Forgery Attack FR - Frame Rate FFT - Fast Fourier Transformation FFIEC - Federal Financial Institution Examination Council GPS - Global Positioning System HTTPS - Hyper Text Transport Protocol Secure IDM - Identity Management IMSI - International Mobile Subscriber Identity IMEI - International Mobile Station Equipment Identity IMS - IP Multimedia Subsystem IAAS - Infrastructure as a Service ISO - International Organization of Standardization IEC - International Electro technical Commission IA - Insider Attack IMI - Implementation Issues IPA - Impersonation Attack K2C - Key to Cloud LUA - Least Privilege User Account LHR - Lifetime Health Record MFA - Multifactor Authentication MOHM - Ministry of Health Malaysia MCDM - Multi Criteria Decision Making MCDA - Multi Criteria Decision Analysis MD5 - Message Digest Algorithm MAC - Media Access Control MSP - Mobile Service Provider Unit MSSQL - Microsoft Structured Query Language MAV - Mutual Authentication Vulnerability NFC - Near Field Communication xxi NFCTAN - NFC ChipTAN NGN - Next Generation Network NSR - New Service Activation/Registration NPP - Service Password Reset Framework OTP - One Time Password OMOS - Integrated Framework OS - Operating System OOS - Object Oriented Scanning PCI-DSS - Payment Card Industry Data Security Standard PDS - Personal Digital Assistant P2P - Peer-to-Peer PAAS - Platform as a Service PGA - Password Guessing Attack PAA - Privilege Access Attack PCI - Performance Computing Issue RCAM - Resource CAtalog Management RFID - Radio Frequency Identification SOA - Service Oriented Architecture SHA1 - Secure Hash Algorithm SRLM - Service Cataloguing and Initialization Protocol SARM - New Service Stimulation and Reset Protocol SSL - Secure Socket Layer SMCBA - Secure Mobile Computing with Biometric Authentication SDK - Software Development Kit SAAS - Software as a Service SPDL - Standard Page Description Language SGML - Standard Generalized Markup Language SSA - Server Spoofing Attack SA - Spyware Attack SME - Small Medium Enterprises TMIS - Telecare Medical Information System TCP/IP - Transport Control Protocol/Internet Protocol xxii TSCE - TMIS Smartphone based Cloud Environment TSP - TMIS Service Provider URL - Universal Resource Locators UA - User/Server Anonymity USIM - Universal Subscriber Identity Module UAA - Unauthorized Access Control VVI - Verification Validation Issue VMS - Virtual Memory System Web2ID - Web to Identification WSDL - Web Service Description/Definition Language XOR - Exclusive OR XSS - Cross Site Scripting Attack xxiii LIST OF SYMBOLS π΄π - Registered Authority π΄π₯ - Adversary ∀ - For All (\forall) π½ - Random Values πΆπ΄π - Registered Authority Cloud πΈπ - Computing Variables πΉπ - Computing Variables πΊπ - Computing Variables H - Secret Hash π - Positive Integer πΌπ·π - Identity π 1π - Session Temporary Variable ππ - Sent OTP Message ππ - MSP Cloud π1 - Message πππ - New Provider ππ€ - Registered Password ππ - Updated/New Password π|≡π - Message Meaning π⇒π - Jurisdiction/Authority ππ€ - Password ππ€πππ€ - New Password R - Request π π΅π - Biometrics-image ππ π - Session-Keys ππ , π(. ), βπ - Secure Function of Hash xxiv π π - Session Key πππ£ - Success Message ππ , πβ - Computing Variables for Timestamps πππΏ - TMIS Services π’πΌπ·π - Registered User π’ππ - Timestamp ππ - User V1, V2, V3 - Computing Variables of Server ππ - Computing Variables ππ - Variable X - Unique Identifier Key ⊕ - XOR-Operator β (π) - Nonce Verification (x) - Freshness ∈ - Belongs to ⊇ - Superset of or Equals to Σ - Summation xxv LIST OF ALGORITHMS ALGORITHM NO. TITLE 1 Algorithm for Service Registration Process 2 Algorithm for π π΅π enrolment using PAGE 167 Smartphone 168 3 Algorithm for π π΅π recognition and TSCE 169 4 Algorithm for π π΅π DSP Processing 170 5 Algorithm for π π΅π recognition using Algorithm 4 172 6 Algorithm for πππΏ list 174 7 Algorithm for Service Reset Process 174 xxvi LIST OF APPENDICES APPENDIX A TITLE 3FA-AFSCC Algorithms PAGE 167
