Software-defined location-enhanced, multi-factor authentication with attribute-based encryption
Date
2017
Authors
Journal Title
Journal ISSN
Volume Title
Publisher
University of Delaware
Abstract
When a user wants to access certain services offered by a service provider, typically the user must first authenticate herself with the service provider, such that the service provider may grant authorization to access the services. Authentication is the process through which the user provides confirmation of her identity to the service provider (and, in parallel, the user should receive confirmation that the service provider is legitimate). Several types (or factors) of authenticators can be utilized in this process. Namely, things the user know (e.g.: passwords, PINs); things the user possesses (e.g., token authenticators in the smartphone, key fobs, cards); characteristics or physical traits of the user (e.g., fingerprint, iris pattern); and, as proposed in this dissertation, the user’s location. Each authentication factor has, in terms of security and user experience when compared to other factors, strong and weak aspects, (or pros and cons). For instance, passwords must be long and random, but then remembering them can be taxing; fingerprints are (believed to be) unique and thus form a good authenticator, but they are immutable and hardly confidential; token authenticators and out-of-band tokens (such as SMS tokens) provide an ephemeral value that is valuable for security, but the user might lose possession of the respective token device. Combining two or more of those authenticators results in a potential increased security as compared to utilizing only one authenticator, which is known as multi-factor authentication. ☐ This dissertation focuses on multi-factor authentication. I present a cryptographic method to enable location as an authentication factor, using the flexibility of Ciphertext-Policy Attribute-Based Encryption (CP-ABE) and its access policies, together with location beacons. Such that this location authenticator can be realized, I develop a technique to request and control the presentation of multi-factor authenticators, through which scores are assigned to each authenticator type and both the user and the authentication service are aware of a minimum score needed for full authentication. To address the necessity of a secure scheme through which a user presents the authenticators, I construct a method for conveying the authentication factors in a Zero-Knowledge Password Proof (ZKPP) scheme and through an ephemeral, confidential session. The method also provides a secure joint authenticator that is the cryptographic composite (built within ZKPP) of the individual authenticators. To embody and realize these techniques, I devise a multi-factor authentication protocol named LOCATHE, through which a user device or user can authenticate herself to an authentication service using the device’s or user’s location and other authentication factors, with guarantees of forward secrecy. Moreover, I design a Location-Enhanced Multi-Factor Authentication Service (Loc-Auth), abstracting hardware (such as the location beacons) and control into a layered structure, to provide the authentication services and support for the components of this dissertation. Finally, I develop a Proof-of-Concept system, and perform an extensive security evaluation and analysis of the work herein.
Description
Keywords
Applied sciences, Authentication, Cryptography, Location, Multi-factor authentication, Protocol, Zero-knowledge password proof