The Smartphone as Mobile Authorization Proxy

Technische Universität München Institute for Media Technology Distributed Multimodal Information Processing Group The Smartphone as a Mobile Authorization Proxy - Towards Authentication Using Smartphones Luis Roalter, Matthias Kranz, Stefan Diewald, Andreas Möller, Kåre Synnes February 14, 2013 MCPT Workshop at Eurocast 2013

description

We present a novel approach to use a mobile device for authentication and authorization purposes, where the user is able to authenticate and authorize himself for access on a public terminal. The concept is based on an extension of a Single-Sign On solution for mobile and public terminals.

Transcript of The Smartphone as Mobile Authorization Proxy

Page 1: The Smartphone as Mobile Authorization Proxy

Technische Universität München Institute for Media Technology Distributed Multimodal Information Processing Group

The Smartphone as a Mobile Authorization Proxy - Towards Authentication Using Smartphones

Luis Roalter, Matthias Kranz, Stefan Diewald, Andreas Möller, Kåre Synnes

February 14, 2013 MCPT Workshop at Eurocast 2013

Page 2: The Smartphone as Mobile Authorization Proxy

Daily routines…

14.2.2013 L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes 2

Page 3: The Smartphone as Mobile Authorization Proxy

Scenario

Starting your work

• Log in to the computer

• You must know your username and password

Reading your mails

• Log in to your mail server

• You must know another username and password (probably)

Scientific Research

• Login for your library

• You must know another username and password

Page 4: The Smartphone as Mobile Authorization Proxy

Overview

Motivation

System architecture

Current implementation

Problems and Outlook

Page 5: The Smartphone as Mobile Authorization Proxy

Past Scenario

Situation

• Various platforms

• Different user name / password combinations

• No unified login mask

Problems

• Many credentials to remember

• No overview

• Multiple accounts to maintain

• Phishing

Page 6: The Smartphone as Mobile Authorization Proxy

Page 7: The Smartphone as Mobile Authorization Proxy

Recent Scenario

Situation

• Various platforms

• Usage of distributed login methods (LDAP, ADS, NIS, …)

• Mostly no unified login mask

• Only one username to remember

Problems

• One credential opens everything

• Phishing causes loss of complete system

• Public terminals / displays

Page 8: The Smartphone as Mobile Authorization Proxy

Page 9: The Smartphone as Mobile Authorization Proxy

Future Motivation

Situation

• Various platforms

• Usage of distributed login methods (LDAP, ADS, NIS, …)

• Unified login mask → replace it with a QR code

• No username to remember

• Smartphone is your identity provider

• Phishing is hardly possible

Requirements/Problems

• Need for a smartphone with internet connection

• More involved parties; trust

Page 10: The Smartphone as Mobile Authorization Proxy

The standard login…

Page 11: The Smartphone as Mobile Authorization Proxy

Novel approach with QR codes…

Page 12: The Smartphone as Mobile Authorization Proxy

Ideas

Single Sign-On

• Reduce number of different credentials

• Substitute other authentication methods

• Substitute many individual logins by one

• Works especially for organizations with many services

Motivation

• Easy usage at different services

• Global sign-off

• Privacy

Page 13: The Smartphone as Mobile Authorization Proxy

Existing Single Sign-On Solutions

OpenID

• De-centralized authentication system

• OpenID identity provided by OpenID provider

• “Relying party” accepts identity as login

• Prone to phishing attacks as redirect is required

• Used by e.g. Yahoo, Microsoft, Facebook, Google

Shibboleth

•  Identity provider, service provider and discovery service

• Used mainly in university and educational context

Page 14: The Smartphone as Mobile Authorization Proxy

Single Sign-On

Goals for Single Sign-On with mobile devices

•  Improved usability & utility: faster authentication process, less error-prone, …

• Improved security (credentials cannot be observed by bystanders, as they can when typed on an on-screen keyboard)

• Separation of private and public devices/data (no Bluetooth link for password input)

• No own login/password management

• No typing on a public display! (no keyboard substitution!)

• Better than direct login on public terminals (which might be hacked, as the hardware is public)

Page 15: The Smartphone as Mobile Authorization Proxy

Overview

Motivation

System architecture

Current implementation

Problems and Outlook

Page 16: The Smartphone as Mobile Authorization Proxy

Concept

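[Diagram: Without single sign-on, the user authenticates separately at Service 1, Service 2, …, Service n, using Username 1 / Password 1, Username 2 / Password 2, …, Username n / Password n. With single sign-on, the user authenticates with one username and password at the SSO server, which covers Service 1, Service 2, …, Service n.]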

Page 17: The Smartphone as Mobile Authorization Proxy

How does single sign-on work?

[Diagram: message flow between Client, Service and SSO Server]

1. Access Service

2. Redirect to SSO

3. Authenticate

4. Grant Access for User at Service

5. User Information

6. Get Information From Service

Page 18: The Smartphone as Mobile Authorization Proxy

Introducing QR codes

Why make use of QR codes?

• Fast and easy transfer of ASCII/binary data to a smartphone

• Move forms to a trusted device (my smartphone)

Why smartphones?

•  Independent connection to the internet

• Storage of personal information

• Usage for other auxiliary services (to read from and write to)

Page 19: The Smartphone as Mobile Authorization Proxy

Integrating the smartphone

[Diagram: message flow between Client, Service and SSO Server]

1. Access Service

2. Register Token

3. Print QR Code

4. Send Data from QR Code

5. Grant Access for User at Service

6. User Information

7. Get Information From Service

Page 20: The Smartphone as Mobile Authorization Proxy

Overview

Motivation

System architecture

Current implementation

Problems and Outlook

Page 21: The Smartphone as Mobile Authorization Proxy

Current Implementation

Platform

• Tomcat server for RPC

• LDAP for user management

• SQL DB for service and session management

Mobile Client

• Android Smartphone

• UMTS/WiFi Connection

• SSL secured communication

Page 22: The Smartphone as Mobile Authorization Proxy

Android Application: Registration

Registration / Login

• Your account (username, password)

• Your hardware: mobile unique ID (MUID), which can be e.g. the IMEI (direct device identification) or be calculated from hardware parameters so that it has no direct relation to a device

• MUID is used to identify the device to transfer the session to, or for history information (who authenticated a SID)

What will be stored?

• Login name

•  (hashed) MUID

•  (hashed) password is just transferred once and discarded afterwards

Page 23: The Smartphone as Mobile Authorization Proxy

Android Application: Profile / Management

Features

• Visualize running sessions

• Maintain your profile and personal information

• Recognize hijacking of account

• Logout session(s)

• Transparency to the user

Ideas

• Transfer sessions between devices (from desktop to mobile)

• Not only authenticating on public terminals, but improve mobility

Page 24: The Smartphone as Mobile Authorization Proxy

Example Use Case: Room Reservation and Access

• Tablet PC as door sign for meeting rooms

• See when room is occupied or available

• Book a room through the public display

–  Needs authentication (who reserves the room?)

–  Single sign-on with a QR code does not require typing credentials on the public display

•  Allows even room access (digital lock)

Page 25: The Smartphone as Mobile Authorization Proxy

Android Application: Authentication

Go to a (public or private) terminal

• Request service, e.g. open the login page of the service

• Wait for SSO authentication (e.g. QR code)

Terminal sends

• Session ID (SID) to SSO server

• Creates QR Code with that information and displays it on the terminal’s screen

Mobile Device

• Scans QR code, gets: SID, service, SSO Server

• Authenticates SID at SSO Server

• SSO Server authenticates session both on mobile and public terminal

Page 26: The Smartphone as Mobile Authorization Proxy

Overview

Motivation

System architecture

Current implementation

Problems and Outlook

Page 27: The Smartphone as Mobile Authorization Proxy

Analysis

Improvements compared to traditional Single Sign-On

• No password input (direct or indirect) on a potentially insecure terminal

• Faster, less error-prone, more convenient identification

• Lost mobile – de-authenticate all sessions, deactivate MUID (SSO admin interface required)

• SSO server is hard-coded (typed in as a preference on the mobile, substituting the server given in the QR code)

• No phishing login sites (as mobile always uses preferred SSO server)

• Additional hardware binding (one piece more of information)

• Additional channel for authentication (terminal–SSO server; mobile–SSO server)
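The QR login flow from the "Android Application: Authentication" slide, together with the pinned SSO server and lost-mobile points listed above, as an added Python example that is not the authors' Tomcat/Android implementation. Assumptions: the JSON QR payload, SHA-256 as the MUID hash, the host names and every class and function name are hypothetical, and in-memory dictionaries stand in for LDAP, the SQL database and the SSL transport.

```python
import hashlib, json, secrets

PINNED_SSO = "sso.example.org"  # assumed host, typed in once as a phone preference

def hashed_muid(hw_params):
    # MUID calculated from hardware parameters; hashing avoids naming the device
    return hashlib.sha256("|".join(hw_params).encode()).hexdigest()

class SSOServer:
    def __init__(self):
        self.devices, self.sessions, self.requests = {}, {}, 0  # MUID->login, SID->state

    def register_token(self, service):
        # Terminal side: register a fresh, unguessable SID for the pending login
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"service": service, "user": None, "muid": None}
        return sid

    def authenticate_sid(self, sid, muid):
        # Phone side: bind a pending SID to the owner of this registered device
        self.requests += 1
        session, login = self.sessions.get(sid), self.devices.get(muid)
        if session is None or login is None or session["user"] is not None:
            return False  # unknown SID, unknown device, or SID already used
        session.update(user=login, muid=muid)
        return True

    def revoke_device(self, muid):
        # Lost mobile: deactivate the MUID and de-authenticate all its sessions
        self.devices.pop(muid, None)
        self.sessions = {s: v for s, v in self.sessions.items() if v["muid"] != muid}

def phone_scan(qr_text, muid, network):
    # The SSO server named in the QR code is ignored; only the pinned one is used
    data = json.loads(qr_text)
    return network[PINNED_SSO].authenticate_sid(data["sid"], muid)

def demo():
    real, rogue = SSOServer(), SSOServer()
    network = {PINNED_SSO: real, "sso.rogue.example": rogue}
    muid = hashed_muid(["constructed-serial-0001", "constructed-model"])
    real.devices[muid] = "alice"  # registration, done once with username/password
    sid = real.register_token("room-booking")
    qr = json.dumps({"sid": sid, "service": "room-booking", "sso": PINNED_SSO})
    ok, user = phone_scan(qr, muid, network), real.sessions[sid]["user"]
    fake = json.dumps({"sid": rogue.register_token("mail"), "sso": "sso.rogue.example"})
    phished = phone_scan(fake, muid, network)  # QR shown by a look-alike login page
    real.revoke_device(muid)
    return ok, user, phished, rogue.requests, sid in real.sessions
```

`demo()` returns the login result, the bound user, the result for the look-alike QR code, the number of requests the rogue server received, and whether the session survives revocation of the MUID.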

Page 28: The Smartphone as Mobile Authorization Proxy

Analysis

Equal (or at least not worse)

• Only identification (ID verification), no access control yet (authorization)!

• “Fake” MUID (assuming the algorithm is known), that is, sending a “copied” hashed MUID: comparable to a lost physical key, as the mobile has no Trusted Platform Module (TPM)

• Both: at least accounting of active SIDs, monitoring “key usage”

Page 29: The Smartphone as Mobile Authorization Proxy

Outlook and Future Work

Usability

• PAM module for QR code authentication

• Operating system login using QR codes

• Transfer sessions between terminals

Security

• Fully encrypted connections (tokens already present)

User study

• Acceptance / Usability concept

• Novel applications (public displays)

• etc.

Page 30: The Smartphone as Mobile Authorization Proxy

Thank you for your attention! Questions?

www.vmi.ei.tum.de/

Page 31: The Smartphone as Mobile Authorization Proxy

Paper Reference

•  Please find the associated paper at: https://vmi.lmt.ei.tum.de/publications/2013/MCPT2013-IndoorNav_preprint.pdf

•  Please cite this work as follows: L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes: Decision-Point Panorama-Based Indoor Navigation. In: 14th International Conference on Computer Aided Systems Theory (EUROCAST 2013), pp. 306-307, Las Palmas de Gran Canaria, Spain, February 2013

Page 32: The Smartphone as Mobile Authorization Proxy

If you use BibTeX, please use the following entry to cite this work:

@INPROCEEDINGS{MCPT13MobAuth,
  author = {Luis Roalter and Matthias Kranz and Stefan Diewald and Andreas M{\"o}ller},
  title = {{The Smartphone as Mobile Authorization Proxy}},
  booktitle = {14th International Conference on Computer Aided Systems Theory (EUROCAST 2013)},
  editor = {Alexis Quesada-Arencibia and Jos\'{e} Carlos Rodriguez and Roberto Moreno-Diaz jr. and Roberto Moreno-Diaz},
  year = {2013},
  month = feb,
  pages = {306--307},
  ISBN = {978-84-695-6971-9},
  location = {Las Palmas de Gran Canaria, Spain},
}
