The Smartphone as Mobile Authorization Proxy
Transcript of The Smartphone as Mobile Authorization Proxy
Technische Universität München Institute for Media Technology Distributed Multimodal Information Processing Group
The Smartphone as a Mobile Authorization Proxy - Towards Authentication Using Smartphones
Luis Roalter, Matthias Kranz, Stefan Diewald, Andreas Möller, Kåre Synnes
February 14, 2013 MCPT Workshop at Eurocast 2013
Daily routines…
14.2.2013 L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes 2
Scenario
Starting your work
• Log in to the computer
• You must know your username and password
Reading your mails
• Log in to your mail server
• You must know another username and password (probably)
Scientific Research
• Login for your library
• You must know another username and password
Overview
Motivation
System architecture
Current implementation
Problems and Outlook
Past Scenario
Situation
• Various platforms
• Different user name / password combinations
• No unified login mask
Problems
• Many credentials to remember
• No overview
• Multiple accounts to maintain
• Phishing
Recent Scenario
Situation
• Various platforms
• Usage of distributed login methods (LDAP, ADS, NIS, …)
• Mostly no unified login mask
• Only one username to remember
Problems
• One credential opens everything
• Phishing causes loss of complete system
• Public terminals / displays
Future Motivation
Situation
• Various platforms
• Usage of distributed login methods (LDAP, ADS, NIS, …)
• Unified login mask → replace it with a QR code
• No username to remember
• Smartphone is your identity provider
• Phishing is hardly possible
Requirements/Problems
• Need of a smartphone with internet connection
• More involved parties; trust
The standard login…
Novel approach with QR codes…
Ideas
Single Sign-On
• Reduce number of different credentials
• Substitute other authentication methods
• Substitute many individual logins by one
• Works especially for organizations with many services
Motivation
• Easy usage at different services
• Global sign-off
• Privacy
Existing Single Sign-On Solutions
OpenID
• De-centralized authentication system
• OpenID identity provided by OpenID provider
• “Relying party” accepts identity as login
• Prone to phishing attacks as redirect is required
• Used by e.g. Yahoo, Microsoft, Facebook, Google
Shibboleth
• Identity provider, service provider and discovery service
• Used mainly in university and educational context
Single Sign-On
Goals for Single Sign-On with mobile devices
• Improved usability & utility: faster authentication process, less error-prone, …
• Improved security (no shoulder-surfing of credential input when it is typed on an on-screen keyboard)
• Separation of private and public devices/data (no Bluetooth link for password input)
• No own login/password management
• No typing on a public display! (no keyboard substitution!)
• Better than direct login for public terminals (might be hacked as hardware is public)
Overview
Motivation
System architecture
Current implementation
Problems and Outlook
Concept
[Concept diagram] Without SSO: the user authenticates separately at Service 1, Service 2, …, Service n, each with its own credentials (Username 1 / Password 1, Username 2 / Password 2, …, Username n / Password n).
[Concept diagram] With SSO: the user authenticates once with a single username / password at the SSO Server, which then vouches for the user at Service 1, Service 2, …, Service n.
How does single sign-on work?
[Sequence diagram; parties: Client, Service, SSO Server]
1. Client accesses the Service
2. Service redirects the Client to the SSO Server
3. Client authenticates at the SSO Server
4. SSO Server grants access for the user at the Service
5. User information is passed to the Service
6. Client gets information from the Service
Introducing QR codes
Why make use of QR codes?
• Fast and easy transfer of ASCII/binary data to a smartphone
• Move forms to a trusted device (my smartphone)
Why smartphones?
• Independent connection to the internet
• Storage of personal information
• Usage for other auxiliary services (to read from and write to)
Integrating the smartphone
[Sequence diagram; parties: Client, Service, SSO Server, smartphone]
1. Client accesses the Service
2. Service registers a token at the SSO Server
3. Service prints a QR code on the Client
4. Smartphone sends the data from the QR code to the SSO Server
5. SSO Server grants access for the user at the Service
6. User information is passed to the Service
7. Client gets information from the Service
Overview
Motivation
System architecture
Current implementation
Problems and Outlook
Current Implementation
Platform
• TomCat Server for RPC
• LDAP for user management
• SQL DB for service and session management
Mobile Client
• Android Smartphone
• UMTS/WiFi Connection
• SSL secured communication
Android Application: Registration
Registration / Login
• Your account (username, password)
• Your hardware: mobile unique ID (MUID), which can be e.g. the IMEI (direct device identification) or be derived from hardware parameters so that it cannot be linked directly to a device
• MUID is used to identify the device to transfer the session to, or for history information (who authenticated a SID)
What will be stored?
• Login name
• (hashed) MUID
• (hashed) password is just transferred once and discarded afterwards
Android Application: Profile / Management
Features
• Visualize running sessions
• Maintain your profile and personal information
• Recognize hijacking of account
• Logout session(s)
• Transparency to the user
Ideas
• Transfer sessions between devices (from desktop to mobile)
• Not only authenticating on public terminals, but improve mobility
Example Use Case: Room Reservation and Access
• Tablet PC as door sign for meeting rooms
• See when a room is occupied or available
• Book a room through the public display
– Needs authentication (who reserves the room?)
– Single Sign-On with a QR code does not require typing credentials on the public display
• Even allows room access (digital lock)
Android Application: Authentication
Go to a (public or private) terminal
• Request service, e.g. open the login page of the service
• Wait for SSO authentication (e.g. QR code)
Terminal sends
• Session ID (SID) to SSO server
• Creates QR Code with that information and displays it on the terminal’s screen
Mobile Device
• Scans QR code, gets: SID, service, SSO Server
• Authenticates SID at SSO Server
• SSO Server authenticates session both on mobile and public terminal
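The registration and authentication steps above, as an added in-memory model (example code, not the authors' implementation): the terminal registers a SID and shows it in a QR code, the smartphone authenticates the SID with its hashed MUID at its own configured SSO server, and the SSO server then tells the terminal who logged in. Class and function names, the SID lifetime and the sample values are assumptions.

```python
# Added example (not the authors' code): in-memory model of the slides' QR-code
# SSO flow. Class and function names are assumptions.
import hashlib, json, secrets, time
SID_LIFETIME_S = 120  # assumption: an unscanned SID expires after two minutes

def h(value):  # hashed MUID; a deployment would use a salted, slow hash
    return hashlib.sha256(value.encode()).hexdigest()

class SsoServer:
    def __init__(self):
        self.users = {}     # login -> hashed MUID (the password is never stored)
        self.sessions = {}  # SID -> {"service", "created", "user"}

    def register_device(self, login, password, muid, verify_password):
        # Registration: password is checked once (e.g. against LDAP), then discarded.
        if not verify_password(login, password):
            raise PermissionError("bad credentials")
        self.users[login] = h(muid)

    def register_token(self, service):  # step 2: terminal registers a SID
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"service": service, "created": time.time(), "user": None}
        return sid

    def authenticate_sid(self, sid, login, hashed_muid):  # step 4
        s = self.sessions.get(sid)
        if s is None or s["user"] is not None:
            return False  # unknown SID, or SID already authenticated once
        if time.time() - s["created"] > SID_LIFETIME_S:
            del self.sessions[sid]
            return False  # expired before anyone scanned it
        if self.users.get(login) != hashed_muid:
            return False  # MUID is not the one bound to this login
        s["user"] = login
        return True

    def session_user(self, sid):  # steps 5-6: terminal learns who logged in
        s = self.sessions.get(sid)
        return s["user"] if s else None

def terminal_qr_payload(sso, service, sso_url):  # step 3: QR-code contents
    return json.dumps({"sid": sso.register_token(service),
                       "service": service, "sso": sso_url})

def mobile_scan(qr_text, login, muid, preferred_sso_url, servers):
    # Mobile uses its configured SSO server and ignores the URL in the QR code,
    # so a code that points at a phishing server never receives the MUID.
    data = json.loads(qr_text)
    sso = servers[preferred_sso_url]  # deliberately not servers[data["sso"]]
    return sso.authenticate_sid(data["sid"], login, h(muid))
```

The SID is single-use and expires if nobody scans it, which is what keeps a QR code left on a public display from being replayed later.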
Overview
Motivation
System architecture
Current implementation
Problems and Outlook
Analysis
Improvements compared to traditional Single Sign-On
• No password input (direct or indirect) on a potentially insecure terminal
• Faster, less error-prone, more convenient identification
• Lost mobile – de-authenticate all sessions, deactivate MUID (SSO admin interface required)
• SSO server hard coded (typed in as preference on the mobile, substituting server in QR Code)
• No phishing login sites (as mobile always uses preferred SSO server)
• Additional hardware binding (one piece more of information)
• Additional channel for authentication (terminal to SSO server; mobile to SSO server)
Analysis
Equal (or at least not worse)
• Only identification (ID verification), no access control yet (authorization)!
• “Fake” MUID (assuming algorithm is known), that is: send “copied” hashed MUID: as with lost physical key, as mobile has no trusted computing platform (TPM) module
• Both: at least accounting of active SIDs, monitoring “key usage”
Outlook and Future Work
Usability
• PAM module for QR code authentication
• Operating system login using QR codes
• Transfer sessions between terminals
Security
• Fully encrypted connections (tokens already present)
User study
• Acceptance / Usability concept
• Novel applications (public displays)
• etc.
Thank you for your attention! Questions?
[email protected] www.vmi.ei.tum.de/
Paper Reference
• Please find the associated paper at: https://vmi.lmt.ei.tum.de/publications/2013/MCPT2013-IndoorNav_preprint.pdf
• Please cite this work as follows:
L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes: Decision-Point Panorama-Based Indoor Navigation. In: 14th International Conference on Computer Aided Systems Theory (EUROCAST 2013), pp. 306-307, Las Palmas de Gran Canaria, Spain, February 2013
If you use BibTex, please use the following entry to cite this work:
@INPROCEEDINGS{MCPT13MobAuth,
  author = {Luis Roalter and Matthias Kranz and Stefan Diewald and Andreas M{\"o}ller},
  title = {{The Smartphone as Mobile Authorization Proxy}},
  booktitle = {14th International Conference on Computer Aided Systems Theory (EUROCAST 2013)},
  editor = {Alexis Quesada-Arencibia and Jos\'{e} Carlos Rodriguez and Roberto Moreno-Diaz jr. and Roberto Moreno-Diaz},
  year = {2013},
  month = feb,
  pages = {306--307},
  ISBN = {978-84-695-6971-9},
  location = {Las Palmas de Gran Canaria, Spain},
}