The Smartphone as Mobile Authorization Proxy

We present a novel approach to using a mobile device for authentication and authorization, in which the user authenticates with the smartphone and thereby authorizes a session on a public terminal without typing credentials there. The concept is based on an extension of a single sign-on solution to mobile devices and public terminals.

Slide 1: Title
Institute for Media Technology, Distributed Multimodal Information Processing Group, Technische Universität München
The Smartphone as a Mobile Authorization Proxy - Towards Authentication Using Smartphones
Luis Roalter, Matthias Kranz, Stefan Diewald, Andreas Möller, Kåre Synnes
February 14, 2013, MCPT Workshop at EUROCAST 2013

Slide 2: Daily routines…
(image slide, no further text)
14.2.2013 L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes

Slide 3: Scenario
Starting your work
  •  Log in to the computer
  •  You must know your username and password
Reading your mails
  •  Log in to your mail server
  •  You must know another username and password (probably)
Scientific research
  •  Log in to your library
  •  You must know another username and password

Slide 4: Overview
  •  Motivation
  •  System architecture
  •  Current implementation
  •  Problems and outlook

Slide 5: Past Scenario
Situation
  •  Various platforms
  •  Different username / password combinations
  •  No unified login mask
Problems
  •  Many credentials to remember
  •  No overview
  •  Multiple accounts to maintain
  •  Phishing

Slide 6: (image slide, no text)

Slide 7: Recent Scenario
Situation
  •  Various platforms
  •  Distributed login methods in use (LDAP, ADS, NIS, …)
  •  Mostly no unified login mask
  •  Only one username to remember
Problems
  •  One credential opens everything
  •  Phishing that one credential compromises the complete system
  •  Public terminals / displays

Slide 8: (image slide, no text)

Slide 9: Future Motivation
Situation
  •  Various platforms
  •  Distributed login methods in use (LDAP, ADS, NIS, …)
  •  Unified login mask -> replaced by a QR code
  •  No username to remember
  •  The smartphone is your identity provider
  •  Phishing is hardly possible
Requirements / Problems
  •  Requires a smartphone with an internet connection
  •  More involved parties; trust

Slide 10: The standard login…
(image slide, no further text)

Slide 11: Novel approach with QR codes…
(image slide, no further text)

Slide 12: Ideas
Single sign-on
  •  Reduce the number of different credentials
  •  Substitute other authentication methods
  •  Substitute many individual logins by one
  •  Works especially well for organizations with many services
Motivation
  •  Easy usage at different services
  •  Global sign-off
  •  Privacy

Slide 13: Existing Single Sign-On Solutions
OpenID
  •  Decentralized authentication system
  •  OpenID identity provided by an OpenID provider
  •  The "relying party" accepts the identity as login
  •  Prone to phishing attacks, as a redirect to the provider's login page is required
  •  Used by e.g. Yahoo, Microsoft, Facebook, Google
Shibboleth
  •  Identity provider, service provider and discovery service
  •  Used mainly in the university and educational context

Slide 14: Single Sign-On
Goals for single sign-on with mobile devices
  •  Improved usability and utility: faster authentication process, less error-prone, …
  •  Improved security (no shoulder-surfing of credentials, since nothing is typed on the terminal's on-screen keyboard)
  •  Separation of private and public devices/data (no Bluetooth link for password input)
  •  No own login/password management
  •  No typing on a public display! (no keyboard substitution!)
  •  Better than direct login on public terminals (the hardware is publicly accessible and may be tampered with)

Slide 15: Overview (section divider; next: System architecture)

Slide 16: Concept
(diagram) Left: without single sign-on, the user holds a separate credential pair for each service (Username 1 / Password 1, Username 2 / Password 2, …, Username n / Password n) and authenticates to Service 1 … Service n directly. Right: with single sign-on, the user authenticates to the SSO server once with a single username and password, and the SSO server authenticates the user towards Service 1 … Service n.

Slide 17: How does single sign-on work?
(diagram; parties: Client, Service, SSO Server)
  1.  Client accesses the Service
  2.  Service redirects the Client to the SSO Server
  3.  Client authenticates at the SSO Server
  4.  SSO Server grants access for the user at the Service
  5.  User information is exchanged between SSO Server and Service
  6.  Client gets information from the Service

Slide 18: Introducing QR codes
Why make use of QR codes?
  •  Fast and easy transfer of ASCII/binary data to a smartphone
  •  Move forms to a trusted device (my smartphone)
Why smartphones?
  •  Independent connection to the internet
  •  Storage of personal information
  •  Usable for other auxiliary services (to read from and write to)

Slide 19: Integrating the smartphone
(diagram; parties: Client/terminal, Service, SSO Server, and the user's mobile)
  1.  Client accesses the Service
  2.  Service registers a token (session ID) at the SSO Server
  3.  Service prints a QR code on the Client
  4.  Mobile sends the data from the QR code to the SSO Server
  5.  SSO Server grants access for the user at the Service
  6.  User information is exchanged between SSO Server and Service
  7.  Client gets information from the Service

Slide 20: Overview (section divider; next: Current implementation)

Slide 21: Current Implementation
Platform
  •  Tomcat server for RPC
  •  LDAP for user management
  •  SQL DB for service and session management
Mobile client
  •  Android smartphone
  •  UMTS/WiFi connection
  •  SSL/TLS-secured communication

Slide 22: Android Application: Registration
Registration / Login
  •  Your account (username, password)
  •  Your hardware: a mobile unique ID (MUID), which can be e.g. the IMEI (direct device identification) or be calculated from hardware parameters so that it has no direct relation to a device
  •  The MUID is used to identify the device a session is transferred to, and for history information (which device authenticated a SID)
What is stored?
  •  Login name
  •  (hashed) MUID
  •  The (hashed) password is transferred only once and discarded afterwards

Slide 23: Android Application: Profile / Management
Features
  •  Visualize running sessions
  •  Maintain your profile and personal information
  •  Recognize hijacking of the account
  •  Log out session(s)
  •  Transparency for the user
Ideas
  •  Transfer sessions between devices (from desktop to mobile)
  •  Not only authenticating on public terminals, but improving mobility

Slide 24: Example Use Case: Room Reservation and Access
  •  Tablet PC as door sign for meeting rooms
  •  See when a room is occupied or available
  •  Book a room through the public display
     –  Needs authentication (who reserves the room?)
     –  Single sign-on with a QR code does not require typing credentials on the public display
  •  Even allows room access (digital lock)

Slide 25: Android Application: Authentication
Go to a (public or private) terminal
  •  Request the service, e.g. open the login page of the service
  •  Wait for SSO authentication (e.g. a QR code)
Terminal
  •  Sends a session ID (SID) to the SSO server
  •  Creates a QR code with that information and displays it on the terminal's screen
Mobile device
  •  Scans the QR code and obtains: SID, service, SSO server
  •  Authenticates the SID at the SSO server
  •  The SSO server then authenticates the session both on the mobile and on the public terminal

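The flow of slides 19 and 25, together with the device registration of slide 22 and the lost-device revocation and server-pinning points of slide 27, as an added worked model in Python. This is not the authors' implementation (theirs runs on Tomcat, LDAP and an SQL database); the class and method names, the JSON object standing in for the QR code payload, the one-minute single-use lifetime of a SID, the server-side salt and the sample user store are all assumptions made for this example.

```python
"""Toy model of the QR-code single sign-on flow from slides 19/22/25/27 (added example,
not the authors' code): names, JSON QR payload, SID lifetime and user store are assumed."""
import hashlib, hmac, json, secrets, time

SID_TTL_SECONDS = 60  # assumed lifetime of an unscanned QR code

def hash_muid(raw_muid, salt):
    """Slide 22: the server stores only a salted hash of the mobile unique ID."""
    return hashlib.sha256((salt + raw_muid).encode()).hexdigest()

class SSOServer:
    def __init__(self, base_url):
        self.base_url = base_url
        self.salt = secrets.token_hex(8)   # assumed server-side salt
        self.devices = {}    # device_token -> (login, hashed MUID)
        self.sessions = {}   # SID -> {"service", "created", "user"}

    def register_device(self, login, password, raw_muid, check_password):
        """Slide 22: the password is verified once (against LDAP in the talk) and
        discarded; a device token bound to login + hashed MUID is all that remains."""
        if not check_password(login, password):
            raise PermissionError("bad credentials")
        token = secrets.token_urlsafe(32)
        self.devices[token] = (login, hash_muid(raw_muid, self.salt))
        return token

    def register_token(self, service):
        """Slide 19 step 2: the terminal obtains a fresh, unguessable SID."""
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"service": service, "created": time.time(), "user": None}
        return sid

    def authenticate_sid(self, sid, device_token, raw_muid):
        """Slide 19 step 4 / slide 25: the mobile authenticates a scanned SID."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is not None:
            return False                      # unknown, or already used (no replay)
        if time.time() - sess["created"] > SID_TTL_SECONDS:
            del self.sessions[sid]            # stale QR code
            return False
        record = self.devices.get(device_token)
        if record is None:
            return False                      # unknown or revoked device
        login, stored_hash = record
        if not hmac.compare_digest(stored_hash, hash_muid(raw_muid, self.salt)):
            return False                      # hardware binding does not match
        sess["user"] = login                  # slide 19 step 5: access granted
        return True

    def poll(self, sid):
        return self.sessions.get(sid, {}).get("user")   # terminal side of step 5

    def revoke_device(self, device_token):
        """Slide 27: lost mobile -> deactivate the device and end all its sessions."""
        login, _ = self.devices.pop(device_token)
        for sid in [s for s, v in self.sessions.items() if v["user"] == login]:
            del self.sessions[sid]
        return login

class Terminal:
    def __init__(self, service, sso):
        self.service, self.sso, self.sid = service, sso, None

    def show_qr(self):
        """Slide 25: the QR code carries SID, service and SSO server URL."""
        self.sid = self.sso.register_token(self.service)
        return json.dumps({"sid": self.sid, "service": self.service, "sso": self.sso.base_url})

    def logged_in_user(self):
        return self.sso.poll(self.sid)

class Mobile:
    def __init__(self, preferred_sso, device_token, raw_muid):
        self.sso, self.token, self.muid = preferred_sso, device_token, raw_muid

    def scan(self, qr_payload):
        data = json.loads(qr_payload)
        if data.get("sso") != self.sso.base_url:
            return False   # slide 27: only the preferred SSO server is ever contacted
        return self.sso.authenticate_sid(data["sid"], self.token, self.muid)

def demo():
    users = {"alice": "correct horse"}          # constructed stand-in for LDAP
    sso = SSOServer("https://sso.example.invalid")
    token = sso.register_device("alice", "correct horse", "IMEI-35-0000",
                                lambda u, p: users.get(u) == p)
    phone = Mobile(sso, token, "IMEI-35-0000")
    library = Terminal("library", sso)
    qr = library.show_qr()
    out = {"granted": phone.scan(qr), "user": library.logged_in_user()}
    out["replay"] = phone.scan(qr)              # the same SID a second time
    out["phish"] = phone.scan(json.dumps({"sid": "x", "service": "library",
                                          "sso": "https://evil.example.invalid"}))
    # Copied device token on another handset: the hashed MUID does not match.
    out["cloned_token"] = Mobile(sso, token, "IMEI-99-9999").scan(Terminal("mail", sso).show_qr())
    out["revoked"] = sso.revoke_device(token)
    out["sessions_left"] = len(sso.sessions)    # only the never-granted "mail" SID
    return out
```

Two checks in the model carry the security argument of the deck: the SID is random, single-use and expires, so a QR code photographed off the display cannot be authenticated later or a second time, and the mobile compares the server named in the QR code with its own configured SSO server before contacting anything, which is the property slide 27 relies on against phishing login sites. What the model cannot prevent, as slide 28 concedes, is an attacker who has copied both the device token and the raw MUID from the handset; only accounting of active SIDs and revocation help there.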
Slide 26: Overview (section divider; next: Problems and outlook)

Slide 27: Analysis
Improvements compared to traditional single sign-on
  •  No password input (direct or indirect) on a potentially insecure terminal
  •  Faster, less error-prone, more convenient identification
  •  Lost mobile: de-authenticate all sessions, deactivate the MUID (SSO admin interface required)
  •  SSO server fixed on the mobile (entered once as a preference; the server named in the QR code is ignored in its favour)
  •  No phishing login sites (the mobile always uses its preferred SSO server)
  •  Additional hardware binding (one more piece of information)
  •  Additional channel for authentication (terminal <-> SSO server; mobile <-> SSO server)

Slide 28: Analysis
Equal (or at least not worse)
  •  Only identification (ID verification) so far, no access control yet (authorization)!
  •  A "fake" MUID is possible if the derivation algorithm is known, i.e. an attacker replays a "copied" hashed MUID: comparable to a lost physical key, since the mobile has no trusted platform module (TPM) to bind the identity to the hardware
  •  In both cases at least accounting of active SIDs and monitoring of "key usage" remain possible

Slide 29: Outlook and Future Work
Usability
  •  PAM module for QR code authentication
  •  Operating system login using QR codes
  •  Transfer sessions between terminals
Security
  •  Fully encrypted connections (tokens already present)
User study
  •  Acceptance / usability concept
  •  Novel applications (public displays)
  •  etc.

Slide 30: Thank you for your attention! Questions?
andreas.moeller@tum.de
roalter@tum.de
www.vmi.ei.tum.de/

Slide 31: Paper Reference
  •  Please find the associated paper at: https://vmi.lmt.ei.tum.de/publications/2013/MCPT2013-IndoorNav_preprint.pdf
  •  Please cite this work as follows:
  •  L. Roalter, M. Kranz, S. Diewald, A. Möller, K. Synnes: The Smartphone as Mobile Authorization Proxy. In: 14th International Conference on Computer Aided Systems Theory (EUROCAST 2013), pp. 306-307, Las Palmas de Gran Canaria, Spain, February 2013

Slide 32: BibTeX
If you use BibTeX, please use the following entry to cite this work:

  @INPROCEEDINGS{MCPT13MobAuth,
    author    = {Luis Roalter and Matthias Kranz and Stefan Diewald and Andreas M{\"o}ller},
    title     = {{The Smartphone as Mobile Authorization Proxy}},
    booktitle = {14th International Conference on Computer Aided Systems Theory (EUROCAST 2013)},
    editor    = {Alexis Quesada-Arencibia and Jos{\'e} Carlos Rodriguez and Roberto Moreno-Diaz jr. and Roberto Moreno-Diaz},
    year      = {2013},
    month     = feb,
    pages     = {306--307},
    ISBN      = {978-84-695-6971-9},
    location  = {Las Palmas de Gran Canaria, Spain},
  }