
Torwards Flexible Multi-factor Combination for Authentication Based on Smart-Devices

  • Conference paper
  • Web Information Systems and Technologies (WEBIST 2018)
  • Part of the book series: Lecture Notes in Business Information Processing (LNBIP, volume 372)


Abstract

The number of transactions performed electronically between coupled smart-devices is increasing rapidly. These devices are not only sensor nodes that collect non-private data, but also devices that process sensitive information with higher requirements on security and privacy. Unique and qualified identification and highly secure authentication are essential foundations for meeting these security and privacy requirements. While security and privacy are widely described and examined for applications used on personal computers, the situation is more demanding for smart-devices. Due to the steadily increasing number and the continuous enhancement of smart-devices, there will be no stable technology over the years. Consequently, new agile and secure methods become necessary to bring identification and highly secure authentication to smart platforms in a proper way. We propose a model for agile smart-device based multi-factor authentication combination to close this open gap and to provide secure authentication on mobile devices only. Using our proposed model, a user can combine multiple authenticators by means of a cryptographic protocol on the client side only, in order to increase the assurance in authentication. One significant advantage of our model is that it is transparent to the existing eID validation infrastructure and can be used without modifications on the verification side. We prove the practical applicability of our model by implementing all components in combination with Austrian eGovernment infrastructure components. A first evaluation was done by a small group of users in conjunction with real eGovernment components on the testing stage.



Author information

Corresponding author: Thomas Lenz.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Cite this paper

Lenz, T., Krnjic, V. (2019). Torwards Flexible Multi-factor Combination for Authentication Based on Smart-Devices. In: Escalona, M., Domínguez Mayo, F., Majchrzak, T., Monfort, V. (eds) Web Information Systems and Technologies. WEBIST 2018. Lecture Notes in Business Information Processing, vol 372. Springer, Cham. https://doi.org/10.1007/978-3-030-35330-8_11

  • DOI: https://doi.org/10.1007/978-3-030-35330-8_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35329-2

  • Online ISBN: 978-3-030-35330-8

  • eBook Packages: Computer Science (R0)