Article title

Security analysis for authentication and authorisation in mobile phone

Title variants
PL
Analiza bezpieczeństwa metod uwierzytelniania i autoryzacji z wykorzystaniem telefonu komórkowego
Publication languages
EN
Abstracts
EN
In this paper we discuss some authentication and authorisation systems in which a mobile phone is a main or important component for improving security. Some of the presented solutions are available for SCADA software. Based on our analysis, we list and compare safety measures and threats in mobile phone technologies. We also briefly analyse the security models of the most popular solutions. The results of our analysis indicate that an application generating one-time passwords is both secure and convenient for users.
PL
The article presents a security analysis of using a mobile phone as an important element of the user authentication process in ICT systems (e.g. SCADA systems). The security analysis covers both the authentication methods themselves and the use of mobile phones and the cellular network in the authentication process. In the summary of the security analysis, we point to an application for generating one-time passwords as a solution that is both user-friendly and secure.
Year
Pages
132--138
Physical description
Bibliography: 34 items, figures.
Authors
  • NASK - Research and Academic Computer Network, R&D Division, Information Security Methods Team, ul. Kolska 12, 01-045 Warsaw
author
  • NASK - Research and Academic Computer Network, R&D Division, Information Security Methods Team, ul. Kolska 12, 01-045 Warsaw
  • NASK - Research and Academic Computer Network, R&D Division, Information Security Methods Team, ul. Kolska 12, 01-045 Warsaw
Notes
Record prepared under agreement 509/P-DUN/2018 with funds from the Ministry of Science and Higher Education (MNiSW) allocated to science dissemination activities (2019).
Document type
Bibliography
YADDA identifier
bwmeta1.element.baztech-b5ed1669-2059-4743-a29e-ae16e272d1e5