
My name is Mohammed Abbas. Today we will talk about SmartAuth, multi-factor authentication using smart cards and Android on web. First we'll discuss authentication and then we'll present our proposed solution. This talk was a part of my master's research at the National University of Science and Technology.

Authentication is an important security control to protect the system regarding the CIA properties. To protect the system from an unauthorized entity, the authentication process is the basic and first line of defense. Millions of users from all over the world have been affected because of unauthorized access. So, as we saw, user authentication is important and required to achieve our security goals. Mobile transactions are expected to exceed 100 billion dollars by 2020. We can use NFC for authentication purposes with smart cards, as smart cards can provide strong security to authenticate an entity and achieve our security goals. The objective of this research is an alternative approach to secure user authentication which provides mutual entity verification using a smartphone and a smart card. More than 15% of Internet users have reported experiencing the takeover of an email or social networking account. Making progress toward a password-free world, we will review the shortcomings and strengths of popular authentication factors and select the best approach for SmartAuth.

Knowledge-based authentication has some problems, like remembering. According to a psychology review, an average person tends to remember only 7 random characters. "123456" was still the top password in 2018. According to Google research, in the case of third-party data breaches 12% of the exposed records included a Gmail address serving as a username, and a password; of those passwords, 7% were valid due to reuse. Microsoft saw a 250% increase in phishing in the year 2018. Other known issues with passwords include, but are not limited to, social engineering, malware, keyloggers and shoulder surfing. If your password is no longer safe due to a data breach, Password Checkup gives a recommendation that you should change your password immediately; it's a Chrome extension by Google, and I would recommend installing it.

A cybersecurity system is only as secure as its weakest link, and it has been established that humans are still the weakest cybersecurity link. We can add multi-factor, multiple layers of security to authenticate and authorize a user: if one factor fails, the second factor can still protect the system from an unauthorized entity. Because of limited time, I would like to refer the "something you are" authentication factor to a talk, "Social engineering and emerging multimedia technologies", conducted last year here; on the slides the speaker analyzed this authentication factor in detail. This is an evolving technology; in the talk the speaker discussed tools which are available to generate real-time fakes, some even using AI, and in future it could be possible to impersonate anyone. Two-factor authentication is recommended.

One of the influences behind this research was an alternative approach to SMS authentication. Telecom coverage was poor in my region at the time of my studies, and SMS two-factor authentication won't work in low-coverage areas until you can receive the SMS, for example in high tower buildings or basements. Tracking subscriber location, obtaining call details, tapping and intercepting text messages that contain security codes are the harsh reality we live in. The SS7 vulnerability weakens SMS two-factor authentication; NIST has restricted the use of SMS one-time passwords, and organizations are taking a risk while using SMS OTP. Signaling System 7 is a thirty-year-old out-of-band signaling protocol originally designed for wired networks in closed environments; later SS7 was integrated into wireless networks without encryption. In GSM, the International Mobile Subscriber Identity stored in SIM cards is authenticated from the Home Location Register; after authentication of the IMSI, a specific Mobile Switching Center provides cellular service to the subscriber. To send commands on SS7 the attacker can obtain access with only several thousand dollars; access can be bought from the black market for only seven thousand dollars. SS7 attacks may be performed from anywhere; additionally, the hacker does not need to be a highly skilled professional either. The attacker sends an Update Location SS7 command to the HLR in such a way that SMS are redirected to a fake MSC of the target subscriber; the attacker can now intercept SMS of the target subscriber, which may include OTPs or other personal information.

Google Authenticator works with a shared secret key; it generates a time-based one-time password on the server and on the user side. The user has to enter the OTP within 30 seconds. If there is a database breach and the attacker gains access to the passwords and secrets, then he or she will have access to user accounts. Unlike this, security tokens are portable devices to authenticate users; they add an extra step of typing lots of numbers and an extra device to carry with you, require a battery to operate, and tend to work poorly with mobile phones. People don't want to use authentication that is not seamless.

When I was looking for my master's thesis topic, my supervisor Dr. Abdul Ghafoor Abbasi showed me a smart card and a PayPal mobile card reader that plugs into the smartphone audio jack. He guided me to work on smart cards with smartphones, as smart cards are becoming the new normal identity. Smart cards do not require batteries to operate and are protected in all ways. This is the basic architecture of the smart card Open Platform. The card manager is the core component of Open Platform; it provides interfaces for on-card services and interfaces to the outside world. A Java Card (JC) has a Java Card Virtual Machine to run smart card applications written in Java. The function of security domains is to provide keys and cryptographic services for applications, for example symmetric or asymmetric cryptography. The smart card microcontroller is physically protected by different layers of passive and active security measures, which include sensors embedded in the chip; an attacker has to work through many folds of security measures before he can gain access to the secrets. On the left we have a photo of a human hair in comparison with the semiconductor structure of a smart card microcontroller; on the other side is the chip. The lower picture shows the electrical potentials of RAM cells being measured using an electron beam tester; scrambling of memory cells is the present protection from this attack. A smart card can be used with both contact and contactless readers, having a dual interface. Hybrid smart cards can have both a smart card chip and RFID; this is common in employee ID cards for physical access control systems.

For two-factor authentication, most solutions require trusting a third party. We discussed SMS OTP and observed the vulnerability. Google Authenticator does not provide mutual entity authentication; for example, an attacker may gain access to the shared key from a data breach. Even if we implement two-factor authentication, it does not mean that we have secure authentication; we have secure authentication if we design it securely. In this video, a two-factor authentication implementation had a design flaw where the client can send a random phone number during the second-factor flow, and the server sent the attacker the SMS one-time password of the account holder.
So this was the vulnerability just shown. We propose SmartAuth, multi-factor authentication using a smart card and Android over NFC with public key infrastructure. The architecture of SmartAuth is designed to achieve security through obscurity with PKI. It is divided into two parts, server side and user side. The user side includes an Android smartphone and a smart card. Based on public key infrastructure, a certificate authority verifies entities; we use OpenSSL to generate self-signed certificates for the proof of concept. The authentication server authenticates authorized entities against a database of authorized users. In the center we have the smartphone running an Android application, acting as a medium to communicate between the web and the smart card for mutual authentication purposes. The smart card module is responsible for communication between the smart card and Android over NFC. For a successful authentication of a user, the user is required to authenticate first with a password on web, and secondly with an authorized smart card on web via the smartphone. Communication with the smart card is done by APDU commands; IsoDep is required, as Android supports different NFC technologies. Actually we had one problem while using the smart card: I had a hybrid smart card which was also RFID, so as per the Android dispatch for NFC technology, because it had NfcA there, it was going to NfcA and was not selecting it as a smart card. It took a lot of time to figure out that actually we need to select IsoDep for communicating over NFC with the smart card. The smart card has JavaCard PKI, an open source project, and we integrated the SmartAuth web server with the JavaCard PKI project.

We follow the FIPS 196 protocol, entity authentication using public key cryptography. The FIPS 196 protocol was introduced and published by NIST. We have two entities that we want to authenticate mutually on web: one entity, initiator A, is the server side, and the second entity is the user side, responder B, which includes the Android smartphone and the smart card. For second-factor authentication with the smart card, the server sends an authentication request to the smartphone via a push notification with a token ID. Android responds with the token ID and a random number RB, which is actually a random number generated by the smart card. Next the server generates a pseudo-random number RA and digitally signs RA concatenated with RB, the random number sent from the smart card, and sends it back to the smartphone. At this step, when the smartphone receives the server's signature, TokenAB, it verifies that it is valid, and after successful validation the server entity is verified. Then the smart card digitally signs the random number RB concatenated with RA and sends it back to the server. After successful validation of TokenBA, both entities are now mutually authenticated.

Let's see the SmartAuth demo. After username and password, the user selects the device; they receive a push notification on the smartphone, and using the smart card, after tapping it on the application, the signed token is sent back to the server from the smartphone, and the user is authenticated successfully.

The summary of the AVISPA analysis of SmartAuth is SAFE, as we are using public key cryptography and follow FIPS 196. AVISPA stands for Automated Validation of Internet Security Protocols and Applications; AVISPA is a tool for the analysis of Internet security protocols and applications. The protocols are written in the High-Level Protocol Specification Language and automatically analyzed with AVISPA according to the specification of the security protocol. SmartAuth provides mutual entity authentication, protection against replay attacks (as the validity of an authentication request token is only 120 seconds), and prevents phishing and man-in-the-middle attacks. During my research, FIPS 196 was announced obsolete and was also withdrawn because it has not been updated since February 18, 1997. We continued with FIPS 196 as it still provides the required security for SmartAuth; as of now, an alternative to FIPS 196 is not announced yet.

Elliptic curve cryptography is a next-generation approach to cryptography that uses mathematical formulas; it provides better performance and greater security with a small key size as compared to RSA keys. We are specifically interested in secp256k1, the Bitcoin elliptic curve, to implement with SmartAuth; with that we will have more security with SmartAuth and a simple yet secure wallet, a cross-platform smart card wallet with two-factor authentication. Awareness about threats and protection is the best defense; this is an email from my bank educating users about cyber threats and how they can protect themselves from different threats. These are some references, and thank you very much.
How does it protect against man-in-the-middle attacks?

Yes, it's a very good question, how SmartAuth can protect against man in the middle. As you see, we have a random number; if I can go back to this one, for example: this is mutual entity authentication, so we have RA and RB. Then the server signs RA and it also sends RA within, so there is a cryptographically secure random number. It is sent from the server to the phone, and the phone has its own RB which was sent in the previous step. Now, from its own and both random numbers, the smart card validates that it is original, and the certificates are validated by the CA in the architecture that we visited, this one; so the certificates are validated from this one and the signature is validated with RA and RB, so this mechanism actually prevents it. Similarly, the next step is to reverse the random numbers: first it was RA because it was sent from the server; the next step is RB, it is sent from the responder B, so both entities can verify each other.

Actually, this is also a good question, because the approach we want is to provide a solution for organizations: they are the certificate authority. In this architecture we are not dependent on any third-party certificate authority; organizations have their own CA, and it provides unified authentication for an organization. For example, we have key cards; employees always use key cards, but there's an opportunity to use smart cards on web. We can use readers on physical access control systems, but there is this gap, so this solution is actually targeted at organizations: they can use employee ID cards within the organization, and this architecture is totally independent of third parties. If they want physical access they can use the card as a key card, and if they want to access the organization's website they can use this solution; and also, if the access is revoked, with only one click they lose access to the buildings, physical access, as well as web. So it is a unified authentication for an organization, so this is the certificate authority: the organization can have their own.

But still it is a one-time solution; for example, with OpenSSL we can use... we can have a central database that we can manage easily, a central database for all employees, or maybe a shorter validity of certificates, so then they can be...
Actually, I do have it with me if anyone is interested. No, actually I did not implement that. Regarding your question, we haven't implemented it anywhere, but we are trying to do this one, and I have already started. I have a white paper and a website, and interestingly there is a smart card coin from Litecoin. So, based on this research, I want to make a smart card wallet for Bitcoin with a smartphone; this will be like a product we are looking into. Thank you. The pros would be simple: with this smart card wallet we can sign transactions on any cryptocurrency, with cross-platform support. If we have a mobile phone we can sign, like putting your wallet in your wallet, literally. With a mobile phone with NFC you can sign your transaction; for example at a POS we can buy products from the smart card wallet, and similarly at an ATM. People are already familiar with credit card and ATM technology, so it would be key to mass adoption of cryptocurrency. Right now we'll be working on this with Java Card; maybe later we might have a specific one, but right now we'll be working on one project, I think OpenHSM; they have an open source project. We will actually be integrating different technologies to make it more seamless. Okay.
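The following Go program is an added illustration, not part of the talk and not the SmartAuth code, of the FIPS 196 style exchange the talk describes and of the man-in-the-middle question from the Q&A. It runs the three messages in-process: the card sends RB, the server answers with TokenAB = RA || RB || B || sigA(RA || RB || B), and the card answers with TokenBA = RB || RA || A || sigB(RB || RA || A), each side checking its own challenge, the recipient identity, the 120-second validity window and the signature. Assumptions: P-256 replaces secp256k1 because Go's standard library has no secp256k1; the entity names "server" and "card", the Token and Entity types and the 32-byte nonces are this example's choices; the push notification, the token ID, the NFC/APDU transport and certificate validation by the organization's CA are left out, with the PeerPub field standing in for the key read from the peer's already-validated certificate.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

const tokenTTL = 120 * time.Second // validity of an authentication request, as in the talk

// Entity is one party: the server (initiator A) or the smart card (responder B). PeerPub is
// the other party's public key as read from its CA-issued certificate (validation not shown).
type Entity struct {
	ID      string
	Priv    *ecdsa.PrivateKey
	PeerPub *ecdsa.PublicKey
}

// NewEntity makes a P-256 key pair (assumption: P-256 stands in for secp256k1, absent from Go's stdlib).
func NewEntity(id string) *Entity {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Entity{ID: id, Priv: k}
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not something this demo can recover from
	}
	return b
}

// Token is a FIPS 196 token: the issuer signs R1 || R2 || Peer, where R1 is its own fresh
// nonce, R2 the challenge it received from the verifier and Peer the verifier's identity.
type Token struct {
	R1, R2 []byte
	Peer   string
	Sig    []byte
	Issued time.Time
}

// Nonces are fixed length (32 bytes), so plain concatenation is unambiguous here.
func tokenDigest(r1, r2 []byte, peer string) []byte {
	sum := sha256.Sum256(bytes.Join([][]byte{r1, r2, []byte(peer)}, nil))
	return sum[:]
}

func (e *Entity) IssueToken(r1, r2 []byte, peer string) *Token {
	sig, err := ecdsa.SignASN1(rand.Reader, e.Priv, tokenDigest(r1, r2, peer))
	if err != nil {
		panic(err)
	}
	return &Token{R1: r1, R2: r2, Peer: peer, Sig: sig, Issued: time.Now()}
}

// CheckToken accepts a token only if it echoes our own challenge (no replay or nonce
// substitution), names us (no reflection), is within tokenTTL and verifies under PeerPub.
func (e *Entity) CheckToken(t *Token, myChallenge []byte, now time.Time) error {
	switch {
	case !bytes.Equal(t.R2, myChallenge):
		return errors.New("challenge mismatch")
	case t.Peer != e.ID:
		return errors.New("token addressed to another entity")
	case now.Sub(t.Issued) > tokenTTL:
		return errors.New("token expired")
	case !ecdsa.VerifyASN1(e.PeerPub, tokenDigest(t.R1, t.R2, t.Peer), t.Sig):
		return errors.New("bad signature")
	}
	return nil
}

// RunMutualAuth runs the three messages in-process; mitm, when non-nil, alters TokenAB
// in flight the way an active attacker between phone and server would.
func RunMutualAuth(server, card *Entity, mitm func(*Token)) error {
	rb := mustRandom(32) // message 1, card -> server: RB
	ra := mustRandom(32)
	tokenAB := server.IssueToken(ra, rb, card.ID) // message 2, server -> card: RA||RB||B||sigA
	if mitm != nil {
		mitm(tokenAB)
	}
	if err := card.CheckToken(tokenAB, rb, time.Now()); err != nil {
		return fmt.Errorf("card rejects server: %w", err)
	}
	tokenBA := card.IssueToken(rb, tokenAB.R1, server.ID) // message 3, card -> server: RB||RA||A||sigB
	if err := server.CheckToken(tokenBA, ra, time.Now()); err != nil {
		return fmt.Errorf("server rejects card: %w", err)
	}
	return nil
}
```

An honest run returns nil from RunMutualAuth. Because each signature covers the verifier's own fresh challenge and the verifier's identity, an attacker sitting between the phone and the server cannot replay an old token, swap a nonce or forward a token meant for a different entity without the signature check failing, which is the property the Q&A asks about; the `mitm` hook lets you try those modifications yourself.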