
Generic Security Architecture And Internet User Authentication

Posted on: 2013-01-04
Degree: Doctor
Type: Dissertation
Country: China
Candidate: C H Chen
Full Text: PDF
GTID: 1118330374976456
Subject: Information security

Abstract/Summary:
In practice, there are a number of existing security infrastructures, in some cases with almost ubiquitous coverage, such as infrastructures supported by mobile telephony technologies (including those for GSM and UMTS), Trusted Computing (TC) technologies and EMV payment technologies. These infrastructures all provide end users with some form of hardware-based security module, e.g. SIM/USIM cards, TPM chips and EMV payment cards. Such modules are pre-installed with strong credentials (e.g. secret keys or public key pairs and certificates) and equipped with a set of cryptographic capabilities. When deploying a new network security system it is therefore tempting to try to exploit one of these existing security infrastructures to avoid the need for the potentially costly roll-out of a new infrastructure.

This thesis looks at the use of existing security infrastructures to enable the provision of general-purpose security services for Internet applications, and at constructing Internet user authentication using the enabled security services. It is divided into three parts. The first part introduces the Generic Authentication Architecture (GAA) standardised by 3GPP, which enables the GSM and UMTS authentication infrastructures to provide authentication services to mobile and Internet applications.

Motivated by GAA, the second part proposes the Generic Security Architecture (GSA), which can exploit almost any existing security infrastructure to establish session keys between GSA-enabled user platforms and GSA-aware application servers. The main contributions follow, where two practical instantiations of GSA supported by TC technologies (i.e. technology that conforms to the Trusted Computing Group (TCG) specifications) and EMV payment systems are proposed (referred to as TC-GSA and EMV-GSA, respectively). We also consider GAA as an instantiation of GSA (referred to as GSM- and UMTS-GSA). Given a proper implementation and deployment of these GSA instantiations, we envision that GSA will enable ubiquitous security services for Internet applications, including authentication, confidentiality and integrity services.

Internet user authentication is one of the most important security systems. Static passwords remain the dominant means of user authentication for a wide range of Internet services, even in the face of significant problems related to password theft. It has been a huge challenge to protect long-term passwords in the current Internet environment. In the third part we first consider two principles for using ubiquitous GSA security services to support Internet user authentication, from the perspectives of both enhancing and replacing static passwords. For enhancing static passwords, we propose a basic security-enhanced password system which protects passwords from being revealed to malicious remote parties (i.e. attackers targeting insecure communication links or representing malicious remote servers). We further enhance the basic system into a one-time password (OTP) system and an SSL/TLS session-aware user authentication system, in order to address phishing and man-in-the-middle attacks, respectively.

On the other hand, we consider constructing cost-effective alternatives to static passwords, as supported by UMTS-GSA. We propose UbiPass, which uses a GSA- and UMTS-enabled mobile phone (e.g. a 3G mobile phone) as a trusted OTP generator to generate account-specific OTPs, and relays only the OTPs through a typical client PC to the remote server for authentication. Most notably, by avoiding the use of long-term passwords, it can be used with untrusted PCs (e.g. PCs that have been compromised by keyloggers or other malware). We have also developed a web-based prototype of UbiPass to evaluate its performance and verify its practicality.

Finally, this thesis concludes with some open research directions.
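The abstract describes two ideas without showing their mechanics: an OTP generated on a trusted device that holds the long-term key (so an untrusted PC only ever relays codes), and an SSL/TLS session-aware variant that binds each code to the session the user is actually on, so a man-in-the-middle relaying the code over its own session fails. The sketch below is an added illustration, not the thesis's UbiPass or GSA protocol; the per-account key derivation, the counter-plus-session-id message format and the `TrustedDevice`/`Server` classes are all assumptions, and the keys and session identifiers are constructed at random.

```python
"""Added sketch of a device-held, account-specific, TLS-session-bound OTP.

Assumptions (not from the thesis): the device derives one key per
(server, account) from a long-term key that never leaves it; the server
holds that per-account key from enrolment; each OTP is an HMAC over a
monotonic counter and a TLS session identifier, truncated as in RFC 4226.
"""
import hashlib
import hmac
import os
import struct

DIGITS = 8


def _truncate(mac: bytes) -> str:
    """RFC 4226 dynamic truncation of a 32-byte HMAC-SHA256 to DIGITS digits."""
    off = mac[-1] & 0x0F
    code = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**DIGITS:0{DIGITS}d}"


def _otp(account_key: bytes, counter: int, tls_session_id: bytes) -> str:
    msg = struct.pack(">Q", counter) + tls_session_id
    return _truncate(hmac.new(account_key, msg, hashlib.sha256).digest())


class TrustedDevice:
    """Stands in for the phone-side generator; the untrusted PC sees only OTPs."""

    def __init__(self, long_term_key: bytes) -> None:
        self._k = long_term_key  # never exported

    def account_key(self, server_id: str, account: str) -> bytes:
        # Assumed derivation: a code for one site is useless at another.
        label = f"{server_id}|{account}".encode()
        return hmac.new(self._k, label, hashlib.sha256).digest()

    def otp(self, server_id: str, account: str, counter: int, tls_session_id: bytes) -> str:
        return _otp(self.account_key(server_id, account), counter, tls_session_id)


class Server:
    """Verifier: rejects replays (stale counter) and codes bound to another session."""

    def __init__(self, server_id: str) -> None:
        self.server_id = server_id
        self._accounts: dict[str, tuple[bytes, int]] = {}  # account -> (key, last counter)

    def enrol(self, account: str, account_key: bytes) -> None:
        self._accounts[account] = (account_key, 0)

    def verify(self, account: str, counter: int, otp: str, tls_session_id: bytes) -> bool:
        if account not in self._accounts:
            return False
        key, last = self._accounts[account]
        if counter <= last:
            return False  # replay or out-of-order code
        expected = _otp(key, counter, tls_session_id)
        if not hmac.compare_digest(expected, otp):
            return False
        self._accounts[account] = (key, counter)  # advance only on success
        return True


def scenarios() -> dict[str, bool]:
    """Run the legitimate flow and three failure cases; returns outcome per case."""
    device = TrustedDevice(os.urandom(32))  # constructed long-term key
    bank = Server("bank.example")
    bank.enrol("alice", device.account_key("bank.example", "alice"))
    genuine = os.urandom(32)  # id of the TLS session the server really sees
    out = {}

    code = device.otp("bank.example", "alice", 1, genuine)
    out["genuine"] = bank.verify("alice", 1, code, genuine)
    out["replay"] = bank.verify("alice", 1, code, genuine)  # same code again

    # MITM: the user's browser talks TLS to a proxy (its own session id); the
    # proxy relays the code over a different session to the real server.
    proxy_session = os.urandom(32)
    relayed = device.otp("bank.example", "alice", 2, proxy_session)
    out["mitm_relay"] = bank.verify("alice", 2, relayed, genuine)

    # A code generated for another site is not accepted here.
    other = device.otp("shop.example", "alice", 3, genuine)
    out["cross_site"] = bank.verify("alice", 3, other, genuine)

    code = device.otp("bank.example", "alice", 4, genuine)
    out["genuine_after"] = bank.verify("alice", 4, code, genuine)
    return out


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:14s} accepted={ok}")
```

Two design points a deployment would have to settle: the device must learn the session identifier from the PC, and an untrusted PC could hand it the proxy's value, which is exactly the case the binding is meant to catch (the server, not the PC, decides which session it is verifying against); and a raw session id is only a stand-in here, since real session-aware schemes bind to channel-binding material such as the TLS Finished message or an exporter value rather than an identifier that may be resumed or absent.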
Keywords/Search Tags: Generic Security Architecture, Generic Authentication Architecture, security service, user authentication, GSM, UMTS, Trusted Computing, EMV, one-time password