A Three-Factor Authentication Model For Improved Security
ABSTRACT

Cloud computing has not only emerged as an accepted computing paradigm, but is fast penetrating major sectors of human endeavor. These include banking, human resources management, justice administration, investigation, academia/research, commerce, health administration etc. Based on the concerns of the public and of experts about cloud applications in these sectors, preliminary investigations were carried out, and it was found that security, and in particular authenticating cloud users, is the biggest challenge to cloud computing. Technologies employed by experts to resolve this challenge include one-, two-, or three-factor authentication. Studies showed that the first two technologies are in vogue, but little use has been made of the three-factor model. This work therefore investigates the use of the three-factor authentication model, develops an option of it and develops MATLAB code for it based on pseudocode, adding more options to cloud security and providing a benchmark to assure the effectiveness of the option. The investigation also discovered and collated more knowledge for further research in the subject matter. Results of this research showed, through probability analyses, that the three-factor model will appreciably reduce the chance (probability) of guessing the parameters to access a cloud system (and indeed any network) and greatly increase the randomness (entropy) of such attempts.
Keywords: Cloud, Security, Authentication, Factors, Probability, Entropy

 

 

TABLE OF CONTENTS

Title Page
Approval Page
Certification
Declaration
Dedication
Acknowledgement
Abstract
Table of Content
List of Tables and Figures

Chapter 1: INTRODUCTION
  1.1 Background of Study
  1.2 Benefits of Cloud Computing
  1.3 Types of Cloud
  1.4 Cloud Deployment Forms
  1.5 Cloud Security
  1.6 Problem Statement
  1.7 Motivation
  1.8 Aims and Objectives
  1.9 Scope
  1.10 Methodology
  1.11 Thesis Outline

Chapter 2: LITERATURE REVIEW
  2.1 Severity of Cloud Security
  2.2 Review of Past Works on User Authentication
    2.2.1 Password-Based Authentication
    2.2.2 Transaction Authentication
    2.2.3 Token Authentication
    2.2.4 Out-of-Band (OBB) Authentication
    2.2.5 Smart Card Authentication
    2.2.6 Trusted Third Party Authentication
    2.2.7 Physical Access Control
  2.3 Multi-Factor Authentication (MFA)
    2.3.1 Three-Factor Authentication (3FA)

Chapter 3: METHODOLOGY
  3.1 General Approach
  3.2 User Authentication Probability Equations

Chapter 4: EXPERIMENTS AND RESULTS
  4.1 Test Equations
  4.2 Probability Calculations

Chapter 5: RESULTS ANALYSIS AND DISCUSSION
  5.1 Introduction
  5.2 Result Analysis
  5.3 Discussion
  5.4 Observations
  5.5 Summary

Chapter 6: CONCLUSION AND RECOMMENDATIONS
  6.1 Introduction
  6.2 Conclusion
  6.3 Limitations of the Work
  6.4 Recommendations

Appendix I
Appendix II
Appendix III
Appendix IV

 

CHAPTER ONE

INTRODUCTION
1.1 Background of Study

In network architectures, it is possible to provide a computer network in such a way that a client accesses computing resources over the network, such as application software packages, storage space, access to other networks, extra memory, computing speed or extra processors, including the infrastructure on which they operate. The client may need no more resources on his own computer than the very basic ones, including a web browser with which he accesses the hosting network. He can store his completed work within the same provision. This scenario is called cloud computing. Web-based e-mail programs (Yahoo!, Gmail, Hotmail etc.), present-day web-based file storage (Google Drive), Facebook, Twitter, Quickteller, Amazon, Jumia, Internet banking and so on are examples of cloud computing. Cloud computing refers to the delivery of scalable IT resources over the Internet, as opposed to hosting and operating those resources locally, such as on a college or university network [50].
An organization can purchase these resources as the need arises, through the deployment of IT infrastructure and services over the network. It can then avoid the capital costs of software and hardware. The client side of the architecture, consisting of the client's computer, its network and the application required to access the cloud computing system, is termed the front end. Examples of the application software for access include Microsoft Internet Explorer, Mozilla Firefox, Google Chrome and all web browsers. The other end, the back end, which is also referred to as the cloud, interacts with the front end through a network, usually the Internet. It is made up of various computers, servers and data storage systems, with appropriate software packages. These create the "cloud" of computing services. Cloud computing is run by special software called middleware, using its own protocols. The middleware allows computers connected in the cloud to communicate with each other.

1.2 Benefits of Cloud Computing

Other benefits of cloud computing include the fact that clients would be able to access their applications and data from anywhere at any time. It could bring hardware costs down, since the need for advanced hardware on the client side will be reduced. Cloud computing saves companies the trouble of space for servers and digital storage devices, which may have to be rented. They have the option of storing their data on someone else's facility, which may reduce spending on IT support. It is common knowledge that the use of computers imposes on the owner the responsibility of purchasing licensed software packages for each computer in use. For a large corporation, the savings from paying only a metered fee to a cloud computing company, or from acquiring a centralized cloud computing facility with a cheaper (bulk) license, may be another significant benefit. According to Brian Gammage, a Gartner Fellow, moving data centre to a cloud provider will cost a tenth of the acquisition cost, and the use of cloud applications can reduce costs from 50% to 90% – CTO of Washington D.C. [33]. This gave birth to new businesses referred to as Cloud Services Providers (CSP). If the cloud computing system's back end is connected in a grid computing pattern, the client could take advantage of the network's processing power. For instance, a complex scientific calculation could be sent to such a cloud for speedy output, by tapping into the processing power of all available computers on the back end. Furthermore, cloud offers what is called multitenancy, where a provider shares resources between users at the same time, through virtualization. In the same vein, almost all resources being provided can be scaled, based on the current need, and increased as the business grows. The offer is elastic, in that subscriptions can be up-scaled or downscaled as needed. Load balancers are usually employed to achieve this. For both users and CSPs, the location of the request, resources, users or provider does not matter, since the only requirements are network access and legitimate subscription parameters.

Fig 1.1 The Cloud Metaphor
Source: https://en.wikipedia.org/wiki/Cloud_computing

1.3 Types of Cloud
1. Software as a Service (SaaS)
In an October 2009 publication, Peter Mell and Tim Grance of the U.S. National Institute of Standards and Technology (NIST) defined Software as a Service (SaaS) [31] as the computing application whereby a consumer uses the provider's software applications running on a cloud infrastructure. Examples of SaaS would be online tax filing, Remita (for Treasury Single Account, TSA, in Nigeria), GIFMIS, etc. See Fig 1.1.
2. Platform as a Service (PaaS)
PaaS provides the cloud consumer with the capability to deploy applications onto the cloud platform using programming languages and tools that are supported by the cloud provider. Microsoft™ Azure and Google App Engine are examples of PaaS. This is illustrated in Fig. 1.1.
3. Infrastructure as a Service (IaaS)
IaaS is the mode where the cloud user has the most control of the three types of clouds. Refer to Fig 1.1. The user has the freedom to provision processing, storage, networks, and other fundamental computing resources, where the consumer is able to deploy and run arbitrary software such as operating systems and applications. Amazon EC2 or vCloud are examples of IaaS.
Fig. 1.2 Delivery Modes of Cloud Technology (Types)
Source: "Avoiding 'Cloud Failures' – Strategies to Use the Cloud Effectively" – Martin Capurro [51].
1.4 Cloud Deployment Forms [31]

A CSP or user will always deploy or engage one or more of four cloud forms. It could be a Private cloud, which is the form where cloud infrastructure is operated solely for an organization (it may be managed by the organization or a third party, and may exist on premises or off premises). It could also be a Community cloud, a Public cloud or a Hybrid cloud. It is community when the cloud infrastructure is shared by several organizations and supports a specific community that has shared concerns (e.g. a mission etc.), where it is managed by the organizations or a third party and may exist on premises or off premises. It is public if it is available to the general public or a large industry and is owned by an organization selling cloud services. Hybrid cloud is a composition of two or more clouds (private, community, or public) that remain unique entities but are bound together by standardized or proprietary technology that enables data and application portability (e.g., cloud bursting for load balancing between clouds). See Fig 1.2. These definitions were given in 2009 by the NIST of the US.

1.5 Cloud Security

From the foregoing, cloud computing holds a lot of promise for business in the near future. However, its benefits and implementation present concurrent challenges to both clients and providers. These include problems such as trusting the vendor's security model, obtaining support for investigations since the data is not with the user, loss of physical control of content by the customer and inability to intervene in the event of a system failure. The biggest among these problems is security. To hand over important data to another party (for contracted or outsourced services) is worrisome. Even in corporate organizations where cloud computing is implemented locally, there is the likelihood of connectivity to the Internet, thereby introducing the risk of unauthorized access.
In any information system, three fundamental elements are necessary for security health: confidentiality, integrity and availability. Confidentiality is protecting information from being exposed to unauthorized persons. Integrity is ensuring that information is accurate, valid and complete, by protecting it against corruption or degradation, while availability is ensuring prompt access to information when and where needed. They are known as the CIA Triad, forming the foundation for electronic information security [43]. Cloud computing security is a broad set of policies, technologies, and controls deployed to protect data, applications, and the associated infrastructure of cloud computing. It is the most well-known challenge among users (in Fig 1.3, 74.8% of 244 respondents rated security very significant).

Fig 1.3 Chart Showing the Import of Security
Source: IDC Enterprise Panel, Aug 2008
The intending user of a cloud system has to be identified and given access to what and where he is entitled to and no more (authentication and authorization). Logs of past transactions must be kept, in case the need to trail an event arises. Existing cloud services, like any other computer networks, are prone to cyber-attacks. These include:
1. Side channel attacks: where information is gained from the physical implementation of the cryptosystem rather than brute force attack.
2. Denial of service attack: where a network is brought to its knees by flooding it with useless packets.
3. Man in the middle attack: This attack takes place when the attacker places himself between two users. The attacker modifies the data shared between the two users.
4. Authentication Attacks: Most service providers use username and password for authentication purpose. The attackers use phishing models to crack the username and password[45].
1.6 Problem Statement

Based on investigations carried out in this project, authenticating users has been found to be the biggest challenge, since the system will remain safe if an unauthorised user is prevented from gaining access either to data in motion or at rest, as well as to application software and infrastructure. Research shows that several attempts have been made by service providers to achieve effective user authentication. The technologies deployed include one-, two-, or three-factor authentication, which respectively assess one, two or three of the following schemes:

  i. Something the user possesses (e.g. token or phone)
  ii. Something the user knows (e.g. password or PIN)
  iii. Something inherent to the user (e.g. biometrics)

The number of schemes assessed to authenticate the user defines what is referred to as one-, two- or three-factor authentication. One- and two-factor authentication models are in popular use. Based on the insight from the literature review of this research (Chapter Two), it has been found that little use has been made of the three-factor model. Therefore, the three-factor authentication model will be investigated in this work, with a view to seeing its suitability and putting forward additional options for securing cloud systems, using user authentication.

1.7 Motivation
Information, data and network security are hot topics in the contemporary technological world, even among ICT businesses. With the advent of cloud technology, which the Nigerian Government now deploys for governance, the security of the system is of interest. Many news reports reveal that there have been many financial losses in Nigerian banks due to cybersecurity breaches and ATM card frauds. These have motivated a desire to research this area, in order to add to knowledge and provide a possible solution towards mitigating unauthorized access into clouds, such as those in banks and other online service providers.
1.8 Aims and Objectives
The objective of this thesis is to analyse some existing secure user authentication models, view them in the light of one- or two- factor authentication technique, identify their downsides and come up with a more secure three-factor model. The thesis is further expected to accumulate cloud computing security (and other) knowledge to provide a reference for further works in the same or related areas of research.
1.9 Scope

The focus of this work is on user authentication improvement. Various authentication models will be studied and criticized, and an attempt will be made to identify possible improvements through the three-factor authentication model as earlier defined. Improvements to other authentication models will not be considered. Solutions to privacy will not be considered, and higher (or lower)-factor authentication models are also beyond the scope of the project.

1.10 Methodology

This research will test the proposed model by mathematically investigating the numerical value of the accessibility probability when an intruder attempts to gain access to a cloud system designed with a three-factor authentication model. The entropy values will be estimated for one-, two- or three-factor authentication parameters, after converting passwords, tokens and biometric inputs into numerical codes. This is expected to give an idea of the randomness (i.e. “hardness”) of the model to an intruder. Various log-in simulations will be used as general test data. Test results will be analysed and an inference drawn from the analyses.
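The kind of calculation this methodology describes, written out as an added example; it is not the thesis's MATLAB code or its equations. It assumes the factors are independent and uniformly distributed, and the parameter values (8-character alphanumeric password, 6-digit token, biometric false-accept rate of 1 in 10,000, 5 attempts before lockout) are constructed for illustration.

```python
import math
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    name: str
    guess_space: float  # equally likely values an intruder must choose among

    @property
    def entropy_bits(self) -> float:
        return math.log2(self.guess_space)

def password(alphabet: int, length: int) -> Factor:
    return Factor("password", float(alphabet) ** length)

def otp_token(digits: int) -> Factor:
    return Factor("token", 10.0 ** digits)

def biometric(false_accept_rate: float) -> Factor:
    # Assumption: a matcher with false-accept rate FAR is modelled as a
    # secret drawn from 1/FAR equally likely values.
    return Factor("biometric", 1.0 / false_accept_rate)

def combined_entropy_bits(factors) -> float:
    # Independent factors: entropies add (probabilities multiply).
    return sum(f.entropy_bits for f in factors)

def single_guess_probability(factors) -> float:
    return 2.0 ** -combined_entropy_bits(factors)

def success_within(factors, attempts: int) -> float:
    """P(at least one of `attempts` independent guesses passes every factor)."""
    p = single_guess_probability(factors)
    if p >= 1.0:
        return 1.0 if attempts > 0 else 0.0
    # 1 - (1 - p)^k, evaluated stably for very small p
    return -math.expm1(attempts * math.log1p(-p))

def compare(attempts: int = 5) -> dict:
    # Constructed parameters, not values taken from the thesis.
    pw, tok, bio = password(62, 8), otp_token(6), biometric(1e-4)
    models = {"1FA": [pw], "2FA": [pw, tok], "3FA": [pw, tok, bio]}
    return {label: (combined_entropy_bits(fs),
                    single_guess_probability(fs),
                    success_within(fs, attempts))
            for label, fs in models.items()}

if __name__ == "__main__":
    for label, (bits, p, p_k) in compare().items():
        print(f"{label}: {bits:6.2f} bits  p(guess)={p:.3e}  p(5 tries)={p_k:.3e}")
```

Real passwords and biometric matchers are far from uniform, so these figures are upper bounds on the guessing difficulty under the stated assumptions.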
1.11 Thesis Outline

This thesis consists of the introduction chapter, where the background is introduced; the motivation, aims and objective of the project, problem statement and project scope are also discussed. Chapter Two deals with an extensive literature review, while Chapter Three presents the methodology of the project. Chapter Four is a report of the experimentation on the model under investigation. Chapter Five highlights the testing results analyses, discussion, observations and summary, while Chapter Six features the project conclusions, recommendations and limitations.