dLocAuth: a dynamic multifactor authentication scheme for mCommerce applications using independent location-based obfuscation

Kuseler, Torben and Lami, Ihsan (2012) dLocAuth: a dynamic multifactor authentication scheme for mCommerce applications using independent location-based obfuscation. In: SPIE 8406, Mobile Multimedia/Image Processing, Security, and Applications, May 1, 2012.

Official URL: http://proceedings.spiedigitallibrary.org/proceedi...

Abstract

This paper proposes a new technique to obfuscate an authentication-challenge program (named LocProg) using randomly generated data together with a client's current location in real-time. LocProg can be used to enable any handset application on mobile devices (e.g. mCommerce on Smartphones) that requires authentication with a remote authenticator (e.g. bank). The motivation of this novel technique is to a) enhance the security against replay attacks, which is currently based on using real-time nonce(s), and b) add a new security factor, which is location verified by two independent sources, to challenge / response methods for authentication. To assure a secure-live transaction, thus reducing the possibility of replay and other remote attacks, the authors have devised a novel technique to obtain the client's location from two independent sources of GPS on the client's side and the cellular network on the authenticator's side. The algorithm of LocProg is based on obfuscating "random elements plus a client's data" with a location-based key, generated on the bank side. LocProg is then sent to the client and is designed so it will automatically integrate into the target application on the client's handset. The client can then de-obfuscate LocProg if s/he is within a certain range around the location calculated by the bank and if the correct personal data is supplied. LocProg also has features to protect against trial/error attacks. Analysis of LocAuth's security (trust, threat and system models) and trials based on a prototype implementation (on Android platform) prove the viability and novelty of LocAuth.

Item Type: Conference or Workshop Item (Paper)
Additional Information: Torben Kuseler, Ihsan A. Lami, "dLocAuth: a dynamic multifactor authentication scheme for mCommerce applications using independent location-based obfuscation," Mobile Multimedia/Image Processing, Security, and Applications 2012, Sos S. Agaian, Sabah A. Jassim, Eliza Yingzi Du, Editors, Proc. SPIE 8406, 840605 (8 May 2012). Copyright 2012 Society of Photo Optical Instrumentation Engineers. One print or electronic copy may be made for personal use only. Systematic electronic or print reproduction and distribution, duplication of any material in this paper for a fee or for commercial purposes, or modification of the content of the paper are prohibited. http://dx.doi.org/10.1117/12.918130
Uncontrolled Keywords: Challenge response; mCommerce; Mobile authentication; Obfuscated interpretation; Software protection
Subjects: Q Science > Q Science (General)
Divisions: School of Computing
Depositing User: Ihsan Lami
Date Deposited: 25 Aug 2015 14:25
Last Modified: 25 Aug 2015 14:25
URI: http://bear.buckingham.ac.uk/id/eprint/78
