Two-factor Authentication by Web Application API and J2ME Software

41/20 … 44150 … 0-4375-4322 … 2414
E-mail: c.pratchaya@msu.ac.th, somnuk.p@msu.ac.th

Abstract
Most web applications rely on a username/password to authenticate users. However, the password is an authentication factor based on "user knowledge" that can be sniffed or leaked in many ways. Previous solutions to this problem (such as smart card or RSA SecurID authentication) use "user possession" as the other factor. Yet smart card readers and RSA SecurID tokens mean more cost to invest and more devices to carry. In this paper, we design, implement and test a web application API and J2ME software to enhance authentication to web applications. The new solution is cheaper: it requires only preloading J2ME software onto users' mobile phones and a web application API module onto the web server.

Keywords: Two-factor Authentication, One Time Password, Packet Sniffer

1.
[7] … (Authentication Factor) … 3 …: 1) User Knowledge … Username/Password, PIN Code; 2) User Possession … Smart Card, Secure Token …; 3) User Attribute … User Knowledge … Username/Password … Password … Ethereal [1], Wireshark [3] … Username/Password … Smart Card Authentication [4], RSA SecurID Authentication [5], One Time Password [9] … (User Knowledge, User Possession) … User Knowledge … Username/Password; User Possession … Module API … Two Factor Authentication (TFA Module) … J2ME … Password … Username/Password … Password …
… 1 … 2 … Smart Card Authentication, RSA SecurID Authentication, One Time Password … 3 … 4 … 5 … 6 …

2.

2.1 Smart Card Authentication [4]
Smart Card Authentication … User Possession … Smart Card … (Private Key) … (Public Key Encryption) … Smart Card … Smart Card (Smart Reader) …
Figure 1: Smart Card Authentication
Smart Card Authentication … Smart Card 150-500 / … Smart Reader, Software 1,000-30,000 … Smart Card Reader … Smart Card …

2.2 RSA SecurID Authentication [9]
RSA SecurID Authentication … RSA … User Possession … RSA … Secure Token … Password … RSA SecurID authentication …
Figure 2: RSA SecurID authentication
RSA SecurID Authentication … RSA SecurID (1) … RSA ACE/Server (2) … RSA SecurID Password … Password … RSA ACE/Server … Password … Password … RSA SecurID Authentication … ACE/Server … RSA SecurID Token … RSA SecurID Authentication … Smart Card, RSA SecurID … Username/Password …

2.3 Multi-factor Authentication [8]
Multi-factor Authentication … Knowledge Factor … Possession Factor … Multi-factor Authentication … Password … Web Application …

2.4 One Time Password [9]
One Time Password (OTP) … Password … OTP … Password … Login … One Time Password … Password … User … User … Password … Password … Password … 1 …

3.
Username/Password … Password … Smart Card Authentication, RSA SecurID Authentication …

4.
1. Multi-factor Authentication: Username/Password (User Knowledge) … User Possession … Module API Plug in … Two-factor Authentication Module (TFA Module) … J2ME … User Possession … TFA Module …
2. … User Possession … Smart Card, RSA SecurID Token … J2ME ( … ) …
3. Cost … Software Module … J2ME …
4. One Minute Password: Password … 1 … Password … Password … 1 …

4.1 … Two-factor Authentication
… Two-factor Authentication …
Figure 3: Two Factor Authentication
1. … Server … Client … SSL [1] (Secure Socket Layer) …
2. … Password … User Knowledge Password … User Password … Mobile Phone Password … User … J2ME … Password … User Password … Password … Password … User …
3. TFA Module: API Module Plug in … Two Factor Authentication Module API … Password … Run … J2ME …
4. … Mobile Phone Password: J2ME Software … User … TFA Module Run … Password … User …
5. … Password 3 … Password … Mobile Phone Password … Mobile Phone Password … User Password … Password … TFA Module … Password …
6. User Password … User Knowledge; Mobile Phone Password … Password (User Knowledge) … Password; Mobile Phone Password … TFA Module … Password … J2ME … User … Login … (Authorization) …

4.2 … Mobile Phone Password
Mobile Phone Password … J2ME … Password … TFA Module … User … Password …
1. Organization Serial Number (OSN): Serial Number … OSN … Mobile Phone Password …
2. Mobile Phone ID (MP ID): ID … Mobile Phone … MP ID … Password … OSN, MP ID …
3. Date/Time: … Password … Password … One Minute Password …
… OSN … MP ID … Mobile Phone … OSN, MP ID … Download … J2ME …
Table 1: Input/Output of the 64th based on function
Figure 4: Mobile Phone Password
Mobile Phone Password:
1 Input: OSN, MPID, Date/Time → 240 Bit
2 240 Bit → Hash Function MD5 → Bit Digest 128 Bit
3 Bit Digest (128 Bit) → 64th based on function → 22 … (132 bit) = Mobile Phone Password
… 64th based on function …
Figure 5: Input/Output of the 64th based on function

5.
… Run TFA Module … Two-factor Authentication Module … Import API … Module … Module … Login …
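The three generation steps of section 4.2 (a 240-bit input built from OSN, MP ID and date/time, MD5 to a 128-bit digest, a 64-based encoding to 22 characters) and the TFA Module's server-side check, as an added worked example in Python. This is not the paper's code: the authors implemented the phone side in J2ME and the server side as a web application API module. The field widths (10-character OSN, 8-character MP ID, 12-character yyyyMMddHHmm stamp, 30 ASCII characters = 240 bits), standard base-64 without padding as the "64th based on function", the one-minute skew window in the verifier and all function names are assumptions made here, not details given by the paper.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# ASSUMED field widths: the paper gives a 240-bit input but not how it is
# split, so widths are chosen to total 30 ASCII characters (30 * 8 = 240).
OSN_LEN = 10               # Organization Serial Number
MP_ID_LEN = 8              # Mobile Phone ID
STAMP_FMT = "%Y%m%d%H%M"   # 12 characters, minute granularity


def minute_stamp(t: datetime) -> str:
    """Date/time truncated to the minute. Seconds never enter the hash,
    which is what makes the result a One Minute Password."""
    return t.strftime(STAMP_FMT)


def mobile_phone_password(osn: str, mp_id: str, t: datetime) -> str:
    """Steps 1-3 of the generation process:
    240-bit input -> MD5 (128-bit digest) -> base-64 -> 22 characters.
    MD5 is used because that is the hash the paper specifies."""
    if len(osn) != OSN_LEN or len(mp_id) != MP_ID_LEN:
        raise ValueError("OSN and MP ID must have the assumed fixed widths")
    block = (osn + mp_id + minute_stamp(t)).encode("ascii")
    assert len(block) * 8 == 240                  # step 1: 240-bit input
    digest = hashlib.md5(block).digest()          # step 2: 16 bytes = 128 bits
    # Step 3: base-64 of 16 bytes is 24 characters ending in "=="; dropping
    # the padding leaves the 22 characters (22 * 6 = 132 bits) of the paper.
    return base64.b64encode(digest).decode("ascii").rstrip("=")


def verify_mobile_phone_password(osn: str, mp_id: str, candidate: str,
                                 now: datetime, skew_minutes: int = 1) -> bool:
    """Server-side check in the role of the TFA Module: regenerate the
    password from the same inputs and compare in constant time. The
    +/- skew window is an added assumption to tolerate clock drift
    between phone and server; skew_minutes=0 accepts only the current minute."""
    for delta in range(-skew_minutes, skew_minutes + 1):
        expected = mobile_phone_password(osn, mp_id, now + timedelta(minutes=delta))
        if hmac.compare_digest(expected.encode("ascii"), candidate.encode("ascii")):
            return True
    return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the paper.
    osn, mp_id = "MSU0000001", "35912345"
    now = datetime(2009, 1, 15, 10, 30, 45, tzinfo=timezone.utc)
    pw = mobile_phone_password(osn, mp_id, now)
    print(pw, len(pw), verify_mobile_phone_password(osn, mp_id, pw, now))
```

Every call within the same minute returns the same 22-character password and the next minute returns a different one, which is the One Minute Password behaviour of section 4. Since date/time is public, OSN and MP ID are the only inputs an outsider does not hold; in this construction they play the part of the shared secret, so a deployment has to store them on the phone and on the server with the same care as any other authentication secret.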
Figure 6: Login
… Figure 5 … Login … TFA Module … login … 3 … Server: Username, Password, Mobile Phone Password … Login … Server …
Figure 7: … J2ME
… Figure 6 … J2ME … Mobile Phone Password … Organization Serial Number (OSN), Mobile Phone ID (MP ID) … Password … 1 …

5.1
1) Two-factor Authentication: Username/Password (User Knowledge) … User Possession … TFA Module … Password …
2) Password … 1 … Password … Password … 1 …

5.2
1) User Possession … J2ME … TFA Module … Smart Card Authentication, RSA SecurID Authentication … Smart Card, RSA SecurID Token …
2) … Plug in TFA Module … Server … Password … J2ME … Module API … Multi-factor Authentication … Smart Card … Smart Card, RSA SecurID ACE Server …

6.
… Knowledge Factor … Possession Factor … Possession Factor … Possession Factor … Password … TFA Module API … Two Factor Authentication … Two-factor Authentication …

7.
[1] "Ethereal." Retrieved January 2009, from http://www.ethereal.com/.
[2] "OpenSSL." Retrieved 13, 2009, from http://www.openssl.org/.
[3] "Wireshark 1.0.5 Released." Retrieved January 2009, from http://www.wireshark.org/.
[4] "Security token and smart card authentication." Retrieved January 2009, from http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1338503,00.html.
[5] Strong Two-Factor Authentication with RSA SecurID: 1-3.
[6] Paul A, H. (2006). "Two-factor authentication a look behind the headlines." Network Security: 18-19.
[7] Simmons, G. J. (1998). "A Survey of Information Authentication." IEEE: 603-604.
[8] Tatum, M. "What is Multifactor Authentication?" Retrieved January 2009, from http://www.wisegeek.com/what-is-multifactorauthentication.htm.
[9] Tom Sheldon, B. S. M. (2001). "One-Time Password Authentication." Retrieved 13, 2009, from http://www.linktionary.com/o/one_time_password.html.