Key Based Mutual Authentication (KBMA) Mechanism for Secured Access in MobiCloud Environment

Mobile Cloud Computing (MCC) fuels innovation in mobile computing and opens new pathways between mobile devices and infrastructures. Because MCC integrates several technologies, it raises many issues, and security is the foremost of them: many users are unwilling to adopt cloud services because of it. This paper focuses on authentication. Its objective is to provide a mechanism for authenticating all the entities involved in accessing cloud services. A mechanism called Key Based Mutual Authentication (KBMA) is proposed, consisting of two processes, registration and authentication. Registration is a one-time process in which users are registered for cloud services by supplying the required unique information. Authentication is carried out mutually, to verify the identities of the device and the Cloud Service Provider (CSP). The Scyther tool is used to analyse the mechanism for attacks. The results indicate that the proposed mechanism resists the attacks analysed.


Introduction
Significant technologies such as cloud computing and mobile devices have been on trend for the last few years, and their extensive adoption is changing our lives. Researchers and data analysts have shown how these technologies have reverberated through the technological landscape around the world. The cloud already plays a much larger role in information technology. By the end of 2015, the spread of Mobile Cloud Networking (MCN) development is expected to become a natural extension of the Bring Your Own Device (BYOD) environment. According to a recent survey from Juniper Research, the number of mobile cloud computing users is expected to grow rapidly over the next five years [1]. By 2016 the mobile cloud market is expected to generate annual revenue of $9.5 billion, up from $400 million in 2009, an average annual increase of 88%.
Mobile Cloud Computing (MCC) is an emerging technology that integrates three trending concepts, mobile computing, cloud computing and networking, and this integration brings several issues. MCC services offer many benefits, but the constraints of mobile devices raise several issues in the MCC environment; among them, security ranks first, and many users are unwilling to adopt the services because of it. To access the cloud, the user connects the mobile device to a mobile station; the mobile station connects to its internet server, which lets the user reach the cloud server. Numerous intermediate servers are involved in reaching the internet, which makes security a major concern. The major security issues are authentication, access control, availability, confidentiality, identity management, integrity, application security and privacy.
This paper addresses only the security issues in the Mobile Cloud Computing environment, in particular authentication. The rest of the paper is organized as follows. Section 2 discusses related work. Section 3 gives the motivation and Section 4 the objective of the proposed work. Sections 5 and 6 explain the working concept and the algorithm of the proposed mechanism. Section 7 discusses the results and findings. Finally, Section 8 concludes the paper.

Related Works
Cloud computing users prove their identities with digital credentials, typically passwords and digital certificates. If an attacker can forge or steal these credentials, the cloud system suffers spoofing attacks [2]. In MCC the problem is even more severe, because mobile devices often lack the computing power to execute complex security algorithms. Moreover, the variety of mobile devices makes it difficult to enforce a standardized credential-protection mechanism.
In recent years, several authentication mechanisms for the cloud environment have been proposed to withstand attacks. Omri et al. [3] presented an application that uses handwriting recognition as the authentication pattern for accessing the mobile cloud. Rassan et al. [4] proposed a solution for authenticating mobile cloud users that uses the ordinary mobile device camera as a fingerprint reader to capture, process and recognise the fingerprint image; based on the activity logs, the cloud security policies are then revised and reconfigured. Deepak et al. [5] proposed an authentication algorithm to verify the authenticity of the user. Their algorithm withstands brute-force and man-in-the-middle attacks, but increases computation time and consumes more energy than conventional methods.

Motivation
From the security perspective, every interface risks exposing sensitive information and receiving malicious data. In addition, eavesdropping and spoofing are easier in wireless networks than in wired ones, and dealing with these threats is a major challenge. The mobile cloud is highly virtualized and highly federated. Most users expect to access cloud resources and applications without any complex authentication process: they are unwilling to carry external devices for authentication, expect a positive user experience, and prefer to authenticate with the mobile devices they already own. Several existing authentication mechanisms authenticate only the users, not the other entities that take part in accessing the cloud services. An approach is therefore needed to control and manage identities across different clouds.

Objective
The primary objective of this paper is to provide a mechanism for authenticating all the entities that take part in accessing the cloud services, i.e. mutual authentication. This helps to secure communication over the internet and lets each party verify the identity of the other.

Working of MobiCloud
The primary mode of mobile device communication is HTTP over Wi-Fi, while the communication between the Unified Cloud Authenticator and the Cloud Service Providers (CSPs) is over HTTPS. Figure 1 shows the skeleton architecture of the MobiCloud environment, which hosts Identity as a Service (IDaaS) alongside other services such as SaaS, IaaS, STaaS and AaaS. The user is allowed to access cloud resources only after completing all three processes of IDaaS. This paper details only the KBMA mechanism, which authenticates the entities taking part in accessing the cloud services (the device and the CSP).
The working procedure of the Mobile Cloud technology is as follows [6]. Initially, the user's requests are carried over the Mobile Network (MN), which comprises the Base Station (BS), an AAA server and a user repository. The base station acts as the transmitter, and the AAA server authenticates the requests within the MN. The requests are then directed to the Unified Cloud Authenticator (UCA). The UCA plays the major security role: it contains the Authentication Server (AS), which authenticates not only the users but also their roles for accessing their respective services. The user repository is where all user credential data are stored. The other major component is the Cloud Service Provider (CSP), which provides the service to the users and holds the Cloud Service Server (CSS) and the Cloud Storage Repository (CSR).

KBMA Operations
The working procedure of KBMA is divided into two main processes:
a) Registration process
b) Authentication process

Registration Process
Registration is a one-time process carried out by the cloud server. To set up an account, the user ID, password and other unique information, such as the credit card details used for payment on a pay-per-use basis, are supplied as input during registration. These attributes are transferred over a standard protocol such as Secure Shell (SSH) for a secure transaction. The user, the hashed password and the device information are stored in the master lookup table. The process is shown in Figure 2.

Figure 2. Registration Process
A key C_key is generated at both ends from the user ID and the hash of the password; it is used throughout the authentication process.

Authentication Process
The mobile device and the Cloud Service Provider (CSP) need to authenticate each other to confirm their identities. Authentication in this phase is subdivided into two activities:
a) CSP authenticating the device
b) Device authenticating the CSP

CSP authenticating Device
In this phase, two activities take place, encryption and decryption. The following describes how authentication is carried out in the MobiCloud environment. The key C_key is generated when the user requests a service. Using C_key, a random number is generated, and from it an authentication key AUTH_key is derived, so that no two credential generations are identical. AUTH_key is used to encrypt AD_mob and AD_cloud in the Digestive Access Mechanism, which is based on cryptographic encryption techniques.
Finally, the encrypted data is sent to the cloud server together with its Column Reference (C_ref).

Decryption
The cloud server searches its database for the user's ID and password. Once the credentials are matched, the key C_key is generated at the server side. The generated C_key is used to decrypt the data received from the device, yielding the State Identifier and the Authentication Digest:

$\mathrm{Decrypt}_{C_{key}}(EAD_{mobcloud} \| SI)$ … (7)

The same key C_key is then used to decrypt the Authentication Digest to obtain the plain data:

$\mathrm{Decrypt}_{C_{key}}(EAD_{mobcloud})$ … (8)

The result is matched against the credential data held at the server; the lookup is based on the Column Reference C_ref:

$AD_{mobcloud}$ … (9)

Once the decrypted credentials match, the CSP has authenticated the user's device.

Claim 3: Secret PSWD
Here, the security of the password depends on the user. The password can be a 512-bit string. It is hashed, and a replica of the hash is stored in the cloud authentication database during registration. The password itself is never transferred during communication; it is used locally at both ends.

Claim 4: Secret ID
The user ID is sent to the CSP along with the password only once, during registration. The device does not send the ID to the CSP during the authentication process, so it remains protected, although the security of the ID ultimately depends on the user.

Claim 5: Secret AD mob
AD_mob is the hashed data relating to the user; it holds the user's unique information, access policy, etc. Before transmission, this information is hashed and encrypted using the key C_key.

Claim 6: Secret AD cloud
AD_cloud is the hashed data relating to the cloud; it holds the cloud's unique information and cloud policy information. Before transmission, AD_cloud is hashed and encrypted together with AD_mob using the authentication key AUTH_key.

Claim 7: Weak agreement (Weakagree)
The proposed mechanism satisfies Scyther's weak-agreement claim between the device and the CSP: whenever the device completes a run apparently with the CSP, the CSP has indeed been running the protocol with the device, and vice versa. This shows that no adversary impersonated a peer during the authentication process. Note that weak agreement speaks only to the identity of the peer, not to the freshness of the run or to agreement on the values exchanged. The trace pattern of the entities (device and cloud) involved in accessing the cloud resource is given in Figure 5; Scyther reports no attacks during the authentication process.

Conclusion
In recent times MCC has become a hot technology, and its security has become a research issue. Several existing authentication techniques and methods for mobile cloud computing were discussed. This paper proposed a mechanism called KBMA, which verifies the identity of the entities that take part in accessing the cloud services. KBMA involves two processes, registration and authentication. Its algorithm was implemented and analysed with the Scyther tool. The results show that KBMA resists the attacks analysed, and its security claims were also examined. From the results, it is evident that the proposed mechanism authenticates the entities and provides a secure channel for communication. User authentication will be incorporated in future research.
DOI: 10.1051/ C Owned by the authors, published by EDP Sciences, 201

Figure 1. Skeleton Architecture of MobiCloud

During the registration process, a cryptographic hash function is applied on the user side (AD_mob) and on the cloud side (AD_cloud) for the purpose of authentication. AD_mob contains the user certificate and the user policy, such as the cloud service access policy and the user access policy:

$AD_{mob} = H(U_{pol} \| U_{cert})$ … (2)

AD_cloud contains the cloud certificate and the cloud policy, such as the cloud resource policy and the user policy:

$AD_{cloud} = H(C_{pol} \| C_{cert})$ … (3)

The CSP sends a message to the user's device in encrypted form using the key C_key generated at both sides (1); it contains the user digest, the cloud digest, the private key and the Column Reference:

$E_{C_{key}}(AD_{mob} \| AD_{cloud} \| PRI_{key} \| C_{ref})$ … (4)

The pseudocode for the user registration process is given in Table 1.

Figure 3 .
Figure 3. Encryption process carried out during authentication in the MobiCloud environment.

6.2.2 Device Authenticating CSP
This is the second activity of the authentication process, in which the mobile device authenticates the CSP. A digital signature DS is generated at the CSP side; it consists of the combined authentication digest of the device and the cloud, AD_mobcloud, encrypted using a public key PUB_key:

$DS = \mathrm{Encrypt}_{PUB_{key}}(AD_{mobcloud})$ … (10)

The mobile device decrypts DS with the key it already generated and stored at registration (the text names C_key here; the private key PRI_key delivered in (4) is the counterpart of PUB_key) and thereby authenticates the CSP.
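The registration exchange of section 6.1 (message (4)) and both halves of the authentication exchange (the CSP authenticating the device, equations (7) to (9), and the device authenticating the CSP, (10)), as an added, runnable Python model. This is illustration code written for this page, not the paper's implementation, and it makes several assumptions: the paper does not name its cipher, so a SHA-256 counter keystream with an HMAC-SHA256 tag stands in for encryption; the asymmetric PUB_key/PRI_key step (10) is replaced by a symmetric PRI_key delivered inside message (4); the random number r used to derive AUTH_key travels in the State Identifier SI so that the CSP can recompute AUTH_key from C_key; and the replay check on r, the field layout, and the names CloudServer, Device and run_kbma are the example's own.

```python
# KBMA registration and mutual authentication modelled end to end (added
# illustration, not the paper's code; standard library only). Stand-ins:
# encrypt()/decrypt() is a SHA-256 counter keystream + HMAC tag (the paper does
# not name its cipher); step (10) uses a symmetric PRI_key delivered in (4);
# SI carries the random number r so the server can recompute AUTH_key from
# C_key; the replay check on r is an addition the paper does not describe.
import hashlib
import hmac
import secrets
from typing import Optional


def H(*parts: bytes) -> bytes:          # the paper's H(): SHA-256 over the concatenation
    return hashlib.sha256(b"".join(parts)).digest()


def derive_ckey(user_id: bytes, password: bytes) -> bytes:
    return H(user_id, H(password))      # C_key from the user ID and the hashed password


def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(H(key, nonce, i.to_bytes(4, "big")) for i in range((n + 31) // 32))


def encrypt(key: bytes, pt: bytes) -> bytes:
    """Toy encrypt-then-MAC; use AES-GCM or ChaCha20-Poly1305 in a real deployment."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """None when the tag fails: wrong key (e.g. wrong password) or tampering."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ s for c, s in zip(ct, keystream(key, nonce, len(ct))))


class CloudServer:
    def __init__(self, c_pol: bytes, c_cert: bytes):
        self.ad_cloud = H(c_pol, c_cert)                  # (3)
        self.table, self.seen = {}, set()                 # lookup table by C_ref; r values used

    def register(self, user_id: bytes, password: bytes, u_pol: bytes, u_cert: bytes) -> bytes:
        """One-time registration; returns message (4) under C_key."""
        c_ref, ad_mob, pri_key = len(self.table) + 1, H(u_pol, u_cert), secrets.token_bytes(32)
        self.table[c_ref] = dict(user_id=user_id, pwd_hash=H(password), ad_mob=ad_mob, pri_key=pri_key)
        return encrypt(derive_ckey(user_id, password),
                       ad_mob + self.ad_cloud + pri_key + c_ref.to_bytes(4, "big"))

    def authenticate(self, c_ref: int, msg: bytes) -> Optional[bytes]:
        """CSP authenticating the device, (7) to (9); returns DS or None on failure."""
        rec = self.table.get(c_ref)
        if rec is None:
            return None
        c_key = H(rec["user_id"], rec["pwd_hash"])       # same value as derive_ckey()
        pt = decrypt(c_key, msg)                         # (7): EAD_mobcloud || SI
        if pt is None or pt[-16:] in self.seen:          # bad key/tag, or replayed r
            return None
        ead, r = pt[:-16], pt[-16:]
        ad = decrypt(hmac.new(c_key, r, hashlib.sha256).digest(), ead)  # (8) under AUTH_key
        expected = rec["ad_mob"] + self.ad_cloud          # (9): stored AD_mobcloud
        if ad is None or not hmac.compare_digest(ad, expected):
            return None
        self.seen.add(r)
        return encrypt(rec["pri_key"], expected + r)      # DS, symmetric stand-in for (10)


class Device:
    def __init__(self, user_id: bytes, password: bytes):
        self.user_id, self.password = user_id, password

    def complete_registration(self, reg_msg: bytes) -> None:
        pt = decrypt(derive_ckey(self.user_id, self.password), reg_msg)
        self.ad_mob, self.ad_cloud, self.pri_key = pt[:32], pt[32:64], pt[64:96]
        self.c_ref = int.from_bytes(pt[96:100], "big")

    def auth_request(self) -> tuple:
        """Encryption phase: fresh r, AUTH_key = HMAC(C_key, r), digests under AUTH_key."""
        c_key = derive_ckey(self.user_id, self.password)
        self.r = secrets.token_bytes(16)
        auth_key = hmac.new(c_key, self.r, hashlib.sha256).digest()
        ead = encrypt(auth_key, self.ad_mob + self.ad_cloud)   # EAD_mobcloud
        return self.c_ref, encrypt(c_key, ead + self.r)        # (EAD_mobcloud || SI) under C_key

    def verify_csp(self, ds: bytes) -> bool:
        """Device authenticating the CSP: DS must open to AD_mobcloud || r."""
        pt = decrypt(self.pri_key, ds)
        return pt is not None and hmac.compare_digest(pt, self.ad_mob + self.ad_cloud + self.r)


def run_kbma() -> dict:
    """Constructed scenario: honest login, a replayed request, a wrong password."""
    csp = CloudServer(b"cloud-resource-policy", b"cloud-cert")
    dev = Device(b"alice", b"correct-horse-battery")
    dev.complete_registration(csp.register(dev.user_id, dev.password, b"access-policy", b"user-cert"))
    c_ref, msg = dev.auth_request()
    ds = csp.authenticate(c_ref, msg)
    mutual = ds is not None and dev.verify_csp(ds)
    replay_ok = csp.authenticate(c_ref, msg) is not None          # same message again
    bad = Device(b"alice", b"wrong-password")                      # same device state, wrong password
    bad.ad_mob, bad.ad_cloud, bad.pri_key, bad.c_ref = dev.ad_mob, dev.ad_cloud, dev.pri_key, dev.c_ref
    wrong_ok = csp.authenticate(*bad.auth_request()) is not None
    return {"mutual": mutual, "replay_accepted": replay_ok, "wrong_password_accepted": wrong_ok}
```

run_kbma() returns {"mutual": True, "replay_accepted": False, "wrong_password_accepted": False}: the honest device and CSP authenticate each other, a replayed request is refused because its r was already accepted, and a wrong password fails at the tag check because the C_key derived on each side differs. One caveat visible in the model: because C_key is a deterministic function of the user ID and the password hash, anyone who records message (4) or an authentication request can test password guesses offline against the recorded ciphertext, which is why Claim 3 leaves the password's strength to the user and why a slow, salted key-derivation function would be preferable to a plain hash in practice.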

Figure 4 .
Figure 4. Auto Claims Result Window of KBMA Mechanism

Figure 4 shows the auto-claims result for the proposed authentication mechanism; Scyther reports no attacks.

Table 1. Algorithm for User Registration

Notation:
PUB_key ← Public key
PRI_key ← Private key
U_cert ← User access grant certificate
C_pol ← Cloud policy
C_cert ← Cloud certificate
H() ← Hash function
AD_mob ← Digested data for device authentication
AD_cloud ← Digested data for cloud authentication
C_key ← Cryptography key
C_ref ← Column reference for user detail in lookup table
INP_user ← User input for registration
ENC_user_reg_conf ← Encrypted message of user

Step 7. Encrypt the values of AD_mob, AD_cloud, PRI_key and C_ref:
ENC_user_reg_conf ← E_Ckey(AD_mob || AD_cloud || PRI_key || C_ref)

Table 2 .
Algorithm for User Registration