Using SIM for strong end-to-end Application Authentication
MetadataVis full innførsel
Today the Internet is mostly used for services that require low or none security. The commercial and governmental applications have started to emerge but met problems since they require strong authentication, which is both difficult and costly to realize. The SIM card used in mobile phones is a tamper resistant device that contains strong authentication mechanisms. It would be very convenient and cost-efficient if Internet services could use authentication methods based on the SIM. This master thesis presents an analysis and a design of a generic authentication system based on SIM, together with a detailed description of an implemented prototype. The proposed system, called the Generic SIM Authentication System (GAS), provides a strong authentication mechanism. The GAS builds upon the existing GSM authentication infrastructure, thus allows re-use of GSM expertise from the mobile operators. New services can easily be supported, such that these can benefit from strong authentication. By gradually implementing more authentication mechanisms (e.g. OTP and PKI) on the SIM, it will be able to support several levels of security. This will result in a generic authentication system satisfying the security needs for nowadays and also for the future. In order to design the GAS, the thesis starts by giving an overview of authentication and relevant technologies, before the requirements to the system, both functional and non-functional, are defined. Then different interaction diagrams, collaboration diagrams and sequence diagrams are presented, and the necessary components and interfaces in the system are outlined. This thesis builds on two student projects finished December 2005, where tentative high-level architectures for utilizing SIM-based authentication were proposed. A Prototype has been developed in Java to demonstrate the GAS, and includes both a client (Supplicant) and a server (Authenticator) part. The communication between the Supplicant and the other components in the authentication system is based on EAP, which is a general authentication protocol supporting multiple authentication methods. When performing the GSM authentication the EAP-SIM protocol is used. The Prototype has been tested end-to-end, i.e. from the SIM to the Telenor GSM HLR/AuC, via IP-based network. Three different services have been developed to demonstrate how easily the SIM authentication can be integrated. The first demo service shows how to integrate the authentication with JSP technology and Apache Tomcat. The second service, MyService, is another example of how the authentication service could be integrated into a web portal using PHP to demonstrate that the Prototype is independent of the service implementation language. MyService also illustrates how the service provider can control the registration of new users and link up with their SIM identity. The last service, GasSpot, shows how to integrate the GAS to authenticate users to a Captive Portal. The access is controlled by the gateway, which is implemented using ChilliSpot. Based on the results of the master thesis, the authors have written the paper ?A Generic Authentication System based on SIM?, which has been submitted and accepted for publication at the ICISP?06 Conference in Cap Esterel, Côte d?Azur, France, August 26-29, 2006.