Privacy-Preserving Application-to-Application Authentication Using Dynamic Runtime Behaviors
Application authentication is typically performed using some form of secret credentials such as cryptographic keys, passwords, or API keys. Since clients are responsible for securely storing and managing the keys, this approach is vulnerable to attacks on clients. Similarly a centrally managed key s...
Gespeichert in:
Hauptverfasser: | , , |
---|---|
Format: | Artikel |
Sprache: | eng |
Schlagworte: | |
Online-Zugang: | Volltext bestellen |
Tags: |
Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
|
Zusammenfassung: | Application authentication is typically performed using some form of secret
credentials such as cryptographic keys, passwords, or API keys. Since clients
are responsible for securely storing and managing the keys, this approach is
vulnerable to attacks on clients. Similarly a centrally managed key store is
also susceptible to various attacks and if compromised, can leak credentials.
To resolve such issues, we propose an application authentication, where we rely
on unique and distinguishable application's behavior to lock the key during a
setup phase and unlock it for authentication. Our system add a fuzzy-extractor
layer on top of current credential authentication systems. During a key
enrollment process, the application's behavioral data collected from various
sensors in the network are used to hide the credential key. The fuzzy extractor
releases the key to the server if the application's behavior during the
authentication matches the one collected during the enrollment, with some noise
tolerance. We designed the system, analyzed its security, and implemented and
evaluated it using 10 real-life applications deployed in our network. Our
security analysis shows that the system is secure against client compromise,
vault compromise, and feature observation. The evaluation shows the scheme can
achieve 0 percent False Accept Rate with an average False Rejection Rate 14
percent and takes about 51 ms to successfully authenticate a client. In light
of these promising results, we expect our system to be of practical use, since
its deployment requires zero to minimal changes on the server. |
---|---|
DOI: | 10.48550/arxiv.2211.13195 |