SGX-UAM: A Secure Unified Access Management Scheme With One Time Passwords via Intel SGX
Saved in:

| Published in: | IEEE Access 2021, Vol. 9, p. 38029-38042 |
|---|---|
| Main authors: | |
| Format: | Article |
| Language: | eng |
| Subjects: | |
| Online access: | Full text |
| Abstract: | With the convergence of fixed and mobile networks, heterogeneous networks are becoming ubiquitous. Internet giants are confronting the difficulty of identity authentication. To address this issue, unified access management (UAM) was conceived. This paper provides a novel unified access management scheme, named SGX-UAM, with one-time passwords (OTPs) based on Intel Software Guard Extensions (SGX). SGX-UAM outperforms generic UAM by providing resistance to most client attacks, man-in-the-middle (MITM) attacks, phishing attacks, most replay attacks and most denial of service (DoS) attacks to which generic UAM implementations are vulnerable. Specifically, client attacks are prevented by ensuring input security and memory security, where the former is achieved through shuffle mapping and a "periodic hooking" strategy and the latter is mainly guaranteed by Intel SGX; MITM attacks are prevented by transferring ciphertext rather than plaintext; phishing attacks are avoided by authorization control; replay attacks cannot succeed because we adopt OTPs, which contain time-related dynamic factors that expire in a few seconds; as for DoS attacks, we blunt their edge by blocking invocations from identical user connections. SGX-UAM also differs from generic UAM in that it relieves the security concerns of service providers (SPs) and protects users' privacy at little performance cost. An exceptional value of SGX-UAM is that it brings a lightweight OTP solution that eliminates the need for additional hardware devices, thus reducing costs. The experimental results show that SGX-UAM consumes almost the same time as OpenID and OAuth 2.0 for one login request and performs steadily when handling sequential login requests. Furthermore, the resource usage of SGX-UAM is acceptable. |
| ISSN: | 2169-3536 |
| DOI: | 10.1109/ACCESS.2021.3063770 |