Securing Communication 2FA Using Post-Quantic Cryptosystem: Case of QC-MDPC- Mceliece Cryptosystem

Kouraogo Yacouba (LabMiA-SI, Faculty of Sciences, Mohammed V University in Rabat, Rabat, Morocco), Orhanou Ghizlane (LabMiA-SI, Faculty of Sciences, Mohammed V University in Rabat, Rabat, Morocco) and Elhajji Said (LabMiA-SI, Faculty of Sciences, Mohammed V University in Rabat, Rabat, Morocco)
Copyright: © 2020 |Pages: 14
DOI: 10.4018/IJISP.2020040106

Abstract

Many financial institutions interact with their customers via the short message service (SMS), which is today one of the fastest and most powerful means of communicating information around the world. This information can sometimes be an access code, such as the one-time password (OTP) used for two-factor authentication (2FA), or banking information and personal identities. All this data is confidential, and sending it by SMS is a major weakness, since the SMS service does not encrypt data during network transmission or on the mobile device. Recently, OTPs sent via SMS have suffered from strong attacks that intercept messages. In order to avoid these attacks and offer effective content security for 2FA credentials sent via SMS, the authors propose an SMS encryption mechanism using the post-quantum quasi-cyclic MDPC cryptosystem and an electronic signature of the OTPs. Finally, this article presents an implementation and a security analysis of the proposal.

Introduction

Nowadays, many organizations and companies operate online. Commercial institutions, banks and many other parts of society are taking advantage of the benefits of e-business by opening access to their networks and services to employees, partners and customers. Thus, mobile devices are used today as an alternative means of authentication for online transaction systems.

In this context, the traditional login/password authentication mechanism is not considered secure enough for many security-critical applications, such as online banking. Two-factor authentication (2FA) systems promise a higher level of protection by extending the authentication factors to what the user owns (a hardware token or a smartphone) or who the user is (biometrics) (Dmitrienko, Liebchen, Rossow, & Sadeghi, 2014). However, today, it is very easy to carry out increasingly sophisticated attacks on 2FA systems, which not only compromise a device (PC) but also take control of other devices (Mulliner, Borgaonkar, Stewin, & Seifert, 2013). On the other hand, biometric authentication is relatively expensive. Hardware tokens such as OTP generators (Schartner & Burger, 2011) are cheaper, but still generate additional costs for users. In this context, one-time passwords (OTPs) offer a promising alternative for 2FA systems. Thus, 2FA systems that use mobile devices (such as smartphones) to manage OTPs have become popular recently and have been adopted by many banks and major service providers. These mobile 2FA systems are considered to offer an appropriate compromise between security, ease of use and cost. An important example of mobile 2FA is SMS-based TAN (Transaction Authentication Number) systems, such as mTANs, smsTAN and mobileTANs.

Unfortunately, today, SMS OTP cannot be considered secure, for two different reasons:

  1. First, the security of SMS OTP relies on the confidentiality of SMS messages, which depends heavily on network security. Several attacks against GSM and even 3G networks have shown that the confidentiality of SMS messages is not offered by default;

  2. Second, attackers have adjusted and created specialized trojans for mobile phones (Maslennikov, 2018; Klein, 2017) in order to recover the OTPs, since many service providers have adopted SMS OTP to secure transactions (Mulliner, Borgaonkar, Stewin, & Seifert, 2013).

Today, there are several mechanisms for encrypting SMS content using cryptography based on hard mathematical problems such as factorization and the discrete logarithm. However, a quantum computer, which could have much higher computational power than conventional computers, would be able to break most conventional cryptosystems based on the discrete logarithm and factorization problems. To anticipate and solve this security problem, the authors propose to use post-quantum cryptography, which would a priori be resistant to the quantum computer. Thus, in this paper, they use post-quantum cryptography to ensure the confidentiality of information such as SMS OTPs transmitted over the unsecured public channel. They propose an SMS encryption mechanism using the quasi-cyclic MDPC (QC-MDPC) version of the McEliece cryptosystem and an electronic signature of OTPs based on elliptic curves, ECDSA (Elliptic Curve Digital Signature Algorithm).

After presenting the various existing research works in section 2, the authors briefly describe the cryptosystems used in their proposal. In section 4, they present their proposed SMS-based 2FA system using post-quantum cryptosystems. Finally, the authors present an implementation of their proposed system and a discussion of security issues.
