Multi-Factor Authentication for Secured Financial Transactions in Cloud Environment

D.Prabakaran and Shyamala Ramachandran

1IFET College of Engineering,Villupuram,605108,Tamilnadu,India

2University College of Engineering-Tindivanam,Tindivanam,604001,Tamilnadu,India

Abstract:The rise of the digital economy and the comfort of accessing by way of user mobile devices expedite human endeavors in financial transactions over the Virtual Private Network (VPN) backbone.This prominent application of VPN evades the hurdles involved in physical money exchange.The VPN acts as a gateway for the authorized user in accessing the banking server to provide mutual authentication between the user and the server.The security in the cloud authentication server remains vulnerable to the results of threat in JP Morgan Data breach in 2014,Capital One Data Breach in 2019,and many more cloud server attacks over and over again.These attacks necessitate the demand for a strong framework for authentication to secure from any class of threat.This research paper,propose a framework with a base of Elliptical Curve Cryptography(ECC)to perform secure financial transactions through Virtual Private Network(VPN)by implementing strong Multi-Factor Authentication(MFA)using authenticationcredentials and biometricidentity.The research results prove that the proposed model is to be an ideal scheme for real-time implementation.The security analysis reports that the proposed model exhibits high level of security with a minimal response time of 12 s on an average of 1000 users.

Keywords: Cloud computing;elliptical curve cryptography;multi-factor authentication;mel frequency cepstral coefficient;privacy protection;secured framework;secure financial transactions

1 Introduction

Virtual Private Network (VPN) is an emerging technology that turns out to be vital among IT professions,research persons,and the common public in terms of employing the data resources through the cloud server.In this modern digital era,the common public utilizes the cloud resources [1] in the form of online financial transactions and as per the survey by Pew report and American Life project,51% of users stated that they utilize cloud computing due to its easiness and convenience in accessing the resources.The Virtual Private Network has multiple distinct attributes like elasticity,metered services,broad network access,on-demand self-service,resource pooling,measured service,etc.One noteworthy application of cloud computing is digital financial transaction using desktop or portable devices like smart phone,laptops,etc.through a cloud server,that drives the economy to scale exponentially.The digital financial transactions [2]are executed by accessing the banking server through a third-party cloud service provider,which provides access by consigning session key on prosperous verification of authentication credentials.The cloud computing in parallel to its notorious advantages also face weak security [3] as it is vulnerable to the attacks [4] introduced by Hackers.Some of the highlighted cyber financial attacks were,RBS World pay Hack (Atlanta,2008),National City Bank breach (United States,2010),U.S Federal Reserve bank of Cleveland breach (United States,2010),Global Payments breach (United States,2011),Brazilian payments system Attack (Brazil,2012),JP Morgan Chase Data Breach (United States,2014),Equifax hack (United States,2017),City Union Bank SWIFT Attack (India,2018),Mexican Bank Theft (Mexico,2018),State Bank of Mauritius (Mauritius,2018),SBI Breach (India,2019),Paypal Accounts linked to Google pay abused (United States &Germany,2020).The hackers target the security credentials by introducing multitudinous means of attacks like Man-in-the-Middle attack,impersonation attack [5],session hijack [6],secure socket layer attack,Denial of Service (DoS) attack [7],eavesdropping [8],password discovery attack and had succeeded in gaining access to the database resources with the authentication credentials earned illegitimately.The Deloitte-India Banking Fraud Survey,edition II,states that 54% of banking attacks were succeeded by hackers in executing the pre-mentioned attacks.Besides,the Quick Heal annual report 2017 mentions that hackers introduce attacks through range of vulnerabilities like Trojan,infectors,worm,Potentially Unwanted Application (PUA),adware,Ransomware.Research has been accelerated in this domain to clear the pit fall of weak security in cloud computing.Despite abundant research and results,the authentication policy [9]prevails weaker and lacks mutual authentication between the user device and cloud authentication servers.The cloud-based authentication server is a multi-cloud server,provide session key to the user on successful affirmation of the authentication process.The hacker manages to gain the session by cracking the authentication verification system.The feeble authentication paves a path to the breach of communication channel security and the integrity of the transmitted data was compromised.The severity of this concern is the motivation for this research work,and its benefaction to resolving this issue is spotlighted as follows.

1.1 Beneficence of the Research Work

(i) This research work proposes a novel framework with Multi-Factor Authentication (MFA)system to strengthen the security using a low entropy password,individual unique biometrics for authentication.

(ii) The influx of Multi-Factor Authentication (MFA) inhibits the hackers from attacking the session by encrypting the credentials and session key by Elliptical Curve Cryptography(ECC).

(iii) This system magnifies the security for third party transactions in the cloud network by preferring voice recognition as an imperative parameter along with customary credentials that include the user name and low entropy password.

(iv) The motive for the preference of voice recognition over different biometrics was these metrics follow image recognition system which can be duplicated whereas the voice recognition has the least possibility of duplication and most recent mobile devices embeds voice sensors for the authentication process.

1.2 Organization of This Research Work

The research paper is organized as follows: Section 2 illustrates the recent research works related to the issues aforementioned in Section 1.1,Section 3 narrates the architecture and the algorithms of the proposed framework followed by the security analysis of the proposed work is done in Section 4.Subsequently in Section 5,the evaluation of proposed system is performed and Section 6 concludes the proposed model.

2 Recent Research Results

Plentiful researchers had introduced several policies to implement a secure authentication process and to thwart hackers from succeeding in their attempt of accessing the cloud resources.

Garg et al.[10] proposed and evaluated a mobile phone-based authentication with a session key agreement approach that provides strong authentication services to SOCKS V5 protocol.This proposed protocol is applicable for mobile devices and employs International Mobile Subscriber Identity (IMSI) number to provide an individual’s unique identification.Xie et al.[11]proposed a novel dynamic ID-based anonymous two-factor authenticated key exchange protocol.The proposed model addresses multi-factor authentication and prevents vulnerabilities like a lost-smart-card-attack,offline dictionary attack,lack of forward secrecy.It supports smart card revocation and password update without centralized storage.Soares et al.[12] depicts a system that supersedes the ATM cards and PINs by the physiological biometric fingerprint and iris authentication.The feature of One-Time Password (OTP) affords confidentiality to the users and unfastens the user from reviving PINs.Hafizul Islam et al.[13] recommended a scheme of maintaining a password table in the server which has weak security against server masquerade attack,insider attack and hence backslides to sustain security.Tao et al.[14] proposed an intricate face authentication task on the devices with limited resources;the emphasis is largely on the reliability and applicability of the system.Both theoretical and practical considerations are taken.The final system has achieved an equal error rate of 2% under challenging testing protocols.Preeti et al.[15]presented a strong security protocol of three-factor remote authentication system to provide better security and is much complex in terms of performance and cost.Hafizul Islam [16] designed a protocol that offers computation cost-efficient and robust three-party Password-based Authentication Key Exchange (3-PAKE).The key confirmation is done using extended chaotic maps and smart card.The protocol has proved to be secure in the random oracle model and is certified through simulation of Automated Validation of Internet Security Protocols and Applications (AVISPA)software tic maps and smartcard.

The following are the gaps identified on the existing system through the literature survey are:

(i) Lack of stringent authentication scheme to secure the session key.

(ii) Complex Protocols with high computational cost and is vulnerable to attacks.

(iii) The fragile authentication policies,benefits the attackers masquerade the verification process.

3 Proposed Scheme

3.1 Preliminaries of Proposed Scheme

The practice of pairing among the factors of two cryptographic groups to the third group with a mapping

where,G1,G2,and GTare the additive cyclic groups of prime order “q”.

The pairing based cryptography satisfies the following properties:

(1) The bilinearity property:

(2) The non-degeneracy policy:

(3) The existence of efficient algorithm for the computation of bilinear pairing function “e”.

The notations in the Tab.1 are used to describe the process throughout the paper.

Table 1:Notations used in proposed model

Table 1:Continued

The aim to design the proposed model that provides a secure platform for the users in performing secured banking transactions using their mobile devices.The proposed model is composed of components namely mobile device,authentication server,banking server,and the user with valid low entropy password and biometric identity.This system has an elasticity of extending with multiple users and multiple banking servers.This model composed of five phases that take account of registration,user verification,voice coefficient extraction phase using MFCC,session key generation,and shielded transaction phase.Fig.1 illustrates the system architecture of the proposed model.In this proposed model,the user Uiaccesses the BSiby registering the low entropy password and biometric identity especially the user’s voice which is unique.The former has to register themselves to the authentication server using a low entropy password and International Mobile Subscriber Identity (IMSI) number while the later register with the authentication server by generating a key pair.

The user Uilogin with password and biometric identity say individual’s voice with the authentication server.The authentication server in turn fetches the IMSI of the user device and verifies the digital signature for proper authentication to provide ticket to user the same that received from banking server.

3.2 Algorithm for Registration and Key Agreement Using Elliptical Curve Cryptography

In the Fig.2,Registration and Key agreement phase were mentioned as registration which involves user’s mobile device (Ui),banking server (BSi) and the authentication server (ASi).This phase performs two process namely registration and key agreement process where the former is secured as the entire process is performed offline whereas the later uses Elliptical Curve Cryptography (ECC) [17] to generate the session key.The Fig.2 characterizes the registration process of user Uiand banking server BSiwith the authentication server in multi cloud ASi.

The algorithm for registration and key agreement is illustrated in Tab.2.

Table 2:Algorithm for registration and key agreement using elliptical curve cryptography

Table 2:Continued

The registration and key agreement algorithm is a notarization algorithm involving generation of private key and public key of banking server BSiand user device Ui.The banking server generates the secret key k3and transmits over the secure channel.

3.3 Algorithm for User Verification

This phase involves user Ui,authentication server ASiand banking server BSithat performs user authentication and credential verification process to provide a secure session key.In the Fig.3,the authentication process between the user Uiand the authentication server ASiis illustrated.In this phase,the Uiprovides low entropy password and the individual unique voice to prove its identity authentication process.The voice has been processed by incorporating Mel Frequency Cepstral Coefficient (MFCC) [18] algorithm.

The algorithm for user verification is exemplified in Tab.3.

The user provides its password,which undergoes authentication check and on successful verification,the user device sends login message to authentication server for authentication process for the grant of session key to the user.

Table 3:Algorithm for user verification

3.4 Algorithm for Voice Coefficient Extraction Using Mel Frequency Cepstrum Coefficient(MFCC)

The voice Vuof the Uiacts as the major credential and is recorded through the Uidevice.The Vuexpress the Uigender,emotion and ease the identification process of Ui.Several voice feature extraction algorithms like Linear Predictive Coefficients (LPC),Mel Frequency Cepstral Coefficients (MFCC) and Relative Spectra filtering of log domain coefficients (RASTA) were in practice,among which the Mel Frequency Cepstral Coefficient (MFCC) algorithm provides better accuracy [19],low error rate,high recognition rate,and faster response subject to utilization of self data set.The MFCC provides better Vucoefficients Viand is well aligned as of human ear’s perception that cannot exceed the frequency limit of 1 KHz.The Fig.4 elucidates the process implicated by MFCC algorithm in extracting the voice coefficients.

The MFCC technique involves pre-emphasis,sampling and windowing process,performing Fast Fourier Transform (FFT),Mel filter bank,performing discrete cosine transform to produce mel coefficients.The MFCC algorithm is executed in MATLAB R2013a version and for the reason that is simpler and creation of better coefficients;the MFCC is implemented in this proposed system to create credentials for authentication process.

The user gratifying the authentication process utilizes session key and providing valid biometric finger print,access BSito perform successful transaction.The MFCC accepts the Ui voice input Virecorded through microphone is continuous in time and is represented as v(t).The algorithm for the voice coefficient extraction using Mel Frequency Cepstrum Coefficient (MFCC)is illustrated in Tab.4.

Table 4:Algorithm for voice coefficient extraction using Mel frequency cepstrum coefficient

Table 4:Continued

3.5 Algorithm for Session Key Generation

This phase involves Ui,ASiand BSito issue secure session key based on successful verification of credentials as the process continuation to authentication checking of authorized Ui.The Fig.4,depicts that the session key generation followed by the request for ticket by the user Uito the bank server BSithrough authentication server ASi.The bank server issues the session key on successful verification of authentication and the ticket is forwarded to user Uithrough the authentication server ASi.

On reception of message M2,the algorithm for session key generation is executed as per illustrated in Tab.5.

Table 5:Algorithm for session key generation phase

3.6 Algorithm for Shielded Transaction Phase

This phase involves Uiand BSito perform a shielded transaction between the Uiand BSias the session key is issued and confirmed to grant a secure transaction.The Fig.5,illustrates the shielded transaction between the user Uiand banking server BSi.The user Uisends the fingerprint minutiae to the banking server and on successful verification the shielded transaction is granted to the user Ui.

1) The Uion applying the unique FPiextracts the features FPi=Minutiae ( ) to encrypt MSG=Evi(FPi||N1||ESKAS(BIDi||N2)) to BSi.

2) The BSidecrypts Dkey(MSG) to acquire (FPi||N1||ESKAS(BIDi||N2) and DSKAS(ESKAS(BIDi||N2) to test BIDi!=BIDiand N2!=N2 leads to termination of transaction while the amend leads to establishment of session and extraction of N1 to execute a successful transaction in triumph of FPi==FP*i.

On successful clearance of authentication process,the authentication server connects the user device with banking server to perform the transaction in a shielded mode.

4 Security Analysis

We put forward that our proposed model has much merits and can defy multiple security threats.

4.1 Theorem 1.The Proposed Model Provides Tough Anonymity Against Man-in-the-Middle Attack

Proof:This type of attack,the attacker attempts to alter the communication between Ui,ASiand BSi.In this case,the proposed system is resistive against this attack as the key q,K1,K2were generated in offline mode.The IMSIiidentity acts as a key to receive information from ASiand BSiwhich is unique and is stored in DBiof ASiin offline mode.Hence the possibility of extracting the IMSIiinformation is very low in this system.Also the ASisends {α,Bi,Di,SNi} over offline mode,even on breaking this information,the attacker feels hard to crack the information as the piis private to the Ui.The threat to M1-M6 were decrypted with {K,Bi,Di,SNi} were stored in Uiresists the attack hardly and has a least probability of success in attack.

The message M1: M1=EK(IMSIi||hi||ri||SNi);M2: M2=Eβ(h2||R||SNj||IMSIi);M3: M3=(Fi||h(IMSIi||BIDi));M4:M4=EKi(PID||N1);M5: M5=EK((PID||N1||BIDi||N2||SKAS);M6: M6=ESKAS(BIDi||N2).

Let we consider,that hacker tends to know the IMSIiof user Ui,and the entire message content through the successful execution of Man in the Middle attack,the hacker needs to know the key “k,β” which were the private keys generated by the ASifor BSiand User device Ui.

4.2 Theorem 2.The Proposed Model Withstands Stolen Sim-Card Attack

Proof:The Uistores the confidential information {K,Bi,Di,SNi} vital for decryption of M1-M6 face a threat of data disclosure on stolen sim card attack.Any attacker on having the confidential stored information and the sim card can involve in man-in-the-middle attack.The proposed model highly withstands stolen sim card attack,as the SKiis generated on verification of Viextracted from Vuwhich is unique to each user.Without generation of SKi,the stolen sim card and details have no more active in associative with the actions of attacker.Furthermore,SNiis invalidated without Vi=MFCC(dct) and this system is invulnerable to stolen sim card attack.

Consider the user device Uihas been lost or stolen by hacker to have an authorized access by an unauthorized user using the device Uiand with IMSIi.

M1: M1=EK(IMSIi||hi||ri||SNi);M2: M2=Eβ(h2||R||SNj||IMSIi);M3: M3=(Fi||h(IMSIi||BIDi));

M4: M4=EKi(PID||N1);M5: M5=EK((PID||N1||BIDi||N2||SKAS);M6: M6=ESKAS(BIDi||N2).

The hacker,knowing the IMSIiinformation is not sufficient to gain the session key illegally as he need to know the other parameters like.

4.3 Theorem 3.The Proposed Model Provides Rigid Secrecy Against Password Guessing Attack

Proof:In this type of attack,the attacker employs cryptanalytic techniques and attempts all probabilities of password against PWi.The attacker gains PWirelated information from DBifor the successful guessing of exact PWibut cannot be able to identify the decryption keys {K,Bi,Di,SNi} which was shared offline among Uiand ASi.The proposed system involves {PWi,Vi,FPi}for successful authentication whereas the later two credentials is highly essential for generating and sharing of SKi.The {Vi,FPi} and biometric sets that are not available in any directories.Thus the attacker even though succeeded in password guessing was blind in {Vi,FPi} flops in generation of SKithat proves the proposed system is highly resistive to password guessing attack.

Consider the hacker succeeds in guessing the low entropy password of User Ui.

M1: M1=EK(IMSIi||hi||ri||SNi);M2: M2=Eβ(h2||R||SNj||IMSIi);M3: M3=(Fi||h(IMSIi||BIDi));

M4: M4=EKi(PID||N1);M5: M5=EK((PID||N1||BIDi||N2||SKAS);M6: M6=ESKAS(BIDi||N2),

The hacker fails in decrypting any of message M1-M6 as it needs information about SNi,BIDi,PID,SKAS which still a short fall for the hacker to succeed in gaining unauthorized access.

4.4 Theorem 4.The Proposed Model Counters Known-Key Attack

Proof:Let’s consider that the attacker hacks the session key,tends to acquire the session illegally leads to failure attempt.The system proves to be rigid against any sort of attacks as the authentication process relies on multiple keys {γ,pi,K1;K2,K3} and is still secure that the final access grant relies on user’s voice print Viand finger print FPi.The fact that the attacker manages to know the key value,the proposed model not only relies on cryptographic keys but also utilize PWi,Vi=MFCC(dct) and Finger print FPi=Minutiae( ).These credentials are essential for the computation and grant of SKito the known Ui.Hence the proposed model is highly rigid towards the known key attack.

M1: M1=EK(IMSIi||hi||ri||SNi);M2: M2=Eβ(h2||R||SNj||IMSIi);M3: M3=(Fi||h(IMSIi||BIDi));

M4: M4=EKi(PID||N1);M5: M5=EK((PID||N1||BIDi||N2||SKAS);M6: M6=ESKAS(BIDi||N2)

Let us consider the hacker encounters with known key attack and is aware of secret keys k,βand can decrypt the message M1 to obtain the session number SNi.To obtain SNi,the user has to undergo successful authentication check with low entropy password,IMSIiand minutiae matching confirmation process.Hence the known key attack proves to be insufficient to gain the illegal access of session key SKi.

4.5 Theorem 5.The Proposed Model Discards Parallel Session Attack and Insider Attack

Proof:The Parallel session attack and the Insider attack in the cloud environment is,the attacker tends to grab the session illegally by gaining information about the keys {γ,pi,K1;K2,K3}.The proposed model engross {α,Bi,Di,SNi} keys which are computed within Uiand were shared in offline mode,which the parallel session attacker is not aware of remains fail in decrypting ((PID||N1||BIDi||N2||SKAS)) and gaining the session to perform transaction.Hence the proposed system discards the parallel session attack and insider attack.

4.6 Theorem 6.The Proposed Model Rebuff Denial of Service(DoS)Attack

Proof:The attacker introduce Denial of service attack in the cloud environment to make the service unavailable to the Uiby flooding the target network with superfluous traffic intends to overload the network.The proposed model is highly resistive to this attack,the ASiexercise N1,N2 value which were time bounded.The session establishment SKitransmits ((PID||N1||BIDi||N2||SKAS)) and the N1 and N2 were time bounded exceeding which the transaction is terminated.Thus the proposed model strongly rebuffs the denial of service attack.

M1: M1=EK(IMSIi||hi||ri||SNi);M2: M2=Eβ(h2||R||SNj||IMSIi);M3: M3=(Fi||h(IMSIi||BIDi));

M4: M4=EKi(PID||N1);M5: M5=EK((PID||N1||BIDi||N2||SKAS);M6: M6=ESKAS(BIDi||N2)

The Denial of Service (DoS) attack proves to be unsuccessful as the half completed request will exhaust due to the nonce value encrypted in all message M1-M6.

4.7 Theorem 7.The Proposed Model Proves Rigid Against Authentication Server Attack or MITC Attack

Proof:The attacker tends to attack the authentication server ASirather than performing other attacks to gain illegal access of a single user.The authentication server attack on becoming success,ease the attacker to gain the access of all the sessions that the authentication server acts as gateway.The proposed model proves highly rigid against the authentication server attack or insider attack as the system possess multi factor authentication system that includes low entropy password,feature extracted from voice print,IMSI identity of authenticated user’s device and user finger print noted as {PWi,Vi,IMSIi,FPi}.The attacker in the authentication server ASimay illegally gain information of {PWi,Vi,IMSIi} as all these secure credentials were verified and communicated through authentication server which is already compromised.The user’s finger print FPiis the final authentication credential that is passed over channel directly to banking server BSiwhere the MiTC attack proves inefficient in gaining the fingerprint FPiinformation.

5 System Evaluation

In this section,we analyzed the proposed system in terms of efficiency and effectiveness based on the key size and strength.The parameters considered for the analysis are the length of IMSIi,length of low entropy password PWi,random numbers and message digest M1-M6 against computing time represented in milli seconds.We had chosen key words of multiple lengths ranges from 160-512 bits to perform the experiment of measuring the efficiency of our proposed system.The Fig.6 illustrates the response of computational time with respect to the key length in bits.For clarity,the IMSIi,random numbers were numerical value whereas the PWiis composed of alphanumerical and special characters.To calculate the actual key length,we convert the key to numerical format as follows

The weight of PWicreated by the Uiis determined by converting the PWiinto an equivalent ASCII code.From Fig.6,it is evident that the increase in key length directly drives computational time proportionally and to achieve a least computational time the summation of key length of PWi,ri,ri,messages (M1-M6) must be short that attenuates the strong security against various attacks.

It is reasonable to select PWi,ri,ri,M1-M6 of average length means neither short nor too long such that to achieve computational time at customary range.In our proposed model,we chose the key length to be 256 bits based on outcome of system analysis.The computation time in the proposed system is classified into three phases namely user login phase,ASiauthentication phase and BSiauthentication phase.The proposed system transmits {M1,M2,M3,M4,M5,M6}between the entities to authenticate the user and this message is of {1024 + 1024 + 128 + 128+ 1024 + 128}=3456 bits which is lesser when compared to the reference model considered in this system.This makes the system to compute faster and to authenticate the user at faster rate such that it is more secured as it consumes least time which is not sufficient for any hacker to perform brute force attack.The proposed system provides high level of security as it involves user’s unique biometric identities namely user voice coefficient and fingerprint along with the low entropy password to authenticate the right user.

As explained earlier,the MFCC algorithm employed here performs hamming window to extract the Mel frequency coefficients from unique voice sample Viwhich has high response towards all range of frequencies.The Fig.7 depicts the feature point extraction from the voice print Vu.The hamming window detects and corrects the discontinuities in the start and end of voice sample to obtain the accurate Mel coefficients from the Vi.

In the proposed system,the nonce period is 60 s and from the Fig.8,it is clear that the proposed system utilize maximum of 12 s to respond for 1000 user requests.Hence the proposed system is proven to be highly robust against Denial of Service attack.

6 Conclusion

The authentication verification and secured transmission in the cloud network is a biggest challenge for which our proposed model,identity based secured transmission using MFCC algorithm provides better results and withstand various types of attacks in cloud environment.Our proposed system is efficient that proves its rigidity against any attacks and afford secured session key and mutual authentication to perform secure transmission over insecure network.As the protocol provides session key security,this protocol supports efficient practical applications in cloud network.The system has a capability of enhancing the security feature by safeguarding the credentials in authentication server database DBibe the future development to provide strong protection against any attack in particular the Man in the Cloud (MiTC) attack.

Funding Statement: The authors received no specific funding for this study.

Conflicts of Interest: The authors declare that they have no conflicts of interest to report regarding the present study.