Application authentication is typically performed using some form of secret credentials such as cryptographic keys, passwords, or API keys. Since clients are responsible for securely storing and managing the keys, this approach is vulnerable to attacks on clients. Similarly, a centrally managed key store is also susceptible to various attacks and, if compromised, can leak credentials. To resolve such issues, we propose an application authentication scheme in which we rely on an application's unique and distinguishable behavior to lock the key during a setup phase and unlock it for authentication. Our system adds a fuzzy-extractor layer on top of current credential authentication systems. During the key enrollment process, the application's behavioral data, collected from various sensors in the network, is used to hide the credential key. The fuzzy extractor releases the key to the server if the application's behavior during authentication matches the behavior collected during enrollment, with some noise tolerance. We designed the system, analyzed its security, and implemented and evaluated it using 10 real-life applications deployed in our network. Our security analysis shows that the system is secure against client compromise, vault compromise, and feature observation. The evaluation shows the scheme can achieve a 0 percent False Accept Rate with an average False Rejection Rate of 14 percent, and takes about 51 ms to successfully authenticate a client. In light of these promising results, we expect our system to be of practical use, since its deployment requires zero to minimal changes on the server.
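The lock/unlock idea described in the abstract, shown as an added example that is not the authors' code: a code-offset fuzzy extractor that hides a key under a behavioral bit vector and releases it only when a later observation is close enough. Assumptions: the abstract does not say which construction or feature encoding the paper uses, so the repetition code, the SHA-256 verifier tag, the names `enroll`/`unlock`, and the binarised feature vectors are all illustrative choices.

```python
from __future__ import annotations
import hashlib, hmac, secrets

R = 5  # repetition factor: each key bit is spread over R behaviour bits

def _bits(data: bytes) -> list[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]

def _bytes(bits: list[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))

def enroll(key: bytes, features: list[int]) -> dict:
    """Lock `key` under the behaviour bits observed at enrollment."""
    codeword = [b for b in _bits(key) for _ in range(R)]
    if len(features) != len(codeword):
        raise ValueError("need R feature bits per key bit")
    salt = secrets.token_bytes(16)
    return {  # the vault stores neither the key nor the features
        "helper": [c ^ w for c, w in zip(codeword, features)],
        "salt": salt,
        "tag": hashlib.sha256(salt + key).digest(),  # assumed verifier
    }

def unlock(vault: dict, features: list[int]) -> bytes | None:
    """Release the key only if `features` is close to the enrolled ones."""
    if len(features) != len(vault["helper"]):
        return None
    noisy = [h ^ w for h, w in zip(vault["helper"], features)]
    # Majority vote per block corrects up to R // 2 flipped bits.
    key = _bytes([int(sum(noisy[i:i + R]) > R // 2)
                  for i in range(0, len(noisy), R)])
    tag = hashlib.sha256(vault["salt"] + key).digest()
    return key if hmac.compare_digest(tag, vault["tag"]) else None

def demo() -> tuple[bool, bytes | None]:
    key = secrets.token_bytes(16)
    # Constructed sample data standing in for binarised sensor features.
    enrolled = [secrets.randbelow(2) for _ in range(len(key) * 8 * R)]
    vault = enroll(key, enrolled)
    same_app = list(enrolled)
    for i in range(0, len(same_app), R):  # one noisy bit in every block
        same_app[i] ^= 1
    other_app = [b ^ 1 for b in enrolled]  # behaviour far from enrollment
    return unlock(vault, same_app) == key, unlock(vault, other_app)

if __name__ == "__main__":
    print(demo())
```

The repetition code keeps the example short; within each block the helper data reveals the XOR relations between feature bits, so a deployment would use a stronger error-correcting code and features with enough entropy.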