
978-1-4799-5380-6/15/$31.00 ©2015 IEEE


Comparison of Security Algorithms in Cloud Computing

Dinesh Devkota, Prashant Ghimire, Dr. John Burris, and Dr. Ihssan Alkadi

Southeastern Louisiana University

SLU Box 10847 Hammond, LA 70402

985-549-2037 [email protected]

Abstract—The need for simple security mechanisms for cloud computing systems that are being used by non-technical users is increasing in importance as cloud systems are becoming more widely accepted by these users. With cloud computing, data is stored on and delivered across the Internet infrastructure. The owner of the data has no knowledge of where this data exists on the network or geographically. The owner, therefore, does not control, or even know, where their data is being stored. Additionally, in a multi-tenant environment, it may be very difficult for a cloud service provider to provide the level of isolation and associated guarantees that are possible with an environment dedicated to a single customer. Unfortunately, developing a security algorithm that outlines and maps out the enforcement of a security policy and procedure can be a daunting task. A good security algorithm presents a strategy to counter the vulnerabilities in a cloud system. This paper introduces a new security mechanism that will protect cloud computing services against breaches and intrusions. Existing techniques for securing servers used for cloud computing and storage of data will be surveyed. In addition to these techniques, a newly developed technique for security in cloud-based servers (MIST) will be described in detail. Because cloud systems are relevant to gathering sensitive information in aerospace platforms, the techniques will also need to prevent common attacks through weak password recovery, retrieval, authentication and system hardening; otherwise hackers will be able to compromise even the protected systems. In the case of security breaches, it would be advantageous to include the capabilities of the MIST algorithm (Alkadi). The MIST algorithm is named after the condensation from clouds that forms a layer before entering the cloud.

TABLE OF CONTENTS

1. INTRODUCTION ................................................. 1
2. BACKGROUND ................................................... 2
3. COMPARISON WITH OTHER SECURITY ALGORITHMS ................ 2
4. MIST ................................................................ 2
5. IMPLEMENTATION DETAILS ............................. 3
6. ANALYSIS .......................................................... 4
7. APPLICATIONS .................................................. 5
8. CONCLUSION ..................................................... 5
REFERENCES ......................................................... 6
BIOGRAPHY .......................................................... 6

1. INTRODUCTION

The aerospace industry is starting to see an increased integration of cloud computing technology. From supply chain management to maintenance/repair scheduling, cloud computing has become central to the day-to-day operations of the industry. However, in the era of the 24-hour news cycle, the failure of online security techniques for protecting user data is becoming more relevant to the users of cloud technology. This includes pilots, technicians, and administrators within the aerospace industry. What the news stories often gloss over is that one of the most common techniques for gaining unauthorized access to online accounts is social engineering to bypass password reset security. As significant numbers of online user accounts are compromised through this social engineering, we are studying the current password reset technologies that are being used by many major websites. We will be comparing these existing security algorithms with the MIST algorithm that was developed by Ihssan Alkadi at Southeastern Louisiana University.

MIST is a security algorithm with a security question/answer system that allows an authorized person to access their account, aids in the memorization process to remember their account login credentials, and limits the effectiveness of social engineering to bypass the system. In the MIST algorithm, when a user logs in for the very first time, they are prompted with three questions and, for each of those, they can choose very specific multiple choice answers. After the user provides answers to all given questions, the cloud system uses the MIST algorithm for password recovery. If a user forgets their password, they are given sixteen seconds to pick the correct answer for each of the security questions that were initially set up. With MIST, the answer to the security question is shown randomly shuffled with other possible answers of the same category. For instance, if the user sets his/her security question as "What is your favorite laptop brand?", the MIST algorithm provides fifty (as of now) different laptop brands as possible answers, among which all the choices, including the correct answer, are positioned at random spots. When a user selects all three correct answers, they are redirected to reset their password. While using MIST to reset a password, a user is only allowed a preset number of attempts at answering the questions. An attempt is counted each time a user answers a question incorrectly. The individual user's account becomes locked after the set number of attempts has been reached. The user would then have to contact a server administrator, providing additional credentials, to have their account unlocked. These additional credentials could be a state-issued driver's license or a student identification card. This method would allow enhanced security while maintaining the integrity of the data stored on the server by the user.

2. BACKGROUND

Different technologies are being created and are in constant competition to meet the demands of users who are generally "busy". The selling points of these technologies are how they are able to address these demands without adding more to any workloads. One of the demands often discussed is that users want to have their digital information accessible from anywhere at any time. This information includes documents, audio libraries, and more. Users also demand the ability to manage, edit and update this information regardless of physical location. Somewhat recently, mobile devices such as laptops, tablets and smartphones have provided these abilities. This is no small feat, as vendors and providers have reduced the size of these devices to increase mobility. However, as the amount of personal information that users want to access has grown exponentially, manipulating and storing it requires more capable devices. To meet increased demand, increasing the capabilities of mobile devices may be impractical. Making mobile devices more powerful without technological advancement would require that the device be larger and use more resources, such as battery life and processing power, to function properly. Storing all of a user's information on a mobile device that travels everywhere they go also adds vulnerability. The best technical solution to keeping a user's information accessible is some sort of online storage where they can store, manipulate and retrieve their data. This is one of the most practical applications of the concept of cloud computing. As storage capabilities and Internet bandwidth have increased, so has the amount of personal data that users store online. Today, the average user has millions of bytes of data online. They can access it everywhere and whenever they need it. With greater adoption, people want their data safe and secure to maintain their privacy.

As the user base has grown in size, the security of personal data has become increasingly important. As soon as someone's data is on a remote server, unauthorized users, or "hackers", may have many opportunities to compromise it. As the online server needs to be up and running all the time, the only way to secure the cloud server is for every user to use better passwords. At some point, flaws in the password retrieval system can also help unwanted users get their way to other people's personal data. Thus, the password retrieval system should also be free from any loopholes and vulnerabilities.

3. COMPARISON WITH OTHER SECURITY ALGORITHMS

Fingerprint, Retina Scan, and Facial Recognition

Fingerprint, retinal scanning and facial recognition systems are some of the most advanced security systems in the world. Since no two people's fingerprints are the same, not even those of identical twins (who share exactly the same genes) …(28, Plants), fingerprints are one of the best biometric authenticators to use as a password for protected systems. Unfortunately, the installation of fingerprint scanners is not always applicable to Internet applications. The same issues apply to retinal scanning and facial recognition systems. Considering the recent Apple iCloud hacking incident, it may not be a good idea to store a user's unique data on the web until such technologies become mainstream and unbreakable. MIST has been developed and implemented for use in protected cloud systems. It works around existing technology.

Traditional Security Question

Traditional security questions and answers make the user type in the answer to a standard question that the user answered during setup. The problem with this system is that the answer is checked with the help of regular expression engines, meaning the answer provided by a user should be identical to what was set during initial setup. By nature, human beings tend to forget the exact answer, and it is often the same as typing a password. Most of the time, a user needs multiple attempts to answer the question correctly. Since MIST is an enhanced security question and answer algorithm, it gives a hint of the answer and helps users figure out the answer. It eliminates the hurdle of typing the exact same answer while still granting access to an account. It is explained further in Section 5.

4. MIST

MIST is an implementation of a secret question and answer system that uses predetermined questions with a number of possible answers for each question. During the development of MIST, multiple approaches were developed. The first iteration was a setup where a user could manually set up security questions. Even more, they could set any custom answers to those questions. The MIST algorithm had to show the answer that the user set up among a group of fifty other similar answers. For example, if a user set his security question as "What is your birthplace street address?", the MIST application was able to take any custom answer from the user. But the problem arose when the custom answer had to be shown among the group of fifty buttons. A weakness was discovered in how the first iteration created the similar answers for a custom question setup. Improving the similar-answer selection was determined to be outside of our research scope. Through trial and error and some careful consideration, the current iteration maintains a fixed set of three questions for all accounts. The initial question selection was:

1) What is your favorite car brand?

2) Which country would you like to visit one day?

3) What is your lucky number between 1-100?

These questions have generic answers. The important thing these improvements achieve is to avoid having users manually set up security questions and answers and, more importantly, to put our work within the research scope of this work.

Additionally, for those three questions, a random list of fifty possible answers will always be populated on the answer selection screen.

Figure 1 - User is prompted to choose answers to security questions

To address another security weakness, an additional layer was added to this version of MIST. This security layer will not allow the user to try resetting their password more than five times. There are three questions to answer in a row, and the user has five chances to get them right. If the user fails to choose the correct answer for any of the security questions, they will be redirected to the home page and will have to start over again. For each wrong answer they provide for any of those three security questions, they lose one chance out of five. If they cannot make it through using all of their five attempts, their account will be locked down and they will not be able to continue with the password reset process. They will have to contact the administrator to regain access to their account.

In reality, the improvements in the second version of Mist were focused on solving different security vulnerabilities in the first version. Although at first glance limiting the answer choices appears to increase the vulnerability of the system, it was the best way to address the weaknesses of the method. In addition, the changes reduced the susceptibility of the user to social engineering attacks. Since Mist is designed for user friendliness, ease of use must be second in priority after security. There is still a very small chance of guessing the correct answers for all three questions in a row, but considering the user friendliness of Mist, the modifications are reasonable and justified.
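The reset flow described in this section (three fixed questions, fifty displayed answers, sixteen seconds per pick, five chances shared across the questions, and a lockout that only an administrator clears), modelled as an added Python example; this is not the paper's PHP/OwnCloud code. The class name MistRecovery, the constant names and the candidate pools are assumptions, and the decoys are drawn once at setup, which is the hardening Section 6 proposes.

```python
import secrets

# Fixed questions from Section 4 of the paper.
QUESTIONS = (
    "What is your favorite car brand?",
    "Which country would you like to visit one day?",
    "What is your lucky number between 1-100?",
)
DISPLAYED_ANSWERS = 50       # correct answer plus 49 decoys per screen
MAX_FAILED_ATTEMPTS = 5      # five chances shared across all three questions
ANSWER_TIMEOUT_SECONDS = 16  # time allowed to pick each answer


class MistRecovery:
    """Server-side state for one account's MIST password-recovery flow
    (hypothetical class, not the paper's implementation)."""

    def __init__(self, pools, chosen, rng=None):
        # pools: one candidate-answer list per question (the "fifty laptop
        # brands" style category); chosen: the answer picked at setup for each.
        if len(pools) != len(QUESTIONS) or len(chosen) != len(QUESTIONS):
            raise ValueError("need exactly one pool and one answer per question")
        for pool, answer in zip(pools, chosen):
            if answer not in pool or len(pool) < DISPLAYED_ANSWERS:
                raise ValueError("chosen answer must be in a pool of >= 50 answers")
        self.rng = rng if rng is not None else secrets.SystemRandom()
        self.chosen = tuple(chosen)
        self.failed = 0          # wrong or late picks so far
        self.locked = False
        self.position = 0        # index of the question currently shown
        # Hardening from Section 6: draw the 49 decoys once, at setup, so every
        # later reset attempt shows the same 50 answers and repeated screens
        # reveal nothing about which one is correct.
        self.screens = tuple(self._build_screen(p, a) for p, a in zip(pools, chosen))

    def _build_screen(self, pool, answer):
        decoys = [a for a in pool if a != answer]
        shown = self.rng.sample(decoys, DISPLAYED_ANSWERS - 1) + [answer]
        self.rng.shuffle(shown)   # the correct answer lands on a random spot
        return tuple(shown)

    def current_screen(self):
        """Question text and its 50 displayed answers, or None if locked."""
        if self.locked:
            return None
        return QUESTIONS[self.position], self.screens[self.position]

    def answer(self, pick, elapsed_seconds):
        """Process one pick. Returns 'next', 'reset_allowed', 'restart' or 'locked'."""
        if self.locked:
            return "locked"
        in_time = elapsed_seconds <= ANSWER_TIMEOUT_SECONDS
        if in_time and pick == self.chosen[self.position]:
            self.position += 1
            if self.position == len(QUESTIONS):
                self.position = 0        # all three right: allow the reset
                return "reset_allowed"
            return "next"
        # Wrong or late pick: one of the five chances is spent and the user
        # is sent back to the first question.
        self.failed += 1
        self.position = 0
        if self.failed >= MAX_FAILED_ATTEMPTS:
            self.locked = True           # an administrator must unlock
            return "locked"
        return "restart"
```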

5. IMPLEMENTATION DETAILS

The initial build for the MIST environment utilizes VMware's virtualization platform in concert with an enterprise grade server to meet the goals of building this solution on the latest enterprise software and hardware infrastructure.

Hardware: Dell PowerEdge Server, RAID 1 Data Store

Hypervisor: VMware ESXi 5.5.0. The hypervisor, or virtual machine monitor, is a software application that manages the server's virtual machines. The machine running the hypervisor is called the host machine, and each virtual machine is called a guest machine. Running Mist requires multiple simultaneous virtual machines.

OS: Debian 7.2 (Wheezy). Debian is a well-accepted Linux distribution that is well suited for network and server applications.

Software: When the web application implementing the Mist algorithm was developed, different existing applications and programming languages were used. PHP was used as the server side programming language. PHP is an open-source server side language that couples very well with another open-source database software, MySQL. Another reason to use PHP is that changes had to be made to the OwnCloud Web Application, which is written in PHP. Instead of just using the basic installation of OwnCloud, changes were made to fit Mist. All of the technologies used in this implementation are free of monetary cost and open source. Below are brief descriptions of the technologies that we used to develop our application implementing Mist. Since the listed software are mostly well-accepted open source projects, links to these applications are not included in this paper. The copyright protection for these technologies will be closely analyzed to determine if all or part of Mist will be open source as well.

Apache Web Server: Apache is an open source HTTP web server application, commonly referred to as just Apache. It is the most popular web server in use and serves more than half of the websites on the Internet today. It is common on UNIX-like systems such as CentOS, Ubuntu and BSD. It is freely available under the Apache License 2.0.

MySQL: MySQL is the most popular open source database software. It is also an essential part of the LAMP (Linux, Apache, MySQL, PHP/Perl/Python) stack, which is a prominent combined installation on servers. It is a Relational Database Management System and is free of cost for the installation as well as the documentation. PHPMyAdmin is a web interface which makes using MySQL easier.

OwnCloud: OwnCloud is one of the important pieces of software that was used to set up the cloud server. OwnCloud is a free and open-source application that enables its users to store their files and information on the cloud server. It also has a mobile application that gives access to user data directly from mobile devices such as phones and tablets. The Mist security algorithm is implemented within the OwnCloud application.

6. ANALYSIS

The Mist algorithm was subjected to a blind intrusion test by a researcher with experience in the use of both social engineering and automated hacking techniques. The first iteration of testing showed significant weaknesses in the implementation. The standard question used was "Which street did you grow up on?" This question was weak to the same social engineering approaches used to break traditional security question and answer schemes. In the first test, someone from another country had set up the account. Knowing the country and city of origin of the user, a screenshot of the possible answers was combined with knowledge from Google Maps to determine that there were only two valid answers among the 50 provided. The total number of attempts to break the security layer was two. The current iteration of Mist still has some weaknesses. The number of possibilities for answer selection can be stated rather straightforwardly. With three questions, each with fifty independent possible answers, we know by the multiplication principle that there are 125,000 possible answer combinations. Further:

$$\frac{1}{50} \times \frac{1}{50} \times \frac{1}{50} = \frac{1}{125{,}000} \quad \text{or} \quad 0.000008\% \qquad (1)$$

This seems to be a reasonable strength for a security algorithm. However, a survey or test must take place to ensure that the distribution of answers is even amongst all of the possible answers. For example, the "lucky number" answer is more likely to land on a user's birth year, graduation year, child's birth year, or wedding day. Some numbers, such as 42 and 69, could also be more likely to be chosen as a user's lucky number. Through question selection or answer refinement, the answer distribution should be made as even as possible in order to maintain the 0.000008% chance of selecting the correct answer. Eventually, the development of additional questions could aid in the user's answer retention. Each question should be evaluated based on the following criteria: 1) the even distribution of the answers and 2) the susceptibility of the question to social engineering from social media and other public information.

Figure 2 - Answer selection in Mist

Another weakness in the current implementation is that the number of displayed answers is less than the number of possible answers. As a user attempts to reset the password for an account, the Mist algorithm selects 49 random possible answers in addition to the correct answer. A browser plugin was developed to highlight answers that were repeatedly displayed. Each wrong answer has a 50% chance of being randomly selected for display with each additional reset attempt. With each attempt, the number of possible correct answers was statistically reduced by half. A simple alteration could address this weakness by selecting the randomly chosen wrong answers during setup and displaying the same answers for each login attempt.
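An added simulation (not the authors' browser plugin or Mist code) of the weakness just described and of the proposed fix: the candidate set an observer is left with after intersecting the answers shown on successive reset attempts. The pool of 99 constructed answers, the correct answer and the function names are assumptions.

```python
import random

# Constructed answer pool: 99 candidates, so after the correct answer is
# removed 49 of the 98 decoys are drawn for each screen and every decoy has
# exactly a 50% chance of appearing, matching the figure given in Section 6.
POOL = tuple(f"brand-{i:02d}" for i in range(99))
CORRECT = "brand-42"      # the answer fixed at setup (constructed)
DISPLAYED = 50            # answers shown per screen


def redrawn_screen(rng):
    """Current Mist behaviour: 49 fresh random decoys plus the correct answer."""
    decoys = [a for a in POOL if a != CORRECT]
    return frozenset(rng.sample(decoys, DISPLAYED - 1)) | {CORRECT}


def fixed_screens(rng, attempts):
    """Proposed fix: decoys drawn once at setup and reused on every attempt."""
    screen = redrawn_screen(rng)
    return [screen] * attempts


def surviving_candidates(screens):
    """What someone who saw every screen still cannot rule out.

    The correct answer is on every screen, so it is always in the intersection;
    a decoy survives only if it happened to be drawn every single time.
    Returns the final candidate set and its size after each attempt."""
    remaining = None
    sizes = []
    for screen in screens:
        remaining = screen if remaining is None else remaining & screen
        sizes.append(len(remaining))
    return remaining, sizes


def simulate(attempts, redraw, seed=2015):
    """Run `attempts` reset screens with or without redrawing the decoys."""
    rng = random.Random(seed)   # seeded so the run is reproducible
    if redraw:
        screens = [redrawn_screen(rng) for _ in range(attempts)]
    else:
        screens = fixed_screens(rng, attempts)
    return surviving_candidates(screens)


if __name__ == "__main__":
    for redraw in (True, False):
        _, sizes = simulate(5, redraw)
        label = "redrawn decoys" if redraw else "fixed decoys  "
        print(f"{label}: candidates after each attempt = {sizes}")
```

With redrawn decoys the candidate list roughly halves on every attempt, as the paper observed; with decoys fixed at setup it stays at 50 no matter how many screens are seen.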

7. APPLICATIONS

Helping the right user get access to their account

There are times in many people's lives when they forget their password, and they even forget their answer to security questions in traditional security question and answer systems. For instance, suppose a user was given the security question "What is your pet's name?" and the pet is named Jackie. There is a chance that the user will not just answer Jackie. Instead, the answer could be grumpy Jack, Jackie the Cat, or cute jackie. In scenarios like this, even the owner of an account may not be able to answer the security question properly.

With the Mist question and answer system, the user will be better able to recognize the security answer that was given during setup. This claim is backed by previous psychological research. Given the right words, memory generally helps people figure out the right answer. In many instances, our ability to retrieve stored memories hinges on having an appropriate retrieval cue. A retrieval cue is a clue, prompt or hint that can help trigger recall of a stored memory. [1]

Helping users with high stress or fatigue

The aerospace industry is a perfect example of users who need access to accounts under conditions that include stress and fatigue. Airline travel and operation are synonymous with stressful conditions. With longer duration flights, fatigue is also a tremendous factor in user behavior. During these times, users can easily forget their passwords to an account they have not logged into for a while, because during highly stressed periods people experience conditions similar to a memory disorder. Under these conditions, MIST can help them get into their account, as it is a quick and secure method of resetting their password. Mist accomplishes this by adding clues and context. The selection of questions is key to giving the user a familiar area to recall. For instance, a favorite car manufacturer is unlikely to change over time. If a user thinks about the general category, the time, or the people involved, that information will provide a clue about the specific details the person is trying to recall. [2]

Future: Facebook’s MIST-esque account recovery.

Facebook is a social media website with more than one billion active users every month. When you lose your password for Facebook, there are ways you can regain access to your account. One of the ways to recover your password is to recognize the facial images of the user's friends or social media connections. When a user does not have a phone number associated with the account, they have that option as well. One needs to recognize at least three friends successfully in order to be able to reset the password. The pain with that system is that sometimes a user is not able to recognize friend photos, because Facebook does not have a standard for uploading photos so that it can correctly show tags that one can recognize.

Two-factor authentication and MIST

Two-factor authentication is the use of multiple independent factors to verify the identity of a user. With each factor, a different approach to verifying identity is used, so the approaches to stealing that identity must also be different. For example, a biometric system measures the biological indicators of identity to grant access into a system. Mist measures the knowledge of the user’s personal information to verify the identity of the user. [5]

Two-factor authentication not only increases the diversity of the information required to compromise a system, but it also decreases the mathematical chances of compromise by the multiplication principle. This can be extended beyond two factors. With each additional factor, the security is increased. Mist, being as unobtrusive as it is, is a perfect candidate for integration into existing multifactor authentication systems.

Budget conscious security upgrades

The Aerospace industry has enough expenditures with physical security. For any technology requiring user accounts, the addition of the Mist algorithm to existing systems would require a minimal amount of spending. Implemented using free software and having an approach that is unobtrusive to existing security systems provides a budget conscious approach to upgrading security.

8. CONCLUSION

This work has presented a new method for verifying the identity of users of cloud computing resources during the process of identity verification. The Mist algorithm uses three previously determined questions with at least 50 previously determined answers for each question. These changes to traditional question and answer systems provide a user with a much easier way to verify their own identity while reducing the susceptibility of the system to social engineering techniques used to compromise security and user accounts.

The Mist system has been implemented and is currently in use at Southeastern Louisiana University as a way for users of the OwnCloud system to recover their passwords. It was implemented using primarily free and open source software.

In the future, the details of the implementation will be evaluated using experiments and surveys of existing users. Additional question and answer combinations, as well as answer times and the number of attempts allowed, will also be evaluated. This will be extended to be more applicable to existing cloud computing technologies in the aerospace industry.

Figure 3 - Mist password recovery screen.

REFERENCES

[1] D. Myers, Psychology, 10th Edition, Worth Publishers, December 2011.

[2] K. M. Heilman, L. Doty, J. T. Stewart, D. Bowers, and L. Gonzalez-Rothi, "Helping People with Progressive Memory Disorders: A Guide for You and Your Family," University of Florida Health Science Center.

[3] A. K. Jain, A. Ross, and S. Prabhakar, "An introduction to biometric recognition," IEEE Transactions on Circuits and Systems for Video Technology, vol. 14, no. 1, pp. 4-20, Jan. 2004.

[4] J. Constine, "Facebook Has Users Identify Friends In Photos To Verify Accounts, Prevent Unauthorized Access," http://www.insidefacebook.com/, 2010.

[5] F. Aloul, S. Zahidi, and W. El-Hajj, "Two factor authentication using mobile phones," IEEE/ACS International Conference on Computer Systems and Applications (AICCSA 2009), pp. 641-644, 10-13 May 2009.

BIOGRAPHY

Dinesh Devkota is a student of Southeastern Louisiana University in Hammond, LA. He is currently pursuing a bachelor of science in computer science with a concentration in Information Technology. He is currently employed as a web and mobile app developer.

Prashant Ghimire is pursuing a bachelor of science degree in Computer Science at Southeastern Louisiana University. He is currently working in systems administration and client connectivity for the university as an undergraduate student.

John Burris is an Assistant Professor of Computer Science at Southeastern Louisiana University. He received his B.S. in Computer Science from Louisiana Tech University in 2003 and his Ph.D. in Computer Science from Louisiana State University in 2012. His research areas include software engineering, networking and high performance computing.

Ihssan Alkadi is on the faculty at Southeastern Louisiana University. He works in the Computer Science Department (CS-IT). He received his BS degree in Computer Science at SLU in May 1985. In May 1992 he earned his MS in Systems Science from Louisiana State University (LSU). He earned his doctoral degree in Computer Science at LSU in May 1999. His research interests include testing in object oriented systems, systems validation, and system verification. His current research is in Cloud Computing Security and Cybersecurity. He is an active IEEE member.
