A secure mobile phone-based interactive logon in Windows

Sammanfattning: Password-based logon schemes have many security weaknesses. Smart card and biometric based authentication solutions are available as a replacement for standard password-based schemes for security sensitive environments. However, the cost of deployment and maintenance of these systems is quite high. On the other hand, mobile network operators have a huge base of deployed smart cards that can be reused to provide authentication in other areas significantly reducing costs. This master’s thesis presents a study of how the workstation identity management can be made more secure and user-friendly by using a mobile phone in the Windows workstation logon process. Two workstation logon schemes that utilize both the mobile phone and the UICC inside of the phone are proposed as a result of this study. The first scheme emulates a smart card reader and a smart card in order to interoperate with the Windows smart card framework to provide PKI-based logon. The mobile phone with the UICC card emulates a smart card that communicates with the emulated smart card reader via protected Bluetooth channel. The proposed scheme reuses the Windows smart card infrastructure as much as possible, both in terms of software and hardware. Therefore, a seamless integration with Active Directory and Window server is achieved. This scheme can work with any authentication scheme used with real smart cards. It can be used not only for the logon but also for all other functions typically done with smart cards (e.g. signing of documents, e-mails). In the second scheme, the mobile phone with the UICC serves as a token for generating OTP values based on a shared secret key and the time parameter. In order to design Windows logon architectures based on mobile phones, a study of relevant technologies, components, and their security aspects has been conducted. Existing phone-based authentication schemes have been thoroughly studied both from the usability and from the security points of view. This has been done to understand possible alternatives for different aspects of the architectures that were designed. The thesis analyzed how new authentication schemes in general and those that work with mobile phones in particular could be integrated into the Windows logon system. A conclusion is made that it is impossible to make a generic architecture that would easily support all existing and possible future mobile phone authentication schemes for the Windows logon. Windows is already a highly customizable environment and can support virtually any authentication scheme for the logon, though a considerable amount of modifications may be required to implement a particular scheme.