NFC-based User Authentication Mechanisms for Personalized IPTV Services

基於近場通訊技術且適用於 IPTV

個人化服務之使用者身分鑑別機制

NFC-based User Authentication Mechanisms

for Personalized IPTV Services

Student : Chun-Kai Wang (王雋凱)

Advisor : Dr. Nai-Wei Lo (羅乃維博士) 2015/06/29

NFC-based User Authentication Mechanisms for Personalized IPTV Services

▪ Introduction

▪ Related Work

▪ Proposed Mechanisms

▪ Security and Performance Analysis

▪ Discussion and Comparison

▪ Conclusion

2

Outline

`Introduction

NFC-based User Authentication Mechanisms for Personalized IPTV Services Introduction

▪ IPTV (Internet Protocol Television)

▪ Combined with modern technologies to deliver high-quality

television content and rich services through IP networks

▪ Features of IPTV

▪ Support for interactive TV

▪ Time shifting

▪ Personalization

▪ Low bandwidth requirements

▪ Accessible on multiple devices

4

Background (1/2)


▪ STB (Set-top Box)

▪ A device at the customer side

▪ Connects an ordinary TV to the external network

▪ Converts the received signal display on the TV screen

5

Background (2/2)


▪ Existing IPTV authentication based on STB-level

▪ STB contains a unique hardware identifier registered by service

provider

▪ STB-level authentication leads to whole family members get the

same access level to IPTV services

▪ Family Services ≠ Personalized Services

▪ IPTV service provider cannot identify who is actually watching a

certain program

▪ Inconsistent with IPTV's main intention to provide personalized

services

6

Motivation


▪ To survey studies on identification for TV viewer

▪ To design a user authentication mechanism for

personalized IPTV services

▪ To develop a proof-of-concept implementation

▪ To analyze security and performance of the proposed

mechanism

▪ To evaluate the system by comparing with existing

solutions

7

Objectives

`Related Work

NFC-based User Authentication Mechanisms for Personalized IPTV Services Related Work

▪ Previous works can be classified into five types:

9

Viewer Identification Systems

Type Object of Identification

Password-based [26] ID, Password

Biometrics-based [8] [27] [38] Face-recognition

RFID-based [34] [39] RFID Tag

USIM-based [36] Subscriber Identification Module

Bluetooth-based [10] Bluetooth Device MAC Address


▪ Short range and wireless technology based on RFID

▪ NFC devices: NFC Reader, NFC Tag, NFC Phone

▪ NFC operation modes:

10

Near Field Communication (NFC)

Operation Mode Initiator Device Target Device

Reader / Writer NFC Phone NFC Tag

Peer-to-Peer NFC Phone NFC Phone

Card Emulation NFC Reader NFC Phone


▪ Conventional card emulation requires Secure Element (SE)

embedded in NFC mobile

▪ HCE allows NFC mobile can emulate a contactless smart card

using only software

11

Host Card Emulation (HCE)

SE-based card emulation HCE-based card emulation

`Proposed Mechanisms


13

Overview (1/2)

The proposed personalized IPTV service architecture

Proposed Mechanisms

NFC-based User Authentication Mechanisms for Personalized IPTV Services Proposed Mechanisms

▪ The proposed mechanisms have two authentication

schemes:

▪ HMAC-based Authentication Scheme

▪ Digital Signature-based Authentication Scheme

▪ Both schemes comprise three phases:

▪ Registration Phase

▪ To register a user becoming an IPTV service subscriber

▪ Authentication Phase

▪ To authenticate a IPTV service subscriber

▪ Key Update Phase

▪ To update the secret key of an IPTV service subscriber

14

Overview (2/2)


Notation Description

The IPTV services provider

The user , who is an IPTV subscriber

The personal computer of the user

The NFC-enabled mobile phone owned by the user

The set-top box , which equipped with NFC reader

The Application Server of

The HCE-enabled mobile app, which is developed by

The email address of the user

The password chosen by the user

The personal information of the user

The cell phone number of the user

The unique identifier of entity

The secret key, only known to entity and

The public key of entity

15

Notations (1/2)


Notation Description

The security (private) key of entity

The X.509 certificate of entity

A random number is generated by entity

The n th nonce value is generated by entity

The n th timestamp is generated by entity

The maximum allowed time interval for transmission delay

Check the message is valid

The message is encrypted by the public key of entity

The message is decrypted by the secret (private) key of entity

The message is signed by the secret (private) key of entity

The message is verified by the public key of entity

A keyed-hash message authentication code of message using security key

Entity send the message to entity

A concatenation operator

16

Notations (2/2)


Registration Phase

17

HMAC-based Auth. Scheme Digital-signature-based Auth. Scheme

Proposed Mechanisms


Authentication Phase

18


Proposed Mechanisms


19

Proposed Mechanisms

pp.21 pp.32



Key Update Phase

20


Proposed Mechanisms

`Security and Performance

Analysis

NFC-based User Authentication Mechanisms for Personalized IPTV Services Security and Performance Analysis

22

Trust Boundary

Trust boundary and the communication channels


▪ The data received during the registration phase are all correct.

▪ The trusted NFC phone is equipped with secure storage

▪ The NFC channel is insecure

▪ The STB and NFC reader in an open environment, any IPTV

subscriber can use his/her NFC phone to get authenticated

▪ The Internet channel protected by SSL/TLS

▪ The trusted Application Server connects to the database is secure

23

Assumptions


▪ Providing Mutual Authentication

▪ Impersonation Attack resistance

▪ Server Spoofing Attack resistance

▪ Replay Attack resistance

▪ Man-in-the-Middle Attack resistance

24

Security Analysis



▪ 𝐴𝑆𝑆𝑃 gets authenticated by 𝑈𝑖 if it can correctly compute HMAC

value by using secret key 𝐾𝑖,𝑆𝑃

▪ 𝑈𝑖 gets authenticated by 𝐴𝑆𝑆𝑃 if it can correctly compute HMAC

value by using secret key 𝐾𝑖,𝑆𝑃


▪ 𝐴𝑆𝑆𝑃 gets authenticated by 𝑈𝑖 if it can correctly verify the

signature by using public key 𝑃𝐾𝑆𝑃

▪ 𝑈𝑖 gets authenticated by 𝐴𝑆𝑆𝑃 if it can correctly verify the

signature by using public key 𝑃𝐾𝑖

▪ Impersonation & Server Spoofing Attack Resistance

25

Mutual Authentication


▪ Fresh nonce-embedded message

▪ The nonce is a random value that used only once

and not repeated

▪ 𝐴𝑆𝑆𝑃 can detect the message is a replay attack

because the scheme uses nonce, if a nonce is found

inconsistencies, 𝐴𝑆𝑆𝑃 will reject the request

26

Replay Attack


▪ STB-to-AS connection is based on SSL/TLS

▪ MITM attack is practically infeasible on NFC channel

27

Man-in-the-Middle Attack


▪ The prototype system consist of three components:

▪ Application Server (AS)

▪ provides a platform let user register service and apply for key update

▪ Set-top Box (STB)

▪ connected with an NFC reader via USB interface

▪ has an NFC application that can communicate with the HCE-enabled

app installed on the NFC Phone

▪ transfers authenticated messages to the AS for performing

authentication

▪ NFC-enabled Mobile Phone (NFC Phone)

▪ installed an HCE-enabled app that can react to APDU commands

from the NFC reader.

28

Prototype Implementation


▪ Application Server Specifications

29

Experimental Platform (1/3)

Application Server

CPU Intel Core i3-3120M

Memory 4GB DDR3 SO-DIMM

Operating

SystemGNU/Linux Ubuntu 14.04.2 LTS

Port TCP/IP


▪ Set-top Box Specifications

▪ ACR122U USB NFC Reader

30


Raspberry Pi Model B+

CPU700 MHz Low Power ARM1176JZFS

Applications Processor

GPU Dual Core VideoCore IV

Memory 512MB SDRAM

Operating

SystemEmbedded Linux (Raspbian)

Interface Ethernet, USB, HDMI


▪ NFC-enabled Mobile Phone Specifications

▪ Android OS version 4.4 or above supports HCE

31


Samsung Galaxy Note II

CPU 1.6 GHz Quad-Core Cortex-A9

Memory 2GB RAM

Operating

SystemAndroid 4.4.2 (KitKat)

ConnectivityHSPA+, LTE, NFC, Wi-Fi, DLNA, Wi-Fi Direct,

Bluetooth 4.0


32

Prototype System (1/3)


33



34


NFC Reader

Set-top Box

NFC Phone

TV Screen


35

Demo



36

Performance Test (1/4)

HMAC-based

Authentication Scheme

Key Size

(bits)

Authentication Session Time (ms)

MIN MAX AVG STDEV

HMAC-MD5

Implementation

80 1088 1243 1151.68 37.72

112 1079 1245 1154.31 42.69

128 1099 1277 1157.93 45.16

192 1081 1258 1144.78 35.77

256 1085 1247 1154.76 40.80

HMAC-SHA1

Implementation

80 1115 1280 1169.02 41.95

112 1093 1270 1156.12 39.10

128 1110 1276 1165.03 41.14

192 1105 1279 1161.14 43.03

256 1107 1275 1176.99 44.29


HMAC-based


Key Size

(bits)


MIN MAX AVG STDEV

HMAC-SHA256

Implementation

80 1120 1295 1181.13 34.80

112 1124 1312 1185.57 42.26

128 1138 1323 1206.81 51.74

192 1119 1330 1192.44 46.86

256 1136 1337 1217.65 62.38

HMAC-SHA384

Implementation

80 1173 1365 1247.53 52.04

112 1174 1367 1228.90 49.82

128 1161 1371 1244.92 54.27

192 1171 1360 1229.44 46.65

256 1178 1358 1241.01 51.64

HMAC-SHA512

Implementation

80 1198 1368 1270.54 43.88

112 1201 1382 1274.98 43.24

128 1221 1384 1280.84 43.30

192 1202 1366 1275.36 41.07

256 1219 1386 1279.97 45.44

37




38


Digital Signature-based


Key Size

(bits)


MIN MAX AVG STDEV

DSA-SHA1

Implementation

1024 1372 1509 1443.27 33.50

2048 1478 1632 1561.54 36.47

3072 1954 2120 2038.29 39.28

DSA-SHA256

Implementation

1024 1379 1505 1448.07 29.69

2048 1503 1636 1568.67 33.44

3072 2008 2130 2073.13 29.55

DSA-SHA384

Implementation

1024 1386 1517 1453.33 33.58

2048 1507 1639 1569.62 35.70

3072 2020 2189 2103.23 44.20

DSA-SHA512

Implementation

1024 1389 1530 1453.39 36.39

2048 1524 1641 1576.72 32.52

3072 2032 2178 2107.98 38.38


Digital Signature-based


Key Size

(bits)


MIN MAX AVG STDEV

ECDSA-SHA1

Implementation

160 1228 1371 1289.26 36.21

224 1268 1393 1335.25 26.39

256 1369 1469 1414.48 23.63

ECDSA-SHA256

Implementation

160 1227 1383 1281.03 37.30

224 1278 1387 1331.28 27.57

256 1358 1472 1410.27 22.98

ECDSA-SHA384

Implementation

160 1228 1368 1281.39 37.30

224 1279 1391 1331.86 23.19

256 1366 1463 1405.64 19.31

ECDSA-SHA512

Implementation

160 1229 1395 1285.96 32.29

224 1268 1364 1318.91 19.79

256 1374 1470 1411.78 21.05

39



40

Performance Comparison

Performance comparison of the algorithms used in the proposed schemes


▪ HMAC-based authentication scheme is better than Digital

Signature-based authentication scheme in terms of processing

speed

▪ Selected algorithm is the main factor that effects performance of

the HMAC-based authentication scheme

▪ The key size is the main factor that effects performance of the

Digital Signature-based authentication scheme

▪ Digital Signature-based scheme may be better choice at the

security strength in better than HMAC-based scheme. While the

session time of both scheme is equivalent.

41

Performance Analysis

`Discussion and

Comparison


▪ NFC for User-friendly Operation

▪ Users do not need background knowledge about the technology

▪ Use simply by touching two NFC devices together

▪ Non-password Authentication

▪ Not require to remember password

▪ Resist password guessing attacks

43

Usability

Discussion and Comparison


▪ NFC-enabled STB has been developed

▪ More easily integrate the proposed mechanisms

▪ HCE support could reach 85% of smartphones

▪ New released smartphones are all NFC-ready

▪ Not a barrier for near future

44

Deployability


Smartphone shipments per OS platform Q2 2014


▪ Mobile IPTV Services

▪ Live Stream TV

▪ Customers can enjoy Live TV broadcasting anywhere just with

a smartphone or tablet if they have an Internet connection

▪ Personalized EPG (Electronic Program Guide)

▪ A program guide offers a user friendly environment

▪ STB Remote Control

▪ Easy to control the STB directly from smartphone same as

using the classic RC

45

Service Scalability (1/2)



▪ Agent Tags

▪ Can have a temporary authority that authorized by an

authenticated user, to execute authentication

▪ Typical reader/writer mode of NFC operations

46

Service Scalability (1/2)

Tag IDRemaining

Count

Remaining

Time

Accepted

Channel

Accepted

Device

00000001 10 - CH-10 TV

00000002 - 24 Hour - Tablet

00000003 30 7 Day - -

00000004 - - CH-2 PC

00000005 5 30 Min CH-5 -



▪ HMAC-based vs. Digital Signature-based

47

Comparison of Two Proposed Schemes

HMAC-based


Digital Signature


Cryptosystem Symmetric Cryptosystem Asymmetric Cryptosystem

Integrity Yes Yes

AuthenticationYes

(not for third-party)

Yes

(support for third-party)

Key Size

(with equivalent security level)Shorter Longer

Computation Cost Lower Higher

Storage Cost Lower Higher

Additional Infrastructure NoneCertificate Authority

(optional)



48

Certificate Authority


Password-based Biometrics-based RFID-based

Identification unit A user A user A user

Authentication factor What you know What you are What you have

Object of identification Username, Password Face-recognition RFID tag

Authentication certifier STB STBSTB, IPTV

Authentication Server

Additional H/W device None Video cameraRFID reader in STB

and RFID tag

49

Comparison with Existing Solutions

USIM-based Bluetooth-based Proposed System

Identification unit A user A user A user

Authentication factorWhat you have,

What you know

What you have,

What you know

What you have,

What you know

Object of identificationSubscriber

identification module

Bluetooth device MAC

addressHMAC/Signature

Authentication certifier

3G network,

IPTV Service

Provider

Bluetooth STBSTB, IPTV Application

Server

Additional H/W device 3G mobile equipment

Bluetooth module in

STB and Bluetooth

phone

NFC reader in STB

and NFC phone


`Conclusion


▪ NFC-based user authentication mechanisms using HCE

and two authentication schemes are proposed

▪ HMAC-based authentication scheme has lightweight

operations and higher performance

▪ Digital Signature-based authentication scheme is

suitable to design open IPTV services

▪ The proposed mechanisms are suitable for personalized

IPTV services and can be easily deployed onto current

IPTV systems

51

Conclusion

Conclusion

`Thank You

`Q & A


1. S. C. Kim, S. S. Yeo, and S. K. Kim, “A Hybrid User Authentication Protocol for Mobile IPTV Service,” Multimedia tools and

applications, vol. 65, no. 2, pp. 283–296, May 2011.

2. R. Want, “An introduction to RFID technology,” IEEE Pervasive Computing, vol. 5, no. 1, pp. 25–33, Jan. 2006.

3. J. H. Cho, J. Kim, J. W. Kim, K. Lee, K. D. Aim, and S. Kim, “An NFC Transceiver with RF-powered RFID Transponder Mode,”

in Solid-State Circuits Conference, 2007. ASSCC ’07. IEEE Asian, 2007, pp. 172–175.

4. C. Bisdikian, “An Overview of the Bluetooth Wireless Technology,” IEEE Communications Magazine, vol. 39, no. 12, pp. 86–94,

Dec. 2001.

5. R. Bambini, P. Cremonesi, and R. Turrin, “A Recommender System for an IPTV Service Provider: a Real Large-Scale Production

Environment,” in Recommender Systems Handbook, F. Ricci, L. Rokach, B. Shapira, and P. B. Kantor, Eds. Springer US, 2011,

pp. 299–331.

6. V. Coskun, B. Ozdenizci, and K. Ok, “A Survey on Near Field Communication (NFC) Technology,” Wireless Pers Commun, vol.

71, no. 3, pp. 2259–2294, Dec. 2012.

7. H. Lee, W. C. Hong, C. H. Kao, and C. M. Cheng, “A User-Friendly Authentication Solution Using NFC Card Emulation on

Android,” in 2014 IEEE 7th International Conference on Service-Oriented Computing and Applications (SOCA), 2014, pp. 271–

278.

8. H. L. Wang, J. G. Wang, and W. Y. Yau, “Automated Age Regression for Personalized IPTV Services,” in 2010 IEEE

International Conference on Multimedia and Expo (ICME), 2010, pp. 1333–1336.

9. I. Krevatin, “Biometric Recognition in Telecom Environment,” in 2010 14th International Conference on Intelligence in Next

Generation Networks (ICIN), 2010, pp. 1–6.

10. A. G. Foina, J. Ramirez-Fernandez, and R. M. Badia, “Cell BE and Bluetooth applied to Digital TV,” in 2010 IEEE Network

Operations and Management Symposium (NOMS), 2010, pp. 825–828.

11. R. Jana, Y. F. Chen, D. C. Gibbon, Y. Huang, S. Jora, J. Murray, and B. Wei, “Clicker - An IPTV Remote Control in Your Cell

Phone,” in 2007 IEEE International Conference on Multimedia and Expo, 2007, pp. 1055–1058.

12. P. Urien, “Cloud of Secure Elements: An Infrastructure for the Trust of Mobile NFC Services,” in 2014 IEEE 10th International

Conference on Wireless and Mobile Computing, Networking and Communications (WiMob), 2014, pp. 213–218.

54

References


13. K. H. Lin, D. H. Shiue, Y. S. Chiu, W. H. Tsai, F. J. Jang, and J. S. Chen, “Design and Implementation of Face Recognition-aided IPTV

Adaptive Group Recommendation System Based on NLMS Algorithm,” in 2012 International Symposium on Communications and

Information Technologies (ISCIT), 2012, pp. 626–631.

14. J. Lyu, S. Pyo, J. Lim, M. Kim, S. Lim, and S. Kim, “Design of Open APIs for Personalized IPTV Service,” in The 9th International

Conference on Advanced Communication Technology, 2007, vol. 1, pp. 305–310.

15. M. Alattar and M. Achemlal, “Host-Based Card Emulation: Development, Security, and Ecosystem Impact Analysis,” in 2014 IEEE Intl

Conf on High Performance Computing and Communications, 2014 IEEE 6th Intl Symp on Cyberspace Safety and Security, 2014 IEEE

11th Intl Conf on Embedded Software and Syst (HPCC,CSS,ICESS), 2014, pp. 506–509.

16. K. Chang, J. Hightower, and B. Kveton, “Inferring Identity Using Accelerometers in Television Remote Controls,” in Pervasive Computing,

2009, pp. 151–167.

17. S. Zeadally, H. Moustafa, and F. Siddiqui, “Internet Protocol Television (IPTV): Architecture, Trends, and Challenges,” IEEE Systems

Journal, vol. 5, no. 4, pp. 518–527, Dec. 2011.

18. Z. Liu, B. Wei, and H. Yu, “IPTV, Towards Seamless Infotainment,” in 6th IEEE Consumer Communications and Networking Conference,

2009. CCNC 2009, 2009, pp. 1–5.

19. M. Bellare, R. Canetti, and H. Krawczyk, “Keying Hash Functions for Message Authentication,” in Advances in Cryptology —

CRYPTO ’96, 1996, pp. 1–15.

20. S. Park and S.-H. Jeong, “Mobile IPTV: Approaches, Challenges, Standards, and QoS Support,” IEEE Internet Computing, vol. 13, no. 3,

pp. 23–31, May 2009.

21. R. Want, “Near Field Communication,” IEEE Pervasive Computing, vol. 10, no. 3, pp. 4–7, Jul. 2011.

22. N. Saparkhojayev, A. Dauitbayeva, A. Nurtayev, and G. Baimenshina, “NFC-enabled Access Control and Management System,” in 2014

International Conference on Web and Open Access to Learning (ICWOAL), 2014, pp. 1–4.

23. A. Andersen, R. Karlsen, and A. Munch-Ellingsen, “NFC Provided User Friendliness for Technologically Advanced Services,” in Human

Interface and the Management of Information. Information and Interaction for Health, Safety, Mobility and Complex Environments, 2013,

pp. 337–346.

24. S. Shirali-Shahreza, H. Sameti, and M. Shirali-Shahreza, “Parental Control Based on Speaker Class Verification,” IEEE Transactions on

Consumer Electronics, vol. 54, no. 3, pp. 1244–1251, Aug. 2008.

25. R. Morris and K. Thompson, “Password Security: A Case History,” Commun. ACM, vol. 22, no. 11, pp. 594–597, Nov. 1979.

55

References


26. J. H. Choi, J. Jeok, S. Y. Lim, H. C. Kim, H. K. Lee, and J. W. Hong, “Personalized Data Broadcasting Service based on TV-Anytime

metadata,” in IEEE International Symposium on Consumer Electronics, 2007. ISCE 2007, 2007, pp. 1–6.

27. M. C. Hwang, L. T. Ha, N. H. Kim, C. S. Park, and S. J. Ko, “Person Identification System for Future Digital TV with Intelligence,” IEEE

Transactions on Consumer Electronics, vol. 53, no. 1, pp. 218–226, Feb. 2007.

28. M. Reveilhac and M. Pasquet, “Promising Secure Element Alternatives for NFC Technology,” in First International Workshop on Near

Field Communication, 2009. NFC ’09, 2009, pp. 75–80.

29. T. Jiang, Y. Hou, and S. Zheng, “Secure Communication between Set-top Box and Smart Card in DTV Broadcasting,” IEEE Transactions

on Consumer Electronics, vol. 50, no. 3, pp. 882–886, Aug. 2004.

30. S. K. Panigrahy, S. K. Jena, and A. K. Turuk, “Security in Bluetooth, RFID and Wireless Sensor Networks,” in Proceedings of the 2011

International Conference on Communication, Computing & Security, pp. 628–633.

31. E. Haselsteiner and K. Breitfuß, “Security in Near Field Communication (NFC),” in Workshop on RFID security, 2006, pp. 12–14.

32. S. H. Lee, M. K. Sohn, D. J. Kim, B. Kim, and H. Kim, “Smart TV Interaction System Using Face and Hand Gesture Recognition,” in 2013

IEEE International Conference on Consumer Electronics (ICCE), 2013, pp. 173–174.

33. B. Veselinovska, M. Gusev, and T. Janevski, “State of the Art in IPTV,” in 2014 37th International Convention on Information and

Communication Technology, Electronics and Microelectronics (MIPRO), 2014, pp. 479–484.

34. R. van Brandenburg, H. van den Berg, M. O. van Deventer, and I. M. Schenk, “Towards Multi-user Personalized TV Services,

Introducing Combined RFID Digest Authentication,” Graduate Thesis TNO+ University Twente, vol. 10, 2009.

35. A. Munch-Ellingsen, R. Karlsen, A. Andersen, and S. Akselsen, “Two-factor Authentication for Android Host Card Emulated Contactless

Cards,” in 2015 First Conference on Mobile and Secure Services (MOBISECSERV), 2015, pp. 1–6.

36. Y.-K. Park, S.-H. Lim, O. Yi, S. Lee, and S.H. Kim, “User Authentication Mechanism Using Java Card for Personalized IPTV Services,”

in International Conference on Convergence and Hybrid Information Technology, 2008. ICHIT ’08, 2008, pp. 618–626.

37. T. Silva, J. F. de Abreu, O. Pacheco, and P. Almeida, “User Identification: A Key Factor for Elderly Viewers to Benefit from Interactive

Television Services,” in ENTERprise Information Systems, M. M. Cruz-Cunha, J. Varajão, P. Powell, and R. Martinho, Eds. Springer

Berlin Heidelberg, 2011, pp. 40–48.

38. T. Mlakar, J. Zaletelj, and J. F. Tasic, “Viewer Authentication for Personalized iTV Services,” in Eighth International Workshop on Image

Analysis for Multimedia Interactive Services, 2007. WIAMIS ’07, 2007, pp. 63–63.

39. H. Jabbar, T. Jeong, J. Hwang, and G. Park, “Viewer Identification and Authentication in IPTV using RFID Technique,” IEEE

Transactions on Consumer Electronics, vol. 54, no. 1, pp. 105–109, Feb. 2008.

56

References

Date post:	28-Jan-2018
Category:	Technology
Upload:	chun-kai-wang
View:	36 times
Download:	0 times