Privacy-Preserving Application-to-Application Authentication Using Dynamic Runtime Behaviors
Application authentication is typically performed using some form of secret credentials such as cryptographic keys, passwords, or API keys. Since clients are responsible for securely storing and managing the keys, this approach is vulnerable to attacks on clients. Similarly a centrally managed key store is also susceptible to various attacks and if compromised, can leak credentials. To resolve such issues, we propose an application authentication, where we rely on unique and distinguishable application's behavior to lock the key during a setup phase and unlock it for authentication. Our system add a fuzzy-extractor layer on top of current credential authentication systems. During a key enrollment process, the application's behavioral data collected from various sensors in the network are used to hide the credential key. The fuzzy extractor releases the key to the server if the application's behavior during the authentication matches the one collected during the enrollment, with some noise tolerance. We designed the system, analyzed its security, and implemented and evaluated it using 10 real-life applications deployed in our network. Our security analysis shows that the system is secure against client compromise, vault compromise, and feature observation. The evaluation shows the scheme can achieve 0 percent False Accept Rate with an average False Rejection Rate 14 percent and takes about 51 ms to successfully authenticate a client. In light of these promising results, we expect our system to be of practical use, since its deployment requires zero to minimal changes on the server.
READ FULL TEXT