Authentication Model Based Bluetooth-enabled Mobile Phone

Authentication is a mechanism for establishing proof of identity; the authentication process establishes who a particular user is. Current PC and laptop user-authentication systems either authenticate once and hold until the user explicitly revokes the authentication, or ask the user to re-establish his identity so frequently that he is encouraged to disable authentication altogether. Zero-Interaction Authentication (ZIA) provides a solution to this problem: the user wears a small authentication token that communicates with the laptop over a short-range wireless link, and ZIA combines authentication with file encryption. Here we propose Laptop-user Authentication Based Mobile phone (LABM). In our model of authentication the user's Bluetooth-enabled mobile phone works as an authentication token that authenticates the user to the laptop over a Bluetooth wireless link, following the concept of transient authentication without combining it with an encrypting file system. The user authenticates to the mobile phone infrequently; in turn, the mobile phone continuously authenticates to the laptop by means of the short-range wireless link.


INTRODUCTION
In recent years many people use their office or home PC for their work and store sensitive information on it; at the same time, mobile computing has enjoyed a tremendous rise in popularity. As laptops proliferate, theft has become an ever more critical security issue. Within the much broader arena of IT security there are five classes of technology that are most relevant to laptops: user authentication, physical locking devices, encryption, monitoring and tracing software, and alarms [1]. A key aspect of cryptography and computer security is authentication [2]. Authentication helps establish trust by identifying who a particular user is; it ensures that the claimant really is who he/she claims to be. User authentication is a required component of all security systems.
Persistent and Transient Authentication: Under persistent authentication, users authenticate infrequently to devices, and the authentication holds until it is explicitly revoked. Currently most systems use this technique [3]. Should a device fall into the wrong hands, the impostor has the full rights of the legitimate user for as long as the authentication holds. Persistent authentication therefore creates tension between protection and usability: to maximize protection, a device must constantly reauthenticate its user, but to be usable, authentication must be long-lived. If someone steals your laptop while you are logged in, they have full access to your data. Such persistent authentication is inappropriate for mobile computers.
This tension is resolved by a new model called transient authentication [4]. In this model the user wears a small token equipped with a short-range wireless link and modest computational resources. The token is able to authenticate constantly on the user's behalf, so transient authentication shifts the problem of authentication to the token. We implement an authentication model for laptops that uses a cell phone as the authentication token.

Laptop-Cell Phone Authentication System Principles: In this model of authentication the user's mobile phone works as an authentication token that provides authentication to the laptop over a short-range wireless link, as shown in Fig. 1. The user authenticates to the token infrequently. In turn, the mobile phone continuously authenticates to the laptop by means of the short-range wireless link [5].

Mutual Authentication: Mutual authentication is the first step of the authentication system. In this step the laptop and the mobile phone perform a challenge-response exchange in order to authenticate each other, based on a public key system [6]. The mobile phone has a predefined key pair.
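The challenge-response step above, as an added example that is not part of the paper's implementation: a two-round exchange in which each side signs the other's fresh nonce and verifies the peer against the public key it was paired with. The RSA parameters are constructed toy values (Mersenne-prime moduli, textbook signing without padding) chosen so the block runs with only the standard library, and the assumption that the laptop holds its own key pair as well is ours.

```python
import hashlib
import secrets

# Constructed toy RSA moduli (NOT secure, far too small) built from Mersenne primes.
# Real deployments need 2048-bit keys and a padding scheme such as RSA-PSS.
MERSENNE = {k: (1 << k) - 1 for k in (19, 31, 61, 89, 107, 127)}


def toy_keypair(p, q, e=65537):
    """Return (public, private) as ((n, e), (n, d)); e is coprime with phi here."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def _digest_mod_n(n, *parts):
    """Hash the transcript pieces and reduce the digest into the RSA group."""
    return int.from_bytes(hashlib.sha256(b"|".join(parts)).digest(), "big") % n


def sign(priv, *parts):
    n, d = priv
    return pow(_digest_mod_n(n, *parts), d, n)


def verify(pub, sig, *parts):
    n, e = pub
    return pow(sig, e, n) == _digest_mod_n(n, *parts)


def mutual_auth(laptop_priv, phone_priv, expected_phone_pub, expected_laptop_pub):
    """Two-round challenge-response. Each side signs the peer's fresh nonce with
    its own private key; the verifier uses the public key it was paired with.
    Returns True only when both directions verify."""
    # Round 1: laptop -> phone carries a fresh challenge c_l
    c_l = secrets.token_bytes(16)
    # Phone -> laptop: its own challenge c_p plus a signature over both nonces;
    # the role tag stops a phone reply being replayed as a laptop reply
    c_p = secrets.token_bytes(16)
    sig_phone = sign(phone_priv, b"phone", c_l, c_p)
    if not verify(expected_phone_pub, sig_phone, b"phone", c_l, c_p):
        return False
    # Round 2: laptop -> phone: signature over the phone's challenge; phone verifies
    sig_laptop = sign(laptop_priv, b"laptop", c_p, c_l)
    return verify(expected_laptop_pub, sig_laptop, b"laptop", c_p, c_l)
```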
User Notification: After performing the mutual authentication, the user's cell phone notifies the user about the connection that has been established and asks for the user's agreement. Once the user agrees to the connection, the system does not ask him/her again and the cell phone takes over all responsibility for the authentication system.

Session Key Creation: A session key is used to encrypt all laptop-mobile phone communication. Once the session key is established, no information transferred over the wireless link is in clear text; instead it is encrypted and authenticated using the session key. The symmetric session key is created using the Diffie-Hellman key exchange algorithm [7]. The system uses the U.S. government standard 128-bit Advanced Encryption Standard (AES) [8] to encrypt all laptop-mobile phone communication. We chose this cipher because it is the current AES selected by the National Institute of Standards and Technology (NIST) and because it is fast enough to run efficiently with limited memory and processing time.
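The session-key step above, as an added example that is not the paper's code: both sides run a Diffie-Hellman exchange, derive a 128-bit AES key and a separate MAC key from the shared secret and the transcript, and then authenticate each link message with a counter and an HMAC tag. The group is a constructed toy (p = 2^61 - 1, generator 2) so the block runs with only the standard library; the AES-128 encryption of the payload itself is not shown, since the standard library has no cipher, but the key derived here is the one that step would use.

```python
import hashlib
import hmac
import secrets

# Constructed toy group (NOT secure): p = 2^61 - 1 with generator 2. A real link
# would use a standard group such as RFC 3526 MODP-2048 or an elliptic curve.
P = (1 << 61) - 1
G = 2


def dh_keypair():
    """Private exponent x and the public value g^x mod p sent to the peer."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def derive_keys(shared_secret, transcript):
    """Derive (aes128_key, mac_key) from the DH secret and the handshake transcript,
    so the keys are bound to the public values that were actually exchanged."""
    okm = hashlib.sha256(b"LABM|" + shared_secret.to_bytes(8, "big") + transcript).digest()
    return okm[:16], hashlib.sha256(b"mac|" + okm).digest()


def establish_session():
    """Run the exchange between laptop and phone; return each side's derived keys."""
    x_l, pub_l = dh_keypair()          # laptop side
    x_p, pub_p = dh_keypair()          # phone side
    transcript = pub_l.to_bytes(8, "big") + pub_p.to_bytes(8, "big")
    laptop_keys = derive_keys(pow(pub_p, x_l, P), transcript)
    phone_keys = derive_keys(pow(pub_l, x_p, P), transcript)
    return laptop_keys, phone_keys


def protect(mac_key, counter, payload):
    """Frame one link message: 4-byte counter, payload (AES-128 ciphertext in the
    real system), and an HMAC-SHA256 tag over counter and payload."""
    header = counter.to_bytes(4, "big")
    return header + payload + hmac.new(mac_key, header + payload, hashlib.sha256).digest()


def unprotect(mac_key, expected_counter, frame):
    """Check tag and counter; return the payload, or None on any failure (replay,
    tampering, truncation) so the caller treats the probe as unanswered."""
    if len(frame) < 36:
        return None
    header, payload, tag = frame[:4], frame[4:-32], frame[-32:]
    expected = hmac.new(mac_key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    if int.from_bytes(header, "big") != expected_counter:
        return None
    return payload
```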
Disconnection and Reconnection: The system periodically senses the mobile phone to ensure that the user is still present; when the mobile phone is out of range, the laptop takes steps to secure itself. There are two reasons why the laptop might not receive a response from the mobile phone: the mobile phone and the user may truly be away, or the link may have dropped the packet. To handle the latter, the system uses the expected round trip time between laptop and mobile phone; because this is a single, uncontested network hop, this time is relatively stable. The laptop retries the request if a response is not received within twice the expected round trip time.

The mobile phone acts as the server side of the piconet. It performs the same functions as the client, except that instead of initiating and opening a connection it creates a server connection using L2CAP, waits for connections, accepts and opens them, and performs the security application I/O messages. Before creating the connection the application obtains the local device and makes it discoverable so that the client (laptop) can establish a connection to it. When the mobile phone receives an L2CAP connection request it accepts and opens the connection, starts performing the security I/O messages, and manages the connection according to their results.

Implementation: The model is implemented in the application layer. It consists of a client that runs on the user's laptop and a server that runs on the user's mobile phone, communicating via a secured Bluetooth wireless channel [10]. All programs are written using pure Java technology: Java 2 Standard Edition (J2SE), Java 2 Micro Edition (J2ME)/Connected Limited Device Configuration (CLDC)/Mobile Information Device Profile (MIDP) and the Java APIs for Bluetooth (JSR-82). Figure 3 illustrates the Java APIs with the communicating layers.

Fig. 3: Using Java APIs in Communication Module
We chose Java over other programming languages because of the availability of the numerous functions in the Java API, which allowed us to focus more on the abstract ideas rather than low-level programming.

RESULTS
The system declares the user absent after three attempts to connect to the mobile phone without a response. The line in Figure 4 shows the time required by the laptop program to declare the user absent and secure the laptop by running a threaded semi screen saver program. The laptop continues to sense for the return of the mobile phone, and hence the user, in order to stop the security program and reconnect the user. The line in Figure 5 shows the time required by the laptop program to reconnect the user and stop the security thread.

Comparison with Existing Related Work: Zero Interaction Authentication (ZIA) is the first system that provides encrypted filing services defending against physical attack while imposing negligible usability and performance burdens on a trusted user. Authentication in ZIA depends on the token providing decryption services for the encryption key used by the laptop, which is stored on the laptop in encrypted form; the user with ZIA

Table 1 shows a comparison between LABM and the ZIA system. Microsoft Windows 2000 provides a user reauthentication feature that senses the user's absence by tracking keyboard and mouse activity rather than the real departure of the authorized user. The reauthentication feature relies on the screen saver, after which the user must resupply his/her identity to regain access; the user may disable the screen saver after finding it intrusive. Biometric authentication still has problems such as its false-negative rate, and for transient authentication it also requires reauthentication by the user.

Future Work: The cell phone application could include additional security functions. If the laptop uses a data encryption technique to encrypt the data on its hard disk that can work with the transient authentication mechanism, like ZIA [9], the mobile phone could provide a decryption service for the laptop's data encryption key, which would be stored on the laptop in encrypted form, using a predefined decryption key stored on the mobile phone. The mobile phone could also provide storage and management services for the key used in laptop encryption, instead of storing the key on the laptop itself. A cell phone with Bluetooth technology and the Java APIs for Bluetooth could be used in many useful authentication systems.
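The laptop-side presence loop from the Disconnection and Reconnection section, with the three-try threshold reported in the results, as an added example that is not the paper's Java implementation: each probe waits twice the expected round trip time before being retried, three unanswered probes lock the laptop, and a later answered probe reconnects the user. The Bluetooth link is replaced by a constructed simulator so the block runs offline, and the lock/reconnect actions are recorded as events instead of starting a screen-saver thread.

```python
class SimulatedLink:
    """Constructed stand-in for the laptop-phone Bluetooth link. A probe is
    answered when the phone is in range, except for `drops` packets that the
    link silently loses first (the dropped-packet case from the paper)."""

    def __init__(self, rtt=0.05):
        self.rtt, self.in_range, self.drops = rtt, True, 0

    def probe(self, timeout):
        """Return the measured round trip, or None if no reply within timeout."""
        if self.drops > 0:
            self.drops -= 1
            return None
        return self.rtt if self.in_range and self.rtt <= timeout else None


class PresenceMonitor:
    """Laptop-side loop: declare the user absent after MAX_TRIES unanswered
    probes, each waiting 2x the expected round trip; lock, then reconnect."""

    MAX_TRIES = 3

    def __init__(self, link, expected_rtt):
        self.link, self.expected_rtt = link, expected_rtt
        self.locked, self.events = False, []

    def sense(self):
        """One sensing round; returns (present, seconds spent waiting)."""
        waited = 0.0
        for _ in range(self.MAX_TRIES):
            timeout = 2 * self.expected_rtt      # retry threshold from the paper
            rtt = self.link.probe(timeout)
            if rtt is not None:
                return True, waited + rtt
            waited += timeout
        return False, waited

    def tick(self):
        """One iteration of the periodic loop; returns the new locked state."""
        present, spent = self.sense()
        if not present and not self.locked:
            self.locked = True
            self.events.append(("lock", spent))       # start the security thread
        elif present and self.locked:
            self.locked = False
            self.events.append(("reconnect", spent))  # stop it, restore the user
        return self.locked
```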
ACKNOWLEDGMENT
The first author would like to acknowledge her fellowship for graduate study (M.Sc. in Computer System Engineering) from the Third World Organization for Women in Science (TWOWS); the research was partially supported by IRPA Grant No. 04-02-04-0186EA001.