Abstract
Pluggable authentication modules (PAMs) primarily provide authentication services to system software on a machine. PAM simplifies the job for both software developers and system administrators by providing a unified method to manage user access to the system. Therefore, software developers do not need to write user authentication subroutines because they can safely rely on well-studied and tested modules to provide the required services. The default authentication mechanism provided by PAM is password-based; while this is sufficient, the security is highly dependent on the strength of the password, which can vary based on the individual or the organization setting the associated password policies. To address this problem, we present an identity-based identification (IBI) module that works as a PAM, specifically for Linux-PAM. The security of the authentication mechanism provided by our work is only dependent on the fixed cryptographic strength of the user keys, which is generally much more secure than passwords. In addition, IBI also has comparatively simpler operations and provides easier ways to manage users compared to existing cryptographic alternatives.
Supported by the Ministry of Higher Education of Malaysia through the Fundamental Research Grant Scheme under Grant FRGS/1/2019/ICT04/MMU/02/5.
Notes
1. GNU/Linux is often referred to as Linux, which is just the kernel of the operating system.
2. An application using PAM for authentication.
3. Libsodium is a fork of the popular NaCl written by Daniel Bernstein.
4. A watched variable (a canary) used to detect memory access violations or buffer overflow attacks.
5. See Sect. 3.2 “User Matching” in OpenSC’s PAM PKCS#11 operation manual.
6. The module is not mentioned in our survey because the developers maintain it as a demo project rather than an actual authentication use case.
Acknowledgments
The authors would like to acknowledge the support of the Ministry of Higher Education of Malaysia through the Fundamental Research Grant Scheme under Grant FRGS/1/2019/ICT04/MMU/02/5.
Copyright information
© 2021 Springer Nature Singapore Pte Ltd.
Cite this paper
Chia, J., Chin, JJ., Yip, SC. (2021). Pluggable Authentication Module Meets Identity-Based Identification. In: Abdullah, N., Manickam, S., Anbar, M. (eds) Advances in Cyber Security. ACeS 2021. Communications in Computer and Information Science, vol 1487. Springer, Singapore. https://doi.org/10.1007/978-981-16-8059-5_10
DOI: https://doi.org/10.1007/978-981-16-8059-5_10
Publisher Name: Springer, Singapore
Print ISBN: 978-981-16-8058-8
Online ISBN: 978-981-16-8059-5