A Secure Mobile Banking Using Kerberos Protocol

Because the network is an open environment, a lot of care must be taken when transferring sensitive information, especially financial data. This depends on which principals are to be trusted, which is problematic, and since the first step in network security is authentication, this paper presents a proposed model for secure mobile banking (m-banking) applications using Kerberos, the network authentication protocol. The aim of this paper is to establish secure communication between the clients and the mobile-bank application server, so that clients can use their mobile phones to securely access their bank accounts, make and receive payments, and check their balances. The integration of a smart card into classic Kerberos enhances the security of client authentication by storing the cryptographic keys on the card and performing two-factor authentication. Another enhancement to Kerberos is PKINIT, in which the password-derived shared key is replaced by a public/private key pair. To build robust client authentication, the client uses his/her mobile phone to author Kerberos's messages, process the replies and establish secure communication with the application server.


Introduction
The security of banking operations is a tricky subject because of the cheaters who seize any opportunity to deceive and take other people's money. The customers' identification is the most important subject in banking operations, and it has passed through several development stages. In the past, in the computerless society, it depended on the bankers' knowledge of the customer's identity, which was acceptable because of the small communities of those days.
After the invention of computers and the development of technology, together with the growth of networks, automatic banking appeared in the cashless society. This is called electronic banking, or e-banking. The rapid expansion of smart card applications, especially in e-banking, strengthens security, but some vulnerabilities must still be taken into consideration. Wireless communication with a mobile device and a smart card makes it possible to adopt e-banking using the customer's mobile phone, and hence it is now called mobile banking, or m-banking for short. The latter offers more security and has seen a wide range of enhancements to meet the customer's demand for protection and ease of use [1].

Kerberos Protocol
In Greek mythology Kerberos is a three-headed dog guarding the entrance to the underworld. Kerberos, in the sense used in this paper, is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT) as part of Project Athena in the mid 1980s. Kerberos is designed to provide strong authentication for client/server applications using secret-key cryptography. Kerberos still relies on the user providing some form of credentials to verify their identity. The exchange of credentials is encrypted throughout the entire authentication process, enabling a secure authentication mechanism. From the user's point of view, it does not differ much from a normal sign-on process. The major difference is that after an identity is proven, a temporary ticket is issued to the client. This ticket allows the user to access other systems and applications that exist within the circle of trust, or more correctly, the Kerberos realm. Kerberos is based on the idea of tickets. A ticket is just a data structure that wraps a cryptographic key, along with some other bits of information. A Key Distribution Center (KDC) distributes Kerberos tickets to authenticated users. A KDC issues two types of tickets:
• A master ticket, also known as the ticket granting ticket (TGT)
• A service ticket

A KDC first issues a TGT to a client. The client can then request several service tickets against his or her TGT. To explain how TGTs and service tickets work, consider the following key exchange scenario:

1. A client sends a message to the KDC requesting a TGT. The request includes the username of the client but not the password; the password is only used, on both sides, to derive the user's long-term key.
2. The KDC issues a TGT reply message to the client that contains a session key in encrypted form. To encrypt the session key, the KDC uses the key derived from the client's password, which is already stored in the KDC's database. The KDC also issues the TGT itself, encrypted under the key of the ticket granting service (TGS), so the client can neither read nor alter it.
3. The client decrypts the encrypted part of the reply message and extracts the session key from it. The client then authors a request to the TGS for a service ticket, presenting its TGT. A service ticket is valid only for communication between two parties: the client and the server with which the client wants to communicate. The server must already be registered with the KDC.
4. The KDC authors a service ticket for the server. This ticket contains the client's authentication data and a new cryptographic key, called a sub-session key. The KDC encrypts the service ticket with the secret key of the server (a shared secret between the KDC and the server), so only the server can decrypt the service ticket. The client's copy of the sub-session key is in the encrypted part of the message, encrypted using the session key that the client extracted from the previous message.
5. The client decrypts the message received from the KDC and fetches the sub-session key inside it as well as the service ticket. It sends the service ticket to the server.
6. The server receives the service ticket and decrypts it with its own key to fetch the authentication data of the requesting client as well as the sub-session key. The server then acknowledges the client's request, and a new secure session is established between the client and the server. Both client and server now possess the same sub-session key, which they can use for secure communication with each other.

Figure (1) illustrates the Kerberos protocol and message exchange. The client can repeat steps 3 through 6 above for another server application. This means that one Kerberos service can be used to share authentication data, and that the same client (representing a single user) can authenticate with different applications. This effectively enables Single Sign On (SSO) [1,4,5].

2.1 Integration of Smart Card into Kerberos
A smart card is a plastic card embedded with a computer chip, an Integrated Circuit Card (ICC), that stores data and logs transactions. This data can be a value, information or both; it is stored and processed within the card's chip. Smart cards have several advantages: they can easily store long passwords, perform advanced security functions such as storage of cryptographic keys, and execute cryptographic algorithms themselves. Smart cards also provide tamper-resistant storage for sensitive information such as private keys, account numbers, passwords and other personal data. They can isolate security-critical computations involving authentication, key exchange and digital signatures from the rest of the system. Kerberos 5 has long been known to have the following weaknesses:
- offline password-guessing attacks (the reply in step 2 is encrypted under a password-derived key, so a captured reply can be attacked offline without further contact with the KDC)
- network spoofing
- key storage (master key and session key)
3. To validate the request and the digital signature on it, the KDC first validates the client's certificate. The KDC then queries Active Directory for a mapping between the certificate and a Windows account. If it finds a mapping, it issues a TGT for the corresponding account.
4. The KDC sends the TGT back to the client. The client's copy of the session key is encrypted with the client's public key.
5. To retrieve the session key, the client decrypts it with its private key.

When a smart card is used in place of a password, a private/public key pair stored on the user's smart card is substituted for the shared secret key derived from the user's password. In the public key extension to the Kerberos protocol (PKINIT), the initial AS exchange is modified so that the KDC encrypts the user's logon session key with the public half of the user's key pair. The client decrypts the logon session key with the private half of the pair [2,8].

The Wireless Communication
Wireless communications is a huge field, encompassing everything from radio and television broadcasting through pagers, mobile phones and satellite communications. The field of mobile phones is expanding very fast, and at the same time standards and protocols are being adopted, used, updated and sometimes discarded.
Mobile Commerce (M-Commerce) is the ability to conduct commerce while on the move, using a mobile device such as a mobile phone (or cell phone), a personal digital assistant (PDA), a smartphone, or other emerging mobile equipment like dashtop mobile devices. Banks and other financial institutions are exploring the use of mobile commerce to allow their customers not only to access account information, but also to make transactions, e.g. purchasing stocks or remitting money, via mobile phones. This service is often referred to as Mobile Banking or M-Banking [9].

The Proposed Model Design
The proposed model in this paper is designed to perform a robust client