
SSV Software Systems

Klaus-Dieter Walter | Meinrad Happacher

The tricky question of authentication

In electronic transactions, users and applications are automatically identified on a daily basis using various security factors. In many IoT applications, however, there is a gap between what is technically possible and what is actually used in practice.


If you want to use a service in the digital world, you first have to authenticate yourself to the service provider using suitable factors. This means providing the clearest possible evidence so that the claimed user identity can be verified. The server-side methods for this vary with the factors used, which fall into three categories:

  • Knowledge (knowledge factors): The user proves knowledge of a very specific piece of information, such as a password, a Personal Identification Number (PIN) or the answer to a specific question.
  • Possession (ownership factors): The service user is in possession of a specific object, such as an ID card, a smartphone with a specific hardware feature or special software, or a security token in the form of a USB stick. An RFID-based microchip implant or digital certificates also fall into this category.
  • Physical characteristic/biometrics (inherence factors): This category includes various physical characteristics or biometric features that are evaluated as proof of identity. Measurement and evaluation methods for fingerprint, iris and retina structure as well as facial recognition data can be used for this purpose.

Identity verification methods can be used individually (single-factor authentication) or in combination (multi-factor authentication). For example, a password can be combined with an ID card. On closer inspection, however, the first two categories only enable implicit identity verification by the service provider. The password as a secret that was assigned to a specific person when the user account was created can ultimately fall into the possession of third parties accidentally or through a cyber attack; a smartphone with a SIM card, telephone number and app can be stolen. Only biometrics provides more or less unambiguous proof of identity under reasonably normal circumstances.

Secure practice: e-banking

Two-factor authentication (2FA) is currently the state of the art in the IT world. The first identity verification factor is the user name/password or a PIN, i.e. a classic proof of secret knowledge. The second factor is often formed by possession of a smartphone with or without an app. In the first case, a text message is sent with a one-time password that must be entered within a specified period of time during a login procedure. Alternatively, it is also possible to manually enter a time-based one-time password via an app or even scan a QR code, which is displayed as an image object in the web browser of a second device and becomes invalid after just a few seconds.


Before using a digital service, both human and machine users must first authenticate themselves to the service provider. The overall complexity of this topic is still often underestimated in practice. For this reason, cyberattacks are often carried out via user interfaces.


Since 2FA has been mandatory within the European banking system since 2018, many banks now use the "password plus authenticator app" variant for customer access: the user logs on to a service provider's website from a PC via a web browser using a username and password as the first factor and must then supply the second factor via a smartphone app within a certain period of time. Particularly important: 2FA smartphone apps use a different transmission channel than the web-based password login, so the two factors reach the server over separate connections. This is why the approach is also referred to as out-of-band authentication (OoBA). OoBA-based 2FA procedures offer additional protection against man-in-the-middle attacks.

Insecure innovation: e-charging stations

With the exception of sending a one-time password via SMS, the 2FA-OoBA combination is considered a relatively secure procedure overall. It should therefore be used at least for applications that involve cashless payments or other money transfers. From a security perspective, one would therefore expect relatively new technologies and processes to use these functions as well, especially where market launch and penetration are coordinated by government authorities and the users are predominantly private individuals.

A practical example for assessing current authentication procedures in a high-growth IoT application is the public charging infrastructure for electromobility. There are currently around 50,000 to 55,000 public charging points in Germany. According to political targets, there should be one million by 2030. Over time, tens of millions of people will authenticate themselves at these charging points in order to draw electricity and pay for it. At the moment, simple one-factor authentication via RFID customer card or smartphone app, i.e. ownership factors, still dominates at the e-charging stations currently available. Many charging service providers have simply transferred the high risk of these highly insecure procedures to the user via the general terms and conditions. On the other hand, the charging process is very convenient: simply hold the correct RFID card in front of the reader or scan a QR code at the charging point using a smartphone app and the charging current flows into the vehicle battery. Days, weeks or even months later, the costs are then debited from the user's account.

The public charging infrastructure for electric cars is a highly complex IoT application due to the large number of parties involved. Among other things, sensitive billing-relevant data is exchanged between various participants. The new ISO 15118 series of standards is intended to authenticate a vehicle at the charging point using public key infrastructure (PKI) and X.509 certificates.


Another negative example is provided by the e-charging stations of a telecommunications company with regard to payment by credit card for ad-hoc charging, i.e. spontaneous charging without registering for an RFID card or app. Here, the user is shown a QR code that takes them to a website where they enter their full credit card details in a form. The problem: Due to the acute risk of fraud, you should never make payments via websites accessed via a QR code. It could be a fake website.

The reasons why billing and e-mobility service providers and charging infrastructure operators have opted for predominantly insecure authentication procedures for billing charging processes may have something to do with the fact that e-mobility as a whole is still in a pioneering phase. On the other hand, there are numerous stakeholders involved from completely different sectors and economic areas who want to capture market share as quickly as possible, in other words, not exactly ideal conditions for user-friendly and secure solutions with a high level of international acceptance.

From an IoT perspective, however, the conditions for the use of modern communication methods are ideal. After all, two devices with relatively modern hardware and software are connected to each other by cable for a charging process. One of the two devices can even be clearly assigned to a natural or legal person through the approval of a road traffic authority and therefore already has at least a relatively forgery-proof analog identity.

Do standards help?

The standardization organizations recognized this fact very early on and began developing the ISO 15118 series of standards for a standardized "communication interface between vehicle and charging station" just over twelve years ago. It includes a so-called Plug'n Charge (PnC) function. The charging process is automatically started and ended by connecting or disconnecting the charging cable. PnC data communication for billing takes place via TCP/IP over the charging cable. A public key infrastructure (PKI) with X.509 certificates is used for authentication, whereby the first certificate is already installed in the vehicle by the manufacturer.

The author: Klaus-Dieter Walter is a member of the management board at SSV Software Systems.


However, you should not expect one hundred percent authentication security even with an ISO 15118-based TLS handshake between two devices. There are still numerous possibilities for errors and attacks. In addition to faulty TLS protocol implementations and configuration problems, various man-in-the-middle attack scenarios are conceivable, for example with forged certificates. Manipulative attacks are conceivable, particularly in the case of charging stations that are standing around unobserved and freely accessible somewhere in the landscape, in order to collect access data for payments unnoticed. In this respect, a 2FA smartphone app with out-of-band communication makes sense in addition to the PKI and certificate.
