Privacy-Preserving Application-to-Application Authentication Using Dynamic Runtime Behaviors

TL;DR

This paper introduces a novel application authentication method that uses dynamic runtime behaviors and fuzzy extractors to enhance security and reduce reliance on secret credentials, demonstrating promising real-world performance.

Contribution

It presents a new behavior-based authentication system utilizing fuzzy extractors, providing security against client and vault compromises with minimal server modifications.

Findings

Achieves 0% False Accept Rate in tests

Average authentication time is 51 milliseconds

Secure against client and feature observation attacks

Abstract

Application authentication is typically performed using some form of secret credentials such as cryptographic keys, passwords, or API keys. Since clients are responsible for securely storing and managing the keys, this approach is vulnerable to attacks on clients. Similarly a centrally managed key store is also susceptible to various attacks and if compromised, can leak credentials. To resolve such issues, we propose an application authentication, where we rely on unique and distinguishable application's behavior to lock the key during a setup phase and unlock it for authentication. Our system add a fuzzy-extractor layer on top of current credential authentication systems. During a key enrollment process, the application's behavioral data collected from various sensors in the network are used to hide the credential key. The fuzzy extractor releases the key to the server if the application's behavior during the authentication matches the one collected during the enrollment, with some noise tolerance. We designed the system, analyzed its security, and implemented and evaluated it using 10 real-life applications deployed in our network. Our security analysis shows that the system is secure against client compromise, vault compromise, and feature observation. The evaluation shows the scheme can achieve 0 percent False Accept Rate with an average False Rejection Rate 14 percent and takes about 51 ms to successfully authenticate a client. In light of these promising results, we expect our system to be of practical use, since its deployment requires zero to minimal changes on the server.