Web Uygulamaları için Blokzinciri Tabanlı Güvenli bir Kimlik Doğrulama Çözümü

Year 2023, Volume: 9 Issue: 3, 477 - 489, 01.01.2024

Mustafa Tanrıverdi

Abstract

İçinde bulunduğumuz bilgi ve teknoloji çağında web uygulamaları günlük yaşamının önemli bir parçası haline gelmiştir. Önemli kişisel ve kurumsal bilgilerin yönetildiği bu web uygulamalarının dış dünya ile irtibatı kimlik doğrulama yöntemleri ile sağlanmaktadır. Günümüzde çoğu uygulama kimlik doğrulama için geleneksel kullanıcı adı-şifre yöntemini kullanmaktadır. Kaba Kuvvet (Brute force) saldırılarına karşı savunmasız olan bu yöntem ciddi güvenlik açıklarına neden olmaktadır. Bu yöntemde çoğu kullanıcı aynı giriş bilgilerini farklı uygulamalarda kullandığından dolayı bir saldırı birçok uygulamayı etkileyebilmektedir. Bazı uygulamalar da kimlik doğrulaması için Google ve Facebook gibi üçüncü taraf sistemlere güvenmeyi tercih etmektedir. Bu sistemler de veri güvenliği ve tek nokta hatası gibi nedenlerden dolayı riskler barındırmaktadır. Kimlik doğrulama alanındaki daha fazla güvenlik için iki Faktörlü Kimlik Doğrulama (2FA) yöntemi üzerinde çalışmalar yapılmıştır. Bu yöntemin de GMS şebeke problemleri, SMS maliyeti, merkezi yapılara bağımlılığı gibi sorunları bulunmaktadır. Bu yaşanan sorunların üstesinden gelmek için blockchain, dağıtık, şeffaf, güvenli ve değişmez yapısı sayesinde uygun bir çözüm olarak karşımıza çıkmaktadır. Kimlik doğrulama gibi önemli ve hassas bir konuda henüz gelişimi devam eden blokzinciri teknolojisini tek yöntemin olarak sunulmasının da riskli olabileceği düşünülmüştür. Mevcut durum değerlendirildiğinde bu çalışmada halihazırda hizmet veren web uygulamaları için çalışan kimlik doğrulama yöntemlerine ek olarak blokzinciri tabanlı güvenli bir çözümün alternatif olarak sunulmasına ilişkin bir öneride bulunulmuştur. Önerilen çözümde kullanılan yeni teknoloji ve araçlar görsellerle desteklenerek açıklanmıştır.

Keywords

Blokzinciri, Güvenlik, Kimlik doğrulama, web uygulaması, Web3, Ethereum

Blockchain-Based Secure Authentication Solution for Web Applications

Abstract

In the age of information and technology, web applications have become an important part of daily life. The communication of these web applications, where important personal and corporate information is managed, with the outside world is provided by authentication methods. Today, most applications use the traditional username-password method for authentication. This method, which is vulnerable to brute force attacks, causes serious security vulnerabilities. In this method, since most users use the same login credentials in different applications, an attack can affect many applications. Some applications also prefer to rely on third-party systems such as Google and Facebook for authentication. Due to their nature, these systems have risks such as data security and single point failure. For more security in the authentication area, studies have been carried out on the Two-Factor Authentication (2FA) method This method has serious disadvantages such as GSM network problems, SMS cost or centralization. To overcome these problems, blockchain is a suitable solution thanks to its distributed, transparent, secure and immutable structure. In an important and sensitive issue such as identity control, it is thought that it may be risky to present blockchain technology, which is still under development, as the only method. Considering the current situation, in this study, a proposal has been made to offer a secure blockchain-based solution as an alternative to the authentication methods that currently work for web applications. The new technologies and tools used in the proposed solution are explained with visuals.

Keywords

Blockchain, Security, Authentication, Web application, Web3, Ethereum, MetaMask

References

• [1] A. Szymkowiak, B. Melović, M. Dabić, K. Jeganathan, and G. S. Kundi, “Information technology and Gen Z: The role of teachers, the internet, and technology in the education of young people,” Technology in Society, vol. 65, p. 101565, May 2021. doi:10.1016/J.TECHSOC.2021.101565
• [2] W. Liang, Y. Wang, Y. Ding, H. Zheng, H. Liang, and H. Wang, “An efficient blockchain-based anonymous authentication and supervision system,” Peer-to-Peer Networking and Applications, vol. 16, no. 5, pp. 2492–2511, Sep. 2023. doi:10.1007/S12083-023-01518-5/FIGURES/6
• [3] J. Zhu, Y. Wei, and X. Shang, “Decentralized Dynamic Identity Authentication System Based on Blockchain,” Proceedings - 2021 International Conference on Networking Systems of AI, INSAI 2021, 2021, pp. 1–4. doi:10.1109/INSAI54028.2021.00012
• [4] W. Ao, S. Fu, C. Zhang, Y. Huang, and F. Xia, “A Secure Identity Authentication Scheme Based on Blockchain and Identity-based Cryptography,” in 2019 IEEE 2nd International Conference on Computer and Communication Engineering Technology (CCET), 2019, pp. 90–95. doi:10.1109/CCET48361.2019.8989361
• [5] L. Xiong, F. Li, S. Zeng, T. Peng, and Z. Liu, “A Blockchain-Based Privacy-Awareness Authentication Scheme with Efficient Revocation for Multi-Server Architectures,” IEEE Access, vol. 7, pp. 125840–125853, 2019. doi:10.1109/ACCESS.2019.2939368
• [6] K. Greene, D. Rodgers, H. Dykhuizen, K. McNeil, Q. Niyaz, and K. Al Shamaileh, “Timestamp-based defense mechanism against replay attack in remote keyless entry systems,” Digest of Technical Papers - IEEE International Conference on Consumer Electronics, vol. 2020-January, Jan. 2020, doi:10.1109/ICCE46568.2020.9043039
• [7] M. Tanriverdi, “Design and Implementation of Blockchain Based Single Sign-On Authentication System for Web Applications,” Sakarya University Journal of Computer and Information Sciences, vol. 3, no. 3, pp. 343–354, Dec. 2020. doi:10.35377/SAUCIS.03.03.757459
• [8] R. F. Sari and S. Hidayat, “Integrating web server applications with LDAP authentication: Case study on human resources information system of UI,” 2006 International Symposium on Communications and Information Technologies, 2026, pp. 307–312. doi:10.1109/ISCIT.2006.340053
• [9] S. Nakamato, “Bitcoin: A Peer-toPeer Electronic Cash System.” bitcoin.org, 2008. [Online]. Available: https://bitcoin.org/bitcoin.pdf. [Accessed: Oct. 15, 2023].
• [10] X. Li, Z. Zheng, and H. N. Dai, “When services computing meets blockchain: Challenges and opportunities,” Journal of Parallel and Distributed Computing, vol. 150, pp. 1–14, Apr. 2021. doi:10.1016/J.JPDC.2020.12.003
• [11] C. Delgado-Von-eitzen, L. Anido-Rifón, and M. J. Fernández-Iglesias, “Blockchain Applications in Education: A Systematic Literature Review,” Applied Sciences 2021, vol. 11, no. 24, p. 11811, Dec. 2021. doi:10.3390/APP112411811
• [12] J. Park, “Promises and challenges of Blockchain in education,” Smart Learning Environments, vol. 8, no. 1, Dec. 2021. doi:10.1186/S40561-021-00179-2
• [13] R. Raimundo and A. Rosario, “Blockchain System in the Higher Education,” European Journal of Investigation in Health, Psychology and Education 2021, vol. 11, no. 1, pp. 276–293, Mar. 2021. doi:10.3390/EJIHPE11010021
• [14] S. Saberi, M. Kouhizadeh, J. Sarkis, and L. Shen, “Blockchain technology and its relationships to sustainable supply chain management,” International Journal of Production Research, vol. 57, no. 7, pp. 2117–2135, Apr. 2018. doi:10.1080/00207543.2018.1533261
• [15] A. A. Khan, A. A. Laghari, A. A. Shaikh, S. Bourouis, A. M. Mamlouk, and H. Alshazly, “Educational Blockchain: A Secure Degree Attestation and Verification Traceability Architecture for Higher Education Commission,” Applied Sciences 2021, vol. 11, no. 22, p. 10917, Nov. 2021. doi:10.3390/APP112210917
• [16] S. Salamatian, W. Huleihel, A. Beirami, A. Cohen, and M. Medard, “Centralized vs Decentralized Targeted Brute-Force Attacks: Guessing with Side-Information,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3749–3759, 2020. doi:10.1109/TIFS.2020.2998949
• [17] P. G. Shah and J. Ayoade, “An Empricial Study of Brute Force Attack on Wordpress Website,” Proceedings - 5th International Conference on Smart Systems and Inventive Technology, 2023, pp. 659–662. doi:10.1109/ICSSIT55814.2023.10060966 [18] R. A. Grimes, Brute‐Force Attacks: Hacking Multifactor Authentication. New Jersey: Wiley, 2020, pp. 295–306. doi:10.1002/9781119672357.CH14
• [19] A. Nursetyo, D. R. Ignatius Moses Setiadi, E. H. Rachmawanto, and C. A. Sari, “Website and Network Security Techniques against Brute Force Attacks using Honeypot,” Proceedings of 2019 4th International Conference on Informatics and Computing, Oct. 2019. doi:10.1109/ICIC47613.2019.8985686
• [20] A. Rustemi, F. Dalipi, V. Atanasovski, and A. Risteski, “A Systematic Literature Review on Blockchain-Based Systems for Academic Certificate Verification,” IEEE Access, vol. 11, pp. 64679–64696, 2023. doi:10.1109/ACCESS.2023.3289598
• [21] A. Reyna, C. Martín, J. Chen, E. Soler, and M. Díaz, “On blockchain and its integration with IoT. Challenges and opportunities,” Future Generation Computer Systems, vol. 88, pp. 173–190, Nov. 2018. doi:10.1016/j.future.2018.05.046
• [22] F. Glaser, “Pervasive Decentralisation of Digital Infrastructures: A Framework for Blockchain enabled System and Use Case Analysis,” HICSS, 2017. [Online]. Available: https://www.semanticscholar.org/paper/Pervasive-Decentralisation-of-Digital-A-Framework-Glaser/859d0535e16095f274df4d69df54954b21258a13. [Accessed: Oct. 15, 2023].
• [23] S. Johar, N. Ahmad, W. Asher, H. Cruickshank, and A. Durrani, “Research and Applied Perspective to Blockchain Technology: A Comprehensive Survey,” Applied Sciences 2021, vol. 11, no. 14, p. 6252, Jul. 2021. doi:10.3390/APP11146252
• [24] A. Lewis, “So, You Want to Use a Blockchain for That?” CoinDesk, Jul. 16, 2022. [Online]. Available: https://www.coindesk.com/want-use-blockchain/. [Accessed: Oct. 15, 2023].
• [25] K. Burgess, “The Promise of Bitcoin and the Blockchain,” Consumers’ Research Primary, 2015. [Online]. Available: https://www.academia.edu/23117440/The_Promise_of_Bitcoin_and_the_Blockchain_A_product_of. [Accessed: Oct. 15, 2023].
• [26] M. Swan, Blockchain: Blueprint for a New Economy. California: O'Reilly Media, 2015. doi:10.1109/CANDAR.2017.50
• [27] J. L. Zhao, S. Fan, and J. Yan, “Overview of business innovations and research opportunities in blockchain and introduction to the special issue,” Financial Innovation, vol. 2, no. 1, p. 28, Dec. 2016. doi:10.1186/s40854-016-0049-2
• [28] D. Puthal, N. Malik, S. P. Mohanty, E. Kougianos, and G. Das, “Everything You Wanted to Know about the Blockchain: Its Promise, Components, Processes, and Problems,” IEEE Consumer Electronics Magazine, vol. 7, no. 4, pp. 6–14, Jul. 2018. doi:10.1109/MCE.2018.2816299
• [29] BBC News, “Bitcoin consumes,” BBC News, Feb. 10, 2021, [Online]. Available: https://www.bbc.com/news/technology-56012952. [Accessed: Oct. 15, 2023].
• [30] S. Wang, R. Pei, and Y. Zhang, “EIDM: A Ethereum-Based Cloud User Identity Management Protocol,” IEEE Access, vol. 7, pp. 115281–115291, Aug. 2019. doi:10.1109/access.2019.2933989
• [31] L. Xiong, F. Li, S. Zeng, T. Peng, and Z. Liu, “A Blockchain-Based Privacy-Awareness Authentication Scheme with Efficient Revocation for Multi-Server Architectures,” IEEE Access, vol. 7, pp. 125840–125853, 2019. doi:10.1109/ACCESS.2019.2939368
• [32] W. Jiang, H. Li, G. Xu, M. Wen, G. Dong, and X. Lin, “PTAS: Privacy-preserving Thin-client Authentication Scheme in blockchain-based PKI,” Future Generation Computer Systems, vol. 96, pp. 185–195, Jul. 2019. doi:10.1016/j.future.2019.01.026
• [33] C. Fromknecht and S. Yakoubov, “CertCoin: A NameCoin Based Decentralized Authentication System 6.857 Class Project,” 2014.
• [34] L. Axon and M. Goldsmith, “PB-PKI: A privacy-aware blockchain-based PKI,” in ICETE 2017 - Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, SciTePress, 2017. pp. 311–318. doi:10.5220/0006419203110318
• [35] U. Khalid, M. Asim, T. Baker, P. C. K. Hung, M. A. Tariq, and L. Rafferty, A decentralized lightweight blockchain-based authentication mechanism for IoT systems: Cluster Computing. New York: Springer, 2020, pp. 1–21. doi:10.1007/s10586-020-03058-6
• [36] Y. Ezawa, M. Takita, Y. Shiraishi, S. Kakei, M. Hirotomo, Y. Fukuta, M. Mohri, M. Morii, “Designing Authentication and Authorization System with Blockchain,” 14th Asia Joint Conference on Information Security (AsiaJCIS), IEEE, Aug. 2019, pp. 111–118. doi:10.1109/AsiaJCIS.2019.00006
• [37] S. Patel, A. Sahoo, B. K. Mohanta, S. S. Panda, and D. Jena, “DAuth: A Decentralized Web Authentication System using Ethereum based Blockchain,” International Conference on Vision Towards Emerging Trends in Communication and Networking, ViTECoN 2019, Institute of Electrical and Electronics Engineers Inc., 2019. doi:10.1109/ViTECoN.2019.8899393
• [38] A. Petcu, B. Pahontu, M. Frunzete, and D. A. Stoichescu, “A Secure and Decentralized Authentication Mechanism Based on Web 3.0 and Ethereum Blockchain Technology,” Applied Sciences 2023, vol. 13, no. 4, p. 2231, Feb. 2023. doi:10.3390/APP13042231
• [39] J. Chen, Z. Zhan, K. He, R. Du, D. Wang, and F. Liu, “XAuth: Efficient Privacy-preserving Cross-domain Authentication,” IEEE Transactions on Dependable and Secure Computing, 2021. doi:10.1109/TDSC.2021.3092375
• [40] R. F. Olanrewaju, B. U. I. Khan, M. A. Morshidi, F. Anwar, and M. L. B. M. Kiah, “A Frictionless and Secure User Authentication in Web-Based Premium Applications,” IEEE Access, vol. 9, pp. 129240–129255, 2021. doi:10.1109/ACCESS.2021.3110310
• [41] M. P. Rodríguez Bolívar, A. Pozzebon, A. Mohammad, and S. Vargas, “Barriers Affecting Higher Education Institutions’ Adoption of Blockchain Technology: A Qualitative Study,” Informatics 2022, vol. 9, no. 3, p. 64, Aug. 2022. doi:10.3390/INFORMATICS9030064
• [42] A. Mohammad and S. Vargas, “Challenges of Using Blockchain in the Education Sector : A Literature Review,” Applied Sciences, vol. 12, no. 13, Jul. 2022. doi:10.3390/APP12136380
• [43] Etherscan, “Ethereum Charts and Statistics | Etherscan,” etherscan.io, [Online]. Available: https://etherscan.io/charts. [Accessed: Sep. 15, 2023].
• [44] Metamask, “MetaMask,” metamask.io, [Online]. Available: https://MetaMask.io/. [Accessed: Oct. 15, 2023].
• [45] Trust Wallet, “Trust Wallet,” trustwallet.com, [Online]. Available: https://trustwallet.com/.[Accessed: Oct. 15, 2023].
• [46] MetaMask, “MetaMask Statistics 2023,” earthweb.com, Mar. 16, 2023. [Online]. Available: https://earthweb.com/MetaMask-statistics/#Detailed_MetaMask_Statistics_2023. [Accessed: Oct. 15, 2023].
• [47] Pragathoys, “GitHub pragathoys,” github.com, Apr. 28, 2022. [Online]. Available: https://github.com/pragathoys/web3-simple-login-with-MetaMask. [Accessed: Sep. 18, 2023].
• [48] Skiff, “Skiff-Log in with MetaMask,” skiff.com, Fab. 12, 2021. [Online]. Available: https://skiff.com/blog/log-in-with-metamask. [Accessed: Oct. 16, 2023].
• [49] A. Zohar, “Bitcoin,” Communications of the ACM, vol. 58, no. 9, 2015. doi:10.1145/2701411