Web Uygulamaları için Blokzinciri Tabanlı Güvenli bir Kimlik Doğrulama Çözümü

Abstract

İçinde bulunduğumuz bilgi ve teknoloji çağında web uygulamaları günlük yaşamının önemli bir parçası haline gelmiştir. Önemli kişisel ve kurumsal bilgilerin yönetildiği bu web uygulamalarının dış dünya ile irtibatı kimlik doğrulama yöntemleri ile sağlanmaktadır. Günümüzde çoğu uygulama kimlik doğrulama için geleneksel kullanıcı adı-şifre yöntemini kullanmaktadır. Kaba Kuvvet (Brute force) saldırılarına karşı savunmasız olan bu yöntem ciddi güvenlik açıklarına neden olmaktadır. Bu yöntemde çoğu kullanıcı aynı giriş bilgilerini farklı uygulamalarda kullandığından dolayı bir saldırı birçok uygulamayı etkileyebilmektedir. Bazı uygulamalar da kimlik doğrulaması için Google ve Facebook gibi üçüncü taraf sistemlere güvenmeyi tercih etmektedir. Bu sistemler de veri güvenliği ve tek nokta hatası gibi nedenlerden dolayı riskler barındırmaktadır. Kimlik doğrulama alanındaki daha fazla güvenlik için iki Faktörlü Kimlik Doğrulama (2FA) yöntemi üzerinde çalışmalar yapılmıştır. Bu yöntemin de GMS şebeke problemleri, SMS maliyeti, merkezi yapılara bağımlılığı gibi sorunları bulunmaktadır. Bu yaşanan sorunların üstesinden gelmek için blockchain, dağıtık, şeffaf, güvenli ve değişmez yapısı sayesinde uygun bir çözüm olarak karşımıza çıkmaktadır. Kimlik doğrulama gibi önemli ve hassas bir konuda henüz gelişimi devam eden blokzinciri teknolojisini tek yöntemin olarak sunulmasının da riskli olabileceği düşünülmüştür. Mevcut durum değerlendirildiğinde bu çalışmada halihazırda hizmet veren web uygulamaları için çalışan kimlik doğrulama yöntemlerine ek olarak blokzinciri tabanlı güvenli bir çözümün alternatif olarak sunulmasına ilişkin bir öneride bulunulmuştur. Önerilen çözümde kullanılan yeni teknoloji ve araçlar görsellerle desteklenerek açıklanmıştır.

Keywords

• Blokzinciri
• Güvenlik
• Kimlik doğrulama
• web uygulaması
• Web3
• Ethereum

Blockchain-Based Secure Authentication Solution for Web Applications

Abstract

In the age of information and technology, web applications have become an important part of daily life. The communication of these web applications, where important personal and corporate information is managed, with the outside world is provided by authentication methods. Today, most applications use the traditional username-password method for authentication. This method, which is vulnerable to brute force attacks, causes serious security vulnerabilities. In this method, since most users use the same login credentials in different applications, an attack can affect many applications. Some applications also prefer to rely on third-party systems such as Google and Facebook for authentication. Due to their nature, these systems have risks such as data security and single point failure. For more security in the authentication area, studies have been carried out on the Two-Factor Authentication (2FA) method This method has serious disadvantages such as GSM network problems, SMS cost or centralization. To overcome these problems, blockchain is a suitable solution thanks to its distributed, transparent, secure and immutable structure. In an important and sensitive issue such as identity control, it is thought that it may be risky to present blockchain technology, which is still under development, as the only method. Considering the current situation, in this study, a proposal has been made to offer a secure blockchain-based solution as an alternative to the authentication methods that currently work for web applications. The new technologies and tools used in the proposed solution are explained with visuals.

Keywords

• Blockchain
• Security
• Authentication
• Web application
• Web3
• Ethereum
• MetaMask

References

1. [1] A. Szymkowiak, B. Melović, M. Dabić, K. Jeganathan, and G. S. Kundi, “Information technology and Gen Z: The role of teachers, the internet, and technology in the education of young people,” Technology in Society, vol. 65, p. 101565, May 2021. doi:10.1016/J.TECHSOC.2021.101565
2. [2] W. Liang, Y. Wang, Y. Ding, H. Zheng, H. Liang, and H. Wang, “An efficient blockchain-based anonymous authentication and supervision system,” Peer-to-Peer Networking and Applications, vol. 16, no. 5, pp. 2492–2511, Sep. 2023. doi:10.1007/S12083-023-01518-5/FIGURES/6
3. [3] J. Zhu, Y. Wei, and X. Shang, “Decentralized Dynamic Identity Authentication System Based on Blockchain,” Proceedings - 2021 International Conference on Networking Systems of AI, INSAI 2021, 2021, pp. 1–4. doi:10.1109/INSAI54028.2021.00012
4. [4] W. Ao, S. Fu, C. Zhang, Y. Huang, and F. Xia, “A Secure Identity Authentication Scheme Based on Blockchain and Identity-based Cryptography,” in 2019 IEEE 2nd International Conference on Computer and Communication Engineering Technology (CCET), 2019, pp. 90–95. doi:10.1109/CCET48361.2019.8989361
5. [5] L. Xiong, F. Li, S. Zeng, T. Peng, and Z. Liu, “A Blockchain-Based Privacy-Awareness Authentication Scheme with Efficient Revocation for Multi-Server Architectures,” IEEE Access, vol. 7, pp. 125840–125853, 2019. doi:10.1109/ACCESS.2019.2939368
6. [6] K. Greene, D. Rodgers, H. Dykhuizen, K. McNeil, Q. Niyaz, and K. Al Shamaileh, “Timestamp-based defense mechanism against replay attack in remote keyless entry systems,” Digest of Technical Papers - IEEE International Conference on Consumer Electronics, vol. 2020-January, Jan. 2020, doi:10.1109/ICCE46568.2020.9043039
7. [7] M. Tanriverdi, “Design and Implementation of Blockchain Based Single Sign-On Authentication System for Web Applications,” Sakarya University Journal of Computer and Information Sciences, vol. 3, no. 3, pp. 343–354, Dec. 2020. doi:10.35377/SAUCIS.03.03.757459
8. [8] R. F. Sari and S. Hidayat, “Integrating web server applications with LDAP authentication: Case study on human resources information system of UI,” 2006 International Symposium on Communications and Information Technologies, 2026, pp. 307–312. doi:10.1109/ISCIT.2006.340053

9. [9] S. Nakamato, “Bitcoin: A Peer-toPeer Electronic Cash System.” bitcoin.org, 2008. [Online]. Available: https://bitcoin.org/bitcoin.pdf. [Accessed: Oct. 15, 2023].
10. [10] X. Li, Z. Zheng, and H. N. Dai, “When services computing meets blockchain: Challenges and opportunities,” Journal of Parallel and Distributed Computing, vol. 150, pp. 1–14, Apr. 2021. doi:10.1016/J.JPDC.2020.12.003
11. [11] C. Delgado-Von-eitzen, L. Anido-Rifón, and M. J. Fernández-Iglesias, “Blockchain Applications in Education: A Systematic Literature Review,” Applied Sciences 2021, vol. 11, no. 24, p. 11811, Dec. 2021. doi:10.3390/APP112411811
12. [12] J. Park, “Promises and challenges of Blockchain in education,” Smart Learning Environments, vol. 8, no. 1, Dec. 2021. doi:10.1186/S40561-021-00179-2
13. [13] R. Raimundo and A. Rosario, “Blockchain System in the Higher Education,” European Journal of Investigation in Health, Psychology and Education 2021, vol. 11, no. 1, pp. 276–293, Mar. 2021. doi:10.3390/EJIHPE11010021
14. [14] S. Saberi, M. Kouhizadeh, J. Sarkis, and L. Shen, “Blockchain technology and its relationships to sustainable supply chain management,” International Journal of Production Research, vol. 57, no. 7, pp. 2117–2135, Apr. 2018. doi:10.1080/00207543.2018.1533261
15. [15] A. A. Khan, A. A. Laghari, A. A. Shaikh, S. Bourouis, A. M. Mamlouk, and H. Alshazly, “Educational Blockchain: A Secure Degree Attestation and Verification Traceability Architecture for Higher Education Commission,” Applied Sciences 2021, vol. 11, no. 22, p. 10917, Nov. 2021. doi:10.3390/APP112210917
16. [16] S. Salamatian, W. Huleihel, A. Beirami, A. Cohen, and M. Medard, “Centralized vs Decentralized Targeted Brute-Force Attacks: Guessing with Side-Information,” IEEE Transactions on Information Forensics and Security, vol. 15, pp. 3749–3759, 2020. doi:10.1109/TIFS.2020.2998949
17. [17] P. G. Shah and J. Ayoade, “An Empricial Study of Brute Force Attack on Wordpress Website,” Proceedings - 5th International Conference on Smart Systems and Inventive Technology, 2023, pp. 659–662. doi:10.1109/ICSSIT55814.2023.10060966 [18] R. A. Grimes, Brute‐Force Attacks: Hacking Multifactor Authentication. New Jersey: Wiley, 2020, pp. 295–306. doi:10.1002/9781119672357.CH14
18. [19] A. Nursetyo, D. R. Ignatius Moses Setiadi, E. H. Rachmawanto, and C. A. Sari, “Website and Network Security Techniques against Brute Force Attacks using Honeypot,” Proceedings of 2019 4th International Conference on Informatics and Computing, Oct. 2019. doi:10.1109/ICIC47613.2019.8985686
19. [20] A. Rustemi, F. Dalipi, V. Atanasovski, and A. Risteski, “A Systematic Literature Review on Blockchain-Based Systems for Academic Certificate Verification,” IEEE Access, vol. 11, pp. 64679–64696, 2023. doi:10.1109/ACCESS.2023.3289598
20. [21] A. Reyna, C. Martín, J. Chen, E. Soler, and M. Díaz, “On blockchain and its integration with IoT. Challenges and opportunities,” Future Generation Computer Systems, vol. 88, pp. 173–190, Nov. 2018. doi:10.1016/j.future.2018.05.046
21. [22] F. Glaser, “Pervasive Decentralisation of Digital Infrastructures: A Framework for Blockchain enabled System and Use Case Analysis,” HICSS, 2017. [Online]. Available: https://www.semanticscholar.org/paper/Pervasive-Decentralisation-of-Digital-A-Framework-Glaser/859d0535e16095f274df4d69df54954b21258a13. [Accessed: Oct. 15, 2023].
22. [23] S. Johar, N. Ahmad, W. Asher, H. Cruickshank, and A. Durrani, “Research and Applied Perspective to Blockchain Technology: A Comprehensive Survey,” Applied Sciences 2021, vol. 11, no. 14, p. 6252, Jul. 2021. doi:10.3390/APP11146252
23. [24] A. Lewis, “So, You Want to Use a Blockchain for That?” CoinDesk, Jul. 16, 2022. [Online]. Available: https://www.coindesk.com/want-use-blockchain/. [Accessed: Oct. 15, 2023].
24. [25] K. Burgess, “The Promise of Bitcoin and the Blockchain,” Consumers’ Research Primary, 2015. [Online]. Available: https://www.academia.edu/23117440/The_Promise_of_Bitcoin_and_the_Blockchain_A_product_of. [Accessed: Oct. 15, 2023].
25. [26] M. Swan, Blockchain: Blueprint for a New Economy. California: O'Reilly Media, 2015. doi:10.1109/CANDAR.2017.50
26. [27] J. L. Zhao, S. Fan, and J. Yan, “Overview of business innovations and research opportunities in blockchain and introduction to the special issue,” Financial Innovation, vol. 2, no. 1, p. 28, Dec. 2016. doi:10.1186/s40854-016-0049-2
27. [28] D. Puthal, N. Malik, S. P. Mohanty, E. Kougianos, and G. Das, “Everything You Wanted to Know about the Blockchain: Its Promise, Components, Processes, and Problems,” IEEE Consumer Electronics Magazine, vol. 7, no. 4, pp. 6–14, Jul. 2018. doi:10.1109/MCE.2018.2816299
28. [29] BBC News, “Bitcoin consumes,” BBC News, Feb. 10, 2021, [Online]. Available: https://www.bbc.com/news/technology-56012952. [Accessed: Oct. 15, 2023].
29. [30] S. Wang, R. Pei, and Y. Zhang, “EIDM: A Ethereum-Based Cloud User Identity Management Protocol,” IEEE Access, vol. 7, pp. 115281–115291, Aug. 2019. doi:10.1109/access.2019.2933989
30. [31] L. Xiong, F. Li, S. Zeng, T. Peng, and Z. Liu, “A Blockchain-Based Privacy-Awareness Authentication Scheme with Efficient Revocation for Multi-Server Architectures,” IEEE Access, vol. 7, pp. 125840–125853, 2019. doi:10.1109/ACCESS.2019.2939368
31. [32] W. Jiang, H. Li, G. Xu, M. Wen, G. Dong, and X. Lin, “PTAS: Privacy-preserving Thin-client Authentication Scheme in blockchain-based PKI,” Future Generation Computer Systems, vol. 96, pp. 185–195, Jul. 2019. doi:10.1016/j.future.2019.01.026
32. [33] C. Fromknecht and S. Yakoubov, “CertCoin: A NameCoin Based Decentralized Authentication System 6.857 Class Project,” 2014.
33. [34] L. Axon and M. Goldsmith, “PB-PKI: A privacy-aware blockchain-based PKI,” in ICETE 2017 - Proceedings of the 14th International Joint Conference on e-Business and Telecommunications, SciTePress, 2017. pp. 311–318. doi:10.5220/0006419203110318
34. [35] U. Khalid, M. Asim, T. Baker, P. C. K. Hung, M. A. Tariq, and L. Rafferty, A decentralized lightweight blockchain-based authentication mechanism for IoT systems: Cluster Computing. New York: Springer, 2020, pp. 1–21. doi:10.1007/s10586-020-03058-6
35. [36] Y. Ezawa, M. Takita, Y. Shiraishi, S. Kakei, M. Hirotomo, Y. Fukuta, M. Mohri, M. Morii, “Designing Authentication and Authorization System with Blockchain,” 14th Asia Joint Conference on Information Security (AsiaJCIS), IEEE, Aug. 2019, pp. 111–118. doi:10.1109/AsiaJCIS.2019.00006
36. [37] S. Patel, A. Sahoo, B. K. Mohanta, S. S. Panda, and D. Jena, “DAuth: A Decentralized Web Authentication System using Ethereum based Blockchain,” International Conference on Vision Towards Emerging Trends in Communication and Networking, ViTECoN 2019, Institute of Electrical and Electronics Engineers Inc., 2019. doi:10.1109/ViTECoN.2019.8899393
37. [38] A. Petcu, B. Pahontu, M. Frunzete, and D. A. Stoichescu, “A Secure and Decentralized Authentication Mechanism Based on Web 3.0 and Ethereum Blockchain Technology,” Applied Sciences 2023, vol. 13, no. 4, p. 2231, Feb. 2023. doi:10.3390/APP13042231
38. [39] J. Chen, Z. Zhan, K. He, R. Du, D. Wang, and F. Liu, “XAuth: Efficient Privacy-preserving Cross-domain Authentication,” IEEE Transactions on Dependable and Secure Computing, 2021. doi:10.1109/TDSC.2021.3092375
39. [40] R. F. Olanrewaju, B. U. I. Khan, M. A. Morshidi, F. Anwar, and M. L. B. M. Kiah, “A Frictionless and Secure User Authentication in Web-Based Premium Applications,” IEEE Access, vol. 9, pp. 129240–129255, 2021. doi:10.1109/ACCESS.2021.3110310
40. [41] M. P. Rodríguez Bolívar, A. Pozzebon, A. Mohammad, and S. Vargas, “Barriers Affecting Higher Education Institutions’ Adoption of Blockchain Technology: A Qualitative Study,” Informatics 2022, vol. 9, no. 3, p. 64, Aug. 2022. doi:10.3390/INFORMATICS9030064
41. [42] A. Mohammad and S. Vargas, “Challenges of Using Blockchain in the Education Sector : A Literature Review,” Applied Sciences, vol. 12, no. 13, Jul. 2022. doi:10.3390/APP12136380
42. [43] Etherscan, “Ethereum Charts and Statistics | Etherscan,” etherscan.io, [Online]. Available: https://etherscan.io/charts. [Accessed: Sep. 15, 2023].
43. [44] Metamask, “MetaMask,” metamask.io, [Online]. Available: https://MetaMask.io/. [Accessed: Oct. 15, 2023].
44. [45] Trust Wallet, “Trust Wallet,” trustwallet.com, [Online]. Available: https://trustwallet.com/.[Accessed: Oct. 15, 2023].
45. [46] MetaMask, “MetaMask Statistics 2023,” earthweb.com, Mar. 16, 2023. [Online]. Available: https://earthweb.com/MetaMask-statistics/#Detailed_MetaMask_Statistics_2023. [Accessed: Oct. 15, 2023].
46. [47] Pragathoys, “GitHub pragathoys,” github.com, Apr. 28, 2022. [Online]. Available: https://github.com/pragathoys/web3-simple-login-with-MetaMask. [Accessed: Sep. 18, 2023].
47. [48] Skiff, “Skiff-Log in with MetaMask,” skiff.com, Fab. 12, 2021. [Online]. Available: https://skiff.com/blog/log-in-with-metamask. [Accessed: Oct. 16, 2023].
48. [49] A. Zohar, “Bitcoin,” Communications of the ACM, vol. 58, no. 9, 2015. doi:10.1145/2701411