Blockchain based Approach to Enhance Big Data

Download PDF
0 downloads 0 Views 234KB Size Report
Comment
Blockchain authentication was initially introduced in Bitcoin for transaction .... public-key cryptography for both initial authentication of clients (TGT) and ..... [13] Z. Whittaker, “6.46 million LinkedIn passwords leaked online,”. ZDNet. [Online].
Blockchain based Approach to Enhance Big Data Authentication in Distributed Environment Nazri Abdullah, Anne Håkansson School of Information and Communication Technology, KTH Royal Institute of Technology, Kista, Sweden

Esmiralda Moradian Department of Computer and System Sciences, Stockholm University, Kista, Sweden [email protected]

{nazri, annehak}@kth.se

Abstract—Existing authentication protocols for Big Data system such as Apache Hadoop is based on Kerberos. In the Kerberos protocol, there are numerous security issues that have remained unsolved; replay attacks, DDoS and single point of failure are some examples. These indicate potential security vulnerabilities and Big Data risks in using Hadoop. This paper presents drawbacks of Kerberos implementations and identifies authentication requirements that can enhance the security of Big Data in distributed environments. The enhancement proposed is based on the rising technology of blockchain that overcomes shortcomings of Kerberos. Keywords-Big Data; Authentication; Hadoop; Distributed Network; Security; Blockchain.

I.

INTRODUCTION

Security of Big Data has become important because of continuously increasing exchange of sensitive data. Big Data is the collection of complex and large amount of structured (in relational databases) and unstructured data (document files, images, video). Data are being collected by multitude independent sources, where they are often then fused and analysed to generate knowledge. Enterprises and organizations use knowledge to optimize corporate decision making processes, predict future trends and more. Hence, these data are a valuable asset in today’s economy. While people require the benefits of Big Data, security and privacy of Big Data, stored on distributed cloud storage, has become an important issue. Concerns have focused on security and protection of sensitive information, where these relate to new threats to information security and adopting existing traditional security measures is not adequate. Cloud Security Alliance (CSA) published a document that lists the top ten challenges to protecting Big Data systems [1] and one of the ten challenges stated and most critical is granular access control. The current authentication system of Apache Hadoop [2] exposes the entire Big Data solution to a security issue due to Kerberos’ system vulnerabilities. Limitations of Kerberos [3] are evident in version 4 and early drafts of version 5; replay attacks, key exposure and time synchronization are vulnerabilities identified.

Briefly, the Kerberos Authentication System [4] uses a series of encrypted messages to prove to a verifier that a client is running on behalf of a particular user. The Kerberos protocol is based on the Needham and Schroeder authentication protocol [5], but it includes support for the needs of the environment for which it was developed. Among these changes are the use of timestamps, which reduce the number of messages needed for basic authentication [6], a ticket-granting service that supports subsequent authentication without re-entry of a principal's password and different approaches to cross-realm authentication. This paper presents the structural drawbacks and identify authentication requirements that can enhance security of Big Data in distributed environments. Generally, authentication requirements are policies that dictate how a user must authenticate before access is granted to a protected service. This paper improves policies by enabling disintermediation of a third-party entity, empowered user control, durability and reliability of an authentication protocol. The intent is to take advantage of blockchain technology such as passwordless/keyless authentication, data encryption and a lack of need for a third party or a central database. Blockchain authentication was initially introduced in Bitcoin for transaction verification [7]. II.

MOTIVATION AND BACKGROUND

Kerberos provides mutual authentication and authorization for applications of clients and servers by using secret-key cryptography [8]. The cryptography protocol behind Kerberos is to ensure that a client can prove his/her identity to a server or vice versa across insecure network communications. However, there are limitations in using Kerberos for Hadoop authentication that exposes the entire Big Data solution into a variety of security issues such as data theft and hacks. The security of Hadoop is based on Kerberos enhancements after Intel launched an open source effort called Project Rhino in 2013 [9]. In the project, Token-Based Authentication and Single Sign-On were introduced, which initially were planned to support tokens for many authentication mechanisms such as Lightweight Directory Access Protocol (LDAP) [10], Kerberos X.509 Certificate

authentication [11] and Security Assertion Markup Language (SAML) [12]. The solution in Project Rhino is mainly focused on how to extend the existing authentication framework to a standard interface for supporting different types of authentication protocols. III.

SECURITY ISSUES OF BIG DATA AUTHENTICATION

The need and application of Big Data has presented a number and wide variety of security challenges for Kerberos. Below, examples of different types of identified challenges are indicated for Kerberos before a blockchain solution is presented. A. Password-based Authentication Password-based authentication is commonly used in an authentication protocol including Kerberos. A session key for data encryption is derived from the user’s password during the initial communication phase to the Key Distribution Center (KDC). Unfortunately, as has been shown in many cases, passwords are relatively easy to break [13]. For example, breaches have occurred due to mistakes of handling clients’ passwords and all other passwords in an affected database where they were encrypted with the same key [14]. The problem is that the encryption algorithm does not handle identical plaintexts, which results in similar passwords being encrypted into similar ciphers. Disclosure of KDC passwords allows attackers to capture user’s credentials, which, in turn, makes Hadoop’s security to be useless. In fact, compromised passwords and credentials were indicated as major data breaches in 2015 [15]. B. Replay Attacks A replay attack occurs when an intruder steals a packet from the network and forwards the packet to a service or application as if the intruder was the user who originally sent the packet. When the packet is an authentication packet, the intruder can use the replay attack to authenticate on the behalf of another person and, consequently, access that person's resources or data. The feature of the Authenticator embedded in the Kerberos protocol mitigates this effect. The protocol sends additional data, such as an encrypted IP list, a timestamp of the client and a ticket lifetime. If a packet is replayed, the timestamp is checked again, otherwise the timestamp is only checked when a packet is replayed. If the timestamp is checked earlier or is the same as a previous authenticator, the packet is rejected because of the replay. However, the protocol cannot handle cases when the same authenticator is used in a simultaneous session. C. Brute Force Attacks Kerberos is vulnerable to password guessing since it cannot detect a dictionary attack [16]. Brute-force passwordcracking attacks target the encrypted timestamp that is embedded in the Kerberos pre-authentication data [17]. The timestamp is encrypted using a key based on the user’s password. Because timestamps are relatively easy to recognize, it is possible to mount brute-force attacks against the encrypted pre-authentication data and derive the user’s password. There are ways to protect against this attack; for

example, using Windows smartcard logon with Kerberos extension or encrypt the network traffic between the client and the KDC using IP Security (IPSec). D. Keys Exposure Kerberos makes use of random session keys for authentication transactions as well as secret keys. These keys are commonly stored in the user’s workstation. The keys are used to prove the identity and verify the authenticity of messages. The secrecy of keys is critical to the integrity of the Kerberos system. If one of the keys is compromised, then anything authenticated by that key cannot be trusted. Kerberos version 5 defines a new form of cryptography key exchange using Diffie-Hellman, which provides stronger shared secrets with perfect forward secrecy [18, p. 5]. However, Logjam is a new attack against the Diffie-Hellman key exchange protocol used in the TLS protocol. This allows the attacker to read and modify any data passed over a connection [19]. E. Single Point of Failure Centralized services of Kerberos lies in having a single point of failure [20]. When the KDC is out of service, the entire big data system suffers from Kerberos unavailability. Even though it can be mitigated by using multiple Kerberos servers, the pairwise key exchange requires many key exchanges for a multiple realm. Because Kerberos depends on a third-party database for its keys, if any attacker has access to the KDC, the entire Kerberos authentication infrastructure is compromised and the attacker can gain root access to the database of encrypted passwords. The attacker also has access to the Kerberos software and configuration files, both of which the attacker can modify to make the system perform authentication differently [21]. This issue highlights threats in Kerberos, including protection against an administrator who has the privilege to install hardware/software key loggers or malware to steal a user’s credentials and other sensitive data (e.g., password, session keys and data). F. Time Synchronization In the centralized system, time synchronization is the coordination of time among independent clocks of servers or clients in the network environment. It is part of security in Kerberos authentication, which is based on the timestamps of tickets and, hence, it is critical to have accurate synchronous clocks on Kerberos servers to prevent replay attacks. However, in a distributed environment, perfection of this function is hard to achieve. Network Time Protocol (NTP) used for time synchronization is exploitable and exposed to remote attackers that can cause a denial-of service (DoS) condition [22]. DNS hijacking and Man-In-The-Middle attacks have recently been commonly deployed against NTP due to their wide use across the Internet with no encryption, such as SSL, and without authentication. G. Denial-of-Service (DoS) Attacks DoS is an attack from multiple systems used to target a single system that causes a system failure. Kerberos does not

protect against DoS attacks [23]. There are some weaknesses in the protocol, where an intruder can avoid an application from participating in the proper authentication steps. Secret key sharing or key theft can allow impersonation attacks. If intruders somehow steal a user’s master key, they will be able to disguise themselves as that user or service [24]. The Kerberos protocol does not protect against typical password vulnerabilities, such as password guessing. If a user chooses a poor password, an attacker might successfully mount an offline dictionary attack by repeatedly attempting to decrypt messages that are encrypted by a key derived from the user’s password [3]. H. Unscalable Protection The scalability problem of Kerberos makes it difficult to expand its services easily. Security architecture of Kerberos was designed, to some extent, to follow evolutionary-proven tendencies. The responsibilities of managing unique identity, or Identity Management System, are to act as security servers so that clients and generic servers do not have to maintain, secure and coordinate individual databases. The responsibility of managing unique identity, including principal and password information, is to act as security servers so that clients and generic servers do not have to maintain, secure and coordinate individual databases. Security, however, is an obstacle when approaching a larger network like the Internet. Existing solutions use public-key cryptography for both initial authentication of clients (TGT) and cross-realm authentication. However, the primary drawback of these authentication approaches is the assumption that the host on the network has to be trusted. However, there are cases where the attacker compromises the host and non-expired tickets, which remain in the host’s cache memory, can be used by attackers. I. Certificate Authorities Certificate Authorities (CA) is a third-party entity that is responsible for issuing and managing digital certificates for a network of users [25]. The purpose of CA is to facilitate verification of a user who holds a certain public key and look up whether or not public keys correspond to particular users. The main role of CA in the network is as an agent of trust for the network since anyone that trusts the CA should also trust certificates they provide. CA is a centralized entity, which if exposed into numerous incidents of attacks, could cause the unavailability of service. DigiNotar [26], for example, faced a security breach that resulted in a fraudulent issuing of certificates and declared bankruptcy after the incident. Additionally, since CA backs up users’ signing keys, those would allow the CA to impersonate the key owner. IV.

REQUIREMENTS OF BIG DATA AUTHENTICATION

Because Big Data utilize a complex distributed system where the main challenge is the complexity of managing a large implementation, new approaches to security are required. Authentication and data access control should be managed by a decentralized, flexible, scalable, strong authentication and authorization that deny any malicious user

from getting access to Big Data servers. Hence, new requirements need to overcome the shortcomings of security flaws in existing implementation. This section briefly discusses new requirements that can enhance authentication of Big Data. A. Decentralized Authentication Decentralized authentication replaces username/password generated keys and the client-side SSL certificate with elliptic curve cryptographic generated keys; this is the same method used in a blockchain protocol [7], [27]. This eliminates central database storing of user information, which is vulnerable to hackers who compromise entire credentials. The user password in this authentication is only used in the user’s own machine to access the private key. The private key is never revealed through the network or server and cannot be exchanged between the server and client over a side channel. This authentication protocol is based on irrefutable identity verification using digital signatures based on public keys. A user is verified when the message or transaction was assigned by an approved private key. It is inferred that whoever has access to the private key is the owner and the exact identity of the owner is irrelevant. B. Passwordless & Anonymous Authentication A passwordless authentication has for years been an ideal method for security. In this method, there are plenty of ways to handle authentication, such as, biometric-, PKI- and QRCode-based authentication. However, these three methods are coupled to a central identity database, a central authority and it is not anonymous. Recently, blockchain based identity presented a possible solution to replace username and password with more secure authentication and access control. This identity system is similar to other blockchain-based cryptocurrencies, such as Bitcoin. A totally digital identity that is securely used for any type of transaction with any online system is Secure Identity Number (SIN) [28]. A SIN is the unique record identifier by which an identity will be known. And no centralized infrastructure or entity is required. The identity is secure and under full control of the owner. SIN can support the full range of identity and authentication requirements. SIN generates based on a cryptographic key pair according to the following calculation: Base58check(0x0F + 0x02 + ripemnd160(sha256(k1)) k1 is 0x0F

user public key from an ECDSA secp256k1 key pair, is the special byte for SINs and 0x02 is the type of

SIN. C. No Session Keys Using SIN is considered to be more secure than session key sharing in an existing authentication protocol like Kerberos. The SIN can be shared openly for everyone, as the corresponding private key is kept on the client-side and never transmitted over the wire, and not shared with any entity. During authentication process, server verifies a user by validating their digital signature against the user-shared public key and the SIN user shared previously. It confirms

that the signed nonce is greater than this SIN’s previous nonce to prevent against replay attacks and subsequently authenticate the user request. The advantage of using SIN in identity is in portability, where the same identity can be used on multiple devices without exposing your credentials and session keys. D. Zero Single Point of Failure System Blockchain is a distributed and decentralized data storage technology that maintains a continuously growing list of ordered records. It eliminates the risks that come with data being held centrally and also reduces the vulnerability of network hackers or point of failure. Every blockchain server used for mining purposes has a copy of the blockchain. Data quality is maintained by massive database replication and is cryptographically trusted. Blockchain used in an authentication system creates a tamper-proof digital identity potentially to reduce the effectiveness of phishing attacks. The decentralized nature of the entire blockchain network would make it impossible for the infrastructure to fail under an excess of requests. Hence, as an authentication method, which is based on blockchain technology, it would be immune to DDoS attacks. E. Prevent Data Theft The increase in the amount of hacking incidents and data theft that has caused consternation concerning the accessing of sensitive information, in particular financial data including bank accounts, credit cards and medical records. Petland, who is a Professor in MIT has explored blockchain to build Enigma [29], which could potentially allow databases to retain sensitive information and process them without risking exposure to malicious parties. Enigma is described as a peerto-peer network, enabling different parties to jointly store and run computations on data while keeping the data completely private. The technology of blockchain does not completely hinder theft; the technology makes it harder to break into a system. The entire infrastructure of its implementation enhances privacy, security and freedom of conveyance of data. F. Unbreakable Record Blockchain technology is a new type of database, which can be directly shared by a group of non-trust parties without requiring a central administration, unlike SQL or NoSQL databases. Blockchain is a type of distributed database that maintains an irreversibly growing list of ordered records called blocks. Each block contains a timestamp and a link to a previous block [7]. The records are computationally impractical to alter or reverse; it would be possible to protect transactions from fraudulent actions or theft. By using the principle of hash and block [30], the data cannot be changed once data has been written to blockchain. None of the users, even administrators, are able to change or delete the existing chain of blocks. Every copy of blockchain, in the network, has to be the same through the network. Then, consensus is achieved by a proof-of-work protocol in the mining process [31]. A proof-of-work protocol is a piece of data, which is difficult to produce but easy to verify by others. This makes

blockchain suitable for recording sensitive information, such as identity, medical and monetary information. V.

RELATED WORK

Wang and Feng [32] proposed improvement for Kerberos based on dynamic user passwords and implemented key security exchange by using a Diffie-Hellman algorithm. The result helps to solve data packet issues when carrying user credentials, such as passwords, which are vulnerable to brute force attacks (i.e., if the system uses traditional DES encrypted forms). Moreover, the dynamic user password is commonly applied as a One Time Password (OTP) [33]. The main dynamic password design idea is based on a private cryptographic algorithm. The dynamic password uses the user pin and random number as input parameters to get a dynamic result. This password has the characteristics of being disposable and when it is being used again, a server would no longer accept it. If the attacker intercepts key information packets and uses a brute force attack on it, successfully, the password cannot be used more than once, rendering the brute force attack as meaningless [32]. However, this solution does not take away the risk of a single point of failure or service unavailability. Hardware-based authentication proposed by Khalil et al. [27] use Trusted Platform Module (TPM) in Apache Hadoop. A TPM-based authentication protocol utilizes the binding and sealing function of TPM to secure the authentication credentials (e.g., session keys). The authors also implement a periodic platform remote attestation mechanism to guard against insider malicious tampering with Hadoop entities. The advantage of sealing the session keys is to protect against the possibility of disclosure of the encrypted data in any platform other than the one that matches the trusted configurations specified by the communicating entities. The use of the protocol could eliminate the trusted third party requirement like Kerberos KDC with all its associated issues, such as single point of failure, online availability and concentration of trust and credentials. However, the authors are not able to finish this entire authentication framework implementation in the TPM-based Hadoop. Instead, the authors used a RPC-based session to seal and unseal the session keys [34]. This solution, nevertheless, is highly dependent on a specific hardware and is not scalable, making it unsuitable for a Big Data environment. Rahun [28] introduces an authentication framework that uses cryptographic functions, such as private and public keys, hashing and a random number generator. The framework enhances Hadoop security by adding a unique key to be used along with all clients.  Data will be stored along with the newly derived authentication key to differentiate between clients and their respective data sets. This key is used to provide data privacy and proper authentication for clients and services used by clients. This authentication framework requires two servers to be named, which are the user server and data server. The user server

computes a SHA-2 hash value with input of a username and random number generated by the server. Each client data is stored along with the generated key. The block id of DataNode, where the user data is stored in Hadoop, is also an encrypted mode. All types of communication are also encrypted with a symmetric key [35]. However, sharing the unique key in this solution with a Big Data server is vulnerable to unauthenticated internal access. Such a configuration is not secured for use in an open distributed environment. Dependency to third party CA makes it more difficult to implement in large scale such as in Big Data. A token-based authentication, using elliptic curve cryptography (ECC) specifically for a Hadoop distributed file system (HDFS), is introduced by Jeong and Kim in 2015 [29]. This scheme protects sensitive data stored in HDFS against reply and impersonation attacks. HDFS clients are authenticated by DataNode via block access tokens. The token is generated based on ECC and used to enhance the security of authentication messages communicated between NameNode and DataNode [36]. The ECC is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. The primary benefit of ECC is a smaller key size, reducing storage and transmission requirements and providing the same level of security afforded by an RSA-based key with larger size. However, a weakness observed is when users share public and private keys in both TLS and SSH implementation within cloud environments [37]. VI.

CONCLUSION AND FUTURE WORKS

This paper presents common security problems associated with Kerberos. These limitations have been addressed; however, as large networks, such as the Internet, are increasingly used, particularly in a Big Data environment, security vulnerabilities are common. New solutions are needed in an era where greater security requirements are needed as the scale of use and integration of data rapidly increase. Blockchain technology, first introduced by Bitcoin, have provided a scalable solution to many common security issues faced as Big Data become common. Existing authentication techniques using Kerberos would position Big Data to depend on many security risks and vulnerabilities. Several enhancements of authentication protocols in the distributed environment must apply decentralized infrastructure that is scalable and reliable. Therefore, suggestions of utilizing the advantages of blockchain technology could be leveraged to harden security systems, including authentication and authorization of Big Data. What is needed is a new identity system and authentication framework based on blockchain technology.

REFERENCES [1]

[2] [3] [4] [5] [6] [7] [8] [9] [10] [11]

[12] [13]

[14] [15] [16]

[17]

[18] [19]

[20] [21]

[22]

“CSA Releases the Expanded Top Ten Big Data Security & Privacy Challenges : Cloud Security Alliance.” [Online]. Available: https://cloudsecurityalliance.org/media/news/csa-releases-theexpanded-top-ten-big-data-security-privacy-challenges/. [Accessed: 19-Jan-2016]. “Welcome to ApacheTM Hadoop®!” [Online]. Available: https://hadoop.apache.org/. [Accessed: 12-Jan-2016]. S. M. Bellovin and M. Merritt, “Limitations of the Kerberos Authentication System,” SIGCOMM Comput Commun Rev, vol. 20, no. 5, pp. 119–132, Oct. 1990. D. Davis and D. E. Geer, “Kerberos Security with Clocks Adrift.,” in USENIX Security, 1995. R. M. Needham and M. D. Schroeder, “Using Encryption for Authentication in Large Networks of Computers,” Commun ACM, vol. 21, no. 12, pp. 993–999, Dec. 1978. D. E. Denning and G. M. Sacco, “Timestamps in Key Distribution Protocols,” Commun ACM, vol. 24, no. 8, pp. 533–536, Aug. 1981. S. Nakamoto, “Bitcoin: A peer-to-peer electronic cash system,” Consulted, vol. 1, no. 2012, p. 28, 2008. B. C. Neuman and T. Ts’o, “Kerberos: an authentication service for computer networks,” IEEE Commun. Mag., vol. 32, no. 9, pp. 33–38, Sep. 1994. “intel-hadoop/project-rhino,” GitHub. [Online]. Available: https://github.com/intel-hadoop/project-rhino. [Accessed: 23-Mar2016]. “Lightweight Directory Access Protocol,” Wikipedia, the free encyclopedia. 20-Mar-2016. “ISO/IEC 9594-8:2014 - Information technology -- Open Systems Interconnection -- The Directory -- Part 8: Public-key and attribute certificate frameworks,” ISO. [Online]. Available: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm ?csnumber=64854. [Accessed: 14-Jan-2017]. “SAML XML.org | Online community for the Security Assertion Markup Language (SAML) OASIS Standard.” [Online]. Available: http://saml.xml.org/. [Accessed: 29-Apr-2016]. Z. Whittaker, “6.46 million LinkedIn passwords leaked online,” ZDNet. [Online]. Available: http://www.zdnet.com/article/6-46million-linkedin-passwords-leaked-online/. [Accessed: 23-Mar2016]. A. Hern, “Did your Adobe password leak? Now you and 150m others can check,” The Guardian, 07-Nov-2013. D. McCandless, “World’s Biggest Data Breaches & Hacks | Information is Beautiful.” . D. Wang and P. Wang, “Offline Dictionary Attack on Password Authentication Schemes Using Smart Cards,” in Proceedings of the 16th International Conference on Information Security - Volume 7807, New York, NY, USA, 2015, pp. 221–237. M. Dell’Amico, P. Michiardi, and Y. Roudier, “Password Strength: An Empirical Analysis,” in Proceedings of the 29th Conference on Information Communications, Piscataway, NJ, USA, 2010, pp. 983– 991. “kinit — MIT Kerberos Documentation.” [Online]. Available: http://web.mit.edu/kerberos/krb51.12/doc/user/user_commands/kinit.html. [Accessed: 22-Mar-2016]. D. Adrian et al., “Imperfect Forward Secrecy: How Diffie-Hellman Fails in Practice,” in Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, New York, NY, USA, 2015, pp. 5–17. K. Bashir and M. K. Khan, “Modification in Kerberos assisted authentication in mobile Ad-Hoc networks to prevent ticket replay attacks,” Int. J. Eng. Technol., vol. 4, no. 3, p. 307, 2012. I. Cervesato, A. D. Jaggard, A. Scedrov, and C. Walstad, “Specifying Kerberos 5 Cross-realm Authentication,” in Proceedings of the 2005 Workshop on Issues in the Theory of Security, New York, NY, USA, 2005, pp. 12–26. A. Malhotra and S. Goldberg, “Attacking NTP’s Authenticated Broadcast Mode,” SIGCOMM Comput Commun Rev, vol. 46, no. 2, pp. 12–17, May 2016.

[23] “MIT Kerberos : List of security vulnerabilities.” [Online]. Available: https://www.cvedetails.com/vulnerability-list/vendor_id42/product_id-61/MIT-Kerberos.html. [Accessed: 23-Mar-2016]. [24] “Kerberos Security Advisories.” [Online]. Available: http://web.mit.edu/kerberos/advisories/. [Accessed: 23-Mar-2016]. [25] M. R. Thompson, A. Essiari, and S. Mudumbai, “Certificate-based Authorization Policy in a PKI Environment,” ACM Trans Inf Syst Secur, vol. 6, no. 4, pp. 566–588, Nov. 2003. [26] N. Leavitt, “Internet Security under Attack: The Undermining of Digital Certificates,” Computer, vol. 44, no. 12, pp. 17–20, Dec. 2011. [27] G. Wood, “Ethereum: A secure decentralised generalised transaction ledger,” Ethereum Proj. Yellow Pap., vol. 151, 2014. [28] “Identity protocol v1 - Bitcoin Wiki.” [Online]. Available: https://en.bitcoin.it/wiki/Identity_protocol_v1. [Accessed: 14-Jan2017]. [29] G. Zyskind, O. Nathan, and A. Pentland, “Enigma: Decentralized Computation Platform with Guaranteed Privacy,” ArXiv Prepr. ArXiv150603471, 2015. [30] “Hash-based message authentication code,” Wikipedia. 14-Jan-2017. [31] “The Proof-of-Work Concept | Satoshi Nakamoto Institute.” [Online]. Available: http://nakamotoinstitute.org/mempool/the-proofof-work-concept/. [Accessed: 14-Jan-2017].

[32] C. Wang and C. Feng, “Security Analysis and Improvement for Kerberos Based on Dynamic Password and Diffie-Hellman Algorithm,” in 2013 Fourth International Conference on Emerging Intelligent Data and Web Technologies, 2013, pp. 256–260. [33] C. Adams, “One-Time Password,” in Encyclopedia of Cryptography and Security, H. C. A. van Tilborg, Ed. Springer US, 2005, pp. 446– 446. [34] I. Khalil, Z. Dou, and A. Khreishah, “TPM-Based Authentication Mechanism for Apache Hadoop,” in International Conference on Security and Privacy in Communication Networks, J. Tian, J. Jing, and M. Srivatsa, Eds. Springer International Publishing, 2014, pp. 105–122. [35] P. K. Rahul and T. GireeshKumar, “A Novel Authentication Framework for Hadoop,” in Artificial Intelligence and Evolutionary Algorithms in Engineering Systems, L. P. Suresh, S. S. Dash, and B. K. Panigrahi, Eds. Springer India, 2015, pp. 333–340. [36] Y.-S. Jeong and Y.-T. Kim, “A token-based authentication security scheme for Hadoop distributed file system using elliptic curve cryptography,” J. Comput. Virol. Hacking Tech., vol. 11, no. 3, pp. 137–142, Feb. 2015. [37] J. W. Bos, J. A. Halderman, N. Heninger, J. Moore, M. Naehrig, and E. Wustrow, “Elliptic Curve Cryptography in Practice,” in Financial Cryptography and Data Security, N. Christin and R. Safavi-Naini, Eds. Springer Berlin Heidelberg, 2014, pp. 157–175.