Title :
Smart phone based authentication and authorization protocol for SPACS
Author :
Bhutta, Faisal Karim ; Ghafoor, Abdul ; Sultan, S.
Author_Institution :
SEECS, Nat. Univ. of Sci. & Technol., Islamabad, Pakistan
Abstract :
Nowadays the smart-phone is becoming a multi-purpose device because it has more processing power at an affordable cost. The usage of smart-phones is growing, and they are being used for various personal and business activities. Therefore, a smart-phone can be used as an authenticator in a physical access control system. But due to its openness, organizations are very much concerned about the security, reliability and privacy of the user's credentials. In this paper, we describe a security protocol for smart-phones that are used for identity verification, authentication and authorization in a physical access control system (PACS). The designed authentication protocol is an extension of the two-factor authentication FIPS-196 protocol and provides a symmetric key based single-sign-on mechanism to achieve efficiency. For authorization, we have used the XACML standard for creating and evaluating policies and included a pass-code feature in the protocol to ensure the presence of the mobile owner. Furthermore, the implementation of our designed protocol transparently handles the security credentials and is easy for ordinary people to use. We have verified our protocol using the automated security protocol verification tool Scyther and have verified that our protocol provides protection against man-in-the-middle attacks and replay attacks and preserves the secrecy of the user's credentials.
Keywords :
authorisation; cryptographic protocols; smart phones; SPACS; Scyther; XACML standard; authorization protocol; automated security protocol verification tool; identity verification; included pass-code feature; man-in-the-middle attack; multipurpose device; physical access control system; replay attack; security credentials; smart phone based authentication protocol; symmetric key based single-sign-on mechanism; two-factor authentication FIPS-196 protocol; user credential privacy; user credential reliability; user credential security; Authentication; Certification; Cryptography; Servers; Digital Certificates; FIPS-196; Physical Access Control; Smartphone; Two-Factor Authentication; XACML;
Conference_Title :
High Capacity Optical Networks and Enabling Technologies (HONET), 2012 9th International Conference on
Conference_Location :
Istanbul
Print_ISBN :
978-1-4673-2891-3
DOI :
10.1109/HONET.2012.6421448