Study on Computer Generated Electromagnetic Effects on Computer Users

377

Copyright © 2011-15. Vandana Publications. All Rights Reserved.

Volume-5, Issue-2, April-2015

International Journal of Engineering and Management Research

Page Number: 377-382

SuperSec Protocol

Jubin James C1, Anuvind S2, Aswin K V3, Avaneeth P R4

1,2,3,4

Seventh Semester, B. Tech, CSE, Vidya Academy of Science & Technology, Thrissur, INDIA

ABSTRACT

The most popular form of user authentication is the text password, which is the most convenient and the simplest. Users mostly choose weak passwords and reuse the same password across different websites and thus, a domino effect. ie., when an adversary compromises one password, she exploits, gaining access to more websites. Also typing passwords into public computers (kiosks) suffers password thief threat, thereby the adversary can launch several password stealing attacks, such as phishing, keyloggers and malware. Therefore user’s passwords tend to be stolen and compromised under different threats and vulnerabilities. A user authentication protocol named SuperSec, which benefits a user’s cellphone and short message service to prevent password stealing and password reuse attacks. SuperSec adopts the one-time password strategy, which free users from having to remember or type any passwords into conventional public computers for authentication.

Keywords — encryption, hash function, network security, one-time password, password reuse attack, password stealing attack, user authentication.

I.

I

One of the ancient ways to prove identity or gain access to a resource is passwords. A password is nothing that consists to be of any secret word or string of characters that is used for authentication purpose. A typical computer user may require passwords for many purposes: logging in to computer accounts , retrieving the email from servers , accessing programs, databases, networks, web sites, and even reading the morning newspaper online. In websites in order to maintain privacy to greater extent and provide high level of security we use passwords. Over the past few decades, text password has been adopted as the primary mean of user authentication for websites. People select their username and text passwords when registering accounts on a website. In order to log into the website successfully, users must recall the selected passwords. As humans are not experts in memorizing passwords they easily forget the passwords and these users firstly often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when

an adversary compromises one password, they will exploit it to gain access to more websites.

Second, typing passwords into untrusted computers suffers password thief threat. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware. The first commonly used method is the password-based user authentication can resist brute force and dictionary attacks if users select strong password to provide sufficient entropy. However, password-based user authentication has a major problem that humans are feel hard to keep those passwords in memory. Thus, most users would choose easy-to-remember passwords (i.e., weak passwords) even if they know the passwords might be unsafe. Another crucial problem is that users tend to reuse passwords across various websites. Password reuse causes users to lose sensitive information stored in different websites if a hacker compromises one of their passwords. This attack is referred to as the password reuse attack. The above problems are caused by the negative influence of human factors. Therefore, it is important to take human factors into consideration when designing a user authentication protocol.

Researchers have investigated a variety of technology to reduce the negative influence of human factors in the user authentication procedure. Since humans are more adept in remembering graphical passwords than text passwords many graphical password schemes were designed to address human’s password re-call problem. Using password management tools is an alternative. These tools automatically generate strong passwords for each website, which addresses password reuse and password re-call problems. The advantage is that users only have to remember a master password to access the management tool. Despite the assistance of these two technologies— graphical password and password management tool—the user authentication system still suffers from some considerable drawbacks.

378

Copyright © 2011-15. Vandana Publications. All Rights Reserved.

lack of security knowledge.

Besides the password reuse attack, it is also important to consider the effects of password stealing attacks. Adversaries steal or compromise passwords and impersonate users’ identities to launch malicious attacks, collect sensitive information, perform unauthorized payment actions, or leak financial secrets. Phishing is the most common and efficient password stealing at-tack. Many previous studies have proposed schemes to defend against password stealing attacks.

Some researches focus on three-factor authentication rather than password-based authentication to provide more reliable user authentication. Three-factor authentication depends on what you know (e.g., password), what you have (e.g., token), and who you are (e.g., biometric). To pass the authentication, the user must input a password and provide a pass code generated by the, and scan her biometric features (e.g., finger-print or pupil). Three-factor authentication is a comprehensive defense mechanism against password stealing attacks, but it requires comparative high cost.

Thus, two-factor authentication is more attractive and practical than three-factor authentication. Although many banks support two-factor authentication, it still suffers from the negative influence of human factors, such as the password reuse attack. Users have to memorize another four-digit PIN code to work together with the token.

A user authentication protocol named SuperSec which leverages a user’s cellphone and short message service (SMS) to prevent password stealing and password reuse attacks. It is difficult to thwart password reuse attacks from any scheme where the users have to remember something. The main cause of stealing password attacks is when users type passwords to un-trusted public computers.

Therefore, the main concept of SuperSec is free users from having to remember or type any passwords into conventional computers for authentication. Unlike generic user authentication, SuperSec involves a new component, the cellphone, which is used to generate one-time passwords and a new communication channel, SMS, which is used to transmit authentication messages.

SuperSec presents the following advantages:

1) Anti-malware—Users are able to log into web services with entering encrypted passwords obtained from the application in the mobile on giving the OTP that is get from the server site to their computers. Thus, malware cannot obtain a user’s password from untrusted computers. 2) Phishing Protection—Allows users to successfully log into websites with the help of encrypted passwords obtained by the operations of both server and the application.

3) Secure Registration and Recovery—OTP generated by the mobile application aids Supersec protocol in establishing a secure channel for message exchange in the registration and recovery phases between the user.

4) Password Reuse Prevention and Weak Password Avoidance—Users do not need to remember any password

for log-in. They only keep a long term password for accessing their cellphones, and leave the rest of the work to Supersec.

5) Cellphone Protection—An adversary can steal users’ cell-phones and try to pass through user authentication. However, the cellphones are protected by a long-term password. The adversary cannot impersonate a legal user to login without being detected.

II.

PROBLEM

DEFINITION

AND

ASSUMPTIONS

A.

Widely deployed web services facilitate and enrich several applications, e.g., online banking, e-commerce, social networks, and cloud computing. But user authentication is only handled by text pass-words for most websites. Applying text passwords has several critical disadvantages.

First, users create their passwords by themselves. For easy memorization, users tend to choose relatively weak passwords for all websites. This behavior causes a risk of a domino effect due to pass-word reuse. To steal sensitive information on websites for a specific victim (user), an adversary can extract her password through com-promising a weak website because she probably reused this pass-word for other websites as well.

Second, humans have difficulty remembering complex or meaningless passwords. Some websites generate user passwords as random strings to maintain high entropy, even though users still change their passwords to simple strings to help them recall it. Phishing attacks and malware are threats against password protection. Protecting a user’s password on a kiosk is infeasible when keyloggers or backdoors are already installed on it. Considering the current mechanisms, authenticating users via passwords is not a best solution.

Therefore, a user authentication, called SuperSec, to thwart the above attacks. The goal of is to prevent users from typing their memorized passwords into kiosks. By adopting one-time pass-words, password information is no longer important. A one-time password is expired when the user completes the current session. Different from using Internet channels, SuperSec leverages Server and application in user’s cellphones to avoid password stealing attacks. Application in our phone is a suitable and secure medium to transmit important information between cellphones and website. Based on response message from the application to the server, a user identity is authenticated by websites without inputting any passwords to un-trusted kiosks. User password is only used to restrict access on the user’s cellphone. In SuperSec, each user simply memorizes a term password for access her cellphone. The long-term pass-word is used to protect the information on the cellphone from a thief.

Problem Definition

III.

D

379

Copyright © 2011-15. Vandana Publications. All Rights Reserved.

password is the most popular form of user authentication on websites due to its convenience and simplicity. Text passwords are not always strong enoughand are very easily stolen and changed under different vulnerabilities. Intruders can easily acquire a text password when a person creates a weak password or a password that is completely reused in many sites. The hacking of just one password can then lead to the loss of security of all websites to which he/she gains access through that password. Another risky environment is when a person enters his/her password in a computer that is not trust-worthy. This paper gives a review on different methods that were introduced for safeguarding of password on a network is lost or the SuperSec App is lost we can recover it using recovery key in the server.

SuperSec, is basically a user authentication protocol which is aimed to overcome the disadvantages in using the text passwords. For easy memorization, users tend to choose relatively weak passwords for all websites. And more over humans are not the best when comes to remembering meaningless and long passwords.Our primary goal is to prevent users from typing their memorized passwords into kiosks. SuperSec leverages users smartphones to avoid password stealing attacksusing an Android App. In contrast to the other authentication techniques SuperSec only requires the user to remember only one long term password for accessing his/her cell phone. It is this feature that makes the SuperSec user authentication protocol a much better authentication technique than others.

IV.

L

R

Recognition-based graphical authentication systems (RBGSs) using images as passwords have been proposed as one potential solution to the need for more usable authentication. The rapid increase in the technologies requiring user authentication has increased the number of passwords that users have to remember. But nearly all prior work with RBGSs has studied the usability of a single password. In this paper, we present the first published comparison of the usability of multiple graphical passwords with four different image types: Mikon, doodle, art and everyday objects (food, buildings, sports etc.). A longi-tudinal experiment was performed with 100 participants over a period of 8 weeks, to examine the usability performance of each of the image types. The re-sults of the study demonstrate that object images are most usable in the sense of being more memorable and less time-consuming to employ, Mikon images are close behind but doodle and art images are significantly inferior. The results of our study complement cognitive literature on the picture superiority effect, vis-ual search process and nameability of visually complex images.

Text password is the most popular form of user authentication on websites due to its convenience and simplicity.However, users’ passwords are prone to be stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords

and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect; when an adversary compromises one password, she will exploit it to gain access to more websites. Second, typing passwords into untrusted computers suffers password thief threat. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper, we design a user authentication protocol named oPass which leverages a user’s cellphone and short message service to thwart password stealing and password reuse attacks. oPass only requires each participating website possesses a unique phone number, and involves a telecommunication service provider in registration and recovery phases. Through oPass, users only need to remember a long-term password for login on all websites. After evaluating the oPass prototype, we believe oPass is efficient and affordable compared with the conventional web authentication mechanisms.

Many people desire ubiquitous access to their personal computing environments. We present a system in which a userleverages a personal mobile device to establish trust in a public computing device, or kiosk, prior to resuming her environment on the kiosk. We have designed a protocol by which the mobile device determines the identity and integrity of all software loaded on the kiosk, in order to inform the user whether the kiosk is trustworthy. Our system exploits emerging hardware security technologies, namely the Trusted Platform Module and new support in x86 processors for establishing a dynamic root of trust. We have demon strated the viability of our approach by implementing and evaluating our system on commodity hardware. Through a brief survey, we found that respondents are generally willing to endure a delay in exchange for an increased assurance of data privacy, and that the delay incurred by our unoptimized prototype is close to the range tolerable to the respondents.

We have focused on allowing the user to personalize a kiosk by running her own virtual machine there. However, our work is generally applicable to establishing trust on public computing devices before revealing any sensitive information to those devices.

We have presented the design of a system in which a user’s mobile device serves as a vehicle for establishing trust in a public computing kiosk by verifying the integrity of all software loaded on that kiosk. This procedure leverages several emerging security technologies, namely the Trusted Platform Module, the Integrity Measurement Architecture, and new x86 support for establishing a dynamic root of trust.

380

Copyright © 2011-15. Vandana Publications. All Rights Reserved.

V.

M

M

A. Proposed System

The system that we are proposing is named as SuperSec. SuperSec is an user authentication protocol whose primary goal is to avoid the drawbacks in the conventional authentication systems.

The conventional authentication systems are : • Opass

• Graphical Passwords • ProcurePass

Our proposed system consist of four phases , • Setup Phase

• Registration Phase • Login Phase • Recovery Phase

B. Design Description

1. Setup phase

This is the first phase of the proposed system. Here we needs to install the SuperSec mobile program in the users cell phone.First of all we enters a long term password which has to remember all the time.Once the password is entered it will return an APPKEY .The APPKEY is encrypted with the long term password that we have entered. At the time of recovery if we remember the very long password then we can skip this step and after recovery we can directly login to the system.The very long password that is entered in this phase is to be remembered all the time otherwise we cannot login to the SuperSec mobile program.

2. Registration phase

In this phase,first we will have to login to the App and then the user goes to the registration page.From there we will get a AppOTP for registration.Then the user enters the AppOTP along with the user details into the server and the server returns a QR code and an encrypted OTP to the user. The QR code contains information such as user ID , user key , service name and the user name which are

encrypted with app OTP.Encrypted OTP contains server OTP encrypted with app OTP.This QR code is scanned using the users cellphone .The app decrypts the QR code using app OTP and the APP saves the details in its database . Then the APP sends a message to the server encrypted using the server OTP. Message to the server contains the recover key and the OK message.

3. Login phase

In this phase, firstly, we will login to the APP using the long time password. Then we will go to the login page in the server , which contains a login form and an QR Code. Then inorder to select the service we need we will go to the APP and scans the QR Code that we received from the server. After scanning the QR Code we will get a password. Using this password we will login to the server.

4. Recovery phase

381

Copyright © 2011-15. Vandana Publications. All Rights Reserved.

VI.

A

F

E

A. Applications

• Online Banking

• Social Networking Sites • Online Transcations

B. Future Enhancements

• Enhance our system by reducing the users effort • Try to recover the Mobile App even if the

password is lost

• Try to increase the secure communication between the cellphone server

VII.

S

C

SuperSec which leverages cellphones to thwart password stealing and password reuse attacks. The design principle of SuperSec is to eliminate the negative influence of human factors as much as possible. Through SuperSec, each user only needs to remember a long-term password which has been used to protect his/her cellphone. Users are free from typing any memorized passwords into untrusted computers for login on all websites. Compared with previous schemes, SuperSec is the first best efficient user authentication protocol to prevent password stealing (i.e., phishing, keylogger, and malware) and password reuse attacks simultaneously. The reason is that SuperSec adopts the one-time password approach to ensure independence between each login. To make SuperSec fully functional, password recovery is also considered and supported when users lose their cellphones.They can recover our SuperSec system without considering the SIM cards. Therefore,we believe SuperSec is acceptable and reliable for users.

VIII. ACKNOWLEDGMENT

We would like to thank the Lord Almighty, the foundation of all wisdom who hasbeen guiding us in every step. We wish to record our indebtedness and thankfulnessto all who helped us to prepare this paper titled SUPERSEC,and present it in a satisfactory way. This

paper is part of our work related to the subject CS09 709(P) : MAIN PROJECT.Our sincere thanks to Dr.Sudha Balagopalan Ph.D, MISTE, MIEEE, MIETour Principal, for providing us all the necessary facilities. We take this opportunityto extend our thanks to Col M.P Induchudan (Retd) ME, FITE the Head of Computer Science & Engineering for valuable guidance in developing thisproject. We are extremely thankful to our guides and supervisors Ms.Nitha K P , M.Tech, MBA, MISTE, Asst.Professor, Ms.Remya P S, B.Tech, MISTE,Asst.Professor in the Department of Computer Science & Engineering for giving us valuable suggestions and critical inputs in the preparation of this paper. We express our heartfelt thanks to our Lab Instructors for their valuable support and assistance for our work. Our sincere thanks to our parents and friends who have helped us during the course of the project work and have made it a great success.

REFERENCES

[1] Mariam M. Kassim, A. Sujitha, ”Procurepass: A User Authentication Protocol To Resist Password Stealing And Password Reuse Attacks,” International Journal Of Scientific Engineering Research, Volume 4, Issue 6, June-2013

[2] Meenu Alex, Neena Alex, ”A Survey On Password Attack Resist Tools,” International Journal Of Research In Computer And Communication.

[3] K. M. Everitt, T. Bragin, J. Fogarty, And T. Kohno, ”A Comprehensive Study Of Frequency, Interference, And Training Of Multiple Graphical Passwords,”

In Chi 09: Proc. 27th Int. Conf. Human Factors Computing Systems, New York, 2009, Pp. 889898, Acm

[4] Sonia Chiasson , Alain Forget , Robert Biddle , P.C. Van Oorschot,” User Interface Design Affects Security : Patterns In Click-Based Graphical Passwords ,” International Journal Of Information Security (2009) 8:387-398

[5] R. Biddle, S. Chiasson, And P. Van Oorschot, ”Graphical Passwords: Learning From The First Twelve Years,” In Acm Computing Surveys, Carleton Univ., 2010. [6] S. Garriss, R. Cceres, S. Berger, R. Sailer, L. Van Doorn, And X.Zhang, ”Trustworthy And Personalized Computing On Public Kiosks,” In Proc. 6th Int. Conf. Mobile Systems, Applications Services, 2008,Pp. 199210, Acm.

[7] Hung-Min Sun, Yao-Hsin Chen, And Yue-Hsun Lin”Opass: A User Authentication Protocol Resistant To Password Stealing And Password Reuse Attacks,” Ieee Transactions On Information Forensics And Security, Vol. 7, No. 2, April 2012

[8] Thorsten Holz, Markus Engelberth, Felix Freiling, ”Learning More About The Underground Economy: A Case-Study Of Keyloggers And Dropzones,” Laboratory For Dependable Distributed Systems, University Of Mannheim, Germany , Secure Systems Lab, Vienna University Of Technology, Austria

382

Copyright © 2011-15. Vandana Publications. All Rights Reserved.

Strategies For Online Accounts,” In Soups 06: Proc. 2nd Symp. Usable Privacy . Security, New York, 2006, Pp. 4455, Acm.

[11] D. Florencio And C. Herley, ”A Large-Scale Study Of Web Password Habits,” In Www 07: Proc. 16th Int. Conf. World Wide Web., New York, 2007, Pp. 657666, Acm. [12] S. Chiasson, A. Forget, E. Stobert, P. C. Van Oorschot, And R. Biddle, ”Multiple Password Interference In Text Passwords And Click-Based Graphical Passwords,” In Ccs 09: Proc. 16th Acm Conf. Computer Communications Security, New York, 2009, Pp. 500511, Acm.

[13] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, And A. D. Rubin, ”The Design And Analysis Of Graphical Passwords,” In Ssym99: Proc. 8th Conf. Usenix Security Symp., Berkeley, Ca, 1999, Pp. 11, Usenix Association. [14] A. Perrig And D. Song, ”Hash Visualization: A New Technique To Improvereal World Security,” In Proc.Int.Workshop Cryptographic Techniques Ecommerce, Citeseer, 1999, Pp. 131138.

[15] J.Thorpe And P.Van Oorschot,”Towards Secure Design Choices Forim Plementing Graphical Passwords,” Presented At The 20th. Annu. Com- Puter Security Applicat. Conf., 2004.

[16] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, And N. Memon,” Passpoints:Design And Longitudinal Evaluation Of A Graphical Password System,”,Int. J. Human-Computer Studies, Vol. 63, No. 12, Pp. 102127, 2005.

[17] S. Wiedenbeck, J. Waters, L. Sobrado, And J.-C. Birget, ”Design And Evaluation Of A Shoulder Surng Resistant Graphical Password Scheme,” In Avi 06: Proc. Working Conf. Advanced Visual Interfaces, New York, 2006, Pp.177184, Acm.

[18] B. Pinkas And T. Sander,”Securing Passwords Against Dictionary Attacks,”In Ccs 02: Proc. 9th Acm Conf. Computer Communications Security, New York, 2002, Pp. 161170, Acm.

[19] J. A. Halderman, B. Waters, And E. W. Felten, ”A Convenient Method For Securely Managing Passwords,” In Www 05: Proc. 14th Int. Conf. World Wide Web, New York, 2005, Pp. 471479, Acm.

[20] K.-P.Yee And K.Sitaker,”Passpet:Convenient Password Management And Phishing Protection,”In Soups 06: Proc. 2nd Symp. Usable Privacy Security, New York, 2006, Pp. 3243, Acm.

[21] S. Chiasson, R. Biddle, And P. C. Van Oorschot, ”A Second Look At The Usability Of Click-Based Graphical Passwords,”In Soups07:Proc.3rd Symp. Usable Privacy Security, New York, 2007, Pp. 112, Acm.

[22] K. M. Everitt, T. Bragin, J. Fogarty, And T. Kohno, ”A Comprehensive Study Of Frequency,Interference,And Training Of Multiple Graphical Passwords,”In Chi 09: Proc. 27th Int. Conf. Human Factors Computing Systems, New York, 2009, Pp. 889898, Acm.