K. Arthi
et.al.
1298
www.ijcsmr.org
A Study and Evaluation of Different Authentication Methods and Protocols
1 K. Arthi, 2 N.M. Nandhitha, 3 S. Emalda Roslin
1 Final year software engineering student, Sathyabama University
2 Head/Academics, Dept. of ECE, Sathyabama University
3 Head/Academics, Dept. of E&C, Sathyabama University
Abstract—Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Text passwords are the most popular form of user authentication on websites because of their convenience and simplicity, but they are prone to being stolen under a range of threats and vulnerabilities. Hence authentication protocols that protect the user’s password from such threats have been used. In this paper, a survey of various protocols that resist password-stealing attacks is presented and a comparative study is made.
I. INTRODUCTION
Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Because of the numerous advantages of authentication systems, they are used in a wide range of applications. Common applications involving authentication include a computer program using a blind credential to authenticate to another program, a confirmation e-mail used to verify ownership of an e-mail address, an internet banking system, and withdrawing cash from an ATM. The main purpose of these systems is to validate the user's right to access the system and its information, and to protect against identity theft and fraud. The main types of authentication are basic single-factor authentication, multi-factor authentication and cryptographic authentication. Basic authentication is the kind most commonly used; it refers to password-based authentication, for example a common text password or a numerical password. Multi-factor authentication uses a combination of authentication methods to validate identity. The final form of authentication uses cryptography; it includes public key authentication and digital message authentication codes.
Password-based authentication is a protocol in which two entities share a password in advance and use the password as the basis of authentication. Existing password-based authentication schemes can be categorized into two types: weak-password authentication schemes and strong-password authentication schemes. In general, strong-password authentication protocols have the advantage over weak-password schemes that their computational overhead is lighter, their designs are simpler and their implementations are easier, and they are therefore especially suitable for constrained environments. Logging into an individual computer or a website requires a reliable authentication protocol running on the back end to verify the user. A variety of protocols are in active use by servers around the world.
The Ethernet protocol is by far the most widely used network protocol for authentication. Ethernet uses a multiple access method called CSMA/CD (Carrier Sense Multiple Access/Collision Detection): each computer listens to the cable or medium over which data is transmitted before sending anything onto the network, which allows multiple users to share the same channel by detecting collisions caused by congestion. LocalTalk is another network protocol, developed by Apple Computer, Inc. for Macintosh computers. The method used by LocalTalk is called CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). It is similar to CSMA/CD except that a computer signals its intent to transmit before it actually does so. LocalTalk adapters and special twisted-pair cable can be used to connect a series of computers through the serial port. Token Ring uses token-passing as its access method: computers are connected in a ring topology so that the signal travels around the network from one computer to another in a logical ring. A single electronic token moves around the ring from one computer to the next. If a computer has no information to transmit, it simply passes the token on to the next workstation; if it does have information to transmit, it captures the token and sends the information around the ring to the destination. For very large distances and for interconnecting two or more local area networks, Fibre Distributed Data Interface (FDDI) is the network protocol primarily used. FDDI also uses token-passing, with a dual-ring physical topology. ATM supports a variety of media such as video, CD-quality audio and imaging. ATM employs a star topology, which can work with fibre optic as well as twisted-pair cable, and is most often used to interconnect two or more local area networks.
In this paper, the various authentication protocols existing in the literature are surveyed, and a comparison table evaluating them is given. The paper is organized as follows: Section 2 gives an overview of the different authentication protocols and methods. In Section 3, the various existing authentication protocols in the literature are discussed. A comparative analysis is made in Section 4. Conclusion and future work are given in Section 5.
II. AN OVERVIEW OF DIFFERENT AUTHENTICATION PROTOCOLS & METHODS
International Journal of Computer Science and Management Research Vol 2 Issue 1 January 2013
ISSN 2278-733X
In today's highly secure, high-tech world, there is a need to provide rules and protocols to ensure that data is protected and kept away from prying eyes. These rules and protocols are constantly updated to take account of the latest threats, both online and offline. A protocol is a set of rules designed to provide communication between peers by means of a controlled conversation. Authentication adds a few more checks to validate security.
a) Authentication and Key Agreement (AKA)
This protocol is used in mobile 3G networks. It is also capable of generating passwords for Digest access authentication. It uses symmetric cryptography in a challenge-response exchange.
b) Extensible Authentication Protocol (EAP)
Primarily used in wireless networks and point-to-point connections, EAP is an authentication framework that transports the information and usage parameters of EAP methods, of which there are many. EAP is not a wire protocol; it only defines message formats. EAP is widely used and is present in a number of different wireless network types.
c) Kerberos
Kerberos is a well-known authentication method used on computer networks. It is useful where the underlying network is not secure, and is thus used as a mechanism for validating identities between nodes in the network. It is mainly used in a client-server environment. Messages are encrypted to protect them from interference and interception.
d) Secure Remote Password protocol (SRP)
The SRP protocol allows a client to authenticate to a server and is protected against external attacks by eavesdroppers. This protocol has the advantage that it does not require a third party to be involved in the trust process. It resists potential external threats through mechanisms built in and improved upon over the last decade.
e) Digital signature
A digital signature is a digest calculated from the signed document and encrypted by the signer. The client verifies the signature by decrypting it with the server’s public key and comparing the result to the digest it calculates from the received message. The signature can also be used by the server to verify data the client sends.
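As an added illustration of the verification step just described (example code, not from the paper), the following Go program signs the SHA-256 digest of a constructed document with an RSA private key and lets a client check it with the matching public key; key sizes, messages and function names are this example's own choices.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument hashes doc with SHA-256 and signs the digest with the server's
// private key (RSA PKCS#1 v1.5), producing the digital signature.
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDocument recomputes the digest of the received document and checks the
// signature against it with the server's public key. rsa.VerifyPKCS1v15 carries
// out the "decrypt with the public key and compare digests" step, including the
// check that the padding and hash identifier have the expected structure.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo signs a constructed message and reports whether the original, a tampered
// copy, and the original checked under an unrelated public key verify.
func demo() (okOriginal, okTampered, okWrongKey bool, err error) {
	serverKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	otherKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	doc := []byte("transfer 100 to account 42") // constructed sample document
	sig, err := signDocument(serverKey, doc)
	if err != nil {
		return
	}
	okOriginal = verifyDocument(&serverKey.PublicKey, doc, sig)
	tampered := []byte("transfer 900 to account 42") // one byte changed in transit
	okTampered = verifyDocument(&serverKey.PublicKey, tampered, sig)
	okWrongKey = verifyDocument(&otherKey.PublicKey, doc, sig)
	return
}

func main() {
	a, b, c, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", a, "tampered:", b, "wrong key:", c)
}
```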
f) Password
Password is the most widely used form of authentication. Password authentication does not normally require complicated or robust hardware since authentication of this type is generally simple.
g) One time password
To avoid the problems associated with password reuse, one-time passwords were developed. There are two types of one-time password: the challenge-response password and the password list. In the challenge-response scheme, the system responds with a challenge value after receiving a user identifier. The password list scheme uses a list of passwords that are used up sequentially by the person seeking access to the system.
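The challenge-response exchange described here, which is also the symmetric challenge-response pattern underlying AKA in a), as an added Go example that is not from the paper and is not the 3GPP AKA algorithm: the server issues a random challenge on receiving the user identifier, the client answers with an HMAC of the challenge under the shared secret, and the server verifies the answer once and discards the challenge; user names and secrets are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Server keeps each user's shared secret and that user's unconsumed challenge.
type Server struct {
	secrets    map[string][]byte
	challenges map[string][]byte
}

// NewServer takes the enrolled secrets (constructed sample values in main).
func NewServer(secrets map[string][]byte) *Server {
	return &Server{secrets: secrets, challenges: map[string][]byte{}}
}

// Challenge is step 1: on receiving the user identifier, the server replies
// with a fresh random challenge and remembers it for that user.
func (s *Server) Challenge(userID string) ([]byte, error) {
	if _, ok := s.secrets[userID]; !ok {
		return nil, fmt.Errorf("unknown user %q", userID)
	}
	c := make([]byte, 16)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[userID] = c
	return c, nil
}

// Respond is step 2, computed by the client with its copy of the secret: the
// one-time value is an HMAC-SHA256 over the identifier and the challenge.
func Respond(secret []byte, userID string, challenge []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(userID))
	m.Write(challenge)
	return m.Sum(nil)
}

// Verify is step 3: the server recomputes the expected response, compares it in
// constant time and discards the challenge, so a captured response cannot be replayed.
func (s *Server) Verify(userID string, resp []byte) bool {
	c, ok := s.challenges[userID] // ok is false when no challenge is outstanding
	delete(s.challenges, userID)
	return ok && hmac.Equal(Respond(s.secrets[userID], userID, c), resp)
}

func main() {
	secret := []byte("constructed-shared-secret")
	s := NewServer(map[string][]byte{"alice": secret})
	c, _ := s.Challenge("alice")
	r := Respond(secret, "alice", c)
	fmt.Println("first use:", s.Verify("alice", r), "replay:", s.Verify("alice", r))
}
```

The second Verify call fails because the challenge was consumed by the first, which is what makes the value one-time.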
h) Public key cryptography
Public key cryptography is based on mathematical problems that require very specialized knowledge. It makes use of two keys, a private key and a public key. The two keys are linked together by an extremely complex mathematical relation. Both encryption and verification are accomplished with the public key.
Fig 1. Classification of various authentication protocols & methods
III. RELATED WORK
In [1] the author proposes Session Magnifier, a simple approach to secure and convenient kiosk browsing. The key idea is to enable an extended browser on a mobile device and a regular browser on a public computer to collaboratively support a web session. This approach requires a Session Magnifier browser extension to be installed on a trusted mobile device. A user can securely perform sensitive interactions on the mobile device and conveniently perform other browsing interactions on the public computer. Session Magnifier thus strives to synthesize the usability advantages of a mobile device.
In [2] the author introduced and evaluated various methods for purely automated attacks against PassPoints-style graphical passwords. To generate these attacks, they introduced a graph-based algorithm that efficiently creates dictionaries based on heuristics such as click-order patterns.
To generate an attack dictionary based on heuristics, a general graph-based algorithm is used. It consists of the following phases: window clustering, attack alphabets, dictionary generation, click-order patterns, and relaxation and constraints. The results suggest that automated attacks are an effective alternative to human-seeded attacks against PassPoints-style graphical passwords. Furthermore, they allow an attack to continue using click-order patterns (without any prioritization through visual attention models or other means), guessing more passwords overall than human-seeded methods.
In [3] the author presented a method with which it is possible to directly analyse, in a highly automated fashion, the amount of data harvested through different types of attacks. The proposed methodology automates the analysis of the attack channel and the harvesting channel as far as possible. To study the attack channel, they used honeypots, i.e., information system resources whose value lies in unauthorized or illicit use of that resource. The technical challenge of the approach is to automate the analysis process as much as possible and to analyse the large amount of data collected in this way. Based on empirical measurements, it is shown that attackers steal thousands of credentials from infected machines; this stolen data can then be traded on the underground market.
In [4] the author presented a system in which a user leverages a personal mobile device to establish trust in a public computing device, or kiosk, before resuming the user's environment on that kiosk. The kiosk is a PC-class platform equipped with a DRTM (discrete ray tracing method)-enabled processor and a TPM (trusted platform module). The system consists of a user carrying a mobile device, a kiosk, and a kiosk supervisor. The mobile device is pre-equipped with an application that aids the user in ascertaining the trustworthiness of the kiosk. The kiosk supervisor may be any platform capable of running an IMA verifier. The design thus lets a user’s mobile device serve as a vehicle for establishing trust in a public computing kiosk by verifying the integrity of all software loaded on that kiosk.
In [5] the author provides a comprehensive overview of published research in the area of graphical passwords, covering both usability and security aspects as well as system evaluation. It catalogues the existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. It summarizes the evaluation approaches used, including user studies, with a focus on aspects of special concern when examining graphical password systems. Data collected from such user studies is also critical to the security evaluation. The research reveals a rich palette of ideas and a few schemes that deliver on the original promise of addressing the known problems with text passwords.
In [6] the author analyses the security provided by Perspectives and describes the experience of building and deploying a publicly available implementation. SSH-style host authentication offers a simple and attractive alternative to a heavyweight PKI (public key infrastructure). Trust-on-first-use (TOFU), however, leaves users vulnerable to simple MitM attacks, limiting the effectiveness of current TOFU applications and preventing other protocols from taking advantage of lightweight SSH-style host authentication.
In [7] the author examined the frequency of access to a graphical password, the interference resulting from interleaving access to multiple graphical passwords, and patterns of access while training multiple graphical passwords. The methodology consists of four stages: a pre-study questionnaire examining participant demographics and current password strategies; a five-week online study of participants accessing multiple facial graphical passwords; a post-study questionnaire regarding participant experiences; and a test of long-term recall conducted four months after the end of the original five-week study. The results underscore the need for more realistic evaluations of the use of multiple graphical passwords, have a number of implications for the adoption of graphical password systems, and provide a new basis for comparing proposed graphical password systems.
In [8] the author reports on a laboratory study comparing the recall of multiple text passwords with the recall of multiple click-based graphical passwords, addressing the memorability of multiple passwords in user authentication software. The study comprised two lab-based sessions. Session 1 took one hour and was completed by all participants. For session 2, participants returned to the lab and tried to recall their previously created passwords. The sessions include four phases: practice, password generation, retention, and 2-week retention. Results of the lab study indicated that, in the short term, PassPoints passwords are more robust than text passwords against multiple-password interference.
TABLE 1: COMPARISON OF THE VARIOUS EXISTING AUTHENTICATION METHODS

| Reference no. | Methodology used | Metrics | Advantages | Disadvantages |
|---|---|---|---|---|
| [1] | Use of Session Magnifier in a kiosk browsing environment | 1. Web browsing 2. Kiosk 3. Mobile device | 1. Uses a trusted PDA 2. Access to a remote web server browser | Does not study the use of multiple graphical passwords |
| [2] | 1. Windows clustering algorithm 2. Dictionary generation algorithm | 1. Edges defined by the points in an image 2. Distance measured | 1. Increased validity of the passwords 2. Long-term memorability | --- |
| [3] | Analysis method | Harvesting channel | Gives a much better basis for estimating the size of the underground economy | Does not know exactly on which sites the keylogger becomes active |
| [4] | Kiosk computing | 1. A new kiosk front-end application 2. An existing IMA server 3. A modified version of the OSLO secure loader | Allows the user to personalize a kiosk by running her own virtual machine there | 1. Bar code attacks 2. Run-time attacks |
| [5] | 1. Cued recall method 2. Recognition based method | 1. Password initialization 2. Login 3. Password reset and password change | --- | Accessed only by limited users |
| [6] | 1. SSH method 2. HTTPS method | --- | Helps to authenticate services that do not have certificates signed by a global PKI | Data redundancy cannot give conflicting answers to two clients querying about the same service, even after a compromise |
| [7] | Long-term recall method | 1. Authentication failure rate 2. Number of attempts required 3. Login time required | Provides a new basis for comparing proposed graphical password systems | It cannot be easily adopted |
| [8] | Password generation method | 1. Graphical passwords 2. Authentication | Participants could more easily remember multiple click-based graphical passwords than multiple text passwords | |
IV. CONCLUSION AND FUTURE WORK
The goal of authentication is to identify the user and to verify that the user is allowed to access a system. Various authentication methods have been widespread since the personal computer was developed in the 1970s, and many authentication methods have been in use for centuries, such as identity cards, visual authentication and passwords. In this paper, a detailed study of the various password authentication protocols has been done and a comparative study is also made.
REFERENCES
[1] C. Yue and H. Wang, “SessionMagnifier: A simple approach to secure and convenient kiosk browsing,” in Proc. 11th Int. Conf. Ubiquitous Computing, 2009, pp. 125–134, ACM.
[2] P. van Oorschot, A. Salehi-Abari, and J. Thorpe, “Purely automated attacks on PassPoints-style graphical passwords,” IEEE Trans. Information Forensics Security, vol. 5, no. 3, pp. 393–405, Sep. 2010.
[3] T. Holz, M. Engelberth, and F. Freiling, “Learning more about the underground economy: A case-study of keyloggers and dropzones,” Proc. Computer Security ESORICS 2009, pp. 1–18, 2010.
[4] S. Garriss, R. Cáceres, S. Berger, R. Sailer, L. van Doorn, and X. Zhang, “Trustworthy and personalized computing on public kiosks,” in Proc. 6th Int. Conf. Mobile Systems, Applications and Services, 2008, pp. 199–210, ACM.
[5] R. Biddle, S. Chiasson, and P. van Oorschot, “Graphical passwords: Learning from the first twelve years,” ACM Computing Surveys, Carleton Univ., 2010.
[6] D. Wendlandt, D. G. Andersen, and A. Perrig, “Perspectives: Improving SSH-style host authentication with multi-path probing,” in Proc. USENIX 2008 Annu. Tech. Conf., Berkeley, CA, 2008, pp. 321–334, USENIX Association.
[7] K. M. Everitt, T. Bragin, J. Fogarty, and T. Kohno, “A comprehensive study of frequency, interference, and training of multiple graphical passwords,” in CHI ’09: Proc. 27th Int. Conf. Human Factors in Computing Systems, New York, 2009, pp. 889–898, ACM.
[8] S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, “Multiple password interference in text passwords and click-based graphical passwords,” in CCS ’09: Proc. 16th ACM Conf. Computer and Communications Security, New York, 2009, pp. 500–511, ACM.