CIT Journal of Research, Volume 1, May 2010

SECUREZZA

Prof. Gauri Rao, Lecturer
Bharati Vidyapeeth College of Engineering, Pune

Abstract

The current security systems and authentication systems have many weaknesses and are prone to being broken. Textual passwords are the most common and most widely used security scheme. However, even after the secure password requirements released by Microsoft®, users do not follow them. Users generally choose meaningful words from the dictionary, which makes them vulnerable to hacking and brute force attacks. The next available option, i.e. the graphical password, has a smaller password space than the textual password scheme. Smart card or token based schemes carry the risk that the tokens are stolen. The most secure security system, biometric authentication, has been proposed, but users tend to avoid biometrics because of their intrusiveness and effect on their privacy. The most important defect of the security systems present these days is that if we buy one, then any file, whatever its privacy requirements, will be locked using the same security level. In this paper, we present and evaluate our contribution, i.e. Securezza. It is a multifactor authentication scheme. It includes all the types of security schemes, and the users have the option to choose the level of security required to lock a file based on the requirements of the file. Moreover, we provide a 3D virtual environment for the users to navigate and make use of the graphical password scheme more effectively and productively. The sequence of actions and interactions made by the user towards the objects inside the 3D environment constructs the user's password.

Keywords: Textual passwords, hacking, brute force attacks, graphical passwords, smart cards, tokens, required security level, Securezza, 3D virtual environment.

1. INTRODUCTION

The remarkable growth in the usage of computers and dependency on computers has made data safety a major point of concern. Moreover, the alarming rate of increase in the number of cyber crime cases has made the security aspect of data the most important topic of research and development. One of the major security modules, i.e. authentication, is the process of validating who the user is and to whom to grant access. In general, authentication techniques can be classified as knowledge based, token based and biometric.

Further, we can sub-divide knowledge based authentication as:

1) Recall based
2) Recognition based

Recall based requires the user to reproduce a secret that was created before, and recognition based requires the user to identify and recognize the secret. The most common example of recall based is the textual password. Many authentication systems, particularly in banking, require not only what the user knows but also what the user possesses. Another authentication scheme is the graphical password, which is based on the idea that users can recognize pictures better than words. The most secure authentication system to date is biometrics. Many biometric techniques such as face recognition, fingerprint etc. have been proposed. All the different authentication schemes mentioned above have many advantages as well as disadvantages. Let us see the fallacies in each one of those in detail.


First in the list comes the textual password. Textual passwords are weak and susceptible to numerous attacks. The strength of a textual password depends on the user's ability to keep the password secret. The level of security provided by textual passwords is inadequate for making financial transactions remotely. Brute force is a sure-shot method to hack such passwords. Next is the hardware token scheme. It involves additional costs such as the cost of making the token. The user, in order to get authenticated, has to carry the token and produce it every time it is required. There is a risk of the hardware token getting stolen and misused. The attack called meet-in-the-middle can easily break the hardware token scheme. Another system is the software token. This method is somewhat tedious and requires the users to be trained properly to exploit the level of security provided by it. This method can only be deployed in a controlled environment and so is inapplicable to most real world applications. The most secure system is biometrics. But it involves additional hardware costs such as scanners. Biometrics are also a slow and complex process and require the users to have patience to get authenticated. Moreover, on purchasing any one of these security systems, we impose the same level of security on all our files. There can be situations where we require more security for more sensitive information, or less security and fast, easy access to some less sensitive data. After going through the defects in the above mentioned schemes we will readily agree to the fact that no security system till date is as safe or as applicable as it appears to be. So, in this paper we come up with a better idea, "SECUREZZA".

SECUREZZA empowers its users with all the security systems mentioned till date in a single piece of software. It also enables its users to decide the level of security and ease of access for every file separately. In our project we have implemented a folder lock scheme just to show an example of how it makes the required folder secure from almost all types of attacks. It is multiuser software, and different users can lock their personal files with their own choice of security scheme, ranging from the most secure, i.e. biometrics, to the most widely used, textual passwords. It also provides a 3D virtual environment for user interaction with the software. This virtual environment totally changes the current concept of security and makes it more secure and interactive while maintaining the simplicity of unlocking locked data. Ease of data access and security are like the two opposite shores of a body of water: the closer we go towards one end, the farther we are from the other. The 3D virtual environment is an aid to maintaining this balance in an optimal position. It makes the security system interactive for the user and safer for the data. The interactions that the user makes in this 3D virtual environment create a special set of passwords for the user, and each element of the created password must match the password previously set in order to access the locked data.

2. SECURITY DETAILS

SECUREZZA combines recognition based as well as recall based authentication schemes into one. The user simply navigates through the 3D virtual environment and interacts with different objects kept at different places. The combination and sequence of the user's interactions creates a special set of passwords. Thus the user walks into the virtual environment and interacts with various objects kept in the environment. For example: two computers are kept at specific locations; the user interacts with a specific one and enters a text, and this acts as the textual password module for the user. There can be more virtual objects, like table lamps and magic cubes, which are set to move to a specific location when the user interacts with them. This forms a module of graphical passwords. Another, different module of graphical password is also available, where the user has to set or click various images in a particular location to create a password. There are facilities such as facial recognition as well as fingerprint recognition and other authentication schemes placed at different locations in the environment. If the user interacts with that particular object, it will initiate that module to be active and add to the final set of passwords.

The objects placed in the virtual environment can be anything, like:

1. A computer on which a user can type.
3. A light that can be switched on/off.
4. Objects that change position when clicked.
5. Any biometric device replica.
6. Any graphical password scheme. (The list of possible objects is endless.)

Thus, based on the number of interactions made by the user, it becomes possible to increase the amount of security required to access the sensitive information. Moreover, due to the combination of all the security schemes, we are able to overcome the defects of the various security schemes when used separately.

3. SYSTEM USAGE DETAILS AND SEQUENCE

After having a brief idea about what the system is, let us see the system usage details and the sequence of operations that are required to be performed by the user to make the information in question as secure as possible till date. Generally this technique can be used in any place where the information has to be made secure. Here we have applied it, as an example, to lock folders which contain some private information about the user. Let us observe the user, i.e. Mr. A, and how he manages to lock and unlock his sensitive information with the level of security he wishes to implement according to the data importance and the ease of access he requires. Mr. A has two folders (the last two in the screenshot below, named "folder1" and "folder2") on his personal computer that he wants to lock. He has different data contained in both of them, and the data require different amounts of security to be levied on them. He starts the software "SECUREZZA" and a startup screen appears. Now Mr. A has to enter his username to log in. If he is new to the system then he has to create his username, and the username will be added to the database with his face and fingerprint details.

Fig C: New User Creation. Fig D: User Created (screenshot message: "UserName Added in The Database").

After logging in, Mr. A is asked whether he wants to lock a folder or unlock it, and on clicking on "Lock a Folder", he is asked to enter the target folder path.


Now after specifying the target folder, Mr. A is asked to set the passwords. If he leaves a field blank it means that the particular module is disabled. Observing the two figures below, we can see that different levels of security can be provided for different files.

Fig G: Setting Passwords for folder2 (the form shows fields for Face Recognition, Graphical Password and Object Interactions, and a Confirm button).

As soon as Mr. A confirms the locking, a confirmation message appears on the screen. Now, after the folder has been locked, if some other user tries to access the folder he/she is unable to, and a screen as shown below appears to him/her. Now to unlock the folder Mr. A has to log in again and select "Unlock a Folder". As soon as he does that, a list of the folders locked by him appears. He has to select the folder he wants to unlock, and after he does that a 3D virtual environment appears on the screen. Mr. A interacts with the environment to create his password. Some screenshots of the 3D virtual environment are attached.

Fig: Screenshots of the 3D virtual environment presented to the user to unlock the file

After interacting with different objects of the 3D virtual environment and giving the appropriate passwords at the right places, the user requests the unlocking of the file. The system forms a set of passwords based on the interactions made by the user in the environment. Then the system queries the database for the set of passwords given by the user at the time of locking the folder. It then matches each element of the password in detail and if the password matches


4. DATABASE DETAILS

To make the system able to recover from various types of system crashes, and to keep the user as well as locking data organized, we are using Oracle® 9i as our backend. This database can also be on another system which is at a different geographical location. Placing the database at a different location can be required by applications like banking as well as Internet security applications. If the database is at a different location then the networking module of the software is activated, and the database is queried for information as well as updated accordingly. If we go into the depth of the database used in our system, then we have two tables to maintain. These two tables, namely "users" and "securezza", keep the entire details of the users of the system as well as the folders locked by them, separately. The "users" table contains only the names of those users who have registered with the system. The "securezza" table is the main table, which has fields like "path of the folder locked", "name of the user who locked it", "several passwords set by the user for that folder", "several password schemes enabled by the user" etc. When a user locks a folder this table is updated according to the passwords set by the user, and when he tries to unlock a folder, this table is queried for the password details. The system then matches the set of passwords, and if the passwords match exactly the set that was stored, the folder is unlocked and the particular record is deleted from the table.

5. ENCRYPTION / DECRYPTION TECHNIQUE

To make the system more secure and safer against attacks we are using encryption/decryption techniques. This encryption/decryption technique enables the system to keep the data in an encoded format, which makes it almost impossible to read it directly from the database. Basically, encryption is a technique in which a text is encoded, before transmitting or storing it, according to a particular format. This format is called the key for encryption, and the encrypted data is called the cipher text. There are several encryption/decryption techniques available. Some of them are "Substitution encryption", "Positional encryption", "Public Key encryption" etc. We can use any one of them in our project to make it more secure. For now we have used the SUBSTITUTION CIPHER TEXT GENERATION scheme. In our scheme, when a text is entered into the encrypting function, it manipulates each character separately and generates a cipher text based on a particular key for the substitution algorithm. For example: if a text like "abcd" is given then it generates a cipher text like "uy"5". This technique makes the data safer and less hack prone.

6. TECHNICAL DETAILS (DATA FLOW)

The data flow of a system explains the flow of data in the system. It has several levels of detail and can be taken to any level of complexity. The levels are "LEVEL 0 Data flow", "LEVEL 1 Data flow" etc. The Level 0 of our system is shown below:

Fig: LEVEL 0 DATA FLOW

To give more detailed information we also have the LEVEL 1 data flow of our system, as shown below:

Fig: LEVEL 1 DATA FLOW

7. TECHNICAL DETAILS (VARIOUS ALGORITHMS)

1. Designing a 3D Virtual Environment

Step 1: Prepare a particular plan for the 3D environment.
Step 2: Using a software rendering scheme, develop code for the various objects in the 3D environment.
Step 3: Create a Frame and add containers to the Frame, each container depicting a different region of the 3D environment.
Step 4: Add the different objects to the specific container as required by the plan.
Step 5: Implement an action performed function for every action performed in the environment.
Step 6: Initialize the camera view and the angle of view for the user.
Step 7: Add navigation changes using the action performed function.
Step 8: Monitor each action performed by the user and initiate actions accordingly.
Step 9: Use a coordinate system to monitor the point of interaction by the user.
Step 10: Initiate the different modules as per the actions performed by the user.

2. Textual Password Scheme

Step 1: Create a Frame for the Textual Password Module.
Step 2: Add a password field to that Frame for the password input.
Step 3: Attach buttons such as Log In and Cancel to the Frame.
Step 4: Add the respective functions to the buttons attached to the Frame.
Step 5: Accept the password from the user.
Step 6: Retrieve the textual password from the database.
Step 7: Match the passwords.

3. Face Recognition System

Step 1: Create a Frame for the image capture.
Step 2: Initiate the web cam to capture the image of the user.
Step 3: Use the Eigenface creator to test the face.
Step 4: Retrieve the image database of the user.
Step 5: Generate the eigenvalue based on the Eigenface computation scheme.
Step 6: Check whether the eigenvalue is within the threshold value.
Step 7: Authenticate if the threshold is not crossed.

4. Graphical Password System

Step 1: Monitor the interactions made by the user in the 3D virtual environment.
Step 2: Initiate object movement in the environment on interactions.
Step 3: Develop other graphical password schemes.

5. Database Connection

Step 1: Establish a connection using the type 4 JDBC connectivity technique.
Step 2: Create the required tables on the first run of the system.
Step 3: Create a function for new user creation.
Step 4: Create a function for user data retrieval.
Step 5: Create a function for updating the locking data.
Step 6: Create a function for locking data retrieval.

6. Folder Locking

Step 1: Input the path of the target folder.
Step 2: Check for the presence of the target folder.
Step 3: Use the secret locking technique to lock the folder.
Step 4: Update the database with the folder locking details.
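The lock/unlock flow of Sections 2 to 4 and of items 2, 5 and 6 above, as an added example in Python (not the paper's Java implementation): the two tables, one row per enabled module, a blank field disabling a module, element-by-element matching, and deletion of the record after a successful unlock. The column names, the in-memory sqlite3 backend and the salted PBKDF2 storage of each module secret (used here in place of the paper's substitution cipher) are assumptions; the face module, which is threshold based rather than an exact match, is left out.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed schema for the paper's two tables; the paper names the columns only
# in prose, so these names are assumptions. One securezza row per enabled module.
SCHEMA = """
CREATE TABLE users (name TEXT PRIMARY KEY);
CREATE TABLE securezza (
    path   TEXT NOT NULL,
    user   TEXT NOT NULL REFERENCES users(name),
    scheme TEXT NOT NULL,   -- e.g. "textual", "lamp", "cube"
    salt   BLOB NOT NULL,
    digest BLOB NOT NULL,   -- salted PBKDF2 of the module secret (assumed here)
    PRIMARY KEY (path, user, scheme)
);
"""

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def _digest(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)

def add_user(db: sqlite3.Connection, name: str) -> None:
    db.execute("INSERT OR IGNORE INTO users(name) VALUES (?)", (name,))

def lock_folder(db: sqlite3.Connection, user: str, path: str, modules: dict) -> int:
    """Store one row per enabled module. A blank value means the module is
    disabled, as the paper specifies for an empty field. Returns the count."""
    enabled = {k: v for k, v in modules.items() if v}
    if not enabled:
        raise ValueError("at least one module must be enabled")
    for scheme, secret in enabled.items():
        salt = os.urandom(16)
        db.execute("INSERT INTO securezza VALUES (?, ?, ?, ?, ?)",
                   (path, user, scheme, salt, _digest(secret, salt)))
    db.commit()
    return len(enabled)

def unlock_folder(db: sqlite3.Connection, user: str, path: str, attempt: dict) -> bool:
    """Form the password set from the user's interactions and match it element by
    element against the stored set. Every enabled module must be present and correct
    (extra interactions are ignored); the record is deleted only after a full success."""
    rows = db.execute("SELECT scheme, salt, digest FROM securezza "
                      "WHERE path = ? AND user = ?", (path, user)).fetchall()
    if not rows:
        return False
    ok = True
    for scheme, salt, digest in rows:
        supplied = attempt.get(scheme, "")  # a missing interaction counts as blank
        # Constant-time compare; keep going so timing does not reveal the failing element.
        if not hmac.compare_digest(_digest(supplied, salt), digest):
            ok = False
    if ok:
        db.execute("DELETE FROM securezza WHERE path = ? AND user = ?", (path, user))
        db.commit()
    return ok

def demo() -> tuple:
    """Mr. A's two folders with constructed secrets: folder1 textual only, folder2 three modules."""
    db = open_db()
    add_user(db, "Mr. A")
    lock_folder(db, "Mr. A", "folder1", {"textual": "s3cret", "lamp": "", "cube": ""})
    lock_folder(db, "Mr. A", "folder2", {"textual": "other", "lamp": "on", "cube": "3,4"})
    right = {"textual": "other", "lamp": "on", "cube": "3,4"}
    wrong_elem = unlock_folder(db, "Mr. A", "folder2", {**right, "lamp": "off"})
    partial = unlock_folder(db, "Mr. A", "folder2", {"textual": "other"})
    success = unlock_folder(db, "Mr. A", "folder2", right)
    replay = unlock_folder(db, "Mr. A", "folder2", right)  # record already deleted
    return wrong_elem, partial, success, replay  # (False, False, True, False)
```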

8. APPLICATIONS

The system can be applied to all security areas. It is coded in JAVA® using the Swing technology instead of the Abstract Window Toolkit, making it compatible with all kinds of embedded systems. It can also provide better security for ATMs and other banking transactions.

9. PROBABILITY OF SYSTEM HACK

Let the Textual Password Hack Probability = 1/x
Let the Graphical Password 1 Hack Probability = 1/y1
Let the Graphical Password 2 Hack Probability = 1/y2
Let the Graphical Password 3 Hack Probability = 1/y3
Let the Graphical Password 4 Hack Probability = 1/y4
Let the Face Recognition Hack Probability = 1/z

Combination Probability = 1/(x y1 y2 y3 y4 z)

Combinatorics for the Choice of Six = 6C6 * 6C5 * 6C4 * 6C3 * 6C2 * 6C1 = 1 * 6 * 15 * 20 * 15 * 6 = 162000

SYSTEM BREAK PROBABILITY = (1/(x y1 y2 y3 y4 z)) * (1/162000)
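The calculation above carried through in code, as an added example (not from the paper), generalized from the six modules shown to any number of enabled modules; the password-space sizes in folder2_example are constructed assumptions, and equivalent_bits is an added convenience for comparing the result with ordinary password lengths.

```python
from fractions import Fraction
from math import comb, log2, prod
from typing import Sequence

def combination_probability(space_sizes: Sequence[int]) -> Fraction:
    """The paper's 'combination probability' 1/(x*y1*y2*y3*y4*z): the product of
    each enabled module's guessing probability 1/size, kept exact as a Fraction."""
    if not space_sizes or any(s < 1 for s in space_sizes):
        raise ValueError("each enabled module needs a positive password space")
    return Fraction(1, prod(space_sizes))

def choice_combinatorics(n_modules: int) -> int:
    """The paper's 'combinatorics for the choice of six', generalized to n modules:
    nCn * nC(n-1) * ... * nC1. For n = 6 this is 1*6*15*20*15*6 = 162000."""
    return prod(comb(n_modules, k) for k in range(n_modules, 0, -1))

def system_break_probability(space_sizes: Sequence[int]) -> Fraction:
    """SYSTEM BREAK PROBABILITY = combination probability * 1/combinatorics."""
    return combination_probability(space_sizes) / choice_combinatorics(len(space_sizes))

def equivalent_bits(p: Fraction) -> float:
    """Entropy of a uniformly random secret with the same guessing probability,
    so a break probability can be read like a password length in bits."""
    return log2(p.denominator / p.numerator)

def folder2_example() -> Fraction:
    """Constructed sizes for Mr. A's folder2 of Section 3: an 8-character textual
    password over 62 symbols, four object interactions with 100 states each, and a
    face module whose false-accept rate is taken as 1 in 1000 (all assumptions)."""
    return system_break_probability([62 ** 8, 100, 100, 100, 100, 1000])
```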

10. CONCLUSION

Textual passwords and token-based passwords are the most common user authentication schemes. However, many different schemes have been used in specific fields. Other schemes are under study, yet they have never been applied in the real world. The motivation of this work is to have a scheme that has a huge password space while also being a combination of any existing, or upcoming, authentication schemes into one scheme. Securezza gives the user the choice of modeling his 3D password to contain any authentication scheme that the user prefers. Users do not have to provide their fingerprints if they do not wish to. Users do not have to carry cards if they do not want to. Users have the choice to model their 3D password according to their needs and their preferences. Securezza's probable password space is reflected by the design of the three-dimensional virtual environment, which is designed by the system administrator. The three-dimensional virtual environment can contain any objects that the administrator feels the users are familiar with. For example, football players can use a three-dimensional virtual environment of a stadium where they can navigate and interact with objects that they are familiar with. A study on a large number of people is required. We are looking at designing different three-dimensional virtual environments that contain objects of all possible authentication schemes. The main application domains of the 3D password are critical systems and resources. Critical systems such as military facilities, critical servers and highly classified areas can be protected by the 3D password system with large three-dimensional virtual environments. Moreover, a small three-dimensional virtual environment can be used to protect less critical systems such as handhelds, ATMs and operating system logins. Acquiring knowledge of the probable distribution of a user's 3D password might show the practical strength of a 3D password. Moreover, finding a solution for shoulder surfing attacks on 3D passwords and other authentication schemes is also a field of study.
