Security Enhancement Using SCTP against Password Stealing in Multi-Homed Networks P.Venkadesh, S.V.Rajalakshmi, S.V.Divya

Transcription

1 Security Enhancement Using SCTP against Password Stealing in Multi-Homed Networks P.Venkadesh, S.V.Rajalakshmi, S.V.Divya Abstract SCTP is a young transport layer protocol. It is designed for transferring public switched telephone network signaling over IP networks. SCTP provide improved security mechanism in addition with DTLS. Password stealing attack is the major problem in the web environment. Passwords are stolen by attackers using several methods. An attacker uses this stolen to log into the authenticated users websites. In this paper security against stealing is provided using SCTP in multi-homed networks. Registration, login and recovery are the three processes required for securing the. The registration phase is the initial phase and mandatory. The user s information s are gathered along with the long-term and stored into the server database. Mail address is given as additional input in registration phase. Login process helps the authenticated users to log into the particular website. The recovery process is the final process. It is not mandatory. It is used only in case of either the user wants to change his mobile number or his mobile phone is lost. The mail address is used only during the recovery process. In addition to SCTP a new protocol named opass is also used for processing. Secret exchange mechanism is used to securely transfer the long-term. Index Terms stream control transmission protocol (SCTP), one-time (opass), Datagram transport layer security (DTLS). I. INTRODUCTION Password stealing attack leads to major problems in web environment. Password stealing can be done in several ways they are loggers, phishing attack etc., basically are encrypted using hashed function and stored into the database. Eavesdroppers easily identify and decrypt those hashed. Reusing also leads to many problems. Once the is stolen by eavesdroppers they can make use of it to access several login sites that already used by the authenticated users. There are several methods such as loggers, malware, phishing attack [9], dictionary attack [14], guessing attack etc., which are used for stealing the [1].It is difficult for the users to remember tough so most probably the user choose weak. Some users chooses which relates their date of birth, nick names, user name etc., this becomes easier for the attackers to find the. Reusing a single for several website also leads to many problems. Nowadays hiding as they are typed is the common practice. Hiding the as they are typed is the process to avoid bystanders reading the. The rate at which an attacker can submit the guessed s to the system is the factor in determining system security. Some system uses time out process after a small number of failed entry attempts. Such systems can be effectively secure with relatively simple s, if they have been well chosen and not easily guessed. II. SCTP SCTP is the new transport layer protocol. SCTP supports wireless transmission process [2].compared to other protocols such as TCP, UDP etc., SCTP has additional features such as multi-homing and multi-streaming [2].SCTP places information in chunk. Original message is placed in the data chunk and other information is placed into the control chunk [4]. The differentiation between the chunks is identified using the chunk header. A. Multi-Homing SCTP has additional features such as multi-homing and multi-streaming [4]. In this paper we use multi-homing technique. Consider a message is to be transmitted between two nodes in multi-homed networks i.e., node A wants to transmit message to node B, the message is passed through transport layer, IP layer, access point of node A to the transport layer, IP layer, access point of node B. IP Point A Transport AP IP AP Point B Transport AP1 INTERNE Fig.1. Multi-Homing IP layer consist of several access point. Messages are passed through these access points. If transmission fails retransmission is done via another access point [4]. If any one of the access point continuously fails in transmitting message then that access point is considered to be the failed one and not used further. Point A and Point B has several access point which is helpful to transmitte multiple messages at a time. III. SECRET KEY EXCHANGE MECHANISM Secret exchange mechanism [15] is used to transfer information securely between the two end points. There are several secret exchange scheme they are simple IP AP2 AP3 66

2 exponent exchange scheme (SPEKE), Elliptical curve exponent exchange scheme (ECEKE) etc., In this paper the long-term is encrypted using secret exponent exchange scheme (DHEKE). It uses five values such as G, S, P, and R1and R2 where G stands for great prime number S stands for sequence number, P stands for small prime number R1and R2 is a value not shared through any network. G, S R 1 Q1 P K1 = K1%P K0=K1 IV. IMPLEMENTATION PROCESS This paper uses an existing protocol named opass [1] in addition to SCTP protocol. The implementation process requires a mobile phone, short message service, internet connection, mail service and un-trusted browsers. It includes three process such as registration process, login process and recovery process. A. Registration process In this phase the user must open the mobile in his cell phone and select new registration. Now the registration process begins. During the registration process the user is requested to give information s such as secret question, user name and long term. Q1=Enc (Q1) Q1=Dec (Q1) R2 Open mobile G, s P Select new registration Q2=Dec (Q2) Q2 Q2=Enc (Q2) Registration process with -id Secret exponent exchange QR QR Long term passwor d encrypti Key k0 generation Key k1 generation Multipath data sending Server database Registration success User side Server Fig.2. Secret Exponent Key Exchange Scheme The above specified values are used to generate Q1 and Q2 Q1=Enc (G+S+R1%P) (1) Encryption of Q1 is done using a fixed. After encryption Q1 is send to the receiver end. Receiver decrypts Q1 with the same fixed. Q2 is generated using G, S, P and R2. Q2= Enc (G+S+R2%P) (2) This Q2 value is send back to the sender and decrypted using the same fixed. The intermediate of sender and receiver is generated as follows. Intermediate of sender =QR%P K0= K0%P Intermediate of sender =QR%P side Fig.3. Registration Process In this paper along with that information address is given as additional information. The long-term is encrypted using secret exponent exchange scheme. This encrypted is divided into several pieces and sends through multiple paths of multi-homed networks [4]. The registration process is successful only if this information reaches the server database. If registration fails the message is retransmitted. Registering information is an initial process. Only after registration phase the user can enter into the login phase. All the required information s are given as input and stored into the server database. Encrypting the log-term is the one among process of the registration phase. The encrypted data is send to the server database via multiple paths. Registration success notification comes to the user s cell phone only if the information s are properly stored into the database. 67

3 B. Login process ISSN: In this phase open the particular website and enter user name within Internet browser. The user name is matched with the name present in the server database. Enter userna me with browse r Server database Decryption process Recovery phase is not mandatory. It is used only if it is required by the users, with the help of recovery process it becomes easier for the users to regain the service in case of forgetting the mobile phone number or in case of losing their cell phone. Recovery can be done in two conditions they are forgetting the long-term and if the user changes his mobile number. Recovery process Longterm with mobile User name matchin g process Login failed Loggin g failed Sending onetime to user mobile Matchin g process Onetime Generation In case of forgetting Open mobile Select forget In case of changed mobile number Open mobile Select mobile number changed Secret exponent exchange scheme Encryp tion process Enter one-ti me passw ord with interne t brows Onetime matching Login success Fill out form and submit Server database Matching process Fill out form and submit Server database Matching process Multi path sendin g Login failed Fig.4. Login Process If particular match is found then the user is requested for typing long-term in their mobile. If username does not matches with the name s present in the server database login fails. In case of login success the user types long-term in his mobile phone. This long-term s is encrypted using DHEKE scheme and send via multiple path using multi-homing technique to server database. Server decrypts the information and matches it with the database information. If correct match is found then one-time s [13] is generated and send to users mobile phone. The login process fails if the long term does not match the database information. User now types the onetime in the browser. If this one time matches the server generated one-time then login process is successful. Login fails if a user one-time does not match the server generated one-time. Logging into the corresponding website is the process next to the registration phase. Recovery Process Send new to Recovery success Fig.5.Recovery process In case of forgetting the long-term the first step is to open the mobile and select forget. Fill out the form and submit it. After submission the information reaches the server and matching process is done. If the information matches new one-time is send to . In other case that is changing mobile number the user must initially open the mobile and select mobile number change option. Fill out the form and submit it. The information is send to the server database and matching process is done. If the information matches then the old phone number is replaced by new one and the recovery process is successful. Recovery can be done in two conditions they are forgetting the long-term and if the user changes his mobile number. In case of forgetting the long-term the first step is to open the mobile and select forget. Fill out the form and submit it. After submission the information reaches the server and matching process is done. If the information matches new one-time is send to . In other case that is changing mobile number the user must initially open the mobile and select mobile number change option. Fill out the form and submit it. The information is send to the server database and matching 68

4 process is done. If the information matches then the old phone number is replaced by new one and the recovery process is successful. V. PERFORMANCE ANALYSIS The analysis is conducted in order to identify the effectiveness of SCTPOpass.20 persons are selected and asked to work on the and the time required to send the SMS during the registration and login phase is noted. Table I Performance Analysis Of Registration Process REGISTRATION PROCESS SMS DELAY TOTAL OPASS Fig.8. SMS delay of login process SCTPOPASS Table II.Performance Analysis Of Login Process LOGIN PROCESS SMS DELAY TOTAL OPASS SCTPOPASS Fig.6. SMS Delay Of Registration Process Fig.9.Total Time of Login Process Based on the speed of typing and sending SMS the time varies. The person who types faster registers and login into the website first compared to others. The average time calculated for the SMS delay in registration phase is 8.3second which is less compared to the previous OPass method. As the encrypted long-term are splitted into several pieces and send via multiple paths so the data travels little bit faster. Similarly the average time calculated for SMS delay in login phase is 8.2seconds.In both the case the SMS delay time of SCTPOpass is less compared to previous OPass is less compared to previous OPass phases. The SMS delay, total time of OPass and SCTPOpass is compared and represented in the graphical format.fig.5 and Fig.6 denotes the comparison chart of registration process and where as Fig.7 and Fig.8 denotes the comparison chart of login process. Table I, II represents the values noted during the analysis process of registration and login phase.fig.9. represents the web security. OPass contains 2level security process they are SMS and ordinary encryption process where as SCTPOpass contains 4level security. It includes sms service, , encryption and Key sharing process. Fig.7.Total Time Of Registration Process 69

5 Fig.10.Security Level Indication. V. CONCLUSION In our proposed system named SCTPOPass protocol uses the cell phone, computer browser and service to avoid the stealing and reuse attacks. A unique phone number is assigned with the website for entry process. The registration, login and recovery phases are included in this work. In this SCTPOpass the long-term is the only thing they must remember for logging to website. In this paper the average time spend on registration and login is very less. The login success rate is over 91% except for a few typing errors. Finally it is concluded that the SCTPOpass is more secure than the original login system. REFERENCES [1] Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin (2012), opass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks, IEEE Transactions on Information Forensics and Security, Vol. 7, No. 2, pp [2] Assad Moini and Azad M. Madni, Fellow (2009), Leveraging Biometrics for User Authentication in Online Learning: A Systems Perspective, IEEE SYSTEMS JOURNAL, VOL. 3, NO. 4, pp [3] P.Venkadesh, Julia Punitha Malar Dhas, S.V.Divya A Simplified Method to Enhance Security of Data Transmission in SCTP Using Hidden Digital Signature Jan 2013, PP [4] Thomas Dreibholz and Erwin P.Rathgeb (2011). Stream control Transmission Protocol:Past, Current, and Future Standardization Activities, IEEE COMMUNICATION MAGAZINE. [5] J. Thorpe and P. van Oorschot, Towards secure design choices for implementing graphical s, presented at the 20th. Annu. Computer Security Applicat. Conf., [6] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, Passpoints: Design and longitudinal evaluation of a graphical system, Int. J. Human-Computer Studies, vol. 63, no. 1 2, pp , [7] S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, Design and evaluation of a shoulder-surfing resistant graphical scheme, in AVI 06: Proc. Working Conf. Advanced Visual Interfaces, NewYork, 2006, pp , ACM. [8] J. A. Halderman, B. Waters, and E. W. Felten, A convenient methodfor securely managing s, in WWW 05: Proc. 14th Int. Conf.World Wide Web, New York, 2005, pp , ACM. [9] K.-P. Yee and K. Sitaker, Passpet: Convenient managementand phishing protection, in SOUPS 06: Proc. 2nd Symp. Usable PrivacySecurity, New York, 2006, pp , ACM. [10] S. Chiasson, R. Biddle, and P. C. van Oorschot, A second look at theusability of click-based graphical s, in SOUPS 07: Proc. 3rdSymp. Usable Privacy Security, New York, 2007, pp. 1 12, ACM. [11] J. Thorpe and P. C. van Oorschot, Graphical dictionaries and the memorable space of graphical s, in SSYM 04: Proc. 13th Conf.USENIX Security Symp., Berkeley, CA, 2004, pp , USENIX Association. [12] J. Thorpe and P. C. van Oorschot, Human-seeded attacks and exploiting hot-spots in graphical s, in SS 07: Proc. 16thUSENIX Security Symp. USENIX Security, Berkeley, CA, 2007, pp.1 16, USENIX Association. [13] Kristin S.Fuglerud, Øystein Dale (2011) Secure and Inclusive Authentication with a Talking Mobile One-Time- client IEEE security & privacy selected CS articles and columns are also available for free at http;//computingnow.computer.org. [14] Taekyoung Kwon, Young-Ho park and Hee Jungn Lee(2005), Security Analysis and Improvement of the Efficient Password_based Authentication Protocol IEE communications letters, vol. 9,no.1 [15] Junghyun Nam, Juryon Paik, Ung Mo Kim, and Dongho Won (2008) Security Enhancement to a -Authenticated Group Key Exchange Protocol for Mobile Ad-hoc Networks IEE communications Letters, vol.12, no.2. [16] S.M.Furnell, P.S.Dowland, H.M.Illingworth (2000), and P.l.Reynolds, Authentication and Supervision:A Survey of user attitudes, comput.security,vol.19, no.6,pp AUTHOR S PROFILE P. Venkadesh was born in Nagercoil, TamilNadu, India in 1980.He studied Computer Science & Engineering at C.S.I Institute of Technology, Thovalai,TamilNadu,India.He received Bachelor degree from M.S University, Tirunelveli,in 2001.He received his Master degree from Sathyabama University, Chennai, TamilNadu, India in 2007.Currently, he is working as an Assistant Professor in the Department of Computer Science & Engineering at Noorul Islam Centre for Higher Education, Noorul Islam University, Kumaracoil, TamilNadu,India. He is pursuing his research in the area of Network Security under the supervision of Dr. Julia Punitha Malar Dhas. He had presented a no.of.papers in National Conference and International Conference and his research area includes Network Security, Wireless Communications and Cloud Computing. S.V.Rajalakshmi was born in Nagercoil, TamilNadu India in 1987.She Studied Bachelor 70

6 of computer at Vivekananda College, Agasteeswaram, and TamilNadu, India. She received her Bachelor degree from M.S University, Thirunelveli in 2008; she also received her master degree in Computer from PSN College of engineering affiliated to Anna University during the year 2011 and currently doing ME computer science in Noorul Islam University, kumaracoil, India. She had presented no of papers in National and International Conference and her research area includes Network Security and Wireless networks. S.V.Divya was born in Nagercoil, TamilNadu, and India in 1983.She Studied Information Technology at Jeyamatha Engineering College, Aralvoimozhi, TamilNadu, India. She received Bachelor degree from Anna University, Chennai in 2005 and Master degree from Mepco Schlenk Engineering College, Sivakasi, and TamilNadu, India in Currently, she is working as a Assistant Professor in the Department of Information Technology at Noorul Islam Centre for Higher Education, Noorul Islam University, Kumaracoil, TamilNadu, India. Her research area includes Cloud computing, Wireless Communications and Data Mining. 71