International Journal of Computer Engineering and Applications, Volume XI, Issue III, March 17, ISSN

Transcription

1 International Journal of Computer Engineering and Applications, Volume XI, Issue III, March 17, ISSN ENHANCING THE SECURITY OF SECONDARY AUTHENTICATION SYSTEM BASED ON EVENT LOGGER Priyanka Sonawane 1, Archana Augustine 2 1 Department of Information Technology 2 Department of Information Technology University of Mumbai, India ABSTRACT: Web application provides secondary authentication when user forgets their password. For that user have to select the question from pre defined lists of question which includes user long term history question like What is your first school, what is your birth place etc. Answer of such question will not change over a decade. Answer of this question can be easily break by using social networking sites like Facebook as well as answer of this question will also be guess by brute force attack. So to overcome this problem we present Secondary Authentication System based on mobile data of user. Today smart phones come with inbuilt features like GPS. We used the data for calls, SMS history, calendar, application installment and based on this data are have created the question and categorized them as MCQ, blank filling, True/False.To fetch the user mobile activity SVM algorithm is used and to keep the answer of the question secure we have used RSA algorithm. Keywords: Secondary Authentication, Smart phone data, RSA, Machine learning. [1] INTRODUCTION Secondary Authentication can be categorized in 2 types. The 1)when user forgets their password and want to log in to their account by proving answer to the security Question. And 2) is when the user want to get access to the very secure form of information like banking then also he/she should provide answer to the Security Question. Password recovery questions are widely used by many web Services as the secondary authentication method for resetting the account password when user forgets their primary credential [1]. When User creates their account on usually used websites like Gmail, yahoo, msn etc. user have to choose questions from predetermined list of the Questions. All these are blank fillings. User can reset his account password by providing the correct answer to the security Question. For the easiness of setting and memorizing the answers, most of the secret questions are blank-fillings and that are created based on the long-term remembrance of a user s personal history that may not change over months/years (e.g., What s the model of your first car? ). So the research has revealed that such kind of blank-filling questions created upon the user s Priyanka Sonawane and Archana Augustine 19

2 ENHANCING THE SECURITY OF SECONDARY AUTHENTICATION SYSTEM BASED ON EVENT LOGGER long-term personal history may lead to poor security and reliability as answers of such Questions can be guessed by the usage of social networking sites.[10] The prevalence of smart phone has provided a source of the user s personal data related to the knowledge of his short-term history, i.e., the data collected by the smart phone sensors and apps [9] can be used for creating the secret Questions. Short - term personal history (typically within one month) can be used. Short-term personal history is less likely exposed to a stranger or acquaintance, because the rapid changes of an event that a person has experienced within a short term will increase the resilience to guess attacks [3], [5]. This implies improved security for such secret questions. In this paper we present a Secret-Question based Authentication system, with the advantage of the data of smart phone sensors and apps without violating the user privacy. In this Authentication system we have categorized the questions as MCQ, True/false and blank filling for easier remembrance of user. [2] RELATED WORK This section provides the existing work related to Secondary Authentication and how mobile data can be used for secondary Authentication. In this section we are going to point out the difference between existing and proposed work. For explain this difference we mention the drawbacks of existing system. The answers of 33% questions can be guessed by the significant others who were mainly participants spouses (77%) and close friends (17%). [2] Another similar study was conducted by Podd et al, which revealed a higher rate of successful guessing (39.5%) [3]. Password was purely Cognitive Passwords which are based on personal facts, interest and opinions so they can be easily guessed. [4]. Secondary authentication Questions was based on recent internet activities of the user. So the answers of the questions will be violated by online tools. [5]. If attacker guessed one answer for single security Question then privacy of the account holder will be terminated. [6]. A recent study revealed that nearly 20% users of four famous webmail providers forgot their answers within six months [7]. Moreover, dominant blank filling secret questions with case sensitive answers require the perfect literally matching to the set answer, which also contributes to its poor reliability. Frequently-changing secret questions will be difficult for attackers to guess the answers. However, this research is based on the data related to a user s Internet activities [2][6][7], while our work leverages the mobile phone sensor and app data that can record a user s physical world activities, for creating secret questions. 20

3 International Journal of Computer Engineering and Applications, Volume XI, Issue III, March 17 [3]PROPOSED SYSTEM The system is divided into 2 major parts 3.1 Event Extraction Scheme In this Sensors and mobile apps will capture various events related to a user s daily activities Selection of sensors/apps Secondary authentication system selects a lists of sensors and apps for extracting the user activities. Which includes common sensors equipped on smart phone, Downloaded android apps on mobile and legacy apps like Call, contact, SMS etc. our approach is naturally suitable for smart phone users without introducing any extra hardware costs Client app. Secondary authentication system client app called Event Logger to extract the features for question generation. The client app fetches all the data From Event Extraction As shown in figure Server server is used as the auditor, which can also provide the user authentication service even if the phone is not available. As shown in block diagram of Figure 1, when authentication is needed, users phone can generate questions with local sanitized data and send the answers/results (e.g., how many questions they answered correctly) to auditors via HTTPS channels. Figure 1. Proposed System Architecture 3.2 Challenge-Response As shown in Fig 1 User is authenticated by trusted server. The service is categorized as follows Issuing the Request: The user issues an authentication request to the service provider. The event logger fetch the user activity as shown in Figure 2 and based on that activity generated Question will flash on Event Extraction App Response from User: The user provides answers to the challenge questions according to his/her short term memory. Priyanka Sonawane and Archana Augustine 21

4 ENHANCING THE SECURITY OF SECONDARY AUTHENTICATION SYSTEM BASED ON EVENT LOGGER Authentication Process: The Answer provided by the user is checked with database, if it matches then user is authenticated user and get access to their account. If the authentication failures extends the threshold then server will deny the service to that user. Figure 2. Authentication Process For instance, if a user s mobile phone is stolen/ lost then also user s information will not reveal as we are storing all the user data on the server. We have Categorized Questions into 3 types for reliability of the legitimate user. 1.True /false Questions 2. Multiple Choice Questions 3. Blank Filling Questions i. e W Questions These Questions will be based on 1. GPS 2. Battery 3. Calendar, Camera 4. Contact, call, SMS history 5. App Installment. Table 1.Some of the Examples of Questions Category wise: Parameter True/False MCQ Blank Fillings GPS Did you leave campus yesterday? Where You was day before Yesterday? A. Pune B. Rasayani C. Goa Where you spend max time yesterday? 22

5 International Journal of Computer Engineering and Applications, Volume XI, Issue III, March 17 Battery Was Your mobile What was your mobile s charged 100% battery level Yesterday? yesterday? A. Low NIL B. High C. Medium Calendar, Have you took more With whom you had With whom you Camera than 50 photos days frequent meeting in last have meeting before yesterday?/is week? tomorrow? their any event for A.Mr ABC next week? B.Ms XYZ C. Mr PQR Contact, Call, Have you add any Who was your frequent SMS How many SMS contact in last 2 contact in last week? contacts you days? A.Priya added Yesterday? B.Raj C.CEO Mobile App Did you installed Which app you used Which app You any app yesterday? frequently in last 3 days? installed A.Youcammakeup Yesterday? B.PDF reader C. Amazon We will make the combinations of Questions for reliability of the user. [4] CONCLUSION In this paper, we presenting Secondary Authentication System based on Event Logger in which User s data collected by smart phone will help to improve the security of secret question used in secondary authentication. We have created a set of questions based on mobile data. Event Extractor will fetch all the mobile activities of user, and based on these activities we have categorized the questions as blank filling, MCQ, True/False for reliability of user. For security purpose Answer of these questions will be Stored in database in encrypted form to prevent the data from attacks. Priyanka Sonawane and Archana Augustine 23

6 ENHANCING THE SECURITY OF SECONDARY AUTHENTICATION SYSTEM BASED ON EVENT LOGGER REFERENCES [1] Peng Zhao, Kaigui Bian, Tong Zhao, Xintong Song Understanding Smartphone Sensor and App Data for Enhancing the Security of Secret Questions IEEE [2] R. Reeder and S. Schechter, When the password doesn t work: Secondary authentication for websites, S & P., IEEE, vol. 9, no. 2, pp , March [3] J. Podd, J. Bunnell, and R. Henderson, Cost-effective computer security: Cognitive and associative passwords, in Computer-Human Interaction, Proceedings., Sixth Australian Conference on. IEEE, 1996, pp [4] M. Zviran and W. J. Haga, User authentication by cognitive passwords: an empirical assessment, IEEE, 1990, pp [5] A. Babic, H. Xiong, D. Yao, and L. Iftode, Building robust authentication systems with activity-based personal questions, in SafeConfig. New York, NY, USA: ACM, 2009, pp [6] S. Schechter, A. B. Brush, and S. Egelman, It s no secret. measuring the security and reliability of authentication via secret questions, in S & P., IEEE. IEEE, 2009, pp [7] S. Schechter, C. Herley, and M. Mitzenmacher, Popularity is everything: A new approach to protecting passwords from statistical-guessing attacks, in USENIX Hot topics in security, 2010, pp [8] J. C. Read and B. Cassidy, Designing textual password systems for children, in IDC., ser. IDC 12. New York, NY, USA: ACM, 2012, pp [9] J. Whipple, W. Arensman, and M. S. Boler, A public safety application of gps-enabled smartphones and the android operating system, in SMC. IEEE, 2009, pp [10] W. Luo, Q. Xie, and U. Hengartner, Facecloak: An architecture for user privacy on social networking sites, in CSE, vol. 3. IEEE, 2009, pp Author[s] brief Introduction Priyanka Sonawane Received the B.E.in Information Technology from Kokan Gyanpeeth college of Engineering, Mumbai University in and pursuing M.E. degrees in Information Technology with specialization with Cyber Warfare from Pillai HOC College of Engineering and Technology, Mumbai University in