User Authentication Protocol

Transcription

1 opass: A User Authentication Protocol Sao Vikram B., Gore Vishwanath P., Sankhe Bhakti A., Rananaware Rahul C., ABSTRACT Password security is significant for user authentication on small networking system as well as large networking system. Text password is the most standard form of user authentication on websites due to its convenience and ease. Though, users passwords are likely to be taken and compromised under different threats and vulnerabilities. usual user uses text passwords for authentication which select while registering accounts on a website. Weak password is selected by the user and uses that among different websites causes domino effect. Additional, typing passwords into untrusted computers undergoes password thief threat. Anrival can launch several password stealing attacks to grab passwords, such as phishing, key loggers and malware. opass named a user authentication protocol is designed in this paper.the purpose of this system is to introduce the concept and methodology which helps organization and users to implement stronger password policies. The proposed system is an OTP user authentication protocol which leverages a user s cell phone and short message service to resist password stealing and password reuse attacks.opass only requires each contributing website possesses a unique phone number, In registration and recovery phases a telecommunication service provider involved. Through opass, users only need to remember a long-term password for login on all website.after calculating the opass prototype, we believe opass is efficient and inexpensive compared with the conventional web authentication mechanisms. KEYWORDS Network security, authentication, reuse attack,telecommunication service provider(tsp), message digest 5. 1.INTRODUCTION In the current public networks, since most of the activities are available on internet, user authentication is the most important part as far as security is concerned. Text password is used as primary means of user authentication from past few decades. In order to register in websites people selects username and passwords. So that you can once you have logged into the web page successfully, users must remember these passwords.in general, password based user authentication can oppose brute force and dictionary attacks if the user choose the strong passwords. But, users have problem in memorizing the text passwords. Users choose their passwords which can be easily remembered even they know that password might be unsafe.crucial problem is that they use same password in different websites [6]. Password-reuse can causes users to lose their sensitive information stored in different websites if a hacker compromises one of their passwords. These sort of attacks are usually referred to as password-reuse attack. The problems are caused due to negative influence of human factors. When we design a user authentication, the vitalsss consideration is human factors. Alternatives used are graphical password [3] [9] [10] and other password management tool [7][9] and also three factor authentication. But graphical password cannot implement practically [4]. Apart from reuse 21 Sao Vikram B., Gore Vishwanath P., Sankhe Bhakti A., Rananaware Rahul C.,

2 attack it is important to consider about other stealing attacks like phishing. Although a lot of research has been made to protect passwords used in online accounts [5] [2] and other sites from dictionary attacks [8] using many hash visualization[11] current defenses are still limited in terms of accuracy and efficiency. In this paper we target to prevent both password reuse and password stealing attacks using a user authentication protocol called opass [1] that uses user s cell phone that is used to generate one time password and Short Message Service which is used to transmit the message. The main concept of opass is free users from having to remember or type any passwords into conventional computers for authentication. A basic user authentication, opass involves a new component, to generate one-time passwords cellphone is used and to transmit authentication messagesa communication channel, SMS, is used.opass presents the following advantages. 1) Phishing Protection- Sometimes users are forged to enter websites by cheating them using phishing attacks. Users who propose opass are able to withstand phishing attacks. 2) Anti-malware- Retrieving sensitive information from users mainly password is called Malware (e.g.,keylogger).in opass, users can enter into different sites without typing passwords on their computers.malware is not allowed here. 3) Secure Registration and Recovery- In opass, an out-of-band communication interface is SMS.oPass cooperates with the telecommunication service provider (TSP) in order to obtain the correct phone numbers of websites and users correspondingly. SMS aids opass in establishing a secure channel for message exchange in the registration and recovery phases. To deal with cases recovery phase is designed where a user loses his cellphone. With the support of new SIM cards, opass works on new cell phones. 4) Password Reuse Prevention and Weak Password Avoidance- opass performs one-time password approach. For each time login the cell phone automatically derives one time password.so there is no need of remembering the password at all. 2.IMPLEMENTATION DETAILS: The proposed system is novel architecture for a user authentication to thwart phishing and password reusing attacks. The purpose of protocol is to avoid users from typing their memorized passwords into public kiosks. By adopting one-time passwords, password information is no longer useful. A one- time password is expired when the user finishes the existing session. Different from using internet channels, leverages SMS and user s cell phones to prevent password stealing attacks. We believe SMS is a secure and suitable medium to pass on important information between cell phones and websites. On the basis of SMS, a user identity is authenticated by websites without inputting any passwords to untrusted kiosks. User password is only used to limit access on the user s cell phone. In system, each user simply memorizes a longterm password to access her cell phone. The long-term password is used to guard the information on the cell phone from a theft. The assumptions made in system are as follows. 1) Every web server owns a unique phone number. Through a SMS channel, users can interact with each website using the phone number. 2) The telecommunication service provider plays a role in the registration and recovery phases. The TSP module is a link between subscribers and web servers which 22 Sao Vikram B., Gore Vishwanath P., Sankhe Bhakti A., Rananaware Rahul C.,

3 resides at server only. It offers a service for subscribers to perform the registration and recovery progress with each web service e.g., a subscriber inputs her id and a web server s id to execute the registration phase. Afterwards, the TSP module sends the request and the subscriber s phone number to the related web server based on the received. 3) Subscriber s (i.e., users) establishes connection to the server with TSP module through 3G connections. 4) If a user loses her cell phone, he can inform his service provider (TSP) to disable her misplaced SIM card and keeps a new card with the same phone number. Hence, the user finishes the recovery phase. 3.SYSTEM ARCHITECTURE Figure 1.System Architecture 4.MODULE DESCRIPTIONS There are three modules: 5.TSP sends server information with shared key to Cellphone. 6.User enter long term password. 7.Cell phone compute secret key and generate secured registration message and sent it to server for verify the authenticity. Figure 2.Procedure of registration phase. 4.2 LOGIN PHASE: 1.Browser sends user request to server 2.Server checks information with database and generate fresh nonce. 3.Then this message pass to Cellphone 4.User enter long term password. 5.One time password is generate for current login and Cellphone generate nonce and secure login SMS. 6.Server check and verify the authenticity of login SMS. 7.Server send successful login message to Cellphone through Internet. 4.1 Registration Phase. 4.2 Login Phase. 4.3 Recovery Phase 4.1REGISTRATION PHASE: 1.User enters user id and server id. 2.Cellphone transmit this info to TSP. 3.TSP transmit user id, user phone no and shared key to server. 4.Server generates secure info and send to TSP. Figure 3.Procedure of login phase. 4.3 RECOVERY PHASE: 1.User enters user id and server id. 2.Cellphone transmit this info to TSP. 23 Sao Vikram B., Gore Vishwanath P., Sankhe Bhakti A., Rananaware Rahul C.,

4 3.TSP transmit user id, user phone no and shared key to server. 4.Server checks for existence and generates fresh nonce and replies this message to TSP. 5.TSP sends server information to Cellphone. 6.User enter long term password. 7.Cellphone compute secret key and generate one time password and prepared secured recovery message and sent it to server for verify the authenticity. Figure 4.Procedure of recovery phase. 5.PLATFORM: Windows (Windows 7, Windows XP), Tools for programming: Android 2.2 SDK and its emulator must be installed, Eclipse IDE (versions and higher), SQLite database, Apache server, MYSQL database. Hardware: Processor-Intel Core2 Duo, RAM-1GB, Android device osv2.0 and above, GSM modem. Technology: Java, Html, Xml, Android API, PHP, SMS Lib (Open source library). 6.CONCLUSION: Proposed user authentication protocol which leverages cell phone and system to thwart unusual stealing and password reuse attacks.the design principle of system is try to eliminate the negative influence of human factors as much as possible. We assume that each website possesses a unique phone number. We assume that a telecommunication service provider participates in the registration and recovery phases.through this protocol, each user only needs to remember a long-term password which has been used to protect cell phone. Users can type any passwords into untrusted computers for login on all websites. Compared with preceding schemes, this method would be the first user authentication protocol to reduce the risk of password stealing and password reuse attacks simultaneously. For the reason that Proposed opass adopts the one-time password strategy to ensure independence between each login. 7.FURTURE SCOPE: In certain countries' online banking, the bank sends to the user a list of OTPs that are printed on paper. the user is required to enter a specific OTP from that list for every transaction. In Brazil and many other countries like Austria, those OTPs are typically called TANs (for 'transaction authentication numbers'). Some banks eventransmit such TANs to the user's mobile phone via SMS, in which case they are called mtans (for 'mobile TANs'). Recently Google has started offering OTP to mobile and landline phones for all Google accounts.otp can be received through a text message. In case none of the user's registered phones is accessible, the user can even use one of a set of (up to 10) previously generated one-time backup codes as a secondary authorization factor in place of the dynamically generated OTP, once signing in with their account password. A mobile phone keeps expenses low because a large customer-base previously owns a mobile phone for purposes other than generating OTPs. The computing power and storage space required for OTPs is usually irrelevant compared to that which modern camera- phones and smart phones typically 24 Sao Vikram B., Gore Vishwanath P., Sankhe Bhakti A., Rananaware Rahul C.,

5 use. Mobile phones as well support any number of tokens within one installation of the application, allow a user the ability to authenticate to multiple resources from one device. This result also provides modelspecific applications to the user's mobile phone. Thus, our user authentication protocol is acceptable and reliable for users, and more secure than the original login system. REFERENCES: [1]Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin opass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks, IEEE Transactions On Information Forensics And Security, Vol. 7, No. 2, April 2012 [2]D. Florencio and C. Herley, A largescale study of web password habits, in WWW 07: Proc. 16th Int. Conf. World Wide Web., New York, 2007, pp , ACM. [3]S.Chiasson, A. Forget, E. Stobert, P. C.et.al, Multiple password interference in text passwords and click-based graphical passwords, in CCS 09: Proc. 16th ACM Conf. Computer Communications Security, New York, 2009, pp , ACM. [4]S. Wiedenbeck, J. Waters, L. Sobrado, and J.-C. Birget, Design and evaluation of a shoulder-surfing resistant graphical password scheme, in AVI 06: Proc. Working Conf. Advanced Visual Interfaces, New York, 2006, pp , ACM. [6]B. Ives, K. R. Walsh, and H. Schneider, The domino effect of password reuse, Commun. ACM, vol. 47, no. 4, pp , [7]S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N.Memon, Passpoints: Design and longitudinal evaluation of a graphical password system, Int. J. Human- Computer Studies, vol. 63, no. 1 2, pp , [8]B. Pinkas and T. Sander, Securing passwords against dictionary attacks, in CCS 02: Proc. 9th ACM Conf. Computer Communications Security, New York, 2002, pp , ACM. [9]J. Thorpe and P. van Oorschot, Towards secure design choices for implementing graphical passwords, presented at the 20th. Annu. Computer Security Applicat. Conf., [10] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, The design and analysis of graphical passwords, in SSYM 99: Proc. 8thConf. USENIX Security Symp., Berkeley, CA, 1999, pp. 1 1, USENIX Association. [11] A. Perrig and D. Song, Hash visualization: A new technique to improve real-world security, in Proc. Int.Workshop Cryptographic Techniques-Commerce, Citeseer, 1999, pp [5]S. Gawand, E. W. Felten, Password management strategies for online accounts, in SOUPS 06: Proc. 2nd Symp. Usable Privacy. Security, New York, 2006, pp , ACM. 25 Sao Vikram B., Gore Vishwanath P., Sankhe Bhakti A., Rananaware Rahul C.,