IJIRST –International Journal for Innovative Research in Science & Technology| Volume 4 | Issue 1 | June 2017 ISSN (online): 2349-6010
One Time Keyboard (OTK) Authentication Arjun G S Department of Computer Science & Engineering Sri Jayachamarajendra College of Engineering (SJCE), Mysore, Karnataka, India
Rashmi P D Department of Computer Science & Engineering NIE-IT, Mysore, Karnataka, India
Abstract Recent cloud based web application demands authentication to provide reliable verification and accurate distinguishing between the actual user and the attacker. Presence of many client end vulnerabilities such as the credential stealing attacks have made most of the time the attackers to be treated as legitimate users as the credentials are actually stolen and entered. This affects the reliability of such authentication methods along with the usability due to the cost involved in authenticating each user in terms of storage required, processing time and computational cost. The primary requirement of authentication is the usability, deployability and maintainability along with the security. The aim of this work is to discover a better authentication that is easy to manage with less cost and better protection mechanisms against most of the credential stealing attacks. Keywords: Authentication, Credential - Stealing, Keyloggers, Phishing, Malware, Shoulder-Surfing, Visual Authentication, Cloud Security _______________________________________________________________________________________________________ I.
INTRODUCTION
Authentication is the process or action of verifying user identity. The authentication process can be based on a combination of one or more authentication factors. The widely recognized factors to authenticate humans are: Something the user knows: a password, a passphrase, a PIN code. Something the user owns: a USB token, a phone, a smart card, a software token. Something that qualifies the user: a fingerprint, DNA fragment, voice pattern. Something the user can do: a signature, a gesture. Somewhere the user is: a current location/position, a current time information. . . Authentication plays a key role in information security as it ensures all the other aspects of information security i.e. confidentiality, integrity, authorization, availability and non-repudiation. Current threats to existing authentication techniques are keyloggers, malwares/spywares, phishing, shoulder-surfing and so on. The presence of encapsulated keyloggers are not noticed with most of the current anti-viruses used. Also the use of flash keyboards is not so appropriate to escape from keyloggers or screen-captures[1]. Prevention from phishing can be done only by educating/ training users rather than relying on phishing detection algorithms. Most of the phishing attempts has become successful even with the presence of anti-phishing algorithms, as they rely on clients side data of prior records [2],[3],[4]. Shoulder-surfing is also a serious issue to be addressed w.r.t authentication. Many algorithms are evolving these days to find the android pattern with the shoulder-surfed videos [5]. These days with the presence of surveillance (CCTVs’) and spy cameras everywhere also adds to the automated shoulder-surfing along with the traditional method of shouldersurfing by the actual human attacker. This paper aims at finding a authentication that is robust against credential stealing attacks and also that could provide higher security with less cost in terms of storage, processing time and computational cost. II. LITERATURE SURVEY Static authentication by a shared secret A static authentication protocol means that the device through which the authentication is done has nothing to compute. It embeds some priorly shared secret value but can, at best, show it. The human users, when types his password in a login page or interface, is a static authentication device. This method may also include the use of graphical passwords to verify the user identification where the user has to click on priorly shared image instead of a textual password[6],[7]. The textual password method is widely used in most of the applications starting from social media like facebook, twitter… The main reason for the usage of this authentication method is the ease of use for users and the cost involved for authentication for the organization. Fig.1 shows the traditional authentication method in windows with two fields namely, UserID and password. Most of the applications use the same traditional fields with different user interfaces. Few applications use graphical passwords also, but due to usability and need for training the users has limited the usage of graphical passwords to very few applications.
All rights reserved by www.ijirst.org
173
One Time Keyboard (OTK) Authentication (IJIRST/ Volume 4 / Issue 1/ 029)
Fig. 1: Static Authentication.
This method is vulnerable to most of the attacks like keylogging, phishing and shoulder-surfing. This method relies on antiviruses to prevent against malwares and spywares. To prevent from phishing it relies on phishing detection algorithms. Key logging attacks could have been avoided by the user using the method in [8] earlier, but due to advancement in keyloggers and screen-captures, correlation attacks can help the attacker to find user credentials. The effect of brute force attacks can be based on the password strength. i.e. the use of cryptographically strong keys would be a strong password whereas the commonly used combination of password which is easy to remember for users becomes weak password. Use of graphical passwords with images instead of text may prevent the key logging attacks, but screen-captures, phishing and shoulder-surfing cannot be prevented. 2-Factor authentication (Dynamic) A dynamic authentication protocol is the opposite of static: the device that can compute few things. For example use of One-TimePassword (OTP). Here the user is identified using two devices. The second device being a remote device which is assumed to be secure and only the legitimate user has access to the remote device. As shown in the Fig. 2 the basic idea of scheme is as follows. The user enters user ID and Password (PW) in the terminal. The local system verifies the authenticity of the user based on user ID. Once the local verification is over, the user send login request to the cloud server to verify the password. Upon receiving the login request, the cloud server sends some authentication data based on the specific user. The cloud server sends the onetime password to the mobile network through HTTP/SMS gateway. The mobile network delivers the onetime password to the user via SMS. The user authenticates the server and sends some message based on ID and one time password. The server authenticates user based on data sent by the user in step 6. [9] This method is also vulnerable to the attacks like phishing (redirection method) and some complex attacks which under shouldersurfing (Use of spy cameras or CCTV surveillance videos would make the fastest finger first to get authenticated). The issue here is that the OTP is sent to remote device unencrypted in an unsecure channel i.e. mobile carrier. Also the advancement in android technology has made most of the applications have access to the OTP sent as SMS. Brute force attack is usually difficult here due to the presence of a randomly generated OTP.
Fig. 2: 2-Factor Authentication
All rights reserved by www.ijirst.org
174
One Time Keyboard (OTK) Authentication (IJIRST/ Volume 4 / Issue 1/ 029)
Biometric Authentication It is the process of automatic identification of living individuals by using their physiological and behavioral characteristics. Biometric Authentication depends on measurement of some unique attribute of the user. They presume that these user characteristics are unique, that they may not be recorded and reproductions provided later, and that the sampling device is tamperproof. The Fig.3 lists the currently deployed biometric techniques in the computer security market. Although, biometrics authentication systems have overcome other traditional authentication schemes such as password or (pass codes) and PIN (Personal Identification Number). Till yet, there is no 100 percent guarantee about achieving highest level of performance regarding identification/ verification of a person's identity considering the amount of space required to store the biometric features, processing time and cost of operation of the features i.e. the load on the server processor in order to match the given template to the templates set in the database.
Fig. 3: Broad classification of biometric authentication.
Biometric authentication involves some of the generic steps as shown in Fig 4.
Fig. 4: Generic steps in biometric authentication.
All rights reserved by www.ijirst.org
175
One Time Keyboard (OTK) Authentication (IJIRST/ Volume 4 / Issue 1/ 029)
Enrollment and Verification phases involve Sensing, Feature extraction and template generation steps. The generated templates are stored in database in enrollment phase, whereas is verification the generated template is compared with the ones’ in database to distinguish between actual user and the attacker. Although biometric authentication provides a better security, the cost may be expensive with respect to storing the extracted feature in the database, the time for processing during each time the user wants to get authenticated and the amount of work done in comparing the user feature template with the templates in the database. Thus it could not to more suitable applications like social media, email, etc. III. METHODOLOGY This is an authentication process which uses user driven visualization to improve security and user-friendliness that not only improve the user experience but also can resist challenging credential stealing attacks.
Fig. 5: Shoulder surfing resistant authentication
As shown in the Fig.5 the basic idea of scheme is as follows. 1) The user enters user ID in the terminal. The local system verifies the authenticity of the user based on user ID. 2) Once the local verification is over, the user send login request to the cloud server. 3) Upon receiving the login request, the cloud server generates a random 4X4 keyboard layout which acts as one time keyboard (OTK), encrypts it and finally converts it to a QR code which appears on user terminal. 4) User scans the QR code with the mobile application. User enters his another credential called registration ID. Registration ID entered is sent to server for verification upon which the user will be able to view the keyboard layout. 5) The user authenticates the server and enters his password on the blank keyboard layout present on the user terminal looking at the mobile. 6) The server authenticates user based on data sent by the user in step 6. Use of One Time Keyboard (OTK) suggested in [10] would have a better performance considering the credential stealing attacks and the cost w.r.t storage, processing time and computation. Shoulder surfing could be a serious issue to be addressed as the attacker gets time to understand the visual authentication protocol. This could be improved by using the traditional way of preventing shoulder surfing by using Row clicks and Column clicks[11],[12]. IV. CONCLUSION Currently authentication algorithms are such that even if the user has lost his user credential or one of his device, security can be ensured by measures of 2-factor authentication. Comparatively, visual authentication can be a better solution against credential stealing attacks. But even it is not robust against automated attacks thought bots or shoulder-surfing through surveillance/hidden camera. In next few years, the authentication algorithm should be such that, although the attacker knows the user credentials and also has control over users’ devices the attacker should not be able to get authenticated which can be done by introducing some predefined logics that is done by the user before entering his credentials. REFERENCES [1] [2]
Dadkhah, M. and Jazi, M.D., 2014. A Novel approach to deal with Keyloggers. Oriental Journal of Computer Science & Technology, 7(1), pp.25-28. Dadkhah, M. and Jazi, M.D., 2014. Secure payment in E-commerce: Deal with Keyloggers and Phishing. International Journal of Electronics Communication and Computer Engineering, 5(3), pp.656-660.
All rights reserved by www.ijirst.org
176
One Time Keyboard (OTK) Authentication (IJIRST/ Volume 4 / Issue 1/ 029) [3]
Nirmal, K., Janet, B. and Kumar, R., 2015, February. Phishing-the threat that still exists. In Computing and Communications Technologies (ICCCT), 2015 International Conference on (pp. 139-143). IEEE. [4] Rao, R.S. and Ali, S.T., 2015, April. A computer vision technique to detect phishing attacks. In Communication Systems and Network Technologies (CSNT), 2015 Fifth International Conference on (pp. 596-601). IEEE. [5] Ye, G., Tang, Z., Fang, D., Chen, X., Kim, K.I., Taylor, B. and Wang, Z., 2017. Cracking Android pattern lock in five attempts. [6] Bhand, A., Desale, V., Shirke, S. and Shirke, S.P., 2015, December. Enhancement of password authentication system using graphical images. In Information Processing (ICIP), 2015 International Conference on (pp. 217-219). IEEE. [7] Almulhem, A., 2011, February. A graphical password authentication system. In Internet Security (WorldCIS), 2011 World Congress on (pp. 223-225). IEEE. [8] Herley, C. and Florencio, D., 2006, July. How to login from an Internet cafĂŠ without worrying about keyloggers. In Symposium on Usable Privacy and Security (SOUPS) (Vol. 6). [9] Choudhury, A.J., Kumar, P., Sain, M., Lim, H. and Jae-Lee, H., 2011, December. A strong user authentication framework for cloud computing. In Services Computing Conference (APSCC), 2011 IEEE Asia-Pacific (pp. 110-115). IEEE. [10] Nyang, D., Mohaisen, A. and Kang, J., 2014. Keylogging-resistant visual authentication protocols. IEEE Transactions on Mobile Computing, 13(11), pp.25662579. [11] Kasat, O., Bhadade, U. and Trivedi, M.N., 2015. Study and Analysis of Shoulder-Surfing Methods. [12] Nand, P., Singh, P.K., Aneja, J. and Dhingra, Y., 2015, March. Prevention of shoulder surfing attack using randomized square matrix virtual keyboard. In Computer Engineering and Applications (ICACEA), 2015 International Conference on Advances in (pp. 916-920). IEEE.
All rights reserved by www.ijirst.org
177