Text passwords are the most popular form of user authentication on websites. Users select weak passwords and reuse the same passwords across different websites. Typing a password into an untrusted system exposes it to theft. Password reuse causes users to lose sensitive information stored on different websites if an attacker compromises one of their passwords; this is referred to as the password reuse attack. In a password stealing attack, adversaries compromise passwords and impersonate users' identities to launch malicious attacks, collect sensitive information, perform unauthorized payment actions or leak financial secrets. This project presents a user authentication protocol named oPass, which combines a user's cell phone and the short message service (SMS) to resist password stealing and password reuse attacks. oPass requires each participating website to possess a unique phone number, and involves a telecommunication service provider in the registration and recovery phases. Through oPass, users only need to remember one long-term password to log in to all websites. oPass is an efficient web authentication mechanism.
Keywords: Network security, User authentication, Password stealing attack, Password reuse attack.
Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator. Users choose or are assigned an ID and password, or other authenticating information, that allows them access to the information and programs within their authority.
Over the past few decades, text passwords have been adopted as the primary means of user authentication for websites. People select their username and text password when registering accounts on a website. In order to log into the website successfully, users must recall the selected password. However, password-based user authentication has a major problem: humans are not good at memorizing text strings. Thus, most users choose easy-to-remember passwords (i.e., weak passwords) even if they know the passwords might be unsafe. Another crucial problem is that users tend to reuse passwords across various websites. Password reuse causes users to lose sensitive information stored on different websites if a hacker compromises one of their passwords. This attack is referred to as the password reuse attack. The above problems are caused by the negative influence of human factors. Therefore, it is important to take human factors into consideration when designing a user authentication protocol. Password management tools have been proposed to relieve this burden; their advantage is that users only have to remember a master password to access the management tool.
Three-factor authentication depends on what you know (e.g., a password), what you have (e.g., a token), and who you are (e.g., a biometric). To pass the authentication, the user must input a password, provide a pass code generated by the token (e.g., RSA SecurID), and scan her biometric features (e.g., fingerprint or iris). Three-factor authentication is a comprehensive defence mechanism against password stealing attacks, but it comes at comparatively high cost. Thus, two-factor authentication is more attractive and practical than three-factor authentication. Although many banks support two-factor authentication, it still suffers from the negative influence of human factors, such as the password reuse attack: users have to memorize another four-digit PIN code to use together with the token, for example RSA SecurID. In addition, users easily forget to bring the token.
This paper proposes a user authentication protocol named oPass which leverages a user's cell phone and the short message service (SMS) to prevent password stealing and password reuse attacks. In our opinion, it is difficult to prevent password reuse attacks in any scheme where users have to remember something. We also state that the main cause of password stealing attacks is users typing passwords into untrusted public computers. Therefore, the main concept of oPass is to free users from having to remember or type any passwords into conventional computers for authentication. Unlike generic user authentication, oPass involves a new component, the cell phone, which is used to generate one-time passwords, and a new communication channel, SMS, which is used to transmit authentication messages.
II. RELATED WORK
1. Comparing passwords, tokens, and biometrics for user authentication.
For decades, the password has been the standard means for user authentication on computers. However, as users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. This paper examines passwords, security tokens, and biometrics, which the authors collectively call authenticators, and compares these authenticators and their combinations. It examines effectiveness against several attacks and suitability for particular security requirements such as compromise detection and non-repudiation. The paper endeavours to offer a comprehensive picture of user authentication solutions for the purposes of evaluating options for use and identifying deficiencies requiring further research. Three-factor authentication is a comprehensive defence mechanism against password stealing attacks, but it comes at comparatively high cost.
2. Securing passwords against dictionary attacks.
Passwords are the most common method of authenticating users, and will most likely continue to be widely used for the foreseeable future, due to their convenience and practicality for service providers and end-users. Although more secure authentication schemes have been suggested in the past, e.g., using smartcards or public key cryptography, none of them has come into widespread use in the consumer market. It is a well-known problem in computer security that human-chosen passwords are inherently insecure, since a large fraction of users choose passwords that come from a small domain. A small password domain enables adversaries to attempt to log in to accounts by trying all possible passwords until they find the correct one. This attack is known as a "dictionary attack". Successful dictionary attacks have, e.g., been reported against eBay user accounts, where attackers broke into accounts of sellers with good reputations in order to conduct fraudulent auctions. When trying to improve the security of password-based authentication, one wants to prevent attackers from eavesdropping on passwords in transit, and from mounting offline dictionary attacks, namely attacks that enable the attacker to check all possible passwords without requiring any feedback from the server. Eavesdropping attacks can be prevented by encrypting the communication between the user and the server, for example using SSL. Offline dictionary attacks are prevented by limiting access to the password file (and can be made even harder by adding well-known measures such as the use of salt). In the discussion here it is assumed that the security measures described above are already implemented and therefore the attacker can only mount online dictionary attacks, namely attacks where the only way for the attacker to verify whether a password is correct is by interacting with the login server.
This might be a reasonable assumption for an Internet-based scenario, where SSL is used to encrypt passwords and the server uses reasonable security measures to secure its password file. Countermeasures such as delayed response and account locking can be quite useful, but only in a single-computer environment.
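The online/offline distinction and the account-locking countermeasure mentioned in the summary above can be seen in working code. The following is an added example, not code from this essay or from the paper it summarizes; the users, passwords and wordlist are constructed, PBKDF2-SHA256 stands in for the salted password file, and the lockout policy (three failures, fifteen-minute lock) is an arbitrary choice made for illustration.

```python
"""Added example (not from the essay or the paper it summarizes): a salted,
slow password hash beside an online-attempt lockout, and the two attacks the
passage contrasts.  Users, passwords and the wordlist are constructed."""
import hashlib
import hmac
import os

ITERATIONS = 20_000   # PBKDF2 work factor; use a much larger value in production
MAX_FAILURES = 3      # failed online attempts before the account locks
LOCK_SECONDS = 900    # lock duration once MAX_FAILURES is reached

# Constructed "small domain" of human-chosen passwords an attacker tries first.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon"]


def hash_password(password: str, salt: bytes) -> bytes:
    # A per-user salt defeats precomputed tables; iterations make each guess slow.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PasswordFile:
    """Server-side store of user -> (salt, hash); the password itself is never kept."""

    def __init__(self):
        self.rows = {}

    def add(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.rows[user] = (salt, hash_password(password, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self.rows[user]
        return hmac.compare_digest(stored, hash_password(password, salt))


class LoginServer:
    """With the file protected, online guessing is all that is left, so failures
    are counted per account and the account is locked for a while."""

    def __init__(self, pwfile: PasswordFile):
        self.pwfile = pwfile
        self.failures = {}    # user -> (failure count, locked-until timestamp)

    def login(self, user: str, password: str, now: float) -> str:
        # `now` is passed in explicitly so the behaviour is reproducible.
        count, locked_until = self.failures.get(user, (0, 0.0))
        if now < locked_until:
            return "locked"   # even the correct password is refused while locked
        if self.pwfile.verify(user, password):
            self.failures[user] = (0, 0.0)
            return "ok"
        count += 1
        if count >= MAX_FAILURES:
            self.failures[user] = (0, now + LOCK_SECONDS)
            return "locked"
        self.failures[user] = (count, 0.0)
        return "bad"


def offline_dictionary_attack(pwfile: PasswordFile, wordlist) -> dict:
    """Attacker holding a copy of the password file needs no server feedback:
    only the wordlist size and the per-guess hash cost limit the attack."""
    cracked = {}
    for user, (salt, stored) in pwfile.rows.items():
        for word in wordlist:
            if hash_password(word, salt) == stored:
                cracked[user] = word
                break
    return cracked


def online_dictionary_attack(server: LoginServer, user: str, wordlist, now: float) -> list:
    """The same wordlist against the live server: the lockout cuts the run short."""
    outcomes = []
    for word in wordlist:
        outcomes.append(server.login(user, word, now))
        if outcomes[-1] == "locked":
            break
    return outcomes


def demo() -> dict:
    pwfile = PasswordFile()
    pwfile.add("alice", "dragon")            # weak: in the wordlist
    pwfile.add("bob", "dragon")              # same password, different salt and hash
    pwfile.add("carol", "xK9#vQ2m!pLw7")     # not in the wordlist
    server = LoginServer(pwfile)
    return {
        "distinct_hashes": pwfile.rows["alice"][1] != pwfile.rows["bob"][1],
        "offline": offline_dictionary_attack(pwfile, WORDLIST),
        "online": online_dictionary_attack(server, "alice", WORDLIST, now=0.0),
        "correct_while_locked": server.login("alice", "dragon", now=10.0),
        "correct_after_lock": server.login("alice", "dragon", now=LOCK_SECONDS + 1.0),
    }
```

Running demo() shows the asymmetry: with a copy of the file the attacker recovers both weak passwords offline (the salt only prevents sharing work between the two accounts and rules out precomputed tables), while the same wordlist against the live server is stopped after three attempts. It also shows the cost of account locking that the summary alludes to: while the lock is in force the legitimate user's correct password is refused as well, which is why lockout on its own is a blunt instrument.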
3. A second look at the usability of click-based graphical passwords.
Click-based graphical passwords, which involve clicking a set of user-selected points, have been proposed as a usable alternative to text passwords. While initial results were optimistic with respect to usability, they acknowledged that further work was needed to address several remaining questions. These included conducting a field study assessing the usability of PassPoints in a more realistic setting, investigating the effect of screen size on usability, examining whether hotspots cause security concerns, and looking at the effect of interference, i.e., whether having to remember multiple graphical passwords might cause memorability or usability problems. It also appears that the type of image impacts memorability, with some images being too difficult to use. The authors further found that interference is a problem: participants who had two passwords had significantly lower success rates than those who had only one. Interference between multiple graphical passwords thus affects usability.
III. SYSTEM ARCHITECTURE
Figure 1: Architecture of oPass
A system architecture is the conceptual design that defines the structure and behaviour of a system. An architecture description is a formal description of the system, organized in a way that supports reasoning about its structural properties. It defines the system components or building blocks and provides a plan from which products can be procured and systems developed that will work together to implement the overall system, so that investment can be managed in a way that meets business needs. It captures the fundamental organization of a system, embodied in its components, their relationships to each other and to the environment, and the principles governing its design and evolution; it maps functionality onto hardware and software components, maps the software architecture onto the hardware architecture, and accounts for human interaction with these components. Architecture comprises the most important, pervasive, top-level, strategic decisions, and their associated rationales, about the overall structure (i.e., the essential elements and their relationships) and the associated characteristics and behaviour of the system.
For users to perform secure login on an untrusted computer, oPass consists of a trusted cell phone, a browser on the kiosk, and a web server that users wish to access. The user operates her cell phone and the untrusted computer directly to accomplish secure logins to the web server. The communication between the cell phone and the web server is through the SMS channel. The web browser interacts with the web server via the Internet. The protocol design requires the cell phone to interact directly with the kiosk; the general approach is to select an available interface on the cell phone, Wi-Fi or Bluetooth. Each web server possesses a unique phone number. Via the phone number, users can interact with each website through an SMS channel. The users' cell phones are assumed to be malware-free, so users can safely input the long-term password into them. The Telecommunication Service Provider (TSP) participates in the registration and recovery phases. The TSP is a bridge between subscribers and web servers: it provides a service for subscribers to perform the registration and recovery processes with each web service. For example, a subscriber inputs her id and a web server's id to start the registration phase. Then, the TSP forwards the request and the subscriber's phone number to the corresponding web server based on the received id. Subscribers (i.e., users) connect to the TSP via 3G connections to protect the transmission. The TSP and the web server establish a Secure Sockets Layer (SSL) tunnel. Via the SSL protocol, the TSP can verify the server by its certificate to prevent phishing attacks. With the aid of the TSP, the server can receive the correct Tu sent from the subscriber. If a user loses her cell phone, she can notify her TSP to disable the lost SIM card and apply for a new card with the same phone number. Therefore, the user can perform the recovery phase using a new cell phone.
Text passwords have been adopted as the primary means of user authentication for websites. People select their username and text password when registering accounts on a website. Password-based user authentication is only as strong as the chosen password: weak passwords fall to brute force and dictionary attacks. Password reuse causes users to lose sensitive information stored on different websites if a hacker compromises one of their passwords. This attack is referred to as the password reuse attack.
oPass consists of registration, login, and recovery phases. It utilizes a user's cell phone as an authentication token and SMS as a secure channel. In the registration phase, the user starts the oPass program to register a new account on the website. The login procedure in oPass does not require users to type passwords into an untrusted web browser. A recovery phase is also designed to handle the loss of the user's cell phone. The threat model considers attacks on each phase separately: attacks on registration, attacks on login, and attacks on recovery. oPass provides security against keyloggers, phishing, password reuse attacks and session hijacking.
The assumptions of the oPass system are as follows.
1) Each web server possesses a unique phone number. Via the phone number, users can interact with each website through an SMS channel.
2) The users' cellphones are malware-free. Hence, users can safely input the long-term passwords into cellphones.
3) The telecommunication service provider (TSP) participates in the registration and recovery phases. The TSP is a bridge between subscribers and web servers. It provides a service for subscribers to perform the registration and recovery processes with each web service. For example, a subscriber inputs her ID and a web server's ID to start the registration phase. Then, the TSP forwards the request and the subscriber's phone number to the corresponding web server based on the received ID.
4) Subscribers (i.e., users) connect to the TSP via 3G connections to protect the transmission.
5) The TSP and the web server establish a secure sockets layer (SSL) tunnel. Via the SSL protocol, the TSP can verify the server by its certificate to prevent phishing attacks. With the aid of the TSP, the server can receive the correct Tu sent from the subscriber.
V. RESULTS AND DISCUSSION
A user starts the oPass program to register a new account on the website. The server asks for the user's account id and phone number instead of a password. After filling out the registration form on the cellphone, the program asks the user to set up a long-term password. Then the program automatically sends a registration SMS message to the server to complete the registration procedure. At login, the user id is the only information typed into the browser. Next, the user opens the oPass program on the phone and enters the long-term password; the program generates a one-time password and sends a login SMS to the server, encrypted with that one-time password. Finally, the cellphone displays a response message if the server is able to verify the identity. If a user loses the cellphone, the protocol is able to recover the settings on a new phone with the same phone number.
The phone number is a critical factor of oPass since the SMS channel is adopted for message exchange. The potential issue is how users ensure that the phone number received is actually from the desired website rather than a forged phishing website. To address this difficulty, the registration and recovery phases involve a telecommunication service provider (TSP). We assume that the TSP provides a service (e.g., a cellphone application) to support the registration and recovery procedures of oPass. Users input the identity of the desired website (e.g., Facebook) to the TSP's service. The TSP establishes an SSL tunnel with the website before forwarding messages sent from users to it. Based on the SSL protocol, the TSP can verify the website's certificate to prevent phishing attacks. Therefore, we can ensure that the phone number actually comes from the correct website rather than a phishing website. In addition, the SSL tunnel provides data confidentiality. The communication interface between the cellphone and the TSP is 3G.
Password reuse is a serious problem in present user authentication systems. To address this problem, oPass adopts an OTP approach. Even if the long-term password is used for every account, the OTP approach still ensures that all logins are independent. Based on the design, the seed is one of the inputs used to compute the credential; ideally, different web servers randomize different seeds to compute distinct credentials, and distinct credentials derive distinct OTP sequences for login. Therefore, oPass users do not reuse the same passwords for different accounts, since the generated OTP sequences guarantee randomness for each login. Regarding the weak password problem, users tend to pick weak passwords because they are easy to remember. In the oPass system, a user remembers just one long-term password for all accounts. The burden of remembering many passwords is removed, so users are more willing to choose a strong one. Unfortunately, user behaviour is not easy to change. To help users, oPass adopts a checker to evaluate the strength of the password in the registration phase. If the selected password does not satisfy the preferred security level, oPass suggests a random strong password or allows the user to pick a new one. A hash chain of one-time passwords is eventually consumed entirely. We introduce a threshold parameter to solve this problem. The server checks the status of the hash chain after receiving a legal login SMS. If fewer one-time passwords than the threshold remain, the server sends a new seed to the cellphone during the login procedure. Once the cellphone gets the new seed, it computes a new credential and sends it to the server through the SMS channel. Hence, the user and the server use the new hash chain for the next login. This refresh is completed automatically without user effort. The out-of-sequence problem is another issue with the hash chain: for example, the server's index may have advanced while the cellphone's index has not, due to some unpredictable error.
To address this problem, oPass adopts a fault-tolerant mechanism. The server keeps the previous round's OTP when its index moves. In the current round, the server uses the current OTP to decrypt and verify the authenticity of the login SMS. If the verification fails, the server checks the login SMS again using the previous round's OTP. This mechanism tolerates a single out-of-sequence step.
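The registration and login exchange described in this section, together with the chain refresh and the one-step fault tolerance, as an added simulation. This is not code from the essay or from the oPass authors: the credential derivation, the toy SMS encryption (SHA-256 keystream with an HMAC tag), the message layout and the chain length and refresh threshold are assumptions made for the example, and the SMS and TSP channels are replaced by direct method calls.

```python
"""Added example, not code from the essay or from the oPass authors: a toy
simulation of per-site credentials, hash-chain OTPs, chain refresh when few
OTPs remain, and one-step fault tolerance.  Derivation, SMS encryption and
message layout are assumptions made for the example."""
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def derive_credential(long_term_pw: str, server_id: str, seed: bytes) -> bytes:
    # One long-term password everywhere, but the server id and a server-chosen
    # seed make the credential, and hence the OTP chain, distinct per website.
    return H(b"opass-cred|" + long_term_pw.encode() + b"|" + server_id.encode() + b"|" + seed)


def otp_at(cred: bytes, i: int, n: int) -> bytes:
    # Hash chain of length n: delta_i = H^(n-i)(cred), so H(delta_i) = delta_(i-1).
    v = cred
    for _ in range(n - i):
        v = H(v)
    return v


def seal(key: bytes, msg: bytes) -> bytes:
    # Toy authenticated encryption keyed by the OTP: SHA-256 keystream plus HMAC tag.
    stream = b"".join(H(key + bytes([b])) for b in range((len(msg) + 31) // 32))
    ct = bytes(x ^ y for x, y in zip(msg, stream))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None    # wrong OTP or tampered SMS
    stream = b"".join(H(key + bytes([b])) for b in range((len(ct) + 31) // 32))
    return bytes(x ^ y for x, y in zip(ct, stream))


class Server:
    def __init__(self, server_id: str, chain_len: int = 8, refresh_below: int = 3):
        self.sid, self.n, self.refresh_below = server_id, chain_len, refresh_below
        self.accounts = {}    # user -> {cred, index, seed, nonce}

    def registration_seed(self, user: str) -> bytes:
        # Registration asks for an account id and phone number, never a password.
        self.accounts[user] = {"cred": None, "index": 1, "seed": secrets.token_bytes(16), "nonce": None}
        return self.accounts[user]["seed"]

    def set_credential(self, user: str, cred: bytes) -> None:
        # Stands in for the registration SMS, or the credential update after a refresh.
        self.accounts[user].update(cred=cred, index=1)

    def begin_login(self, user: str) -> bytes:
        # Fresh per-login nonce the phone must echo back; this defeats SMS replay.
        self.accounts[user]["nonce"] = secrets.token_bytes(8)
        return self.accounts[user]["nonce"]

    def finish_login(self, user: str, sms: bytes) -> dict:
        acct = self.accounts[user]
        i, tolerated = acct["index"], False
        if acct["nonce"] is None:
            return {"ok": False}
        plain = unseal(otp_at(acct["cred"], i, self.n), sms)
        if plain is None and i > 1:
            # Out-of-sequence case: the phone may still be one round behind, so
            # retry with the previous round's OTP (one step of fault tolerance).
            plain = unseal(otp_at(acct["cred"], i - 1, self.n), sms)
            tolerated = plain is not None
        if plain != user.encode() + b"|" + acct["nonce"]:
            return {"ok": False}
        acct["nonce"] = None
        if not tolerated:
            acct["index"] = i + 1    # a tolerated login lets the phone catch up instead
        result = {"ok": True, "index": acct["index"], "tolerated": tolerated}
        if self.n - acct["index"] < self.refresh_below:
            acct["seed"] = secrets.token_bytes(16)    # chain nearly used up: hand out a new seed
            result["new_seed"] = acct["seed"]
        return result


class Phone:
    def __init__(self, long_term_pw: str):
        self.pw, self.sites = long_term_pw, {}    # the only secret the user remembers

    def register(self, server: Server, user: str) -> None:
        cred = derive_credential(self.pw, server.sid, server.registration_seed(user))
        self.sites[server.sid] = {"user": user, "cred": cred, "index": 1}
        server.set_credential(user, cred)

    def login(self, server: Server, drop_response: bool = False) -> dict:
        st = self.sites[server.sid]
        nonce = server.begin_login(st["user"])
        sms = seal(otp_at(st["cred"], st["index"], server.n), st["user"].encode() + b"|" + nonce)
        result = server.finish_login(st["user"], sms)
        if drop_response or not result["ok"]:
            return result    # lost response SMS: the phone's index does not move
        st["index"] = result["index"]
        if "new_seed" in result:
            st["cred"] = derive_credential(self.pw, server.sid, result["new_seed"])
            st["index"] = 1
            server.set_credential(st["user"], st["cred"])
        return result
```

Phone.login(server) runs one login; Phone.login(server, drop_response=True) models a lost response SMS, after which the next login is accepted through the previous-round OTP and the two indices realign. The per-login nonce is an addition the passage does not spell out: without it, a captured login SMS could be replayed during the one round in which the server still accepts the previous OTP.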
This paper proposed a user authentication protocol named oPass which combines cellphones and SMS to thwart password stealing and password reuse attacks. The design principle of oPass is to eliminate the negative influence of human factors as much as possible. Through oPass, each user only needs to remember a long-term password, which is also used to protect her cellphone. Users are free from typing any passwords into untrusted computers for login on all websites. Compared with previous schemes, oPass is the first user authentication protocol to prevent password stealing (i.e., phishing, keyloggers, session hijacking and malware) and password reuse attacks simultaneously. The reason is that oPass adopts the one-time password approach to ensure independence between logins. In the prototype, the login success rate is over 95%, the failures being due to a few typing errors. The average time spent on registration and login is 10.8 s and 10.6 s respectively, as measured from the prototype output. The current implementation cannot recover an oPass account if the user loses her cellphone.
Future work is to implement the recovery phase, so that users who lose their cellphones can recover their oPass accounts with a reissued SIM card and the long-term password. The one-time password chain can currently be refreshed only a limited number of times; the algorithm will be changed to rectify this. A prototype of oPass was also implemented to measure its performance. According to the results, SMS delay accounts for more than 40% of the total execution time. The delay could be shortened by using more advanced devices.