Opass User Authentication Protocol For Web Based Computer Science Essay


02 Nov 2017


Department of Computer Engineering, SSBT’s College of Engineering & Technology, Bambhori, Jalgaon, MH, INDIA.

Abstract

Password authentication is a growing concern because of identity theft in online correspondence, subscription services and shopping. When people reuse their passwords across multiple accounts, they increase their vulnerability: compromising one password can help an attacker take over several accounts. The text password is the most popular form of user authentication on websites due to its convenience and simplicity. However, users' passwords are prone to being stolen and compromised under different threats and vulnerabilities. First, users often select weak passwords and reuse the same passwords across different websites. Routinely reusing passwords causes a domino effect: when an adversary compromises one password, the adversary will exploit it to gain access to more websites. Second, typing passwords into untrusted computers exposes them to password theft. An adversary can launch several password-stealing attacks to snatch passwords, such as phishing, keyloggers and malware. In this paper we propose a user authentication protocol named OPass. This user authentication scheme helps users who rely on text passwords against password stealing and password reuse attacks. The proposed scheme allows a user to remember only a long-term password for logging in to all websites. For this purpose, a telecommunication service provider takes part in the registration and recovery phases.

Keywords: Online Password, User Authentication, One Time Password.

INTRODUCTION

People increasingly rely on public computers (e.g. Internet kiosks) to do business over the Internet. But accessing today's web-based email, online auctions, or banking sites invariably requires typing a username and password to prove one's identity to the remote service. This creates a significant security vulnerability. To access the Internet securely, people require more security from the remote service, but the service must still authenticate the user, so authentication is the most important factor for accessing the Internet.

Authentication

Businesses need to authenticate people who have access to company resources. In the physical world this may be a swipe card to enter the building, or a code to enter a locked door. If a person has this swipe card or code, they have been authenticated as someone allowed in that building or room. Authentication is the act of confirming the identity of a person or other entity. In the context of a private computer network, the identities of users or host computers must be established to ensure that only authorized parties can access the network. A key feature of authentication is its support of single sign-on. Single sign-on allows a user to log on to the domain once, using a single password, and authenticate to any computer in the domain.

_______________________________________________

Corresponding Author

Ashish T. Bhole, Associate Professor, Department of Computer Engineering, SSBT's College of Engineering & Technology, Bambhori, Jalgaon, INDIA. [email protected]

Sheetal Chaudhari, PG Student, Department of Computer Engineering, SSBT's College of Engineering & Technology, Bambhori, Jalgaon, INDIA. [email protected]

User Authentication

User authentication is a means of identifying the user and verifying that the user is allowed to access some restricted service. When you log in to your network computer account, you verify that you are authorized to use computing resources, and, additionally, that you are the user who owns a particular set of those resources (files, e-mail, and so on), by giving the correct user id and password.

Authentication Protocol

An authentication protocol is a type of cryptographic protocol with the purpose of authenticating entities wishing to communicate securely.

Table 1. Authentication protocols

Kerberos V5 authentication: A protocol that is used with either a password or a smart card for interactive logon. It is also the default method of network authentication for services.

SSL/TLS authentication: A protocol that is used when a user attempts to access a secure Web server.

NTLM authentication: A protocol that is used when either the client or server uses a previous version of Windows.

Digest authentication: Transmits credentials across the network as an MD5 hash or message digest.

Passport authentication: A user-authentication service which offers a single sign-in service.

Online Password

Online Password, abbreviated OPass, is a user authentication protocol that can be used to protect the user from password stealing and password reuse attacks. The concept is proposed for secure user login in the presence of password stealing attacks and hacking of passwords. With it, the user does not have to remember a password for every login; the user must remember only a long-term password. The proposal is based on three concepts: one-time passwords, SMS, and 3G connectivity. By combining these concepts, the protocol becomes stronger and more robust.

RELATED WORK

Many techniques have been proposed by researchers for securing the login to a website. Most of these techniques aim to secure the login and also to protect against phishing attacks. These techniques use a mobile device, a trusted platform module (TPM), or a public key infrastructure (PKI) to create a one-time password.

To secure users against these problems, Wu et al. (2004) proposed a system that uses a mobile device and a trusted proxy for securing a login. In that paper the authors present a solution using a mobile phone as a hand-held authentication token and a security proxy which allows the system to be used with unmodified third-party web services, creating a system that is both secure and highly usable.

Another known approach for preventing password hacking attacks is the MP-Auth protocol presented by Mannan and van Oorschot (2007). This protocol makes password-based login very strong and protects against an untrusted proxy or untrusted server. MP-Auth is proposed primarily to protect a user's long-term password input through an untrusted (or untrustworthy) client PC. The use of a mobile device in MP-Auth is intended to protect user passwords from easily being recorded and forwarded to malicious parties. MP-Auth protects passwords from keyloggers and various forms of phishing attacks (including deceptive malware, DNS-based attacks or pharming, as well as false bookmarks). MP-Auth also protects against session hijacking by providing transaction integrity through a transaction confirmation step.

Various other techniques have been proposed by researchers. Parno et al. (2007) extended the use of web browsers and mobile devices and devised an anti-phishing mechanism. Another approach to phishing attacks was described as SessionMagnifier (C. Yue and H. Wang, 2009).

OPASS

The name OPass comes from Online Password. Over the past few decades, the text password has been adopted as the primary means of user authentication for websites. People select their username and text password when registering accounts on a website. In order to log into the website successfully, users must recall the selected password. Generally, password-based user authentication can resist brute-force and dictionary attacks if users select strong passwords that provide sufficient entropy. However, password-based user authentication has a major problem: humans are not experts in memorizing text strings. Thus, most users choose easy-to-remember passwords (i.e., weak passwords) even if they know the passwords might be unsafe. Another crucial problem is that users tend to reuse passwords across various websites. Password reuse causes users to lose sensitive information stored in different websites if a hacker compromises one of their passwords. This attack is referred to as the password reuse attack. The above problems are caused by the negative influence of human factors. Therefore, it is important to take human factors into consideration when designing a user authentication protocol. In this project, we design a user authentication protocol named OPass which leverages a user's cellphone and short message service (SMS) to prevent password stealing and password reuse attacks. In our opinion, it is difficult to defeat password reuse attacks with any scheme where users have to remember something. We also state that the main cause of password stealing attacks is users typing passwords into untrusted public computers. Therefore, the main concept of OPass is to free users from having to remember or type any passwords into conventional computers for authentication. Unlike generic user authentication, OPass involves a new component, the cellphone, which is used to generate one-time passwords, and a new communication channel, SMS, which is used to transmit authentication messages.

Architecture of OPass

The architecture (and environment) of the OPass system is shown in Figure 1. For users to perform a secure login on an untrusted computer (kiosk), OPass consists of a trusted cellphone, a browser on the kiosk, and a web server that users wish to access.

[Figure 1: Architecture of OPass. Components: User, Cellphone, Untrusted Computer (Browser), Web Server. Links: Physical Contact, Wireless or Bluetooth, Internet, SMS Channel.]

Figure 1 Architecture of OPass

The user operates her cellphone and the untrusted computer directly to accomplish secure logins to the web server. The communication between the cellphone and the web server is through the SMS channel. The web browser interacts with the web server via the Internet. In our protocol design, we require the cellphone to interact directly with the kiosk. The general approach is to use the interfaces available on the cellphone, Wi-Fi or Bluetooth.

OPASS SYSTEM

We present OPass from the user's perspective to show the operation flows in Figure 2. OPass consists of registration, login, and recovery phases; we introduce the details of each in turn. Unlike generic web logins, OPass utilizes a user's cell phone as an authentication token and SMS as a secure channel.

[Figure 2: General Phases of OPass. Flow: User, Login, OPass (Mobile Application), Output; branches Yes / No, Registration Phase, Recovery Phase (if lost).]

Figure 2 General Phases of OPass

In the registration phase, a user starts the OPass program to register a new account on the website that the user wishes to visit in the future. Unlike conventional registration, the server requests the user's account id and phone number instead of a password. After the user fills out the registration form, the program asks the user to set up a long-term password. This long-term password is used to generate a chain of one-time passwords for further logins on the target server. Then, the program automatically sends a registration SMS message to the server to complete the registration procedure. The content of the registration SMS is encrypted to provide data confidentiality.

OPass also includes a recovery phase to handle some conditions, such as losing one's cellphone. The login procedure in OPass does not require users to type passwords into an untrusted web browser; the user name is the only information entered into the browser. Next, the user opens the OPass program on her phone and enters the long-term password; the program generates a one-time password and sends a login SMS securely to the server. The login SMS is encrypted with the one-time password. Finally, the cell phone receives a response message from the server and shows a success message on the user's screen if the server is able to verify the user's identity. This message is used to assure the user that the website is legitimate and not a phishing site.

Registration phase

The user enters the user id and server id.

The cellphone transmits this information to the TSP (telecommunication service provider).

The TSP transmits the user id, the user's phone number and a shared key to the server.

The server generates its secure information and sends it to the TSP.

The TSP sends the server information, together with the shared key, to the cellphone.

The user enters the long-term password.

The cellphone computes the secret key, generates a secured registration message and sends it to the server, which verifies its authenticity.

Login phase

The browser sends the user's login request to the server.

The server checks the information against its database and generates a fresh nonce.

This message is then passed to the cellphone.

The user enters the long-term password.

A one-time password is generated for the current login, and the cellphone generates its own nonce and a secure login SMS.

The server checks and verifies the authenticity of the login SMS.

The server sends a successful-login message to the cellphone through the Internet.

Recovery phase

The user enters the user id and server id.

The cellphone transmits this information to the TSP.

The TSP transmits the user id, the user's phone number and the shared key to the server.

The server checks that the account exists, generates a fresh nonce and replies with this message to the TSP.

The TSP sends the server information to the cellphone.

The user enters the long-term password.

The cellphone computes the secret key, generates a one-time password, prepares a secured recovery message and sends it to the server, which verifies its authenticity.
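The registration and login phases listed above, as an added example that is not part of the original paper or of any OPass implementation: the cellphone derives a per-site secret from the long-term password, registers the top of a hash chain, and each login reveals the next chain value, which also keys the login SMS; the server consumes its nonce on first use, so a replayed SMS or a stale one-time password is rejected. The PBKDF2 derivation, the HMAC used in place of the paper's SMS encryption, the chain length, and the omission of the TSP relay are assumptions of this example.

```python
import hashlib
import hmac
import secrets

CHAIN_LEN = 4  # constructed: one-time passwords available per registration

def derive_secret(long_term_pw: str, user_id: str, server_id: str) -> bytes:
    # Secret key the phone derives from the long-term password; the salt binds user and server id
    return hashlib.pbkdf2_hmac("sha256", long_term_pw.encode(), f"{user_id}@{server_id}".encode(), 100_000)

def hash_chain(secret: bytes, n: int) -> bytes:
    # H^n(secret): the registered anchor is H^CHAIN_LEN(secret); the i-th login
    # reveals H^(i-1)(secret), which the server checks by hashing it once more.
    h = secret
    for _ in range(n):
        h = hashlib.sha256(h).digest()
    return h

def phone_login(secret: bytes, user_id: str, nonce: bytes, i: int):
    # Cellphone side of login: derive this login's one-time password and use it to
    # authenticate the login SMS, binding in the server's fresh nonce.
    otp = hash_chain(secret, i - 1)
    tag = hmac.new(otp, nonce + user_id.encode(), "sha256").digest()
    return otp, tag

class Server:
    def __init__(self):
        self.accounts = {}  # user_id -> {"phone", "anchor", "i"}
        self.nonces = {}    # user_id -> outstanding login nonce

    def register(self, user_id: str, phone: str, anchor: bytes) -> None:
        # Registration message carries the chain anchor, never the long-term password
        self.accounts[user_id] = {"phone": phone, "anchor": anchor, "i": CHAIN_LEN}

    def login_request(self, user_id: str):
        # Login step 2: check that the account exists and issue a fresh nonce
        if user_id not in self.accounts:
            return None
        self.nonces[user_id] = nonce = secrets.token_bytes(16)
        return nonce

    def verify_login(self, user_id: str, otp: bytes, tag: bytes) -> bool:
        # Login step 6: the nonce is consumed on first use, so a replayed SMS fails
        acct = self.accounts.get(user_id)
        nonce = self.nonces.pop(user_id, None)
        if acct is None or nonce is None or acct["i"] == 0:
            return False
        if hashlib.sha256(otp).digest() != acct["anchor"]:
            return False  # not the next value on the chain: stale or forged OTP
        expected = hmac.new(otp, nonce + user_id.encode(), "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False
        acct["anchor"], acct["i"] = otp, acct["i"] - 1  # advance the chain
        return True
```

The chain is finite, so after CHAIN_LEN logins the phone must re-register, which in the paper's design is what the recovery phase also handles.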

DISCUSSION

We proposed a user authentication protocol named OPass which leverages cell phones and SMS to thwart password stealing and password reuse attacks. The main operations of the system are registration, login and recovery. In the registration phase the user completes registration. In the login phase, the user enters the long-term password and submits it from the mobile phone. In the recovery phase, the user opens the recovery service and uses it to recover the password. Through OPass, each user only needs to remember a long-term password, which is also used to protect her cellphone. Users are free from typing any passwords into untrusted computers to log in to all websites. Compared with previous schemes, OPass is the first user authentication protocol to prevent password stealing and password reuse attacks simultaneously, because OPass adopts the one-time password approach to ensure independence between each login. The average time for user login, registration and the SMS service will also be measured, in order to minimize the delay between these services so that the overall execution time can be improved. The performance of OPass will be measured.

To obtain proper results for OPass we must study its usability and performance. Usability and performance are the main factors by which OPass can be measured. Many researchers have suggested factors by which we can measure OPass.

For usability we should consider the following points or questions. This fact appears to be consistent with our observation about password reuse and weak passwords.

How often do I carry my cellphone?

Number of password-based accounts

Number of accounts where password is reused

Number of unique passwords

Number of passwords that are a name or word followed by a number

As part of the same study, a performance evaluation should be conducted on OPass. For this we must consider several factors. For measuring performance, the average, minimum and maximum times will be calculated. This is done for the registration phase and the login phase. In both phases the main affecting factor is SMS delay, so to measure the performance we calculate the average, minimum and maximum SMS delay.

CONCLUSION

In this paper, we proposed a user authentication protocol named OPass which leverages cell phones and SMS to thwart password stealing and password reuse attacks. We assume that each website possesses a unique phone number. We also assume that a telecommunication service provider participates in the registration and recovery phases. The design principle of OPass is to eliminate the negative influence of human factors as much as possible.

Through OPass, each user only needs to remember a long-term password which has been used to protect her cellphone. Users are free from typing any passwords into untrusted computers for login on all websites. Compared with previous schemes, OPass is the first user authentication protocol to prevent password stealing (i.e., phishing, keylogger, and malware) and password reuse attacks simultaneously. The reason is that OPass adopts the one-time password approach to ensure independence between each login.


