2011 Seventh International Conference on Intelligent Information Hiding and Multimedia Signal Processing

An Anti-Phishing User Authentication Scheme without Using a Sensitive Key Table

Wei-Bin Lee, Hsing-Bai Chen, Shun-Shyan Chang, and Chia-Chi Yang

Department of Information Engineering and Computer Science Feng Chia University Taichung, Taiwan 40724 {wblee@fcu.edu.tw, hsingbai@gmail.com, asimon@asimon.idv.tw, oberonki@gmail.com}

AbstractPhishing is a popular technique that attackers use for the obtainment of sensitive information about users. Last year, over 44 million users became victims of phishing websites. Mutual authentication between user and server is an essential part of anti-phishing mechanisms. Lee et al. proposed a scheme that achieves mutual authentication to protect users from phishing attacks. However, a sensitive key table is necessary if users want to achieve mutual authentication on different servers. This attracts attackers attention and increases the cost of maintaining the key. In this paper, a novel anti-phishing authentication scheme without a sensitive key table is presented. No sensitive key table is needed if the user is present at that time. Moreover, the proposed scheme can prevent guessing and replay attacks, which are serious threats to user authentication. Keywords: authentication; biometrics; CAPTCHA; phishing; visual cryptography

I.

INTRODUCTION

Due to a substantial increase in internet content and resources, coupled with the evolution of communications, surfing social network sites and online shopping using mobile devices are popular. Some people even use mobile devices to access cloud services, such as reading/sending emails, editing documents, executing programs and so on. Presently, there are more than 90 million people who use Gmail in the world [3]. Web services usually use simple password-based methods for user authentication. Even in cloud services, such a method is applied to recognize the user. If the username and password input are the same as the ones stored in the registered server, users can be recognized by the server and get personalized services. In a cloud computing environment, users are authenticated only once and then can get all services in the same cloud. For protection against unauthorized access, the security of the system is based on the complexity of the password and the protection of a sensitive table used to store the password. In other words, a short and simple password is easily guessed and a sensitive table that stores all users passwords in the server side or records passwords used for different web servers in the users side arrests attackers attention. In addition, the socalled replay attack, re-sending an authentication message in the previous session to successfully fool the server or the user, can be mounted on such a password-based method.
978-0-7695-4517-2/11 $26.00 2011 IEEE DOI 10.1109/IIHMSP.2011.91 141

Apart from guessing, replay attacks, and sensitive table problems, phishing has become more and more popular for attackers. Phishing is a type of social engineering technique used to acquire sensitive information about users. During phishing, an attacker fakes a website which is the same as the real website. Sequentially, the attacker sends e-mail to invite users to the fake interface using DNS Spoofing technology or Cross Site Scripting (XSS). If the users transfer their sensitive information via the fake website, the attackers can intercept it and redirect the users to the real website. In such a way, users have no way to authenticate the server and therefor leak sensitive assets or information about themselves unknowingly; this caused over 44 million users to become victims in 2010 [4]. In order to combat phishing attacks, many solutions have been proposed, such as HTTPS/TLS [6] or Sign-In Seal [9]. Sign-In Seal requests users to upload a picture and to save authentication information in cookies. The browser will show the picture when user logs in the server next time. The disadvantage of Sign-In Seal is that it is ineffective when the cookies are deleted or the user changes computers then visits the website again. On the other hand, HTTPS/TLS uses the X.509 certificate to identify the server. In such a way, verification of the server certificate is demanded, which is a complicated process and is inconvenient for users. In addition, there are also many B/W lists, for instance, that detect phishing websites in APWG [2]. However, the new phishing website will be not immediately detected since it is not recorded in a B/W list. Even though laws prohibit phishing attacks, attacks are still inevitable. Recently, Lee et al. employed [7] Visual Secret Sharing (VSS) [8], Completely Automated Public Test to tell Computers and Humans Apart (CAPTCHA) [1], and OneTime Password (OTP) to design an anti-phishing user authentication mechanism. In their scheme, a user secretly shares a key with a visited server. The server generates an OTP and then uses the shared key to separate the OTP into two shadows. Only the legal user who possesses the shared key can derive the OTP from the two shadows. Since the OTP changes every session, guessing and replay attacks will be detected. The user can be authenticated if the OTP sent back to the server is correct. Moreover, the server can be authenticated by the user if the OTP cannot be derived from the shadows received from the server. The Lee et al.s scheme can provide mutual authentication which prevents phishing attacks. For the purpose of mutual authentication,

every user has to privately maintain keys shared with different visited servers in a key table. However, a sensitive key table still exists. In this paper, a novel user authentication scheme without a sensitive key table is proposed. During the authentication, the server can be authenticated by the users, but sensitive information about users need not be transferred to the server. Different from the previous methods, the idea of linking a shared key to an individual user with biometrics is introduced. Apart from resistance against guessing and replay attacks, as well as mutual authentication, the proposed scheme does not use a sensitive key table and allows the server to keep only one master key which is only retrievable by a specific user whenever she/he is present. II. RELATED WORKS

CAPTCHA [1] is the technique that uses rotating, resizing, distorting, truncating, noise and variant to interfere with pictures with words. CAPTCHA can prevent attackers from using Optical Character Recognition (OCR) technique to identify the words. Only human can recognize those words on CAPTCHA image through Human Visual System (HVS). By using CAPTCHA, it is easy to determine whether a user participates in the process that recognizes the words on CAPTCHA image. CAPTCHA is usually used in free email registration, message postings, and e-commerce systems to prevent robot software. C. One-Time Password In password-based authentication system, the server checks whether the password entered by the user is the same as saved one. Users personal information would be misused if the password is stolen. In order to address this issue, OTP is proposed. OTP can only be used once, and theres no relation between any two OTPs. On the other hand, if the attacker captures the OTP this time, she/he cannot login the server by reply attack. Moreover, the attacker cannot get any sensitive information about the user from intercepting OTP. D. Fuzzy Extractor Since biometric information need not be memorized, biometric-based authentication currently has become popular and widely used to differentiate legitimate user from pretender. In this paper, we will employ the biometric-based mechanism, Dodis et al.s fuzzy extractor [5], to generate cryptographic keys from biometrics so the user does not need to memorize or protect any keys. In fuzzy extractor, the biometrics Bi is the input of generation function Gen(.), which results in the output of Ri and a helper string Pi, written as Gen(Bi) (Ri, Pi). Please note that Pi needs to be safely public because any altered Pi cannot restore actual Ri. In terms of resolving the nonuniformity problem, Pi can be used to extract actual R which remains uniformly random via the reproduction function Rep(.) if and only if Bi is close enough to Bi. The process can be written as Rep(Bi, Pi) (Ri). Please refer to [5] for more detailed process of Gen(.) and Rep(.). III. THE PROPOSED SCHEME

In this section, the related techniques include VSS [8], CAPTCHA [1], OTP, and fuzzy extractor [5], which are reviewed respectively as following: A. Visual Secret Sharing In 1995, Naor et al. proposed the VSS scheme. In the VSS scheme, a synopsis as Table 1 is designed and an image that includes content such as words is separated into two shadows. The size of shadow is expanded to quadruples. The pixels of the first shadow could be selected randomly, and the others should be chosen in terms of the first shadow and original image. If the pixel of original image is white, the second shadow would have the same pixels as the first one. If the pixel is black, the second shadow would choose the pixel that is complementary to the first shadow. The content on the original image can be identified if the two shadows are overlapped. The VSS model is shown in Figure 1.
TABLE I. VSS TABLE

Figure 1. VSS Scheme Model

B. CAPTCHA Nowadays there are many free network service in the Internet for users, such as e-mail, blog, and so on. Attackers usually use robot software to simulate users behavior. For example, hackers may register the same server with different accounts or execute repeatable action. As a result, the system would be occupied for heavy loading.

The proposed scheme is composed of two phases: registration, login and mutual authentication. The notations used throughout this paper are listed as follows: an unique identity of user. ID i: MK: a long-term master key of server. a bit-wise XOR. : OTP: one time password. TS: current system time. H(.): a collision-free hash function. FC(.): a CAPTCHA image generation function whose output is ImgOP and input is OTP. F1(.): a shadow image generation function whose output is ImgOPS1 and input are TS and ImgOP.

142

F2(.): FR(.): AB: M:

a shadow image generation function whose output is ImgOPS2 and input are ImgOPS1 and ImgOP. an image recovery function with AND operation. a data M sent from entity A to entity B.

3-3) 3-4) 3-5) 3-6) 3-7)

A. Registration Phase If a user visits a website first time, the user must register the server. Assume that the connection between the user and the server in the registration is in a secure channel. 1) UserServer: IDi, Pi, SKi The user will make a registration request as follows: 1-1) Prepare the biometric trait Bi extracted from his/her own physiological feature. 1-2) Perform Gen(Bi)(Ri, Pi). 1-3) Compute secret key SKi = H(IDi, Ri). 2) ServerUser: AKi Upon receiving the registration request from the user, the server performs the following tasks: 2-1) Check the format of IDi. 2-2) Compute a user key UKi = H(IDi, MK) for the user. 2-3) Compute token AKi = UKi SKi. 2-4) Record IDi. After receiving the response from the server, the user preserves the disclosed triplet (IDi, Pi, AKi) from alternations in a secure way, such as signature on the triplet. B. Login and Mutual Authentication Phase Whenever the user wants to access the service from the registered server. 1) UserServer: IDi The user sends IDi to the server as a request for login authentication. 2) ServerUser: TS, ImgOPS2 Upon receiving IDi from the user, the server obtains current system time TS and performs the following procedures: 2-1) Check whether or not IDi is the same as the one stored in the record. If IDi does not exist in the record, stop the following steps. 2-2) Compute UKi = H(IDi, MK) with MK. 2-3) Generate an OTP. 2-4) Compute ImgOP=FC(OTP) by inputting OTP. 2-5) Compute ImgOPS1=F1(UKi, TS). 2-6) Compute ImgOPS2=F2(ImgOPS1,ImgOP). 3) UserServer: OTP Upon receiving TS and ImgOPS2 from the server, the user obtains Bi from his/her own physiological information and performs the following tasks: 3-1) Check whether |TSTS |T is satisfied, where TS is the current time of users system. If it does not hold, requests the server to send a pair of fresh (TS, ImgOPS2). 3-2) Perform Rep(Bi, Pi)(Ri)

Compute secret key SKi = H(IDi, Ri). Derive token UKi = AKi SKi. Compute ImgOPS1 =F1(UKi, TS). Compute ImgOP =FR(ImgOPS1, ImgOPS2). Recognize OTP from ImgOP through HVS. If OTP cannot be recognized, requests the server to send a pair of fresh (TS, ImgOPS2).

4) ServerUser: Login Success (or Login Failed) Upon receiving OTP from the user, the server authenticates the user as follows: 4-1) Check whether |TSTS |<T is satisfied, where TS is current system time of the server. If it does not hold, return message Login Failed and stop the connection with the user. 4-2) Check whether OTP = OTP is satisfied. If it does not hold, return message Login Failed and stop the connection with the user. Otherwise, return message Login Success to the user. IV. ANALYSIS OF THE PROPOSED SCHEME

Prior to the analysis, some assumptions are given. Assumption 1. The long-term master key of the server is kept secret, which is the security baseline. Assumption 2. The integrity of the public triplet (IDi, Pi, AKi) corresponding to a user is protected from any modification. In this section, the security requirements are examined to show that our proposed scheme not only fulfill the security requirements resistances against guessing, replay attacks and mutual authentication summarized in Lee et al.s scheme [7], but also overcome shortcoming of the scheme. A. Resistance against Guessing Attack Since the password of the traditional user authentication mechanism is usually fixed during a period of time, its security is vulnerable to guessing attack mounted by a robot software. In the proposed scheme, the password for user authentication is an OTP and a human must be present to recognize the OTP that is processed through CAPTCHA. If the OTP sent from the user back to the server is wrong, OTP will be changed in next session, which implies that robot software cannot mount so-called guessing attack to guess the OTP in a CAPTCHA image in the proposed scheme. B. Resistance against Replay Attack In the login and mutual authentication phase, the challenge and response in steps 2) and 3), are transferred over the communications between the server and the user. The messages are essential to user authentication. Hence, it is an obvious way that an attacker would intercept these messages and attempt to replay them to pass the verification of user authentication. To overcome replay attack, timestamp mechanism is applied in the proposed scheme. Resistance against replay attack is examined as follows: An attacker attempts to replay the previously intercepted message in step 2) to disguise as the server. The cheating will be detected by the user in

143

sub-step 3-1) because timestamp involved in the replayed message is not fresh. An attacker changes the timestamp in step 2) to pass the check in sub-step 3-1). Without knowledge of UKi, the modification will be detected in sub-step 37) by the user because a wrong ImgOP is derived in sub-step 3-5). An attacker attempts to replay the intercepted message of step 3) in past sessions to disguise as the user. Since each OTP varies in different sessions, the replay work will be detected in sub-step 4-2) or 4-1).

master key secure instead of a sensitive table for maintaining a mass of the key corresponding to each user. On the other hand, the user does not need to store or memorize privately his/her own user keys corresponding to different servers. Hence, theres no need for the server and the user to maintain sensitive key tables. In sum, the requirements resistances against guessing, replay attacks, mutual authentication and no sensitive key table are confirmed in the proposed scheme. V. CONCLUSION This paper has introduced a novel anti-phishing user authentication scheme without a sensitive key table. It is worthwhile to note that the key needed to have access to the server is skillfully tied to a users biometrics, and achieves mutual authentication between the server and the user which withstands phishing problems. Neither guessing attacks nor replay attacks occurred in our scheme. No matter the number of users or visited servers, each server or user does not need to maintain a sensitive key table that securely records the corresponding keys used for mutual authentication. We believe that the proposed scheme will be a safer and more practical form of user authentication. ACKNOWLEDGMENT The authors would like to thank the National Science Council of the Republic of China, Taiwan, for financially supporting this research under Contract No. NSC 99-2218-E035-001 and 099-2811-E-035-006. REFERENCES
[1] L. von Ahn, M. Blum, N. Hopper, and J. Langford, Telling humans and computers apart automatically, Communications of the ACM, vol. 47, no. 2, pp. 5660, Feb. 2004. [2] APWG, Jun. 2011, Available at http://www.antiphishing.org/report_ phishing.html. [3] M. Brownlow, Email and webmail statistics, Jun. 2011, Available at http://www.email-marketing-reports.com/metrics/email-statistics. htm. [4] China National News, Phishing websites pocket $3 billion in China, Jan. 2011, Available at http://story.chinanationalnews.com/ index.php/ct/9/cid/9366300fc9319e9b/id/731905/cs/1/. [5] Y. Dodis, L. Reyzin, and A. Smith, Fuzzy extractors: How to generate strong keys from biometrics and other noisy data, SIAM Journal of Computing, vol. 38, no. 1, pp. 97138, Mar. 2008. [6] A. O. Freier, P. Karlton, and P. C. Kocher, The SSL protocol version 3.0, Jun. 2010, Available at http://tools.ietf.org/html/draft-ietf-tlsssl-version3-00. [7] W. B. Lee, C. C. Lin, S. S. Chang, H. B. Chen, and P. H. Chiang, An anti-phishing user authentication mechanism, Proc. TANET2010, Tainan, Taiwan, Oct. 2010. (in Chinese) [8] M. Naor and A. Shamir, Visual cryptography, Advances in Cryptology: Eurpocrypt94, Springer-Verlag, Berlin, pp. 112, 1995. [9] Nitin, V. K. Sehgal, D. S. Chauhan, M. Sood, and V. Hastir, Image based authentication system with sign-in seal, Proc. the World Congress on Engineering and Computer Science, pp. 263266, 2008. [10] U. Uludag, S. Pankanti, S. Prabhakar, and A. K. Jain, Biometric cryptosystems: Issues and challenges, Proc. the IEEE, vol. 92, no. 6, pp. 948960, Jan. 2004.

C. Mutual Authentication between the User and the Server In the proposed scheme, user key UKi is treated as a clue to authenticity of both the server and the authorized subscriber who has registered at the server before. The user key is the output of a one-way hash function whose input is the users identity IDi and the servers master key MK. In the login and mutual authentication phase, mutual authentication between the user and server is examined as follows: User authentication: The user key can be derived from token AKi that is the XOR operation result of the user key UKi and the secret key SKi. Based on Assumption 2, only using the valid SKi can derive UKi from AKi. Due to the characteristic of fuzzy extractor,each Ri is bound to a specific user. Moreover, a biometric trait is extremely difficult to copy, share, and distribute [10]. Hence, any attacker cannot extract a valid Ri from his/her biometric to compute SKi. As a result, except the legal user, no one can derive UKi from AKi. On the other hand, the OTP is processed by CAPTCHA and VSS for authentication. According to the above analysis, the only way to get the knowledge of the OTP is for legal user to derive UKi and perform sub-steps 3-2) to 3-7). In sum, the server can authenticate the user. Server authentication: An attacker wants to disguise as the server to fool the user by transferring the fake message in step 2). According to the analysis of Resistance against Replay Attack, any fake message will be detected by the user. If the attacker attempts to obtain UKi, it is necessary that the attacker derives UKi from AKi or computes UKi by using the servers master key MK. In the former, the attacker cannot derive UKi from AKi according to the above analysis of user authentication. In the latter, according to Assumption 1, the attacker has no idea to compute UKi without the knowledge of MK. Therefore, the user can authenticate the server and the phishing server can be detected by the user. D. No Sensitive Key Table The user key UKi is crucial to mutual authentication between user and server. The number of keys used for mutual authentication is independent on the number of users or servers. From the perspective of the server, every user key is constructed by using the servers master key in sub-step 22). It implies that the server spends for keeping only one

144