
An Android App: Opasskey to Prevent Password Attacks

C. Bharathi
PG Scholar, Department of IT, Anna University, Regional Centre, Coimbatore-641047, cbharathi26@gmail.com

Dr. P. Marikkannu
Assistant Professor, Department of IT, Anna University, Regional Centre, Coimbatore-641047, pmarikkannu@gmail.com

Abstract. Password attacks such as password stealing and password reuse cause serious vulnerabilities, such as the loss of the user's sensitive information. A protocol that uses a personal device such as a mobile phone to reinforce password authentication against adversaries is implemented as Opass. Using cryptographic algorithms, the authenticated passwords are passed to the mobile and to the server over the communication channel. Opass generates a one-time password, valid for a limited time, for every login of the authorized user. Use of the mobile network reduces the risk of eavesdropping and password theft. Opass acts as a defense mechanism against password stealing attacks.

Index Terms: Password attacks, authentication, security.

INTRODUCTION
Most users use the same password across different websites for convenience. This may lead to loss of sensitive information if adversaries obtain the password. Use of weak passwords causes the same problem. To overcome these problems we design a user authentication protocol [1] that resists password attacks such as password reuse and password theft. Adversaries use stealing attacks such as phishing, keystroke logging and malware to snatch passwords. Humans recall graphical passwords more readily than text passwords [2]. The user authentication system still suffers from substantial drawbacks: it remains susceptible to several attacks, such as dictionary attacks [3] and human-seeded attacks [4]. Hence we introduce a user authentication protocol named One Time Password (Opass), which prevents password attacks by generating a password that is valid for a single use. The main goal of Opass is to generate a non-repeating password for each and every login of the authorized user, to protect against password stealing and password reuse attacks with greater security.

RELATED WORKS
To avoid compromising user credentials, Wu et al., in Secure web authentication with mobile phones [5], proposed an authentication protocol based on a trusted proxy and mobile devices. Secure login on untrusted computers is legitimated by a token (the mobile phone). To defeat phishing sites, a random session name is sent by SMS from the proxy to the mobile.

The security of the existing system depends on SMS, which is encrypted with A5/1. The A5/1 algorithm has been broken by Barkan et al. in Conditional estimators: An effective attack on A5/1 [6]. Opass, by contrast, encrypts every SMS before sending it. Mannan et al., in Using a personal device to strengthen password authentication from an untrusted computer [7], introduced an approach called the MPAuth protocol. This protocol forces the input of a user's text password through a trusted mobile. Before the long-term secret is sent to an untrusted kiosk, it is encrypted with a public key installed on a server. It is designed to safeguard passwords from attacks such as keyloggers and malware, but it suffers from the password reuse vulnerability: a hacker can compromise a weak server, one without security patches, to obtain a victim's password and exploit it to gain the victim's access rights on different websites. It also assumes that account and password setup is secure: users should set up an account and password through physical contact, for example banks requiring users to initialize their account in person or sending passwords by post. Opass addresses the above flaw and removes this assumption: it uses a one-time password method to thwart the password reuse problem. Parno et al., in Phoolproof phishing prevention [8], used the mobile phone as an authentication token to build an anti-phishing mechanism, called Phoolproof, based on mutual authentication between users and websites. To log on to the website, the user must provide the given public key and username/password combination. It is still susceptible to the password reuse attack and needs physical contact for security. Use of the system introduces minimal overhead and reduces network-based attacks.

PROBLEM DEFINITION AND ITS ASSUMPTIONS


In this section, we consider the problems of the existing system. Afterwards we introduce the architecture of Opass.

Problem Definition
In the existing system, a shared secret key is used for both encryption and decryption. The one-time password generated as the password was encrypted with a shared secret key. Then the symmetric key and the hash value (encrypted message) were sent to the server via the mobile network. The web server decrypted the resulting hash value using the same shared secret key to authenticate the user. AES and SHA are used for encryption and decryption. The main problem of the existing system is that it is accessed like normal web pages through the mobile network.

Opass Architecture and its Assumptions
In the proposed system, an Android mobile application (Opasskey) is developed in Java for authentication. The user has to install this Android app on their mobile for secure login. To enhance security and integrity, a modified symmetric algorithm and a hash function are used respectively. Even if adversaries come to know the password, they cannot use it without the user's mobile.

Figure 1. System Architecture (components: Internet, wireless/Bluetooth, physical contact)

Figure 1 shows the architecture of Opass. The user may connect to the web server through the browser or through the mobile network. Physical contact is made between the user and the mobile for communication. The mobile and the web server are connected through a wired or Bluetooth connection. The user starts the communication via the browser. The browser and the cell phone connect to the server via the Internet.

Opass
Opass consists of four phases: user registration, mobile verification, Opass generation and Opass verification. We describe these four phases in turn.

Overview
First, the user registers their details, which are stored in the web server's database. At the first login, a verification code is generated to verify whether the given mobile number belongs to that user. If this succeeds, the web server allows the user to proceed. After that verification, at every login of the user, the server generates a one-time password, encrypts it with a key and stores it in the web server's database. The user then enters that password through Opasskey along with their user ID (UId). The server decrypts the stored password using the shared secret key. If the two passwords match, the user is authenticated and allowed to access the account.

User Registration
In this first phase, users register their details along with their mobile number. After the registration form is filled in, it is submitted to the web server. The web server stores these details in its database and uses the phone number for further communication.

Mobile Verification
After the user has registered, the mobile has to be verified to check whether the given mobile number belongs to that person. The web server generates a random seed (a verification code created from the system time) and sends it to the user's phone by SMS, after saving it in its own database. The user has to submit that verification code to the server via the home page. The web server verifies the code by checking it against its database. If it exists, the mobile belongs to the authenticated person; otherwise the mobile number does not belong to that person or the number was typed wrongly.

Opass Generation
Here the one-time password is generated and sent to the web server for verification. This password is generated for a single use only, to prevent password theft by means such as keystroke logging. To generate the Opass, a random seed is generated as the one-time password and encrypted with a key. That password is transmitted to the web server. Encryption is done by the tri-symmetric encryption algorithm for more security, presented formally as Algorithm 1.

Algorithm 1: Tri-Symmetric Encryption
Input: XYZ (One Time Password)
Consider C as character array, A as ASCII data.
C(XYZ) -> P // Convert the Opass to a character array.
A(P) -> O // Find the ASCII value of P.
Convert it into string S.
E = T(E(x)) // Encrypt S with the triple DES algorithm.

This encryption algorithm is used to protect the password. The encrypted value is stored in the database along with the user ID, and the Opass is sent to the user's mobile via SMS.

Opass Verification
The user has to type the Opass along with the UId into the Opasskey app, which is available only on the Android mobile. Here the person is authorized to enter the website by verification of the one-time password. This is done by decrypting the encrypted password using the tri-symmetric decryption algorithm. The web server verifies the Opass entered by the user against its database. If the decrypted value matches the stored encrypted value, the user is authorized; otherwise the server does not allow the user to access the website. The decryption is done by the following decryption algorithm, Algorithm 2.

Algorithm 2: Tri-Symmetric Decryption
Input: Encrypted Password
The server receives the encrypted Opass and the key and decrypts it using the following steps.
E = T(D(x)) // Decrypt with the triple DES algorithm.
Convert it into string S.
A(S) -> O // Convert S into its ASCII value A.
C(O) -> P // Find the character array of that ASCII value.
Finally, convert that character array into the corresponding Opass.

MD5 [8] is the hash function used in both the encryption and decryption processes. The hash function is used for security and produces a 128-bit hash value, usually expressed as a hexadecimal integer. After decryption, the web page allows the user to use the banking website for transactions.
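As an added, self-contained example (not the paper's own code), the following Python models the server side of the four phases above: registration, mobile verification by SMS code, Opass generation with a validity window, and Opass verification by decrypting the stored value and comparing it with the user's input. Assumptions: the standard library has no triple DES, so the tri-symmetric step is replaced by a labelled HMAC-SHA256 keystream stand-in wrapped around the paper's ASCII conversion (Algorithms 1 and 2); verification codes and one-time passwords are drawn from `secrets` rather than the system time; the SMS channel is an in-memory outbox.

```python
import hmac, hashlib, secrets, time
# Stand-in for the paper's triple-DES step (not 3DES: the stdlib has none). Keystream
# from HMAC-SHA256(key, nonce||counter) XORed over the ASCII bytes of the password.
def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt_opass(key: bytes, opass: str) -> bytes:
    ascii_vals = bytes(ord(c) for c in opass)   # Algorithm 1: C(XYZ) -> P, A(P) -> O
    nonce = secrets.token_bytes(8)              # fresh per password so repeats differ
    return nonce + keystream_xor(key, nonce, ascii_vals)

def decrypt_opass(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:8], blob[8:]              # Algorithm 2: O -> P -> Opass
    return "".join(chr(b) for b in keystream_xor(key, nonce, ct))

class OpassServer:
    OTP_TTL = 120.0  # seconds an Opass stays valid ("time durability" in the abstract)
    def __init__(self, key: bytes):
        self.key = key
        self.users = {}          # UId -> phone number (registration phase)
        self.pending_code = {}   # UId -> SMS verification code (mobile verification)
        self.pending_otp = {}    # UId -> (encrypted Opass, expiry time)
        self.sms_outbox = []     # constructed stand-in for the SMS channel to the phone

    def register(self, uid: str, phone: str) -> None:
        self.users[uid] = phone
        self.pending_code[uid] = f"{secrets.randbelow(10**6):06d}"  # not system-time based
        self.sms_outbox.append((phone, self.pending_code[uid]))

    def verify_mobile(self, uid: str, code: str) -> bool:
        expected = self.pending_code.pop(uid, None)             # one attempt per code
        return expected is not None and hmac.compare_digest(expected.encode(), code.encode())

    def generate_opass(self, uid: str, now: float = None) -> str:
        otp = secrets.token_urlsafe(6)
        expiry = (time.time() if now is None else now) + self.OTP_TTL
        self.pending_otp[uid] = (encrypt_opass(self.key, otp), expiry)  # stored encrypted
        self.sms_outbox.append((self.users[uid], otp))                  # sent to the phone
        return otp

    def verify_opass(self, uid: str, submitted: str, now: float = None) -> bool:
        entry = self.pending_otp.pop(uid, None)                 # consumed on first attempt
        if entry is None or (time.time() if now is None else now) > entry[1]:
            return False
        stored = decrypt_opass(self.key, entry[0])              # Algorithm 2 on the DB value
        return hmac.compare_digest(stored.encode(), submitted.encode())
```

The `now` parameter exists only so the validity window can be exercised deterministically; in a deployment the server clock is used.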

IMPLEMENTATION
Registration Page
At the first login, users have to register their details along with their phone number, which is used for sending and receiving the password. After registration is completed, the form is stored in the web server's database for future verification. The registration page serves to acquire the user's details and create a user ID for the valid, authorized user.

Figure 2. Registration Form

Figure 2 depicts the registration form for a new user.

Mobile Verification
After registration, the server sends a random seed as a verification code to the user's phone via SMS. The user has to enter that number in the text box for verification. The server verifies the code by comparing it with its database. This verifies the user's mobile number by cross-checking the input.

Figure 3. Mobile Verification Page

Figure 3 shows the mobile verification page. Here the verification code is checked against the DB and mobile verification was successful.

Encrypted Opass
Opass generation is done here from the PC. This page also contains the grid view of the server's DB.

Figure 4. Encrypted Opass

Figure 4 shows the encrypted Opass. The Opass is encrypted before it is stored on the server. It is stored in the database along with the user ID (UId) and the shared secret key.

Android application

Figure 5. Android Opasskey App

Figure 6. Entering Opass

Opasskey, an Android application, is shown in Figure 6. Figure 7 corresponds to the page for entering the input (user ID and encrypted password) for verification.

Opass Verification
After receiving the input through Opasskey, the server decrypts it. If it matches, the user is allowed to access the following web page, for paying tax in a secure manner.

PERFORMANCE EVALUATION
A performance evaluation was conducted on the Opass prototype. With the existing symmetric algorithm, the time taken to process (encrypt and decrypt) the password is low. With the proposed algorithm the delay becomes slightly higher, which improves the security level through the processing delay. Hacking is typically impossible because of the use of the Android app, and the delay in the encryption and decryption process also increases the difficulty of hacking by adversaries.

Figure 9. Delay in Process

Figure 9 shows the graph of delay in the process, measured in clock cycles per second. It will be used in a banking application.

CONCLUSION AND FUTURE WORK


Use of the Android app is more secure than the alternatives. It does not require the factors such as the knowledge factor, possession factor and inherence factor. It avoids the malfunction caused by active and passive attackers. The degree of reliance (degree of security) on an individual's identity is highly achieved by this system. It is the basis for password reuse prevention and weak password avoidance. General websites do not need such a high security level; Opass is better suited to financial websites, such as online banking or online shopping.

Network coverage is the main problem for sending SMS. To overcome this major problem we have to strengthen the signal by introducing new protocols.

REFERENCES

Hung-Min Sun, Yao-Hsin Chen, and Yue-Hsun Lin, "oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks," IEEE Transactions on Information Forensics and Security, vol. 7, no. 2, Apr. 2012.
S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, "Multiple password interference in text passwords and click-based graphical passwords," in CCS '09: Proc. 16th ACM Conf. Computer and Communications Security, New York, 2009, pp. 500-511, ACM.
Pinkas and T. Sander, "Securing passwords against dictionary attacks," in CCS '02: Proc. 9th ACM Conf. Computer and Communications Security, New York, 2002, pp. 161-170, ACM.
J. Thorpe and P. C. van Oorschot, "Human-seeded attacks and exploiting hotspots in graphical passwords," in SS'07: Proc. 16th USENIX Security Symp., Berkeley, CA, 2007, pp. 1-16, USENIX Association.
M. Wu, S. Garfinkel, and R. Miller, "Secure web authentication with mobile phones," in DIMACS Workshop on Usable Privacy and Security Software, Citeseer, 2004.
Barkan and E. Biham, "Conditional estimators: An effective attack on A5/1," in Selected Areas in Cryptography. New York: Springer, 2006, pp. 1-19.
M. Mannan and P. van Oorschot, "Using a personal device to strengthen password authentication from an untrusted computer," Financial Cryptography and Data Security, pp. 88-103, 2007.
R. Rivest, "The MD5 Message-Digest Algorithm," RFC 1321, Apr. 1992.
B. Parno, C. Kuo, and A. Perrig, "Phoolproof phishing prevention," Financial Cryptography and Data Security, pp. 1-19, 2006.
