Available online at www.sciencedirect.com

ScienceDirect

Procedia Technology 25 (2016) 384 - 391

Global Colloquium in Recent Advancement and Effectual Researches in Engineering, Science and Technology (RAEREST 2016)

Secure Mindmetrics Authentication Mechanism with Log Files

Jerrin Sebastian (a), Arun Madhu (b), Deepu Job (c)

(a) M.Tech student, St. Joseph's College of Engineering and Technology, Palai, Kottayam, India
(b) Asst. Professor, St. Joseph's College of Engineering and Technology, Palai, Kottayam, India
(c) Asst. Professor, St. Joseph's College of Engineering and Technology, Palai, Kottayam, India

Abstract

Security is an indispensable feature of any web application. Most web applications have some design or development fault that can be exploited by attackers, and these faults help them gain unauthorised access to the system. Hence the majority of attacks are aimed at applications, stealing users' sensitive data and information. Authentication is an important factor of security in a computing system. Usually login IDs are used for identification and passwords for verification. Other mechanisms such as secondary or graphical passwords, one-time passwords, challenge-response, biometric login, behavioural patterns and location-based authentication can be used, but implementing them requires specialised devices, which are not always reliable. This paper deals with an enhanced version of the Mindmetrics authentication mechanism, which grants access only to valid users and helps the administrator identify malicious users with the help of log files. It can also be used to protect users from various attacks, and it can augment the current password-based system by strengthening the identification process. The Mindmetrics system raises the security of authentication above single- or double-password systems: even if a password is compromised, the attacker's login attempts are blocked by the identification server. It is simple and scalable and does not require any specialised devices or complex algorithms.

© 2016 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY-NC-ND license (http://creativecommons.org/licenses/by-nc-nd/4.0/).

Peer-review under responsibility of the organizing committee of RAEREST 2016

Keywords: Mindmetrics; Authentication; Security

1. Introduction

Designers and developers of web applications face many challenges. Each application is different, and the stateless nature of HTTP means that tracking each user's session is the responsibility of the application, so the application must be able to identify the user by some form of authentication [1]. It is essential that the application has secure authentication and session-handling mechanisms; designing them is one of the important issues faced by designers and developers.

doi:10.1016/j.protcy.2016.08.122

Authentication consists of two processes: identification and verification. Generally usernames are used to identify a user and passwords to verify the user's claim. In traditional authentication systems the password entered by the user is converted to a hash value using a hash function and stored in a password hash file. During verification, the password the user enters is hashed again and the new hash value is compared with the stored one [1]; access is granted on a successful match. The Mindmetrics system replaces the current username-password authentication [2]. Mindmetrics authentication starts by asking for a Mindmetric token, a personal secret consisting of a word, a phrase or even a sentence. On successful validation of the token, the user is asked to choose the correct login ID from multiple choices of partially obscured IDs. After selecting the ID, the user enters the password to continue [2]. The Mindmetrics mechanism raises the security of the authentication process because a stolen password is of no use unless the attacker also provides a valid Mindmetric token, which gives the account owner time to change the credentials before the attacker breaks in.

Password verification is the vital part of an authentication system. Attackers obtain passwords with malware or key loggers, or by trial and error, guessing possible passwords [1]. Another main attack is password cracking, in which the attacker obtains the stored password hash file and tries different inputs until one produces the stored hash value. Once a password is known, the attacker can gain access using a known login ID together with that password. Obtaining a login ID is comparatively easy, since it is often derived from the user's first or last name, social security number or e-mail address. The success of an attack therefore depends mainly on the strength of the password; security mechanisms that focus on the identification part of authentication are weak at present. Using the Mindmetrics mechanism together with log files adds strength to the authentication system [2]. Log files can be used to detect attack attempts, and all events can be monitored. Care must be taken to adopt proper encryption, so that the log files themselves do not become a target.

The outline of the paper is as follows: Section 2 presents related work, Section 3 describes the proposed system, Section 4 gives the implementation details and Section 5 presents the analysis. Finally, Section 6 concludes the paper.

2. Related Works

Different authentication mechanisms have been designed and implemented with security given utmost importance. The two main processes in an authentication mechanism are identification and verification. Identification answers the question 'Who am I?'; verification answers 'Am I who I claim to be?' [2].

2.1. Mechanisms

Different methods have been designed and implemented to replace the traditional authentication system. They combine factors based on 'what you know', 'what you have', 'what you are' and 'where you are'. A combination of any two of these forms the basis of two-factor authentication [3].

2.1.1 Methods based on what you know

Several authentication mechanisms are based on 'what you know', i.e. passwords. A secondary password is an additional password in the same style as the primary one, or a piece of personal data such as a mother's maiden name or a favourite superhero; it differs from the main password, and access is granted when both the primary and the secondary password match. Secondary passwords are nonetheless subject to the same cracking and theft attacks. A graphical password authentication system works by having the user select images, in a specific order, presented in a graphical user interface (GUI); for this reason the graphical-password approach is also known as graphical user authentication (GUA). In this mechanism the user is asked to click on a few chosen regions of an image shown on screen, and to log in successfully the user must click the same regions again. Only preprocessed images can be used, however, and the click regions can only be chosen from certain predesigned regions of the image [4].

2.1.2 Methods based on what you have

These methods rely on a token that the user possesses: a one-time password (OTP), a challenge-response exchange or out-of-band messaging. An OTP is a security token, typically generated by a dedicated hardware device such as the SecurID authenticator [5], consisting of numeric or alphanumeric characters. It is valid for only one login session or transaction on a digital system; in some cases an expiry time is associated with the OTP, after which it is unusable. Challenge-response denotes a set of protocols in which one entity presents a challenge and the other entity has to produce a valid response to be authenticated [6]. A classic example is traditional password-based authentication: the user is asked to enter a password (the challenge), and providing a valid password is the response. Depending on the required security level, the challenges can be varied. Out-of-band messaging is a two-factor mechanism that requires a secondary verification code, sent through a separate channel, in addition to the usual ID and password. An attacker needs to put in more effort to break this mechanism, since two separate and unconnected channels must be compromised to gain unauthorised access [7]. In most online banking sites, for instance, the user has to enter a one-time password, sent to the registered phone number, in addition to the username and password before transferring funds online.

2.1.3 Methods based on what you are

Authentication mechanisms are also designed around 'what you are'. These comprise mainly behavioural patterns and biometrics. For behavioural patterns, Guna et al. show that some mechanisms rely on the behaviour of a person, such as typing patterns [8,9], gestures [10] and mouse-pressing force patterns [11]. Some behaviours are difficult to forge, others are easy to impersonate. Biometric authentication systems use physical characteristics of the user such as fingerprints, palm prints, retina patterns, facial patterns and even footprints [12]. Biometric data is used for both identification and verification. The proper use of biometrics is application dependent: certain biometric traits are better than others for a required level of convenience and security, and according to Dileep Kumar et al. no single biometric will meet all the requirements of every possible application.

2.1.4 Method based on where you are

Location-based authentication is a type of authentication based on the location or proximity of the user. Access is allowed only from specific IP addresses or systems, or from specific geographic locations [13]. According to Feng Zhang et al., this mechanism starts by identifying a valid user with one of the other authentication mechanisms; the user then produces an authentication factor that can be recognised only at a distinct location. Hence this kind of system needs a well-defined separation of locations as well as an equally well-defined proximity of the applying individual to that location [13].

2.1.5 Mindmetrics Authentication System

Mindmetrics is an authentication mechanism supplemented with a strong and secure identification process [2]. Usernames are effectively public, since the same ones are used for many applications (e-mail, SSN and so on), so an alternative secret, the Mindmetric token, is used in the identification stage. The token is known only to the user, and the system lets only a user with a valid token pass the identification stage; a stolen password is therefore of no use, because the attacker cannot get past identification. Separate servers are used for identification and verification, and the verification server can be reached only after passing the identification server. According to Juyeon et al. [2], Mindmetric tokens are stored in hashed form in a token hash file as {token hash value, index} tuples, the corresponding login IDs are stored in an index file as {index, fake login ID, fake login ID, true login ID, fake login ID, ...} tuples, and the password hash file contains {login ID, password hash value} tuples. The token hash table thus has two columns, token hash value and index. The entered token is hashed and compared with the hash values in the token hash table; on a match, the index from the second column is looked up in the index table, and the set of fake IDs together with the true ID (all partially obscured) is shown to the user, who selects his or her own ID from the list. Both tables reside on the identification server. If no match is found, a set of fake IDs is shown instead. On selection of a valid user ID the user is asked for the password; a new hash value is generated from the entered password and compared with the hash stored in the password hash file on the verification server. Access is granted when the hash values match [2].
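The lookups just described, written out as an added illustration for this page; this is not the authors' implementation or code from [2]. The three stores are in-memory dictionaries, the accounts and decoy IDs are constructed, and the choice of an HMAC keyed with a server-side secret for the token digest and PBKDF2 for the password hash is an assumption (the paper only says both values are hashed). The obscured display of IDs follows the proposed system's rule of showing only the last four characters.

```python
import hashlib
import hmac
import os
import random

# Added example of the Mindmetrics identification/verification flow described
# above. The accounts, the decoy IDs, the server-side pepper and the choice of
# HMAC-SHA-256 for tokens and PBKDF2 for passwords are assumptions made for
# this illustration; the paper only says that tokens and passwords are hashed.

TOKEN_PEPPER = b"identification-server-secret"   # assumption: held by the server only

# The three stores of the scheme. The token hash file and the index file live
# on the identification server, the password hash file on the verification server.
token_hash_file: dict[str, int] = {}        # token hash -> index
index_file: dict[int, list[str]] = {}       # index -> [fake IDs ... true ID ...]
password_hash_file: dict[str, str] = {}     # login ID -> "salt$pbkdf2"

DECOY_IDS = ["guest_user_101", "temp_account_557", "visitor_acct_999"]  # constructed


def token_digest(token: str) -> str:
    # The digest is the lookup key, so it cannot carry a per-user salt; keying
    # it with a server-held pepper stops an exfiltrated token hash file from
    # being attacked offline without that secret.
    return hmac.new(TOKEN_PEPPER, token.strip().encode(), hashlib.sha256).hexdigest()


def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + dk.hex()


def check_password(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(dk.hex(), dk_hex)


def obscure(login_id: str, visible: int = 4) -> str:
    """Show only the last `visible` characters, as the proposed system does."""
    return "*" * max(len(login_id) - visible, 0) + login_id[-visible:]


def register(token: str, login_id: str, password: str, fake_ids: list[str]) -> None:
    idx = len(index_file) + 1
    token_hash_file[token_digest(token)] = idx
    ids = list(fake_ids) + [login_id]
    random.shuffle(ids)                      # the true ID sits somewhere among the fakes
    index_file[idx] = ids
    password_hash_file[login_id] = hash_password(password)


def identify(token: str) -> tuple[list[str], list[str]]:
    """Identification server: token -> (candidate IDs kept server-side, obscured
    IDs shown to the user). An unknown token gets the decoy list, so the
    response does not reveal whether the token exists."""
    idx = token_hash_file.get(token_digest(token))
    candidates = list(index_file[idx]) if idx is not None else list(DECOY_IDS)
    return candidates, [obscure(c) for c in candidates]


def verify(candidates: list[str], choice: int, password: str) -> bool:
    """Verification server: reachable only with a candidate list from identify()."""
    if not 0 <= choice < len(candidates):
        return False
    stored = password_hash_file.get(candidates[choice])
    if stored is None:
        hash_password(password)              # a fake ID was chosen: spend the same time
        return False
    return check_password(password, stored)


def login(token: str, pick_suffix: str, password: str) -> bool:
    """Whole flow: token, then pick the ID whose visible suffix matches, then password."""
    candidates, shown = identify(token)
    choice = next((i for i, s in enumerate(shown) if s.endswith(pick_suffix)), -1)
    return verify(candidates, choice, password)


def seed_demo_accounts() -> None:
    """One constructed account with three constructed fake IDs (not from the paper)."""
    register("Rabbits Foot", "alice_773", "star!@*112", ["bob_512", "carol_278", "dave_m12"])


if __name__ == "__main__":
    seed_demo_accounts()
    print(identify("Rabbits Foot")[1])                   # four obscured IDs, e.g. *****_773
    print(login("Rabbits Foot", "_773", "star!@*112"))   # True
    print(login("Rabbits Foot", "_773", "wrong"))        # False
    print(login("no such token", "_773", "star!@*112"))  # False: only decoys offered
```

Two points a practitioner should note. Because the token digest is the key used to find the account, it cannot be salted per user the way a password hash can, so the strength of the token hash file rests on the entropy of the tokens (the paper's own search-space analysis) and on keeping the pepper out of the data store that an attacker might copy. Second, an unknown token must yield a plausible decoy list and the selection of a fake ID must cost the same time as a real one; otherwise the identification server's responses leak which tokens and IDs exist.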

All these authentication mechanisms have vulnerabilities that attackers exploit. Passwords can be captured from users with key loggers or malware, and they can be cracked by obtaining the password hash file and feeding it candidate inputs until a generated hash matches; such an attempt hands the password to the attacker [1]. Biometric authentication is not perfectly accurate, the digitised information can be stolen or misused, and after enrolment biometric data is difficult to change or update; several factors can also block a valid user from access [12]. Some dedicated attackers replace the mobile numbers of valid users in order to break SMS-based two-factor authentication. In location-based authentication, limiting the granted access time is one of the major challenges; another is detecting the user's exit and closing the granted access, and integrating this mechanism with other authentication factors is also difficult.

In the Mindmetrics mechanism there is no limit on token attempts and no effective preventive measures are associated with it. Log files are not currently used in Mindmetrics systems, and there is no provision for resetting the password, which is an important factor for ensuring security in web applications.

3. Proposed System

The proposed system addresses the drawbacks of the existing Mindmetrics system. Several new methods and functionalities are added to raise the degree of security; some of them are discussed below.

3.1 Home Screen

A new home screen offers the following options:

• Registration

• Login

• Change Credentials

The Registration option allows a user to set up a new account with the Mindmetrics system. While setting the token, username and password, guidelines are shown: none of the three may be similar to one another, the ID must have at least 10 characters, the password must contain special characters, and so on. The last three characters of the username are assigned by the server itself. Users may also specify the fake IDs to be shown with their token, or the server can generate them randomly. During login, when the server presents the login IDs, it obscures all characters except the last four, so only the valid user can recognise his or her account. Users also have the option to change their credentials if they suspect an attack on their account.

3.2 Log File Mechanism

Log files are maintained by the server to track user activity and attack attempts. This aids in detecting and limiting attacks such as trial-and-error (guessing) attacks, man-in-the-middle attacks and password-cracking attacks. The structure of a log file is shown in Table 1. Log files record all events happening on the server and are encrypted, so that attackers cannot deduce any information from the data even if they get hold of the files.

Table 1. Log file in the Mindmetric system.

IP Address      Mindmetric Token   User ID       Password (Hash)   Time    Status
192.168.1.3     Spider             force$A634    27663B7YH32       1:00    Success
192.168.2.23    Rabbits Foot       star!@*112    CE1C63DS80        4:00    Success
192.168.5.12    Tiger              force$A634    27663B7YH32       10:00   Fail

The log file keeps track of the IP address, the user's Mindmetric token, the user ID, the hash value of the password, the time of login and the login status. Three consecutive failed login attempts lock the user account for two hours. The user is notified of the lock by mail, phone or both; the mail contains a link with which the valid user can remove the lock in case of urgency, but he or she then has to reset the account credentials to continue. By analysing the log files we can also determine whether an attack on a particular ID is under way: if there are multiple failed entries in which one of the credentials is correct, we can conclude that someone has obtained one credential of the account and is trying to obtain the others.
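The two analyses described in this section, the lockout after three consecutive failures and the detection of attempts in which only one credential is correct, as an added example run over a constructed log; this is not the authors' code. The log lines follow the column order of Table 1 (IP address, token, user ID, password hash, time, status), with one deliberate deviation that is an assumption of this example: a digest of the token is logged instead of the token itself, so that a copied log does not hand out the identification secret. The account table, the addresses and the timestamps are constructed. The same rule is restated in the login description of Section 4.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta

# Added example of the log-file mechanism of Section 3.2. Accounts, log lines,
# addresses and the digest format are constructed for this illustration; the
# paper logs the token itself, this example logs a digest of it instead.

LOCK_AFTER = 3                 # consecutive failures that trigger a lock (paper)
LOCK_FOR = timedelta(hours=2)  # lock duration (paper)


def digest(secret: str) -> str:
    # Short SHA-256 digest so the sample log stays readable (assumption).
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


# What the identification and verification servers know (constructed).
ACCOUNTS = {
    "alice_773": {"token": digest("Rabbits Foot"), "password": digest("star!@*112")},
    "bob_512":   {"token": digest("Spider"),       "password": digest("force$A634")},
}

# Constructed log, one event per line, in the column order of Table 1:
# IP | Mindmetric token (digest) | user ID | password (digest) | time | status
LOG_LINES = "\n".join([
    f"192.168.1.3|{digest('Spider')}|bob_512|{digest('force$A634')}|2016-03-01T01:00|Success",
    f"192.168.2.23|{digest('Rabbits Foot')}|alice_773|{digest('star!@*112')}|2016-03-01T04:00|Success",
    # wrong token but the right password: someone already holds bob's password
    f"192.168.5.12|{digest('Tiger')}|bob_512|{digest('force$A634')}|2016-03-01T10:00|Fail",
    # right token but three password guesses from three addresses: alice's token leaked
    f"10.0.0.7|{digest('Rabbits Foot')}|alice_773|{digest('guess1')}|2016-03-01T10:05|Fail",
    f"10.0.0.8|{digest('Rabbits Foot')}|alice_773|{digest('guess2')}|2016-03-01T10:06|Fail",
    f"10.0.0.9|{digest('Rabbits Foot')}|alice_773|{digest('guess3')}|2016-03-01T10:07|Fail",
])


def parse_log(text: str) -> list[dict]:
    rows = []
    for line in text.strip().splitlines():
        ip, token, user, password, ts, status = line.split("|")
        rows.append({"ip": ip, "token": token, "user": user, "password": password,
                     "time": datetime.fromisoformat(ts), "ok": status == "Success"})
    return rows


def lockouts(rows: list[dict]) -> dict[str, datetime]:
    """Lock rule: the third consecutive failure for a user ID locks the account
    until LOCK_FOR after that attempt; a success resets the streak."""
    streak: dict[str, int] = defaultdict(int)
    locked_until: dict[str, datetime] = {}
    for r in sorted(rows, key=lambda r: r["time"]):
        if r["ok"]:
            streak[r["user"]] = 0
            continue
        streak[r["user"]] += 1
        if streak[r["user"]] >= LOCK_AFTER:
            locked_until[r["user"]] = r["time"] + LOCK_FOR
    return locked_until


def is_locked(user: str, now: datetime, rows: list[dict]) -> bool:
    until = lockouts(rows).get(user)
    return until is not None and now < until


def partial_credential_hits(rows: list[dict]) -> dict[str, list[tuple[str, str]]]:
    """Failed attempts in which exactly one of the two credentials matched the
    account: the paper's indicator that an attacker already holds that credential
    and is guessing the other. Returns {user: [(credential already known, ip), ...]}."""
    hits: dict[str, list[tuple[str, str]]] = defaultdict(list)
    for r in rows:
        acct = ACCOUNTS.get(r["user"])
        if acct is None or r["ok"]:
            continue
        token_ok = r["token"] == acct["token"]
        password_ok = r["password"] == acct["password"]
        if token_ok != password_ok:
            hits[r["user"]].append(("token" if token_ok else "password", r["ip"]))
    return dict(hits)


if __name__ == "__main__":
    events = parse_log(LOG_LINES)
    for user, until in lockouts(events).items():
        print(f"{user}: locked until {until.isoformat()}")
    for user, hits in partial_credential_hits(events).items():
        known = {k for k, _ in hits}
        print(f"{user}: attacker appears to hold the {', '.join(known)} ({len(hits)} attempts)")
```

Running it reports that alice_773 is locked until 12:07 on the sample day and that the failed attempts on her account all carry the correct token, from three different addresses, while the single failure on bob_512 carries the correct password with a wrong token: the two patterns the paper says an administrator should look for. Because the rule counts consecutive failures per account rather than per address, an attacker spreading guesses over several addresses (as in the alice_773 rows) is still locked out.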

3.3 Periodic Update

User account credentials have a validity of 30 days, so every 30 days or sooner the user has to change the credentials in order to continue. During an update none of the old credentials can be reused. The Change Credentials option is also available on the home screen. The similartext() function can be used to check a new token against existing ones and reject it if it already exists: given two strings, the function returns their similarity as a percentage [14].

Important features of the Mindmetrics system with log files are scalability and usability. It does not involve complex algorithms; an existing password system can be upgraded to a Mindmetrics system by adding an identification server, and an existing Mindmetrics system can be strengthened by adding log files, which do not require much storage space. Whenever the user types the token correctly, the user is correctly identified. If any of the given credentials does not match, the user sees 'Invalid Login. Try again'. So an attacker trying to compromise an account cannot tell which of the credentials was wrong, which complicates the attack.

4. Implementation Details

The user is shown a menu with the following options:

• Registration

• Login

• Change Credentials

Figure 1(a) gives a snapshot of the options shown to the user and Figure 1(b) shows the screen for changing credentials.

Fig. 1. (a) Mindmetrics Authentication Menu; (b) Screen for Changing Credentials.

The user must register an account with the Mindmetrics authentication mechanism. During registration the user provides a Mindmetric token, which is associated with the account; it can be a unique word, a phrase or even a sentence. A longer token increases the complexity of the token and the security of the system, but a token that is too long is inconvenient to remember and to type correctly, given case differences, misspellings and special characters. If the user selects a long sentence as the token, each word is stored separately and access is granted even if one or two characters do not match. (A hash of the whole token cannot be compared approximately, so it is the per-word storage that makes such a tolerance possible at all.) The user then provides a user ID for the account; the Mindmetrics server appends three random digits to the ID specified by the user to ensure uniqueness at registration time. The user may also provide the list of fake IDs to be shown alongside the real one. Once the ID is set, the user provides a password, generally an alphanumeric string containing special characters. The token and the password must not be the same; the similartext() function can be used to measure the difference between them [14]. After providing the password, the user sees all the enrolled data and, on confirmation, the registration is complete.
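The similarity check that Sections 3.1, 3.3 and 4 all rely on, as an added example that is not the authors' code. The paper's similartext() is PHP's similar_text(), which implements the longest-common-substring algorithm from [14]; the function below is written from that algorithm rather than calling PHP, and returns the same (count, percentage) pair. Around it are the registration guidelines of Section 3.1 (minimum ID length, special character in the password, no two credentials alike) and the no-reuse rule of Section 3.3. The 50% similarity threshold is an assumption, since the paper does not give one; the sample credentials are constructed.

```python
from itertools import combinations

# Added example for the similarity and credential rules of Sections 3.1, 3.3
# and 4. The threshold and the sample values are assumptions; the algorithm is
# the one PHP's similar_text() implements from [14].

MIN_ID_LEN = 10                      # Section 3.1: ID must have at least 10 characters
MAX_SIMILARITY = 50.0                # assumption: the paper gives no threshold
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~")


def _common_chars(a: str, b: str) -> int:
    """Count matching characters: take the longest common substring, then
    recurse on the parts to its left and to its right."""
    best, pos_a, pos_b = 0, 0, 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > best:
                best, pos_a, pos_b = k, i, j
    if best == 0:
        return 0
    return (best
            + _common_chars(a[:pos_a], b[:pos_b])
            + _common_chars(a[pos_a + best:], b[pos_b + best:]))


def similar_text(a: str, b: str) -> tuple[int, float]:
    """Return (matching characters, similarity in percent); the percentage is
    2 * common / (len(a) + len(b)) * 100, as PHP's similar_text() computes it."""
    common = _common_chars(a, b)
    total = len(a) + len(b)
    return common, (200.0 * common / total) if total else 0.0


def credential_problems(token: str, login_id: str, password: str) -> list[str]:
    """Registration guidelines of Section 3.1; an empty list means acceptable."""
    problems = []
    if len(login_id) < MIN_ID_LEN:
        problems.append(f"login ID shorter than {MIN_ID_LEN} characters")
    if not SPECIAL_CHARS & set(password):
        problems.append("password has no special character")
    fields = [("token", token), ("login ID", login_id), ("password", password)]
    for (name_a, a), (name_b, b) in combinations(fields, 2):
        _, pct = similar_text(a, b)
        if pct > MAX_SIMILARITY:
            problems.append(f"{name_a} and {name_b} are {pct:.0f}% similar")
    return problems


def is_reuse(candidate: str, previous: list[str]) -> bool:
    """Periodic-update rule of Section 3.3: reject a new credential that is the
    same as, or too close to, any earlier one."""
    return any(similar_text(candidate, old)[1] > MAX_SIMILARITY for old in previous)


if __name__ == "__main__":
    print(similar_text("bafoobar", "barfoo"))                       # (5, 71.43)
    print(credential_problems("Rabbits Foot", "alicewonder_773", "star!@*112"))   # []
    print(credential_problems("Rabbits Foot", "short_773", "Rabbits Foot!"))
    print(is_reuse("Rabbits Foot", ["Spider", "Rabbits Foot"]))     # True
```

Note that similar_text() is not symmetric: "bafoobar" against "barfoo" scores 5, the reverse order 3, because the recursion keeps only the first longest substring it finds. Note also that a similarity check against previous credentials is only possible while the old value is available in clear, for example in the change-credentials dialog where the user types the old token; against the stored hashes only an exact-match reuse check can be made.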

In the login process, shown in Fig. 2, the user is first asked to enter the Mindmetric token, which is known only to him or her. A tolerance of 5% is allowed for the user's convenience: if the token is 100 characters long, the user is still presented with the set of login IDs even if five characters are wrong. The IDs are partially obscured, with only the last four characters visible, so the user can recognise his or her ID and select it to proceed to the next step. In the last step the user enters the password. Three consecutive failed attempts lock the account for two hours and the system notifies the user, who can reset the credentials and continue. All events are recorded by the server in log files, which are used to detect anomalies.

[Fig. 2 screenshots: three panels headed "MINDMETRIC AUTHENTICATION". Panel (b), "User Login / Select your id", lists four obscured IDs of which only the trailing characters are visible (for example ...M12, ...773, ...h278), with a Submit button; panel (c), "User Login", shows the Password field.]

Fig. 2. (a) Providing Token; (b) Selecting User ID; (c) Providing Password.

5. Analysis

We implemented a concept model of the system and asked a scientific community, consisting of staff members and network administrators, to evaluate it. A total of 10 staff members volunteered.

5.1 Questionnaires for Scientific Community

1. Is the system easy to implement?

• Easy 4

• Normal 4

• Difficult 2

2. Were you able to locate attackers using this system?

• Yes 7

• No 3

3. Is it convenient to use log files?

• Yes 8

• No 2

4. How do you rate the security of the system?

• Secure 4

• Somewhat secure 3

• Not Secure 2

• Weak 1

5. Is it feasible to use this system with the available resources?

• Feasible 6

• Not Feasible 4

We can see that the enhancements to the existing system are acceptable to most of the users, even though the test community was small. Users feel that they are protected and are willing to use this system in situations demanding high security. Table 2 compares the existing Mindmetrics mechanism with the proposed secure Mindmetrics mechanism.

Table 2. Comparison between normal Mindmetrics and secure Mindmetrics.

Mechanism            Level of Security   Log Files   Periodic Update of Tokens   Restriction on Token Attempts
Normal Mindmetric    Normal              Not used    Not possible                Not present
Secure Mindmetric    High                Used        Possible                    Present

If the size and strength of passwords and tokens are the same, an attacker of a double-password system has to crack two password hashes. Assume each password is $i$ characters long over a character set of size $c$; the average search space for one password is $c^i/2$, so the average search space for two passwords is $2 \cdot c^i/2 = c^i$. This attack is independent of the size of the hash file. In the Mindmetrics system the attacker must first find the correct token, which leads to the valid login ID. Under the assumption that a token has the same length as a password, the average search space for one token is again $c^i/2$; but the token hash file holds several accounts. Let $j$ be the number of accounts in the token hash file, so that the token search costs $j \cdot c^i/2$ on average. The attacker must then also crack the password, which costs another $c^i/2$. The total complexity of attacking one user account is therefore

$$j \cdot \frac{c^i}{2} + \frac{c^i}{2} = (j+1)\,\frac{c^i}{2}.$$

The search space grows with both the number of accounts in the token hash file, $j$, and the length of the token, $i$.

In a double-password system the complexity and patterns of both passwords are likely to be similar for a given user: if one of the passwords is weak, the other will be weak too. Two passwords of length $i$ have an average search space of $c^i$, while a single password of length $2i$ has $c^{2i}/2$, so a single long password is stronger than two short passwords. In a single-password system, however, the chance of account theft is higher. In Mindmetrics the letter pattern of the token differs from that of a password, because users choose sentences (long or short) that they can remember.

6. Conclusion

Conventional authentication systems are vulnerable to a variety of attacks. Even where multi-factor authentication is used, the identification part is still based on a public login ID. The Mindmetrics mechanism strengthens the identification process with personal secret information, and the use of log files helps prevent various attacks. The user enters the Mindmetric token instead of a login ID to pass the identification phase. The Mindmetric token, the user ID and the passwords are stored separately, so even if the password file is stolen, the attacker's login attempts are blocked by the identification server. This slows the attacker down, and account holders can change their credentials before the attacker gains access. If the password hash file is stolen, the attacker holds a login ID and a cracked password, but the Mindmetrics system does not accept a login ID during authentication, so there is no immediate threat. Even if a cracking attack on the token hash file succeeds, or a plaintext token file is stolen, the attacker only learns login IDs; at that point the security of the system falls to the level of a conventional password system. If the attacker steals the log files, no information can be deduced from them because they are properly encrypted. The system is simple and easy to implement, and it requires neither specialised hardware devices nor complicated algorithms.

References

[1] Stuttard D, Pinto M. The Web Application Hacker's Handbook. Wiley Publishing Inc; 2008. p. 1-19.

[2] Jo J, Kim Y, Lee S. Mindmetrics: Identifying users without their login IDs. IEEE International Conference on Systems, Man, and Cybernetics, San Diego, CA, USA; 2014.

[3] Bonneau J, Herley C, Van Oorschot PC, Stajano F. The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes. IEEE Symposium on Security and Privacy; 2012. p. 553-567.

[4] Zhu BB, Yan J, Bao G, Yang M, Xu N. CAPTCHA as Graphical Passwords: A New Security Primitive Based on Hard AI Problems. IEEE Transactions on Information Forensics and Security; Vol. 9, No. 6; 2014. p. 891-904.

[5] Sklavos N, Efstathiou C. SecurID Authenticator: On the Hardware Implementation Efficiency. 14th IEEE International Conference on Electronics, Circuits and Systems; 2007. p. 589-592.

[6] Vapen A, Byers D, Shahmehri N. 2-clickAuth: Optical Challenge-Response Authentication. 2010 International Conference on Availability, Reliability and Security; 2010. p. 79-86.

[7] Alzomai M, Josang A, McCullagh A, Foo E. Strengthening SMS-Based Authentication through Usability. International Symposium on Parallel and Distributed Processing with Applications; 2008. p. 683-688.

[8] Rybnik M, Tabedzki M, Saeed K. A Keystroke Dynamics Based System for User Identification. 7th Computer Information Systems and Industrial Management Applications; 2008. p. 225-230.

[9] Syed Z, Banerjee S, Cheng Q, Cukic B. Effects of User Habituation in Keystroke Dynamics on Password Security Policy. IEEE 13th International Symposium on High-Assurance Systems Engineering; 2011. p. 352-359.

[10] Guna J, Humar I, Pogačnik M. Intuitive Gesture Based User Identification System. 35th International Conference on Telecommunications and Signal Processing (TSP); 2012. p. 629-633.

[11] Shen C, Cai Z, Guan X, Du Y, Maxion RA. User Authentication Through Mouse Dynamics. IEEE Transactions on Information Forensics and Security; Vol. 8, No. 1; 2013. p. 16-30.

[12] Yun J, Abowd G, Woo W, Ryu J. Biometric User Identification with Dynamic Footprint. 2nd International Conference on Bio-Inspired Computing: Theories and Applications; 2007. p. 225-230.

[13] Zhang F, Kondoro A, Muftic S. Location-Based Authentication and Authorization Using Smart Phones. IEEE 11th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom); 2012. p. 1285-1292.

[14] Oliver I. Programming Classics: Implementing the World's Best Algorithms. Prentice Hall; 1994.