25-10-2016, 10:58 AM
Attachment: 1460988090-k2015.pdf (670.1 KB)
Abstract- Phishing is one of the most common attacks on networks today and a primary enabler of fraud and identity theft, and the increasing sophistication of phishers makes it very difficult for users to distinguish genuine sites from fake ones. It is therefore important that the two parties authenticate each other. Mutual authentication between two entities is essential to establish a secure link over public or closed insecure networks. This paper gives an overview of a proposed secure authentication system comprising an authentication server, a one-time password generator, and a database server. The system achieves mutual authentication by exchanging two one-time passwords (OTPs); an OTP is a security mechanism that expires after a single use or after some period of time. The system provides several advantages with respect to most of the available state-of-the-art solutions. First, it enables transparent mutual authentication between two entities. Moreover, it guarantees the authenticity of both entities within the same session. Finally, the proposed system ensures secure data transmission and protected access between the two entities and protects against known attacks.
I. INTRODUCTION
In the current network-centric world, hundreds of millions of users rely on the Internet to communicate, to work and to do business. Unfortunately, the current means of identifying individuals and businesses and of protecting communication and business transactions are primitive and piecemeal. Every day a massive volume of personal communications and online transactions, such as online conferences and online trading, is conducted over the Internet without adequate authentication of the participating parties. Improper authentication of Internet users by businesses gives hackers the opportunity to access unauthorized information and to conduct fraudulent transactions, leading to monetary and proprietary damages. Improper authentication of business servers by users exposes people to increasingly sophisticated online scams such as phishing and pharming. Without appropriate authentication solutions, more and more Internet businesses and users are becoming victims of fraudulent transactions and identity theft.
User authentication and authorization in public and closed networks has always been a matter of concern in computer networking and in security systems. Authentication is the method of verifying who the user is, while authorization is the method of verifying that the user has access to a resource. A public network is characterized by the presence of multiple users in multiple locations with an undefined range of possibly malicious motives for using it. Such exposure poses a considerable threat to the use of sensitive, premium-based applications. Password-based protocols are in use by almost all secure applications because they are easy and comfortable to use and have been adopted by the majority of users. However, the frequent use of password-based authentication over public networks is not recommended by security experts. Even in the current era of security modernization, password-based authentication systems are still frequently used for user authentication. Since passwords are formulated from various sensitive and confidential pieces of information, unauthorized access to users' passwords in large-scale networked systems has been studied extensively in past research, as in [1].
In this paper, we propose a new secure authentication system. It ensures secure mutual authentication between two entities by requiring each entity to provide a verifiable one-time password to the other. The one-time password expires after a single use or after some period of time. The system guarantees the authenticity of both entities within the same session and achieves mutual authentication by exchanging two one-time passwords.
The rest of the paper is organized as follows. Section II presents the general background and related work on authentication schemes and two-factor authentication systems. Section III presents the detailed design of the proposed system. The security analysis of the proposed system with respect to known attacks is presented in Section IV. Section VI concludes the paper.
II. BACKGROUND AND RELATED WORKS
A. Hash-based password authentication scheme
A hash-based password authentication scheme mutually authenticates the client and the server successfully; although it is immune to eavesdropping on the server's data and to impersonation attacks, it is vulnerable to the replay attack. An improved mutual authentication framework with a second factor, i.e. the e-mail ID of the registered user, has been developed, but it requires formal security proof techniques and techniques for preserving the privacy of the user's information provided to the server. The offline password guessing attack, stolen-verifier attack and denial of service attack against Islam-Biswas's remote user authentication scheme are described in [2].
B. Static password-based authentication scheme
Password-based authentication schemes are vulnerable to various attacks. The offline password guessing attack, stolen-verifier attack and denial of service attack against Islam-Biswas's remote user authentication scheme are described in [2].
C. Dynamic password-based authentication scheme
Dynamic password-based authentication schemes are vulnerable to the perfect man-in-the-middle attack. Hackers created special software for launching an automatic replay attack, able to send the captured password to the server before the authenticating user does, as in [3].
D. One-time password-based authentication scheme
One-time password schemes are vulnerable to ten attacks. The replay attack, the forgery attack, the impersonation attack and the DoS attack are defined in [4]. The SV attack is defined in [5]. The theft attack and the server modification attack are defined in [6]. The SV DoS attack is defined in [7].
Two-factor authentication (T-FA) is based on the concept of "something you have" and "something you know". Two-factor authentication is vital for effective network security. Three types of T-FA are generally used in networks, as in [8]:
1. Challenge Response Authentication
In this method, there are five steps in which the user authenticates himself and proves his identity.
• First, the user enters his username and password.
• The server sends an 8-digit challenge.
• The user enters the 8-digit challenge into the token.
• An 8-digit response is displayed on the token.
• The user then enters the 8-digit response and is thus validated to access the data.
The challenge-response method proceeds through a laborious five-step process and is much prone to user error.
2. Event Synchronous Authentication
In this method, there are only three steps. The token code is based on the next number in a sequence rather than on a random number generation scheme, which makes it much more prone to hacking.
• The user activates the next token code by pushing the button on the token.
• The user enters the username and passcode (the passcode is the event-produced token code and the user's PIN).
• The server then authenticates by matching the user passcode with the server passcode (the server passcode is based on the next event in the sequence).
3. Time Synchronous Authentication
This method also has three steps, but here the difference is that both the user's token and the server have internal clocks that are synchronized, hence the name time synchronous. They also have identical seeds. A seed is the starting value used by the random number generator to create a pseudo-random number.
• The user enters the username and passcode (the passcode is a 4 to 8 digit random token code and the user's PIN).
• The server and the token create the token code by combining the seed record and the current Greenwich Mean Time.
• The server authenticates the user passcode against the server passcode, and the user is validated if they match.
TSPass is a dynamic authentication scheme that employs both a time factor and a space factor (such as the MAC address) to provide a secure and efficient means of authentication. It is robust against attacks including the perfect man-in-the-middle attack, as in [9].
A novel password authentication scheme has been proposed in which the user's device generates OTPs from an initial seed value using the proposed scheme; the initial seed is generated both on the server side and on the user side, as in [1].
III. THE PROPOSED SYSTEM
In this section, we present a new secure authentication system that ensures secure mutual authentication between two entities. Our proposed system involves three components: an authentication server, an OTP generator, and a database server. The authentication server is communicatively coupled to the second entity and to the database server (DB server). The OTP generator, which is an application, resides on the first entity. The two entities are communicatively coupled through a network.
The OTP generator is a security mechanism that generates a one-time password and verifies the one-time password received from the second entity. The authentication server is configured to generate and verify the one-time password and the token. The one-time password is used for authenticating the first entity as well as the second entity. The database server stores the token and the registration information.
The operation of the secure authentication system is described as follows. It is composed of three phases, namely the registration phase, the authentication phase, and the password change phase. For ease of understanding, the description is given in the context of electronic communication between a user and a computing server, as shown in Fig. 1. The registration phase and the password change phase are performed only once, whereas the authentication phase is executed every time the user (i.e. the first entity) wishes to access the computing server (i.e. the second entity).
Registration Phase
The first phase of our proposed system is user registration, as shown in Fig. 2. This phase is invoked whenever a user registers with the computing server. The user chooses a user ID and password and submits them along with his personal details to the remote system. Upon receiving the registration request, the computing server forwards the received information to the authentication server.
The authentication server generates the token and stores it along with the received information in the database server. The token will be used by both entities during the computation of the one-time password; it is a pre-shared key shared between the two entities. The token, along with the OTP generator, is distributed to the user in online or offline mode. In online mode, the encrypted token along with the OTP generator is distributed to the user. In offline mode, the token along with the OTP generator is distributed to the user physically.
Authentication Phase
The second phase of our proposed system is authentication, as shown in Fig. 3. This phase is invoked whenever a user wishes to access the computing server. Both the user and the computing server use the token to compute a one-time password. Computation of the one-time password is done through a predefined cryptographic algorithm consisting of programmed computational steps and cryptographic operations.
• The user connects to the computing server through the network in order to submit a user ID and static password.
• The computing server forwards the received user ID and static password to the authentication server.
• The authentication server searches for the static password corresponding to the user ID in the database server. Once the static password is located, the authentication server matches it against the static password received from the user.
• If both passwords match, the authentication server uses the token to compute a one-time password and sends it to the user via the computing server and the network.
• When the user receives the one-time password, it authenticates the computing server by verifying the received one-time password. To do this, the user uses the token to compute a one-time password with the OTP generator and matches it against the received one-time password. Verification is successful if the computed one-time password and the received one-time password match.
• Upon successful verification, the user uses the token to compute a one-time password with the OTP generator and sends it to the authentication server via the network and the computing server.
• The authentication server authenticates the user by verifying the received one-time password. To do this, the authentication server uses the token to compute a one-time password and matches it against the received one-time password. Verification is successful if the computed one-time password and the received one-time password match.
• Once the one-time password is verified, mutual authentication is accomplished, and the user can commence trusted communication with the computing server via the network.
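The registration and authentication phases above, simulated end to end in Python as an added example; this is not the paper's own code, and the paper leaves the OTP algorithm as a "predefined cryptographic algorithm". Assumptions made here: the OTP is HMAC-SHA256 over the pre-shared token, a 60-second time step and a direction label, truncated to eight digits; the static password is stored as a salted PBKDF2 hash rather than in clear; user names and values are constructed. The direction label is the design choice worth noting: it keeps the server-to-user OTP and the user-to-server OTP of one session distinct, so the second OTP proves that the user holds the token rather than merely echoing the first back. The server also enforces the two properties the text names for an OTP, expiry after a period and single use.

```python
import hashlib
import hmac
import os
import secrets

# Assumptions not fixed by the page: 60-second time step, 8-digit OTP, direction labels.
STEP_SECONDS = 60
DIGITS = 8
S2U = b"server->user"   # labels keep the two OTPs of a session distinct
U2S = b"user->server"

def derive_otp(token: bytes, direction: bytes, step: int) -> str:
    mac = hmac.new(token, direction + step.to_bytes(8, "big"), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** DIGITS).zfill(DIGITS)

def password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DatabaseServer:
    """Stores the token and the registration information."""
    def __init__(self):
        self.records = {}

class AuthenticationServer:
    def __init__(self, db: DatabaseServer):
        self.db = db
        self.sessions = {}     # user_id -> time step at which the server OTP was issued
        self.consumed = set()  # (user_id, step) pairs whose OTP has already been used

    # Registration phase: generate the token and store it with the user's details.
    def register(self, user_id: str, password: str, details: dict) -> bytes:
        salt = os.urandom(16)
        token = secrets.token_bytes(32)
        self.db.records[user_id] = {"salt": salt, "pw": password_hash(password, salt),
                                    "token": token, "details": details}
        return token   # distributed to the user together with the OTP generator

    # Authentication, step 1: check the static password, then issue the server's OTP.
    def start_auth(self, user_id: str, password: str, now: float):
        rec = self.db.records.get(user_id)
        if rec is None or not hmac.compare_digest(rec["pw"], password_hash(password, rec["salt"])):
            return None
        step = int(now // STEP_SECONDS)
        self.sessions[user_id] = step
        return derive_otp(rec["token"], S2U, step)

    # Step 2: verify the user's OTP for the same session; it expires and is single-use.
    def finish_auth(self, user_id: str, user_otp: str, now: float) -> bool:
        rec = self.db.records.get(user_id)
        step = self.sessions.pop(user_id, None)
        if rec is None or step is None:
            return False
        if int(now // STEP_SECONDS) - step > 1 or (user_id, step) in self.consumed:
            return False
        if not hmac.compare_digest(derive_otp(rec["token"], U2S, step), user_otp):
            return False
        self.consumed.add((user_id, step))
        return True

class ComputingServer:
    """The second entity: relays between the user and the authentication server."""
    def __init__(self, auth: AuthenticationServer):
        self.auth = auth
    def login(self, user_id, password, now):
        return self.auth.start_auth(user_id, password, now)
    def submit_otp(self, user_id, otp, now):
        return self.auth.finish_auth(user_id, otp, now)

class OTPGenerator:
    """Runs on the first entity (the user's device) and holds the distributed token."""
    def __init__(self, token: bytes):
        self.token = token

    def verify_server(self, server_otp: str, now: float):
        """Return the time step the server OTP matches, or None (one step of skew allowed)."""
        step = int(now // STEP_SECONDS)
        for s in (step, step - 1):
            if hmac.compare_digest(derive_otp(self.token, S2U, s), server_otp):
                return s
        return None

    def respond(self, step: int) -> str:
        return derive_otp(self.token, U2S, step)

def authenticate(user_id, password, gen: OTPGenerator, cs: ComputingServer, now: float) -> bool:
    """The full exchange; True only when each side has verified the other's OTP."""
    server_otp = cs.login(user_id, password, now)
    if server_otp is None:
        return False
    step = gen.verify_server(server_otp, now)
    if step is None:
        return False   # user stops: the computing server did not prove it holds the token
    return cs.submit_otp(user_id, gen.respond(step), now)
```

The computing server sees both OTPs pass through it but holds no token, which is the paper's separation of the relay from the authentication server; only the authentication server and the user's generator can produce or check a value.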
CONCLUSION
In this paper, we have given an overview of a proposed secure authentication system. The system achieves mutual authentication by exchanging two one-time passwords (OTPs); an OTP is a security mechanism that expires after a single use or after some period of time. The system provides several advantages with respect to most of the available state-of-the-art solutions. First, it enables transparent mutual authentication between two entities. Moreover, it guarantees the authenticity of both entities within the same session. Finally, the proposed system ensures a high level of security, secure data transmission and protected access between the two entities, and protects against known attacks. Our future work is to enhance the proposed system with more secure algorithms.