AN ENHANCED MULTILEVEL AUTHENTICATION SCHEME USING GRAPHICAL PASSWORDS
Nowadays there are several types of technologies to avoid online attacks. Still, there are limitations that lead to violations of security. This results in attacks in which the intruder can obtain the user's confidential information.
3.1 Traditional Password Authentication
In the current scenario the main limitation of the traditional password authentication method is that a server must maintain a password table that stores each user's ID and password. If an intruder compromises the server system, through attacks such as phishing, he can access all the information in the table. Even if the information is stored in encrypted form, the intruder can still tamper with the system, for example by replacing correct user information with wrong information in the database, so that even the legitimate user is unable to log in to his account. Such an attack is known as a Denial of Service (DoS) attack. At the same time, online transactions have become very common nowadays, and online attacks have increased along with them. So security has become a very important part of human life. Recently, authentication has become an important issue among the many access control mechanisms. In prevailing systems a new approach, mutual authentication, provides a solution to online attacks like phishing. Mutual authentication is one in which both the user and the server are authenticated.
3.2 Disadvantages of the Traditional System
By doing a detailed study of the existing system for avoiding phishing attacks and of the related work done to overcome the problem of phishing, we have observed the following disadvantages.
- In the existing system the security level is weak.
- It provides security that can be violated by the intruder through various attacks.
- There is complexity in maintaining the tables of user IDs and their respective passwords.
- It may be subject to online attacks like phishing by an intruder.
- Besides online attacks, there is a chance of misleading the user with false authentication by phishing websites.
- If the confidential information of the user is attacked and learned by the intruder, it results in great loss to the user, both financially and personally.
Hence, we are proposing a new methodology to overcome the issue of phishing. We use the concept of Visual Cryptography to implement our idea.
3.3 Multilevel Authentication Scheme
In this approach, we propose multilevel authentication using graphical passwords. The proposed system performs authentication using visual cryptography. The methodology is based on the anti-phishing image Captcha validation scheme using visual cryptography. It protects the password and other confidential information from phishing websites. The approach contains two phases: the registration phase and the login phase.
In the registration phase a key string is requested from the user at the time of registration for the secure website. The string is concatenated with a randomly generated string on the server and an image Captcha is generated. The image is split into two shares such that one share is kept by the user and the other is kept on the server. The image Captcha is also stored in the actual database of the confidential website as confidential data.
After registration the user may change the key string.
When the user logs in by entering his username, he is asked to enter his share. The share is sent to the server, where the user's share and the share stored in the website's database for that user are stacked together to produce the image Captcha. The end user is required to enter the displayed Captcha after checking whether it matches the Captcha shown at the time of registration. By this the mutual authentication is established.
Advantages of Proposed System
- It provides multilevel authentication, which increases the security level.
- It provides mutual authentication, in which both the user and the website are verified as legitimate.
- It overcomes the problem of phishing attacks.
- It boosts the user's confidence in using online transactions.
- It is an anti-phishing visual cryptographic approach.
The following assumptions were made during this work.
- The Captcha is a combination of alphabet and numerals. No special characters are used for generation of the Captcha.
- The user must enter a key that includes alphabet and numerals only, and its length should be more than four.
- The Captcha is of length five.
- For generating the Captcha we have taken the first, third and fifth characters from K1.
- For generating K2, two random numbers are generated on the server side using the random number generator function in JAVA.
- For generating the key, the first, third and fifth characters are taken from K1, and the second and fourth characters are taken from K2.
- This key is given as input to the Imgjoin.java class which we have developed.
- This imgjoin.java class takes the corresponding images of alphabet and numerals from the database and joins them accordingly to form an image Captcha.
3.5 Registration Phase
In the registration phase, the user is initially asked to enter his username and then a key (K1), which can be a combination of alphabet and numerals. After this, a key (K2) is randomly generated by the server. Using these two keys a string is formed, and this string is then used to form an image Captcha.
For Captcha generation, images of every alphanumeric character, with some distortions, are stored in the database. The string generated from the user key and the server key is then given as input to the code, which retrieves the images of the corresponding alphanumeric characters in the string and joins them to form a Captcha.
If the user is satisfied with this Captcha, he is then asked to enter a password. The concepts of image processing and visual cryptography are used. Image processing is a technique of processing an input image to obtain as output either an improved form of the same image and/or characteristics of the input image. In visual cryptography an image is decomposed into shares, and in order to reveal the original image an appropriate number of shares must be combined.
In the (2, 2) Visual Cryptographic Scheme, an image is divided into two shares, and the combination of these two shares reveals the original image. The Captcha is dissolved into two shares using the (2, 2) Visual Cryptographic Scheme, namely share1 (S1) and share2 (S2). Share1 is then sent to the user and share2 is stored in the database along with the username, Captcha and password. These credentials are later used to authenticate the user as well as the server during login.
Generation of Shares
The (2, 2) Visual Cryptographic Scheme is used. In this method, each pixel is divided into four sub-pixels, thus increasing the size of each share to four times that of the original image Captcha.
Here, we used a binary image Captcha, so we obtained the pixel value of each and every pixel in the image Captcha. If the pixel is white, we used identical (the same) matrices in both shares, and if the pixel is black we used complementary matrices, to fill the four sub-pixels in shares S1 and S2 corresponding to that pixel of the original Captcha, where each 2x2 matrix contains two 1s and two 0s in random order.
For example, '1' represents 'white' and '0' represents 'black'.
If the pixel value is 1, then the share can be:
Figure 3.1 Pixel values for Share if pixel value is 1
If the pixel value is 0, then the share can be:
Figure 3.2 Pixel values for Share if pixel value is 0
In this way all the pixels are divided into four sub-pixels and thus the shares are generated.
The values of the matrices are chosen in this way because, during reconstruction, if the sub-pixel value in both shares is the same it is assigned that same value in the reconstructed image, and if the sub-pixel value in the two shares differs, 0 is assigned, making it completely black.
So, if the original pixel is white, in the reconstructed image we get a block that is half black and half white, which gives a grayish look; if the original pixel is black, in the reconstructed image we get a completely black block.
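The (2, 2) share generation and stacking rule described above, as an added Python example (the project's own implementation is in Java; this is not the authors' code). It assumes the pixel convention 1 = white, 0 = black, uses a constructed 3x4 binary image in place of a real Captcha, and the `recover` function that collapses stacked blocks back to source resolution is an assumed addition beyond the text.

```python
import secrets

# Pixel convention used in the text: 1 = white, 0 = black.
# All 2x2 blocks with exactly two 1s and two 0s; one is chosen at random per pixel.
PATTERNS = [
    ((1, 1), (0, 0)), ((0, 0), (1, 1)),
    ((1, 0), (1, 0)), ((0, 1), (0, 1)),
    ((1, 0), (0, 1)), ((0, 1), (1, 0)),
]

def complement(block):
    """Swap 0 and 1 in a 2x2 block."""
    return tuple(tuple(1 - v for v in row) for row in block)

def make_shares(image, rng=None):
    """Split a binary image (list of rows of 0/1) into shares S1 and S2.
    Each source pixel expands to a 2x2 block in both shares, so each share is
    four times the size of the original. White pixel -> identical blocks,
    black pixel -> complementary blocks."""
    rng = rng or secrets.SystemRandom()
    h, w = len(image), len(image[0])
    s1 = [[0] * (2 * w) for _ in range(2 * h)]
    s2 = [[0] * (2 * w) for _ in range(2 * h)]
    for y, row in enumerate(image):
        for x, px in enumerate(row):
            b1 = rng.choice(PATTERNS)
            b2 = b1 if px == 1 else complement(b1)
            for dy in range(2):
                for dx in range(2):
                    s1[2 * y + dy][2 * x + dx] = b1[dy][dx]
                    s2[2 * y + dy][2 * x + dx] = b2[dy][dx]
    return s1, s2

def stack(s1, s2):
    """Reconstruction rule from the text: sub-pixels that agree keep their
    value, sub-pixels that differ become 0 (black)."""
    return [[a if a == b else 0 for a, b in zip(r1, r2)]
            for r1, r2 in zip(s1, s2)]

def white_count(img, y, x):
    """Number of white sub-pixels in the 2x2 block for source pixel (y, x)."""
    return sum(img[2 * y + dy][2 * x + dx] for dy in range(2) for dx in range(2))

def recover(stacked):
    """Assumed helper: collapse the stacked image back to source resolution. A
    half-white block (the 'grayish' pixel) was white, an all-black block was black."""
    h, w = len(stacked) // 2, len(stacked[0]) // 2
    return [[1 if white_count(stacked, y, x) > 0 else 0 for x in range(w)]
            for y in range(h)]

# Constructed 3x4 binary "Captcha" used only for demonstration.
SAMPLE = [[1, 0, 1, 1],
          [0, 1, 0, 1],
          [1, 1, 0, 0]]
```

Each share on its own has exactly two white sub-pixels in every block regardless of the source pixel, which is why a single share (such as S2 held by a phishing server) reveals nothing about the Captcha.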
3.5.1 Login Phase
In the login phase, the user enters his username and uploads his share (S1). Then the share (S2) stored in the database for that username is retrieved, and the two shares are combined using the (2, 2) Visual Cryptographic Scheme to form the Captcha.
Now, if the server is not genuine, it does not possess the user's share2, so the Captcha generated during registration cannot be regenerated; this is how the server is authenticated.
At the same time, the user is also authenticated by the server because only the legitimate user possesses his share1. This is the first level of authentication.
However, the user may share his PC or laptop with acquaintances, and since he stores his share on that PC or laptop, there is a chance of his acquaintances, or anyone else who uses the laptop, logging into his account.
Figure 3.3 Registration Phase
To avoid this problem, we used another level of authentication. Here, after verifying the regenerated Captcha, if the user finds it to be the same as the one generated during the registration phase, he then enters the Captcha as well as the password in order to log in. If the regenerated Captcha does not match the one generated during registration, the user identifies the website as a phishing website.
Then both the Captcha and the password are checked against the password and Captcha stored in the database; if they match the user is allowed in, else rejected.
The second level of authentication ensures that the person logging in is the legitimate user of the account by asking him to enter the password in addition to share1.
In this way both the user and the server are authenticated, and thus the technique helps ensure the safety of the sensitive information of innocent people by preventing phishing attacks.
3.6 Advantages of Multilevel Authentication Scheme
This method enables even a not-so-well-aware user to detect a phishing website, and hence secures his personal and sensitive information from being gathered by others.
3.7 Results for Multilevel Authentication Scheme
The screen below shows the user his Captcha, regenerated by taking his share and the server's share. The screen also asks the user to enter his password in order to authenticate him.
Figure 3.4 Login Phase
Figure 3.5 Screen Showing Reconstructed Captcha during Login
Figure 3.6 Screen Showing Login Failure
This screen shows the message saying that either the user's password or the Captcha has been wrongly entered, after checking them against the ones stored in the database.
Figure 3.7 Screen Showing the Successful Login of a User
The above screen shows successful login of the user.
Figure 3.8 Screen Showing Generated Captcha to User
This figure shows the Captcha generated from the user and server keys, and requests the user to enter his password for successful registration.
Figure 3.9 Screen Showing Successful Registration Message
This figure shows the screen presenting the user his share and a success message on his successful registration.
In this chapter we achieved mutual authentication, in which both the user and the website are authenticated. So the user can be free from the worry of phishing websites and the server can be free from malicious users. In this method, even if the intruder gets the password he cannot do anything, because of the share that is generated during the registration phase. So we can conclude that this approach is considerably better than other approaches. We analyze the performance of this multilevel authentication approach on the basis of some metrics, including success rate, response time and efficiency. The results of this approach are good. When combined with other authentication techniques, its performance could be further improved.