
Essay: Password protection scheme & authentication framework

Published: 19 October 2022
Last Modified: 22 July 2024

Abstract— Security is one of the most important aspects of today's world. To protect against malicious attacks, many software products and secure algorithms are used. Password authentication is one of the most commonly used techniques despite its flaws. Several password protection techniques are used to provide security and to help users remember and quickly recover passwords. This paper provides a literature survey of different password protection and authentication techniques. It also presents a study of how passwords are created and set by users.

Keywords—Security, Protection, Authentication, Password

I Introduction

Passwords are used in almost every digital system. Everyone is familiar with logging in to a system or a website, accessing their email or signing in to a social network, but passwords also perform the important task of protecting access to many other systems, such as banking terminals, social networks and e-commerce websites. Many vendors have implemented their own approach to safeguarding those passwords, and this has resulted in a mix of safe and insecure systems. Maintaining password security is one of the biggest problems. With the increase in online services, the number of credentials per person has also increased dramatically, and news reports show that hackers are trying to break the security and gain access to credentials or other information.

Various ways of setting passwords

While setting a password, various strength metrics are available to tell the user whether the password is strong or weak [9]. This helps users choose a stronger password that cannot be cracked easily. To remember passwords better, techniques such as GeoPass and GeoPassNotes [10] can be used. Instead of remembering a password, the user selects a location on a digital map and annotates it with related text (a memory of that place); to authenticate later, the user zooms into that location on the digital map and answers a question about the memory of that place.

1.2 Security issues in Authentication

Developing strong authentication is one of the key areas of computer security research, i.e., developing new types of authentication schemes, as a lack of proper authentication results in hacking. If hackers gain access to a system, they can carry out many illegal and harmful activities, such as launching denial-of-service attacks, defacing websites, stealing personal information, stealing financial information, making fraudulent purchases, etc. Passwords and IDs play an important role in authenticating users and processes. Passwords should be secure and must always be accessible for proper authentication. If passwords are reused across many services, they can be cracked easily [5]. Personal information such as an Aadhaar number or phone number may be present in a password or database and should be protected with high security [8].
Existing Methods in Securing User Authentication

Many different techniques have been developed to make authentication systems secure and robust: for example, security tokens (also called hardware tokens, authentication tokens or cryptographic tokens), password managers, the Challenge Handshake Authentication Protocol (CHAP), one-time passwords, single sign-on (SSO), personal identification numbers (PINs), callback, and graphical passwords. All of the existing approaches rely directly on a positive identification database during the authentication process. However, this method is dangerous: the password information table could be read or altered by anyone, and a hacker or anyone else could append a new ID and password to the table. In reality, most security penetrations occur when the security validation information is exposed in one way or another. Usually, when people set new complex passwords, the passwords still follow some pattern, and hackers use different techniques to crack the hashes and reveal the plain text [2]. SPAM can be used to provide high-security properties while optimizing the handover latency and the computation overhead, but it is still vulnerable to replay and malicious insider attacks, as well as the compromise of a single node [3]. One important point about password strength metrics is that no single metric is better than all other metrics for all kinds of passwords [6]; a password metric should evolve over time to adjust itself to new password selection trends of users [7]. A PAKR (Password-Authenticated Key Retrieval) protocol and its multi-server system allow one party (say, a client) who has a memorable password to retrieve a long-term static key in an exchange of messages with at least one other party (say, a server) that has a private key associated with the password [4], so that messages can be exchanged without the user having to authenticate again and again.

Methods used to secure passwords

As computer systems became more important in daily life, the need to protect passwords became clear. Some methods are commonly used to protect these systems. To store a password in a file or database, one of these methods is applied to the original password string. The resulting output is what is ultimately written to storage and used to authenticate the user, so the system must be able to apply the same method to a user's credentials whenever they try to log in. Each of these approaches may be combined with others to strengthen the security they provide, but some of them are not useful if implemented by themselves.

2-3a Plain-text databases

A plain-text database is a database in which the information is stored in a form that can be read back with its original meaning. Storing passwords in plain text is the simplest method: the characters are simply written to a file or database. When a user logs in, the password entered is compared to the stored string and, if they match, the user is allowed access. The password is recoverable if the user forgets it, and if needed an online service can email the password back on request. The threat is that a hacker might gain access to the stored passwords.

2-3b Hashing

A hash produces a digest: regardless of the size of the input, it produces an output of fixed length. Because hashing is a one-way function it is computationally infeasible to reverse, meaning that the input cannot be recovered from the digest. When hashing is used by a password database, the entries in the database contain the digests of the passwords and the plain-text passwords are not present. When a user tries to authenticate, the password entered is hashed using the same algorithm the database used, and the user is allowed access if the digest is the same as the one stored. In this way a hash can hide the real passwords while retaining the ability to authenticate a user, which is why hashes are the most valuable part of password security. A small change in the input creates a large difference in the digest. This makes deciphering the digest much more difficult, since there should be no visible relationship between input and output.

2-3c Salting

In cryptography, a salt is data that is added to the message before it is hashed. When applied to passwords, it is usually a set of characters that is appended or prepended to the original password before hashing. The salt makes the password longer and makes the input string to the hash function differ between systems or users that chose the same password. The characters can be the same for every entry, or random for each user. The password database stores the digest of the password combined with the salt, and the authentication process needs the same salt to obtain the same digest.

2-3d Stretching

Stretching involves repeated application of a hashing algorithm to increase the time taken to calculate the digest. The password is used as input and a digest is calculated; that digest then becomes the input for the next iteration, and the process is repeated many times. Some algorithms implement a fixed number of iterations and some allow a variable number to be given as an input to the function. Stretching helps protect passwords from being guessed, because every guess costs the attacker the same repeated work.
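The four storage methods above (plain text, hashing, salting and stretching), as an added worked example that is not part of the original essay and uses only Python's standard library. `stretch_naive` implements the digest-chaining loop exactly as the Stretching section describes it; `store_salted_stretched` combines a random per-user salt with stretching using the standard PBKDF2-HMAC-SHA256 construction (my choice, since the essay names no particular algorithm); `bit_difference` measures the avalanche effect mentioned in the Hashing section. The record layout `pbkdf2_sha256$iterations$salt$digest` and the sample passwords are constructed for this example.

```python
import hashlib
import hmac
import secrets

# 2-3a: plain text. The stored value is the password itself, so anyone who
# reads the table reads every password.
def store_plaintext(password):
    return password

def verify_plaintext(stored, attempt):
    # compare_digest avoids leaking the match position through timing
    return hmac.compare_digest(stored.encode('utf-8'), attempt.encode('utf-8'))

# 2-3b: unsalted hash. The same password always yields the same digest, in
# every system, which is exactly what precomputed lookup tables exploit.
def store_hashed(password):
    return hashlib.sha256(password.encode('utf-8')).hexdigest()

def verify_hashed(stored, attempt):
    return hmac.compare_digest(stored, store_hashed(attempt))

def bit_difference(hex_a, hex_b):
    """Hamming distance between two hex digests (the avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count('1')

# 2-3d as the text describes it: each digest becomes the input of the next
# iteration. The salt is prepended to the first input (2-3c).
def stretch_naive(password, salt, iterations):
    digest = hashlib.sha256(salt + password.encode('utf-8')).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest.hex()

# 2-3c + 2-3d with the standard construction: PBKDF2-HMAC-SHA256, a random
# 16-byte salt per record, and the iteration count stored beside the digest
# so it can be raised later without breaking old records.
def store_salted_stretched(password, iterations=200_000):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac('sha256', password.encode('utf-8'), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted_stretched(stored, attempt):
    algo, iterations, salt_hex, digest_hex = stored.split('$')
    if algo != 'pbkdf2_sha256':
        return False
    digest = hashlib.pbkdf2_hmac('sha256', attempt.encode('utf-8'),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == '__main__':
    rec_a = store_salted_stretched("correct horse")
    rec_b = store_salted_stretched("correct horse")
    print("same password, different records:", rec_a != rec_b)
    print("both verify:", verify_salted_stretched(rec_a, "correct horse")
          and verify_salted_stretched(rec_b, "correct horse"))
    print("avalanche bits:", bit_difference(store_hashed("password1"),
                                            store_hashed("password2")))
```

Running the block shows the property each section claims: two records for the same password differ (the salt), both still verify (the same salt is read back from the record), and changing one character of the input flips roughly half of the 256 digest bits. The unsalted `store_hashed` value is identical for every user with that password, which is why salting is needed before stretching is worth anything.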

Other methods

Methodology

NEGATIVE AUTHENTICATION SYSTEM

A hash function stores each user's password in a cryptographic form. Hashing converts a string of any length at the input into a bit string of fixed length (the hash) at the output. It has two main characteristics: even a minor modification of the input string changes the output hash value, and it is practically impossible to find the input string knowing only the hash value (irreversibility) [2, 7, 8].

Figure 4: The basic concept of the Negative Selection Algorithm (NSA). Illustrate the concept of self (password) by green coloured shapes and the non-self (anti-password) space covered by different circles represented as detectors (Anti-P) [10, 12].

Figure 5: Flow Chart for Generation of detectors (Anti-P’s) and Validation against Anti-P’s

A negative selection approach is used for user authentication, i.e. filtering out invalid users, which should improve the security posture of user authentication systems. The user is first verified using the negative image of the password dataset instead of the actual image itself.

Advantages-

1. This system is capable of filtering out all illegitimate users (crackers, hackers, etc.) before allowing the legal users to access the positive password verification system.

2. It puts an additional layer of protection (invisible) to the user and therefore provides a robust solution in immunizing authentication systems (local, remote or online).

3. The user is first verified using the negative image of the password dataset instead of the actual one.

4. When a user enters his/her credentials, they are first checked against the bad passwords (Anti-P's); only after that are they sent for further verification.
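As an added illustration of the negative selection idea described above (my code, not an implementation from [10], [12] or the essay), the following Python builds Anti-P detectors by negative selection over bit strings and applies the two-stage check: the negative filter first, positive verification second. Everything specific is an assumption of mine rather than a parameter from the cited papers: self strings are 16-bit truncations of SHA-256 password hashes, the matching rule is r-contiguous bits with r = 5, the detector count is 30, the positive check is a stand-in comparison, and the passwords are constructed sample values.

```python
import hashlib
import random

R = 5    # r-contiguous-bits matching threshold (assumed parameter)
L = 16   # length of self and detector strings in bits (assumed; a truncated hash)

def self_bits(password, length=L):
    """Self string for a password: the first `length` bits of SHA-256(password)."""
    digest = hashlib.sha256(password.encode('utf-8')).digest()
    return ''.join(format(b, '08b') for b in digest)[:length]

def r_contiguous_match(a, b, r=R):
    """NSA match rule: the two strings agree on at least r adjacent positions."""
    run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        if run >= r:
            return True
    return False

def generate_detectors(self_set, count, rng, r=R, length=L):
    """Negative selection: random candidates become Anti-P detectors only if
    they match no self string; candidates that match any password are censored."""
    detectors, attempts = [], 0
    while len(detectors) < count and attempts < 100 * count:
        attempts += 1
        candidate = ''.join(rng.choice('01') for _ in range(length))
        if not any(r_contiguous_match(candidate, s, r) for s in self_set):
            detectors.append(candidate)
    return detectors

def flagged_by_anti_p(detectors, candidate, r=R):
    """Stage 1: the candidate is non-self if any detector matches it."""
    return any(r_contiguous_match(d, candidate, r) for d in detectors)

def login(self_set, detectors, password):
    s = self_bits(password)
    if flagged_by_anti_p(detectors, s):
        return "rejected by Anti-P filter"          # never reached for a self string
    if s in self_set:                               # stage 2: positive verification (stand-in)
        return "accepted"
    return "rejected by positive verification"

def estimate_coverage(detectors, rng, samples=2000, length=L):
    """Fraction of random strings the detectors reject. High, but with finitely
    many random detectors there are always uncovered holes around self."""
    flagged = sum(flagged_by_anti_p(detectors, ''.join(rng.choice('01') for _ in range(length)))
                  for _ in range(samples))
    return flagged / samples

def build_demo(seed=7):
    """Constructed sample: three registered passwords and 30 detectors."""
    rng = random.Random(seed)
    self_set = {self_bits(p) for p in ("alpha-pass", "bravo-pass", "charlie-pass")}
    return self_set, generate_detectors(self_set, 30, rng), rng

if __name__ == '__main__':
    self_set, detectors, rng = build_demo()
    print(login(self_set, detectors, "alpha-pass"))
    print(login(self_set, detectors, "not-a-user"))
    print("estimated non-self coverage:", estimate_coverage(detectors, rng))
```

Two properties are worth checking on the output. By construction no detector ever matches a registered self string, so a legitimate user is never rejected by the filter (the "invisible" layer in advantage 2). Coverage of the non-self space is high but not complete, which is the known trade-off of negative selection: a wrong password that lands in a hole passes the filter and is only stopped by the positive check, so the filter reduces load on the positive system rather than replacing it.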

Disadvantages-

1. The major security threats are password cracking tools, as they allow hackers to gain access to the system and perform harmful activities. These tools can decrypt passwords or otherwise disable password protection.

2. The password information table could be read or altered by an intruder. An intruder can also append a new ID and password into the table.

2nd methodology

Every entry in an NDB contains three kinds of symbols: ‘0’, ‘1’ and ‘*’. The symbol ‘0’ matches only the bit 0 and the symbol ‘1’ matches only the bit 1, while the symbol ‘*’ matches either bit. Every entry therefore has two kinds of positions: specified positions, where the symbol is ‘0’ or ‘1’, and unspecified positions, where the symbol is ‘*’. Accordingly, ‘0’ and ‘1’ are the specified symbols and ‘*’ is the unspecified symbol. A sequence of bits is covered by an entry in an NDB when the bits of the sequence match the symbols of the entry at all of its specified positions. If a sequence of bits is covered by at least one entry in an NDB, we say that the sequence is covered by the NDB. If an NDB covers every entry in the complement of the database (U-DB), we say that the NDB is complete; otherwise it is incomplete. The NDB converted from a DB with only one entry is called a single NDB; otherwise it is called a multiple NDB. There are two types of NDB generation algorithms, one for single NDBs and one for multiple NDBs.

Fig. 1. The data flow diagram of the generation procedure of the ENP.

Fig. 2. The data flow diagram of the verification procedure of the ENP.

The registration phase has six steps to be followed:

1. On the client side, a user has to enter the username and password. Then, there is a secure channel through which the username and plain password are transmitted to the server.

2. If the username sent by the user already exists in the authentication data table, “The username already exists!” is displayed, signifying that the server has rejected the registration request, and the registration phase gets terminated. Else, go to Step (3).

3. The password received by the server is then hashed using the selected cryptographic hash function.

4. With the help of a NDB generation algorithm the hashed password is then converted into a negative password.

5. The selected symmetric-key algorithm encrypts the negative password to an ENP, where the key is the hash value of the plain password.

6. The authentication data table stores the username and the resulting ENP and “Registration success” is displayed, signifying that the server has accepted the registration request.

The authentication phase has five steps to be followed:

1. On the client side, a user has to enter the username and password. Then, there is a secure channel through which the username and plain password are transmitted to the server.

2. If the username sent by the user does not exist in the authentication data table, then “Incorrect username or password!” is displayed, signifying that the server has rejected the authentication request, and the authentication phase gets terminated. Else, go to Step (3).

3. Search the authentication data table for the ENP corresponding to the received username.

4. Using the selected symmetric-key algorithm, the ENP is decrypted (one or more times according to the encryption setting in the registration phase) where the key is the hash value of the plain password; thus, the negative password is obtained.

5. If the hash value of the received password is not the solution of the negative password then “Incorrect username or password!” is displayed, signifying that the server has rejected the authentication request and the authentication phase gets terminated. Else, “Authentication success” is displayed, signifying that the server has accepted the authentication request.
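The NDB definitions of the second methodology and the six-step registration and five-step authentication procedures above, as one added worked example in Python. This is my code, not the implementation from [1], and it rests on several assumptions: the single-NDB generation is the simple prefix construction (each entry keeps a prefix of the hash, flips the next bit and leaves the rest unspecified) plus a few randomised redundant entries, which is not necessarily the generation algorithm used in [1]; the symmetric-key algorithm is a nonce-based SHA-256 keystream XOR, chosen only so the example runs with the standard library (a real deployment would use a vetted cipher such as AES); the hash function is SHA-256; and the stored record layout, usernames and passwords are constructed.

```python
import hashlib
import random
import secrets
from itertools import product

# ---- NDB primitives: an entry is a string over {'0', '1', '*'} -------------
def entry_covers(entry, bits):
    """True if the entry matches the bit string at every specified position."""
    return len(entry) == len(bits) and all(e == '*' or e == b for e, b in zip(entry, bits))

def ndb_covers(ndb, bits):
    return any(entry_covers(e, bits) for e in ndb)

def is_solution(ndb, bits):
    """A solution of the NDB is a bit string covered by no entry."""
    return not ndb_covers(ndb, bits)

def generate_single_ndb(self_bits, rng=None, redundant=8):
    """Single NDB for the one-entry DB {self_bits} (prefix construction, assumed).
    Entry i = self_bits[:i] + flipped bit i + '*' for the rest. Any x != self_bits
    first differs at some i and is covered by entry i; self_bits is covered by
    none, so the NDB is complete. Redundant entries fix one '*' of a base entry
    to a random bit: they cover a subset of their parent, so the NDB stays exact
    while two NDBs built from the same hash almost always differ."""
    rng = rng or random.SystemRandom()
    m = len(self_bits)
    base = [self_bits[:i] + ('1' if self_bits[i] == '0' else '0') + '*' * (m - i - 1)
            for i in range(m)]
    ndb = list(base)
    for _ in range(redundant):
        parent = rng.choice(base)
        stars = [j for j, c in enumerate(parent) if c == '*']
        if stars:
            j = rng.choice(stars)
            ndb.append(parent[:j] + rng.choice('01') + parent[j + 1:])
    rng.shuffle(ndb)
    return ndb

def ndb_is_exact(ndb, self_bits):
    """Brute-force check for small m: covered set is exactly U minus {self_bits}."""
    return all(ndb_covers(ndb, ''.join(t)) == (''.join(t) != self_bits)
               for t in product('01', repeat=len(self_bits)))

# ---- Stand-in symmetric cipher: SHA-256 keystream in counter mode ---------
NONCE_LEN = 16

def _keystream_xor(key, nonce, data):
    out = bytearray()
    for block, start in enumerate(range(0, len(data), 32)):
        ks = hashlib.sha256(key + nonce + block.to_bytes(8, 'big')).digest()
        out.extend(x ^ k for x, k in zip(data[start:start + 32], ks))
    return bytes(out)

def symmetric_encrypt(key, plaintext):
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _keystream_xor(key, nonce, plaintext)

def symmetric_decrypt(key, ciphertext):
    return _keystream_xor(key, ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:])

# ---- ENP registration and authentication, following the numbered steps ----
def password_hash(password):
    return hashlib.sha256(password.encode('utf-8')).digest()

def to_bits(digest):
    return ''.join(format(b, '08b') for b in digest)

def register(table, username, password):
    if username in table:                                          # step 2
        return "The username already exists!"
    h = password_hash(password)                                    # step 3
    negative_password = generate_single_ndb(to_bits(h))            # step 4
    enp = symmetric_encrypt(h, ','.join(negative_password).encode('ascii'))  # step 5
    table[username] = enp                                          # step 6
    return "Registration success"

def authenticate(table, username, password):
    fail = "Incorrect username or password!"
    if username not in table:                                      # step 2
        return fail
    h = password_hash(password)
    plain = symmetric_decrypt(h, table[username])                  # steps 3-4
    try:
        ndb = plain.decode('ascii').split(',')
    except UnicodeDecodeError:
        return fail            # wrong key: the output is not a well-formed NDB
    bits = to_bits(h)
    if any(len(e) != len(bits) or set(e) - set('01*') for e in ndb):
        return fail
    return "Authentication success" if is_solution(ndb, bits) else fail  # step 5

if __name__ == '__main__':
    table = {}
    print(register(table, "alice", "correct horse battery"))
    print(authenticate(table, "alice", "correct horse battery"))
    print(authenticate(table, "alice", "wrong password"))
```

The example makes the two claims of the Advantages list concrete. Registering the same password twice yields two different ENPs, because the negative password is randomised and the cipher uses a fresh nonce, so a lookup table keyed on the password gives nothing and two systems' tables cannot be compared. On authentication a wrong password decrypts with the wrong key, so no valid NDB appears and the request fails before the solution check; only the correct password yields the NDB whose single solution is its own hash.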

Advantages-

1. It can be easily integrated into existing authentication systems.

2. Password cracking from ENPs is a tedious job due to cryptographic hash function and symmetric encryption techniques used in the system.

3. Precomputation attacks are made infeasible without adding extra elements to the system.

4. ENP resists lookup table attacks and provides stronger password protection under dictionary attack, with no dependence on salts.

5. It combines the cryptographic hash function, the negative password and also the symmetric-key algorithm, without the need for any other additional information except the plain password.

6. ENP not only increases the number of encryptions, but it also replaces the cryptographic hash function with a key stretching algorithm.

Disadvantages-

1. Other Negative Database (NDB) generation algorithms are not yet introduced to the ENP to further improve password security.

2. Techniques such as multi-factor authentication and challenge-response authentication have not yet been introduced into the password authentication framework.

Results

Negative authentication

The author has focused on developing a negative authentication system (password immunizer), which is a unique and better approach to eliminating brute-force attacks on password databases/servers. During the login process, the password immunizer first checks for negative authentication before any positive verification [1]. Before allowing access to the positive password verification system, the Anti-P system can filter out all illegal users such as hackers, crackers, etc., providing an additional (invisible) layer of protection to the user. With active monitoring of user activities, this approach can identify if someone uses a stolen password and can block all types of password guessing. The password immunizer not only advances our knowledge in developing next-generation authentication systems, but also helps in learning lessons from the biological defense system and how to build a secure password protection system.

Encrypted negative password

The author has proposed a framework for designing authentication using encrypted negative passwords, and reports that it can be used to provide better authentication and security. Some of the advantages of this framework are as follows. Compared to salted passwords, the ENP has no dependence on salts and needs only a pair of a symmetric-key algorithm and a cryptographic hash function, without extra elements (such as a salt), which makes the scheme programmer-friendly. For a given plain password there are many corresponding ENPs, i.e., the ENPs converted from the same password are almost always different, so the scheme effectively resists lookup table attacks. Even when a user chooses the same password in different systems, the corresponding ENPs are almost always different, so an adversary who obtains two ENPs from the authentication data tables of two systems cannot determine whether the original plain passwords are the same. To defend against dictionary attacks, the ENP uses multi-iteration encryption, making every password attempt consume more time.

Conclusion

Many organizations fail to implement even the most basic measures. In this survey paper we reported on how passwords are set and protected, and we presented some of the authentication frameworks in use at present. We hope that in the near future more security will be implemented, as password authentication schemes are widely used even though they have flaws.

References

[1] Luo, Wenjian, Yamin Hu, Hao Jiang, and Junteng Wang. “Authentication by Encrypted Negative Password.” IEEE Transactions on Information Forensics and Security 14, no. 1 (2019): 114-128. doi: 10.1109/TIFS.2018.2844854

[2] Tatlı, Emin Islam. “Cracking more password hashes with patterns.” IEEE Transactions on Information Forensics and Security 10, no. 8 (2015): 1656-1665.

[3] Chuang, Ming-Chin, Jeng-Farn Lee, and Meng-Chang Chen. “SPAM: A secure password authentication mechanism for seamless handover in proxy mobile IPv6 networks.” IEEE Systems Journal 7, no. 1 (2013): 102-113.

[4] Shin, SeongHan, and Kazukuni Kobara. “Security analysis of password-authenticated key retrieval.” IEEE Transactions on Dependable and Secure Computing 14, no. 5 (2017): 573-576.

[5] Han, Weili, Zhigong Li, Minyue Ni, Guofei Gu, and Wenyuan Xu. “Shadow attacks based on password reuses: a quantitative empirical analysis.” IEEE Transactions on Dependable and Secure Computing 15, no. 2 (2018): 309-320.

[6] Galbally, Javier, Iwen Coisel, and Ignacio Sanchez. “A new multimodal approach for password strength estimation—Part I: Theory and algorithms.” IEEE Transactions on Information Forensics and Security 12, no. 12 (2017): 2829-2844.

[7] Galbally, Javier, Iwen Coisel, and Ignacio Sanchez. “A new multimodal approach for password strength estimation—Part II: Experimental evaluation.” IEEE Transactions on Information Forensics and Security 12, no. 12 (2017): 2845-2860.

[8] Li, Yue, Haining Wang, and Kun Sun. “Personal information in passwords and its security implications.” IEEE Transactions on Information Forensics and Security 6013 (2017): 1-1.

[9] Ji, Shouling, Shukun Yang, Xin Hu, Weili Han, Zhigong Li, and Raheem Beyah. “Zero-sum password cracking game: A large-scale empirical study on the crackability, correlation, and security of passwords.” IEEE Transactions on Dependable and Secure Computing 14, no. 5 (2017): 550-564.

[10] MacRae, Brent, Amirali Salehi-Abari, and Julie Thorpe. “An exploration of geographic authentication schemes.” IEEE Transactions on Information Forensics and Security 11, no. 9 (2016): 1997-2012.

[11] Dasgupta, Dipankar, Denise Ferebee, Sanjib Saha, Abhijit Kumar Nag, Kul Prasad Subedi, Alvaro Madero, Abel Sanchez, and John Williams. “G-NAS: a grid-based approach for negative authentication.” In Computational Intelligence in Cyber Security (CICS), 2014 IEEE Symposium on, pp. 1-10. IEEE, 2014.

[12] Dasgupta, Dipankar, and Rukhsana Azeem. “A Negative Authentication System.”

[13] Dasgupta, Dipankar, and Sudip Saha. “Password security through negative filtering.” In 2010 International Conference on Emerging Security Technologies, pp. 83-89. IEEE, 2010.

