Internet Security Technologies: Three Level Password Technique

Authentication is the verification of a user's identity in order to maintain the confidentiality of that user's data. The required level of security varies from organization to organization: the armed forces of a nation, for example, require a far more strongly secured environment than a user of Facebook. Based on such requirements various authentication techniques have evolved, and some of them are described below.

Biometric authentication: This technique uses the physical characteristics of an individual to verify his/her identity. Face recognition systems, voice recognition systems, fingerprint scanners, iris scanners, DNA scanners and signature recognition systems are some of the biometric authentication systems.

Of all authentication systems, biometrics provides the most secure environment, but the setup and maintenance of biometric systems is also expensive. It is also time consuming, as matching the presented attribute against all the records in the database takes time.

Smart card authentication: This mechanism falls under the token based approach. Examples of smart cards are the ATM card, the personal identification card, the STK card [2] (a new cryptocurrency for transactions at a point of sale), etc.

The banking sector sees most of these smart card identification systems during transactions. Fraudsters can read the card data and misuse the information for illegal transactions. Shoulder surfing attacks, such as recording the PIN number, and theft of the cards are also possible, and this is counted as the drawback of this authentication system.

Password authentication: This is the most conventional approach in the whole authentication field and the most familiar one for everyone. The user is prompted to enter a username and a password; if they match the stored values, authentication succeeds, otherwise it fails and the user must retry.

Graphical passwords also fall into this category: some images or cartoons are presented in an order, the user selects some of them, and at every login session the user must pick the previously chosen images out of a set of different images. The pass-face authentication system, the recognition based technique and the recall technique [3] come under graphical passwords.

All token based, text based and graphical passwords come under knowledge based authentication (KBA) systems, and KBA is of two types:

Static KBA: Static KBA is the conventional approach of setting up a username and password and remembering them for the lifetime of the account. This setup has drawbacks: users can forget the password, and the password details are vulnerable to different types of attacks.

Dynamic KBA: Dynamic KBA is based on presenting a new password each time the user logs in. Basharzad and Fazeli [4] proposed an algorithm for the dynamic behaviour of a password based on a rigidity level. In their scheme the account is set up in an initial phase with all the information according to the user's intention, such as selecting pictures, and the user is then asked to enter a rigidity level of 1, 2 or 3, corresponding to easy, medium and hard respectively. After this initial information phase, at every login session the user enters the details according to the chosen rigidity level. If the data is not very important the user can select level 1; if it is moderately or very important he/she can use level 2 or level 3.

They developed three algorithms, one for each of the three levels, and using different security levels depending on the data is a good idea. It is tough to crack the password using a replay attack because the number of login requests depends on the number of images given as input: if the value of n is 4, the attacker has only 7 login requests to crack the password [4]. But the proposed system has drawbacks too: the rigidity level is given statically by the user in the initial phase itself, and using cryptographic functions an intruder can crack the password.

This paper proposes a three level password technique which enhances the security system for maintaining the confidentiality of a system. This multilevel password technique consists not only of a static password or a dynamic password but of a combination of both.

Using this multifactor technique it is hard to crack the password because it consists of three different security mechanisms: 1) a text based password, 2) image based authentication and 3) a one time password.

The text based approach is quite conventional, but here it has some specialized characteristics so that it will be hard for an attacker to guess or crack it. Image based authentication (IBA) is divided into two sub levels: selection of a group of images in the first level and selection of color pixels in the following level.

In the final level the one-time password comes into play, which produces a dynamic password for every login session. The user has to provide his/her email address or mobile number in order to receive a notification carrying the one-time password. At every login session a new OTP is generated, and it is hard for an attacker to guess the OTP unless he has the user's email credentials.

Many applications can use this three level technique, and it offers an ample number of selections, so it is hard for an attacker to guess the password. For example, an attacker will definitely face problems in choosing the image order and the color pixels, as thousands of colors exist; any wrong selection results in failure.

This design is very user friendly and robust: it provides a forgot-password mechanism, and using the existing OTP session the user can reset the text, images and colors, so there is an option for re-establishing the passwords.

This scheme does not have any shared keys or hints, which closes off one avenue an attacker might use in searching for the password.

Text Based Password

In the primary level of the scheme the user is registered with his details and asked to enter a username and a password of his choice. These text passwords should meet the following requirements.

  1. Should contain minimum of 8 characters.
  2. Should contain at least one alphabet and one number and one special character.
  3. Should not contain a sequence of numbers or characters.
  4. No part of the username or of the first name of the user should be included.
  5. The date of birth should not be included.
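The five rules above can be checked mechanically at registration time. The following checker is an added example and not code from the paper; two details the text leaves open are assumptions here: a "sequence" is taken to be three or more consecutive characters stepping by one (such as abc or 321), and "any part" of the username or first name is taken to be any three-character piece of it. The date of birth is expected in the dd/mm/yyyy form used later in the paper.

```python
# Added example (not the paper's code): checker for the five text password rules.
# Assumptions: a "sequence" is a run of 3 characters stepping by +1 or -1, and
# "any part" of a name means any 3-character piece of it.

SPECIALS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")


def has_sequence(text: str, run: int = 3) -> bool:
    """True if `text` contains `run` consecutive characters that step by
    exactly +1 or -1 in code point order, e.g. 'abc', '123', '987'."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def dob_forms(dob: str) -> set:
    """Common renderings of a dd/mm/yyyy date of birth (assumed set of formats)."""
    day, month, year = dob.split("/")
    return {day + month + year, year + month + day, dob,
            f"{day}-{month}-{year}", day + month + year[2:], year}


def password_problems(password: str, username: str, first_name: str, dob: str) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:                                    # rule 1
        problems.append("fewer than 8 characters")
    if not any(c.isalpha() for c in password):               # rule 2
        problems.append("no alphabetic character")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    if has_sequence(password):                               # rule 3
        problems.append("contains a sequential run")
    low = password.lower()
    for label, value in (("username", username), ("first name", first_name)):  # rule 4
        v = value.lower()
        pieces = [v[i:i + 3] for i in range(len(v) - 2)] or [v]
        if any(piece and piece in low for piece in pieces):
            problems.append(f"contains part of the {label}")
    if any(form in low for form in dob_forms(dob)):          # rule 5
        problems.append("contains the date of birth")
    return problems


if __name__ == "__main__":
    # constructed sample inputs
    print(password_problems("Tr!pl3-Lock", "xyz", "Alice", "15/03/1990"))
    print(password_problems("alice123", "xyz", "Alice", "15/03/1990"))
```

Returning the full list of violations, rather than a single yes/no, lets the registration page tell the user which rule was broken; the comparison is done on the lower-cased password so that capitalising a name or a date fragment does not slip past the check.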

Along with the password the user is asked to enter a security question of his choice and its answer. It should be quite confidential and personal so that no one else knows the answer to that question.

The above conditions, together with encryption of the passwords, give the passwords strength and make it difficult for an attacker to perform shoulder surfing, sniffing, snooping and guessing attacks. The shoulder surfing attack is hard because, under the conditions provided, users register a password without any hint, so it is very hard to guess. The sniffing attack is controlled because the password is encrypted, so the attacker cannot sniff the password from the network traffic.

The snooping attack is the same as the sniffing attack, with the only difference that the attacker communicates with the user through the network traffic as if he were a legitimate user, and the user's response leads to a compromise of the system. If the password is encrypted, then even if his/her system is compromised the attacker cannot get any user related information. After a set number of trials the account is locked if the password entered is incorrect.

Many business officials and the banking sector use the internet, and today it is very easy to perform any transaction with the help of a smart phone. To protect the privacy of the individual user and maintain the confidentiality of his/her account, many banks provide their internet banking applications with safety measures and authentication, but many incidents of hacked bank accounts and illegal transactions through stolen cards still happen. By adding such conditions the level of security is increased.

Image Based Authentication

In this level the user chooses an image from a group of images, and in the following sub level color pixels of his choice are considered.

Order of Images

A set of images is shown to the user during the registration phase and he/she needs to select a subset of images from the larger set. This subset, together with the order in which the images were selected, is the registered set. During each login session the user is asked to select the same images from a larger set of images; after a given number of trials, if the original images are not selected the account is locked [5].

This image ordering system is quite useful against shoulder surfing attacks, because an attacker has to identify all the images in the same sequence in which they were selected at registration time, otherwise the attempt fails.

For example, in the image above there is a set of images and the user should select any number of images in a certain order. Suppose the user selected 3 images out of those 12 during the registration phase; at login the user needs to select the same three pictures in the same order.

Pixels of colors

This is the second sub level of image based authentication in the 3 level scheme. Many colors are provided in the registration phase and the user can select any color or colors of his choice. Suppose the user selected one or two colors; he needs to specify them at each login session. The user should be very careful about the color selection because there are many mixed colors within the same color, such as different shades of blue and different shades of red, so there are many chances of a wrong selection. After a certain number of trials, if the user has not selected the specified colors the account is blocked.

There is another way of authenticating with these colors: the user is asked to select a set of colors from a large set, and at registration time the user picks his choice of colors from the presented set. At every login the user needs to select the exact set, which is mixed in along with the other colors. With this color pixel authentication an attacker can easily fall into the trap, because it is highly difficult to match one or two out of this number of colors. Even a shoulder surfing attack may fail to capture the exact color, since different shades of the same color exist.

One time password (OTP)

This is the final level of the password and it is a dynamic form of password, also a very secure and reliable technique for achieving privacy. Nowadays many applications and systems use the OTP as a primary feature for securing private information from fraudsters. The OTP is generated using cryptographic algorithms. The mechanism is more secure because the user needs to register his personal details along with contact details; the contact details are very important in this part and play a major role. After registration, at every login session the system sends an OTP to the registered email id, and the user needs to enter that code into the system. Then he can log in.

Let us look deeper into the mechanism of the one-time password. The user enters his details, and the system and the web part produce the OTP at the same time. Since the OTP is a dynamic password, a unique password is produced for every login session. The code is also valid only for a limited time, between 5 and 7 minutes; after that the code is no longer valid and the user needs to generate a new OTP. The OTP is generated using cryptographic hash algorithms, of which MD5 (Message Digest), SHA-1 (Secure Hash Algorithm) and SHA-256 are examples. SHA-256 is better than the other algorithms as it produces a 256 bit hash value, while MD5 and SHA-1 produce 128 bit and 256 bit hash values respectively. Using this algorithm a hash value is generated from the details of the user's account. The web part likewise generates a hash value and an OTP, and the user enters the OTP generated by the web part into the system. Both OTPs are compared; if they match the login is successful, otherwise after some trials the account is locked. The SHA-256 algorithm provides a secure environment with the necessary encryption and hash value production [6]. The user's details are taken into account, a hash value for those details is calculated, the hash value is converted into a numerical value, and from that number a 5 digit code is taken and used as the OTP.

For example, let us consider the scenario of a customer in a bank. While registering for a new account in that bank, he/she is asked to give personal and contact information.

Description           Details
Name                  XYZ
Date of birth         dd/mm/yyyy
Residential address   1111 abc st
Identity card         1234567890
Contact               xyz@gmail.com

Now the details of the person are “XYZdd/mm/yyyy1111abcst1234567890xyz@gmail.com”, and using the SHA-256 algorithm a hash value for the above data is calculated, which is called the message digest [6]. Let the message digest be “3F846343D157CEB3B6249316C9675FCDB103D45DF83705DA8B8704EC2D612748”, which is in hexadecimal format and 256 bits long. This string is converted into a number, which will be around 15-20 digits, and in that number the first 6 digits are skipped and the following 5 digits, counting from the 7th digit, are taken as the OTP. The OTP is generated on both sides, the two are compared, and if they match the login is successful.

NOTE: The OTP is valid for only 5 minutes; after that the user needs to repeat the same process to get a new OTP. Once the OTP is submitted in time the user can access the system or his/her particular account. This is the most secure part of the whole process and the most effective approach for providing privacy. After this level all three levels are completed, and if the user has succeeded in all of them he is very likely the real user, as an attacker or intruder would not be able to pass all three levels.
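The derivation just described can be written out in a few lines. The code below is an added example, not the paper's own code. With an empty nonce it follows the text exactly: SHA-256 over the concatenated registration details, conversion of the hex digest to a decimal number, skip the first 6 digits, take the next 5. One caveat a practitioner will notice is that the details are fixed at registration, so that derivation alone yields the same 5 digits at every login; the example therefore also mixes in a random per-session nonce (an assumption, not in the paper) so the code is genuinely one-time, and enforces the 5 minute validity from the NOTE. The OtpSession class, the 300 second window and the sample values are constructed here.

```python
import hashlib
import secrets
import time

# Added example (not the paper's code). Reproduces the page's OTP derivation and
# adds a per-session nonce plus the 5 minute expiry. Names below are assumptions.
OTP_SKIP = 6                 # digits dropped from the front of the decimal number
OTP_LENGTH = 5               # digits kept as the OTP
OTP_VALIDITY_SECONDS = 300   # the 5 minute window from the NOTE


def details_string(name, dob, address, identity, contact):
    """Concatenate the registration details in the order used in the paper's
    example, with spaces in the address dropped (as in "1111abcst")."""
    return f"{name}{dob}{address.replace(' ', '')}{identity}{contact}"


def sha256_hex(data: str) -> str:
    """Upper case hexadecimal SHA-256 message digest (64 hex characters)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest().upper()


def extract_otp_digits(decimal: str, skip: int = OTP_SKIP, length: int = OTP_LENGTH) -> str:
    """Skip the first `skip` decimal digits and return the following `length` digits."""
    if len(decimal) < skip + length:
        raise ValueError("not enough digits to derive an OTP")
    return decimal[skip:skip + length]


def derive_otp(details: str, nonce: str = "") -> str:
    """Hash the details (plus an optional per-session nonce), convert the hex
    digest to a decimal integer and cut the 5 digit code out of it. With an
    empty nonce this is exactly the static derivation described in the text."""
    decimal = str(int(sha256_hex(details + nonce), 16))
    return extract_otp_digits(decimal)


class OtpSession:
    """One login session: a fresh nonce, the code sent to the user, and an expiry."""

    def __init__(self, details: str, issued_at=None):
        self.nonce = secrets.token_hex(16)            # 128 bit random value per session
        self.issued_at = time.time() if issued_at is None else issued_at
        self.code = derive_otp(details, self.nonce)   # what the server e-mails or texts

    def verify(self, submitted: str, now=None) -> bool:
        now = time.time() if now is None else now
        if now - self.issued_at > OTP_VALIDITY_SECONDS:
            return False                              # expired: user must request a new OTP
        # constant time comparison so timing does not leak how many digits matched
        return secrets.compare_digest(submitted, self.code)


if __name__ == "__main__":
    # constructed sample matching the paper's table
    d = details_string("XYZ", "dd/mm/yyyy", "1111 abc st", "1234567890", "xyz@gmail.com")
    print("digest:", sha256_hex(d))
    print("static OTP (paper's derivation):", derive_otp(d))
    session = OtpSession(d)
    print("session OTP:", session.code, "valid:", session.verify(session.code))
```

The server keeps the OtpSession object (nonce, issue time, expected code) and the user only ever sees the 5 digits; a second session for the same user produces a different nonce and hence a different code, which is what makes the password "dynamic" in the sense the paper intends.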

Security enhancement of the three level password authentication

The modern world has provided us with many techniques and mechanisms, and whether to use them in a positive or a negative way is in our hands. Fraudsters and attackers show their presence in every part of the modern world, and this forces us to keep our personal information in a safe zone. Three level password authentication can be used as a safety gate for accessing the information of a valid user. To improve this authentication system, cryptographic passwords, adding noise to the images used in image based authentication, and OTPs delivered to the user's smart phone act as the key techniques. Let us see them in detail.

Cryptographic passwords

Cryptographic functions are generally used to produce hash values, and from these hash values keys are derived. A key derivation function is used to protect the passwords, which enhances their security. For deriving keys the password is combined with a large set of random values known as the salt [8]. In this context the user needs a password, an iteration count, a salt and a key derivation function; the result is the derived key.

After the salt is generated, the real password and the salt are combined to produce the derived key. Here S is the salt and P is the password, and DK = KDF(P, S) [8]. The iteration count and the length of the derived key are also taken into account, and “Password based key derivation function 1” is used to derive key 1, represented as PBKDF1(P, S, I, dklen). In the same way key 2 is produced using another value from the larger set of salts, represented as PBKDF2(P, S, I, dklen). On obtaining both outputs, DK1 and DK2, a concatenation function combines them into a single encrypted message. A message authentication code is derived from the encrypted message, and the password and the derived key verify the message authentication code under the MAC scheme. If the MAC verifies the password is correct, otherwise the password is wrong. In this way the passwords are secured with the help of cryptographic functions. The hash values can be produced with the MD2, MD5 and SHA-1 hash functions, which produce hash values of length 16, 16 and 20 respectively.
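The salted, iterated key derivation described above is what PBKDF2 [8] provides in practice. The following is an added example and not the paper's code: it stores a per-user random salt and the PBKDF2-HMAC-SHA256 derived key instead of the password, verifies a login by re-deriving the key and comparing in constant time, and shows the derived key used as the key of a message authentication code, which is one reading of the MAC step in the text. The iteration count, key length and the use of SHA-256 as the underlying hash are assumptions.

```python
import hashlib
import hmac
import os

# Added example (not the paper's code): PBKDF2-HMAC-SHA256 password storage and
# a MAC keyed with the derived key. ITERATIONS and DKLEN are assumed values.
ITERATIONS = 600_000
DKLEN = 32


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS, dklen: int = DKLEN) -> bytes:
    """DK = PBKDF2(P, S, I, dklen) with HMAC-SHA256 as the pseudorandom function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen)


def register(password: str, iterations: int = ITERATIONS) -> dict:
    """Store a fresh random salt, the iteration count and the derived key, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations, "dk": derive_key(password, salt, iterations)}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive the key from the submitted password and compare in constant time."""
    candidate = derive_key(password, record["salt"], record["iterations"], len(record["dk"]))
    return hmac.compare_digest(candidate, record["dk"])


def mac_message(record: dict, message: bytes) -> bytes:
    """Derived key used as the key of HMAC-SHA256 over a message (the MAC scheme in the text)."""
    return hmac.new(record["dk"], message, hashlib.sha256).digest()


def verify_mac(record: dict, message: bytes, tag: bytes) -> bool:
    """A tag verifies only if it was produced with the same derived key over the same message."""
    return hmac.compare_digest(mac_message(record, message), tag)


if __name__ == "__main__":
    # constructed sample: same password registered twice gives two different records
    rec = register("Tr!pl3-Lock")
    print("salt:", rec["salt"].hex(), "dk:", rec["dk"].hex())
    print("correct password accepted:", verify_password(rec, "Tr!pl3-Lock"))
    print("wrong password accepted:", verify_password(rec, "tr!pl3-lock"))
    tag = mac_message(rec, b"transfer 100")
    print("MAC verifies:", verify_mac(rec, b"transfer 100", tag))
```

Because the salt is random per user, two users with the same password end up with different derived keys, so a leaked record cannot be matched against a precomputed table; the iteration count is what makes each guess expensive for an attacker who does obtain the record.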

Image properties enhancement in IBA

The images in the IBA are processed to change their properties using additional techniques. Some of the registered images have noise added, some are combined with grain effects, etc. The changed properties will definitely confuse attackers, while only the valid user remembers the exact image and so can get through this level.

The image above is an example of a grain image compared with the original: the essence of the original image is never lost, but there are slight changes in the edited image. There are also other properties such as adding noise and RGB color changes. In RGB, R stands for red, G for green and B for blue, and the combination of this triad gives a new color. Each channel ranges from 0 to 255, so red can produce different shades from 0 to 255, and likewise green and blue. By changing the shades of the original picture in different sectors we can make the image look different from the original. The algorithm can be designed like this.

  • Send the images for processing, such as rotation, recoloring, resizing and noise effects.
  • Randomize the image set and, out of all the images, display a random number of images that include the user selected images.
  • The user selects the images and clicks the submit button.
  • The output is correct if the selected images match the images in the database, otherwise it is wrong.
  • After a set number of trials the account is locked.

With the above steps the security level of the IBA is improved and it can resist some attacks such as shoulder surfing.
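The ordered image check from the "Order of Images" section and the randomized display and lockout steps listed above fit into one small server-side component. The code below is an added example and not the paper's code: it registers a user's images in click order, builds a shuffled login screen that hides the registered images among random decoys, compares the submitted order in constant time, and locks the account after a fixed number of failed trials. The image identifiers, the gallery size, the display size of 12 and the limit of 3 trials are constructed values; the image processing (noise, grain, recoloring) is outside this snippet.

```python
import hmac
import secrets

# Added example (not the paper's code): ordered image selection with a shuffled
# challenge set and lockout. MAX_TRIALS and the image ids are assumed values.
MAX_TRIALS = 3


class ImageAuthenticator:
    def __init__(self, gallery, max_trials: int = MAX_TRIALS):
        self.gallery = list(gallery)          # every image id the server can show
        self.max_trials = max_trials
        self.accounts = {}                    # username -> sequence, failures, lock flag
        self.rng = secrets.SystemRandom()     # OS randomness for decoys and shuffling

    def register(self, username: str, sequence):
        """Store the user's chosen images in the order they were clicked."""
        if len(set(sequence)) != len(sequence) or not set(sequence) <= set(self.gallery):
            raise ValueError("sequence must be distinct images from the gallery")
        self.accounts[username] = {"sequence": list(sequence), "failures": 0, "locked": False}

    def challenge(self, username: str, display_size: int = 12):
        """Login screen: the registered images plus random decoys, in random order."""
        sequence = self.accounts[username]["sequence"]
        decoys = [img for img in self.gallery if img not in sequence]
        n_decoys = min(display_size - len(sequence), len(decoys))
        display = sequence + self.rng.sample(decoys, n_decoys)
        self.rng.shuffle(display)
        return display

    def login(self, username: str, selected) -> bool:
        """True only if the selection matches the registered sequence in the same order."""
        account = self.accounts[username]
        if account["locked"]:
            return False                      # locked accounts reject even the right answer
        expected = "\x00".join(account["sequence"]).encode()
        given = "\x00".join(selected).encode()
        if hmac.compare_digest(given, expected):
            account["failures"] = 0
            return True
        account["failures"] += 1
        if account["failures"] >= self.max_trials:
            account["locked"] = True
        return False

    def is_locked(self, username: str) -> bool:
        return self.accounts[username]["locked"]


if __name__ == "__main__":
    # constructed gallery of 20 image ids; user registers three of them in order
    auth = ImageAuthenticator([f"img{i:02d}" for i in range(1, 21)])
    auth.register("alice", ["img03", "img11", "img07"])
    print("shown at login:", auth.challenge("alice"))
    print("right order:", auth.login("alice", ["img03", "img11", "img07"]))
    print("wrong order:", auth.login("alice", ["img11", "img03", "img07"]))
```

The same structure serves the color sub level: the registered color set takes the place of the image sequence, and the decoys are the extra shades mixed into the palette. Keeping the failure counter on the server, not in the client, is what makes the lockout step effective.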
Smart phone included OTP

The generation and usage of the OTP were explained in the previous section. Adding extra features such as sending the OTP as a short message service text or as a voice message to the user can be a very good way of authentication. During the registration phase the user is asked to enter a mobile number, the generated OTP is sent to that registered number, and using that OTP within the specified time limit the user logs into the system. The OTP is sent to the user within a specified time after generation. After the user enters the OTP it is checked against the database information to confirm whether it is the same, and if so the user is permitted to log in, otherwise permission is denied.

Updated: Feb 19, 2024

Internet Security Technologies: Three Level Password Technique. (2024, Feb 19). Retrieved from https://studymoose.com/internet-security-technologies-three-level-password-technique-essay
