8/9/2019 3-Way Handshake Approach towards Secure Authentication Schemes
http://slidepdf.com/reader/full/3-way-handshake-approach-towards-secure-authentication-schemes 1/6
Journal of Computing, Volume 2, Issue 7, July 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 17
3-Way Handshake Approach towards Secure Authentication Schemes
Gaurav Kumar Tak, Ashok Rangnathan and Pankaj Srivastava
Abstract—Computer crime can easily be defined as criminal activity that involves an information technology infrastructure, including illegal access (unauthorized access), illegal interception, data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), unethical access to information and web services, disturbance of social peace, systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.
This paper introduces a new methodology against intruders as well as phishing attackers. The proposed methodology is based on the 3-way handshake concept between the end user and the online portal server. The methodology provides a secure environment for online transactions using 3 layers: the 1st layer following username and password authentication, and the 2nd and 3rd layers following cross validation via e-mail and SMS respectively.
Index Terms—Cross Validation, e-mail, Handshake, Phishing.
1 INTRODUCTION
In the field of computer security or network security, hacking is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, security keys and credit card (or debit card, master card) details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment gateways or IT administrators are commonly used to lure the unsuspecting public. A secure system depends upon the following factors: Confidentiality, Authenticity, Integrity and Non-Repudiation, constituting the acronym “CAIN” [10]. IP spoofing (usurping the IP address of a certain PC), TCP (Transmission Control Protocol) hijacking (interception of a TCP session), ARP spoofing (re-linking the network traffic from one or more PCs to the PC of the malefactor) and DNS (Domain Name System) spoofing (basically DNS IP spoofing and DNS cache poisoning) are the common attacks over any type of network [1], [2].

————————————————
Gaurav Kumar Tak is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management Gwalior (M.P.), INDIA.
Alok Ranjan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Rajeev Kumar is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Ashok Rangnathan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Pankaj Srivastava is with the Department of Applied Sciences, ABV-Indian Institute of Information Technology and Management Gwalior (M.P.), INDIA.
2 RELATED WORK
Many scientists and researchers have proposed several schemes to secure the password and to prevent external attacks, but it has so far proved impossible to build a completely (100%) secure system. In [11], Yang et al. presented a couple of password validation schemes based on smart cards. One validation approach uses a timestamp and the other is nonce-based. In these schemes, a user can choose according to his preference and can, at any time, modify his password independently. The remote web server does not need to maintain a directory of the users’ passwords for their validation or a verification table to authenticate users, and the login validation can be carried out without the involvement of a third party.
An OTP card scheme has also been proposed to provide authentication security. It generates single-time passwords and single-time password sheets; a laptop equipped with the protocols of secure validation also shows good transparency [12]. But this scheme has its own limitations.
Chan and Cheng (2001) identified some vulnerabilities of the YS scheme to forgery attacks. They focused on the attackers’ approach that an attacker can
approach, the user enters his correct username and password and he receives a key on his email. The user has to enter this key and has to give the same answer to the private question asked during the registration phase page to log in as an authenticated user. This method is less secure as the key is sent without encryption.
3. Send the key on SMS and private question: At the time of login, if the email cannot be sent due to a temporary problem with the email service, the proposed methodology has an alternate approach which is less secure. In this alternate approach, the user enters his correct username and password and he receives a key on his mobile phone corresponding to the contact number used at the time of registration. The user has to enter this key and has to give the same answer to the private question asked during the registration phase page to log in as an authenticated user. This method is less secure as the key is sent without encryption.
Fig. 1. Screen when user enters valid username and password
Fig. 2. Screen when user receives encrypted keys and enters the decrypted key
We have implemented the 3-Way Handshake Approach using HTML, script languages, AJAX, XML, MySQL and JavaScript for the online transaction portal and recorded all activities of the genuine user and intruder over the portal. We have analyzed all security aspects of the online transaction.
3 SECURITY ANALYSIS AND DISCUSSIONS
In this section, the security of the proposed methodology is examined. In the proposed methodology, after selecting one of the 3 options, the key is sent via email and/or SMS, the box is displayed for entering the decrypted key and/or the private question is displayed and the box for its answer is displayed. These functions are accomplished using AJAX and XML technology, which provides for a secure communication between the website and the confidential database.

The encrypted key is randomly generated every time the user logs in and is stored corresponding to the user in the temporary database at the server. The key is destroyed after the transaction session is over.
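As an added example (not the authors' PHP/AJAX implementation), the following Python sketch models the server side of the key step just described: a fresh random key per login, kept in a per-user temporary store and destroyed once used or once the session ends. The key lifetime, attempt limit and constant-time comparison are hardening assumptions not described in the paper.

```python
import hmac
import secrets
import time

# Constructed, in-memory stand-in for the paper's "temporary database" at the server.
# A key is issued per login attempt and destroyed once used or once the session ends.
# KEY_TTL_SECONDS and MAX_ATTEMPTS are hardening assumptions, not part of the paper.
KEY_TTL_SECONDS = 300
MAX_ATTEMPTS = 3

class HandshakeKeyStore:
    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested offline
        self._pending = {}         # username -> {"key": str, "issued": float, "attempts": int}

    def issue_key(self, username: str) -> str:
        """Layers 2/3: generate a fresh random key for this login and remember it
        server-side. The returned key is what the portal would deliver via e-mail or SMS."""
        key = secrets.token_hex(16)            # 128 bits from a CSPRNG, new on every login
        self._pending[username] = {"key": key, "issued": self._now(), "attempts": 0}
        return key

    def verify_key(self, username: str, submitted: str) -> bool:
        """Check the key the user typed back. Anything other than a fresh, correct,
        in-time key fails; a correct key is destroyed on use so it cannot be replayed."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        if self._now() - entry["issued"] > KEY_TTL_SECONDS:
            del self._pending[username]        # stale key: destroy it, force a new login
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[username]        # too many guesses: destroy the key
            return False
        ok = hmac.compare_digest(entry["key"], submitted)   # constant-time comparison
        if ok:
            del self._pending[username]        # one-time use
        return ok

    def end_session(self, username: str) -> None:
        """Destroy any outstanding key when the transaction session is over."""
        self._pending.pop(username, None)

    def has_pending(self, username: str) -> bool:
        return username in self._pending
```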
The 3-Way Handshake Approach provides security in the following ways:

1. Prevent intruders’ attack on the user’s transactions: If an intruder tries to log in with the username and password of a user, he will not be able to log in as he does not know the email id of the user to which the encrypted key is sent and does not have access to the user’s mobile phone to which the encrypted key is sent. The intruder needs access to both the email id as well as the mobile phone of the user to be able to log in successfully. Thus he will not be able to enter the decrypted key and log in as an authenticated user. If the intruder tries to log in using the alternate approaches, he will not be able to log in because he does not know the answer to the private question of the user. Even if he answers the private question correctly, he would not be able to log in as he does not know the email id of the user and does not have the mobile phone of the user.
2. Verifies whether the website is a genuine website or a phishing website: If the website is a phishing website, then it cannot access the confidential database for the email id and contact number that the original site accesses for sending the encrypted key.
Fig. 3. User performs account registration for the online portal
Fig. 4. User logs into the secure website
Fig. 5. Intruder logs into the secure website
Fig. 6. In case of phishing website
4 CONCLUSION AND LIMITATION
Currently phishing attacks are so common because they can attack globally and capture and store the users’ confidential information. This information is used by the attackers (who are indirectly involved in the phishing process). In this paper, the 3-way Handshake approach provides a more secure platform to the end users for their online transactions. In this methodology, attackers cannot attack the email and SMS simultaneously. Information stealing will be minimized and more secure communication (transmission) will occur using the proposed methodology. If any intruder wants to peek into the transmission of the confidential data, he will not be able to recognize the patterns of the encrypted data, so the data will be more secure. The proposed methodology is useful to prevent the attacks of intruders as well as phishing websites on financial web portals, payment gateway portals, banking portals and e-shopping markets (e.g. eBay, PayPal, etc.). We can also work on survey analysis of the data generated using the concept of the proposed methodology.
The above methodology needs more hardware for its implementation, and it increases the workload of the mail server as well as the SMS server. Owing to the higher hardware specification, the cost of implementing the proposed methodology is relatively higher.
ACKNOWLEDGEMENT
The authors would like to thank ABV-Indian Institute of Information Technology and Management, Gwalior for the kind support provided for this work.
REFERENCES
[1] Ollmann G., The Phishing Guide: Understanding & Preventing Phishing Attacks, NGS Software Insight Security Research.
[2] Yu, W.D.; Nargundkar, S.; Tiruthani, N., "A phishing vulnerability analysis of web based systems," Computers and Communications, 2008. ISCC 2008. IEEE Symposium on, pp. 326–331, 6–9 July 2008.
[3] Maher Ragheb Aburrous, Alamgir Hossain, Keshav Dahal, Fadi Thabatah, "Modelling Intelligent Phishing Detection System for E-banking Using Fuzzy Data Mining," 2009 International Conference on CyberWorlds, pp. 265–272, 2009.
[4] Abu-Nimeh, S.; Nair, S., "Bypassing Security Toolbars and Phishing Filters via DNS Poisoning," Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008, pp. 1–6, Nov. 30 2008 – Dec. 4 2008.
[5] Alnajim, A. and Munro, M. 2009. An Anti-Phishing Approach that Uses Training Intervention for Phishing Websites Detection. In Proceedings of the 2009 Sixth International Conference on Information Technology: New Generations (April 27–29, 2009). ITNG. IEEE Computer Society, Washington, DC, 405–410. DOI=http://dx.doi.org/10.1109/ITNG.2009.109
[6] Juan Chen and Chuanxiong Guo, Online Detection and Prevention of Phishing Attacks, in Proc. Chinacom 06.
[7] Beginning PHP5, Apache, and MySQL Web Development by Elizabeth Naramore, Jason Gerner, Yann Le Scouarnec, Jeremy Stolz, Michael K. Glass; ISBN: 9780764579660.
[8] PHP, AJAX, MySQL and JavaScript Tutorials, http://www.w3schools.com/
[9] Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford. CAPTCHA: Using Hard AI Problems for Security. In Eurocrypt.
[10] Gedam, Dhiraj Nilkanthrao, RSA Based Confidentiality and Integrity Enhancements in SCOSTA-CL, A thesis report, Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, India, July 2009.
[11] Yang, W.H., and S.P. Shieh (1999). Password authentication schemes with smart cards. Computers & Security, 18(8), 727–733.
[12] M. Naor and B. Pinkas. Visual authentication and identification. In Proc. Advances in Cryptology, pages 322–336, 1999.
[13] Chan, C.K., and L.M. Cheng. Cryptanalysis of time stamp-based password authentication scheme. Computers & Security, 21(1), 74–76, 2001.
[14] Chen, K.F. and S. Zhong. Attacks on the (enhanced) Yang–Shieh authentication. Computers & Security, 22(8), 725–727, 2003.
[15] Chan, C.K., and L.M. Cheng. Cryptanalysis of timestamp-based password authentication scheme. Computers & Security, 21(1), 74–76, 2001.
[16] Sun, H.M., and H.T. Yeh. Further cryptanalysis of a password authentication scheme with smart cards. IEICE Transactions on Communications, E86-B(4), 1412–1415, 2003.
[17] Real User Corporation. The Science Behind Passfaces. In http://www.realuser.com/published/ScienceBehindPassfaces.pdf, June 2004.
[18] R. Dhamija and A. Perrig. Deja vu: A user study using images for authentication. In Proc. 9th USENIX Security Symposium, 2000.
[19] Y. Zhu, X. Suo and G. Scott Owen. Graphical passwords: A survey. In Proc. 21st Annual Computer Security Applications Conference, 2005.
[20] S. Li and H.-Y. Shum. SecHCI: Secure human-computer identification (interface) systems against peeping attacks, 2003.
[21] T. Matsumoto. Human-computer cryptography: an attempt. In Proc. Conf. on Computer and Communications Security, pages 68–75, 1996.
[22] T. Matsumoto. Human-computer cryptography: an attempt. In Proc. Conf. on Computer and Communications Security, pages 68–75, 1996.
About the Authors
Ashok Ranganathan is a student of Atal Bihari Vajpayee Indian Institute of Information Technology and Management, Gwalior pursuing the 2nd year of B.Tech in Information Technology. His areas of research are Internet security, trust and privacy, database management, cloud computing and applications.

Gaurav Kumar Tak is a student of the 4th year Integrated Post Graduate Course (B.Tech. + M.Tech. in Information and Communication Technology) in ABV-Indian Institute of Information Technology and Management Gwalior, India. His fields of research are data mining, internet security and wireless ad-hoc networks.

Dr. Pankaj Srivastava is an Assistant Professor in the area of Applied Sciences (Physics) of the Institute. He achieved his doctoral degree in physics from the physics department, Allahabad University, India. His current area of research is nanotechnology, investigating various physical properties of materials in the form of nanowires, nanoclusters and nanotubes w.r.t. electronic devices and information technology applications. Dr. Srivastava is also working in the area of Quantum Computing and Information and many other projects on nanoCMOS and nanoMOSFET technology. He has till now published more than 43 research papers in reputed international and national journals, conferences and seminars.