3-way handshake approach towards secure authentication schemes



Journal of Computing, Volume 2, Issue 7, July 2010, ISSN 2151-9617. HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/, WWW.JOURNALOFCOMPUTING.ORG

3-Way Handshake Approach towards Secure Authentication Schemes

Gaurav Kumar Tak, Ashok Rangnathan and Pankaj Srivastava

Abstract—Computer crime can easily be defined as the criminal activity that involves an information technology infrastructure, including illegal access (unauthorized access), illegal interception, data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), unethical access of information and web services, disturbance of social peace, systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud.

This paper introduces a new methodology against intruders as well as phishing attackers. The proposed methodology is based on the 3-way handshake concept between the end user and the online portal server. The methodology provides a secure environment for online transactions using 3 layers: the 1st layer performs username and password authentication, and the 2nd and 3rd layers perform cross validation via e-mail and SMS respectively.

Index Terms—Cross Validation, e-mail, Handshake, Phishing.


1  INTRODUCTION 

In the field of computer security or network security, hacking is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, security keys and credit card (or debit card, master card) details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment gateways or IT administrators are commonly used to lure the unsuspecting public.

A secure system depends upon the following factors: Confidentiality, Authenticity, Integrity and Non-Repudiation, constituting the acronym “CAIN” [10]. IP spoofing (usurping the IP address of a certain PC), TCP (Transmission Control Protocol) hijacking (interception of a TCP session), ARP spoofing (re-linking the network traffic from one or more PCs to the PC of the malefactor) and DNS (Domain Name System) spoofing (basically DNS IP spoofing and DNS cache poisoning) are the common attacks over any type of network [1], [2].

————————————————
Gaurav Kumar Tak is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Alok Ranjan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Rajeev Kumar is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Ashok Rangnathan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Pankaj Srivastava is with the Department of Applied Sciences, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.

2  RELATED WORK

Many scientists and researchers have proposed several schemes to secure the password and to prevent external attacks, but it has so far proved impossible to build a completely (100%) secure system. In [11], Yang et al. presented a couple of password validation schemes based on smart cards. One validation approach uses a timestamp and the other is nonce-based. In these schemes, a user can choose a password according to his choice and can modify it independently at any time. The remote web server does not need to maintain a directory of the users’ passwords for their validation or a verification table of authenticated users, and the login validation can be carried out without the involvement of a third party.

An OTP card scheme was also proposed to provide the security of authentication. It generates single-time passwords and single-time password sheets; a laptop armed with the protocols of secure validation also shows good transparency [12]. But this scheme has its own limitations.

Chan and Cheng (2001) pointed out some vulnerabilities of the YS scheme to forgery attacks. They focused on the attackers’ approach that an attacker can


approach, the user enters his correct username and password and he receives a key on his email. The user has to enter this key and has to give the same answer to the private question asked during the registration phase page to log in as an authenticated user. This method is less secure as the key is sent without encryption.

3.  Send the key on SMS and private question: At the time of login, if the email cannot be sent due to a temporary problem with the email service, the proposed methodology has an alternate approach which is less secure. In this alternate approach, the user enters his correct username and password and he receives a key on his mobile phone corresponding to the contact number used at the time of registration. The user has to enter this key and has to give the same answer to the private question asked during the registration phase page to log in as an authenticated user. This method is less secure as the key is sent without encryption.

Fig. 1. Screen when user enters valid username and password

Fig. 2. Screen when user receives encrypted keys and enters the decrypted key

We have implemented the 3-Way Handshake Approach using HTML, script languages, AJAX, XML, MySQL and JavaScript for the online transaction portal and recorded all activities of the genuine user and intruder over the portal. We have analyzed all security aspects of the online transaction.

3  SECURITY ANALYSIS AND DISCUSSIONS 

In this section, the security of the proposed methodology is examined. In the proposed methodology, after selecting one of the 3 options, the key is sent via email and/or SMS, the box is displayed for entering the decrypted key and/or the private question is displayed together with the box for its answer. These functions are accomplished using AJAX and XML technology, which provides for secure communication between the website and the confidential database.

The encrypted key is randomly generated every time the user logs in and is stored, corresponding to the user, in the temporary database at the server. The key is destroyed after the transaction session is over.

The 3-Way Handshake Approach provides security in the following ways:

1.  Prevent intruders’ attack on the user’s transactions: If an intruder tries to log in with the username and password of a user, he will not be able to log in as he does not know the email id of the user to which the encrypted key is sent and does not have access to the mobile phone of the user to which the encrypted key is sent. The intruder needs to access both the email id as well as the mobile phone of the user to be able to log in successfully. Thus he will not be able to enter the decrypted key and log in as an authenticated user. If the intruder tries to log in


using the alternate approaches, he will not be able to log in because he does not know the answer to the private question of the user. Even if he answers the private question correctly, he would not be able to log in as he does not know the email id of the user and does not have the mobile phone of the user.

2.  Verifies whether the website is a genuine website or a phishing website: If the website is a phishing website, then it cannot access the confidential database for the email id and contact number that the original site accesses for sending the encrypted key.

Fig. 3. User performs account registration for the online portal

Fig. 4. User logs in into the secure website

Fig. 5. Intruder logs in into the secure website


Fig. 6. In case of phishing website

4  CONCLUSION AND LIMITATION 

Currently phishing attacks are very common because they can be launched globally and capture and store the users’ confidential information. This information is used by the attackers (who are indirectly involved in the phishing process). In this paper, the 3-way Handshake approach provides a more secure platform to the end users for their online transactions. In this methodology, attackers can’t attack the email and SMS simultaneously. Information stealing will be minimized and more secure communication (transmission) will occur using the proposed methodology. If any intruder wants to peek into the transmission of the confidential data, he will not be able to recognize the patterns of the encrypted data. So the data will be more secure. The proposed methodology is useful to prevent the attacks of intruders as well as phishing websites on financial web portals, payment gateway portals, banking portals and e-shopping markets (e.g. eBay, PayPal, etc.). We can also work on the survey analysis from the data generated using the concept of the proposed methodology.

The above methodology needs more hardware for the implementation. Thus, it increases the workload of the mail server as well as the SMS server. Owing to the higher hardware specification, the cost of implementation of the proposed methodology is relatively higher.

ACKNOWLEDGEMENT 

The authors would like to thank ABV-Indian Institute of Information Technology and Management, Gwalior for the kind support provided for this work.

REFERENCES 

[1]  Ollmann G., The Phishing Guide: Understanding & Preventing Phishing Attacks, NGS Software Insight Security Research.

[2]  Yu, W.D.; Nargundkar, S.; Tiruthani, N., "A phishing vulnerability analysis of web based systems," Computers and Communications, 2008. ISCC 2008. IEEE Symposium on, pp. 326-331, 6-9 July 2008.

[3]  Maher Ragheb Aburrous, Alamgir Hossain, Keshav Dahal, Fadi Thabatah, "Modelling Intelligent Phishing Detection System for E-banking Using Fuzzy Data Mining," cw, pp. 265-272, 2009 International Conference on CyberWorlds, 2009.

[4]  Abu-Nimeh, S.; Nair, S., "Bypassing Security Toolbars and Phishing Filters via DNS Poisoning," Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008, pp. 1-6, Nov. 30 2008 - Dec. 4 2008.

[5]  Alnajim, A. and Munro, M. 2009. An Anti-Phishing Approach that Uses Training Intervention for Phishing Websites Detection. In Proceedings of the 2009 Sixth International Conference on Information Technology: New Generations (April 27-29, 2009). ITNG. IEEE Computer Society, Washington, DC, 405-410. DOI=http://dx.doi.org/10.1109/ITNG.2009.109

[6]  Juan Chen and Chuanxiong Guo, Online Detection and Prevention of Phishing Attacks, in Proc. Chinacom 06.

[7]  Beginning PHP5, Apache, and MySQL Web Development by Elizabeth Naramore, Jason Gerner, Yann Le Scouarnec, Jeremy Stolz, Michael K. Glass; ISBN: 9780764579660.

[8]  PHP, AJAX, MySql and JavaScript Tutorials, http://www.w3schools.com/

[9]  Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford. CAPTCHA: Using Hard AI Problems for Security. In Eurocrypt.

[10]  Gedam, Dhiraj Nilkanthrao, RSA Based Confidentiality and Integrity Enhancements in SCOSTA-CL, A thesis report, Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, India, July 2009.

[11]  Yang, W.H., and S.P. Shieh (1999). Password authentication schemes with smart cards. Computers & Security, 18(8), 727–733.

[12]  M. Naor and B. Pinkas. Visual authentication and identification. In Proc. Advances in Cryptology, pages 322–336, 1999.

[13]  Chan, C.K., and L.M. Cheng. Cryptanalysis of timestamp-based password authentication scheme. Computers & Security, 21(1), 74–76, 2001.

[14]  Chen, K.F. and S. Zhong. Attacks on the (enhanced) Yang–Shieh authentication. Computers & Security, 22(8), 725–727, 2003.

[15]  Chan, C.K., and L.M. Cheng. Cryptanalysis of timestamp-based password authentication scheme. Computers & Security, 21(1), 74–76, 2001.

[16]  Sun, H.M., and H.T. Yeh. Further cryptanalysis of a password authentication scheme with smart cards. IEICE Transactions on Communications, E86-B(4), 1412–1415, 2003.

[17]  Real User Corporation. The Science Behind Passfaces. In http://www.realuser.com/published/ScienceBehindPassfaces.pdf, June 2004.

[18]  R. Dhamija and A. Perrig. Deja vu: A user study using images for authentication. In Proc. 9th USENIX Security Symposium, 2000.

[19]  Y. Zhu, X. Suo and G. Scott Owen. Graphical passwords: A survey. In Proc. 21st Annual Computer Security Applications Conference, 2005.

[20]  S. Li and H.-Y. Shum. SecHCI: Secure human-computer identification (interface) systems against peeping attacks, 2003.

[21]  T. Matsumoto. Human-computer cryptography: an attempt. In Proc. Conf. on Computer and Communications Security, pages 68–75, 1996.

[22]  T. Matsumoto. Human-computer cryptography: an attempt. In Proc. Conf. on Computer and Communications Security, pages 68–75, 1996.

About the Authors


Ashok Ranganathan is a student of Atal Bihari Vajpayee Indian Institute of Information Technology and Management, Gwalior pursuing the 2nd year of B.Tech in Information Technology. His areas of research are Internet security, trust and privacy, database management, cloud computing and applications.

Gaurav Kumar Tak is a student of the 4th year Integrated Post Graduate Course (B.Tech. + M.Tech. in Information and Communication Technology) in ABV-Indian Institute of Information Technology and Management Gwalior, India. His fields of research are data mining, internet security and wireless ad-hoc networks.

Dr. Pankaj Srivastava is an Assistant Professor in the area of Applied Sciences (Physics) of the Institute. He achieved his doctoral degree in physics from the physics department, Allahabad University, India. His current area of research is nanotechnology, investigating various physical properties of materials in the form of nanowires, nanoclusters and nanotubes w.r.t. electronic devices and information technology applications. Dr. Srivastava is also working in the area of Quantum Computing and Information and many other projects on nanoCMOS and nanoMOSFET technology. He has till now published more than 43 research papers in reputed international and national journals, conferences and seminars.