Hacking Resistance Protocol for Securing Passwords Using Personal Device

C. Shyamala Kumari1 and M. Deepa Rani2

Department of Computer Science and Engineering, Pandian Saraswathi Yadav Engineering College,

Arasanoor, Sivagangai Dt., Tamil Nadu, India

E-mail: Ishyamala.cl@gmail.com;2deepa.murugan24@gmail.com

Abstract-Users passwords are prone to be stolen and compromised under different threats and vulnerabilities. Firstly, users often select weak passwords and reuse the same passwords across different websites. An adversary can launch several password stealing attacks to snatch passwords, such as phishing, key loggers and malware. In this paper, we design a hacking resistance protocol for system access (login) and other applications requiring authentication that is secure against passive attacks based on replaying captured reusable passwords. This protocol was evolved from the SIKEY (SIKEY is a trademark of Bell core). The authentication system described in this document uses a secret pass-phrase to generate a sequence of one-time passwords. With this system, the user's secret pass-phrase never needs to cross the network at any time such as during authentication or during pass-phrase changes. Thus, it is not vulnerable to replay attacks. Added security is provided by the property that no secret information need be stored on any system, including the server being protected The security of the system is based on the non-invert ability of a secure hash function. Such a function must be tractable to compute in the forward direction, but computationally infeasible to invert. This protocol leverages a user's cell phone and short message service to thwart password hacking.

Keywords: Network Security, Hacking Resistance, Password Stealing, One-Time Password, Hash Function.

I. INTRODUCTION

Generally, password-based user authentication can resist brute force and dictionary attacks [10], [18] if users select strong passwords to provide sufficient entropy. However, password-based user authentication has a major problem that humans are not experts in memorizing text strings[3]. Thus, most users would choose easy-to-remember passwords [13]. Figure 1 shows the analysis of password selection by user. Another problem is that users tend to reuse passwords across various websites. Password reuse causes users to lose sensitive information stored in different websites if a hacker compromises one of their passwords [14]. The above problems are caused by the negative influence of human factors. Therefore, it is important to

978-1-4673-4603-0/12/$31.00 ©2012 IEEE

take human factors into consideration when designing a hacking resistance protocol. Up to now, researchers have investigated a variety of technology to reduce the negative influence of human factors in the user authentication procedure. Since humans are more adept in remembering graphical passwords [15], [1] many graphical password schemes were designed to address human's password recall problem. Using password management tools is an alternative. These tools automatically generate strong passwords for each website, which addresses password reuse and password recall problems. The advantage is that users only have to remember a master password to access the management tool. Despite the assistance of these two technologies- graphical password [8] and password management tool the user authentication system still suffers from some considerable drawbacks.

Some researches focus on the three-factor authentication rather than password-based authentication to provide more reliable user authentication. Three-factor authentication [12] depends on what you know (e.g., password), what you have (e.g., token), and who you are (e.g., biometric). To pass the authentication, the user must input a password and provide a pass code generated by the token (e.g., RSA SecureID), and scan her biometric features (e.g., fingerprint or pupil). Three-factor authentication is a comprehensive defense mechanism against password stealing attacks, but it requires comparative high cost.

Although many banks support two-factor authentication [6] [7], it still suffers from the nonnegative influence of human factors, such as the password reuse attack. Users have to memorize another four-digit PIN code to work together with the token, for example RSA Secure ID. In addition, users easily forget to bring the token. In this paper, a hacking resistance protocol is proposed which leverages a user's cell phone and short message service (SMS) to prevent the password stealing and password reuse attacks. It is difficult to thwart password reuse attacks from any scheme where the users have to remember something. The main cause of stealing password attacks is when users type passwords to the main concept of this protocol is free users from having to remember or type any passwords into conventional

Hacking Resistance Protocol for Securing Passwords Using Personal Device 459

computers for authentication. Unlike generic and the user authentication, this protocol involves a new component, the cell phone, which is used to generate one­time passwords and a new communication channel used to transmit messages.

II. BACKGROUND

Hacking resistance protocol adopts the one-time password strategy therefore, the strategy is given later. We also describe the secure features of SMS channel and explain why SMS can be trusted. Finally, we introduce the security of 3G connection used in the registration and recovery phases.

• Only upper case

• Only lower case

• Only numeric

• Contains special chara(ters

FIG. 1: ANALYSIS OF PASSWORD SELECTION

A. One-Time Password

The one-time passwords are generated by a secure one-way hash function. With a given input, the set of one- time passwords is established by a hash chain through multiple hashing [16]. Assuming we wish to prepare one-time passwords, the first of these passwords is produced by performing hashes on input c.

00= Jt(c) . . . (1)

The next one-time password is obtained by performing N -1 hashes.

0, = J!'-'(c) ... (2)

Hence, the general formula is given as follows:

OJ=J!'·j(c) . . . (3)

For security reasons, we use these one-time passwords in reverse order, i.e., using ON.'ON_2 ....... oo. If an old one-time password is leaked, the attacker is unable to derive the next one. Besides, the input c is derived from a long-term password (Pu), the identity of server (IDs), and a random

seed (<p) generated by the server.

C = H(PuIIIDsll<p) ... (4)

Note that function is a hash which IS irreversible in general cryptographic assumption.

B. SMS Channel

As we know, SMS is a fundamental service of telecom, which belongs to 3GPP standards [17]. SMS represents the most successful data transmission of telecom systems; hence, it is the most wide- spread mobile service [11] in the world. Besides the above advantages, we chose SMS channel because of its security benefits. SMS represents the most successful data transmission of telecom systems; hence, it is the most wide spread mobile service in the world. Besides the above advantages, we chose SMS channel because of its security benefits. Unlike conventional authentication protocols, users securely transfer sensitive messages to servers without relying on untrusted kiosks. This protocol resists password stealing attacks since it is based on SMS channels.

C. 3 G Connection

The hacking resistance protocol utilizes the security features of 3G connection [19] to develop the convenient account registration and recovery procedures. Users can securely transmit and receive information to the web site through a 3G connection.

III. ARCHITECTURE AND ASSUMPTIONS

In this section we introduce the architecture of our hacking resistant protocol system and make some reasonable assumptions.

A. Architecture

For users to perform secure login on an untrusted computer (kiosk), the protocol consists of a trusted cell phone, a browser on the kiosk, and a web server that users wish to access. The user operates her cell phone and the untrusted computer directly to accomplish secure logins to the web server. The communication between the cell phone and the web server is through the SMS channel. The web browser interacts with the web server via the Internet. In our protocol design, we require the cell phone interact directly with the kiosk. The general approach is to select available interfaces on the cell phone, Wi-Fi or Bluetooth. Fig. 2 shows the architecture of hacking resistance protocol.

r e ,--., �

L iiI»))- � • + SlI5U ..... 1

"''.'' I ./" ......... "inorll!u'_h " ,o'

FIG. 2: ARCHITECTURE OF HACKING RESISTANCE PROTOCOL

460 Proceedings of7'h International Conference on Intelligent Systems and Control (ISCO 2013)

B. Assumptions

The assumptions in resistant protocol system are as follows: • Each web server possesses a unique phone number.

Via the phone nwnber, users can interact with each website through an SMS channel.

• The users' cell phones are malware-free. Hence, users safely input the long-term passwords into cell phones.

• The telecommunication service provider (TSP) will participate in the registration and recovery phases. The TSP is a bridge between subscribers and web servers. It provides a service for subscribers to perform the registration and recovery progress with each web service.

• Users connect to the TSP via 3G connections [19] to protect the transmission.

• The TSP and the web server establish a secure sockets layer (SSL) tunnel. Via SSL protocol, the TSP can verify the server by its certificate to prevent phishing attacks. With the aid of TSP, the server can receive the correct T"sent from the subscriber.

• If a user loses her cell phone, she can notify her TSP to disable her lost SIM card and apply a new card with the same phone nwnber. Therefore, the user can perform the recovery phase using a new cell phone.

IV. HACKING RESISTANCE PROTOCOL

In this section, we present a protocol from the user perspective to show operation flows. This protocol consists of registration, login, and recovery phases. We introduce the details of these three phases respectively.

A. Overview

The protocol utilizes a user's cell phone as an authentication token and SMS as a secure channel. Different from regular login processes, additional steps are required for the protocol. In the registration phase, a user starts the protocol program to register her new account on the website. Unlike conventional registration, the server requests for the user's account id and phone number, instead of password.

The program automatically sends a registration SMS message to the server for completing the registration procedure. The protocol also designed a recovery phase to fix problems in some conditions, such as losing one's cell phone. The login procedure in protocol does not require users to type passwords into an un trusted web browser. Finally, the cell phone receives a response message from the server and shows a success message on her screen if the server is able to verify her identity.

B. Registration Phase

The aim of this phase is to allow a user and a server to negotiate a shared secret to authenticate succeeding logins for this user. The user begins by opening the protocol

program installed on her cell phone. She enters ID (account id she prefers) and ID (usually the website URL or domain name) to the program. Once the TSP received the ID and the ID, it can trace the user's phone number based on user's SIM card. The TSP also plays the role of third­party to distribute a shared key between the user and the server. The cell phone computes a secret credential by the following operation:

c= J[(PuIIIDsll<p) (5)

To prepare a secure registration SMS the cell phone encrypted the computed credential c with the key Ksd and generates the corresponding MAC. Then, the cell phone sends an encrypted registration SMS to the server by phone number as follows:

Cellphone s�s s: IDu, {CIl4>}K.d,IV, HMAC 1 ·

C. Login Phase

(6)

The protocol starts when user u wishes to log into her favourite web server S (already registered). However, u begins the login procedure by accessing the desired website via a browser on an un trusted kiosk. The browser sends a request to S with u's account IDu .. Next server S supplies the IDs and a fresh nonce 1L; time password for OJ for current login is recommended using the following operations:

c = (-{(Pu IIIDs 114» fJi = (-{lV-iCC).

( 7 )

(8)

The next action on the cell phone is sending the following SMS message to server:

SMS Cellphone ----t S: IDn, {ndllns}6i,IV,

HMAC2 · (9)

After receiving the login sms the server recomputes OJ, to decrypt and verify the authenticity of the login sms.

D. Recovery Phase

The protocol is able to recover the setting on her new cell phone asswning she still uses the same phone number (apply a new SIM card with old phone number).Once user u installs the protocol program on her new cellphone, she can launch the program to send a recovery request with her account IDu and requested server IDs to predefmed TSP through a 3G connection. As we mentioned before, ID can be the domain name or URL link of server S.

Once server S receives the request, S probes the account information in its database to confirm if account u is registered or not. If account IDu exists, the information used

Hacking Resistance Protocol for Securing Passwords Using Personal Device 461

to compute the secret credential c will be fetched and be sent back to the user. The server S generates a fresh nonce

11s and replies a message which consists of ID, <p, Ts, i, and 11s.This message includes all necessary elements for generating the next one-time passwords to the user u. When the mobile program receives the message, like registration, it forces the user u to enter her long-term password to reproduce the correct one-time password ()i+) (assuming the last successful login before u lost her cell phone is ()i ).

During the last step, the user's cell phone encrypts the secret credential c and server nonce 11s to a cipher text. The recovery SMS message is delivered back to the server S for checking. Similarly, the server S computes ()i+l and decrypts this message to ensure that user u is already recovered. At this point, her new cell phone is recovered and ready to perform further logins. For the next login, one-time password ()i+2 will be used for user authentication.

TABLE 1: NOTATIONS Name Description

IDx Identity of entity x.

Ty Entity y's phone number

0 Random seed

N Pre-define length of hash chain ({ 00 - ON.) }).

nz Nonce generated by entity z.

Pu User u 's long-term password.

Ksd Shared secret key between cell phone and the server.

c Secret shared credential between cell phone and the

a, server

II ith one-time password.

{h Concatenate operation.

0(0) Symmetric encryption) with key k.

IV Hash function 02 with input o.

HMAC1 Initialization vector of AES-CBC.

HMAC2 The HMAC-SHAI digest of IDIIIIIVII {c110 }ksd under the Ksd

HMAC3 The HMAC-SHA 1 digest of IDIII IIVI I {ndlln,j}ai under the ai.

The HMAC-SHA 1 digest of IDIII IIVI I {clln,j}ai+ 1 under the a,+ I.

I Symmetric encryption algorithm in protocol is AES-256. 2 Hash function is SHA-256.

V. EXPERIMENT DESIGN

We implemented a prototype and conducted a user study to analyze the performance and usability.

A. Prototype Implementation

The prototype consists of three components: a mobile program running on Android smart phones (Android OS v2.1); an extension on Firefox browser; and a web server. The server offers a web service by an Apache server running on a workstation with Windows XP, and SMS service with a GSM modem connected to itself. The communication interface between the phone and the browser extension is based on a client/server model.

The client program is developed on Android OS due to its popularity and generality. In the web server implementation, we developed a server program which consists of main server codes (PHP) and setup scripts for database (MYSQL). Server program can be installed and performed on an Apache HTTP server. On the other hand, capacity of sending/receiving SMS via a GSM modem relies on an open source library SMS Lib. For simulating TSP, partial PHP codes and related information were also established by the database.

B. User Study

Before starting the study, participants are to be first asked to complete a demographics questionnaire. They then to be introduced to the protocol system. Then they would be setting up the system, registering an account, and logging in via a cell phone. Further, they have to be instructed to choose a strong long-term password that should be at least eight digits long. They then have to proceed to complete a formal test which consisted of the following steps:

1. Setting up the System: Different from the ordinary user authentication system, users should install cell phone software and a browser extension to setup the protocol system.

2. Registering for an Account: Users first open the registration software on the cell phone. Users then fill out a form, which includes an account id, a website's id, and a long-term password, and submit it to the website.

3. Logging into the Website: Users first enter their account id into the browser on the kiosk and submit it to the server. Users then type their long-term password into the cell- phone and submit to the server. The login succeeds if a success message is shown on the screen of cell phone. If login fails, participants should try again until they are successful.

VI. RELATED WORK

A number of previous researchers have proposed to protect user credentials from phishing attacks in user authentication. The proposed systems leverage variable technologies, f o r example, mobile devices, trusted platform module (TPM), or public key infrastructure (PKI). However, these solutions were short of considering the negative influence of human factors, such as password

462 Proceedings of7'h International Conference on Intelligent Systems and Control (ISCO 2013)

reuse and weak password problems. To strengthen password­based authentication in untrusted environment [9], MP­Auth forces the input of a long- term secret (typically a user's text password) through a trusted mobile device.

Before sending the password to an untrusted kiosk, the password is encrypted by a pre installed public key on a remote server. MP-Auth is intended to guard passwords from attacks raised by untrusted kiosks, including key loggers and malware. On the other hand, some literature represents different approaches to prevent phishing attacks [2]. Session Magnifier enables an extended browser on a mobile device and a regular browser on a public computer to collaboratively secure a web session.

A. Comparisons between Resistance Protocol

and Other Systems

Many of proposed systems require user involvement in certificate confirmation (UICC) in order to setup a secure SSL tunnel. However, prior research concluded that users do not understand SSL and often ignore the SSL warnings caused by illegal certificates [4], [5]. Consequently, users often accept the received certificates without verification. This inattentive behavior causes users to suffer from potential attacks, such as MITM and DNS spoofing attacks. From previous literature, users should pay attention to confirming server certificate validities by themselves. The significant difference between resistance protocol and other related schemes is that protocol reduces the negative impact of user misbehaviors as much as possible.

In the protocol system, the SSL tunnel is established between a TSP and a web site server. From the perspective of users, they feel comfortable since there is no further need to verify the server certificate by themselves. In other words, overhead on verifying server certificates for users is switching to the TSP. The TSP acts as a users' agent to validate server certificates and also establish SSL tunnels correctly. Therefore, this protocol still resists phishing attacks even if users misbehave.

VII. CONCLUSION

In this paper, hacking resistance protocol is developed which leverages the cell phones and SMS to thwart password stealing and password reuse attacks. It is assumed that each website possesses a unique phone number. Also assume that a telecommunication service provider participates in the registration and recovery phases.

The design principle of this protocol is to eliminate the negative as much as possible. Through protocol, each user only needs to remember a long-term password which has been used to protect her cell phone. Users are free from typing any passwords into untrusted computers for login on all websites. Compared with previous schemes, this resistance protocol is the first user authentication

protocol to prevent password stealing (i.e., phishing, key logger, and malware) and password reuse attacks simultaneously. The reason is that it adopts the one-time password approach to ensure independence between each login. To make the protocol fully functional, password recovery is also considered and supported when users lose their cell phones. They can recover our protocol system with reissued SIM cards and long-tenn passwords.

A prototype of resistance protocol is also implemented to measure its performance. The average time spent on registration and login is 21.8 and 21.6 s, respectively. According to the result, SMS delay occupies more than 40% of total execution time. The delay could be shorter by using advanced devices. Besides, the perfonnance of login of the protocol is better than graphical password schemes, for example, Pass faces. The login time of Pass faces is from 14 to 88s, which is longer than resistance protocol. Therefore, we believe the protocol is acceptable and reliable for users. Most participants could easily operate all procedures of the protocol system. The login success rate is over 90%, except for a few typing errors. Consequently, this protocol is more secure than the original login system. Certainly, the participants prefer this resistance protocol to the original system.

REFERENCES

[I ] P. van Oorschot, A. Salehi-Abari, and J. Thorpe, "Purely automated attacks on pass points-style graphical passwords," IEEE Trans. Information Forensics Security, vol. 5, no. 3, pp. 393-405, Sep. 2010.

[2] B. Parno, C. Kuo, and A. Perrig, "Phoolproof phishing prevention", Financial Cryptography Data Security, pp. 1-19, 2006.

[3] Shepard, R.N., 1967. Recognition memory for words, sentences, and pictures. Journal of Verbal Learning and Verbal Behavior 6, 156-163.

[4] D. Wendlandt, D. G. Andersen, and A. Perrig, "Perspectives: Improving ssh-style host authentication with multi-path probing," in Proc. USENIX 2008 Annu. Tech. Conf., Berkeley, CA, 2008, pp. 321-334, USENIX Association.

[5] S. E. Schechter, R. Dhamija, A. Ozment, and I. Fischer, "Emperor's new security indicators: An evaluation of website austhentication and the effect of role playing on usability studies," in Proc. 2007 IEEE Symp. Security Privacy, 2007.

[6] K. J. Hole and V. Moen and T. Tjostheim. Case Study: Online banking Security. IEEE Security & Privacy Magazine, 2006.

[7] Zviran, M. & Haga, W. J. Password Security: An Empirical Study. Journal of Management Information Systems 15, 4 (1999), 161-185

[8] M Zviran, WJ Haga, "A comparison of password techniques for multilevel authentication mechanisms", in Computer Journal v 36 no 3 (93) pp 227{237

[9] M. Mannan and P. van Oorschot, "Using a personal device to strengthen password authentication from an untrusted computer," Financial Cryptography Data Security, pp. 88-103, 2007.

Hacking Resistance Protocol for Securing Passwords Using Personal Device 463

[10] S. Bellovin and M. Merritt. Encrypted key exchange: password-based protocols secure against dictionary attacks. In Proc. IEEE Security and Privacy Symposium, pages 72-S4. IEEE Computer Society, 1992.

[11] I. T. Report, ITU Internet Rep. 2006: Digital. Life [Online]. Available: http://www.itu.inti

[12] L. O'Gorman, "Comparing passwords, tokens, and biometrics for user authentication," Proc. IEEE, vol. 91, no. 12, pp. 2021-2040, Dec. 2003.

[13] D. Florencio and C. Herley, "A large-scale study of web password habits," in WWW '07: Proc. 16th Int. Conf. World Wide Web., New York, 2007, pp. 657-666, ACM.

[14] S. GAW and E.W. Felten, "Password management strategies for online accounts," in SOUPS '06: Proc. 2nd Symp. Usable Privacy. Security, New York, 2006, pp. 44-55, ACM.

[15] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The design and analysis of graphical passwords," in

SSYM'99: Proc. Sth Conf. USENIX Security Symp., Berkeley, CA, 1999, pp. 1-1, USENIX Association.

[16] A. Perrig and D. Song, "Hash visualization: A new technique to improve real-world security," in Proc. Int. Workshop Cryptographic Techniques E-Commerce, Citeseer, 1999, pp. 131-13S.

[17] TS 23.040: Technical Realization Short Message Service (SMS) 3GPP [Online]. Available: http://www.3gpp.org/

[I S] B. Pinkas and T. Sander, "Securing passwords against dictionary attacks," in CCS '02: Proc. 9th ACM Conf. Computer Communications Security, New York, 2002, pp. 161-170, ACM.

[19] TS 35.202: Specification 3GPP Confidentiality Integrity Algorithms Document 2: KASUMI Specification 3GPP [Online]. Available: http://www.3gpp.org