2015 ASEE Northeast Section Conference
A Highly Portable Enhanced Password Protection Environment
Alaa Alharbi, Khaled Elleithy, Rowida Alharbi, and Wafa Elmannai
Department of Computer Science and Engineering, University of Bridgeport, Bridgeport, CT 06604, USA
roalharb@my.bridgeport.edu
Abstract

Nowadays, passwords have become an important tool for authentication and identity verification. Passwords provide the necessary security for bank accounts, social network accounts, etc. In this paper, we introduce an environment that uses a recursive algorithm to calculate the various encryption times and the time a brute force algorithm will take to crack such encryption algorithms. Furthermore, this tool is highly portable: it runs on any operating system and any hardware to calculate the probability of the decryption times. Thus, the user can enhance his password protection using the proposed environment.

Keywords: Password Protection, Encryption, Brute Force, Decryption, Security Tools.

1. INTRODUCTION
With the tremendous growth of electronic transactions, authentication using passwords has become a major component of any system. The more facilities are available to a user, the greater the number of passwords that user has to deal with. The introduction of a large number of passwords for a single user creates significant confusion, and the whole process becomes cumbersome. However, easy and simple methods have now been developed to deal with the increasing number of passwords, making our lives much simpler. The major concern is: if passwords lead to other security issues, why do we use them? Exposure of a user's private and confidential matters might lead to financial fraud or loss, public humiliation, or other kinds of harm. The level of damage that can be caused by disclosure of a user's secret information depends on the data the individual is protecting with the password. For example, hacking of a company's account might lead to leakage of the organization's trade secrets, financial data, target market, future plans, etc. People generally prefer passwords over smart cards, fingerprint identification technologies, and retinal scanning technology because of the ease of use and lower cost of the former. A password is a collection of diverse characters that confirms the user's identity. A card number, username, electronic mail address, or account is employed along with the password. The former protects the distinctiveness of the individual and prevents exposure of his/her personal information, while the latter helps to identify the individual [1].
1 © American Society for Engineering Education, 2015
A. Password Cracking

Although passwords are one of the most important tools for guarding information, advances in technology have made hacking of systems and breaking of passwords much easier. There is a thin line between the two terms hacking and cracking: password hacking refers to a user gaining access to a computer system, whereas cracking refers to breaking the codes. The process of breaking passwords to gain illegal access to a user's personal information or computer is termed 'password cracking'. A number of different methods and sources can be used effectively to crack passwords. The most widely used technique is brute force using a dictionary, or guessing the word based on common and exposed words. Today, password cracking has become so common that if a user types "password cracker" on Packetstorm or Passwordportal.net, the site displays various tools that can easily be applied to figure out passwords. Moreover, password cracking has become one of the favorite topics among authors who write articles. For example, the Security Focus article titled "Password Crackers - Ensuring the Security of Your Password" explicitly addresses the methods of password cracking [7]. Furthermore, it discusses the use of social engineering for the purpose of cracking passwords, which makes it possible even for the common man to figure out passwords: the attacker needs to gather a bit of information about the individual whose account they want to hack. The article lists in detail all the steps that lead to password cracking. Sniffers have also been employed lately in this matter. They help in decoding the raw data transferred across the Internet and can track all the information a person sends across the net, including his/her password, bank details, etc.

B. High Level of Security

The most successful password cracking techniques include all foreign and reversed words, so that guessing a password becomes easier. Moreover, the simplest way to expose a password is by requesting it from the person concerned under some pretext. On the other hand, the best way to avoid hacking or cracking is never to share your password with anybody. The strength of a password varies from case to case: in some cases it offers a high level of protection, whereas in others it is just the starting point. To increase the strength of a password, people generally make use of encryption and one-time password techniques. Mangling the password so that nobody (sniffers or other onlookers) is able to decode it during transmission across the net is known as encryption. To enhance password security, users can adopt the Bravenet Password Protect tool. This tool enables users to generate and protect up to 50 user accounts, and also supports server-side authentication, creation of custom error pages, etc. Many other similar tools have been developed that perform different functions related to password security. One such example is the online form 'Password Generator', which produces a series of codes that can be attached to a user's .htaccess file. For people who do not have access to a CGI-BIN, the Password Protecting kit offers services such as password-protecting a web page, a generated login form, a gate keeper, and randomly generated passwords. Password management software employs a master password. It enables greater protection of the user's passwords by automatically entering the undisclosed, encrypted, strong password for the user's account. This solves the user's twin problem: now he/she neither has to memorize each and every password nor has to enable the 'remember password' option on the Internet, which is potentially very dangerous and leads to password cracking or hacking. These protection services are available in various forms and versions [4, 5]. MyLOK removes the user's anxiety regarding storage of passwords by using a cloud technique, after the password has been converted. RoboForm Desktop 7 is the best tool to consider when it comes to filling in web forms. This tool has some limitations, which can be overcome by a RoboForm application called 'RoboForm Everywhere'. Everywhere 7 is one of the most widely accepted tools, since it enables users to install and synchronize RoboForm Desktop on all of their personal computers. Password is popular software among Mac users. 'KeePass Password Safe' is a well-accepted tool due to its compatibility with almost all phone OSs, including Android, Blackberry, PalmOS, etc. Moreover, it performs well on Mac, Windows and Linux. An example of a password-saving choice that does not call for dedicated software is Clipperz. It is a well-known password manager that operates online and hides the identity of the user by creating secret and secure links in a short time. 'Mitto' is similar to secure systems that use a password as a defense, such as a login installed in the toolbar. Given the choice among all the given options, users should go for KeePass. It is free of cost and is compatible with Windows, Linux, iOS and Mac OS X. KeePass helps generate a distinct password for each website. Furthermore, it generates a different password each time the user logs in. Users can search for passwords quickly, and a complex tree-like structure of folders can be maintained using KeePass. For most people, it is simpler to keep the same password everywhere than to use a password manager.
You can keep all your unique usernames and passwords in a very secure database that is encrypted using KeePass. This database is kept behind a single pair of username and password. KeePass does not save the password database in the cloud, as is the case with LastPass, although placing it in Dropbox is possible. KeePass has a feature that generates random passwords itself, so the user does not have to think about a new random password. Moreover, the user can keep his/her master password and username behind a User Account Control (UAC) prompt, a protected function, so that any keylogger would need administrative access to record it.

2. ORGANIZATIONS AND NETWORK ADMINISTRATORS
By enacting strong policies related to passwords, website managers can make a difference in security and improve it. Hence, every organization must incorporate password policies into its organizational policies. Regular password updates must be enforced. Proper training and lessons must be given on how to protect data from online hackers' attacks. Inexperienced users must be trained in the best practices to follow for passwords. Moreover, resources for securing the network and passwords must be available through the intranet. Ultimately, both password and security policies must be integrated and made accepted by everyone [2]. To make sure that people use strong passwords, system administrators must apply proper measures. An expiration date for passwords must be kept in force throughout the whole organization. Accounts should be locked after 3-5 unsuccessful password attempts. Moreover, access to these passwords must be kept limited within the organization. To have stronger authentication protocols and more secure password files, updated operating systems must be used. Finally, whenever a new account is created, the default password must be changed quickly [6]. TrueCrypt is one of the strongest and most resistant encryption tools for consumers and is also open source. It can work with lesser security options but requires a higher level of setup. However, this tool will protect users' passwords even if they possess a secret file and are forced to give away the password. If someone wishes to transmit a secret message via an open network without anybody noticing anything suspicious, steganography is the tool to use. It encodes data bit by bit into normal carrier files such as images, so that only the recipient can decode it. If users are unable to use any special tools to hide files from unwanted access on their computers, there is a certain Windows tweak that is low-security but can keep the user from giving away personal and confidential data into unsolicited hands. There is a simple option in the properties of any file through which it can be made hidden, provided the "Don't Show Hidden Files" option is checked under the View button. Further, a tool known as Life Hacker Reader Sean can make use of a blank name to hide the folder [3].

3. BRUTE FORCE ALGORITHM
A recursive algorithm can brute force a string encoded with one of several algorithms such as MD5, SHA1, SHA256, and SHA512. In addition, a SALT value can be appended to the string. Within the program, the user can define this value. Traditionally, it is a random 40-128 byte value, but to demonstrate how it adds protection, a simple addition from the user is used. It can easily make brute force less effective by obscuring the encoded data, so that it becomes hard for the attacker to expose the data. The most important measure of the strength of any encryption method is time: how long does the attacker take to expose the encoded data? This technique was built on the brute force search tool, the general problem-solving method of enumerating all candidates and examining each one.

4. THE RECURSIVE ALGORITHM
The flowchart in Figure 1 shows how the recursive algorithm works on the brute force decryption. Checking the array length is the first step in initializing the brute force algorithm. We use a stored procedure for the counter stamp in order to check for a change in the array length. The flag value is displayed based on the key that matches the values of the array. Multiple iterations take place to decipher the whole code. The brute force attack utilized in this algorithm makes the whole algorithm decipher faster based on the raised flag values and the counter stamp. A closer look at the data memory section of the enhanced mid-range shows that the registers controlling the peripherals and I/O ports are accessed by reading or writing to specific data memory addresses. This mapping of peripherals to memory addresses greatly simplifies learning how to program the enhanced mid-range PIC.
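The following Python program is an added example, not the paper's .NET tool, showing the mechanics that sections 3 and 4 describe: the string is hashed with a user-chosen salt under MD5, SHA1, SHA256 or SHA512, candidates are enumerated recursively with an iteration counter and a time stamp, a flag is raised on the first match, and the per-hash cost is scaled to the whole keyspace to estimate how long an exhaustive search would need. The concatenation order salt + password and the use of hashlib's algorithm names are assumptions.

```python
import hashlib
import string
import time

# Hash choices offered by the paper's tool; hashlib uses the same names (assumption).
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

def digest(algorithm, salt, candidate):
    """Hash salt + candidate (the concatenation order is an assumption)."""
    return hashlib.new(algorithm, (salt + candidate).encode()).hexdigest()

def strings_of_length(alphabet, length, prefix=""):
    """Recursively yield every string over `alphabet` of exactly `length`."""
    if length == 0:
        yield prefix
        return
    for ch in alphabet:
        yield from strings_of_length(alphabet, length - 1, prefix + ch)

def brute_force(target_hex, algorithm, salt, alphabet, max_len):
    """Enumerate candidates shortest first, keeping an iteration counter and a
    time stamp; the flag is raised on the first matching hash.
    Returns (flag, matched_value, iterations, seconds)."""
    start = time.perf_counter()
    iterations = 0
    for length in range(1, max_len + 1):
        for candidate in strings_of_length(alphabet, length):
            iterations += 1
            if digest(algorithm, salt, candidate) == target_hex:
                return True, candidate, iterations, time.perf_counter() - start
    return False, None, iterations, time.perf_counter() - start

def keyspace_size(alphabet_size, max_len):
    """Number of candidates of length 1..max_len, i.e. worst-case iterations."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def estimate_worst_case_seconds(algorithm, salt, alphabet_size, max_len, samples=2000):
    """Time `samples` hashes and scale to the whole keyspace: the estimate a
    user would read off to judge whether a password policy is long enough."""
    start = time.perf_counter()
    for i in range(samples):
        digest(algorithm, salt, str(i))
    per_hash = (time.perf_counter() - start) / samples
    return keyspace_size(alphabet_size, max_len) * per_hash

if __name__ == "__main__":
    salt = "user-chosen-salt"  # constructed; the paper lets the user pick it
    secret = "7a1"             # constructed sample password
    alphabet = string.ascii_lowercase + string.digits
    for algorithm in ALGORITHMS:
        target = digest(algorithm, salt, secret)
        flag, value, n, secs = brute_force(target, algorithm, salt, alphabet, 3)
        print(f"{algorithm:6} flag={flag} value={value} iterations={n} time={secs:.3f}s")
    est = estimate_worst_case_seconds("sha256", salt, len(alphabet), 8)
    print(f"worst case for 8 characters over {len(alphabet)} symbols: {est:.0f}s")
```

The salt does not change the iteration count for a single target; what the estimate shows is how the alphabet size and the length bound drive the worst-case time.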
[Figure 1: flowchart; nodes recovered from the figure: Start -> Check Array Length -> (Yes) Initialize Brute Force -> Counter Time Stamp -> Display Flags -> Print Value -> Stop]
Figure 1: Flow Chart of the Recursive Algorithm on the Brute Force algorithm
5. SIMULATION EXPERIMENTS

Table 1 shows various encryptions and the bit length being decrypted. The simulation was implemented using the .NET framework for longer bit sizes on a computer with a quad-core processor and the Windows 8.1 operating system. The tabulated data shows accurate estimations for the required encryptions. The principle of brute force string matching is quite simple. We check for a match between the first character of the pattern and the first character of the text. If they do not match, we move forward to the second character of the text and compare the first character of the pattern with it. If they do not match again, we move forward until we get a match or reach the end of the text. When a character of the text matches the first character of the pattern, we move forward to the second character of the pattern and compare it with the next character of the text. Just because we have found a match between the first character of the pattern and some character of the text does not mean that the pattern appears in the text: we must move forward to see whether the full pattern is contained in the text.
Algorithm          Bits        Total Iterations   Time Taken
Brute Force        1000000     78498              00:00:00.8925925
Eratosthenes       1000000     78498              00:00:00.0680448
Sundaram           1000000     78498              00:00:00.0410274
Atkins             1000000     78498              00:00:00.0420275
Atkins Optimized   1000000     78498              00:00:00.0230142
Eratosthenes       10000000    664579             00:00:00.7074686
Sundaram           10000000    664579             00:00:00.5553717
Atkins             10000000    664579             00:00:00.6604359
Atkins Optimized   10000000    664579             00:00:00.4172764
Eratosthenes       30000000    1857859            00:00:02.2154694
Sundaram           30000000    1857859            00:00:01.3498962
Atkins             30000000    1857859            00:00:01.7111325
Atkins Optimized   30000000    1857859            00:00:00.9476313
Eratosthenes       60000000    3562115            00:00:04.2558236
Sundaram           60000000    3562115            00:00:03.4372806
Atkins             60000000    3562115            00:00:04.2388190
Atkins Optimized   60000000    3562115            00:00:02.4065895
Eratosthenes       70000000    4118064            00:00:03.8966904
Sundaram           70000000    4118064            00:00:03.1110649
Atkins             70000000    4118064            00:00:03.9406178
Table 1: Comparison of brute force and other algorithms
We compared four algorithms, Eratosthenes, Sundaram, Atkins, and Atkins Optimized, with the Brute Force algorithm. Table 1 shows that the Brute Force algorithm takes the longest in the decryption process from the first iteration count (78498). We increased the number of bits and the number of iterations over more than one cycle in order to determine which algorithm comes next after Brute Force. The results show that the Atkins Optimized algorithm can be considered the second choice for the user. Figure 3 shows a Windows form developed to decrypt a password with various encryptions. A variable time stamp with the approximate amount of time required to decrypt a password is generated. This tool allows users to generate encryptions on any operating system and get an estimate of the time analysis for the decryption process using the various encodings discussed earlier in the paper.
Figure 3: Brute force simulator
6. CONCLUSION

In this paper, we developed a highly reliable tool to calculate the various encryption times and the amount of time a brute force algorithm will take to attack encryption algorithms. Moreover, this tool is portable and can run on any operating system and any combination of hardware to calculate the probability of the decryption times. Consequently, an individual user or a corporation can enhance their password protection using the proposed tool. Furthermore, the presented tool is highly scalable and portable to different homogeneous and non-homogeneous environments.

References

1. El-Bakry, Hazem M., and Nikos Mastorakis. "Personal identification through biometric technology." 9th WSEAS International Conference on Applied Informatics and Communications (AIC'09), Moscow, Russia, 2009.
2. Griffith, E. (2011, December 6). Password Protection: Password Recovery and Control Tools. PCMag. Retrieved June 12, 2013, from http://www.pcmag.com/article2/0,2817,2368988,00.asp
3. Errico, Stephen. "Systems and Methods for Accessing Secure and Certified Electronic Messages." U.S. Patent Application 12/555,909.
4. Zukerman, E. (2013, February 1). Tools for the paranoid: 5 free security tools to protect your data. PCWorld. Retrieved June 12, 2013, from http://www.pcworld.com/article/2026561/tools-for-the-paranoid5-free-security-tools-to-protect-your-data.html
5. Trapani, G. (n.d.). Best Free Ways to Protect Your Private Files. Lifehacker. Retrieved June 12, 2013, from http://lifehacker.com/391555/best-free-ways-to-protect-your-private-files
6. Wright, Steve. PCI DSS: A Practical Guide to Implementing and Maintaining Compliance. IT Governance Ltd, 2011.
7. Cliff, A. "Password Crackers - Ensuring the Security of Your Password." Security Focus, 2001. Retrieved September 10, 2005.