A Scheme to Create Secured Random Password Using Markov Chain

S. Vaithyasubramanian and A. Christy

Nov 26, 2014

Abstract

Access to computer systems is habitually based on the use of alphanumeric passwords. Passwords afford the foremost line of protection against illicit access to computers. Password security is of course only one factor of overall system security. Even though they are an essential component, passwords are regarded as the fragile link in computer security. Most users will make use of simple passwords. Simple passwords are easy to memorize, but by the same token easy to crack. The common user is likely to use a simple password, and more often than not the same password for different logins. This makes them vulnerable to various types of cyber attacks. To create/generate secured random passwords, in this paper we describe a new scheme for the creation/generation of passwords using the Markov chain technique. The tree structure of creation/generation of passwords using the Markov chain technique is also specified.





Keywords: System security, Alphanumeric password, Graphical password, Biometric authentication, Vulnerabilities, Cracking, Markov chain, TPM











S. Vaithyasubramanian, Department of Mathematics, Sathyabama University, Chennai, India
A. Christy, Sathyabama University, Chennai, India

© Springer India 2015. L.P. Suresh et al. (eds.), Artificial Intelligence and Evolutionary Algorithms in Engineering Systems, Advances in Intelligent Systems and Computing 325, DOI 10.1007/978-81-322-2135-7_85

1 Introduction

Security has been the major concern with the evolution of new standards and applications in the field of computer networks and their processing. Hacking of systems and cracking of passwords are the major concerns in this area. Some work has been done in this area to improve security in transmission and information processing. Still, there remains a strong need to improve or develop better methods to avoid or control hacking. Security of a password is an exciting commonsense and mathematical problem [1]. Password security is essential to the security of information systems. It is often recommended that passwords should not be short, should not be words found in a dictionary, and that they should be changed frequently [2–4]. When a user has access to many accounts or systems, different passwords should be used so that no single incident will lead to the compromise of all of these accounts [5]. Unfortunately, human fallibility makes it nearly impossible to follow all of these rules simultaneously. A user with many different, frequently changing passwords will be forced to write them down somewhere [6]. Some systems constrain passwords to have a certain minimum length or require them to contain a combination of letters and numbers. Some systems also impose maximum lengths, and some prohibit special characters. The lack of common standards for passwords makes it difficult for a user to remember which password is used for which system [6–8]. For long-term remembrance, strings expressed in the form of patterns can be used as passwords [9].

2 Types of Password

Access to computer systems is most often based on the use of alphanumeric passwords. However, users have difficulty remembering a password that is long and random in appearance. Instead, they create short, simple, and insecure passwords [7, 10]. Later, graphical passwords were designed to try to make passwords more memorable and easier for people to use and, therefore, more secure [11–13]. With a graphical password, users click on images rather than type alphanumeric characters. In late 1970, biometric systems were initiated. Biometrics refers to the recognition of users by their uniqueness. Face identification, voice recognition, iris recognition, and fingerprints are used in biometric security systems to identify a user. But biometric authentication has its own strengths and limitations [14, 15].

2.1 Limitations of Alphanumeric and Graphical Passwords

The problem with alphanumeric passwords arises largely from the limitations of humans' long-term memory [11], which forces them to choose weak passwords such as dictionary words, obvious passwords, favorites, and easily guessable passwords. Cracking those passwords is very easy [3, 10]. They are cracked by various attacks such as guessing, brute force attack, dictionary attack, and hybrid attack [12, 16]. Meanwhile, if a random password is chosen, remembering it becomes tedious or unmanageable. The general issue with graphical password input is clicking outside the tolerance region; users need to understand the degree of precision needed [11]. Graphical passwords are also subject to regular means of attack such as shoulder surfing, intersection analysis, social engineering, and spyware attack [17]. False reject rate and false accept rate are major issues concerning biometric authentication [14].


2.2 Need of Good Password

The need for good passwords is another important concern. The password problem has led to innovations to improve passwords. One innovation is the Markov chain-based password, i.e., a password whose creation/generation is based on the current character and the previous character chosen. The basic idea is that using these passwords will lead to greater security and decrease the tendency to choose insecure passwords. This, in turn, should increase overall security. The tree structure of creating/generating the password is described in the next section.

3 Model Formulation and Generation/Creation of Password

3.1 Markov Chain

The Markov chain, named after the Russian mathematician Andrei A. Markov (1856–1922), originated in the mid-twentieth century. Today, applications of Markov chains range far and wide across the sciences [18]. A Markov chain is a stochastic model describing a sequence of possible events in which the probability of each event depends only on the state attained in the previous event [19]. A Markov chain is a sequence of random variables $\{X_1, X_2, X_3, \ldots\}$, with the $X_i$ taking values from a countable set called the state space of the chain, having the property that, given the present state, the future and past states are independent. Formally, $P(X_{n+1}/X_n, X_{n-1}, \ldots, X_2, X_1) = P(X_{n+1}/X_n)$ [20]. Markov chains are described by means of a digraph in which each vertex represents a state and the edges are labeled by probabilities called transition probabilities. Each variable of the state space is described by a probability; together these form the initial state probability distribution, denoted $P = \{P(X_1), P(X_2), P(X_3), \ldots\}$. The transitions in a Markov chain are described by a matrix called the transition probability matrix (TPM), denoted $P_{ij}$, where $P_{ij} = P\{X_{n+1} = j / X_n = i\}$.

3.2 Preliminaries

Passwords can be generated using the following nomenclature. State space = {L, U, N, S}, where

L = {a, b, c, d, …, z}: 26 lower case characters
U = {A, B, C, D, …, Z}: 26 upper case characters
N = {0, 1, 2, 3, …, 9}: 10 numeric characters
S = {!, @, #, …, ?}: 32 special characters


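The 1-step TPM and 2-step TPM, along with the initial state probability distribution, are as follows:

$$p_{ij} = \begin{pmatrix} \frac{1}{16} & \frac{5}{16} & \frac{5}{16} & \frac{5}{16} \\ \frac{5}{16} & \frac{1}{16} & \frac{5}{16} & \frac{5}{16} \\ \frac{5}{16} & \frac{5}{16} & \frac{1}{16} & \frac{5}{16} \\ \frac{5}{16} & \frac{5}{16} & \frac{5}{16} & \frac{1}{16} \end{pmatrix}, \qquad P = \{1/4,\ 1/4,\ 1/4,\ 1/4\}$$

$$p^{2}_{ij} = \begin{pmatrix} \frac{76}{256} & \frac{60}{256} & \frac{60}{256} & \frac{60}{256} \\ \frac{60}{256} & \frac{76}{256} & \frac{60}{256} & \frac{60}{256} \\ \frac{60}{256} & \frac{60}{256} & \frac{76}{256} & \frac{60}{256} \\ \frac{60}{256} & \frac{60}{256} & \frac{60}{256} & \frac{76}{256} \end{pmatrix}$$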

3.3 Proposed Scheme

A typical example of creating/generating a random password using the above taxonomy would be as follows:

Step 1: Select the length (say $\ell$) of the password according to the necessary criteria of the service provider.

Step 2: The first character of the password is chosen from any of the four character sets mentioned above.

Step 3: Assuming that L is chosen first, choose a character from L as the first character of the password, i.e., L generates the first character of the password. The probability of selection is $P[X_1]$.

Step 4: The second character is chosen from the remainder of the nomenclature, leaving out the character set chosen in step 1, i.e., if L is chosen first, one of U, N, S generates the second character of the password. The probability of selecting the second character is based on the first character selected, i.e., $P[X_2/X_1]$.

Step 5: The third character of the password is chosen so that it comes from neither of the character sets used for the previous two characters, i.e., excluding the character sets selected in step 3 and step 4. The probability of selection of the third character is based on the first and second characters selected, i.e., $P[X_3/X_2]$ and $P[X_3/X_1]$.

Step 6: The selection of the $n$th character of the password depends on the $(n-1)$th as well as the $(n-2)$th character set. The probability of selection of the $n$th character is based on the $(n-1)$th and $(n-2)$th characters selected, i.e., $P[X_n/X_{n-1}]$ and $P[X_n/X_{n-2}]$.

Step 7: Proceed until the password reaches the length $\ell$.

Step 8: The password combination depends on the length; however, creation/generation depends on steps 3, 4, and 5 (Fig. 1).
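The class-level chain from sections 3.1 to 3.3, as an added example that is not the authors' code: it checks the 2-step TPM by squaring the 1-step TPM, draws a password from the chain with Python's `secrets` CSPRNG, and computes the Shannon entropy of the result, a calculation the paper does not include. It assumes the TPM rows and columns are ordered L, U, N, S and follows the TPM of section 3.2 (which lets a class repeat with probability 1/16) rather than the strict exclusion described in steps 4 to 6; all function names are hypothetical.

```python
import math
import secrets
import string
from fractions import Fraction

# Character classes from section 3.2; string.punctuation holds the 32 ASCII specials.
CLASSES = {"L": string.ascii_lowercase, "U": string.ascii_uppercase,
           "N": string.digits, "S": string.punctuation}
ORDER = "LUNS"  # assumption: row/column order of the TPM
INITIAL = [Fraction(1, 4)] * 4
TPM = [[Fraction(1, 16) if i == j else Fraction(5, 16) for j in range(4)]
       for i in range(4)]

def two_step(tpm):
    """Square the 1-step TPM with exact fractions to get the 2-step TPM."""
    n = len(tpm)
    return [[sum(tpm[i][k] * tpm[k][j] for k in range(n)) for j in range(n)]
            for i in range(n)]

def pick_state(dist):
    """Sample an index from a list of Fractions using the OS CSPRNG."""
    denom = math.lcm(*(p.denominator for p in dist))
    r, acc = secrets.randbelow(denom), 0
    for i, p in enumerate(dist):
        acc += p * denom
        if r < acc:
            return i
    raise ValueError("distribution does not sum to 1")

def generate(length):
    """Return (password, class sequence) drawn from the chain."""
    state, chars, classes = pick_state(INITIAL), [], []
    for _ in range(length):
        classes.append(ORDER[state])
        chars.append(secrets.choice(CLASSES[ORDER[state]]))
        state = pick_state(TPM[state])
    return "".join(chars), "".join(classes)

def shannon(dist):
    """Shannon entropy of a distribution, in bits."""
    return -sum(float(p) * math.log2(p) for p in dist if p)

def entropy_bits(length):
    """Entropy of a generated password: class path plus characters."""
    # The uniform INITIAL and symmetric TPM keep each position's class uniform,
    # and every TPM row has the same entropy, so the sum has a closed form.
    per_char = sum(float(p) * math.log2(len(CLASSES[c]))
                   for p, c in zip(INITIAL, ORDER))
    return shannon(INITIAL) + (length - 1) * shannon(TPM[0]) + length * per_char
```

For a length of 8, `entropy_bits` gives about 50.2 bits, against about 52.4 bits for 8 characters drawn uniformly from all 94.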


Fig. 1 Tree structure for password generation/creation (tree diagram not reproduced; its nodes are labelled with the character sets L, U, S and N)

4 Conclusion

Password complexity is a double-edged sword. Complex passwords are hard to crack but equally hard to remember. In this paper, a new way of creating/generating random passwords for secured data transfer using a Markov chain is presented. This paves the way for a new generation of password creation that ensures the reliability of data processing in computer networks and processing systems. Our approach can be effectively and securely used as a user evidence mechanism for Web logins. To a great extent, further research and user studies are required for this password creation/generation technique to reach higher levels of maturity and utility. A strong password does not guarantee 100 % protection from hackers. However, a strong password/robust password system is an effective deterrent against 90 % of the commonly used modes of attack.


References

1. R. Morris, K. Thompson, Password security: a case history. Commun. ACM 22, 594–597 (1979)
2. S. Granger, The simplest security: a guide to better password practices (2011)
3. E.F. Gehringer, Choosing passwords: security and human factors, in IEEE 2002 International Symposium on Technology and Society (ISTAS'02), pp. 369–373
4. D. Florencio, C. Herley, B. Coskun, Do strong web passwords accomplish anything?, in HOTSEC'07 Proceedings of the 2nd USENIX Workshop on Hot Topics in Security, ACM Digital Library (2007)
5. www.ghacks.net/2013/10/26/4-simple-password-creation-rules-x-common-sense-tips/
6. J. Yan, A. Blackwell, R. Anderson, A. Grant, Password memorability and security: empirical results. IEEE Secur. Priv. 2(5), 25–31 (2004)
7. D. Florencio, C. Herley, A large-scale study of web password habits, in Proceedings of the 16th International Conference on the World Wide Web, ACM Digital Library (2007), pp. 657–666
8. J. Hong, Passwords getting painful, computing still blissful. Commun. ACM 56(3) (2013)
9. S. Vaithyasubramanian, A. Christy, A practice to create user friendly secured password using CFG, accepted for International Conference on Mathematical & Engineering Sciences 2014 (2014)
10. B. AlFayyadh, P. Thorsheim, A. Josang, H. Klevje, Improving usability of password management with standardized password policies, in The Seventh Conference on Network and Information Systems Security, SAR-SSI 2012 (Cabourg, 2012)
11. S. Wiedenbeck, J. Waters, J.C. Birget, A. Brodskiy, N. Memon, Authentication using graphical passwords: basic results, in Human-Computer Interaction International (HCII) (2005)
12. A.P. Sabzevar, A. Stavrou, Universal multi-factor authentication using graphical passwords, in Proceedings of the 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems, pp. 625–632
13. X. Suo, Y. Zhu, G.S. Owen, Graphical passwords: a survey, in 21st Annual Computer Security Applications Conference (2005), pp. 463–472
14. S.M.S. Ahmad et al., Technical issues and challenges of biometric applications as access control tools of information security. Int. J. Innov. Comput. Inf. Control 8(11), 7983–7999 (2012)
15. M. Bhatnagar, Raina K. Jain, Nilam S. Khairnar, A survey on behavioral biometric techniques: mouse vs. keyboard dynamics, in IJCA Proceedings on International Conference on Recent Trends in Engineering and Technology (2013), pp. 27–30
16. http://resources.infosecinstitute.com/dictionary-attack-using-burp-suite
17. H. Gao, W. Jia, F. Ye, L. Ma, A survey on the use of graphical passwords in security. J. Softw. 8(7) (2013)
18. B. Hayes, First links in the Markov chain. Mag. Sigma Xi, Sci. Res. Soc. 101(2), 92 (2013)
19. www.oxforddictionaries.com/us/definition/american_english/Markov-chain
20. http://mathworld.wolfram.com/MarkovChain.html
