International Review on Computers and Software (I.RE.CO.S.), Vol. 9, N. 1 ISSN 1828-6003 January 2014
A Technique for Web Security Using Mutual Authentication and Clicking-Cropping Based Image Captcha Technology

K. Suresh Kumar, T. Sasikala

Abstract – The main aim of our research is to develop a technique for web security using mutual authentication and clicking- and cropping-based image CAPTCHA technology. Our technique has two sections, registration and login: the registration section creates an account for the application and the login section gives access to it. We set five mandatory fields for logging in to the application, and the values given in the login section must match those given at registration. The mandatory fields are checked with respect to the user id; they are user id, password, selected image, number of clicks on the image and cropped image. If the fields given in the login section match those given in the registration section for a particular user id, the system allows the user to access the application. Compared with the usual login section of an application we add three features: selecting an image from a set of images, making a number of clicks on the selected image and cropping a portion of that image. These added features enhance the web security of our technique. Copyright © 2014 Praise Worthy Prize - All rights reserved.
Keywords: Web Security, CAPTCHA, Mutual Authentication, Cropping-Clicking
Manuscript received and revised December 2013, accepted January 2014
Copyright © 2014 Praise Worthy Prize S.r.l. - All rights reserved

I. Introduction

Our lives have changed permanently since the advent of the web. Web applications have rapidly become the leading way to offer access to online services. For many users the web is simple and convenient because it offers anytime, anywhere access to information and services. Unfortunately, the success of the web and the lack of technical sophistication of many web users have also attracted miscreants who aim to make easy money. An essential web security research problem is how to effectively enable a user who is running a client on an untrusted platform (i.e., a platform that may be under the control of an attacker) to securely communicate with a web application [1]. Devising an effective solution to the problem of massive and automated access to web resources is a complex goal. This is due to numerous practical constraints that characterize the web and do not allow repeated accesses to particular content to be prevented. This has driven researchers to the idea of CAPTCHA-based security, which guarantees that such attacks [12] are not possible without human involvement, which in turn makes them ineffective. CAPTCHAs (Completely Automated Public Turing tests to tell Computers and Humans Apart) are widespread security measures on the World Wide Web that prevent automated programs from abusing online services. CAPTCHA-based security protocols have also been proposed for related issues, e.g., countering Distributed Denial-of-Service (DDoS) attacks on Web servers [2].

CAPTCHAs are an important and broadly used modern Internet technology. They minimize the ability of computerized agents to programmatically use web-connected resources such as online e-mail accounts, online polls, Web-based comment systems, Web-based SMS portals and so on. A CAPTCHA is a challenge that authenticates users as human; human users are generally accepted to be much less able to use Web-connected resources than computerized agents. CAPTCHAs require users to confirm they are human by conveniently displaying human-level intelligence in some manner [3]. A CAPTCHA acts as a security device by requiring an exact answer to a question which a human alone can answer better than a random guess. Humans have a speed restriction and hence cannot replicate the impact of a computerized program. Thus, the vital requirement of a CAPTCHA is that computer programs must be slower than humans in responding correctly. The semantic gap between human understanding and the current level of machine intelligence can be used [2] for that reason. Most existing CAPTCHAs are text-based, which minimizes the reliability of security protocols derived from text-based CAPTCHAs. There have been efforts to make these systems harder to break by systematically adding noise and distortion, but that often makes them difficult for humans to decipher as well [2]. Text-based systems face one inexorable situation: humans find the CAPTCHA problem unpleasant as the CAPTCHA gets more complicated. This is perhaps why popular websites such as MSN Hotmail opted for a simple and clean CAPTCHA [13], which could be attacked with a success rate over 80%. Some systems use a characteristic color for each character and add a colored background using non-text colors; both of these additions can be simply removed by a computerized program and add no more difficulty for the bot [4]. Image-based CAPTCHAs have been suggested as an alternative to text. CAPTCHAs of this type require the user to solve a visual pattern discovery problem or understand concepts indicated by images. Image-based CAPTCHA systems appeared in efforts to replace text-based CAPTCHA systems, which were becoming more complex for humans to solve easily. Although the security of image-based tests is superior to that of text-based HIPs, they do not have the same level of diffusion as textual CAPTCHAs. This is primarily due to their intrinsically higher complexity and the larger screen area required to display images. In addition, the creation of a large, labeled database may also be problematic, as well as possible inconsistency with the specific topic of a web site [5]. Considering these challenges, researchers have recently developed more image-based CAPTCHA techniques with some improvements.

In this paper we have used the cropping- and clicking-based image CAPTCHA technology for web security using mutual authentication. We use this technique for using an application on the web. Not everyone can access a web application, for security reasons. If a person needs to use a web application, he ought to create an account to access that application. Here, we use two sections, a registration section and a login section. A new user first has to register their details to open an account for that application and then has to use the registered user id to log in. The registration section and the login section have some mandatory fields to fill. If the mandatory fields are the same in the registration and login sections, the system will allow the user to access the application. To enhance security we incorporate the clicking- and cropping-based image CAPTCHA technology. The rest of the paper is organized as follows: the second section reviews related works, the third section presents our recommended technique, the fourth section shows our results and the fifth section concludes our recommended technique.
II. Review of Related Works

The literature presents several image-based CAPTCHA techniques for enhancing web security. Here, we review some of the techniques presented in the literature in recent times. Carlos Javier Hernandez-Castro and Arturo Ribagorda [6] have presented a CAPTCHA referred to as “Math CAPTCHA” or “QRBGS CAPTCHA”, which asks the user to solve a mathematical problem in order to prove they are human. They found significant problems both in its design and implementation, and showed how those flaws could be used to entirely solve this CAPTCHA using a low-cost attack. This attack needs no development in Artificial Intelligence or automatic character recognition, the projected path, and is thus a side-channel attack based on the previously mentioned flaws of the CAPTCHA. They concluded with some tips for improving this CAPTCHA that could be considered as common guidelines. Alessandro Basso and Stefano Sicco [7] have presented MosaHIP, a Mosaic-based Human Interactive Proof (HIP), which was able to prevent massive computerized access to web resources, while the user-friendliness of the system relieves the user from the discomfort of typing any text before accessing web content. Experimental results gave evidence of the usefulness of their system against a series of tests simulating potential bot attacks. Shardul Vikram et al. [4] have presented SEMAGE (SEmantically MAtching imaGEs), an image-based CAPTCHA that capitalizes on the human ability to describe and comprehend image content and to establish semantic relationships among images. SEMAGE has a two-factor design where, in order to pass a challenge, the user needs to figure out the content of each image and then understand and identify a semantic relationship among a subset of them. SEMAGE, unlike current text-based systems, was also very user friendly with an elevated fun factor. These features make it very attractive to web service providers. In addition, SEMAGE was language independent and extremely flexible for customization (both in terms of security and usability levels). SEMAGE was also mobile-device friendly as it does not require the user to type anything. Their results showed that users achieved high accuracy using their system and considered it to be fun and easy. S. Benson Edwin Raj et al. [9] have proposed a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) mechanism to mitigate the impact of DoS attacks. Most CAPTCHAs today were OCR based, which had two-fold limitations. Firstly, several automated tools capable of reading the CAPTCHA have emerged. Secondly, the CAPTCHA was not comfortable for the human to read and feed the correct information online to send their web request. In order to overcome these difficulties, a new type of CAPTCHA was introduced, namely picture-based CAPTCHA. It helps the user overcome the drawbacks of the previous approach since it is easy to use and understand and also more secure than text-based CAPTCHA. Their security analysis showed that the redesigned layout yielded better results than other picture-based CAPTCHAs. Ritendra Datta et al. [10] have proposed automated Turing tests, called CAPTCHAs, which can differentiate humans from machines. While human recognizability was measured on the basis of an extensive user study, machine recognizability was based on memory-based content-based image retrieval (CBIR) and matching algorithms. They have provided a detailed description of an experimental image CAPTCHA system, IMAGINATION, that uses systematic distortions at its core. B. Zhu et al. [11] have proposed an image recognition CAPTCHA (IRC), called Cortcha, that is scalable to meet the requirements of large-scale applications. It relies on recognizing objects by exploiting the surrounding context, a task that humans perform well but computers cannot. An infinite number of types of objects were used to generate challenges, which effectively disabled the learning process in machine learning attacks. Cortcha does not require the images in its image database to be labeled. Image collection and CAPTCHA generation were fully automated. Their usability studies indicated that, compared with Google's text CAPTCHA, Cortcha allowed a slightly higher human accuracy rate but on average takes more time to solve a challenge. Matthews P. et al. [8] have proposed a new form of image-based CAPTCHA, termed "scene tagging". It tests the ability to recognize a relationship between multiple objects in an image that was automatically generated via composition of a background image with multiple irregularly shaped object images, resulting in a large space of possible images and questions without requiring a large object database. This composition process was accompanied by a carefully designed sequence of systematic image distortions that makes it difficult for automated attacks to locate/identify the objects present. Automated attacks must recognize all or most objects contained in the image in order to answer a question correctly, thus the approach reduced attack success rates.
III. Proposed Mutual Authentication and Cropping-Clicking based CAPTCHA Technique

This section explains our recommended mutual authentication and CCC (Cropping and Clicking based CAPTCHA) technique. Fig. 1 shows a sample block diagram of our recommended technique. Our technique has two sections, a registration section and a login section. In the registration section the user registers their details: user name, password and the cropping- and clicking-based CAPTCHA (CCC) image.

The registration of the CCC image is as follows: for every registration the user is required to give a unique user name, a password and the user's details. After giving the details, the server shows a set of images from which the user selects one for crop and click registration. The cropping of an image is based on position values. Every image is segmented by position values in the form of x and y coordinates. The cropped region, in the form of x and y coordinates, and the number of clicks on that image are stored in the database for that particular user's account. In the login section the user needs to give the correct user id with the respective password and the respective CCC image. After the user id and password are given in the login section, the server asks the user to select an image from the set of images, to crop that image and to make the number of clicks on that image as done during registration. Thereafter, the system compares the image selected by the user in the login section, then the number of clicks on the selected image, and then the cropped section of that image, with the data already stored under the respective user id in the database from the registration section. If all the data entered in the login section matches the data entered in the registration section and stored in the database, the system allows access to that user. If any one of the details is incorrect when compared with the data stored in the database, the system does not allow the user access.

Fig. 1. Sample block diagram of our proposed technique

III.1. Mutual Authentication

Mutual authentication is the practice of a user authenticating themselves to a server and the server authenticating itself back to the user. It is a security feature whereby the client and the server confirm their identity to each other. Mutual authentication prevents attacks by a third party, i.e. one who is neither the server nor the user. Typically, mutual authentication between the client and the server is required before any transaction between them. Mutual authentication is required because many interactions on the internet take place between strangers, i.e. entities with no prior relationship. In our recommended technique, a user confirms their identity to the server by creating an account and using it to access the application. Similarly, the server authenticates itself to the user by the set of images present on the server which we use to ‘sign up’ and ‘sign in’.

III.2. Clicking of Image

The clicking of an image in our proposed work is the number of clicks made on the image selected for cropping. Fig. 2 shows a sample block diagram of clicking an image. In this figure, the first block shows the x and y coordinates of the image selected for cropping and clicking.

Fig. 2. Sample block diagram of clicking an image

The marked xy-coordinates in the second block show the clicks made on that image. The count of clicks, i.e. the number of clicks made on the image by the user in the registration section, is stored in the database. If the number of clicks on the image in the login section is not the same as in the registration section, the system will not allow the user to access the application.

III.3. Cropping of Image

Cropping an image is the removal of the outer parts of the image to emphasize its subject matter. It can be performed on a photograph or artwork, or done digitally using image editing software, depending on the application. The cropping of the image is done based on position values, which are in the form of x and y coordinates. After the image is cropped, the x and y coordinates of the outer cropped region are stored in the database for further authentication. Fig. 3 shows the sample block diagram for cropping an image.

Fig. 3. Sample block diagram for cropping an image

Fig. 3 is explained as follows: an image is represented by x and y coordinates, which we use to crop the image. The first block in Fig. 2 is the x and y coordinates of a selected image, the marked section in the second block shows the region selected for cropping, and the third block shows the x and y coordinates of the cropped region. The x and y coordinates of the outer region in the third block, i.e. (x3,y2), (x3,y3), (x3,y4), (x4,y2), (x4,y4), (x5,y2), (x5,y3) and (x5,y4), are stored in the database for further authentication. In our work, cropping of the image is done to check whether the user is the authenticated user for the entered user id. Initially, while creating an account, the user crops an image from a set of images after giving the user name and password and after making the number of clicks on the image. The cropped image is stored with the corresponding user name when the user saves the account. The user can access the account if he gives the same cropped image as he gave during registration.

III.4. Steps for Creating an Account

This section explains the steps to create a new account. The steps are as follows:
1. Open the registration page.
2. Create a user id $uid_d$ and password $p_d$.
3. Give all the details which are required.
4. Select an image $im_d$ from a set of images $IM_d$.
5. Make some clicks $cl_d$ on the selected image $im_d$.
6. Crop $cr_d$ the selected image.
7. Save the entries made during registration.

The entries saved during registration are stored in the database $d$. If a user needs to access any application on the web, he is required to create a new account. Every web application has a separate registration page to add a new user. To create a new account, the user opens the registration page and fills in the required fields. Initially users give their personal details such as full name, date of birth, address, etc. Thereafter, the user creates a new user id $uid_d$ to access the application. After creating the user id $uid_d$, the system checks the user id $uid_d$ created by the new user against the user ids $UID_d$ in the database that were created by existing users. If the user id $uid_d$ created by the new user exists among the user ids $UID_d$ in the database, the system does not allow the user to use that user id. If it does not exist in the database, the system creates the given id as the user id of the new user. This is expressed by the equation below:

$$N_{uid} = \begin{cases} \text{create}, & \text{if } uid_d \notin UID_d \\ \text{don't create}, & \text{else} \end{cases}$$

where:
$N_{uid}$: condition to create a new user id
$uid_d$: new user id given by the new user to create an account
$UID_d$: existing user ids in the database $d$

After the user id $uid_d$ is created, the user creates a new password for that user id. When the password is created, the system asks the user to select an image $im_d$ from the set of images $IM_d$ in the database. Thereafter, the system asks the user to make a number of clicks $cl_d$ on that image; the number of clicks $cl_d$ made by the user on the image is stored in the database $d$. The system then asks the new user to crop the selected image. The cropping is done based on the position values of the selected image, and the outer region of the cropped image $cr_d$ is stored in the database $d$. The entire details, i.e. password $p_d$, image selection $im_d$, number of clicks $cl_d$ and cropped region $cr_d$ given by the new user, are stored under the new user id $uid_d$.

III.5. Steps to Login

This section delineates the steps to log in to access a particular application. The steps are as follows:
1. Give the user id $uid_l$ and password $p_l$.
2. Select an image $im_l$ from the set of images $IM_d$ as done for the respective user name during registration.
3. Make the number of clicks $cl_l$ on the selected image $im_l$ as done during registration.
4. Crop $cr_l$ the image as done during registration.

After all the required fields for login are given, i.e. user name $uid_l$, password $p_l$, number of clicks $cl_l$ and the cropped image $cr_l$, the server checks whether the user name $uid_l$ exists in the database $UID_d$ or not. If the user id $uid_l$ does not exist in the database $UID_d$, it does not allow the user access. If the user name $uid_l$ exists in the database $UID_d$, the server checks whether the password $p_l$, the selected image $im_l$, the number of clicks $cl_l$ on the image and the crop $cr_l$ made on the image by the user are correct for that user id. If the details given by the user are correct for the respective user name, the server allows the user access. The aforementioned steps are explained as follows. If a user needs to access any application on the web, he opens his account using the user id and password he already created in the registration section. In the login section the system asks the user to give the user id $uid_l$, and then checks whether the user id $uid_l$ exists in the database or not. If the user id $uid_l$ given in the login section exists in the database, the system allows the user to proceed to the next level of the login process. This is expressed by the condition below:

$$L_{uid} = \begin{cases} \text{next level}, & \text{if } uid_l \in UID_d \\ \text{not exist}, & \text{else} \end{cases}$$

where:
$L_{uid}$: condition to go to the next level in the login section
$uid_l$: user id given by the user in the login section
$UID_d$: existing user ids in the database

If the user id $uid_l$ given in the login section does not exist in the database, the system does not allow the user to proceed to the next level of the login process. After user id verification, the system asks the user to enter the password and to select an image $im_l$ from the set of images $IM_d$, then to make the number of clicks $cl_l$ on the selected image, and then to crop the image $cr_l$ as the user did in the registration section when creating the account. Thereafter, the system checks all the details, i.e. password $p_l$, selected image $im_l$, number of clicks $cl_l$ and cropped image $cr_l$ given by the user in the login section, against the details stored under that user id in the database. If both sets of details are the same, the system allows the user to access the application; if not, the system denies access. This is expressed by the equation below:

$$\text{log in} = \begin{cases} \text{allow}, & \text{if } p_l = p_d,\; im_l = im_d,\; cl_l = cl_d,\; cr_l = cr_d \\ \text{don't allow}, & \text{else} \end{cases}$$

where:
$p_l$: password given by the user in the login section
$p_d$: password stored under the user id $uid_l$
$im_l$: image selected by the user in the login section from the set of images
$im_d$: image stored under the user id $uid_l$
$cl_l$: number of clicks made by the user in the login section
$cl_d$: number of clicks stored under the user id $uid_l$
$cr_l$: image cropped by the user in the login section
$cr_d$: cropped image stored under the user id $uid_l$

IV. Result and Discussion

This section discusses the results obtained for our recommended technique. It contains the user interface design, an attack analysis based on two security attacks, and security considerations.

IV.1. User Interface Design

This section explains the user interface of our recommended technique. When a user needs to access a web application, he should have an account to access it. When an application is opened it has two options, login and registration. Fig. 4 shows the start page of an application. In this figure, it has two options, ‘sign up’ and ‘sign in’. If the user does not have an account to access the application, he needs to select the ‘sign up’ page to open an account, and if the user has an account to access the application, he needs to select the ‘sign in’ page. Fig. 5 shows the registration page of the application.
Fig. 4. Start Page of an application

Fig. 5. Registration Page

If the user does not have an account to access the application, he selects the ‘sign up’ page, which opens the registration page. The user is required to fill in all the details asked for by the registration page. The mandatory fields the user needs to give are user name, password, image selection, clicks on the image and cropping of the image. After all the details are given by the user, the system creates an account based on the given user name if that user name does not already exist in the database. Fig. 6 shows the login page with incorrect details given by the user. If the user has an account to access the application, he selects the ‘sign in’ page. In the ‘sign in’ page, the user ought to give all the mandatory fields correctly with respect to the user id. If any field is not the same as the fields stored in the database for the respective user id, the system does not allow that user to use the application. Fig. 7 shows the login page with correct information.

Fig. 6. Login page with incorrect details

Fig. 7. Login page with correct details

The system gives only three chances if the user gives incorrect information. If the user does not succeed within those three chances, the server blocks the IP address of that user for some duration of time. If the user gives the correct details in any one of the three chances, the system allows that user to access the application. We have used a simple application to demonstrate our recommended technique. Our application consists of composing a mail and receiving mail in an inbox. If the user needs to send a mail to another user, he selects the ‘compose’ option, and if the user needs to check received mails, he selects the ‘inbox’ option. Fig. 8 shows the simple application for sending and receiving mail. Composing a mail to send to another user is shown in Fig. 9. It is done by selecting the ‘compose’ option. The compose mail page contains the from address, to address, subject of the mail and a text message field to convey the message. The user can check received mails by selecting the ‘inbox’ option on the application page. All the messages received are stored in the inbox. Fig. 10 shows the inbox page of our sample application.

Fig. 8. Application page for sending and receiving mail

Fig. 9. Page to compose a mail

Fig. 10. Inbox page of our sample application

IV.2. Attack Analysis

To analyze our technique, we have considered two methods, the random security attack and the brute force attack. The methods we considered are explained as follows.

IV.2.1. Random Security Attack

The random security attack is a simple attack technique used by hackers. In this type of attack, users are targeted randomly, i.e. the hackers do not know anything about the user. The hackers give the user name randomly and the password randomly. If the user name and password they gave happen to be correct, they hack that respective user. In this type of attack, the probability of hacking is low because the hackers are trying user names and passwords randomly. Even then there is a small chance of identifying a correct user name and password, and if the hackers hack some user id, that user is not a targeted one. In our work we have five mandatory fields in the login page to access an account: user id, password, image selection, number of clicks and cropped image. If the hackers enter all the fields correctly, they can hack that user. Generally applications have two mandatory fields in the login page to access an account. So compared to two-mandatory-field login applications, a five-mandatory-field login application would be very difficult to hack using this random security attack. The probability of hacking our technique is very low compared to the other techniques because even if the hackers enter the user name and password correctly, they need to select the correct image from the set of images in the database, give the correct number of clicks and crop the image correctly.

IV.2.2. Brute Force Attack

The brute force attack is another technique used by hackers who know certain information about a user's account. This is the most widely used hacking technique. Using this technique, the probability of giving the correct password is high in two-mandatory-field applications if the hacker knows the user id, because this technique is used when the hacker knows some information about the user's account; i.e. if the hacker knows the length of the password, the hacker can find the correct password, but the execution time will be long. In our recommended technique we have used a five-mandatory-field application and the fields are user id, password, image selection, number of clicks and cropped region.

TABLE I
ALL THE FIVE FIELDS TAKEN RANDOMLY
No. of attempts   Correct attempts   Wrong attempts
10000             0                  10000
50000             0                  50000
70000             0                  70000
100000            0                  100000
200000            0                  200000

TABLE II
USERNAME CONSTANT AND ALL THE OTHER FOUR FIELDS TAKEN RANDOMLY
No. of attempts   Correct attempts   Wrong attempts
10000             0                  10000
50000             0                  50000
70000             0                  70000
100000            0                  100000
200000            0                  200000

TABLE III
USERNAME AND PASSWORD CONSTANT AND ALL THE OTHER THREE FIELDS TAKEN RANDOMLY
No. of attempts   Correct attempts   Wrong attempts
10000             0                  10000
50000             0                  50000
70000             0                  70000
100000            0                  100000
200000            0                  200000

Table I shows the number of attempts that the hackers made correctly when all five fields are given randomly. Table I is explained as follows: when the hackers attempted ten thousand times, the number of correct attempts they made is zero and all attempts are wrong. Similarly, they could not enter the page even once when they made fifty thousand, seventy thousand, one lakh and two lakh attempts. Table II shows the number of correct attempts made by the hacker when the hacker knows the user name and gives all the other four fields randomly. Here also, the hacker could not make even one correct attempt among two lakh attempts. Table III shows the number of correct attempts the hacker made when the hacker knows the user name and password and gives the other three fields randomly. The values in Table III show that the hacker could not make a single correct attempt among two lakh attempts.
In our recommended technique, we consider two cases for the information known to the brute force attacker. In the first case the attacker knows the length of the password used to login; in the second case the attacker knows the size, i.e. the length and breadth, of the cropped image used to login. A sample working principle of the brute force attack is as follows: consider a password of two characters consisting of letters and numbers; then there are 3844 different ways to find the correct password. For the first character the number of options is 62, i.e. 26 lower case letters, 26 upper case letters and 10 numbers. The number of options for the second character is also 62, so the total number of possibilities for a two-character password is 3844, the product of the numbers of options for the first and second characters. Table IV shows the number of correct attempts made when the hackers know the length of the password but not the exact password. The hacker predicts the password from dictionary words; for instance, if the password length is five characters, the hacker uses five-character dictionary words. In this case all the fields are given randomly by the hackers, but a fixed length is used for the password field. Table V shows the number of correct attempts made when the hackers know both the password length and the size of the cropped image. Here the hackers again give all fields randomly, but use a fixed length for the password and a fixed size for the cropped region. The numbers of attempts in the tables are for verification purposes only. In reality, the system allows three attempts to login to the application; if the user cannot give the correct combination in three attempts, the server blocks that IP address for a certain duration of time.
TABLE IV
BRUTE FORCE ATTACK KNOWS PASSWORD LENGTH
No. of attempts | Correct attempts | Wrong attempts
10000 | 0 | 10000
50000 | 0 | 50000
70000 | 0 | 70000
100000 | 0 | 100000
200000 | 0 | 200000

TABLE V
BRUTE FORCE ATTACK KNOWS THE PASSWORD LENGTH AND THE SIZE OF THE CROPPED IMAGE
No. of attempts | Correct attempts | Wrong attempts
10000 | 0 | 10000
50000 | 0 | 50000
70000 | 0 | 70000
100000 | 0 | 100000
200000 | 0 | 200000

IV.3. Security Consideration

This section explains the security considerations of our recommended technique.

In our technique, we use five mandatory fields: user id, password, selecting an image from a set of images, making a number of clicks on that image and cropping the correct region of that selected image. Generally, two mandatory fields are used to access a web application, namely user id and password. In the random security attack, the hackers supply the required login fields at random. We consider three cases of the random security attack: all fields given randomly; all fields except the user name given randomly; and all fields except the user name and password given randomly. Comparing a two-field application with our technique under the random security attack, our technique is much more secure, because in the first case the hackers need only guess two fields at random, whereas in our technique they must guess five fields to obtain the correct combination to login. So the probability of obtaining the correct combination is far lower for our technique than for two-field applications. In the second case, the hackers know the user name but not the other fields. Here a two-field application requires only the password to be guessed, but our technique requires the password, the image selection, the number of clicks on the selected image and the cropped region of the selected image to be guessed. If the number of attempts is high, the vulnerability of two-field applications is high, whereas in our technique it remains low because four further fields must be guessed. So the probability of obtaining the correct combination is lower for our technique, and our technique is therefore better than two-field applications. In the third case, the hacker knows the user id and the password but not the other fields; for example, the hacker may be a friend of the account holder who has learned the user id and password anyway. A two-field application is compromised outright in this case, but our technique still requires the hacker to know the other three fields, so the probability of a successful attack is lower and our technique is again better than two-field applications.

In the brute force attack, the hackers know certain information about an account but not the exact values. We consider two cases: the hackers know the password length, and the hackers know both the password length and the cropped size of the image. In the first case, the hacker knows the password length, so a two-field application is vulnerable: as the number of attempts increases, the probability of finding the correct password is high, whereas for our technique it remains low because the hacker must also know the other three fields correctly. So in this case our technique is better than two-field applications. The second case does not apply to two-field applications at all; for our technique, even if the hacker knows the password length and the cropped size of the image, the probability of finding the correct combination to login is very low.
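The server-side policy described above (five fields checked against the record for the user id, three attempts, then the IP address is blocked for a while) can be implemented as follows. This is an added example, not the authors' sample application; the block duration, the PBKDF2 password storage, the crop tuple layout and the single pass/fail verdict are assumptions made here.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 3      # the paper allows three login attempts before blocking
BLOCK_SECONDS = 900   # assumed block duration; the paper only says "certain duration"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

@dataclass
class Record:
    """Server-side copy of the five mandatory fields for one user id."""
    salt: bytes
    password_hash: bytes        # salted PBKDF2 of the password, never the password itself
    image_id: int
    clicks: int
    crop: tuple                 # (x, y, width, height) of the region cropped at registration

@dataclass
class LoginServer:
    users: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)  # ip -> consecutive failed attempts
    blocked: dict = field(default_factory=dict)   # ip -> time at which the block expires

    def register(self, user_id, password, image_id, clicks, crop):
        salt = secrets.token_bytes(16)
        self.users[user_id] = Record(salt, _hash(password, salt), image_id, clicks, tuple(crop))

    def login(self, ip, user_id, password, image_id, clicks, crop, now=None):
        """Return 'ok', 'denied' or 'blocked'; never reveals which field was wrong."""
        now = time.time() if now is None else now
        if self.blocked.get(ip, 0) > now:
            return "blocked"                      # address is still serving its block
        rec = self.users.get(user_id)
        # Evaluate every field even for an unknown user id: the caller sees only pass/fail.
        r = rec if rec is not None else Record(b"\0" * 16, b"\0" * 32, -1, -1, ())
        ok = hmac.compare_digest(_hash(password, r.salt), r.password_hash)
        ok = ((image_id, clicks, tuple(crop)) == (r.image_id, r.clicks, r.crop)) and ok
        if ok and rec is not None:
            self.failures.pop(ip, None)           # a successful login clears the counter
            return "ok"
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= MAX_ATTEMPTS:     # third failure blocks the address
            self.blocked[ip] = now + BLOCK_SECONDS
            self.failures.pop(ip, None)
        return "denied"
```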
V. Conclusion
In this paper, we have recommended a method for web security using mutual authentication and a clicking- and cropping-based image CAPTCHA technique. We use two sections, one to open an account and one to access the web application. The first is the registration section, with mandatory fields such as user id, password, selection of an image, number of clicks and cropped image, which are filled in by the new user. The second is the login section, which has the same mandatory fields as the registration section. The features added in our recommended technique are image selection from a set of images, the number of clicks and the image cropping. Even if the user id and password are correct, the user must select the correct image, make the correct number of clicks on that image and crop the correct region of that image to access the application. The security of our technique is shown in the attack analysis section using two different attacks, and the results show that the hackers could not make even one correct attempt. This indicates that the security of our technique is enhanced by these added features.
Authors' information

K. Suresh Kumar (Krishnamoorthy Suresh Kumar) obtained his Bachelor's degree in Computer Science from Bharatiyar University. He then obtained his Master's degree from Madurai Kamaraj University and also completed his Master of Technology in Information Technology at Sathyabama University. He is currently pursuing a PhD in Computer Science, majoring in Web Security, at Anna University, Chennai, Tamil Nadu, India. He is a Life Member of CSI and ISTE. Currently, he is an Associate Professor in the Department of Information Technology at Saveetha Engineering College, Chennai. His specializations include Web Security, networking and Mobile Computing. His current research interests are Web Security, Authentication and E-commerce.

Dr. T. Sasikala received the B.E. CSE and M.E. CSE degrees and the Ph.D. degree from Sathyabama University, Chennai, Tamil Nadu, India. She has 20 years of teaching experience. Currently she is the principal of SRR Engineering College, Padur, Chennai. Her research interests are in networks, wireless sensor networks and heterogeneous wireless networks. Dr. T. Sasikala is a Life Member of CSI. She has published 40 papers in various conferences, including IEEE International Conferences, and journals. Currently 16 research scholars are doing research under her guidance.