GENERATION OF ARRAY PASSWORDS USING PETRI NET FOR EFFECTIVE NETWORK AND INFORMATION SECURITY

S. Vaithyasubramanian1, A. Christy2, D. Lalitha3
1. Research Scholar, Sathyabama University, Chennai.
2. Research Supervisor, Sathyabama University, Chennai.
3. Assistant Professor, Sathyabama University, Chennai.

Abstract. Over the years, information and network security has been a persistently troublesome topic in computing. Information and network security begins with the user. An important feature of security is "password authentication". A human-created password comes from a small domain. It is just a matter of time for hackers to break security measures with the available computer power and tools. Online services can be accessed using distinct passwords of varying strengths. Cracking or decoding of passwords poses serious challenges and threats to the security of information. Generating highly secure passwords has therefore become a challenging task. In this work, Petri net based array password generation has been done. The methodology adopted in this paper is novel and more immune.

Keywords: Petri net - Authentication - Password - Alphanumeric - Graphical - Biometric - Limitations - Information Security - Network Security
1. Introduction
In this digital world, people use numerous computing devices to access the available resources for a wide range of purposes. Computing devices have become omnipresent, and people use networks to access them. The foremost concern with the development of the latest standards and applications in the field of computer networks is their security. The leading threats in this area are hacking of the system and cracking of passwords. In general, passwords are the first and probably the only protection against intrusion. A password affords the first line of security against unauthorized access to a computer [5]. A thought-provoking problem in this field is the security of passwords [4]. Some work has been done in this area to improve security, but there is still a need for better methods to overcome password cracking.

The password is an inert secret string composed of keyboard characters. The user name gives the identity of the user, while the password authenticates that he or she is the authorized user. The password is used as the authentication key. Authentication is only one feature of security. Information and network security starts with the user. Human-generated passwords come from a small domain. They tend to be easy to guess, common, short and weak. A password that is resistant to guessing attacks, hybrid attacks, brute force guessing and dictionary attacks is called a strong password. Most strong passwords are computer generated, hard to remember and not user friendly. Maintaining written catalogs of passwords on scraps of paper, or in a text document on the desktop or in mail, is insecure, and such catalogs are effortlessly viewed by snooping eyes [5]. Using the same password over and over again across a wide range of systems and web sites forms the nightmare scenario [14]. When a password cracker cracks the password of a particular user, the cracker has access to every part of that user's life, such as system, e-mail, retail, financial and work accounts.
2. Types of Existing Authentication Methods
Passwords are fundamental in this computing world. A typical computer user has passwords for numerous functions: logging into e-mail accounts, accessing social networks, booking online tickets, net banking, accessing applications, and even reading the newspaper online. From signing in to the operating system to various communications on the Internet, passwords can be classified as a "necessary evil". Access to a computer system is based on an alphanumeric password, a graphical password or biometric authentication. An alphanumeric password is a secret word, string, expression, or combination of various characters and numerals that authenticates the identity of the user. To aid recall, a user can create patterns of string passwords using CFG and CSG, and strong random passwords using a Markov chain [15, 16]. Alternatives to the alphanumeric password came in the form of biometric authentication and graphical passwords, during the late 1970s and 1996 respectively. Recognition of the user's fingerprint, face, voice or iris scan is used as the user's unique biometric identification. In a graphical password [9, 12, 18, 19] the user can choose a pass point or image as their password. Picture-based and drawing-based classifications of graphical passwords are used. More research is going on in this area.
3. Limitations of Existing Methods
Human tendencies in creating passwords make them vulnerable, and they are subject to various cyber attacks. The problem with an alphanumeric password arises largely from the limits of human 'long term memory' [6], which force users to choose weak passwords such as common passwords, dictionary words, obvious passwords, favorites and easily guessable passwords [8]. By violating the policies of the service provider, users create short and weak passwords [10, 14]. Cracking those passwords is very easy. They are cracked by various attacks such as guessing, brute force attack, dictionary attack and hybrid attack [17]. The general issue in graphical password input is clicking outside the tolerance, and users need to understand the degree of precision needed. Graphical passwords are also subject to common means of attack such as shoulder surfing, intersection analysis, social engineering and spyware attack [7, 12, 20]. The foremost problems in biometric authentication are direct hazards. The major issues concerning biometrics are the false rejection and false acceptance rates [11, 13].
4. Need of a good password
The need for a good password is another vital concern. The password problem has led to innovations to improve passwords. As an alternative to traditional alphanumeric passwords, the past decades have seen emerging attention to graphical passwords and biometric authentication. These authentication techniques have their own strengths and limitations. The problems with these techniques have led to innovations for improving passwords. One innovation is the array password, i.e. a password that is based on the generation of an array rather than on alphanumeric strings, graphical passwords or biometric authentication. The basic idea is that using arrays will lead to greater security and decrease the tendency to choose an insecure password. This, in turn, should increase overall security. Several array password systems described in the forthcoming section have been developed.
5. PETRI NET
A Petri net [1] is a graphical and mathematical modeling tool which can be applied to many systems. Tokens are used to simulate the dynamic and concurrent activities of systems. The Petri net was introduced by Carl Adam Petri in 1962. The Petri net graph is a directed, weighted, bipartite graph consisting of two kinds of nodes, called places and transitions. Arcs are either from a place to a transition or from a transition to a place. In the graphical representation places are represented by circles and transitions are represented by bars. Arcs are labeled with their weights (positive integers). Labels for unit weight are generally omitted. The weights can also be represented by drawing parallel arcs.

A marking assigns to each place a non-negative integer. If the marking assigns to a place p a non-negative integer k, then the place p is said to have k tokens. Pictorially, k black dots are placed in p. A marking is denoted by M, an m-vector, where m is the number of places in the net. The ith component of M denotes the number of tokens in pi.

In modeling conditions and events, places represent conditions and transitions represent events. A transition has a certain number of input places and output places representing the pre-conditions and post-conditions of the event, respectively. The presence of a token in a place is interpreted as the condition associated with the place being true. When a transition fires (an event takes place), the marking of the net changes. The marking changes according to the firing rules given below.
(i) A transition t is enabled if each input place p is marked with at least w(p, t) tokens, where w(p, t) is the weight of the arc from p to t.
(ii) An enabled transition may or may not fire (depending on whether or not the event actually takes place).
(iii) Firing an enabled transition t removes w(p, t) tokens from each input place p of t and adds w(t, p) tokens to each output place p of t, where w(t, p) is the weight of the arc from t to p.
The graph given below illustrates the firing rules. Figure 1(a) shows the marking before firing transition t, which is enabled, and Figure 1(b) shows the marking after firing transition t, where t is disabled. Since the weight of the arc from p1 is two, firing t removes two tokens from p1. After firing t, two tokens are put in p3 since the weight of the arc to p3 is two.

[Figure 1(a): Position of tokens before the transition fires]
[Figure 1(b): Position of tokens after the transition fires]
The formal definition of a Petri net follows.

5.1 Definition: A Petri Net structure is a four tuple C = (P, T, I, O) where P = {p1, p2, ..., pn} is a finite set of places, n ≥ 0, T = {t1, t2, ..., tm} is a finite set of transitions, m ≥ 0, P ∩ T = Ø, I: T → P∞ is the input function from transitions to bags of places and O: T → P∞ is the output function from transitions to bags of places.

Note: A bag, like a set, is a collection of elements over some domain. Unlike sets, bags allow multiple occurrences of elements. When the weight of an arc from a transition to a place is more than one, the place is repeated in the bag that many times. The number of tokens put in the place will depend on the number of times it occurs in the bag. If the weight of an arc from a place to a transition is more than one, then again the place is repeated in the bag that many times. The number of tokens required in the place, for the transition to be enabled, will depend on the number of times it occurs in the bag.

5.2 Definition: A Petri Net marking is an assignment of tokens to the places of a Petri Net. The tokens are used to define the execution of a Petri Net. The number and position of tokens may change during the execution of a Petri Net.

After the basic definitions of Petri net, the Petri net structure that generates rectangular arrays is defined.
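The firing rules (i)-(iii) and the bag-valued input and output functions of Definition 5.1, as an added example in Python (not code from the paper). It models the net of Figure 1; the initial marking (two tokens in p1, one in p2, none in p3) and the unit weight on the arc from p2 are assumptions, since the figure does not survive in this text.

```python
from collections import Counter


class PetriNet:
    """Petri net structure C = (P, T, I, O) with I and O given as bags of places."""

    def __init__(self, places, inputs, outputs):
        self.places = list(places)
        # A bag is stored as a Counter: the number of times p occurs in I(t)
        # is the arc weight w(p, t); likewise O(t) gives w(t, p).
        self.inputs = {t: Counter(bag) for t, bag in inputs.items()}
        self.outputs = {t: Counter(bag) for t, bag in outputs.items()}

    def enabled(self, marking, t):
        """Rule (i): every input place p holds at least w(p, t) tokens."""
        return all(marking[p] >= w for p, w in self.inputs[t].items())

    def fire(self, marking, t):
        """Rule (iii): return the marking reached by firing t.

        The marking passed in is left unchanged, which also reflects rule (ii):
        an enabled transition only changes the net if the caller fires it.
        """
        if not self.enabled(marking, t):
            raise ValueError(f"transition {t} is not enabled")
        new = dict(marking)
        for p, w in self.inputs[t].items():
            new[p] -= w          # remove w(p, t) tokens from each input place
        for p, w in self.outputs[t].items():
            new[p] += w          # add w(t, p) tokens to each output place
        return new

    def as_vector(self, marking):
        """Marking as the m-vector M, ordered like the list of places."""
        return [marking[p] for p in self.places]


def figure1_net():
    # I(t) = {p1, p1, p2}: arc p1 -> t has weight 2, arc p2 -> t weight 1 (assumed).
    # O(t) = {p3, p3}: arc t -> p3 has weight 2.
    return PetriNet(["p1", "p2", "p3"],
                    inputs={"t": ["p1", "p1", "p2"]},
                    outputs={"t": ["p3", "p3"]})


# Assumed initial marking for Figure 1(a).
M0 = {"p1": 2, "p2": 1, "p3": 0}

if __name__ == "__main__":
    net = figure1_net()
    print("before:", net.as_vector(M0), "t enabled:", net.enabled(M0, "t"))
    M1 = net.fire(M0, "t")
    print("after: ", net.as_vector(M1), "t enabled:", net.enabled(M1, "t"))
```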
6. ARRAY TOKEN PETRI NET STRUCTURE
This section defines a Petri net structure [2, 3] to generate rectangular arrays. The basic notations used are first explained.

6.1 Basic Notations: Σ** denotes the arrays made up of elements of Σ and Σ++ denotes nonempty arrays made up of Σ. If A and B are two arrays having the same number of rows then A Ф B is the column wise catenation of A and B. If two arrays have the same number of columns then A Ө B is the row wise catenation of A and B. (x)^n denotes a horizontal sequence of n 'x' and (x)_n denotes a vertical sequence of n 'x' where x є . (x)^(n+1) = (x)^n Ф x and (x)_(n+1) = (x)_n Ө x. denotes either Ф or Ө.

The array token Petri net structure retains the four components of C as given in definition 5.1. The tokens positioned in places are taken as rectangular arrays over a given alphabet. Some of the transitions are labeled in this net structure. Two types of labels have been used: (i) a designated input place, (ii) a catenation rule. Column catenation and row catenation are the two types of catenation that are possible with rectangular arrays. These catenations take place provided the condition for catenation is satisfied. When two arrays have the same number of rows, the arrays can be catenated column wise. When two arrays have the same number of columns, the arrays can be catenated row wise.

6.2 Catenation Rule
(i) Column catenation rule as a label for transition
The column catenation rule is of the form A Ф B. Here the array A denotes the m x n array in the input place of the transition. B is an array language whose number of rows will depend on 'm', the number of rows of A. The number of columns of B is fixed. For example, A Ф (x x)_m adds two columns of x after the last column of the array A which is in the input place, and (x x)_m Ф A would add two columns of x before the first column of A. Here 'm' would denote the number of rows of the input array A.

For example, if A is the array

    a a a
    a a a
    a a a

then A Ф (x x)_m would be the array

    a a a x x
    a a a x x
    a a a x x

and (x x)_m Ф A would be the array

    x x a a a
    x x a a a
    x x a a a

(ii) Row catenation rule as a label for transition
The row catenation rule is of the form A Ө B. Here again the array A denotes the m x n array in the input place of the transition. B is an array language whose number of columns will depend on 'n', the number of columns of A. The number of rows of B is always fixed. For example, A Ө ((x)_2)^n (the column x over x, repeated n times) adds two rows of x after the last row of the array A which is in the input place. But ((x)_2)^n Ө A would add two rows of x before the first row of the array A. Here 'n' would denote the number of columns of the input array A.

For example, if A is the array

    a a a
    a a a
    a a a

then A Ө ((x)_2)^n would be the array

    a a a
    a a a
    a a a
    x x x
    x x x

and ((x)_2)^n Ө A would be the array

    x x x
    x x x
    a a a
    a a a
    a a a

Now the firing rules are listed out in the array generating Petri net structure, where arrays are taken as tokens.
6.3 Firing rules
In this Petri net structure three types of transitions are enabled and can be fired.

(i) When all the input places of a transition have the same array as token
Each input place should have at least the required number of arrays. Firing t removes arrays (according to the weight of the arc) from all the input places and moves the array to all its output places.

[Figure 2(a): Transition without label before firing]
[Figure 2(b): Transition without label after firing]

Figure 2(a) shows the position of the arrays before firing t, where it is enabled, and Figure 2(b) shows the position of the arrays after firing t, where it is disabled.

(ii) When all the input places of a transition have different arrays as token
The transition has a designated input place as label. The designated place has the same array as tokens. Each input place should have at least the required number of arrays. Firing t removes arrays from all the input places and moves the array from the designated input place to all its output places.

[Figure 3(a): Transition t with a designated place as label, t (p1), before firing]
[Figure 3(b): Firing t puts the array in p1 into the output place]

Figure 3(a) shows that the input place p1 of the transition t has two tokens of array A, with another array A1 in the input place p2. The transition is enabled since the label designates the input place which has the required number of copies of the same array. Figure 3(b) shows the position of the arrays after firing t, where it is disabled. The array from the designated place p1 is moved to the output place p3. The array A1 is consumed in this process.

(iii) When all the input places of t (with catenation rule as label) have the same array as token
Each input place should have at least the required number of arrays. The condition for catenation should be satisfied. Firing t removes arrays from all the input places p and the catenation is carried out in all its output places.

An example to explain the row catenation rule is given below. Figure 4(a) shows the position of the arrays before firing t, where it is enabled, and Figure 4(b) shows the position of the arrays after firing t, where it is disabled. Since the transition is labeled with a catenation rule, the catenation takes place in p3.

[Figure 4(a): Transition t with row catenation rule as label, t (A Ө (x)^(n-1) y), before firing]
[Figure 4(b): Row catenation carried out in the output place p3]

If A is the array

    a a a
    a a a
    a a a

the number of columns of A is 3, so n-1 is 2. Firing t adds the row

    x x y

after the last row of A. Hence A1 is the array

    a a a
    a a a
    a a a
    x x y

6.4 Set of Labels: Three types of labels are assigned to transitions in this model:
(i) λ - when no label is attached to the transition
(ii) pi - when one of the input places of the transition is designated as a label
(iii) R1 - when a catenation rule of the form A Ф B or A Ө B is used as a label
The set of labels L is defined as L = {λ} ∪ P ∪ R1. R1 denotes the catenation rules of the form A Ф B or A Ө B, where A is the array that is in the input place of the transition and B is an array language.

6.5 Definition: An Array Token Petri Net Structure (ATPNS) is a five tuple N = (Σ, C, M0, σ, F) where Σ is a given alphabet, C = (P, T, I, O) is a Petri net structure with arrays of Σ** in certain places of P as initial markings, M0: P → Σ**, σ: T → L is a mapping from the set of transitions to the set of labels, and F ⊆ P is a finite set of final places.

6.6 Definition: If N is an ATPNS then the language generated by the Petri net structure is defined as L(N) = {A є Σ** / A is in p for some p in F}.

Starting with arrays over a given alphabet as the initial marking, firing the enabled transitions moves the arrays. If the transition has a catenation rule as label, the catenation takes place. The arrays change in position, in number and also in size. All arrays reaching the final place or a set of final places are collected as the language generated by the Array Token Petri Net Structure.
7. Model Formulation and Generation of Array Passwords
In this section we discuss the model formulation and firing sequence for the generation of array passwords. Our model generates up to 2 X 2 array passwords with two input symbols, and this can be extended. The number of possibilities and the running time required to encrypt are listed in the following table. The table gives estimates of the running time [4] required on a PDP-11/70 to test all possible characters of length n chosen from various sets of characters. The time estimate has been given only for the characters and not for the order of the array. The major difficulties for crackers will be (i) identification of the order of the array and (ii) the type of character used.

7.1 Petri Net to generate all possible 2x2 arrays over the alphabet {a, b}:
The ATPNS generating 2 X 2 arrays is as follows. Let the start arrays be S1 = B1 and S2 = B2, with ∑ = {a, b}; P = {p, p', p1, p2, p3, p4}; T = {T, T', t1, t2, t3, t4, t6, t7}; F = {p4}; σ (T) = λ; σ (T) = λ; σ (T') = λ; σ (t2) = A Ө B1; σ (t3) = A Ө B2; σ (t4) = A Ф B3; σ (t5) = A Ф B4; σ (t6) = A Ф B5; σ (t7) = A Ф B6. Let the arrays involved in the rules associated with the transitions be given as follows.

    B1 = a,   B2 = b,   B3 = a,   B4 = a,   B5 = b,   B6 = b
                             a         b         a         b

[Fig. 5: Petri net model generating 2 X 2 array passwords]

7.2 Firing Sequences
The arrays S1 and S2 are the start arrays of the net. In this example it is the element in the a11 position of the array. Firing T will push the start array S1 into the output place P3. Firing T' t1 will push the start array S2 into the place P3. A copy of the array also remains in P and P'. Firing t2 or t3 adds an element below, so that the array reaching P3 will be of size 2x1. Hence the firing sequences T t2, T t3 generate the arrays

    a        a
    a  and   b

respectively. The firing sequences T' t1 t2, T' t1 t3 generate the arrays

    b        b
    a  and   b

respectively. Firing t4 adds the column (a over a). Firing t5 adds the column (a over b), firing t6 adds the column (b over a), and firing t7 adds the column (b over b).

Thus there are 16 possible firing sequences T t2 t4, T t2 t5, T t2 t6, T t2 t7, T t3 t4, T t3 t5, T t3 t6, T t3 t7, T' t1 t2 t4, T' t1 t2 t5, T' t1 t2 t6, T' t1 t2 t7, T' t1 t3 t4, T' t1 t3 t5, T' t1 t3 t6, T' t1 t3 t7 generating the 16 possible combinations of 2x2 arrays over the alphabet {a, b}. An example of generating a 2 x 2 array is illustrated below.

    b  --t1-->  b  --t2-->  b  --t6-->  b b
                            a           a a

Example 1: Illustration generating a 2 X 2 Array.
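The ATPNS of section 7.1 run as an added example in Python (not the authors' code): it applies the catenation rules of section 6.2 and the firing rules of section 6.3, and collects every array that reaches the final place p4 together with the firing sequence that produced it. The arc layout (T: p to p and p1; T': p' to p' and p2; t1: p2 to p1; t2, t3: p1 to p3; t4 to t7: p3 to p4) is an assumed reading of Fig. 5, which does not survive in this text, and σ(t1) = λ is likewise assumed.

```python
from collections import deque


def col_cat(A, B):
    """Column catenation A Ф B; defined only for equal row counts."""
    if len(A) != len(B):
        raise ValueError("column catenation needs the same number of rows")
    return tuple(ra + rb for ra, rb in zip(A, B))


def row_cat(A, B):
    """Row catenation A Ө B; defined only for equal column counts."""
    if len(A[0]) != len(B[0]):
        raise ValueError("row catenation needs the same number of columns")
    return A + B


# An array is a tuple of row strings. Start arrays and B1..B6 are those of section 7.1.
S1, S2 = ("a",), ("b",)
B1, B2 = ("a",), ("b",)
B3, B4, B5, B6 = ("a", "a"), ("a", "b"), ("b", "a"), ("b", "b")

# transition -> (input place, output places, label); label None stands for λ.
# ASSUMPTION: this arc layout is a reading of Fig. 5, not taken verbatim from the paper.
TRANSITIONS = {
    "T":  ("p",  ("p", "p1"),  None),          # keeps a copy of S1 in p
    "T'": ("p'", ("p'", "p2"), None),          # keeps a copy of S2 in p'
    "t1": ("p2", ("p1",), None),               # assumed unlabeled
    "t2": ("p1", ("p3",), (row_cat, B1)),      # A Ө B1
    "t3": ("p1", ("p3",), (row_cat, B2)),      # A Ө B2
    "t4": ("p3", ("p4",), (col_cat, B3)),      # A Ф B3
    "t5": ("p3", ("p4",), (col_cat, B4)),      # A Ф B4
    "t6": ("p3", ("p4",), (col_cat, B5)),      # A Ф B5
    "t7": ("p3", ("p4",), (col_cat, B6)),      # A Ф B6
}
START = {"p": S1, "p'": S2}
FINAL = {"p4"}


def generate(transitions=TRANSITIONS, start=START, final=FINAL):
    """Return {array: firing sequence} for every array that reaches a final place.

    Every transition here has one input place and unit arc weights, so it is
    enough to track which (place, array) pairs are reachable.
    """
    seen = {(place, array): () for place, array in start.items()}
    queue = deque(seen)
    while queue:
        place, array = queue.popleft()
        seq = seen[(place, array)]
        for name, (src, dsts, label) in transitions.items():
            if src != place:
                continue
            try:
                out = array if label is None else label[0](array, label[1])
            except ValueError:
                continue  # catenation condition not satisfied: t is not enabled
            for dst in dsts:
                if (dst, out) not in seen:
                    seen[(dst, out)] = seq + (name,)
                    queue.append((dst, out))
    return {arr: seq for (place, arr), seq in seen.items() if place in final}


if __name__ == "__main__":
    for arr, seq in generate().items():
        print(" ".join(seq).ljust(12), " / ".join(arr))
```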
The following table gives a clear picture of the order of the array, the number of possibilities for 2 input symbols, the option of character and the running time required to estimate the characters.

S.NO   ORDER / SIZE   NUMBER OF POSSIBILITIES   OPTION OF    RUNNING TIME
                      FOR 2 INPUT SYMBOLS       CHARACTER    REQUIRED
1      1X1            2                         95           120 MILLISEC
2      1X2            4                         95^2         11 SEC
3      2X1            4                         95^2         11 SEC
4      3X1            8                         95^3         17 MIN
5      1X3            8                         95^3         17 MIN
6      2X2            16                        95^4         28 YRS
7      2X3            64                        95^6         29 YRS
8      3X2            64                        95^6         29 YRS
9      3X3            512                       95^9         -----

Table 1: Number of possibilities and estimation time for 95 printable characters
Conclusion
In this paper we recommend a new way of creating array passwords using Petri nets. With only 2 input symbols, for a 3 X 3 array there are 512 possibilities and 95^9 character options. For a 3 X 2 array there are 64 possibilities and the running time required is 29 years; the running time has been calculated for character selection, not for the order of the array. This paves a new way toward a valuable and protected mechanism for web logins. Our approach can be effectively and securely used as the authentication mechanism for public and untrusted terminals. Considerable further research and user studies are necessary for these password techniques to reach advanced levels of development and efficiency. True security, however, is an attribute of the entire human-computer environment, not just what is stored digitally. Future work on this password generation method should not leave the human out of the equation. With the immense growth in computer power, and complexity increasing every day, today's secure applications will not be so safe tomorrow.
References
[1] James L. Peterson, Petri Net Theory and Modeling of Systems, Prentice Hall, Inc., Englewood Cliffs, NJ, 1981.
[2] D. Lalitha and K. Rangarajan, "Column and row catenation petri net systems", Proceedings of the Fifth IEEE International Conference on Bio-Inspired Computing: Theories and Applications (2010), 1382-1387.
[3] D. Lalitha, K. Rangarajan and D.G. Thomas, "Rectangular Arrays and Petri Nets", Combinatorial Image Analysis, LNCS Vol. 7655, pp. 166-180, 2012.
[4] Robert Morris and Ken Thompson, Bell Laboratories, "Password Security: A Case History", Communications of the ACM, Nov 1979, Vol. 22, Page No. 594-597.
[5] Edward F. Gehringer, "Choosing passwords: Security and Human factors", IEEE 2002 International Symposium on Technology and Society (ISTAS'02), ISBN 07803-7284-0, Page No. 369-373.
[6] Jeff Yan, Alan Blackwell, Ross Anderson, Alasdair Grant, "Password Memorability and Security: Empirical Results", IEEE Security & Privacy, Vol. 2, Issue 5, 2004, Page No. 25-31.
[7] Susan Wiedenbech, Jim Waters, Jean-Camille Birget, Alex Brodskiy, Nasir Memon, "Authentication Using Graphical Passwords: Basic Results", in Human-Computer Interaction International (HCII), 2005.
[8] Dinei Florencio, Cormac Herley, "A Large-Scale Study of Web Password Habits", Proceedings of the 16th International Conference on the World Wide Web, ACM Digital Library, 2007, Page No. 657-666.
[9] Alireza Pirayesh Sabzevar, Angelos Stavrou, "Universal Multi-Factor Authentication Using Graphical Passwords", Proceedings of the 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems, Page No. 625-632.
[10] Bander AlFayyadh, Per Thorsheim, Audun Josang and Henning Klevjer, "Improving Usability of Password Management with Standardized Password Policies", The Seventh Conference on Network and Information Systems Security SAR-SSI 2012, Cabourg, May 2012, ISBN 978-2-9542630-0-7.
[11] Sharifah Mumtazah Syed Ahmad, et al., "Technical Issues and Challenges of Biometric Applications as access control tools of Information Security", International Journal of Innovative Computing, Information and Control, Volume 8, Number 11, November 2012, ISSN 1349-4198, Page No. 7983-7999.
[12] Haichang Gao, Wei Jia, Fei Ye, Licheng Ma, "A survey on the use of Graphical Passwords in Security", Journal of Software, Vol. 8, No. 7, July 2013.
[13] Monika Bhatnagar, Raina K. Jain, Nilam S. Khairnar, "A Survey on Behavioral Biometric Techniques: Mouse vs. Keyboard Dynamics", IJCA Proceedings on International Conference on Recent Trends in Engineering and Technology 2013, Pg No. 27-30.
[14] Jason Hong, "Passwords Getting Painful, Computing Still Blissful", Communications of the ACM, March 2013, Vol. 56, No. 3.
[15] S. Vaithyasubramanian, A. Christy, "A Practice to Create user friendly secured password using CFG", accepted for International Conference on Mathematical & Engineering Sciences - 2014 (ICMES 2014).
[16] S. Vaithyasubramanian, A. Christy, "A Scheme to Create Secured Random Password using Markov Chain", accepted for International Conference on Artificial Intelligence and Evolutionary Algorithms in Engineering Systems - 2014 (ICAEES 2014).
[17] http://resources.infosecinstitute.com/dictionary-attack-using-burp-suite
[18] Obasan Adebola, Norafida Ithnin, Mohd Zalisham Jali, Nicholas Akosu, "Graphical password Schemes design: enhancing memorability features using Autobiographical Memories", Journal of Theoretical and Applied Information Technology, 10th July 2013, Vol. 53, No. 1.
[19] Sonkar S.K., Paikrao R.L., Awadesh Kumar, "Graphical Password Authentication Scheme Based On Color Image Gallery", International Journal of Engineering and Innovative Technology (IJEIT), Volume 2, Issue 4, October 2012.
[20] Harsh Kumar Sarohi, Farhat Ullah Khan, "Graphical Password Authentication Schemes: Current Status and Key Issues", IJCSI International Journal of Computer Science Issues, Vol. 10, Issue 2, No 1, March 2013.