Preventing Unauthorized Access to User Accounts in ...

ISSN 1064-2269, Journal of Communications Technology and Electronics, 2009, Vol. 54, No. 11, pp. 1319–1321. © Pleiades Publishing, Inc., 2009. Original Russian Text © V.V. Perminov, V.E. Antciperov, D.S. Nikitov, S.A. Nikitov, 2009, published in Radiotekhnika i Elektronika, 2009, Vol. 54, No. 11, pp. 1391–1393.

APPLICATIONS OF RADIOTECHNOLOGY AND ELECTRONICS IN BIOLOGY AND MEDICINE

Preventing Unauthorized Access to User Accounts in a Telemedicine Consultation System

V. V. Perminov, V. E. Antciperov, D. S. Nikitov, and S. A. Nikitov

Received June 22, 2009

Abstract—Problems of authentication in telemedicine systems and methods for preventing account cracking are considered. A simple approach to prevention of account-password matching without complicating the authentication procedure is proposed.

PACS numbers: 87.57.R-, 84.40.Xb
DOI: 10.1134/S1064226909110138

INTRODUCTION

Medical secrecy is an important aspect of a doctor's practice; therefore, in developing a telemedicine system, the issue of providing information security inevitably arises. In the present paper, we consider the problem of unauthorized access to the accounts of the system users.

Authentication, i.e., verification of the correspondence between a user and his (her) account stored in the information system, is the basic software–hardware means of providing security of the information system. It may be one-sided, when one side proves its authenticity to the other side (e.g., when the user is attempting to get access to a server), or two-sided, when the process is a two-way one, i.e., when both the user and the server prove their authenticity. Logging into an operating system is an example of one-sided authentication.

The authentication of a user is usually carried out by the software–hardware means of the system to which the user wants to get direct or remote access. This is usually a two-stage process. At the initial stage, the system generates a "standard" of the authentication information, e.g., requests the user's name and password, which are then used in recognizing the user as legitimate. The password may automatically be generated and assigned to the user by the system. As a rule, this system of authentication retains the standards of the authentication information in a special user–standard correspondence table. At the final stage, in the process of the authentication proper, the user is requested to present this unique information, which is compared to the standard. If the comparison is successful, the user is granted access to the system.

The authentication mechanisms may be divided into three types:

(1) information-based: the user knows certain special information and demonstrates the knowledge of this information to the system. A conventional login and password are examples of this information;

(2) property-based: the user possesses an object that contains unique information or has unique characteristics. Smart cards and USB keys are examples;

(3) biometrics-based: the user himself (herself) is a carrier of the authentication information. This principle is used in biometric-authentication systems, which make use of the unique traits of an individual. Fingerprints and DNA are examples.

Accordingly, in order to implement the property-based and biometrics-based authentication mechanisms, special equipment is required, without which the authentication is impossible.

1. PASSWORD AUTHENTICATION

A password is the simplest authentication mechanism, built into nearly every information system. To log into the system, the user types in his (her) name and password, which are then checked against the database. If the values of these two identifiers coincide with the standard values contained in the database, the user is authenticated. The passwords are stored in an encrypted form.

In order to remember their passwords, users often choose simple ones (a date of birth, the name of a friend, the name of a favorite film, etc.). However, these passwords are unreliable, and a person closely acquainted with the user can easily guess the password. Moreover, personal acquaintance is not necessary. The lists of passwords compiled annually by computer-security experts show that certain passwords are used most frequently. In connection with this, the problem of their reliability arises [1].

There exist a great number of methods for intercepting a plaintext password and using it to obtain authentication under a borrowed name. Therefore, it is usually advisable to change passwords as often as possible and make them as long and as irregular as possible. This is necessary for preventing password cracking.

The most universal method for password cracking is the brute-force attack. The attacker attempts to log in by methodically trying one password after another. This approach is usually not very efficient. For example, the number of possible six-letter password combinations is $26^6 \approx 3 \times 10^8$. If trying a password takes 0.01 s (a typical dynamic-page access time on the Internet), the matching of such an easy password takes a month of net computing time.

To simplify the matching, dictionary attacks are implemented. This approach to password matching is based on the assumption that, in order to facilitate the memorization of the password, the user makes use of natural-language words, most often words of his (her) native language. For this language, the attacker compiles a dictionary or takes a ready-made one and tries to match symbols not one by one but in groups. Such a dictionary typically includes 500000 words. In our simple case, we may assume that a six-symbol password corresponds approximately to one word. It is obvious that the dictionary reduces the matching complexity by a factor of 1000.

An interesting method for password matching was demonstrated by the Kido virus [2] in early 2009. Its code contained a list of 246 most-used passwords, which were employed in the matching.

Fig. 1. The number of errors made by the user (upper rectangle) and by the attacker (lower rectangle). [Figure labels: 20, 500]

Fig. 2. The number of errors allowed to the account owner (500) and to the other clients (20).

Table UserAddress
Field      Type
UserId     identity
Address    binary [4]
LastLogin  date

Table User
Field      Type
Id         identity
CountP     int
CountN     int

Fig. 3. Structure of the user-address table.

2. COUNTING PASSWORD-INPUT ERRORS

During the development of the telemedicine consultation system [3, 4], we were inevitably faced with the problem of system security. The use of property-based and biometrics-based authentication mechanisms complicates access to the system, since additional equipment has to be employed. For this reason, the task was to protect the accounts on the telemedicine consultation system against cracking without complicating the user interface. The accounts are most vulnerable if weak passwords are used. Instead of passwords, authentication smart cards can be used, but this approach also presents additional difficulties for the user.

To protect the account against a password-cracking attack, the system reacts to isolated password-input errors and counts them. To each user, a counter of failed access attempts is assigned that is set to a limited number of allowed attempts. With each failed attempt, the count is decreased by one. The difference between the attacker trying to match the password and the user trying to recollect the password is in the number of matching attempts required to succeed: it is unlikely that the user will make more than 20 attempts (in this case, it is easier and more advisable to recover the password), whereas the attacker has to make hundreds and thousands of attempts (Fig. 1). Under normal circumstances, when the user remembers the password, an input error is unlikely. When the count reaches zero, the user is requested to recover the password.

This scheme can be supplemented by measures against a probable mass attack: if somebody methodically tries matching the passwords to access the system's accounts, the system can be locked for the attacker, since zeroing of the counters is undesirable in this case.

A more complicated version of this scheme can be employed to distinguish the account owner from other users by his (her) network address and, on the basis of the found difference, assign a privileged state (e.g., an increment in the error count) to an owner who often makes mistakes and for whom the default setting is too low. However, the required count can be preset by the administrator at the user's request. In order to implement such a scheme, it is necessary to store the user's addresses in the database in accordance with a one-to-many scheme and to introduce privileged and non-privileged password-error counters (Fig. 3). The address can be checked for a match by making a request of the form [5, 6]

    select LastLogin from UserAddress where UserId=162 and Address=0xc27b050b

This scheme exhibits a minor vulnerability when the owner of the account makes access from an address that will later be used for launching an attack. This is possible if the access is made from a public access point like an Internet café or from a local-area network with access via network address translation (NAT) or with the use of dynamic address allocation, when the same address can be assigned to another LAN computer. Such a situation is less probable than that of a common attack from the outside.

CONCLUSIONS

Problems of authentication security in telemedicine systems are considered. A method for preventing password matching that is based on counting password-input errors is proposed. With this method, an error counter is assigned to each user, and, after 20 errors are made, the user is requested to recover the password. In contrast to conventional schemes, this scheme provides better protection against attacks that use dictionaries and lists of frequently used passwords and also requires no security schemes involving material objects like smart cards.
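The counter scheme of Section 2, sketched as an added example (this is not code from the paper): two error budgets per account, selected by whether the source address is already recorded for that user. It assumes that CountP is the privileged counter and CountN the non-privileged one, that an address is recorded after a successful login, that counters are not reset on success, and that an exhausted counter refuses even a correct password; SQLite stands in for the paper's database, and `make_db`, `add_user` and `attempt` are hypothetical names.

```python
import ipaddress
import sqlite3

OWNER_LIMIT, OTHER_LIMIT = 500, 20  # error budgets shown in Fig. 2

def make_db():
    """In-memory copy of the two tables of Fig. 3 (SQLite types are stand-ins)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE User (Id INTEGER PRIMARY KEY, CountP INT, CountN INT);
        CREATE TABLE UserAddress (UserId INT, Address BLOB, LastLogin TEXT,
                                  PRIMARY KEY (UserId, Address));
    """)
    return db

def add_user(db, user_id):
    db.execute("INSERT INTO User VALUES (?, ?, ?)",
               (user_id, OWNER_LIMIT, OTHER_LIMIT))

def attempt(db, user_id, ip, password_ok):
    """Process one login attempt; return 'ok', 'denied' or 'recover'.

    password_ok is the outcome of the password check, done elsewhere.
    """
    addr = ipaddress.IPv4Address(ip).packed  # 4 bytes, like binary [4]
    # Same lookup as the paper's query, with bound parameters.
    known = db.execute(
        "SELECT LastLogin FROM UserAddress WHERE UserId=? AND Address=?",
        (user_id, addr)).fetchone() is not None
    # Assumption: CountP is the privileged counter, CountN the other one.
    col = "CountP" if known else "CountN"  # fixed names, never user input
    row = db.execute(f"SELECT {col} FROM User WHERE Id=?",
                     (user_id,)).fetchone()
    if row is None:
        return "denied"    # unknown account
    if row[0] <= 0:
        return "recover"   # budget spent: password recovery required
    if password_ok:
        # Remember the address so later attempts from it are privileged.
        db.execute("INSERT OR REPLACE INTO UserAddress "
                   "VALUES (?, ?, datetime('now'))", (user_id, addr))
        return "ok"
    db.execute(f"UPDATE User SET {col} = {col} - 1 WHERE Id=?", (user_id,))
    return "denied"
```

Failures from an unrecorded address are charged to CountN only, so the owner at a recorded address keeps working on CountP. A client that shares a recorded address (public access point, NAT) draws on the 500-attempt budget instead, which is the minor vulnerability the text describes.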


ACKNOWLEDGMENTS

This study was conducted at the Moscow Engineering Physics Institute (State University) and Institute of Radio Engineering and Electronics, Russian Academy of Sciences, and was supported by the Russian Foundation for Basic Research, project 07-07-00354a.

REFERENCES

1. M. Burnett, Perfect Passwords: Solution, Protection, Authentication (Syngress, Boston, 2005).
2. Virus Encyclopedia: Net-Worm.Win32.Kido, http://www.securelist.com/ru/viruses/encyclopeda?virusid=21782733
3. D. S. Nikitov, Z. A. Snovida, V. E. Antciperov, et al., Usp. Sovrem. Radioelektron., Nos. 5–6, 133 (2004).
4. V. E. Antciperov, D. S. Nikitov, Z. A. Snovida, and V. A. Borodin, Inf. Tekhnol., No. 5, 112 (2003).
5. MySQL AB. http://www.mysql.com/
6. Net Framework Developer Center. http://msdn2.microsoft.com/ru-ru/netframework/
