International Journal of Emerging Technology and Advanced Engineering Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 3, Issue 3, March 2013)
Multilayered Password Security for Banking Application
Raut Shashank, Raut Ankita, Pardeshi Aditi, Chaudhari Kavita
Late G. N. Sapkal College of Engineering, Anjaneri, Nasik
Abstract-- The world in which we work and live our day-to-day lives is moving ever closer to computers. Today, not using computers at all would make it almost impossible to work. Nearly every sector uses computers, and most of the workload is handled with them. Online processing is used everywhere: banking, communication, reservations, bill payment, online shopping, and so on, and all of this processing must be carried out over a secure network. There is therefore a need for a strong authentication system that can guarantee secure transactions over the network. For that purpose many authentication systems are used, such as textual passwords, graphical passwords, biometric passwords and token-based passwords, but the current authentication systems each have disadvantages. The need thus arises for a system that overcomes the disadvantages of the existing systems while also providing strong authentication. In this paper we present and evaluate our contribution, i.e., the combination of textual password, OTPS and 3-D password. The proposed system combines three different password authentication systems. The first is a normal textual password system; after a successful login to the textual password phase, the server (system) sends an OTP password in decrypted form through SMS to the valid user, and this password is valid for only that session. Once the user enters the correct password received from the server, the user passes the OTPS (One Time Password System) phase and enters the 3-D authentication phase. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects.
The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user’s 3-D password. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space. After successful login to these three different authentication systems user can use the services of the secured system.
Fig.1: Authentication
In the “Knowledge Based” (what you know) approach every user must keep secret information in mind and apply it as required. In the second scenario, “Token Based” (what you have), a token must be acquired from the concerned authority and is then used for further transactions. In “Biometrics” (what you are), the “genuine” characteristics of our body are used for authentication.
1.1 Existing System
Textual passwords are commonly used. One major drawback of the textual password is its two conflicting requirements: passwords must be easy to remember and, at the same time, hard to guess. Even though the full textual password space for eight-character passwords consisting of letters and numbers is almost 2 × 10^14 possible passwords, it is easy to crack 25% of the passwords by using only a small subset of the full password space. Many biometric authentication schemes have been proposed in which physical characteristics of the human being are used in the authentication process, such as retina scan, iris scan, fingerprint, palm vein recognition, etc. The problems with biometric systems are the high cost of the additional devices and the fact that features of the human body change during a person’s lifetime. A token is a physical device that an authorized user of computer services is given to ease authentication. The term may also refer to software tokens. Security tokens are used to prove one's identity electronically. There is also the overhead of carrying the token every time authentication is needed, and the token can be stolen.
Keywords-- Authentication, 3D virtual environment, One Time Password (OTP), Graphical password, Token based system, Textual password, Biometrics, 3D password, Multilevel.
I.
INTRODUCTION
As the number of computer users has increased, many security issues have arisen. One major security issue is authentication, which is the process of validating that only legitimate users can get access to the system.
Graphical passwords are classified as follows: 1) recognition based and 2) recall based. Various graphical password schemes have been proposed. It is a known human tendency that images are remembered better than text. Since the user has to select points from images as the password, it takes longer to perform. Moreover, most graphical passwords can easily be observed or recorded while the legitimate user is entering them; thus, they are vulnerable to shoulder surfing attacks. Recall-based techniques require the user to repeat or reproduce a password that the user created before. Recognition-based techniques require the user to identify and recognize the password that the user selected at the time of registration. The textual password is one example of a recall-based authentication technique [1] [4]. Current net-banking systems use textual passwords, OTP, virtual keyboards and RSA Adaptive Authentication's risk engine for authentication. In textual password authentication only a limited number of combinations are possible when creating passwords, so it does not provide strong passwords and they can easily be guessed by intruders. Virtual keyboard authentication is the same as textual password authentication, and a shoulder surfing attack is possible because the user needs to enter the password using the virtual keyboard.
The server sends a challenge that includes the appropriate generation parameters to the generator; it must also verify the one-time password it receives, and must store the last valid one-time password it received together with the corresponding one-time password sequence number. The One-Time Password (OTP) system is a two-factor authentication system in which the password constantly changes. This greatly reduces the risk of an unauthorized intruder gaining access to the account. OTP password generation uses a hash function to generate the password. The one-time password system works by starting with an initial seed s, then generating passwords as many times as necessary, using
p1 = H(s), p2 = H(H(s)), p3 = H(H(H(s))), ...
where s is the seed and H( ) is the hash function. A sequence of one-time passwords is produced by applying the secure hash function multiple times to the output of the initial step (called s). That is, the first one-time password to be used is produced by passing s through the secure hash function a number of times (N) specified by the user. The next one-time password to be used is generated by passing s through the secure hash function N-1 times. The security of the OTP system is based on the non-invertibility of a secure hash function. Such a function must be tractable to compute in the forward direction, but computationally infeasible to invert. The OTP system generator passes the user's secret passphrase, along with a seed received from the server as part of the challenge, through multiple iterations of a secure hash function to produce a one-time password. After each successful authentication, the number of secure hash function iterations is reduced by one. Thus, a unique sequence of passwords is generated. The server verifies the one-time password received from the generator by computing the secure hash function once and comparing the result with the previously accepted one-time password. This technique was first suggested by Leslie Lamport. It is the user’s choice to select which types of authentication techniques will be part of their 3-D password. This is achieved by interacting only with the objects that acquire information the user is comfortable providing, and ignoring the objects that request information the user does not prefer to provide.
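The Lamport hash-chain exchange described above, as an added example that is not the paper's own code: the generator answers the server's challenge with H^(N-1)(s), the server checks it with one forward hash against the last accepted value, and a replayed or wrong value is rejected. SHA-256 as H, and deriving s by concatenating the server seed with the passphrase, are assumptions of this example.

```python
import hashlib
import hmac


def H(data: bytes) -> bytes:
    """One forward application of the secure hash function (SHA-256 chosen here)."""
    return hashlib.sha256(data).digest()


def hash_chain(s: bytes, n: int) -> bytes:
    """Pass s through H exactly n times: H^n(s)."""
    out = s
    for _ in range(n):
        out = H(out)
    return out


class OTPGenerator:
    """Client side: knows the secret passphrase and never sends it."""

    def __init__(self, passphrase: str):
        self.passphrase = passphrase

    def respond(self, seq: int, seed: str) -> bytes:
        # s is derived from the server's seed and the user's passphrase (assumed combination).
        s = (seed + self.passphrase).encode()
        return hash_chain(s, seq)


class OTPServer:
    """Server side: stores only the last accepted OTP and its sequence number."""

    def __init__(self, seed: str, last_otp: bytes, seq: int):
        self.seed = seed
        self.last_otp = last_otp  # H^N(s), registered once at enrolment
        self.seq = seq            # sequence number of last_otp

    def challenge(self) -> tuple:
        # Ask for the password one step below the one currently held.
        return self.seq - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.seq <= 1:
            return False  # chain exhausted: re-enrol before accepting more logins
        # One hash forward must reproduce the previously accepted value.
        if hmac.compare_digest(H(otp), self.last_otp):
            self.last_otp, self.seq = otp, self.seq - 1
            return True
        return False


def enrol(passphrase: str, seed: str, n: int):
    """Registration: the client computes H^n(s) once and hands it to the server."""
    gen = OTPGenerator(passphrase)
    return OTPServer(seed, gen.respond(n, seed), n), gen


def login(server: OTPServer, gen: OTPGenerator) -> bool:
    """One authentication round: challenge, generator response, server check."""
    seq, seed = server.challenge()
    return server.verify(gen.respond(seq, seed))
```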
1.2 Proposed System
Online banking has become a major customer interface for banks as well as the business sector. Therefore the primary business objective was to reduce online fraud and the number of attacks, which are increasing day by day. Other objectives included increasing customer confidence and creating overall trust in the channel. As we have seen, every single authentication system has some disadvantages, so if we combine various authentication systems we gain the benefits of each, which in turn provides a more powerful authentication system. In this paper, we combine three different authentication systems: Textual Password, OTP (One Time Password) and 3D Password. A one-time password system provides a mechanism for logging on to a network or service using a unique password which, as the name suggests, can be used only once. OTPs avoid a number of shortcomings associated with traditional (static) passwords. There are two entities in the operation of the OTP (one-time password) system. The generator must produce the appropriate one-time password from the user's secret passphrase and from information provided in the challenge from the server.
Moreover, given the large number of objects and items in the environment, the number of possible 3-D passwords increases. Thus, it becomes much more difficult for the attacker to guess the user’s 3-D password [2]. It is easier to answer multiple-choice questions than essay questions because the correct answer may be recognized. To be authenticated in the 3D password authentication stage, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions performed by the user inside the 3-D virtual environment creates the user’s 3-D password. The design of the 3-D virtual environment and the type of objects selected determine the 3-D password key space. Compared with a virtual keyboard, in the 3D chess board environment the user has to interact with the environment by dragging and dropping objects in the provided virtual environment instead of simply entering the password on a virtual keyboard. Fig. 2 shows the initial 3D virtual environment provided to the user. Fig. 3 shows how the environment looks after the user’s interaction with it.
Fig.3: After interaction with the 3D virtual environment
In the registration form, after filling in all the details of the new user, the user must click the Create Password button to select the environment. Fig.2 and Fig.3 show snapshots of the environment, which is a chess game. It has a total of 32 objects: 16 white objects and 16 red objects. As there are 32 objects and 64 blocks, the number of possible passwords is large. It also includes a total of 7 buttons:
New Button: Before clicking this button the provided environment is empty. When the user clicks it, all objects are initialized.
Swap Button: With this button the user can swap the positions of the red and white objects.
Record Button: Before performing the sequence of actions and interactions the user must click this button.
Stop Button: The user ends the recording of actions and interactions by clicking this button; the starting position, the ending position and the particular object are saved as the 3D password in the form of a string.
Play Button: If the user wishes to recall the actions and interactions he/she performed, the user clicks the Play button.
Fig.2:3D Virtual Environment
Confirm Button: Once the user agrees with the movements, he/she must click this button; after that the user cannot change the 3D password.
Close Button: After clicking this button the user leaves the environment.
If a large number of objects and items is given in the environment, the number of possible 3-D passwords increases. Thus, it becomes much more difficult for the attacker to guess the user’s 3-D password.
II.
The encryption process is made of two permutations, i.e. P-boxes. DES uses both transposition and substitution and for that reason is sometimes referred to as a product cipher. The cipher consists of 16 rounds or iterations. Each round uses a separate 48-bit key.
2.2 Advanced Encryption Standard (AES): AES is fast in both software and hardware, is relatively easy to implement, and requires little memory. Unlike its predecessor DES, AES does not use a Feistel network. AES has a fixed block size of 128 bits and a key size of 128, 192, or 256 bits, whereas Rijndael can be specified with block and key sizes in any multiple of 32 bits, with a minimum of 128 bits and a maximum of 256 bits. Since one byte equals 8 bits, the fixed block size of 128 bits is 128 ÷ 8 = 16 bytes. AES operates on a 4×4 array of bytes, termed the state (versions of Rijndael with a larger block size have additional columns in the state). Most AES calculations are done in a special finite field. The AES cipher is specified as a number of repetitions of transformation rounds that convert the input plaintext into the final output ciphertext. Each round consists of several processing steps, including one that depends on the encryption key. A set of reverse rounds is applied to transform the ciphertext back into the original plaintext using the same encryption key.
PROVIDING SECURITY
The following are the schemes used for encryption:
III.
PROPOSED SYSTEM MODEL
To determine the 3-D password space, we have to count all possible 3-D passwords that have a certain number of actions, interactions, and inputs toward all objects that exist in the 3-D virtual environment. We assume that the length of the 3-D password is Lmax, and the probability of a 3-D password of size greater than Lmax is zero. To measure the 3-D password space, we calculate π(Lmax, G) on a 3-D virtual environment that has the space (G × G × G) for a 3-D password of length (number of actions, interactions, and inputs) Lmax or less [2].
Fig.4: Password for Retrieving Information
2.1 The Data Encryption Standard (DES): DES is a block cipher (a method for encrypting information) that was selected by NBS as an official Federal Information Processing Standard (FIPS) for the United States in 1976 and has subsequently enjoyed widespread use internationally. It is based on a symmetric-key algorithm that uses a 56-bit key. The algorithm was initially controversial because of its classified design elements, a relatively short key length, and suspicions about a National Security Agency (NSA) backdoor. DES consequently came under intense academic scrutiny, which motivated the modern understanding of block ciphers and their cryptanalysis. DES is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST). It encrypts data in 64-bit blocks. The same algorithm and key are used for both encryption and decryption.
In the following expression, AC represents the possible actions toward the 3-D virtual environment, whereas π represents the total number of possible 3-D passwords of length Lmax or less:
π(Lmax, G) = ∑ ( ∏ ( … ) )   (the terms of this expression are not legible in the source)
3.2 Phase-2 OTP: After logging in successfully to the textual password phase, the user enters this stage. OTP is the One Time Password System, in which a password is valid for only one session. In this phase the server generates an OTP password, which is stored in encrypted form in the database using the AES algorithm and at the same time displayed on the user’s mobile in decrypted form. At verification time the password entered by the user is first encrypted and then matched with the password stored in the database; if it matches, the server removes the OTP password from the database, as it is valid for only one session.
Here, m: all possible actions and interactions toward all existing objects; g(AC): count of the total number of actions and inputs toward the environment; Lmax: the maximum length of the password [2]. When a user wants to interact with the system or use its services for the first time, he has to register. During the login phase the user must pass successfully through the Textual, OTP and 3D password phases. At registration the user provides the mobile number on which OTP passwords will be received. He also has to select a unique username and textual password, and at the same time create the 3D password that will be used at login.
3.3 Phase-3 3D Password: The last stage is the 3D password. In this phase, at registration time, the 3D chess board virtual environment is provided to the user, who selects a 3D password from it; the password is stored in encrypted form in the database. At login the user must recall the previously recorded password, which is encrypted and matched with the stored encrypted password; if it matches, the user gets access to the system and can then perform transactions and use the services that the particular bank provides.
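The Record/Stop flow and the password-space count from the sections above, as an added example rather than the paper's own implementation: moves on the 32-object, 64-block chess board are recorded as (object, start, end) triples and frozen into one string, and the number of passwords of length up to Lmax is summed. Two assumptions of this example: each action is one object dropped on one block (32 × 64 = 2048 distinct actions per step), and the recorded string is stored as a salted PBKDF2 hash rather than with the AES encryption the paper describes.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

PIECES = [f"{colour}{i}" for colour in ("W", "R") for i in range(1, 17)]  # 16 white + 16 red objects
SQUARES = [f"{f}{r}" for f in "abcdefgh" for r in range(1, 9)]             # 64 blocks


@dataclass(frozen=True)
class Move:
    """One action: drag object `piece` from block `src` and drop it on block `dst`."""
    piece: str
    src: str
    dst: str

    def __post_init__(self):
        if self.piece not in PIECES or self.src not in SQUARES or self.dst not in SQUARES:
            raise ValueError(f"invalid move {self}")


class Recorder:
    """Record/Stop buttons: collects the move sequence and freezes it into a string."""

    def __init__(self):
        self.moves = []
        self.recording = False

    def record(self):
        self.moves, self.recording = [], True

    def move(self, piece: str, src: str, dst: str):
        if not self.recording:
            raise RuntimeError("click Record before interacting with the environment")
        self.moves.append(Move(piece, src, dst))

    def stop(self) -> str:
        self.recording = False
        # Canonical string: order is part of the secret, so the same moves in another order differ.
        return ";".join(f"{m.piece}:{m.src}>{m.dst}" for m in self.moves)


def password_space(actions_per_step: int, lmax: int) -> int:
    """Number of distinct passwords of length 1..lmax when every step offers the same choices."""
    return sum(actions_per_step ** n for n in range(1, lmax + 1))


def store(pw: str, salt: bytes = None):
    """Registration: keep a salted, slow hash of the recorded string (assumed storage choice)."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def check(pw: str, salt: bytes, digest: bytes) -> bool:
    """Login: re-derive from the recalled sequence and compare in constant time."""
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000), digest)
```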
3.1 Phase-1 Textual Password: During the registration phase the user provides his or her basic information, including a personal mobile number. At login the user must provide a valid username and password, which is a string of alphanumeric characters and special symbols, in order to get access to the resources.
IV.
CONCLUSION
Currently there are many authentication schemes. Some techniques are based on the user’s physical characteristics and behavioral properties, and others are based on the user’s knowledge, such as textual and graphical passwords. There are also important authentication schemes based on what you have, such as token-based techniques. Among the various authentication schemes, textual password and token-based schemes, or the combination of both, are commonly applied. However, as mentioned before, both authentication schemes are vulnerable to certain attacks. The implicit 3D password authentication system is a multilevel authentication system because it combines three different authentication systems, i.e. textual password, one-time password and 3D password. It is therefore difficult to break the system, and it also provides a larger password space than alphanumeric passwords. The proposed system avoids different types of attacks such as brute force attacks, dictionary attacks and well-studied attacks. One-time password systems provide a mechanism for logging on to a network or service using a unique password which, as the name suggests, can be used only once.
Fig.5:System Architecture
The 3D virtual environment can contain any existing authentication scheme, or even any upcoming authentication scheme, by adding it as a response to actions performed on an object. Therefore the resulting password space becomes very large compared to any existing authentication scheme. Thus it provides a powerful mechanism for nuclear and military applications, airplanes and jet fighters, personal digital assistants, desktop computer and laptop logins, web authentication and critical servers. Designing various kinds of 3-D virtual environments, deciding on password spaces, and interpreting user feedback and experiences from such environments will enhance and improve the user experience of the 3-D password. The use of the OTP system only provides protection against passive replay attacks. It does not provide privacy of transmitted data, and it does not provide protection against active attacks; overcoming this problem is left for future work.
REFERENCES
[1] R. Dhamija and A. Perrig, “Déjà Vu: A user study using images for authentication,” in Proc. 9th USENIX Security Symp., Denver, CO, Aug. 2000, pp. 45–58.
[2] Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, “Three-Dimensional Password for More Secure Authentication,” IEEE, http://ieeexplore.ieee.org, last updated 6 Feb 2008.
[3] D. Davis, F. Monrose, and M. K. Reiter, “On user choice in graphical password schemes,” in Proc. 13th USENIX Security Symp., San Diego, CA, Aug. 2004, pp. 1–14.
[4] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, “Authentication using graphical passwords: Effects of tolerance and image choice,” in Proc. Symp. Usable Privacy Security, Pittsburgh, PA, Jul. 2005, pp. 1–12.
[5] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, “Authentication using graphical passwords: Basic results,” in Proc. Human-Comput. Interaction Int., Las Vegas, NV, Jul. 25–27, 2005.
[6] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, “PassPoints: Design and longitudinal evaluation of a graphical password system,” Int. J. Human-Comput. Stud. (Special Issue on HCI Research in Privacy and Security), vol. 63, no. 1/2, pp. 102–127, Jul. 2005.
[7] G. Haichang, L. Xiyang, et al., “Design and Analysis of Graphical Password Scheme,” in Innovative Computing, Information and Control (ICICIC), 2009 Fourth International Conference, 2009.
[8] K. Renaud, “On user involvement in production of images used in visual authentication,” J. Vis. Lang. Comput., vol. 20, no. 1, pp. 1–15, 2009.
[9] Soon Dong Park, Joong Chae Na, Young-Hwan Kim, and Dong Kyue Kim, “Efficient OTP (One Time Password) Generation using AES-based MAC,” Journal of Korea Multimedia Society, vol. 11, no. 6, pp. 845–851, June 2008.
[10] Young Sil Lee, “A study on efficient OTP generation using stream cipher with random digit,” in Advanced Communication Technology (ICACT), 2010 12th International Conference, vol. 2, pp. 1670–1675, Feb. 2010.
[11] S. K. Sonkar and S. B. Ghungrad, “Minimum Space and Huge Security in 3D Password Scheme,” International Journal of Computer Applications (0975-8887), vol. 29, no. 4, Sept. 2011.