Implementation of Security for Web Services Using of Trustee- Based Authentications from User Friends.

Transcription

1 Implementation of Security for Web Services Using of Trustee- Based Authentications from User Friends. Talapareddy Susmitha M.Tech(CSE) Audisankara Institute of Technology, Gudur, A.P, India. ABSTRACT: Internet provides different types of services to the users. Electronic mail, chat, photo sharing and social network services are provided by the Internet community. Most of the Internet services perform the user authentication using passwords. Password forgets and password changed by attackers requires user verification with security questions and alternate account support. Backup authentication mechanisms such as security questions and alternate addresses are insecure or unreliable or both Friends based verification is one of the backup authentication mechanism. A user in this system is associated with a few trustees that were selected from the user s friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user s trustees. The user must obtain at least k verification codes from the trustees before being directed to reset his or her password. Forest fire attacks are applied on the trustee based social authentication scheme. In forest fire attacks an attacker initially obtains a small number of compromised users and then the attacker iteratively attacks the rest of users by exploiting trusteebased social authentications. A probabilistic model is constructed to formalize the threats of forest fire attacks and their costs for attackers. Various defense strategies are used to verify the forest fire attacks. The framework is applied to extensively evaluate various concrete attack and defense Endela Ramesh Reddy Assistant Professor Audisankara Institute of Technology, Gudur, A.P, India. strategies using three real-world social network datasets. Keywords: Security model, backup authentication, social networks, Internet, Passwords, Friends. Introduction: The Internet is a global system of interconnected computer networks that use the Internet protocol suite (TCP/IP) to link several billion devices worldwide. It is a network of networks that consists of millions of private, public, academic, business, and government networks of local to global scope, linked by a broad array of electronic, wireless, and optical networking technologies. The Internet carries an extensive range of information resources and services, such as the inter-linked hypertext documents and applications of the World Wide Web (WWW), electronic mail, telephony, and peer-to-peer networks for file sharing. Inexpensive smartphones and 2G subscriptions are expected to help boost Internet usage rates in India over the next two years, according to a new study by the Internet and Mobile Association of India (IAMAI) and KPMG. While city dwellers are quickly upgrading to 3G and 4G, slower but more affordable data plans will enable more people to get online. IAMAI-KPMG estimates that there will be a total of 500 million Internet users (out of a total population of 1.25 billion) in India by 2017, up from a current number of about 350 million. According to the report, the number of mobile Internet users in two years will be 314 million. Page 1715

2 Privacy and security is major concern in such a growth environment. Internet resources, hardware and software components, are the target of malicious attempts to gain unauthorized control to cause interruptions, or access private information. Such attempts include computer viruses which copy with the help of humans, computer worms which copy themselves automatically, denial of service attacks, ransomware, botnets, and spyware that reports on the activity and typing of users. Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. Authentication is a process in which the credentials provided are compared to those on file in a database of authorized users information on a local operating system or within an authentication server. If the credentials match, the process is completed and the user is granted authorization for access. The permissions and folders returned define both the environment the user sees and the way he can interact with it, including hours of access and other rights such as the amount of allocated storage space. The process of an administrator granting rights and the process of checking user account permissions for access to resources are both referred to as authorization. The privileges and preferences granted for the authorized account depend on the user s permissions, which are either stored locally or on the authentication server. The settings defined for all these environment variables are set by an administrator. User authentication occurs within most human-tocomputer interactions other than guest accounts, automatically logged-in accounts and kiosk computer systems. Generally, a user has to enter or choose an ID and provide their password to begin using a system. User authentication authorizes human-to-machine interactions in operating systems and applications as well as both wired and wireless networks to enable access to networked and Internet-connected systems, applications and resources. In private and public computer networks (including the Internet), authentication is commonly done through the use of login IDs (user names) and passwords. Knowledge of the login credentials is assumed to guarantee that the user is authentic. Each user registers initially (or is registered by someone else, such as a systems administrator), using an assigned or selfdeclared password. On each subsequent use, the user must know and use the previously declared password. However, password-based authentication is not considered to provide adequately strong security for any system that contains sensitive data. User names are frequently a combination of the individual s first initial and last name, which makes them easy to guess. If constraints are not imposed, people often create weak passwords -- and even strong passwords may be stolen, accidentally revealed or forgotten. For this reason, Internet business and many other transactions require a more stringent authentication process. Password-based authentication weaknesses can be addressed to some extent with smarter user names and password rules like minimum length and stipulations for complexity, such as including capitals and symbols. However, password-based authentication and knowledge-based authentication (KBA) are more vulnerable than systems that require multiple independent methods. An authentication factor is a category of credential used for identity verification. The three most common categories are often described as something you know (the knowledge factor), something you have (the possession factor) and something you are (the inherence factor). Existing System: Existing backup systems may use secret personal questions and alternate addresses for backup authentication in the event users forget or loses his access credentials. However, these methods are frequently unreliable. For personal questions, users often forget their answers, especially when answers are Page 1716

3 case and punctuation sensitive. It is also common for acquaintances of the respective users to be able to guess the answers, even acquaintances not closely associated with the respective account holders or users. In existing methods, many times the questions are not applicable to the general public, not memorable, ambiguous, easily guessable with no knowledge of the account holder, or easily guessable with minimal knowledge of the account holder. Problems on existing system: 1. An account holder who tries to authenticate an account using an alternate address many times finds that the configured address expired upon a change of job, school or Internet service provider. Since other websites rely on addresses to authenticate their account holders when passwords fail, it is especially important for webmail providers to have a secure and reliable authentication mechanism of last resort. 2. The ubiquity of mobile phones has made them an attractive option for backup authentication. Some entities already send SMS messages containing authorization codes to supplement primary authentication for high-risk transactions. However, authenticating users by their mobile phones alone is risky as phones are frequently shared or lost. Proposed System: A social authentication system for backup account recovery is described. The backup account recovery system provides for an account holder to obtain his or her password in the event the account holder is unable to gain access to an account using the primary authentication method. The social authentication system allows the account holder to contact several trustees that were previously selected and identified. Upon being unable to gain access to an account, the account holder contacts one or more trustees to inform them that the account holder needs to regain access to the account and therefore needs to obtain an account recovery code from each trustee. Each trustee may then contact the account recovery system which resides in servers accessible on the Internet. The account recovery system then verifies that the trustee's contact information matches that of a previously identified trustee for the specified account holder. Once the trustee's contact information has been verified to match that of a previously identified trustee for the specified account holder, the account recovery system begins a back and forth dialog with the trustee, whereby the trustees provide information, transmit a link and code provided by the account recovery system, vouch for their contact with the account holder and pledge that the statements they have provided are accurate and that the trustees agree on the course of action. Once this dialog is successfully completed, each trustee is provided with a unique account recovery code, which is then provided to the account holder. Once the required account recovery codes have been received, the account holder is able to use them to obtain access to the account. Advantages: The social authentication system is a system in which account holders initially appoint and later rely on account trustees to help them authenticate. Architecture:- Implementation: Implementation is the stage of the project when the theoretical design is turned out into a working system. Thus it can be considered to be the most critical stage in achieving a successful new system and in giving the Page 1717

4 user, confidence that the new system will work and be effective. The implementation stage involves careful planning, investigation of the existing system and it s constraints on implementation, designing of methods to achieve changeover and evaluation of changeover methods. Main Modules:- Trustee-Based Social Authentication Module: A trustee-based social authentication includes two phases: Registration Phase: The system prepares trustees for a user Alice in this phase. Specifically, Alice is first authenticated with her main authenticator (i.e., password),and then a few(e.g., 5) friends, who also have accounts in the system, are selected by either Alice herself or the service provider from Alice s friend list and are appointed as Alice s trustees. Recovery Phase: When Alice forgets her password or her password was compromised and changed by an attacker, she recovers her account with the help of her trustees in this phase. Specifically, Alice first sends an account recovery request with her user name to the service provider which then shows Alice an URL. Alice is required to share this URL with her trustees. Then, her trustees authenticate themselves into the system and retrieve verification codes using the given URL. Alice then obtains the verification codes from her trustees via ing them, calling them, or meeting them in person. If Alice obtains a sufficient number (e.g., 3)of verification codes and presents them to the service provider, then Alice is authenticated and is directed to reset her password. We call the number of verification codes required to be authenticated the recovery threshold. Security Module: Authentication is essential for securing your account and preventing spoofed messages from damaging your online reputation. Imagine a phishing being sent from your mail because someone had forged your information. Angry recipients and spam complaints resulting from it become your mess to clean up, in order to repair your reputation. trustee-based social authentication systems ask users to select their own trustees without any constraint. In our experiments (i.e., Section VII), we show that the service provider can constrain trustee selections via imposing that no users are selected as trustees by too many other users, which can achieve better security guarantees. Backup Authentication Module: A user in this system is associated with a few trustees that were selected from the user s friends. When the user wants to regain access to the account, the service provider sends different verification codes to the user s trustees. The user must obtain at least k(i.e., recovery threshold) verification codes from the trustees before being directed to reset his or her password. Backup authentication feature allows you to select three to five friends as your trustees. In cases when you forget your password or your account is hacked, each of these trustees will be able to get a security code for you. With three security codes, you can recover your account. Forest Fire Attacks Module: In a forest fire attack, the attacker first uses traditional methods such as phishing and guessing to compromise some users (these are called seed users), and then the attacker propagates the attacks to other users by exploiting the trusted contacts. Our forest fire attacks consist of Ignition Phase and Propagation Phase: 1. Ignition Phase: An attacker obtains a small number of compromised users which we call seed users. They would be obtained from phishing attacks, statistical guessing, and password database leaks, or they could be a coalition of users who collude each other. Indeed, a large number of social network accounts were reported to be Page 1718

5 compromised. showing the feasibility of obtaining compromised seed users. 2. Propagation Phase: Given the seed users, the attacker iteratively attacks other users. In each attack iteration, the attacker performs one attack trial to each of the uncompromised users according to some attack ordering of them. In an attack trial to a user u, the attacker sends an account recovery request with username to the service provider, which issues different verification codes to trustees. The goal of the attacker is to obtain verification codes from atleast one trustees. If at least one trustees of User are already compromised, the attacker can easily compromised user otherwise, the attacker can impersonate and send a spoofing message to each uncompromised trustee of user to request the verification code. Conclusion: Trustee Based Authentication method is used to recover the user s web service (facebook, gmail etc) account by sending the security code to user s trustee, in case if the users forget their account password or if any hackers hacked their account. The user s friends are selected as the trustees to whom the security codes for recovering the user s mail are sent. The proposed bit stuffing method is used to add duplicate bit to the original security code. With the help of the predefined length of the code in the user s account setting, the forest fire attack becomes impossible for an attacker to hack the user s account. Finally, the users retrieve all the security codes from their trustee friends and regain access to their account. The future work includes the SQL injection based attack in the social networks and also checking of the usability level of bit stuffing length. References: [1] Neil Zhenqiang Gong and Di Wang, On the Security of Trustee-Based Social Authentications, IEEE TRANSACTIONS ON INFORMATION FORENSICS AND SECURITY, VOL. 9, NO. 8, AUGUST 2014 [2] H. Kim, J. Tang, and R. Anderson, Social authentication: Harder than it looks, in Proc. Financial Cryptography (FC), [3] L. A. Adamic and E. Adar, Friends and neighbors on the web, Social Netw., vol. 25, no. 3, pp , [4] BadRank [Online]. Available: [5] J. Bonneau and S. Preibusch, The password thicket: Technical and market failures in human authentication on the web, in Proc. 9th Workshop Econ. Inform. Security (WEIS), [6] J. Brainard, A. Juels, R. Rivest, M. Szydlo, and M. Yung, Fourth-factor authentication: Somebody you know, in Proc. 13th ACM Conf. Comput.Commun. Security (CCS), [7] J. Podd, J. Bunnell, and R. Henderson, Costeffective computer security: Cognitive and associative passwords, in Proc. 6th Australian Conf. Comput.- Human Interact., [8] D. Easley and J. Kleinberg, Networks, Crowds, and Markets: Reasoning About a Highly Connected World,Cambridge, U.K.: Cambridge Univ. Press, [9] Tolga Acar, Mira Belenkiy, Alptekin Küpçü, Single password authentication, Computer Networks (2013). [10] Bing-Zhe He Chien-Ming Chen, Yi-Ping Su, Hung-Min Sun, A defence scheme against Identity Theft Attack based on multiplesocial networks, Expert Systems with Applications (2014). Page 1719