(IT Journal of Research, Volume 1, May 2010 SECUREZZA. Prof. Gauri Rao, Lecturer Bharati Vidyapeeth College of Engineering, Pune.

Transcription

1 SECUREZZA Prof. Gauri Rao, Lecturer Bharati Vidyapeeth College of Engineering, Pune Abstract The current security systems and authentication systems have much weakness and are prone to break through. Textual password is the most common and mostly used security scheme. However, even after the secure passwords requirements released by Microsoft, users do not follow them. Users generally choose meaningful words from dictionary, which make it vulnerable to hacking and brute force attacks. The next available option, i.e. the graphical password has a less password space then the textual password scheme. Smart cards or tokens based have the risk that the tokens are stolen. The most secure security system, the biometrics authentications have been proposed but the users tend to restrict using biometrics because of their intrusiveness and effect on their privacy. The most important defect of the security systems present these days is that if we buy one, then any file with more or less privacy requirements will be locked using the same security level. In this paper, we present and evaluate our contribution, i.e. the Securezza. It is a multifactor authentication scheme'. It includeall the types of security schemes and the users have the option to choose the level of security required to lock a file based on the requirements of the file. More over we provide a 3D virtual environment for the users to navigate and make use of the graphical password scheme more effectively and productively, The sequence of actions and interactions made by the user.towards the objects inside the 3D environment constructs the user's password. Keywords: Textual passwords, hacking, brute force attacks, graphical passwords, Smart cards, tokens, required security level, Securezza, 3D virtual environment. 1. INTRODUCTION The remarkable growth in the usage of computers and dependency on computers has made data safety a major point of concern. Moreover the alarming rate of increase in the number of cyber crime cases made the security aspect of data the most important topic of research and development. One of the major security module, i.e. authentication is the process of validating who the user is, and to whom to grant access. In general, authentication techniques can be classified as knowledge based, token based and biometrics. Further we can have the sub-divisions of the knowledge based authentication as: 1) Recall Based 2) Recognition Based Recall Based requires the user to reproduce a secret was created before, and recognition based require the user to identify and recognize the secret. The most common example of recall based is the Textual Passwords. Many. authentication systems, particularly in banking, require not what the user knows but also what the user possesses. Another authentication scheme is the graphical passwords are based on the idea that the users can recognize pictures better than words. The most secure authentication system till date is the biometrics. Many biometrics techniques such as face recognition, finger print etc has been proposed. AU the different authentication schemes mentioned above have many advantages as well as disadvantages. Let us see the fallacies in each one those in detail. j."

2 ClT Journal of Research, Volume 1, May 2010 First in the list comes the textual password. The textual passwords are weak and susceptible to numerous attacks. Strength of textual passwords depends on the user's ability to keep the password secret. The level of security provided by the textual passwords is inadequate for making financial transactions remotely. Brute force is a sure shot method to hack such passwords. Next is the Hardware token scheme. It involves additional costs such as cost of making the token. The user, in order to get authenticated has to carry the token and produce it every time required: There is a risk of the hardware token to get stolen and misused. The attack called meet in the middle can easily break the hardware token scheme. Another system is the software token. This method is somewhat tedious and requires the users to be trained properly to exploit the level of security provided by it. This method can only be deployed in a controlled environment and so inapplicable to most of the real world applications. The most secure system is the biometrics. But it involves additional hardware costs such as scanners. Biometrics are also a slow and complex process and requires the users to have patience to get authenticated. More over on purchasing anyone of the security system it implies, we implicate same level of security on all our files. There can be situations where we require more security for more sensitive information or less security, fast and easy access to some less sensitive data.after going through the defects in the above mentioned schemes we will readily agree to the fact that no security system till date is.as safe as applicable as it appears to be. So, in this paper we come with a better idea, "SECUREZZA". SECUREZZA empowers its users with all the security systems mentioned till date in single software. It also enables its users to decide the level of security and ease of access to every file separately. In our project we have implemented a folder lock scheme just to show an example of how it makes the required folder secure from almost all types of attacks. It is multiuser software and different users can lock their personal files with their own choice of security scheme ranging from most secure i.e. the biometrics to the most widely used textual passwords. It also provides a 3D virtual environment for user interaction with the software. This virtual environment totally changes the current concept of security and makes it more secure and interactive as well as maintaining the simplicity for unlocking a locked data. Ease of data access and security are like the two opposite sides of a water body. The closer we go towards one end the farther we are from the other end. The 3D virtual environment is an aid to this maintaining the balance in an optimal position. It makes the security system interactive for the user and safer for the data. The interactions that the user makes in tills 3D virtual environment creates a special set of passwords for the user and each element of the created password must match with the password previously set to access the locked data. 2. SECURITY DETAILS SECUREZZA combines recognition based as well recall based authentications schemes into one. The user simply navigates through the 3D virtual environment and interacts with different objects kept at different places. The combination and sequence of user's interactions creates a special set of passwords. Therefore the user walks into the virtual environment and interacts with various objects kept in the environment for example: two computers are kept at specific locations and the user interacts with a specific one and enters a text, this will act as a textual password module for the user. There can be more virtual objects like table lamps and magic cubes with are set to move on specific location if interacted by the user. This forms a module of graphical passwords. Another different module of graphical password is also available where the user has to set or click various images in a particular location to.. create a password.there are facilities such as facial recognition as well as finger print recognition and other authentication schemes placed on different locations in the environment. If the user interacts with that particular object, it will initiate that module to be active and add to the final set of passwords: The objects placed in the virtual environment can be anything like 1. A computer on which a user can type. 2..A white board that a user can draw on.

3 3. A light that can be switched on/off. 4. Objects that changes position when clicked. 5. Any biometric device replica. 6. Any graphical password scheme. (The list of possible objects is endless). Thus based on the amount of interactions made by the user it makes us possible to increase the amount of security required to access the sensitive information. Moreover, due to combinations of all the security schemes we are able to overcome the defects of the various security schemes when used separately. 3. SYSTEM USAGE DETAILS AND SEQUENCE After having a brief idea about what the system is, let us see the system usage details and the sequence of operations that are required to be performed by the user to make the information in question, most secure possible till date. Generally this technique can be used in any place where the information has to be made secure. Here we have applied an example to lock folders which contains some private information about the user.let us observe the user i.e. Mr. A about how he manages to lock and unlock his sensitive information with the level of security he wishes to implement according to the data importance and ease of access he requires.mr. A has two folders (the last two on the screen shot below named "folderl" and "folder2") on his personal computer that he wants to lock. He has different data contained in both of them and the data require different amount of security to be levied on them.he starts the software "SECUREZZA" and a startup screen appears.now Mr. A has to enter his usemame to log in. If he is new to the system then he has to create his username and the username will be added to the database with his face and finger print details. UserName Added in TIle Database Fig C: New User Creation After Logging IN Mr. A is asked whether he is asked to enter the target folder path. Fig D: User Created he wants to lock a folder or unlock it and on clicking on "Lock a Folder", Fig F: Specifying the Target Folder.

4 (IT Journal of Research, Volume I, May 2010 Now after specifying the target folder Mr. A is asked to set the passwords. Ifhe leaves a field blank it means that the particular module is disabled.observing the below two figures we can see that different levels of security can be provide for different files. r=r=»: :. ~ Face RecognitiQr:' I ~456 1'341 ri ============================~ Graphical f3s,.""ord - r-j (Ohject: In~r. "tion&):.c!wfirm Fig G: Setting Passwords for folder2 As soon as Mr. A confirms the locking a confirmation message appears on the screen.now after the folded has been locked and some other user tries to access the folder he/she is unable and a screen as shown below appears to him/her.now to unlock the folder Mr. A has to log in again and select "Unlock a Folder". As soon as he does that, a list of the folders locked by him appears. He has to select the folder he wants to unlock and after he does that a 3D virtual environment appears on the screen. Mr. A interacts with the environment to create his password. Some screen shots of the 3D virtual environment is attached. Fig: Screen Shots of the 3D virtual environment presented to the user to unlock the file After interacting with different objects of the 3D virtual environment and giving appropriate passwords at the right places the user requests for unlocking the file. The system forms a set of passwords based on the interactions made by the user in the environment. Then the system queries the database about the set of passwords given by the user at the time of locking the folder. It then matches each element of the password in detail and if the password matches the folder is unlocked and the user,;s granted access.

5 4. DATABASE DETAILS To make the system able to recover from various types of system crashes and to keep the user as well as locking data organized we are using Orac1e 9i as our back hand. This database can also be on another system which is at a different location geographically. Placing the system at different can be required by the applications like banking as well as Internet security applications. If the database is at different location then the networking module of the software is activated and the database is queried for information as well updated accordingly.if we go into the depth of the database issue used in our system then we have two tables to maintain. These two tables, namely "users" and "securezza" keep the entire details of the users of the system as well as the folders locked by them separately. The "users" table contains only the users' names those who have registered with the system. The "securezza" table is the main table which has fields like "path of the folder locked", "name of the user who locked it", "several password set by the user for that folder", "several password schemes enabled by the user" etc. When a user locks a folder this table is updated according to the passwords set by the user, and when he tries to unlock a folder, this table is queried for the password details. The system then matches the set of passwords and if the passwords match exactly to the r:- one set, the folder is unlocked and the particular record is deleted from the table. 5. ENCRYPTION I DECRYPTION TECHNIQUE To make the system more secure and to make the system safer against attacks we are using encryption/decryption techniques. This encryption/decryption technique enables the system to keep the data in an encoded format which. makes it almost impossible to read it directly from the database.basically encryption is a technique in which a text is encoded before transmitting or storing it according to a particular format. This format is called the key for encryption and the encrypted data is called the cipher text.there are several encryption/decryption techniques available. Some of them are "Substitution encryption", "Positional encryption", "Public Key encryption" etc. We can use anyone of them in our project to make it more secure. For now we have used the SUBSTITUTION CIPHER TEXT GENEItA non scheme. In our scheme wheu a text is entered to the encrypting function then it. manipulates each character separately and generates a cipher text based on a particular key for substitution algorithm. For eg: if a text like "abed" is given then it generates a cipher text like "uy"5".this technique makes the data safer and less hack prone because of our system. 7. TECHNICAL DETAILS (DATA FLOW) The data flow of a system explains the flow of data in the system. It has several levels of details and can be taken to any level of complexity. The levels are like "LEVEL 0 Data flow", "LEVEL 1 Data flow" etc. The Level 0 of our system is shown below:. 1T~~1 [-03n.---', k O~~l "7~v~" _1&1_l---.J!---~~---\~i = I \i h>< i

6 ., (IT Journal of Research, Volume 1, May 2010 Fig: LEVEL 0 DATA FLOW To explain more detailed information we also have LEVEL I data flow of our system as shown below: Uo.-dl! llid.' ~ I -,, _ :.( '/~H 'j--~._/ '="'.".,..! /~,j}~~' > I T=-~ I.>---~' / \.'~. I lj-:n~ 1/' \/ ~""-"~ i ~~/ ~~~! 3D~.:r.: ) '\. ~...( ---==-~\"i ~.=I ""\1fu<_1 Fig: LEVEL I DATA FLOW _.._ _.... ~ _,"",._. _.,.."' ""... _._ '."".~..... "'......, 7. TECHNICAL DET AILS (VARIOUS ALGORITHMS). "._h_,.._'..«.,.:.jv'>"".,-'. -.,..._"""..._. "4.,. "-N'"'.. ""'",...,.~_,4) _c_ ~ "' ~''"'..~;''',.._I. _..:._... ~~...'-..,.."..~... ""-".,.. '"..--. L Designing A 3D Virtual Environment Step c- I Prepare a particular plan for the 3D environment. Step - 2 Using Software Rendering Scheme Develop Codes for various objects in the 3D environment. Step - 3 Create a Frame and add containers to the Frame, each container depicting different reasons of the 3D environment. Step - 4 Add different obj ects in the specific container as required by the plan. Step - 5 Implement Action performed function for every action performed in the environment. Step - 6 Initialize the camera view arid the angle of view for the user. Step - 7 Add navigation changes using the action performed function. Step - 8 Monitor each action performed by the user and initiate actions accordingly, Step - 9 Use Co-ordinates system to monitor the point of interaction by the user. Step - 10 Initiate different module as per the actions performed by the user. 2. Textual Password Scheme Step - 1 Create a Frame for the Textual Password Module. Step - 2 Add a password field in that field for the password input. Step - 3 Attach various buttons such as Log In as well Cancel to the Frame. Step - 4 Add respective functions to the buttons attached on the frame. Step - 5 Accept the password from the user. Step - 6 Retrieve the textual password from the Database. Step - 7 Match the passwords. 3, Face Recognition System Step - I Create a Frame for the Image capture. Step-2Initiate Web Cam to capture the Image of the user. Step - 3 Use Eigen Face Creator to test the face. Step - 4 Retrieve the Image database of the user. Step-5 Generate the Eigen Value Based on the Eigen Face Computation scheme. Step -6 Check for the Eigen Value within the Threshold value. Step - 7 Authenticate if Threshold uncrossed. 4. Graphical Passwords System Step -I Monitor the interactions made by the user in the 3D virtual environment. Step - 2 Initiate object moving in the environment on interactions. Step - 3 Develop other graphical passwords scheme.

7 5. Database Connection Step - 1 Establish a connection using type 4 of JDBC connectivity technique, Step - 2 Create the required tables on the first run of the system, Step - 3 Create a function for new user creation. Step - 4 Create a function for user data retrieval. Step - 5 Create a function for locking data updating. Step - 6 Create a function for locking data retrieval. 6. Folder Locking Step - 1 Input the path for the target folder. Step - 2 Check for the presence oftbe target folder. Step - 3 Use the secret Locking technique to lock the folder. Step - 4 Update the database about the folder locking details, 8. APPLICATIONS The system can be applied to all the security areas, It is coded on JA V A using the swing technology instead of application window toolkit making it compatible for all kinds of embedded systems. It can also provide better security for ATMs and other banking transactions. 9. PROBABILITY OF SYSTEM HACK Let the Textual Password Hack Probability Let the Graphical Password I Hack Probability Let the Graphical Password I Hack Probability Let the Graphical Password I Hack Probability Let the Graphical Password I Hack Probability 'Let the Face Recognition Hack Probability Combination Probability IIx l/yj L/y2 l/y3 l/y4 llz 1/(XYly2y3y4z) Combinatorics for the Choice of Six 6C6*6C5*6C4 *6C3 *6C2*6C 1 1*6*15*20*15*6 = SYSTEM BREAK PROBABILITY (l/(xyly2y3y4z) )* ( ) 10. CONC~USION Textual passwords and token-based passwords are the most common user authentication schemes. However, many different schemes have been used in specific fields. Other schemes are under study yet they have never been applied in the real world. The motivation of this work is to have a scheme that has a huge Password space while also being a combination of any existing, or upcoming, authentication schemes into one scheme. Securezza gives the user the choice of modeling his 3D password to contain any authentication scheme that the user prefers. Users do not have to provide their fingerprints if they do not wish to. Users do not have to carry cards if they do not want to. Users have the choice to model their 3D password according to their needs and their preferences. Securezza probable password space can be reflected by the design of the three-dimensional virtual environment, which is designed by the system administrator. The three-dimensional virtual environment can contain any objects that the administrator feels that the users are familiar with. For example, football players can use a three dimensional virtual environment of a stadium where they can navigate and interact with objects that they are familiar with. A study on a large number of people is required. We are looking at designing different three-dimensional virtual environments that contain objects of all possible authentication schemes. The main application domains of 3D Password are critical systems and resources. Critical systems such as military facilities, critical servers and highly classified areas can be protected by 3D

8 Password system with large three dimensional virtual environments. Moreover, a small three dimensional virtu environment can be used to protect less critical systems such as handhelds, ATM's and operating system's logir Acquiring the knowledge of the probable distribution of a User's 3D password might show the practical strength of a 3D password. Moreover, finding a solution for should surfing attacks on 3D passwords and other authentication schemes is also a field of study. 11.REFERENCES [1] X. Suo, Y. Zhu, and G. S. Owen, "Graphical passwords: A survey," in Proc.z lst Annu. Cornput. Security ApI Conf., Dec. 5-9,2005, pp [2] D. V. Klein, "Foiling the cracker: A survey of, and improvement to passwords security," in Proc. USENl Security Workshop, 1990, pp [3] NBC news, ATM Fraud: Banking on Your Money, Dateline Hidden Cameras Show Criminals Owning ATlI.Dec. 11,2003. [4] T. Kitten, Keeping an Eye on the ATM. (2005, JuL J 1). [Online]. Available: ATMMarketPlace.com [5] BBC news, Cash Machine Fraud up, Say Banks, Nov. 4,2006. [6] G. E. Blonder, "Graphical password," U.S. Patent , Sep. 24, [7] R. Dhamija and A. Perrig, "Deja Vu: A user study using images for authentication," in Proc. 9th USINE Security Symp., Denver, CO, Aug. 2000, pp [8] S. Wiedenbeck, J. Waters, J.-c. Birget, A. Brodskiy, and N. Memon, " Authentication using graphic passwords: Basic results," in Proc. Human-Comput. Interaction Int., Las Vegas, NY, JuL 25-27,2005. [9] S. Wiedenbeck, J. Waters, J.-C. Birget, A. Brodskiy, and N. Memon, "PassPoints: Design and longitudin evaluation of a' graphical password system," lot. J. Human-Comput. Stud. (Special Issue on HC} Research in Privac and Security), vol. 63, no. 112,pp , JuL [10] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. D. Rubin, "The design. and analysis of graphic passwords," in Proc. 8th USENIX Security Symp., Washington DC, Aug. 1999, pp [II] J. Thorpe and P. C. van Oorschot, "Graphical dictionaries and the memorable space of graphical passwords," Proc, USENIX Security, San Diego, CA, Aug. 9-13,2004, p. 10. ' [12] A. Adams and M. A. Sasse, "Users are not the enemy:why users compromise computer security mechanisn and how to take remedial measures," Commun. ACM, vol 42, no. 12, pp , Dec