Active Authentication by one Time Password Based on Unique Factor and Behavioral Biometric
International Journal of Computer Networks and Security, ISSN: , Vol.23, Issue

Khalid Waleed Hussein, Nor Fazlida Mohd. Sani, Ramlan Mahmod, Mohd. Taufik Abdullah

ABSTRACT

Multi factor authentication technology based on one time password (OTP) is utilized in many fields because of this technology's high security. However, existing OTP schemes suffer from several drawbacks. Moreover, OTP schemes are vulnerable either because of a weakness in hardware devices (e.g., token devices that apply OTP schemes) or because of the use of weak algorithms or methods to generate OTP. A novel authentication scheme based on OTP is presented in this paper. The scheme generates OTP based on unique numbers in addition to the user's behavioral biometric. The purpose of the proposed system is to make the OTP more difficult to predict, thereby restricting unauthorized access. The OTP is made extremely secure and unpredictable. The proposed system can ensure that the user who misuses the system is made liable. Therefore, the system is fit for fields that require high security guarantees, such as e-banking systems, e-government systems, and e-commerce systems.

Keywords: authentication, one time password, behavioral biometric, security, multi factor, nonrepudiation

1. INTRODUCTION

Authentication of communicating entities and the securing of transmitted data are essential procedures in establishing secure communications over a public unsecure network [1]. Face-to-face communication cannot be established in electronic authentication; the identity of a user accessing the system cannot be confirmed [2]. The number of malicious Web pages designed to steal users' credentials increased by 258% at the end of Q2 in 2008 compared with the same period in Therefore, protecting users from fraud attacks is extremely important.
Many studies have proposed authentication schemes to confirm legitimate users and protect users' credentials from theft [3-6]. The One-time Password (OTP) authentication scheme was one of the proposed schemes. An OTP is a password valid for only one login session or transaction. OTPs address a number of shortcomings associated with traditional authentication schemes (username and password) [7]. The weakness of the OTP authentication scheme is related to the hardware devices responsible for OTP generation, such as the token device [8-11], or to the use of weak algorithms or methods to generate OTP [12-15].

Two types of solutions were proposed to overcome the shortcoming related to the token device: utilizing the user's mobile phone to generate OTP [16-18], or using the mobile device to receive OTP through SMS, as in e-bank systems, new user account creation (Yahoo, Gmail), and others [19-21]. Using a mobile device in user authentication can be a challenge [22]. The use of a mobile device for user authentication presents the following drawbacks. The user enters a password periodically to initialize a mobile application. As a result, the user is compelled to either save the passwords on their devices or select weak passwords that can be easily inputted on devices [23]. When a user's mobile device is lost or stolen, others could use it to access the user's information [24]. Most solutions employed to generate OTP on mobile devices require connecting the user's mobile device to a PC by Bluetooth or Wi-Fi to install the software on the mobile phone [22]. However, more than 370 mobile malwares are in circulation, most of which are spread through installed software (applications) from the Internet or by connecting mobile devices to infected PCs [25].
The International Mobile Equipment Identity (IMEI) number is utilized by a Global System for Mobile Communications (GSM) network to identify valid devices and can therefore be employed to prevent unauthorized access to a stolen phone[26, 27].
Physiological and behavioral characteristics are two strong factors that can be utilized to identify users. Physiological characteristics are those characteristics biologically inherent to the user, such as fingerprints and iris scans. Behavioral characteristics are characteristics that indicate the user's habits, such as mouse movements and handwriting [28, 29]. The use of physiological characteristics has a drawback, namely, special hardware is required. This special type of hardware is extremely complex and costly [30]. The use of behavioral characteristics does not require special hardware and is inexpensive. It also allows for the collection of true information from users (every user has his or her own identification) and can be easily merged with existing systems [31, 32].

A new OTP authentication scheme based on unique factors in addition to the behavioral biometrics of the user is proposed in this paper. The proposed scheme is different from traditional authentication schemes because it authenticates both the user and the mobile device that is used to receive the OTP.

This paper is organized in the following order. Chapter 2 provides an overview of existing studies on OTP. Chapter 3 presents the secure authentication method proposed in this research. Chapter 4 describes the experimental environment and provides the results of comparison with existing mechanisms. Chapter 5 presents the conclusion of this research.

2. RELEVANT RESEARCHES

OTP authentication is applied in various fields because it is highly secure. However, existing OTP schemes suffer from several drawbacks; OTP schemes are vulnerable either because of a weakness in the device that implements OTP authentication [8, 9, 33] or because of the use of weak algorithms or methods to generate OTP [13, 34-36].
2.1 Unsecure Hardware Devices

Existing OTP authentication systems utilize a variety of devices, such as token devices, mobile devices, USB devices, and smart card tokens, to generate OTP. A token device cannot prevent man-in-the-middle (MITM) attacks. This costly device authenticates a user in one server and cannot be utilized with multiple servers [8, 10, 11]. A mobile phone employs a token as software by installing an application in the mobile device to generate OTP. The problem is that when the device is lost or stolen, others can penetrate the system [9, 16]. In addition, most OTP authentication systems have no security for the mobile holder. USB tokens and smart card tokens cannot protect from session-based attacks, Trojan and malware attacks, or password reuse [8, 10, 33].

2.2 Weakness of OTP generation

OTP generation depends on the factors utilized to configure the OTP or on the algorithm employed to generate the OTP. Researchers proved OTP is weak when it depends on a random number [15]. Ku's proposed algorithm to generate OTP is a hash-based strong password scheme; however, other researchers proved that the algorithm is not secure enough [34]. Several other researchers proposed algorithms to generate OTPs based on a password; however, this method of OTP generation is not secure [37]. OTP generation based on fingerprints is a good scheme but is costly because it requires special hardware; thus, the method cannot be applied in small- and medium-scale projects [12]. The most popular OTP generation method is the HOTP algorithm, based on the hash function SHA-1. This method is a cornerstone of the Initiative for Open Authentication (OATH) and was published as informational IETF RFC 4226 in December 2005 [38]. However, studies conducted in 2010 showed the weakness of the hash function [36]. The time-based OTP algorithm is also utilized widely in various fields [39].
However, the authentication server and the user token must be kept synchronized in time; otherwise, user authentication would fail [7].

3. PROPOSED SYSTEM

The problem related to OTP security is resolved in this study by leveraging existing communication infrastructures. The main contribution of this study is the creation of a new algorithm that generates an OTP based on behavioral biometrics and other unique factors. In addition, the security of the mobile holder is enhanced before the OTP is sent to the user.

3.1 Traditional Login Phase

The user is prompted to log in after he has completed his registration in the registration phase. In the registration phase, the user is asked to provide his information, such as username and password, IMEI, phone number, ID card number, PIN (symmetric key consisting of four to six numbers), address, and security question and answer. After the user provides his username and password in the login phase, he is transferred to another login phase responsible for checking who holds the mobile phone (whether the mobile phone is in the hands of its owner).

3.2 Checking Who Holds the Mobile Phone

The user will not receive an OTP until the server confirms that the mobile phone is in the hands of the rightful owner. The proposed system requires each user to have a unique phone number, mobile device, and PIN. In this phase, the user is compelled to input his real phone number, real PIN (the symmetric key for decrypting the SMS that holds the OTP), and the IMEI number of his mobile device to receive the OTP, because the server can verify who is holding the mobile phone through the IMEI number. After the user provides his information, the server checks it against the user's information stored in the database. If the information matches, then the user is legitimate and the mobile device is in the right hands. The server then generates an OTP, encrypts it, and sends it to the user by
SMS. If the user information does not match, the server will transfer the user to the first login phase (traditional login phase) as shown in Figure

Generating OTP

Mouse movements express the behavioral biometrics of users. As the user navigates a website, the server tracks the user's mouse movements through Xlib. Xlib is an X Windows system protocol. It contains functions that interact with an X server. The core of the X Windows system consists of a program called X, which runs on a machine. It follows the mouse movements, screen navigation, and pressing of the keyboard. It waits for the other programs to tell it what to do.

When the user transfers from the traditional login phase to the confirmation phase (checking who holds the mobile phone), X begins to track mouse movements. However, data would not be saved in the database until the user confirms his information successfully. If the inputted information does not match the information in the database, the server will order X to discard the data. These data will not be saved in the database because the server will not give the order to generate an OTP (suspicious user). If the user confirms his information successfully, the server will save the data (mouse movements) in the database and utilize it to generate the OTP.

OTP generation depends on the various elements of the user's information and not just on the behavioral biometrics of the user. After the user confirms his information, the server gives the order to generate the OTP by combining the user's phone number (10 digits), IMEI (15 digits), PIN (4 to 6 digits), and mouse movements (coordinates X and Y). Six random numbers are obtained from the combination of elements (phone number, IMEI, PIN, and mouse movements). These random numbers represent the OTP. The user will not be provided the same OTP when he logs in at another time.
An OTP is unpredictable because it is totally different from one user to another. If a user loses his cell phone, he can notify the system administrator to disable his account. A different user cannot utilize the stolen cell phone to authenticate himself in the system; he cannot impersonate the legal user (each user has a unique phone number, IMEI, and PIN) nor obtain an OTP. The impersonator must complete the process of authentication without being detected. When the impersonator attempts to enter the system as the legal user to legally register himself, the system can track the impersonator based on his information, such as phone number, IMEI, and ID card number. If the user loses his cell phone after receiving an SMS (a rare case because the OTP session is 10 minutes), the impersonator still cannot obtain an OTP because he must provide the symmetric key (PIN) for decrypting the SMS that holds the OTP. The proposed system utilizes Rijndael AES 256 for encryption. The process of OTP generation is shown in Figure 2.

After the user receives the encrypted message that holds the OTP, he is transferred to another screen where he is asked to prove the validity of his PIN and to decrypt the OTP. If the inputted PIN is wrong, the session will end.

Figure 1. Sequence Diagram of the system
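The holder check and OTP generation of Section 3, as an added Python example that is not the authors' code. The paper does not say how the four inputs are combined, so SHA-256 with RFC 4226-style truncation is an assumption here, as are all names (`LoginSession`, `derive_otp`, `encode_inputs`), the Luhn check on the IMEI, the refusal of an empty mouse trace, and the sample record.

```python
import hashlib
import hmac
import struct

OTP_DIGITS = 6            # the paper's OTP has six digits
OTP_LIFETIME_S = 10 * 60  # the paper gives a 10-minute OTP session


def luhn_valid(imei: str) -> bool:
    """A 15-digit IMEI ends in a Luhn check digit; reject malformed input early."""
    if len(imei) != 15 or not (imei.isascii() and imei.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def holder_check(record: dict, phone: str, imei: str, pin: str) -> bool:
    """Section 3.2: phone number, IMEI and PIN must all match the stored record."""
    ok = luhn_valid(imei)
    # Compare every field in constant time so a failure does not show which one was wrong.
    for key, given in (("phone", phone), ("imei", imei), ("pin", pin)):
        ok &= hmac.compare_digest(record[key].encode(), given.encode())
    return ok


def encode_inputs(phone: str, imei: str, pin: str, trace: list) -> bytes:
    """Length-prefix each field: the PIN is 4 to 6 digits, so bare concatenation
    would let two different (PIN, trace) pairs produce the same byte string."""
    coords = b"".join(struct.pack(">ii", x, y) for x, y in trace)
    fields = (phone.encode(), imei.encode(), pin.encode(), coords)
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def derive_otp(phone: str, imei: str, pin: str, trace: list) -> str:
    """Assumed combiner: SHA-256, then RFC 4226-style dynamic truncation to 6 digits."""
    digest = hashlib.sha256(encode_inputs(phone, imei, pin, trace)).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** OTP_DIGITS).zfill(OTP_DIGITS)


class LoginSession:
    """One login attempt: buffers the mouse trace, then issues a single OTP."""

    def __init__(self, record: dict):
        self.record = record
        self.trace = []        # kept in memory only; nothing is stored before the check passes
        self.otp = None
        self.issued_at = 0.0

    def mouse_moved(self, x: int, y: int) -> None:
        self.trace.append((x, y))

    def confirm(self, phone: str, imei: str, pin: str, now: float):
        """Return the OTP if the holder check passes, else discard the trace."""
        # An empty trace is refused too (this example's choice): without it the
        # OTP would depend only on the user's fixed numbers.
        if not holder_check(self.record, phone, imei, pin) or not self.trace:
            self.trace.clear()
            return None
        self.otp, self.issued_at = derive_otp(phone, imei, pin, self.trace), now
        return self.otp

    def redeem(self, code: str, now: float) -> bool:
        """Accept the OTP once, and only inside the 10-minute session."""
        expected, self.otp = self.otp, None     # consumed on the first attempt
        if expected is None or now - self.issued_at > OTP_LIFETIME_S:
            return False
        return hmac.compare_digest(expected.encode(), code.encode())


# Constructed sample record; not real subscriber data.
RECORD = {"phone": "0123456789", "imei": "490154203237518", "pin": "4821"}


def demo() -> dict:
    """Run two logins for the same user with different mouse traces."""
    out = {}
    for name, trace in (("a", [(10, 20), (14, 27), (30, 41)]),
                        ("b", [(10, 20), (15, 27), (30, 41)])):
        s = LoginSession(RECORD)
        for x, y in trace:
            s.mouse_moved(x, y)
        out[name] = s.confirm(RECORD["phone"], RECORD["imei"], RECORD["pin"], now=0.0)
    return out


if __name__ == "__main__":
    print(demo())
```

Because the phone number, IMEI and PIN are fixed per user, the mouse trace is the only input that varies between logins in this construction.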
COMPARISON AND ANALYSIS

4.1 Comparison and Analysis

The performance of the proposed and existing OTP systems is compared and analyzed based on six performance evaluation elements, namely, non-repudiation, block user's mobile phone, authenticate user and mobile phone, user's information reuse prevention, cell phone reuse prevention, and OTP security and ease of integration with the existing system.

Non-repudiation

Because the proposed mechanism works to authenticate the user and his or her mobile phone (IMEI plus mobile number), the proposed system has all important information about the user, such as ID card number, mobile number, and IMEI, all of which are unique. Thus the proposed system can ensure the liability of the person that misuses the system.

Block User's Mobile

The location of the mobile device can be determined through IMEI. The device can also be made unusable in any network or blacklisted. The proposed system requires IMEI to authenticate the user's device and to take necessary precautions in the event of system tampering. If the administrator of the proposed system discovers any attempts to tamper with the system, he will be able to cancel the user's account and block the user and his or her mobile device from registering in the system. An existing OTP system, by contrast, cannot prevent the use of the same device: the illegal user can return to register himself (if the administrator discovers illegal attempts being carried out by the user) as a legal user to access the system.

Figure 2. OTP generation

Authenticate User & Mobile Phone

Other authentication systems that utilize a mobile phone to generate OTPs or to receive SMS attempt to authenticate the user and neglect other parties that are used in the process of electronic authentication, such as the user's mobile phone.
However, the user is not the only party that needs to be authenticated to ensure the security of transactions on the Internet [40]. The proposed system works to authenticate both the user and the mobile device, in addition to mutual authentication between the user and the server through Secure Sockets Layer (SSL).

User's info Reuse Prevention

The proposed system utilizes the OTP approach. Every user has a completely different set of information, which means there is no need to separate data as in other systems. This method enhances privacy protection and minimizes the probability of data matching.

Cell Phone Reuse Prevention
The proposed system can prevent cell phones from being reused by others because the proposed system requires every user to possess unique phone and IMEI numbers. If the user's cell phone is lost or stolen, the thief cannot use it to access the system.

Secure OTP and easy to integrate with existing system

The proposed method generates a more unpredictable OTP compared with existing methods that generate OTP based on time or password. The proposed system can be easily merged with existing systems and is less costly compared with OTP systems based on fingerprints. The generated OTP differs from one user to another and from time to time. In addition, the OTP is not sent directly to the user. The proposed system requires the user to prove his identity and the identity of the mobile device before receiving an SMS. SMS encryption is implemented with Rijndael AES 256 to increase OTP security. The SMS is decrypted on the same Web site, and there is no need to install any software in the mobile device.

5. CONCLUSION

A secure method for OTP generation is proposed in this paper. The proposed system can reinforce the security of authentication, and the mechanism guarantees nonrepudiation by authenticating the user and the device. The proposed system cannot ensure the proper use of the system; however, it can ensure that the user who misuses the system is made liable. Unlike existing systems, the mechanism of the proposed system requires the user to prove his identity and the identity of the mobile device. It utilizes a secure method to generate an OTP based on unique numbers and behavioral biometrics of the user. The proposed system enhances security by transferring the OTP to the trusted user.
Therefore, the proposed system is suitable for fields where security is extremely important, including authentication in Internet banking, authentication in electronic payment, electronic government authentication, and cloud computing authentication.

REFERENCES

[1] Mijin Kim, et al., Weaknesses and Improvements of a One-time Password Authentication Scheme. Springer Link, : p
[2] Miloš Milovanovic, et al., Choosing Authentication Techniques in e-procurement System in Serbia, in International Conference on Availability, Reliability and Security 2010, IEEE Xplore. p
[3] Chuan Yue and Haining Wang, BogusBiter: A Transparent Protection Against Phishing Attacks. ACM, (2): p. 31.
[4] Chun-Ying Huang, Shang-Pin Ma, and Kuan-Ta Chen, Using one-time passwords to prevent password phishing attacks. Science Direct,
[5] Heng Yin, et al., Panorama: capturing system-wide information flow for malware detection and analysis, in ACM conference on Computer and communications security 2007, ACM: USA. p
[6] Scott Garriss, et al., Trustworthy and Personalized Computing on Public Kiosks, in 6th international conference on Mobile systems, applications, and services, 2008, ACM: USA. p
[7] K. Aravindhan and R.R. Karthiga, One Time Password: A Survey. International Journal of Emerging Trends in Engineering and Development, (3): p
[8] D. Parameswari and L. Jose, SET with SMS OTP using Two Factor Authentication. Journal of Computer Applications (JCA), (4): p. 4.
[9] Fred Cheng, A Novel Rubbing Encryption Algorithm and The Implementation of a Web Based One-time Password Token. IEEE Xplore, 2010: p
[10] Jing-Chiou Liou and S. Bhashyam, On Improving Feasibility and Security Measures of Online Authentication. International Journal of Advancements in Computing Technology, (4.1): p. 11.
[11] Mohammed Alzomai and Audun Jøsang, The Mobile Phone as a Multi OTP Device Using Trusted Computing, in Fourth International Conference on Network and System Security (NSS) 2010, IEEE Xplore: Melbourne, VIC. p
[12] ByungRae Cha and ChulWon Kim, Password Generation of OTP System using Fingerprint Features, in International Conference on Information Security and Assurance (ISA) 2008, IEEE Xplore: Busan, Korea. p
[13] Hyun-Chul Kim, et al., A Design of One-Time Password Mechanism using Public Key Infrastructure, in Fourth International Conference on Networked Computing and Advanced Information Management, 2008, IEEE Xplore: Gyeongju, Korea. p
[14] Young Sil Lee, HyoTaek Lim, and HoonJae Lee, A Study on Efficient OTP Generation using Stream Cipher with Random Digit, in 12th International Conference on Advanced Communication Technology (ICACT) 2010, IEEE Xplore: Phoenix Park. p
[15] Yu tao, F. and S. Gui ping, Design of Two-Way One-Time-Password Authentication Scheme Based on True Random Numbers, in Second International Workshop on Computer Science and Engineering 2009, IEEE Xplore: Qingdao. p
[16] Gianluigi Me, Daniele Pirro, and R. Sarrecchia, A mobile based approach to strong authentication on Web, in International Multi-Conference on Computing in the Global Information Technology 2006, IEEE Xplore. p. 67
[17] Havard Raddum, Lars Hopland Nestas, and K.J. Hole, Security Analysis of Mobile Phones Used as OTP Generators, in international conference on Information Security and Privacy of Pervasive Systems and Smart Devices, International Federation for Information Processing (IFIP), Editor 2010, ACM: Berlin. p
[18] Trupti Hemant Gurav and Manisha Dhage, Remote Client Authentication using Mobile phone generated OTP. International Journal of Scientific and Research Publications, (5): p. 4.
[19] Parekh Tanvi, Gawshinde Sonal, and Sharma Mayank Kumar, Token Based Authentication using Mobile Phone, in International Conference on Communication Systems and Network Technologies (CSNT) 2011, IEEE Xplore: Katra, Jammu. p
[20] Steffen Hallsteinsen, Ivar Jørstad, and Do Van Thanh, Using the mobile phone as a security token for unified authentication, in Second International Conference on Systems and Networks Communications, 2007, IEEE Xplore: Cap Esterel. p. 68
[21] Xing Fang and J. Zhan, Online Banking Authentication Using Mobile Phones, in 5th International Conference on Future Information Technology (FutureTech), 2010, IEEE Xplore: Busan. p
[22] Hung-Min Sun, Yao-Hsin Chen, and Y.-H. Lin, oPass: A User Authentication Protocol Resistant to Password Stealing and Password Reuse Attacks. IEEE Xplore, (2): p
[23] Xing Fang and Justin Zhan, Online Banking Authentication Using Mobile Phones, in 5th International Conference on Future Information Technology (FutureTech), 2010, IEEE Xplore: Busan. p. 1-5
[24] Mahendra Singh Bora and Amarjeet Singh, Cyber Threats and Security for Wireless Devices. Journal of Environmental Science, Computer Science and Engineering & Technology (JECET), : p
[25] Lei Liu, et al., Exploitation and Threat Analysis of Open Mobile Devices, in 5th ACM/IEEE Symposium on Architectures for Networking and Communications Systems ACM.
[26] GSM Association, IMEI Allocation and Approval Guidelines, Official Document TS.06 (DG06), Editor p. 33.
[27] Jörg Eberspächer, et al., GSM Architecture, Protocols and Services 2009, John Wiley & Sons: UK. p
[28] Angelos Yannopoulos, Vassiliki Andronikou, and Theodora Varvarigou, Behavioural Biometric Profiling and Ambient Intelligence, in Profiling the European Citizen: Cross-Disciplinary Perspectives 2008, Springer Netherlands. p
[29] Saurabh Singh and Dr. K.V. Arya, Mouse Interaction based Authentication System by Classifying the Distance Travelled by the Mouse. International Journal of Computer Applications, : p
[30] Jing-Chiou Liou and Sujith Bhashyam, A feasible and cost effective two-factor authentication for online transactions, in 2nd International Conference of Software Engineering and Data Mining (SEDM) 2010, IEEE Xplore: Chengdu, China. p
[31] Harini Jagadeesan and Michael S. Hsiao, A Novel Approach to Design of User Re-Authentication Systems, in IEEE 3rd International Conference on Biometrics: Theory, Applications and Systems 2009, IEEE Xplore: Washington, USA. p
[32] Nazirah Abd Hamid, Suhailan Safei, and Siti Dhalila Mohd Satar, Mouse Movement Behavioral Biometric Systems, in User Science and Engineering (i-user), 2011 International Conference 2011, IEEE Xplore. p
[33] OWASP, OWASP TESTING GUIDE 2008, Open Web Application Security Project (OWASP).
[34] Neng-Wen Wang and Yueh-Min Huang, User's Authentication in Media Services by using One-Time Password Authentication Scheme, in Third International Conference on Intelligent Information Hiding and Multimedia Signal Processing 2007, IEEE Xplore: Kaohsiung. p
[35] Shuren Liao, et al., A unidirectional one-time password authentication scheme without counter desynchronization, in ISECS International Colloquium on Computing, Communication, Control, and Management 2009, IEEE Xplore: Sanya, China. p
[36] Young Sil Lee, HyoTaek Lim, and HoonJae Lee, A Study on Efficient OTP Generation using Stream Cipher with Random Digit, in The 12th International Conference on Advanced Communication Technology (ICACT) 2010, IEEE Xplore: Phoenix Park, South Korea. p
[37] Yang Jingbo and Shen Pingping, A secure strong password authentication protocol, in 2nd International Conference on Software Technology and Engineering (ICSTE) 2010, IEEE Xplore: San Juan, PR. p. V V2-357
[38] David M'Raihi, et al., HOTP: An HMAC-Based One-Time Password Algorithm, 2005, Network Working Group.
[39] David M'Raihi, et al., TOTP: Time-Based One-Time Password Algorithm, REC, Editor p
[40] Audun Jøsang, et al., Service Provider Authentication Assurance, in Tenth Annual International Conference on Privacy, Security and Trust 2012, IEEE Xplore. p
A Novel Authentication Scheme to Increase Security for Non-Repudiation of Users
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 2, Issue. 7, July 2013, pg.396
The Key to Secure Online Financial Transactions
Transaction Security The Key to Secure Online Financial Transactions Transferring money, shopping, or paying debts online is no longer a novelty. These days, it s just one of many daily occurrences on
Entrust IdentityGuard
+1-888-437-9783 [email protected] IdentiSys.com Distributed by: Entrust IdentityGuard is an award-winning software-based authentication enterprises and governments. The solution serves as an organization's
WHITE PAPER Usher Mobile Identity Platform
WHITE PAPER Usher Mobile Identity Platform Security Architecture For more information, visit Usher.com [email protected] Toll Free (US ONLY): 1 888.656.4464 Direct Dial: 703.848.8710 Table of contents Introduction
IDRBT Working Paper No. 11 Authentication factors for Internet banking
IDRBT Working Paper No. 11 Authentication factors for Internet banking M V N K Prasad and S Ganesh Kumar ABSTRACT The all pervasive and continued growth being provided by technology coupled with the increased
Dynamic Query Updation for User Authentication in cloud Environment
Dynamic Query Updation for User Authentication in cloud Environment Gaurav Shrivastava 1, Dr. S. Prabakaran 2 1 Research Scholar, Department of Computer Science, SRM University, Kattankulathur, Tamilnadu,
Research Article. Research of network payment system based on multi-factor authentication
Available online www.jocpr.com Journal of Chemical and Pharmaceutical Research, 2014, 6(7):437-441 Research Article ISSN : 0975-7384 CODEN(USA) : JCPRC5 Research of network payment system based on multi-factor
An Enhanced Countermeasure Technique for Deceptive Phishing Attack
An Enhanced Countermeasure Technique for Deceptive Phishing Attack K. Selvan 1, Dr. M. Vanitha 2 Research Scholar and Assistant Professor, Department of Computer Science, JJ College of Arts and Science
Securing e-government Web Portal Access Using Enhanced Two Factor Authentication
Securing e-government Web Portal Access Using Enhanced Two Factor Authentication Ahmed Arara 1, El-Bahlul Emhemed Fgee 2, and Hamdi Ahmed Jaber 3 Abstract This paper suggests an advanced two-factor authentication
Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin S. Khan
International Journal of Scientific & Engineering Research, Volume 5, Issue 7, July-2014 1410 Secured Authentication Using Mobile Phone as Security Token Monalisa P. Kini, Kavita V. Sonawane, Shamsuddin
Contents. Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008
Identity Assurance (Scott Rea Dartmouth College) IdM Workshop, Brisbane Australia, August 19, 2008 Contents Authentication and Identity Assurance The Identity Assurance continuum Plain Password Authentication
An Innovative Two Factor Authentication Method: The QRLogin System
An Innovative Two Factor Authentication Method: The QRLogin System Soonduck Yoo*, Seung-jung Shin and Dae-hyun Ryu Dept. of IT, University of Hansei, 604-5 Dangjung-dong Gunpo city, Gyeonggi do, Korea,
International Journal of Software and Web Sciences (IJSWS) www.iasir.net
International Association of Scientific Innovation and Research (IASIR) (An Association Unifying the Sciences, Engineering, and Applied Research) ISSN (Print): 2279-0063 ISSN (Online): 2279-0071 International
Internet Banking Two-Factor Authentication using Smartphones
Internet Banking Two-Factor Authentication using Smartphones Costin Andrei SOARE IT&C Security Master Department of Economic Informatics and Cybernetics Bucharest University of Economic Studies, Romania
Secure Web Access Solution
Secure Web Access Solution I. CONTENTS II. INTRODUCTION... 2 OVERVIEW... 2 COPYRIGHTS AND TRADEMARKS... 2 III. E-CODE SECURE WEB ACCESS SOLUTION... 3 OVERVIEW... 3 PKI SECURE WEB ACCESS... 4 Description...
2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec
2-FACTOR AUTHENTICATION FOR MOBILE APPLICATIONS: INTRODUCING DoubleSec TECHNOLOGY WHITEPAPER DSWISS LTD INIT INSTITUTE OF APPLIED INFORMATION TECHNOLOGY JUNE 2010 V1.0 1 Motivation With the increasing
Second Level Authentication Using QR Codes
International Journal of Computer and Internet Security. ISSN 0974-2247 Volume 5, Number 2 (2013), pp. 43-50 International Research Publication House http://www.irphouse.com Second Level Authentication
Chapter 1: Introduction
Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure
Public Auditing & Automatic Protocol Blocking with 3-D Password Authentication for Secure Cloud Storage
Public Auditing & Automatic Protocol Blocking with 3-D Password Authentication for Secure Cloud Storage P. Selvigrija, Assistant Professor, Department of Computer Science & Engineering, Christ College
SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER
SECURITY ANALYSIS OF PASSWORD BASED MUTUAL AUTHENTICATION METHOD FOR REMOTE USER Mrs. P.Venkateswari Assistant Professor / CSE Erode Sengunthar Engineering College, Thudupathi ABSTRACT Nowadays Communication
Whitepaper on AuthShield Two Factor Authentication with ERP Applications
Whitepaper on AuthShield Two Factor Authentication with ERP Applications By INNEFU Labs Pvt. Ltd Table of Contents 1. Overview... 3 2. Threats to account passwords... 4 2.1 Social Engineering or Password
Single Sign-On Secure Authentication Password Mechanism
Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,
Security Levels for Web Authentication using Mobile Phones
Security Levels for Web Authentication using Mobile Phones Anna Vapen and Nahid Shahmehri Department of computer and information science Linköpings universitet, SE-58183 Linköping, Sweden {annva,nahsh}@ida.liu.se
Strong Authentication for Secure VPN Access
Strong Authentication for Secure VPN Access Solving the Challenge of Simple and Secure Remote Access W H I T E P A P E R EXECUTIVE SUMMARY In today s competitive and efficiency-driven climate, organizations
Protected Cash Withdrawal in Atm Using Mobile Phone
www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 2 Issue 4 April, 2013 Page No. 1346-1350 Protected Cash Withdrawal in Atm Using Mobile Phone M.R.Dineshkumar
SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS
SECURITY ANALYSIS OF A SINGLE SIGN-ON MECHANISM FOR DISTRIBUTED COMPUTER NETWORKS Abstract: The Single sign-on (SSO) is a new authentication mechanism that enables a legal user with a single credential
M-Pass: Web Authentication Protocol Resistant to Malware and Phishing
M-Pass: Web Authentication Protocol Resistant to Malware and Phishing Ajinkya S. Yadav M.E.student, Department of Computer Engineering. Pune University, Pune A. K.Gupta Professor, Department of Computer
Beyond passwords: Protect the mobile enterprise with smarter security solutions
IBM Software Thought Leadership White Paper September 2013 Beyond passwords: Protect the mobile enterprise with smarter security solutions Prevent fraud and improve the user experience with an adaptive
ViSolve Open Source Solutions
ViSolve Open Source Solutions Best-In-Class Authentication and Authorization Solutions & Services ViSolve Inc. ViSolve Securing Digital Assets Contents Security Overview Security Concerns Security Needs
International Conference on Web Services Computing (ICWSC) 2011 Proceedings published by International Journal of Computer Applications (IJCA)
Issues and Challenges in Ensuring Trust, Security, Performance and Scalability in a Common Multi-Banking Solution Sree Rekha.G Research Assistant, CORI, PESIT, Bangalore. V.K.Agrawal, Director, CORI, PESIT,
SECURITY STORAGE MODEL OF DATA IN CLOUD
SECURITY STORAGE MODEL OF DATA IN CLOUD Sonia Arora 1 Pawan Luthra 2 1,2 Department of Computer Science & Engineering, SBSSTC Ferozepur, Punjab, India
Authentication Levels. White Paper April 23, 2014
Summary White Paper April 23, 2014 This document describes levels of authentication that can be utilized for users known and unknown to gain access to applications and solutions. Summary... 1 Description...
Towards Securing E-Banking by an Integrated Service Model Utilizing Mobile Confirmation
Research Inventy: International Journal of Engineering And Science Vol.4, Issue 9 (Sept 2014), PP 26-30 Issn (e): 2278-4721, Issn (p):2319-6483, www.researchinventy.com Towards Securing E-Banking by an
Guide to Evaluating Multi-Factor Authentication Solutions
Guide to Evaluating Multi-Factor Authentication Solutions PhoneFactor, Inc. 7301 West 129th Street Overland Park, KS 66213 1-877-No-Token / 1-877-668-6536 www.phonefactor.com Guide to Evaluating Multi-Factor
Implementing two-factor authentication: Google's experiences. Cem Paya, Information Security Team, Google Inc.
Implementing two-factor authentication: Google's experiences Cem Paya Information Security Team Google Inc. Google services and personalization Identity management at Google 1. Internal
Enhancing Organizational Security Through the Use of Virtual Smart Cards
Enhancing Organizational Security Through the Use of Virtual Smart Cards Today's organizations, both large and small, are faced with the challenging task of securing a seemingly borderless domain of company
Monitoring mobile communication network, how does it work? How to prevent such thing about that?
Monitoring mobile communication network, how does it work? How to prevent such thing about that? 潘 維 亞 周 明 哲 劉 子 揚 (P78017058) (P48027049) (N96011156) 1 Contents How mobile communications work Why monitoring?
How CA Arcot Solutions Protect Against Internet Threats
TECHNOLOGY BRIEF How CA Arcot Solutions Protect Against Internet Threats table of contents executive summary 3 SECTION 1: CA ArcotID Security
A Method of Risk Assessment for Multi-Factor Authentication
Journal of Information Processing Systems, Vol.7, No.1, March 2011 DOI : 10.3745/JIPS.2011.7.1.187 A Method of Risk Assessment for Multi-Factor Authentication Jae-Jung Kim* and Seng-Phil Hong** Abstract
Securing mobile devices in the business environment
IBM Global Technology Services Thought Leadership White Paper October 2011 Securing mobile devices in the business environment By I-Lung Kao, Global Strategist, IBM Security Services 2 Securing mobile
Review Paper on Two Factor Authentication Using Mobile Phone (Android) ISSN 2319-9725
Review Paper on Two Factor Authentication Using Mobile Phone (Android) ISSN 2319-9725 Rahul Kale Neha Gore Kavita Nilesh Jadhav Mr. Swapnil Shinde Bachelor's Degree program in Information Technology Engineering
Secure Authentication of Distributed Networks by Single Sign-On Mechanism
Secure Authentication of Distributed Networks by Single Sign-On Mechanism Swati Sinha 1, Prof. Sheerin Zadoo 2 P.G.Student, Department of Computer Application, TOCE, Bangalore, Karnataka, India 1 Asst.Professor,
Dashlane Security Whitepaper
Dashlane Security Whitepaper November 2014 Protection of User Data in Dashlane Protection of User Data in Dashlane relies on 3 separate secrets: The User Master Password Never stored locally nor remotely.
A Layered Signcryption Model for Secure Cloud System Communication
Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 4, Issue. 6, June 2015, pg.1086
White Paper. The Principles of Tokenless Two-Factor Authentication
White Paper The Principles of Tokenless Two-Factor Authentication Table of contents Introduction... 2 What is two-factor authentication?... 2 Access by hardware token... 3 Advantages and disadvantages
Authentication and Authorization Applications in 4G Networks
Authentication and Authorization Applications in 4G Networks Abstract Libor Dostálek Faculty of Science University of South Bohemia Ceske Budejovice, Czech Republic The principle of
Multi-factor authentication
CYBER SECURITY OPERATIONS CENTRE (UPDATED) 201 (U) LEGAL NOTICE: THIS PUBLICATION HAS BEEN PRODUCED BY THE DEFENCE SIGNALS DIRECTORATE (DSD), ALSO KNOWN AS THE AUSTRALIAN SIGNALS DIRECTORATE (ASD). ALL
Complying with PCI Data Security
Complying with PCI Data Security Solution BRIEF Retailers, financial institutions, data processors, and any other vendors that manage credit card holder data today must adhere to strict policies for ensuring
KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS
KEYSTROKE DYNAMIC BIOMETRIC AUTHENTICATION FOR WEB PORTALS Plurilock Security Solutions Inc. www.plurilock.com HIGHLIGHTS: PluriPass is Plurilock static keystroke dynamic biometric
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi
Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and its combination with Public
Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
Remote Access Securing Your Employees Out of the Office
Remote Access Securing Your Employees Out of the Office HSTE-NB0011-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com Introduction
3D PASSWORD. Snehal Kognule Dept. of Comp. Sc., Padmabhushan Vasantdada Patil Pratishthan's College of Engineering, Mumbai University, India
3D PASSWORD Tejal Kognule Yugandhara Thumbre Snehal Kognule ABSTRACT 3D passwords which are more customizable and very interesting way of authentication. Now the passwords are based on the fact of Human
XYPRO Technology Brief: Stronger User Security with Device-centric Authentication
Ken Scudder Senior Director Business Development & Strategic Alliances XYPRO Technology Talbot A. Harty CEO DeviceAuthority XYPRO Technology Brief: Stronger User Security with Device-centric Authentication
Chapter 10. Cloud Security Mechanisms
Chapter 10. Cloud Security Mechanisms 10.1 Encryption 10.2 Hashing 10.3 Digital Signature 10.4 Public Key Infrastructure (PKI) 10.5 Identity and Access Management (IAM) 10.6 Single Sign-On (SSO) 10.7 Cloud-Based
Achieving Universal Secure Identity Verification with Convenience and Personal Privacy A PRIVARIS BUSINESS WHITE PAPER
with Convenience and Personal Privacy version 0.2 Aug.18, 2007 WHITE PAPER CONTENT Introduction... 3 Identity verification and multi-factor authentication..... 4 Market adoption... 4 Making biometrics
Usable Multi-Factor Authentication and Risk-Based Authorization
CYBER SECURITY DIVISION 2014 R&D SHOWCASE AND TECHNICAL WORKSHOP Usable Multi-Factor Authentication and Risk-Based Authorization IBM T.J. Watson Research Center Larry Koved December 18, 2014 Team Profile
Two Factor Zero Knowledge Proof Authentication System
Two Factor Zero Knowledge Proof Authentication System Quan Nguyen Mikhail Rudoy Arjun Srinivasan 6.857 Spring 2014 Project Abstract It is often necessary to log onto a website or other system from an untrusted
Whitepaper on AuthShield Two Factor Authentication and Access integration with Microsoft outlook using any Mail Exchange Servers
Whitepaper on AuthShield Two Factor Authentication and Access integration with Microsoft outlook using any Mail Exchange Servers By INNEFU Labs Pvt. Ltd Table of Contents 1. Overview... 3 2. Threats to
A secure email login system using virtual password
A secure email login system using virtual password Bhavin Tanti 1, Nishant Doshi 2 1 9seriesSoftwares, Ahmedabad, Gujarat, India 2 SVNIT, Surat, Gujarat, India
Chapter 17. Transport-Level Security
Chapter 17 Transport-Level Security Web Security Considerations The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets The following characteristics
Design and Implementation of Automatic Attendance Check System Using BLE Beacon
pp.177-186 http://dx.doi.org/10.14257/ijmue.2015.10.10.19 Design and Implementation of Automatic Attendance Check System Using BLE Beacon Mi-Young Bae and Dae-Jea Cho * Dept. Of Multimedia Engineering,
Cloud Database Storage Model by Using Key-as-a-Service (KaaS)
www.ijecs.in International Journal Of Engineering And Computer Science ISSN:2319-7242 Volume 4 Issue 7 July 2015, Page No. 13284-13288 Cloud Database Storage Model by Using Key-as-a-Service (KaaS) J.Sivaiah
What the Future of Online Banking Authentication Could Be
Universal Banking Solution System Integration Consulting Business Process Outsourcing Banking on Internet and mobile is gaining popularity The Pew Internet & American Life Project Tracking survey of December
Thick Client Application Security
Thick Client Application Security Arindam Mandal (http://www.paladion.net) January 2005 This paper discusses the critical vulnerabilities and corresponding risks in a two
Client Side Filter Enhancement using Web Proxy
Client Side Filter Enhancement using Web Proxy Santosh Kumar Singh 1, Rahul Shrivastava 2 1 M Tech Scholar, Computer Technology (CSE) RCET, Bhilai (CG) India, 2 Assistant Professor, CSE Department, RCET
Layered security in authentication. An effective defense against Phishing and Pharming
Layered security in authentication. An effective defense against Phishing and Pharming The most widely used authentication method is the username and password. The advantages in usability for users offered
True Identity solution
Identify yourself securely. True Identity solution True Identity authentication and authorization for groundbreaking security across multiple applications including all online transactions Biogy Inc. Copyright
SHORT MESSAGE SERVICE SECURITY
SHORT MESSAGE SERVICE SECURITY February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui
VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463
Two-Factor Authentication over Mobile: Simplifying Security and Authentication
SAP Thought Leadership Paper SAP Mobile Services Two-Factor Authentication over Mobile: Simplifying Security and Authentication Controlling Fraud and Validating End Users Easily and Cost-Effectively Table
Alternative authentication what does it really provide?
Alternative authentication what does it really provide? Steve Pannifer Consult Hyperion Tweed House 12 The Mount Guildford GU2 4HN UK Abstract In recent years many new technologies
Computer Security. Principles and Practice. Second Edition. Amp Kumar Bhattacharjee. Lawrie Brown. Mick Bauer. William Stallings
Computer Security Principles and Practice Second Edition William Stallings Lawrie Brown University of New South Wales, Australian Defence Force Academy With Contributions by Mick Bauer Security Editor,
Two-Factor Authentication and Swivel
Two-Factor Authentication and Swivel Abstract This document looks at why the username and password are no longer sufficient for authentication and how the Swivel Secure authentication platform can provide
Longmai Mobile PKI Solution
Longmai Mobile PKI Solution A quick Solution to External and Internal fraud in Insurance Industry Putting the client at the center of modernization Contents 1. INTRODUCTION... 3 1.1 Challenges... 3 1.2
Hard vs. Soft Tokens Making the Right Choice for Security
Hard vs. Soft Tokens Making the Right Choice for Security HSTE-NB0012-RV 1.0 Hypersecu Information Systems, Inc. #200-6191 Westminster Hwy Richmond BC V7C 4V4 Canada 1 (855) 497-3700 www.hypersecu.com
A brief on Two-Factor Authentication
Application Note A brief on Two-Factor Authentication Summary This document provides a technology brief on two-factor authentication and how it is used on Netgear SSL312, VPN Firewall, and other UTM products.
A Security Survey of Strong Authentication Technologies
A Security Survey of Strong Authentication Technologies WHITEPAPER Contents Introduction... 1 Authentication Methods... 2 Classes of Attacks on Authentication Mechanisms... 5 Security Analysis of Authentication
2. From a control perspective, the PRIMARY objective of classifying information assets is to:
MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected
STRONGER AUTHENTICATION for CA SiteMinder
STRONGER AUTHENTICATION for CA SiteMinder Adding Stronger Authentication for CA SiteMinder Access Control CA SITEMINDER provides a comprehensive
SecureCom Mobile's mission is to help people keep their private communication private.
About SecureCom Mobile SecureCom Mobile's mission is to help people keep their private communication private. We believe people have a right to share ideas with each other, confident that only the intended
One Time Password Generation for Multifactor Authentication using Graphical Password
One Time Password Generation for Multifactor Authentication using Graphical Password Nilesh B. Khankari 1, Prof. G.V. Kale 2 1,2 Department of Computer Engineering, Pune Institute of Computer Technology,
Multi-Factor Authentication of Online Transactions
Multi-Factor Authentication of Online Transactions Shelli Wobken-Plagge May 7, 2009 Agenda How are economic and fraud trends evolving? What tools are available to secure online transactions? What are best
COSC 472 Network Security
COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html
A Study on User Access Control Method using Multi-Factor Authentication for EDMS
pp.327-334 http://dx.doi.org/10.14257/ijsia.2013.7.6.33 A Study on User Access Control Method using Multi-Factor Authentication for EDMS Keunwang Lee 1* 1 Dept.of Multimedia Science, Chungwoon University
Advanced Authentication
White Paper Advanced Authentication Introduction In this paper: Introduction 1 User Authentication 2 Device Authentication 3 Message Authentication 4 Advanced Authentication 5 Advanced Authentication is
Two Factor Authentication Using Smartphone Generated One Time Password
IOSR Journal of Computer Engineering (IOSR-JCE) e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 11, Issue 2 (May. - Jun. 2013), PP 85-90 Two Factor Authentication Using Smartphone Generated One Time Password
Advance Technique for Online Payment Security in E-Commerce : Double Verification
Advance Technique for Online Payment Security in E-Commerce : Double Verification Shilpa Research Scholar Shri Krishan Institute of Engineering & Technology, Kurukshetra University Kurukshetra, India
