International Journal of Emerging Technology & Research ( ISSN (E): 2347

Transcription

1 Volume 1, Issue 7, Nov - Dec, 2014 International Journal of Emerging Technology & Research ( ISSN (E): 2347 Network Security Using Multiserver Authentication Mr. Yogesh R. Bhuyar 1, Dr G. R. Bamnote 2 1 Research student, Computer science &Engineering P.R.M.I.T&R.(Badnera), Maharashtra, India 2 H.O.D. Computer Science Deparment, P.R.M.I.T&R.(Badnera), Maharashtra, India ISSN (E): ISSN (P): Abstract- In this paper, we propose multi server authentication system with user protection in network security. We first propose a single-server server system and then apply this technique to a multi-server system. Addition to user authentication and key distribution, it is very useful for providing privacy for users. The key factors include. The privacy of users can be secured. A user can freely choose his own password. The computation and communication munication cost is very low. Servers and users can authenticate each other. Index Terms Network security, privacy protection, session key, smart card, user authentication. cryptosystems. For basically security and efficient requirements, the following criteria are important for remote user authentication and key agreement schemes with smart cards II. PROTECTION CRITERIA A. Privacy protection: When the user authenticates successfully to the server, the adversary cannot derive the user s identity. I. INTRODUCTION In order to use services by service providers in a network environment, the user must login to the provider s server. In general, the user gives a message of user authentication to the server, and then the server must be able to check the identity of the user and give him the right of using permitted services. Typically, ly, the user passes a password as a secret token to the server. The server first verify if the user s identity and the password are matching. The server rejects the user s request if his Identity or the password is not matching. If the password is matching, the server gives the user the right for using the permitted services. Password authentication scheme at both the point of the communication. cation. Since then, many technic have been proposed posed to point out its drawback and improve the security and efficiency of Lamport s scheme.[3] Only passing a password for authenticating between the user and the server is not sufficient, since it contain less amount safety and is easily hack by the intruders. Before two parties can do secure communication, a session key is required for protecting subsequence communications. Also, using smart cards, remote user authentication and key agreement can be simplified, flexible and efficient for creating a secure distributed computers environment. It is also useful for providing identity privacy for the users. [5] In two efficient authentication and key agreement schemes for single server, and multi server environments. But both Juang s schemes have no ability of anonymity for the user. Yang et. al. Proposed user identification and key distribution scheme with the ability of privacy protection but we point out it is less efficient because of using public-key B. Freely chosen password: Users can freely chosen and change his/her passwords for protecting their smart cards. C. Low communication cost: Since capacity and communication limitations of smart cards, they may not offer a powerful computation capability and high bandwidth. D. Authentication : Authentication is a direct need of each and every organization and so it is becoming important for an organization not because it copes with security threats only but for the reason it deals with and develops policies, procedures and mechanisms that provide administrative, physical and logical security. Whenever an user requests an access to a pool of resources, to use them or update them as desired, then to authenticate such an individual is referred to as authentication [2]. Computer industry has created an array of identification and authentication technologies like userid/passwords, One Time Password, Biometrics, Smartcards, Kerberos, Secure Socket Layer, Lightweight Directory Access Protocol, Security Assertion Markup Language(SAML), OpenID and CardSpace to address varying business and security requirements [11]. Each organization adopts one or more of these technologies to secure information against intruders and un-authorized access. In networked environment, users are granted access to the network only when they provide their access information (e.g. user name & password) securely to check and validate their identity. If a person can prove that who he is, also knows something that only he could knows, it Copyright reserved by IJETR (Impact Factor: 0.997) 99

2 1.1 Factors and identity The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of factors used to authenticate or verify a person's identity prior to being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of elements of each factor are The knowledge factors: Something the user knows (e.g., a password, pass phrase, or personal identification number(pin), challenge response (the user must answer a question), pattern. The ownership factors: Something the user has (e.g., wrist band, ID card, security token, cell phone with built-in hardware, software token, or cell phone holding a software token) III. VARIOUS FACTORS OF AUTHENTICATION: Authentication systems can be categorized according to the number of identification factors required to ascertain identity Req. Rejct. Req.Rect. Req.Rejct User login/sign up 1 st Auth(PW) 2 ND Auth token 3 RD Auth BIOMAT Secure login Chq Log TM DB1 Check threshold value(ttl) Chq HBP DB2 DB3 A] SINGLE-FACTOR AUTHENTICATION (SFA): user Logout login Fig -1: Data flow Diag. of Multiserver Authentication Check authentic ation data DB Single-factor authentication is the traditional security process that requires a user name and password before granting access to the user.sfa security based on the diligence of the user, user should take additional precautions.for example, creating a strong password and ensuring that no one can access it. For applications that require greater security, it may be advisable to implement more complex systems, such as multifactor authentication IV. TWO-FACTOR AUTHENTICATION (TFA): A. It requires two components, usually a combination of something the user knows (Such as a password) and something the user possesses (such as a physical token Secure ID card). In this case the user login to a network and Ticket is given to the user.the ticket contain client ip, server ip,client id,login and TTL (Time to leave). TFA check the current time and the login time if the login time is less than TTL.So user login else if the current time is more than TTL which result in logout the session. V. THREE-FACTOR AUTHENTICATION (TFA): Adds a biometric heart beat, a measurement of a human body characteristic. The more authentication factors used, the more secure the process. Security with the heart beat while sign up the heart beat of the user is then saved in data Copyright reserved by IJETR (Impact Factor: 0.997) 100

3 base.so while login we record the heart beat of the user in the database it then check the heart beat pattern in the database.if the pattern is having varience is less than the TTL then the user is login else logout. However, the more factors you add, the more you add complexity, cost, and management overhead. Every factor will offer a different break-even point in the tradeoff between simplicity and security. Single-factor authentication with user ID and password is the most common authentication system today. It s very familiar to users, and can provide a high level of security if strong password is provided. Legacy password systems have had some challenges, however, since multiple strong passwords are very hard for users to remember. The recommendations in this section will show how this problem can be minimized with a Single Strong Password system. Tokens such as system ip, client ip and login time are added as a second factor in many authentication systems requiring that the user have physical possession of the token. An attacker would similarly have to have possession of the user s token in order to gain system access.[10] The higher level of authentication comes with additional system cost, however, due to the necessary tokens and token readers. In addition, tokens can be easily lost or destroyed, which can present a high administration overhead for reissuing. Biometric factors for authentication measure characteristics of the user s body such as fingerprint, handprint, retina, iris, or voice characteristics. Biometric measurements are a useful additional factor and add an even higher level of authentication security. A biometric authentication system entails a measurement proving who the person actually is, rather than proving they have something such as a token or proving that they know something such as a password. Unfortunately, biometric measurements are not 100 percent effective; with the present state of the technology,but it provid high level of security it is possible to register false positives and false negatives. Biometric authentication systems also require biometric readers at system access points, adding new system costs. Strong cryptographicallybased authentication can be provided through the use of digital certificates issued to users and stored on tokens or within the user s computer memory. Cryptographic SHAL secure hashing algorithms are used to ensure that a particular certificate has been actually issued to the user. A system ip Infrastructure is used to enable the issuance and maintenance of digital certificates.[7] Strong cryptographically-based systems provide very stringent authentication. However, these systems are expensive and incur additional management overhead. Therefore, they are currently being adopted only in very secure environments. VI. KNOWLEDGE FACTORS Knowledge factors ("something only the user knows") are the most commonly used form of authentication. In this form, the user is required to prove knowledge of a secret in order to authenticate A password is a secret word or string of characters that is used for user authentication. This is the most commonly used mechanism of authentication. Many multi-factor authentication techniques rely on password as one factor of authentication A personal identification number (PIN) is a secret numeric password and is typically used in ATMs. Credit and ATM cards do not contain the PIN or CVV on the magnetic stripe.[4] This aligns with the principle that the PIN is not part of "something the user has" for this use. A pattern factor is a regular or stochastic sequence or array of sets of information, used for authenticating the users. For example, pattern factor based authentication may be presented by the bearer to a sensor unit to get authenticated by a processing unit Examples of pattern factors are listed below in a onedimensional bar code or in a two-dimensional matrix code or in a fingerprint- heart beat like set in any n-dimensional stack in any physical representation, as with, for example: electronic mechanical, optical, or any other automatically detectable and process able coding Secret questions such as "Where were you born?", which an authenticating entity arranges ahead of time with the user, are also a knowledge factor. VII. Possession factors: A.The security tokens contain client ip, client id, server ip login time and TTL(time to leave) if the current ip address of the client matches with the ip address in the ticket then the user is not under attack.but if the current ip and the ip present in the ticket do not match then the user is under attack.so user logout the session. B. Possession factors ("something only the user has") have been used for authentication for decades, in the form of a key to a locker. The basic principle is that the key embodies a secret which is shared between the lock and the key, and the same principle underlies possession factor authentication in computer systems. C. There are several ways of attacking such a system, including: An attacker can determine the shared secret, for example by attacking the authenticator or a management system,[5] reverse-engineering the possession factor, or intercepting the secret during authentication. In the case of a lock and key, the lock can be picked.[6] In an inadequately secured computer system, for example, a database containing the shared secrets can be attacked through SQL injection. An attacker can steal the possession factor. In the case of a lock and key, the attacker can steal the key and use it before the rightful owner notices the loss and has the lock changed. Copyright reserved by IJETR (Impact Factor: 0.997) 101

4 Fig -2: Authentication reference model VIII. Disconnected tokens: The generates during the second factor are unique for an individual at a specific time if the current time and the login time should not have more difference if the login time is less than TTL then the user can login the process but if the login time is more than the current time than if disconnect the tokens and close the session. In a "sequence-based" token, the token may have a button that is pressed to switch it on and display a new pass code. The cumulative number of button pushes can be used as the challenge. The server, however, must assume that the button may have been pressed a number of times since the last actual use, and attempt the authentication with all likely numbers of button pushes. In a "time-based" token, the token generally contains a specific time source, allowing the absolute time to be used as the challenge and a new pass code to be displayed (usually) every 30 or 60 seconds. In this case, the authentication server must allow for a drift in the time source by trying the authentication with a previous and subsequent time as well as the current time. It can hence keep track of the drift in the clock. Display tokens have the advantage that no drivers or electronic interfaces are required on the user access device. Often, it is possible to arrange for the pass code from the display to be appended to a password in an existing password field, so that the only modifications required are in the authentication server. A disadvantage in some sectors is that the display is usually small, and may be difficult to read for visually impaired users. XI. Biometric Factor In the present times, security has becomes a critical issue in automated authentication systems, Biometrics is a science of identifying a person using his/her physiological and behavioral characteristics, Biometrics traits are difficult to counterfeit and hence results in higher accuracy when compared to other methods such as using passwords and ID cards, Human physiological or behavioral can be used as biometric characteristic when it satisfies the requirements like universality, distinctiveness, permanence, and collectability. One need focus on some major issues performance, acceptability, and circumvention, Keeping all these requirements in mind, biometric like fingerprints, hand geometry, hand written signatures, retinal patterns, facial images, ear pattern, voice. Are used extensively in the areas that require security access. Most of the biometric traits mentioned above have certain disadvantages that threaten the level of security. Some of the traits can easily to forged to create false identities. And few other traits can be used even in the absence of the person and even he is dead. Hand vein pattern is one trait that cannot be used in the person unlike the other traits like finger print, palm print, etc. This is a more secure approach, but it suffers from disadvantages like alteration due to hand injury, Even though this can be overcome, 100% accuracy cannot be achieved due to limitations on the threshold. Such problem can be solved using heartbeat as the biometric trait. And it cannot be copied to fake identity, and it cannot be altered to hide identity, The heartbeat of a person is captured in the form of an electrocardiogram recording. The ECG of a person varies from person to person due to change in size, position, and anatomy of the heart, chest configuration, and various factors. As a biometric trait, electrocardiographic (ECG) signals have very appealing characteristics as they provide intrinsic liveliness detection and are strongly correlated to the subjects arousal level [1]. Therefore, the application of ECG for biometric purposes has been studied for long, both under controlled and unrestrained scenarios [2]. Recent work has shown the validity of the ECG signals for human identification [6]. While results enhance the potential of these signals, user acceptance may be limited by the data acquisition methods and apparatus. State-of-the-art research has revealed that, for biometric applications, a 1-lead setup suffices; nonetheless, a chest-mounted sensor apparatus with propelled electrodes is typically used [9]. Given this constraint, work in the field has begun to focus on ECG acquired at the finger tips. In a nonmedical data, acquisition setup is explored, which uses two electrodes connected at the subjects thumb tips; data acquisitions and performance evaluation were done for data collected within a group of 50 subjects. The authors process the collected signals for P- QRS-T segmentation and align the resulting waves to extract a mean wave. Classification results are obtained through the use of a distance metric based on wavelet coefficients, computed by doing a wavelet representation of Copyright reserved by IJETR (Impact Factor: 0.997) 102

5 the extracted mean waves. We propose an ECG-based biometric system for human identification that recurs to a minimally intrusive 1-lead setup for signal acquisition at the fingers. Our apparatus uses Ag/AgCl electrodes without gel as interface with the skin, further improving its usability. X. CONCLUSION In this paper, we have proposed two user authentication and Biometric schemes with privacy protection for single server and multi-server environments. Regarding the single server scheme in network security, it is more simple and efficient. Regarding the multi-server scheme, users only need to register one time and can use all provided services by service providers. Both our proposed schemes have the ability of privacy protection. Our systems also have low communication and using one-way functions. Also, our schemes successfully solve the serious time-synchronization problem in a distributed computers environment since our proposed schemes are nonce-based. REFERENCES [1] [1]. M. Alzomai, '' Identity Management : Strengthening One Time Password Authentication Through Usability ''. PhD thesis May [2] [2]. H.C. Kim, H.W. Lee, K.S.Lee, M.S. Jun, '' Design of One-Time Password Mechanism using Public Key Infrastructure '' / IEEE DOI /NCM [3] [3]. J.L. Tsai, Efficient multi-server authentication scheme based on one-way hash function without verification table, Computers & Security, Vol. 27, No. 3-4, pp , May-June [4] [4]. Y.P. Liao, S.S. Wang, A secure dynamic ID based remote user authentication scheme for multi-server environment, Computer Standards & Interfaces, Vol. 31, [5] [5]. S. Bellovin and M. Merritt, Encrypted key exchange: Passwordbased protocols secure against dictionary attacks, in Proceedings of IEEE Symposium on Research in Security and Privacy, pp , [6] [6]. M. Burrows, M. Abadi, and R. Needham, A Logic of Authentication, ACM Transactions on Computer Systems, vol. 8, no. 1, pp , [7] [7]. Y. Chang and C. Chang, Authentication schemes with no verification table, Applied Mathematics and Computation, vol. 167, pp , Copyright reserved by IJETR (Impact Factor: 0.997) 103