A Study and Evaluation of Different Authentication Methods and Protocols 1 K. Arthi, 2 N.M. Nandhitha, 3 S.Emalda Roslin

Transcription

1 A Study and Evaluation of Different Authentication Methods and Protocols 1 K. Arthi, 2 N.M. Nandhitha, 3 S.Emalda Roslin 1 Final year software engineering student, Sathyabama University 2 Head/ Academics,Dept. of ECE, Sathyabama University 3 Head/ Academics,Dept. of E&C, Sathyabama University Abstract Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Text password is the most popular form of user authentication on website due to its convenience and simplicity. Passwords are prone to be stolen under different threats and vulnerabilities. Hence an authentication protocol which protects the user s password from various threats have been used. In this paper, a survey on various protocols that are resistant to password stealing attacks is done and a comparative study is made. 1. INTRODUCTION Authentication is a fundamental aspect of system security. It confirms the identity of any user trying to log on to a domain or access network resources. Due to the numerous advantages of authentication systems, it can be used in various applications. The common application involving authentication is, a computer program using a blind credential to authenticate to another program, Using a confirmation to verify ownership of an address, using an internet banking system, Withdrawing cash from an ATM.The main purpose of these systems is to validate the user's right to access the system and information, and protect against identity theft and fraud. The main types of authentication are Basic single factor authentication, multifactor authentication and cryptographic authentication. The basic authentication is commonly used among the people. It refers to the password based authentication. Example common password, numerical password etc. Multifactor authentication uses the combination of authentication s to validate identity. The final form of authentication uses the cryptography. It includes public key authentication and digital message as authentication code. Password-based authentication is a protocol in which two entities share a password in advance and use the password as the basis of authentication. Existing password-based authentication schemes can be categorized into two types: weak-password authentication schemes and strong-password authentication schemes. In general, strong-password authentication protocols have the advantages over the weakpassword authentication schemes in that their computational overhead are lighter, designs are simpler, and implementation are easier, and therefore are especially suitable for some constrained environments. Logging into an individual computer or a website requires a reliable authentication protocol to run on the back end to establish verification of the user. A variety of protocols are in active use by servers around the world. The Ethernet protocol is by far the most widely network protocols used for authentication. Ethernet uses a multiple access called CSMA/CD (Carrier Sense Multiple Access/Collision Detection). This is a system where each computer listens to the cable or the medium through which data transmission occurs, before sending anything through the network. This allows multiple users accessing the same channel by detecting collision due to congestion. Local Talk is another network protocol that was developed by Apple Computer, Inc. for Macintosh computers. The used by Local Talk is called CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance). It is similar to CSMA/CD except that a computer signals its intent to transmit, before it actually does so. Local Talk adapters and special twisted pair cable can be used to connect a series of computers through the serial port. The access used involves token-passing. In Token Ring, computers are connected in a ring topology. So that the signal travels around the network from one computer to another in a logical ring. A single electronic token moves around the ring from one computer to the next. If a computer does not have information to transmit, it simply passes the token on to the next workstation. Any information is there to transmit then that computer catches the token and passes the information via the ring to the destination. For very large distances and to interconnect two or more local area networks, Fibre Distributed Data Interface (FDDI) is a network protocol that is used primarily. The access used by FDDI involves token-passing. FDDI uses a dual ring physical topology. ATM supports a variety of media such as video, CD-quality audio, and imaging. ATM employs a star topology, which can work with fiber optic as well as twisted pair cable.atm is most often used to interconnect two or more local area networks. In this paper, the various existing authentication protocols in the literature is surveyed. A comparison table is also made on evaluating the existing protocols. The paper is organized as follows: Chapter 2 gives an overview of the different authentication protocols and s. In chapter 3, the various existing authentication protocols in the literature is discussed. A comparative analysis is made in the chapter 4. Conclusion and future work is given in chapter 5. II AN OVERVIEW OF DIFFERENT AUTHENTICATION PROTOCOLS & METHODS In today's highly secure high tech world, there is a need to provide rules and protocols to ensure that data is protected and K. Arthi et.al

2 away from prying eyes. The rules and protocols are constantly being updated to take account of the latest threats both online and offline. A protocol is a set of rules designed to provide communications between peers, by having a controlled conversation. Authentication includes a few more checks to validate security. a) Authentication and Key Agreement (AKA) This protocol is used in mobile 3G networks. It is also capable of generating for Digest access authentication. Symmetric cryptography is used on the basis of a challenge-response type technique. b) Extensible Authentication Protocol (EAP) Primarily used in wireless networks and point-to-point connections, EAP is an authentication mechanism for transporting information and usage parameters for EAP s, of which there are several. As EAP is not a wire protocol it is only used for defining message formats. EAP is widely used and is present in a number of different wireless based network types. challenge value after receiving a user identifier. Password list makes use of the list of which are sequentially used by the person waiting to access the system. h)public key cryptography The public key cryptography is based on the mathematical problems that require very specialized knowledge. It makes use of two keys, one private key and the other is the public key. The two keys are linked together by an extremely complex mathematical equation. Both encryption and verification is accomplished with the public key. c) Kerberos Kerberos is a well-known authentication used on computer networks. It is useful in instances whereby the underlying network is not secure, and is thus used as a mechanism for validating identities between nodes in the network. It is mainly used in a client-server environment. Messages are encrypted to provide protection from interference and interception of messages. d) Secure Remote Password protocol (SRP) The SRP protocol permits authenticate to a server, and is protected against external attacks by eavesdroppers. This protocol has the advantage that it does not require a third party to be involved in the trust process. It is very secure against potential external threats through the mechanisms built in and improved upon over the last decade. e) Digital signature A digital signature is a digest calculated from a signed document. The client verifies the digest signature by decrypting it with the server s public key and compares it to the digest value calculated from the message received. The signature can also be used by the server to verify data the client is sending. f) Password Password is the most widely used form of authentication. Password authentication does not normally require complicated or robust hardware since authentication of this type is generally simple. g) One time password To avoid the problems associated with password reuse, one time password were developed. There are two types of one time password, a challenge response password and a password list. The challenge response password responds with a Fig 1. Classification on various authentication protocols & s III RELATED WORK In [1] the author uses a simple approach to secure and convenient kiosk browsing. The key idea of Session Magnifier is to enable an extended browser on a mobile device and a regular browser on a public computer to collaboratively support a Web session. This approach requires a Session Magnifier browser extension to be installed on a trusted mobile device. A user can securely perform sensitive interactions on the mobile device and conveniently perform other browsing interactions on the public computer. A Session Magnifier has been proposed which is a simple approach to secure and convenient kiosk browsing. Session Magnifier strives to synthesize the usability advantages of a mobile device. In [2] the author introduced and evaluated various s for purely automated attacks against Pass Points-style graphical. For generating these attacks, they introduced a graph-based algorithm to efficiently create dictionaries based on heuristics such as click-order patterns. K. Arthi et.al

3 To generate an attack dictionary based on heuristics, a general graph based algorithm is used. It consists of the following phases: Window clustering algorithm, attack alphabets, dictionary generation algorithm, click order patterns, relaxation and constraints. These results suggested that automated attacks provide an effective alternative to a humanseeded attack against Pass Points-style graphical. Furthermore, they allow continuation of an attack using clickorder patterns (without any prioritization through visual attention models or other means), guessing more overall than human-seeded s. In [3] the author presented a with which it is possible to directly analyse the amount of data harvested through different types of attacks in a highly automated fashion. The ology proposed is to automate the analysis of the attack and harvesting channel as much as possible. To study the attack channel, they used the concept of honey pots, i.e., information system resources whose value lies in unauthorized or illicit use of that resource. The technical challenge of the approach is to automate the analysis process as much as possible and to analyse the large amount of data collected in this fashion. Based on empirical measurements, it is shown that the attackers steal thousands of credentials from the infected machines. This stolen data can then be traded on the underground market. In [4] the author presented a system in which a user leverages a personal mobile device to establish trust in a public computing device, or kiosk prior to resuming the environment on the kiosk, where kiosk is a PC-class platform equipped with a DRTM(discrete ray tracing )-enabled processor and a TPM(trusted platform module). The system consists of a user carrying a mobile device, a kiosk, and a kiosk supervisor. The mobile device is pre-equipped with an application that aids the user in ascertaining the trustworthiness of the kiosk. The kiosk supervisor may be any platform capable of running an IMA verifier. The design of a system in which a user s mobile device serves as a vehicle for establishing trust in a public computing kiosk by verifying the integrity of all software loaded on that kiosk has been proposed. In [5] the author provided a comprehensive overview of published research in the area, covering both usability and security aspects, as well as system evaluation. It catalogues the existing approaches, highlighting novel features of selected schemes and identifying key usability or security advantages. It summarizes evaluation approaches used including user studies, with focus on aspects of special concern for examining graphical password systems. Data collected from such user studies is also critical in the security evaluation. The research reveals a rich palette of ideas and a few schemes that deliver on the original promise of addressing the known problems with text. In [6] the author analyses the security provided by perspectives and describes the experience building and deploying a publicly available implementation. SSH-style host authentication offers a simple and attractive alternative to a heavyweight PKI (public key infrastructure). Trust-on-firstuse leaves users vulnerable to simple MitM attacks, limiting the effectiveness of current Tofu applications and preventing other protocols from being able to take advantage of lightweight SSH(secure style host )authentication. In [7] the author examined frequency of access to a graphical password, interference resulting from interleaving access to multiple graphical and patterns of access while training multiple graphical. The ology consists of four stages: A pre-study questionnaire examining participant demographics and current password strategies, a five-week online study of participants accessing multiple facial graphical, a post-study questionnaire regarding participant experiences and a test of long-term recall conducted four months after the end of the original five-week study. The results underscore the need for more realistic evaluations of the use of multiple graphical, having a number of implications for the adoption of graphical password systems and providing a new basis for comparing proposed graphical password systems. In [8] the author used a report on a laboratory study comparing the recall of multiple text with the recall of multiple click-based graphical and to address the memorability of multiple in user authentication software. The study includes 2 lab-based sessions. Session 1 took 1 hour and was completed by all the participants. For session 2 participants returned to the lab and tried to recall their previously created. The session includes 4 phase : Practice, password generation, retention, 2-week retention. Results of the lab study indicated that in the shortterm, Pass-points are most robust than text against multiple password interference. K. Arthi et.al

4 TABLE 1: COMPARISON ON THE VARIOUS EXSITING AUTHENTICATION METHODS REFERE NCE NO. METHODOLOGY USED METRICS ADVANTAGES DISADVANTAGES [1] Use of Session magnifier in a kiosk browsing environment 1.Web browsing 2.Kiosk 3. Mobile device 1. Uses a trusted PDA. 2. Accessing to remote Web server browser Does not study the use of multiple graphical [2] 1.Windows clustering algorithm 2.Dictionary generation algorithm 1. Edges defined by the points in an image 2.Distance measured 1. Increased validity of the 2.Long-term memorability [3] Analysis Harvesting channel It gives us a much better basis for estimating the size of the underground economy [4] Kiosk computing 1. A new kiosk front-end application 2. An existing IMA Server 3.A modified version of the OSLO secure loader [5] 1. Cued recall 2. Recognition based [6] 1. SSH 2. HTTPS [7] Long term recall [8] Password generation 1.Password Initialization 2. Login 3. Password reset and password change Authentication failure rate 2.Number of attempts required 3.Login time required 1.Graphical 2.Authentication Allowing the user to personalize a kiosk by running her own virtual machine there It helps to authenticate services that do not have certificates signed by a global PKI Provides a new basis for comparing proposed graphical password systems participants could more easily remember multiple click-based graphical than multiple text Do not know exactly on which sites the key logger becomes active 1. Bar code attacks 2. Run time attacks Accessed only by limited users Data redundancy cannot conflict answers to two clients querying about the same service even after compromising It cannot be easily adopted K. Arthi et.al

5 IV CONCLUSION AND FUTURE WORK The goal of authentication is to identify and to verify that the user has access to a system. Various authentication s have been widespread since the personal computer was developed in the 1970s. Many authentication s have been in use for centuries, such as identity cards, visual authentication and. In this paper, a detailed study on the various password authentication protocols has been done and a comparative study is also made. REFERENCES [1]C. Yue and H. Wang, SessionMagnifier: A simple approach to secure and convenient kiosk browsing, in Proc. 11th Int. Conf. UbiquitousComputing, 2009, pp , ACM. [2] P. van Oorschot, A. Salehi-Abari, and J. Thorpe, Purely automated attacks on passpoints - style graphical, IEEE Trans. InformationForensics Security, vol. 5, no. 3, pp , Sep [3] T. Holz, M. Engelberth, and F. Freiling, Learning more about the underground economy:acase-study of keyloggers and dropzones, Proc. Computer Security ESORICS 2009, pp. 1 18, [4] S. Garriss, R. Cáceres, S. Berger, R. Sailer, L. van Doorn, and X. Zhang, Trustworthy and personalized computing on public kiosks, in Proc. 6th Int. Conf. Mobile Systems, Applications Services, 2008, pp , ACM. [5]R. Biddle, S. Chiasson, and P. van Oorschot, Graphical : Learning from the first twelve years, in ACM Computing SurveysCarleton Univ., [6] D. Wendlandt, D. G. Andersen, and A. Perrig, Perspectives: Improving ssh-style host authentication with multi-path probing, in Proc. USENIX 2008 Annu. Tech. Conf., Berkeley, CA, 2008, pp , USENIX Association. [7] K. M. Everitt, T. Bragin, J. Fogarty, and T. Kohno, A comprehensive study of frequency, interference, and training of multiple graphical, in CHI 09: Proc. 27th Int. Conf. Human Factors Computing Systems, New York, 2009, pp , ACM [8] S. Chiasson, A. Forget, E. Stobert, P. C. van Oorschot, and R. Biddle, Multiple password interference in text and click-based graphical, in CCS 09: Proc. 16th ACM Conf. ComputerCommunications Security, New York, 2009, pp , ACM. K. Arthi et.al