Sarower of the Department of Computer Science and Engineering, Daffodil International University, has been accepted as satisfactory in partial fulfillment of the requirements for the degree of M.Sc. I hereby declare that this project was carried out by me under the supervision of Dr. The proposed model uses steganography to hide user credentials with the aim of reducing the risk caused by MITM and session hijacking attacks.
Furthermore, the SMFA model requires the user to have an additional USB device as an additional factor to prove his/her identity, along with a proposed multi-server authentication scheme to alleviate the problem of the traditional single-server authentication mechanism. This indicates the username, password or some questions directly related to the user whose answer is known to the system. This indicates the user's biometric information, which means unique information such as the user's fingerprint, retina and DNA.
The proposed multi-factor authentication model uses steganography and cryptography for data security; it also uses a USB device such as U2F [7] to prove the identity of the user along with the username and password.
LITERATURE REVIEW
In the last decade, various elegant approaches have been proposed that propose using an additional device to authenticate the user. This has led to some research studies promoting the use of smart card, USB and additional online devices as another factor. But apart from the presence of the limitation of this model that it can only work for Windows PC and not for any network environment, there are still some security threats of this authentication process.
Steganography and cryptography can be combined to improve data security and hide the existence of sensitive credentials. Some researchers suggest using steganography and hashing or encryption together to achieve highly reliable data security in digital communication. The advantage of this method is that it prevents misuse of information on the merchandise website.
The limitation of this method is the use of OTP for greater security: since there are two OTPs, there is a concern about synchronization between the client and the server. Here, LSB and AES steganography are used to hide the text password to ensure good security of the android authentication system. After reviewing the papers discussed above, it can be understood that many initiatives and models have been proposed for a secure authentication process.
However, there has been limited research on the multi-factor authentication system and steganography jointly. The contribution of this study amounts to the design of a multi-factor authentication model that uses steganography for secure credentials transfer. Designed in a way where two different servers can be used to reduce risk and increase efficiency.
RESEARCH METHODOLOGY
FIDO
This operation is performed once, and the token can then be used for authentication.' In this mechanism, the computer forwards the user's login details and password to the server. The browser generates a payload containing the URL of the server and challenge, session is signed by token. This section gives a detailed demonstration of the proposed MFA model that can be used for a secure and reliable authentication process.
Assuming that there are three different roles in this proposed scheme: the user, the authentication server and the application server, the functions can be placed in a defined process, that is, thus the proposed USB-based, multi-server authentication scheme exists basically from three phases—the registration phase, the login phase and the verification phase. Upon receiving the registration request, the authentication server issues a USB device to the user so that it can be used to generate the one-time token.
For the case of the loss or breakage of the USB device, this research finding came to a conclusion by proposing two different approaches. The reporting mechanism should be effectively convenient for users, and the authentication server will recall the stegao validator and OTT of the lost USB device after confirming that the loss or breakage report is true. For this proposed model, any image steganography technique with a good security level can be used.
Security measurement can be done by considering PSNR (peak signal to noise ratio) and MSE (mean square error) of Cover object and Stego object. In the above equations, ij refers to the pixel value at positions i and j of the cover image, while bij refers to the pixel value at positions i and j of the Stego image. So, any image steganography technique that achieves at least 40 dB PSNR can be used in this model to achieve the goal of hiding the presence of credentials.
MODEL ANALYSIS
Once the main AU is satisfied, it will send a message to AP with a time stamp, decrypt the session of U, OTT, POTT with also its own shared key with the private key of AP. The full message decrypts with the shared key between AU and AP it checks: if the session is also recently created, it will decrypt it. Once this master AP is satisfied, it will continue to use the session key of U and grant access to the replay of U. So, if it can be proven that the main AU believes the main U, and the main AP believes AU, then the main AP must believe in the main U. Therefore, the model will be validated.
KUAU – Shared key between user and authentication server KUAP – Shared key between user and application server KAUDB – Shared key between authentication server and database. KAU – Authentication Server Public Key KAU – Authentication Server Secret Key KAP – Application Server Public Key KAP – Application Server Secret Key. The first three assumptions on the left are about the shared keys between the three drivers and the database.
The four assumptions on the right indicate that the principals and the database server believe that timestamps generated elsewhere are fresh, indicating that the model relies heavily on the use of synchronized clocks. The following set of three assumptions indicates the trust that principals and DBs have in the server to generate a good encryption key. The analysis of the idealized model is carried out by implementing the proposed rules of assumptions.
The main steps of the proof are as follows: AU receives Message 1. You pass UID, UPASS and OTT to AU, together with a message containing a time stamp. By the meaning of the message and the postulated non-verification the following can be deduced:. Here, with AU send a message to AP, so that it can be replaced by U. Message that will actually send over U's UID, UPASS and OTT).
RESULT AND DISCUSSION
CONCLUSION
An authentication protocol called SMFA is proposed which is able to withstand various attacks and is better than other protocols. The SMFA protocol is based on a USB device, Cryptography and Steganography to implement secure credential transfer and authentication. In this study, it was observed that integration of a steganography and authentication mechanism results in better security and solves existing security issues.
The protocol is efficient and can protect the integrity, confidentiality and authenticity of the data transmitted over the Internet. The BAN logic method is used to validate the security features and key agreement procedure for the proposed SMFA protocol. Extensive analysis and comparative results indicate that the use of USB in the client side, dedicated authentication server and the use of steganography in the transmission process have a great impact on the hardening of the security, hence the reliability of users.
Finally, the research findings showed that the proposed SMFA is invulnerable to user impersonation attacks, replay attacks, DOS attacks, session hijacking attacks, offline password guessing attacks and also provides mutual authentication. Although the protocol requires a slightly higher computational cost due to the layered protection, it reduces the frequency of MITM attacks and the damage they cause. To overcome, implementation and implementation of the proposed scheme in a real-world application and possible future improvement are also provided.
ACKNOWLEDGEMENT
Chao, "(N, 1) secret sharing approach based on gray digital image steganography", 2010 IEEE International Conference on Wireless Communications, Networks and Information Security, 2010. Ravindranath, "Design of a Secure Authentication Protocol three-factor authentication for wireless sensor networks,” 2017 International Conference on Nextgen Electronics Technologies: Silicon in Software (ICNETS2), 2017. He, “A Lightweight Mutual Authentication Scheme for User and Server in Cloud,” 2015 First International Conference on Theory of Computational Intelligence, Systems and Applications (CCCCITSA), 2015.
Lin, "An ID-Based Authentication User Scheme for Cloud Computing", 2014 Tenth International Conference on Intelligent Information Hiding and Multimedia Signal Processing, 2014. Li, "One-Pass Authentication and Key Agreement Procedure in IP Multimedia Subsystem forUMTS," 21st Conference on Advanced Information Networking and Applications (AINA '07), Ujëvara Niagara, ON, 2007, fq. , Përpunimi i sinjalit dhe rrjetëzimi (WiSPNET), 2016.
Wang, “NFC Unlock: Secure Two-Factor Computer Authentication Using NFC,” 2017 IEEE 14th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), 2017. Rama Rao, “Strong authentication using dynamic hashing and steganography,” International Conference on Computer Science, Communication Automation, 2015. Gnanasekaraiyer, “A Steganography-Based Framework for Preventing Active Attacks During User Authentication,” 2013, 8th International Conference on Computer Science Education, 2013.
Hudaib, "Secure Online Shopping Using Biometric Personal Authentication and Steganography," 2006 2nd International Conference on Information Communication Technology. Abubakar, “Stegano Image as a Digital Signature to Improve Security Authentication System in Mobile Computing,” 2016 International Conference on Informatics and Computing (ICIC), 2016. Hardjianto, “Data Security Using LSB Steganography and Vigenere Chiper in an Android environment," 2015 Fourth International Conference on Cyber Security, Cyber Warfare and Digital Forensics (CyberSec), 2015.
