
International Journal on Advanced Computer Theory and Engineering (IJACTE)

________________________________________________________________________

Two Factor Framework for Web Based Social Network Based on PKI

S. Thiraviya Regina Rajam (1), S. Britto Ramesh Kumar (2)

Department of Computer Science, St. Joseph’s College (Autonomous), Tiruchirappalli, India

Email: (1) [email protected], (2) [email protected]

Abstract: Passwords provide a security mechanism for authentication and protect resources against unwanted access. A graphical password is one promising alternative to textual passwords. Data must be protected by a password against unauthorized access, because privacy, integrity and confidentiality are the most important elements of information security; each user must set a password that gives safe access to his own data and leaves no opportunity for illegal access. When setting a password, users usually have some of the following considerations in mind: the password can be alphanumeric, letters only, or both; it can be an easy password, so that it is remembered later; it can be a meaningful password; and it can be a date, for example a date of birth, date of marriage or date of joining a job. All these considerations mean that passwords set by users can easily be discovered by attackers, who use software and dictionaries containing a huge number of words to detect passwords. The main objective of a good authentication system is to provide two secure factors; the two factor Framework for user authentication is based on a PKI password rather than an alphanumeric password. This paper presents a Multi-tiered Framework for an effective authentication system, which provides strong passwords that are hard for attackers to guess and graphical passwords that are easy for users to remember, with a high level of security.

A further aim is to reduce guessing attacks and to encourage users to choose a password that is difficult for attackers to guess and easy for the user to remember.

Index Terms: Authentication, Computer security, Confidentiality, Graphical password, Guessing attacks, Information technology, Privacy

I. INTRODUCTION

All current secure systems suffer because they mostly ignore the importance of human factors in security. An ideal security system considers security, reliability, usability, and human factors. All current security systems have flaws which make them suitable only for well trained and skilled users. A password is a secret that is shared by the verifier and the customer.

“Passwords are simply secrets that are provided by the user upon request by a recipient.” Many things are “well known” about passwords, such as that users cannot remember strong passwords and that the passwords they can remember are easy to guess [1-6]. In recent years passwords have become necessary in all electronic transactions, whether to confirm identity at automated teller machines or to access e-mail, social networking and other services. It has become necessary to produce encrypted passwords with high reliability and confidence, so that no one can guess or break them and no software can be configured to guess them. A password is a series of letters, numbers or symbols, or a combination thereof, used together with the user name to confirm the credibility and validity of the identity. Despite the recent development of technology and information security methods, piracy remains a problem, and it primarily threatens large corporations, which fear for the confidentiality of their information. The main reason the password is a defense vulnerable to hacking attacks is that it lacks the strength needed to repel them, owing to human nature and the limited human ability to remember many different passwords: most people avoid the problem of forgotten passwords by making their passwords very weak, which makes them easy for attackers to guess.

According to a recent Computerworld news article, the security team at a large company ran a network password cracker and within 30 seconds identified about 80% of the passwords [7]. On the other hand, passwords that are hard to guess or break are often hard for users to remember. Studies have shown that since users can only remember a limited number of passwords, they tend to write them down or use the same passwords for different accounts [8, 9]. The alternative authentication method uses both a “secret key” and “graphical password schemes” as passwords instead of text-based authentication schemes, since humans can remember pictures better than text; psychological studies support this assumption [10]. The problems of knowledge-based authentication, typically text-based passwords, are well known. Users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember [11]. A password authentication system should produce strong passwords instead of weak ones. The proposed framework allows users to choose stronger passwords that are easy to remember and hard for attackers to guess. This approach makes it easier to choose a more secure password, rather than increasing the burden on users to remember many characters, numbers and special characters.

II. AUTHENTICATION METHODS

Figure 1: Classification of authentication methods

Figure 1 shows that authentication methods can be divided into three main areas: token based authentication, biometric based authentication and knowledge based authentication. Each is described below:

• Token based authentication techniques: Tokens such as key cards, bank cards and smart cards are widely used. Many token-based authentication systems also use knowledge based techniques to enhance security. For example, ATM cards are generally used together with a PIN number.

• Biometric based authentication techniques: Techniques such as fingerprints, iris scans or facial recognition are not yet widely adopted. The major drawback of this approach is that such systems can be expensive, and the identification process can be slow and often unreliable, and hence it is not preferred by many [12, 13].

• Knowledge based techniques: These are the most widely used authentication techniques and include both text-based and picture-based passwords.

The picture-based techniques can be further divided into two categories: recognition-based and recall-based graphical techniques. Using recognition-based techniques, a user is presented with a set of images and the user passes the authentication by recognizing and identifying the images he or she selected during the registration stage. Using recall-based techniques, a user is asked to reproduce something that he or she created or selected earlier during the registration stage.

The specific hypotheses with respect to multiple password interference were:

• Participants will have lower recall success rates with text passwords than with PassPoints passwords.

• Participants in the Text condition are more likely than PassPoints participants to use patterns across their own passwords.

• Participants will recall text passwords more slowly than PassPoints passwords.

• Participants in the Text condition are more likely than PassPoints participants to create passwords that are directly related to their corresponding accounts.

• Participants in the Text condition will make more recall errors than participants in the PassPoints condition.

III. EXISTING SYSTEMS

In existing approaches, users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember [14]. The most common way to authenticate a computer user is through a user name and a password in the form of text, numbers or both. It is well known that users choose weak passwords in order to remember them, and such weak passwords are easy for hackers to guess.

Studies have shown that users tend to pick short passwords or passwords that are easy to remember. Unfortunately, these passwords can also be easily guessed or broken. According to a recent Computerworld news article, the security team at a large company ran a network password cracker and within 30 seconds identified about 80% of the passwords [3].

On the other hand, passwords that are hard to guess or break are often hard to remember. Studies have shown that since users can only remember a limited number of passwords, they tend to write them down or use the same passwords for different accounts, which has several drawbacks:

• The problems of knowledge-based authentication, typically text-based passwords, are well known. Users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember.

• Text passwords are the most popular user authentication method, but have security and usability problems.

• Users maintain the same password for multiple applications because it is easy to remember.

IV. PROBLEM STATEMENT

The human brain is not good at remembering alphanumeric passwords, but it is good at remembering pictures. Guessing an alphanumeric password has become very easy with specific software and dictionaries, whereas guessing a graphical password is too difficult. A major goal of this paper is to discover how to create knowledge based authentication schemes that are memorable, usable and secure; the result is called the Multi-tiered Framework for user authentication, which is based on a multimedia password rather than an alphanumeric password.

V. PROPOSED FRAMEWORK

• Proposed framework

To solve the problems with traditional username and password authentication, alternative authentication methods such as graphical passwords have been used, which allow the user to choose a stronger password by clicking on images rather than typing alphanumeric characters. It is easy for the user to remember the password and too difficult for attackers to guess it. The proposed framework is a new and more secure graphical password system design, called the two factor framework for user authentication.

The proposed framework uses the concept of creating a graphical password to provide secure authentication. This system solves the problem of remembering alphanumeric characters or several click-points by replacing a multiple image sequence with a single window containing one set of images.

The user is shown four sets for graphical image authentication: the first three sets contain several sentences, and the fourth set contains images. The user can choose any one of the four sets. All the sets are in the form of a 4x8 matrix. Since the window frame contains 32 images, it is completely impossible for attackers to guess the sequence of click-points on the images. Additionally, the proposed work introduces a secret key technique that improves the remembrance of the password, and it shuffles the sequence of images contained in the window frame. The proposed system (Figure 2) performs well in terms of security, accuracy and ease of use.

• Objectives of the proposed framework

• To prevent an unauthorized user from gaining access to the confidential information of an individual or organization, and to increase the performance of knowledge-based authentication mechanisms in security systems. Existing graphical password schemes use more memory space and require long-term password memorability, whereas the proposed framework provides a higher level of security with a reduced chance of guessing by attackers.

• To satisfy the information security triangle (C.I.A.):

a. Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.

b. Integrity: The property of safeguarding the accuracy and completeness of information.

c. Availability: The property of being accessible and usable upon demand by an authorized user.

• The proposed framework allows users to choose stronger passwords that are easy to remember and hard for attackers to guess. Rather than increasing the burden on users to remember many characters, numbers and special characters, this approach makes it easier to choose a more secure password by following the system’s suggestions.

• Features of the proposed framework

• The probability of guessing the password is relatively low when compared to earlier techniques.

• The non-elements present in the window also pose as original click-points when an adversary attempts to compromise the system.

• In the existing system the viewpoint is suggested by the system, whereas in the proposed framework the choice of click-points (selecting images) is user friendly.

• Access to the system is provided only when the image sequence and audio signature are synchronized.

• The system finds its application in protecting the confidential information of an individual or an organization as a whole.

Figure 2. System Architecture

Figure 3. Module Description

VI. IMPLEMENTATION

• Implementation module

The implementation has three main modules: New user registration, Existing user login and Recovering password. Figure 3 shows the module description.

A. New user registration:

Registration phase

In this phase, the client requester is authenticated by registering with the authentication server. At the time of registration, the user provides personal data such as name, email, address, gender, birth date, login etc. The email entered by the user is validated, and if it is invalid the user gets an error message. The user also needs to answer a set of security authentication questions (questions for security verification). The user is given four sets for graphical image authentication: the first three sets contain several sentences, and the fourth set contains images. The user can choose any one of the four sets. If the user chooses one of the first three sets, the user needs to drag words from various sentences and place them in the given box; the arrangement of words is the password. If the user chooses the fourth set, the user needs to arrange a set of random images in an order to create the password. After completing registration, the user is able to log in to the website by entering the login id and completing the graphical image authentication (i.e. arranging the set of random images in the same order in which the user arranged them during registration). The user is then taken to their profile page. Secure registration is thus provided by this phase.

Key generation phase

In this phase, a Graphical User Key is generated during the registration phase, which the user needs to arrange in any order. Once registration is completed, a unique key is generated for each user. Whenever the user tries to log in to the website, the graphical image authentication is displayed in a random order every time, and the user needs to arrange the images in the same order in which they arranged them during registration. Once logged in, in order to use any feature of the website, such as uploading or downloading photos or chatting with friends, the user needs to answer the set of security authentication questions answered during the registration phase. If the answers are correct, the key generator immediately generates the unique key for accessing the features of the framework.

B. Existing user Login:

If the username and password are correct, the server authenticates the user to access the website; otherwise it displays an error message. Once users have logged in to the website, they need a unique key in order to access any feature. To get the unique key, users click the “find key” link, which displays the set of security authentication questions answered during registration. If the answers are correct, the AS authenticates the user and provides the unique key; otherwise it displays an error message. After getting the unique key, the user is able to use features such as chat, video chat, post etc. in the proposed framework.

Existing users should give their user ID and enter the secret key.

C. Recovering Password:

If the username and password are entered incorrectly more than 3 times, the user can retrieve the password (the sequence of six selected images) by using the security question entered during the registration process. The user retrieves the password by getting the current shuffled picture.

• Use Case Diagram:

A use case diagram in the Unified Modeling Language (UML) is a type of behavioral diagram defined by and created from a use-case analysis. Its purpose is to present a graphical overview of the functionality provided by a system in terms of actors, their goals (represented as use cases), and any dependencies between those use cases. The main purpose of a use case diagram is to show what system functions are performed for which actor. Roles of the actors in the system can be depicted.

Figure 4. Use Case Diagram

• Implementation Procedure

Software: 1. JavaScript 2. HTML 3. JSP.

Hardware

The hardware implementation is done on:

• Microsoft Windows XP

• Professional version 2002

• Service Pack 2

• Intel Pentium processor

• CPU 230@160 GHZ

• 1.60 GHZ

• 0.99 GHZ of RAM.

The project consists of three pages: the New user registration page, the Existing user page and the Recovering the password page. The user registration page contains the details required for a user to register with the application. The required coding for the project is done, the back-end database is created in MS SQL Server with the required data, and the front end is linked and configured with the back-end database. After completion of the design, coding and configuration with the back end, the project is executed. The steps of implementation for the proposed framework are:

Step-1: Registration of the New User

• Enter profile details

• Click any one of the sets as password (Set 1: Text, Set 2: Number, Set 3: Character, Set 4: Images)

Step-2: Administrator

• Admin permission

Step-3: Login of the Registered User

• Authentication through any one of the sets

• Find Key

• Enter Secret key

Step-4: Recovering the password

• Security images

The implementation of the registration phase is shown above. Any user who has an email id can register in this Social Network. Figure 5 shows the registration phase. A user can access the Social Network only if the admin gives permission, which the admin does by clicking the “active” option. After typing the username, the user needs to choose the images in the correct sequence, as chosen in the registration phase.

The login phase of SFFSN is shown in Figure 6. After logging in to the account successfully, users should provide their own unique key to use the various features of the framework, such as chat. To get the unique key, the user needs to click the “find key” button on the screen. This leads to the security authentication page, where the user needs to answer the security questions that were answered at the time of registration. After the security authentication is completed, a public key and a private key are automatically generated using the RSA algorithm and shown on the screen. The security secret key is shown in Figure 8. The entries of each user are stored in the admin database.
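The registration, shuffled login and recovery steps described above can be sketched on the server side as follows. This is an added example, not code from the paper: the function names, the PBKDF2 parameters and the assumption that the six images are distinct and identified by ids 0 to 31 are choices made here for illustration.

```javascript
// Added example: names and parameters here are assumptions, not the paper's code.
const crypto = require("crypto");

const GRID_SIZE = 32;   // the paper's 4x8 window of images
const SEQ_LEN = 6;      // "sequence of selected six images"
const MAX_FAILURES = 3; // recovery is required after more than 3 bad attempts

// Size of the guessing space for an ordered pick of k distinct images out of n.
function guessSpace(n = GRID_SIZE, k = SEQ_LEN) {
  let count = 1;
  for (let i = 0; i < k; i++) count *= n - i;
  return { count, bits: Math.log2(count) };
}

// Fisher-Yates shuffle driven by the CSPRNG: grid[position] = image id shown there.
function shuffledGrid() {
  const grid = Array.from({ length: GRID_SIZE }, (_, id) => id);
  for (let i = grid.length - 1; i > 0; i--) {
    const j = crypto.randomInt(i + 1);
    [grid[i], grid[j]] = [grid[j], grid[i]];
  }
  return grid;
}

// Assumption: the six images must be distinct and identified by ids 0..31.
function validSequence(seq) {
  return Array.isArray(seq) && seq.length === SEQ_LEN &&
    seq.every((id) => Number.isInteger(id) && id >= 0 && id < GRID_SIZE) &&
    new Set(seq).size === SEQ_LEN;
}

// Store a salted, stretched verifier of the image ids, never the sequence itself.
function deriveVerifier(sequence, salt) {
  return crypto.pbkdf2Sync(Buffer.from(sequence), salt, 100000, 32, "sha256");
}

function register(sequence) {
  if (!validSequence(sequence)) throw new Error("invalid image sequence");
  const salt = crypto.randomBytes(16);
  return { salt, verifier: deriveVerifier(sequence, salt), failures: 0 };
}

// clickedPositions are screen positions in this login's shuffled grid; the server
// maps them back to image ids, so recorded click positions are not the secret.
function login(account, grid, clickedPositions) {
  if (account.failures > MAX_FAILURES) return "recovery_required";
  const sequence = Array.isArray(clickedPositions)
    ? clickedPositions.map((p) => grid[p])
    : null;
  const ok = validSequence(sequence) &&
    crypto.timingSafeEqual(deriveVerifier(sequence, account.salt), account.verifier);
  if (ok) {
    account.failures = 0;
    return "ok";
  }
  account.failures += 1;
  return account.failures > MAX_FAILURES ? "recovery_required" : "denied";
}
```

Under these assumptions the space is 652,458,240 ordered sequences, about 29 bits, which can be enumerated offline against a leaked verifier, so the attempt limit and the key stretching carry most of the protection.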

VII. CONCLUSION

Here we explained the existing authentication method. The most common computer authentication method is for a user to submit a user name and a password consisting of text, numbers or both, possibly with special characters. The vulnerabilities of this method are well known: users often create memorable passwords that are easy for attackers to guess, but strong system-assigned passwords are difficult for users to remember. The use of strong passwords reduces the risk of unauthorized access and makes breaking the passwords a difficult task. Empirical studies have shown that humans are better at memorizing graphical passwords than textual passwords [15, 16, 17]. This paper gives an idea for a secure and effective authentication system, which provides strong and easily remembered graphical passwords with a dynamic security level. A major advantage of the proposed framework is its large password space compared with alphanumeric passwords.

There is growing interest in graphical passwords since they are better than text based passwords; the main argument for graphical passwords is that people are better at memorizing them than text-based passwords. As soon as the user enters the name, a new key is generated, consisting of a private key and a public key. In this framework we use the graphical image and the secret key as a password to use any feature of the Web Based Social Network.

Figure 5. Registration phase

Figure 6. Login Phase

Figure 8. Security Secret Key

VIII. ACKNOWLEDGEMENT

The authors would like to thank the Department of Computer Science and the college for allowing this work and the research involved.

REFERENCES

[1] S. Chiasson, R. Biddle, and P. van Oorschot, “A Second Look at the Usability of Click-Based Graphical Passwords,” Proc. ACM Symp. Usable Privacy and Security (SOUPS), July 2007.

[2] S. Chiasson, A. Forget, R. Biddle, and P. van Oorschot, “Influencing Users towards Better Passwords: Persuasive Cued Click-Points,” Proc. British HCI Group Ann. Conf. People and Computers: Culture, Creativity, Interaction, Sept. 2008.

[3] S. Chiasson, A. Forget, E. Stobert, P. van Oorschot, and R. Biddle, “Multiple Password Interference in Text and Click-Based Graphical Passwords,” Proc. ACM Conf. Computer and Comm. Security (CCS), Nov. 2009.

[4] E. Stobert, A. Forget, S. Chiasson, P. van Oorschot, and R. Biddle, “Exploring Usability Effects of Increasing Security in Click-Based Graphical Passwords,” Proc. Ann. Computer Security Applications Conf. (ACSAC), 2010.

[5] S. Chiasson, A. Forget, R. Biddle, and P.C. van Oorschot, “User Interface Design Affects Security: Patterns in Click-Based Graphical Passwords,” International Journal of Information Security, vol. 8, no. 6, pp. 387-398, 2009.

[6] J. Yan, A. Blackwell, R. Anderson, and A. Grant, “The Memorability and Security of Passwords,” in Proc. of Security and Usability: Designing Secure Systems, pp. 129-142, 2005.

[7] K. Gilhooly, “Biometrics: Getting Back to Business,” Computerworld, May 09, 2005.

[8] R. Dhamija and A. Perrig, “Deja Vu: A User Study Using Images for Authentication,” Proc. of 9th USENIX Security Symposium, 2000.

[9] M. Kotadia, “Microsoft: Write down your passwords,” ZDNet Australia, May 23, 2005.

[10] R. N. Shepard, “Recognition memory for words, sentences, and pictures,” Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 1967.

[11] S. Chiasson, P. van Oorschot, and R. Biddle, “Graphical Password Authentication Using Cued Click Points,” Proc. European Symp. Research in Computer Security (ESORICS), pp. 359-374, Sept. 2007.

[12] Jain, L. Hong, and S. Pankanti, “Biometric identification,” Communications of the ACM, vol. 33, pp. 168-176, 2000.

[13] Jain, A. Ross, and S. Pankanti, “Biometrics: A Tool for Information Security,” IEEE Trans. Information Forensics and Security (TIFS), vol. 1, no. 2, pp. 125-143, June 2006.

[14] Salehi-Abari, J. Thorpe, and P. van Oorschot, “On purely automated attacks and click-based graphical passwords,” Annual Computer Security Applications Conf. (ACSAC), 2008.

[15] R. Dhamija and A. Perrig, “Déjà vu: A User Study Using Images for Authentication,” Proc. of the 9th USENIX Security Symposium, 2000.

[16] R. N. Shepard, “Recognition memory for words, sentences, and pictures,” Journal of Verbal Learning and Verbal Behavior, vol. 6, pp. 156-163, 2007.

[17] S. Brostoff and M. A. Sasse, “Are Passfaces more usable than passwords: A Field Trial Investigation,” Proc. of HCI. Sunderland, U.K.: Springer-Verlag, 2010.


