Journal of Computing, Volume 2, Issue 7, July 2010, ISSN 2151-9617
HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/ WWW.JOURNALOFCOMPUTING.ORG 17

3-Way Handshake Approach towards Secure Authentication Schemes

Gaurav Kumar Tak, Ashok Rangnathan and Pankaj Srivastava

Abstract—Computer crime can be defined as criminal activity that involves an information technology infrastructure, including illegal access (unauthorized access), illegal interception, data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), unethical access to information and web services, disturbance of social peace, systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft) and electronic fraud. This paper introduces a new methodology against intruders as well as phishing attackers. The proposed methodology is based on the 3-way handshake concept between the end user and the online portal server. The methodology provides a secure environment for online transactions using 3 layers: the 1st layer is username and password authentication, and the 2nd and 3rd layers are cross validation via e-mail and SMS respectively.

Index Terms—Cross Validation, e-mail, Handshake, Phishing.

1 INTRODUCTION

In the field of computer security or network security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, security keys and credit card, debit card or MasterCard details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment gateways or IT administrators are commonly used to lure the unsuspecting public.

A secure system depends upon the following factors: Confidentiality, Authenticity, Integrity and Non-Repudiation, constituting the acronym "CAIN" [10]. IP spoofing (usurping the IP address of a certain PC), TCP (Transmission Control Protocol) hijacking (interception of a TCP session), ARP spoofing (redirecting the network traffic of one or more PCs to the attacker's PC) and DNS (Domain Name System) spoofing (basically DNS IP spoofing and DNS cache poisoning) are the common attacks over any type of network [1], [2].

————————————————
Gaurav Kumar Tak is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Alok Ranjan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Rajeev Kumar is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Ashok Rangnathan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Pankaj Srivastava is with the Department of Applied Sciences, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.

2 RELATED WORK

Many scientists and researchers have proposed several schemes to secure passwords and to prevent external attacks, but so far it has proved impossible to build a completely (100%) secure system. In [11], Yang et al. presented a couple of password validation schemes based on smart cards. One validation approach uses timestamps and the other is nonce-based. In these schemes a user can choose a password freely and can modify it at any time independently. The remote web server does not need to maintain a directory of users' passwords or a verification table to authenticate users, and login validation can be carried out without the involvement of a third party.

An OTP card scheme was also proposed to provide authentication security. It generates one-time passwords and one-time password sheets; a laptop equipped with the secure validation protocols also shows good transparency [12]. But this scheme has its own limitations.

Chan and Cheng (2001) introduced some vulnerabilities to forgery attacks of the Yang–Shieh (YS) scheme. They focused on the attackers' approach that an attacker can
eBay, PayPal, etc.). We can also work on survey analysis of the data generated using the concept of the proposed methodology.

The above methodology needs more hardware for its implementation, and it increases the workload of the mail server as well as the SMS server. Owing to the higher hardware specification, the cost of implementing the proposed methodology is relatively high.
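The three-layer flow the abstract describes (a password check, then a cross-validation code sent by e-mail, then one sent by SMS) can be made concrete as server-side logic. The following is an added example written for this page, not code from the paper or its authors. The password storage (PBKDF2), the six-digit code format, the five-minute code lifetime, the three-guess limit, and the names `ThreeWayAuth`, `step1_password`, `step2_email`, `step3_sms` and `demo` are all assumptions. The two delivery callbacks stand in for the mail server and SMS server the conclusion mentions, so the example runs offline on constructed input.

```python
# Added example (not the paper's code): a three-layer login in the order the
# abstract gives: password, then an e-mailed code, then an SMS code. Storage,
# code format, lifetime and attempt limit below are assumptions.
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a delivered code lives five minutes
MAX_ATTEMPTS = 3         # assumed policy: wrong guesses allowed per pending login
PBKDF2_ROUNDS = 200_000

def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a leaked user table cannot be cracked cheaply.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)

def new_code() -> str:
    # Six decimal digits from the CSPRNG (secrets, never random).
    return f"{secrets.randbelow(10**6):06d}"

@dataclass
class PendingLogin:
    email_code: str
    sms_code: str
    issued_at: float
    attempts: int = 0
    email_ok: bool = False

class ThreeWayAuth:
    def __init__(self, send_email, send_sms, clock=time.time):
        self._send_email = send_email   # callable(address, code): the mail server
        self._send_sms = send_sms       # callable(number, code): the SMS gateway
        self._clock = clock             # injectable so expiry can be tested
        self._users = {}                # user -> (salt, digest, email, phone)
        self._pending = {}              # user -> PendingLogin, between layers 1 and 3

    def register(self, user, password, email, phone):
        salt = os.urandom(16)
        self._users[user] = (salt, hash_password(password, salt), email, phone)

    # Layer 1: username and password. Success only triggers delivery of the two
    # out-of-band codes; it does not by itself log the user in.
    def step1_password(self, user, password) -> bool:
        record = self._users.get(user)
        if record is None:
            return False                # note: faster than a failed hash, leaks existence
        salt, digest, email, phone = record
        if not hmac.compare_digest(hash_password(password, salt), digest):
            return False
        pending = PendingLogin(new_code(), new_code(), self._clock())
        self._pending[user] = pending   # replaces any older pending login
        self._send_email(email, pending.email_code)
        self._send_sms(phone, pending.sms_code)
        return True

    def _check(self, user, submitted, which) -> bool:
        pending = self._pending.get(user)
        if pending is None:
            return False
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]     # expired: the user must restart at layer 1
            return False
        pending.attempts += 1
        expected = getattr(pending, which)
        ok = hmac.compare_digest(submitted.encode("utf-8"), expected.encode("utf-8"))
        if not ok and pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]     # brute-force guard: discard after 3 misses
        return ok

    # Layer 2: the code delivered by e-mail.
    def step2_email(self, user, code) -> bool:
        ok = self._check(user, code, "email_code")
        if ok:
            self._pending[user].email_ok = True
        return ok

    # Layer 3: the code delivered by SMS, accepted only once layer 2 has passed.
    # Returns an opaque session token on success, else None.
    def step3_sms(self, user, code):
        pending = self._pending.get(user)
        if pending is None or not pending.email_ok:
            return None
        if not self._check(user, code, "sms_code"):
            return None
        del self._pending[user]         # both codes are single-use
        return secrets.token_urlsafe(32)

def demo() -> dict:
    # Constructed run: in-memory lists stand in for the mail and SMS servers.
    mail_outbox, sms_outbox = [], []
    auth = ThreeWayAuth(lambda addr, c: mail_outbox.append(c),
                        lambda num, c: sms_outbox.append(c))
    auth.register("alice", "correct horse battery staple", "alice@example.com", "+10000000000")
    result = {"wrong_password": auth.step1_password("alice", "wrong")}
    result["password"] = auth.step1_password("alice", "correct horse battery staple")
    result["sms_before_email"] = auth.step3_sms("alice", sms_outbox[-1])  # wrong order
    result["email"] = auth.step2_email("alice", mail_outbox[-1])
    result["session"] = auth.step3_sms("alice", sms_outbox[-1]) is not None
    result["replay"] = auth.step2_email("alice", mail_outbox[-1])          # single-use
    return result

if __name__ == "__main__":
    print(demo())
```

Points a practitioner would check in any real deployment of such a scheme are what the example enforces: both codes are compared in constant time, are single-use and expire; layer 3 is refused until layer 2 has passed, so possession of the SMS code alone never suffices; and a stolen password only lets an attacker trigger code delivery, not log in. The early return on an unknown username is faster than a failed hash comparison and so still leaks whether an account exists; hashing a dummy password on that path closes the gap.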
ACKNOWLEDGEMENT

The authors would like to thank ABV-Indian Institute of Information Technology and Management, Gwalior for the kind support provided for this work.
REFERENCES

[1] G. Ollmann, "The Phishing Guide: Understanding & Preventing Phishing Attacks," NGS Software Insight Security Research.
[2] W. D. Yu, S. Nargundkar and N. Tiruthani, "A phishing vulnerability analysis of web based systems," in Proc. IEEE Symposium on Computers and Communications (ISCC 2008), pp. 326–331, 6–9 July 2008.
[3] M. R. Aburrous, A. Hossain, K. Dahal and F. Thabatah, "Modelling Intelligent Phishing Detection System for E-banking Using Fuzzy Data Mining," in Proc. 2009 International Conference on CyberWorlds, pp. 265–272, 2009.
[4] S. Abu-Nimeh and S. Nair, "Bypassing Security Toolbars and Phishing Filters via DNS Poisoning," in Proc. IEEE Global Telecommunications Conference (GLOBECOM 2008), pp. 1–6, 30 Nov.–4 Dec. 2008.
[5] A. Alnajim and M. Munro, "An Anti-Phishing Approach that Uses Training Intervention for Phishing Websites Detection," in Proc. 2009 Sixth International Conference on Information Technology: New Generations (ITNG), IEEE Computer Society, Washington, DC, pp. 405–410, 27–29 April 2009. DOI: http://dx.doi.org/10.1109/ITNG.2009.109
[6] J. Chen and C. Guo, "Online Detection and Prevention of Phishing Attacks," in Proc. Chinacom 06.
[7] E. Naramore, J. Gerner, Y. Le Scouarnec, J. Stolz and M. K. Glass, Beginning PHP5, Apache, and MySQL Web Development. ISBN 9780764579660.
[8] PHP, AJAX, MySQL and JavaScript Tutorials, http://www.w3schools.com/
[9] L. von Ahn, M. Blum, N. Hopper and J. Langford, "CAPTCHA: Using Hard AI Problems for Security," in Proc. Eurocrypt.
[10] D. N. Gedam, "RSA Based Confidentiality and Integrity Enhancements in SCOSTA-CL," thesis report, Department of Computer Science and Engineering, Indian Institute of Technology Kanpur, India, July 2009.
[12] M. Naor and B. Pinkas, "Visual authentication and identification," in Proc. Advances in Cryptology, pp. 322–336, 1999.
[13] C. K. Chan and L. M. Cheng, "Cryptanalysis of a timestamp-based password authentication scheme," Computers & Security, 21(1), pp. 74–76, 2001.
[14] K. F. Chen and S. Zhong, "Attacks on the (enhanced) Yang–Shieh authentication," Computers & Security, 22(8), pp. 725–727, 2003.
[15] C. K. Chan and L. M. Cheng, "Cryptanalysis of a timestamp-based password authentication scheme," Computers & Security, 21(1), pp. 74–76, 2001.
[16] H. M. Sun and H. T. Yeh, "Further cryptanalysis of a password authentication scheme with smart cards," IEICE Transactions on Communications, E86-B(4), pp. 1412–1415, 2003.
[17] Real User Corporation, "The Science Behind Passfaces," http://www.realuser.com/published/ScienceBehindPassfaces.pdf, June 2004.
[18] R. Dhamija and A. Perrig, "Déjà Vu: A user study using images for authentication," in Proc. 9th USENIX Security Symposium, 2000.
[19] X. Suo, Y. Zhu and G. Scott Owen, "Graphical passwords: A survey," in Proc. 21st Annual Computer Security Applications Conference, 2005.
[20] S. Li and H.-Y. Shum, "SecHCI: Secure human-computer identification (interface) systems against peeping attacks," 2003.
[21] T. Matsumoto, "Human-computer cryptography: an attempt," in Proc. Conf. on Computer and Communications Security, pp. 68–75, 1996.
[22] T. Matsumoto, "Human-computer cryptography: an attempt," in Proc. Conf. on Computer and Communications Security, pp. 68–75, 1996.
About the Authors
Ashok Ranganathan is a student of Atal Bihari Vajpayee Indian Institute of Information Technology and Management, Gwalior, pursuing the 2nd year of B.Tech in Information Technology. His areas of research are Internet security, trust and privacy, database management, cloud computing and applications.

Gaurav Kumar Tak is a student in the 4th year of the Integrated Post Graduate Course (B.Tech. + M.Tech. in Information and Communication Technology) at ABV-Indian Institute of Information Technology and Management Gwalior, India. His fields of research are data mining, Internet security and wireless ad-hoc networks.

Dr. Pankaj Srivastava is an Assistant Professor in the area of Applied Sciences (Physics) of the Institute. He received his doctoral degree in physics from the Physics Department, Allahabad University, India. His current area of research is nanotechnology, investigating various physical properties of materials in the form of nanowires, nanoclusters and nanotubes w.r.t. electronic devices and information technology applications. Dr. Srivastava is also working in the area of Quantum Computing and Information and on many other projects on nanoCMOS and nanoMOSFET technology. He has till now published more than 43 research papers in reputed international and national journals, conferences and