Humaira Dar et al., Int. Journal of Engineering Research and Application, ISSN: 2248-9622, Vol. 3, Issue 5, Sep-Oct 2013, pp. 1874-1881. RESEARCH ARTICLE, OPEN ACCESS, www.ijera.com

Secure Scheme For User Authentication And Authorization In Android Environment

Humaira Dar (1), Wajdi Fawzi Mohammed Al-Khateeb (2) and Mohamed Hadi Habaebi (3)
(1), (2), (3): Department of Computer and Information Engineering, Kulliyyah of Electrical and Electronic Engineering, International Islamic University Malaysia

Abstract
Providing strong security for sensitive transactions and communication in premium online applications is still an open standardization question in networking and security. Currently the majority of authentication and authorization techniques are built on top of a One Time Password generated on a hand-held device trusted by the user. However, given the many serious threats to mobile security systems, existing security is not sufficient. With effective authentication and authorization in view, this paper proposes a technique that minimizes operational cost by using secure hash algorithms to generate a mobile-based One Time Password (OTP) scheme on the Android environment, ensuring enhanced protection with respect to password security. Implemented on the Java platform, the techniques discussed in the paper were found to be very robust.

Keywords: Authentication and Authorization, Hash Function, MD5, One Time Password, SHA-3

I.
INTRODUCTION
User authentication and authorization in public networks has always been a matter of concern in computer networking and security. Authentication is the method of verifying the user, while authorization is the method of verifying that the user has access to a resource. A public network is characterized by multiple users in multiple locations with an unknown share of malicious motives for using the internet. This vulnerability poses a substantial threat to sensitive premium applications such as banking transactions and data storage in the cloud. Password-based protocols are used by almost all secure applications because they are easier and more comfortable, and because they have been adopted by the majority of users. However, frequent use of password-based authentication over a public network is not recommended by security experts. Even in the current era of security modernization, password-based systems are still very frequently used for user authentication. As passwords are formed from sensitive and confidential information, unauthorized access to user passwords in large-scale networked systems has been studied extensively in past research [1][2][3][4]. One significant issue with traditional password-based security is that users have a high propensity to select intrinsically unsafe passwords that are easy to memorize. This directly leads to dictionary attacks [5], where an adversary on the network tries many permutations and combinations of strings until it arrives at the genuine user's correct password. With the current availability of password-cracking tools [6][7][8] and keylogger software [9], password retrieval has become much easier for an attacker.
Not only public networks but even private networks are not secured by existing systems. Various incidents have been reported in the past in which reputed enterprises such as eBay, ICICI Bank, the World Bank and Walmart were hacked, at massive cost in property and highly confidential data [10][11][12]. This paper intends to present a secure framework and architecture that addresses these issues of user authentication. An architecture is a notion of how to structure an application, possibly shared through natural-language documentation and highly structured methods, whereas a framework is an execution of an architecture that the designer deploys as the skeleton on which the desired application is built. The paper briefly illustrates the adoption of a cost-effective technique that can be applied to any premium application to ensure privacy, confidentiality and non-repudiation, and hence safeguard the interests of enterprises as well as
clients in secure user authentication and authorization. Prior research is discussed in Section 2, followed by problem identification in Section 3. Section 4 presents the proposed system. The research methodology is discussed in Section 5, followed by the implementation in Section 6, and finally Section 7 makes some concluding remarks.

II. RELATED WORK
The various problems pertaining to security and authentication when accessing private and highly privileged information have been studied by many researchers, as discussed below. The work surveyed highlights techniques adopted in the past to mitigate various types of attacks on user authentication systems. While exploring past techniques and existing systems, it was found that the use of a One-Time Password, commonly known as an OTP, seems to guarantee better security for access management in public as well as private networks [13]. A One-Time Password is valid for only one access attempt while making a unit of transactions. One obvious advantage of OTPs is their fail-proof security against replay attacks [12]: a unique password, once generated, is never repeated, so if the password comes into the possession of an attacker it is of no use. The use of OTPs has therefore been investigated to explore the possibility of a still more secure user authentication system. Various OTP technologies have also been patented; however, standardizing the OTP technique is challenging because of the diverse usage formats and architectures proposed by previous researchers and protocol designers. Tao et al. [14] have presented a new authentication scheme based on OTP.
The scheme generates random numbers quickly by physical methods and applies them throughout the authentication process. It guarantees the dynamic and secure property of passwords, and can therefore defend against many human-originated attacks; it is fit for fields that need a high security guarantee, such as finance and stock exchange systems. Kim et al. [15] proposed a secure and fast one-pass authentication procedure bundling NACF and IMS authentication under enhanced security. The proposed scheme considerably reduces the complexity of the authentication procedure compared to existing approaches. That paper mainly focuses on a method of federated Single Sign-On (SSO) for application services and IMS services based on a network id in the Next Generation Networks (NGN) environment. Federated SSO is a form of Single Sign-On in which the user can select the federation operator's subscription in real time. To build this system they need a Service Control Function (SCF), Network Access Control Function (NACF), Web Application Service Control Function (WASCF) and NGN Terminal Function (NTF). Eldefrawy et al. [16] presented a novel two-factor authentication scheme in which a user's device produces multiple OTPs from an initial seed using the proposed production scheme. The initial seed is produced from the communication partners' unique parameters. Applying the many-from-one function to a given seed removes the requirement of sending SMS-based OTPs to users and reduces the restrictions imposed by the SMS system. Srivastava et al. [17] presented an improved authentication scheme over existing port-knocking methods. Existing port-knocking methods are prone to reasonable attacks and vulnerabilities; the paper addresses those vulnerabilities and accordingly provides a mechanism to circumvent them within the port-knocking mechanism.
In client-server communication, clients request services by being connected to a specific port on the server. For security reasons, all ports on the server are initially closed and no connection is possible. Hsieh et al. [18] proposed a novel authentication scheme that exploits volatile passwords, One-Time Passwords (OTPs) based on the time and location information of the mobile device, to transparently and securely authenticate users while accessing Internet services such as online banking and e-commerce transactions. Compared to a permanent-password scheme, an OTP-based one can prevent users from being eavesdropped. In addition to being memory-less, the scheme restricts the validity of the OTP not only to a certain time period but also to a tolerated geographic region, to increase the security protection. Ren et al. [19] demonstrated a secure dynamic user authentication scheme. Unlike traditional password authentication (where a static password is used) or two-factor authentication (where two pieces of authentication information are required), their scheme uses a dynamic one-time password (OTP) based on the user's password, the authentication time, and a unique property the user possesses at the moment of authentication ("something the user has", for example the MAC address of the machine the user authenticates from). Moon et al. [20] presented three solutions that make the fuzzy fingerprint vault more useful, secure and effective. First, they propose a geometric hash table for automatic fingerprint alignment. Second, they propose a secure fuzzy fingerprint vault that resists the correlation attack. Third is a fuzzy fingerprint vault using a One Time Template (OTT). The OTT generates a different biometric template each time, like a one-time password. Shin et al.
[21] proposed an efficient and lightweight multi-user authentication scheme based on cellular automata (CA) in cloud computing environments. In the proposed scheme, the authentication process is securely performed by a CA-based One-time Password (OTP) authentication, which is a randomized evolution. Their experiments prove the security of the proposed scheme. Indu et al. [22] proposed a system that uses a mobile phone as a software token for One Time Password generation. The OTP algorithm, powered by the user's unique identifiers such as the International Mobile Equipment Identity and Subscriber Identity Module, makes a finite alphanumeric token valid for one session and a single use. Fan et al. [23] propose an active one-time password (AOTP) mechanism for user authentication to overcome the two aforementioned problems, password stealing and reuse, using a cell phone and the short message service. With AOTP there is no need for additional tokens, card readers and drivers, or unfamiliar security procedures, and the user can choose any desired password to register on all websites.

The above discussion shows various prior studies that have proposed techniques using OTPs to ensure security of online transactions. It can be noted that Eldefrawy [16] proposed a work titled "OTP-Based Two-Factor Authentication Using Mobile Phones", which exhibits a two-factor authentication scheme. Its results show that the computation time was low and independent of public-key techniques, which motivates us to consider the work of Eldefrawy [22] in designing a framework with a better computational model. Furthermore, the authentication password is generated as 128 bits of data, which is neither user-friendly nor storage-efficient and poses further authentication issues because of its size. So we chose to perform further enhancement from this point.
III. PROBLEM IDENTIFICATION
The problem statement of the proposed study is as follows. Although the use of OTPs ensures security in user authentication, the generation of the OTP by a GSM-based server in current mobile authentication systems can be compromised, and a seriously cost-effective protocol for user authentication is required. OTPs are classified into two types: i) time-based OTP and ii) event-based OTP. In a time-based OTP the value changes at every time step, whereas in an event-based OTP the value is generated on the user's hardware device. A significant issue with event-based OTPs is that the OTP value does not automatically expire after a given verification time. This means that if an OTP is somehow obtained by an attacker, there is a higher chance that it can be used later to break into the user's account. It is to be noted that a compromised OTP value is only valid until the legitimate user next carries out an authentication: when the legitimate user authenticates, the current sequence number is updated to the one on the device, making all previous sequence numbers (and their associated OTP values) invalid. In addition, unobserved physical access to the OTP device is needed to complete this attack. If an attacker does acquire physical access to the device, it will be able to extract multiple OTP values by pressing the button a number of times. However, there is not much difference between this and obtaining one OTP and remaining logged on. We consider all the security compromises discussed above to be significant. On the one hand, with an event-based OTP there is no need to use the password immediately, as there is for a time-based OTP.
However, with an event-based OTP unobserved physical access to the device is needed, whereas with a time-based OTP it can be much easier to obtain a valid OTP. In either case, the threat highlighted by these attacks is not as serious as it may seem. This is because OTP systems usually rely on two-factor authentication, so the user also has a short 4-digit PIN (or longer password) that is required as well. Thus, obtaining the OTP is not enough. It is to be noted that the scope for an attacker is restricted in both cases. Additionally, OTP systems usually lock the user out after a number of unsuccessful logon attempts.

IV. PROPOSED SYSTEM
Authentication and authorization play a key role in securing any communication network, especially the GSM network. The literature review shows that existing security over GSM is not enough to ensure efficient authentication and authorization. The current study is inspired by the work of Eldefrawy [1] titled "OTP-Based Two-Factor Authentication Using Mobile Phones", which discusses two-factor authentication using OTPs. However, after in-depth scrutiny of Eldefrawy's work, it was found that the generated OTP is very large (68606061177919188523363813602016333158), which is neither user-friendly nor storage-efficient. The major security loophole in this usage of OTPs is that the secure password floats through the GSM network, where there is a high degree of intrusion. Another prominent issue in the majority of OTP schemes (including Eldefrawy's) is that they are not preferred for mobile phones because of the time synchronization they require, which is usually based on an internal clock synchronization system. Moreover, the author deployed the hash function using SHA-1 and MD5, and attacks on the use of SHA-1 in vulnerable public networks have already been reported.
Hence we chose to make a first enhancement to the work conducted by Eldefrawy by adopting SHA-3. One of the prime reasons is that SHA-3 uses a different design architecture from SHA-1, for which reason common attacks applicable to SHA-1 will never work on SHA-3. Eldefrawy used a single hash function for the first OTP generation, whereas we chose to integrate two different hash functions at every OTP generation. Adopting this second enhancement yields an OTP that is potentially stronger than Eldefrawy's. The third enhancement concerns the length of the generated OTP. The OTP in Eldefrawy's approach is 128 bits long, and entering 128 bits of data even in numeric format is highly complex and error-prone. We amend this with the third enhancement, a byte-to-word conversion using an alternative dictionary encoding of the generated OTP, which makes the OTP long enough for security and short enough for the user. The proposed study attempts to minimize operational cost by generating the authentication and authorization components on the user's trusted handheld device. Because these components are generated there, the system is rendered more secure, since they are not accessible to other networks. The proposed system is designed on Windows as well as on the Android mobile environment, using Java as the programming tool. The proposed study is accomplished in two stages: the OTP generation stage and the authentication stage. In the OTP generation stage, all the user's private details along with the hardware profile of the user's handset (IMEI, IMSI and timestamp) are used to generate the OTP from the server.
Although this method is the same as in existing systems, the turning point of the proposed system comes when the user sends the challenge to the server: before starting to use the user-generated password, the server requires coordinates, which were never part of any experiment in the past. Coordinates are a pair of numbers, where the first number is the number of iterations of the SHA-3 hash function and the second is the number of iterations of the MD5 hash function. These coordinates are generated by the server using two independent random functions. In order to mitigate attacks, the server is also designed to have another, substituted password that cannot be accessed by the user or by any other user on the network. This password is used as a third layer of security, authenticating the challenges generated by the server to verify the originality of the client. The prime objectives of the research undertaken are:
- To design a unique OTP generator scheme.
- To enhance the OTP generator scheme by using the latest, highly secure hash function SHA-3 as well as MD5.
- To design a module that generates two random coordinates (x, y) using two independent random functions.
- To generate a mobile-based One Time Password (OTP) scheme on the Android environment that ensures enhanced protection with respect to password security.
- To ensure user identification by considering the hardware profile of the user's mobile handset (IMEI, IMSI and timestamp of the handset).
- To introduce byte-to-word conversion of the generated 128-bit OTP.

V. RESEARCH METHODOLOGY
The research methodology of the current study is as discussed below.

Stage-1: Designing the User Profile: In this stage the initial OTP is generated on both the server side and the user side.
A user interface is designed where the user registers with the server. The software used for this purpose is JDK, JSP and Apache Tomcat, and the hardware consists of a standard 32-bit Windows XP machine with a minimum of 1 GB RAM and a 1.84 GHz processor.

Stage-2: Designing the Hardware Profile: For OTP generation, the hardware profile consists of two hash functions (SHA-3 and MD5), the IMEI (International Mobile Equipment Identity), the IMSI (International Mobile Subscriber Identity) and a timestamp. The coordinates are represented as (x, y). SHA-3 and MD5 are used as standard algorithms. However, the proposed system does not use any conventional encryption or decryption technique. Instead it considers a digital signature of the data (the seed), and this signature is authenticated, or matched, on the server side as well as on the client side. It should be noted that a digital signature does not carry any information about the data; it is only an identification of the data, whereas the ciphertext of the data contains the original data in transformed form. This means that an intrusion on the digital signature does not yield the data, whereas there is a fair feasibility of data retrieval from ciphertext. Hence we chose not to perform encryption and decryption. The system generates the values of x and y (the coordinates) using two independent random functions, where x is the number of iterations of SHA-3 and y the number of iterations of MD5. This results in a 128-bit MD5 key, but the OTP has to be entered manually: OTP systems are designed so that the user enters the OTP by hand rather than automatically. Entering 128 bits of data is a complex process for the user and error-prone. Hence it is converted into byte-to-word format using an alternative dictionary encoding.
For that, the 128-bit result is collapsed to a 64-bit result, which is further decomposed into pairs of bits that are summed together. The 2 least significant bits of this sum are encoded in the last 2 bits of the 6-word sequence, with the least significant bit of the sum as the final bit encoded. All compliant servers must agree on the 6-word input that uses the standard dictionary.

Figure 1: Schematic Diagram of the Study (blocks in the figure: input parameters; user registration; hardware profile with IMEI number, IMSI number and timestamp; server; user-generated challenge; server-generated challenge (Seq. No.); SHA3 (x iterations); MD5 (y iterations); generate digital signature; byte-to-word conversion; mobile Android interface; resource access management; transmit secure status).

Stage-3: Designing the Hybrid OTP: The authorization enclosed by a 64-bit key can be encoded as six words from the standard dictionary, with space left over for parity, and those six words are long enough for security and short enough to be user-friendly. Authentication proceeds as follows, with the initial (static) password serving as the first security measure.
1. The user logs in with the initial (static) password.
2. The initial password is generated during the registration phase.
3. The initial (static) password is authenticated.
4. The server then requests an OTP.
5. The user generates an OTP using their Android phone and replies to the server.
6. The biggest challenge for the server is that it must generate the same OTP for authentication. The server checks the generated OTP using the x and y coordinates entered by the user as mentioned in the step above. Once the server is authenticated, the server generates the OTP using the user seed and newly generated random coordinates. The server sends the challenge to the user by sending the coordinates only.
7. Based on this challenge, the user must be able to generate a password, and the generated OTP is checked on the server side. If both passwords match, the user is authenticated and can access the application.

It can be seen from the above research methodology that we are introducing a novel concept of authentication. The majority of the work in the literature survey considering OTPs has focused on user authentication only; however, in order to ensure better security, the contribution of the proposed work is the novel use of the principle that neither user nor server can blindly trust the other. Therefore we introduce an initial step in the methodology where the user is given a chance to verify the authenticity of the server, and if this authentication succeeds, the server is then given the chance to authenticate the user. Authorization follows only after successful authentication by both parties.

VI. IMPLEMENTATION
The proposed study is implemented in the following environment:
- Operating System: Windows XP (on x86-32 and x86-64), Android OS
- IDE: Eclipse 3.5
- Software Package: JDK 1.6, 1.7
- Software Technologies: JSP, Android
- Browser: Firefox 15.0.1, Google Chrome, Internet Explorer 7 and above
- Programming Language: Core Java/J2EE
- Web Server: Apache Tomcat 5.5
- Processor: 2 GHz CPU
- Memory: 1 GB RAM

Figure 2: Structure Chart of Proposed Implementation (blocks: OTP user registration; OTP authentication; user ID; OTP generator; seed; challenge; access privileges; first hash function; OTP 160-bit data; second hash function; digital signature; hex conversion).

The primary module in the implementation phase is the user registration module, shown in Fig. 3. Its main purpose is a web-based application for enrolling or registering user profiles for the proposed authentication system. After generating the user interface on the Android platform, the design considers the hardware profile parameters (IMEI, IMSI, timestamp), which lead to the formation of the seed. The seed acts as the input data for the process that transmits it over TCP/IP. The input to this implementation module is the user's details along with the hardware details of the mobile device, while the output is the use of the seed to complete user registration.

Figure 3: Flowchart of User Registration (start; generate user interface on Android; create instance of TelephonyManager; get device Id, subscriber Id and build time; formation of seed; display; input seed to client app; send seed to server over TCP/IP; seed storage).

The secondary module considered for the implementation is the secure hash function, shown in Fig. 4. The main purpose of the hash function implementation is securing the communication. The design uses hash-based OTPs, computing the password with cryptographic hashing algorithms. A cryptographic hash is a one-way function that maps an arbitrary-length message to a fixed-length digest. Thus a hash-based OTP starts with the inputs (synchronization parameter, secret key, PIN), runs them through the one-way function, and produces the fixed-length password. The system uses two hash functions. The input to this module is instances of the hash, while the output is the encrypted data.
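The x/y hash chain of the hash-function module together with the byte-to-word conversion of Stage-2 and Stage-3, worked as an added Python example (this is not the paper's Java code): the 128-bit MD5 output of the chain is folded to 64 bits, the RFC 1751 two-bit parity (sum of the 32 bit-pairs, modulo 4) is appended, and the 66 bits are split into six 11-bit dictionary indices; the decoder reverses this and rejects a mistyped OTP whose parity no longer matches. The 2048-entry word list is a constructed stand-in (W0000..W2047) for the RFC 1751 dictionary, which is not reproduced here; the fold by XOR of the two halves, the SHA3-256 variant, and the `hybrid_otp`, `fold_128_to_64`, `encode_words`, `decode_words` and `server_accepts` names are assumptions about details the paper leaves open, and the IMEI/IMSI/timestamp in the seed are constructed values.

```python
import hashlib

# Constructed stand-in for the 2048-word RFC 1751 dictionary (not reproduced
# here); only the index 0..2047 of a word matters, so the real list drops in 1:1.
WORDS = ["W%04d" % i for i in range(2048)]
INDEX = {w: i for i, w in enumerate(WORDS)}


def hybrid_otp(seed, x, y):
    """The paper's coordinate chain: x iterations of SHA-3, then y of MD5.
    The final MD5 digest is the 128-bit value the paper wants to shorten."""
    h = seed
    for _ in range(x):
        h = hashlib.sha3_256(h).digest()
    for _ in range(y):
        h = hashlib.md5(h).digest()
    return h


def fold_128_to_64(digest16):
    """Collapse the 128-bit digest to 64 bits by XORing its two halves
    (assumed fold; the paper only says the result collapses to 64 bits)."""
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def parity2(key8):
    """RFC 1751 parity: view the 64-bit key as 32 two-bit pairs, sum them and
    keep the two least significant bits of the sum."""
    v = int.from_bytes(key8, "big")
    return sum((v >> (2 * i)) & 3 for i in range(32)) & 3


def encode_words(key8):
    """64 key bits + 2 parity bits = 66 bits = six 11-bit dictionary indices,
    most significant chunk first."""
    if len(key8) != 8:
        raise ValueError("expected an 8-byte key")
    v = (int.from_bytes(key8, "big") << 2) | parity2(key8)
    return [WORDS[(v >> (11 * (5 - i))) & 0x7FF] for i in range(6)]


def decode_words(words):
    """Server-side inverse: rebuild the 64-bit key and verify the parity, so a
    mistyped or tampered word is rejected instead of yielding a wrong key."""
    if len(words) != 6:
        raise ValueError("an OTP is exactly six words")
    v = 0
    for w in words:
        if w.upper() not in INDEX:
            raise ValueError("word not in dictionary: %r" % w)
        v = (v << 11) | INDEX[w.upper()]
    key8 = (v >> 2).to_bytes(8, "big")
    if (v & 3) != parity2(key8):
        raise ValueError("parity mismatch: OTP mistyped or tampered")
    return key8


def human_otp(seed, x, y):
    """Seed and coordinates in, six dictionary words out (client side)."""
    return encode_words(fold_128_to_64(hybrid_otp(seed, x, y)))


def server_accepts(seed, x, y, typed_words):
    """What the server does with the six words the user typed: decode them
    (parity check included) and compare with its own computation."""
    try:
        typed_key = decode_words(typed_words)
    except ValueError:
        return False
    return typed_key == fold_128_to_64(hybrid_otp(seed, x, y))


if __name__ == "__main__":
    seed = b"356938035643809|310150123456789|1378000000"  # constructed IMEI|IMSI|timestamp
    words = human_otp(seed, 3, 2)
    print(" ".join(words), server_accepts(seed, 3, 2, words))
```

The parity field is what makes the six-word form safer to type than 128 raw bits: a single wrong word changes the parity in three out of four cases, and the decoder refuses it before any comparison is made, so a typing error is reported as such rather than as a failed logon.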
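The coordinate challenge of Section IV and the seven-step procedure of Stage-3, worked as an added Python example of the two-sided exchange (not the paper's code): the server checks the static password, the client first verifies that the server knows the seed, the server then draws fresh coordinates (x, y) from two independent CSPRNG calls and compares the client's reply in constant time, and failed attempts count towards a lockout. Everything not in the paper is an assumption made here: the domain-separated HMAC the server uses to prove itself (so that a server proof for (x, y) can never be replayed as the client's OTP for the same coordinates), the use of the server-only secret to MAC the challenges it issued (one reading of the paper's "substituted password"), the lockout threshold of three, the 1..50 coordinate range, and the constructed IMEI/IMSI/timestamp values.

```python
import hashlib
import hmac
import secrets

MAX_FAILED_ATTEMPTS = 3   # assumed lockout threshold; the paper says "a number of" attempts
MAX_ITERATIONS = 50       # assumed upper bound for either coordinate


def make_seed(imei, imsi, timestamp):
    """Seed from the handset's hardware profile, as in the paper's Fig. 3."""
    return ("%s|%s|%s" % (imei, imsi, timestamp)).encode()


def hybrid_otp(seed, x, y):
    """The coordinate chain: x iterations of SHA-3, then y iterations of MD5."""
    h = seed
    for _ in range(x):
        h = hashlib.sha3_256(h).digest()
    for _ in range(y):
        h = hashlib.md5(h).digest()
    return h


def server_proof(seed, x, y):
    """Assumed server-to-client proof, domain-separated from the OTP chain so
    that answering the client's coordinates never leaks a usable client OTP."""
    return hmac.new(seed, b"server-proof|%d|%d" % (x, y), "sha256").digest()


def random_coordinates():
    """Two independent draws from a CSPRNG, one per hash function."""
    return secrets.randbelow(MAX_ITERATIONS) + 1, secrets.randbelow(MAX_ITERATIONS) + 1


class Client:
    """The Android side: holds its seed, checks the server, answers challenges."""
    def __init__(self, seed):
        self.seed = seed

    def expect_from_server(self, x, y):
        return server_proof(self.seed, x, y)

    def respond(self, x, y):
        return hybrid_otp(self.seed, x, y)


class Server:
    def __init__(self):
        self.users = {}
        # Server-only secret no user can read (the paper's "substituted password");
        # assumed here to MAC the challenges the server issued, so a reply to
        # coordinates the server never sent is rejected outright.
        self.secret = secrets.token_bytes(32)

    def register(self, user_id, static_password, seed):
        self.users[user_id] = {"seed": seed, "pw": static_password, "failed": 0}

    def check_static(self, user_id, password):
        u = self.users.get(user_id)
        return u is not None and hmac.compare_digest(u["pw"], password)

    def prove_identity(self, user_id, x, y):
        """Client-to-server step: the server shows it knows the user's seed."""
        return server_proof(self.users[user_id]["seed"], x, y)

    def _tag(self, user_id, x, y):
        return hmac.new(self.secret, ("%s|%d|%d" % (user_id, x, y)).encode(), "sha256").hexdigest()

    def issue_challenge(self, user_id):
        x, y = random_coordinates()
        return x, y, self._tag(user_id, x, y)

    def verify(self, user_id, x, y, tag, otp):
        u = self.users[user_id]
        if u["failed"] >= MAX_FAILED_ATTEMPTS:
            return "locked"
        if not hmac.compare_digest(self._tag(user_id, x, y), tag):
            return "challenge not issued by server"
        if hmac.compare_digest(hybrid_otp(u["seed"], x, y), otp):
            u["failed"] = 0
            return "authenticated"
        u["failed"] += 1
        return "locked" if u["failed"] >= MAX_FAILED_ATTEMPTS else "rejected"


def login(server, client, user_id, password):
    """Steps 1-7 of the methodology: static password, client verifies the
    server, then the server verifies the client with fresh coordinates."""
    if not server.check_static(user_id, password):
        return "bad static password"
    cx, cy = random_coordinates()
    if not hmac.compare_digest(server.prove_identity(user_id, cx, cy), client.expect_from_server(cx, cy)):
        return "server not trusted"
    x, y, tag = server.issue_challenge(user_id)
    return server.verify(user_id, x, y, tag, client.respond(x, y))


def demo():
    """Constructed handset values; returns the outcome of each scenario."""
    seed = make_seed("356938035643809", "310150123456789", "1378000000")
    server = Server()
    server.register("alice", "s3cret-static", seed)
    client = Client(seed)
    good = login(server, client, "alice", "s3cret-static")
    x, y, tag = server.issue_challenge("alice")
    forged = server.verify("alice", x + 1, y, tag, client.respond(x + 1, y))
    guesses = [server.verify("alice", x, y, tag, b"\x00" * 16) for _ in range(3)]
    after_lock = login(server, client, "alice", "s3cret-static")
    return {"good": good, "forged": forged, "guesses": guesses, "after_lock": after_lock}
```

Two points a reviewer would check in such an exchange: the server's answer to the client's coordinates must not be the same function as the client's OTP, otherwise the server is an oracle that hands out the very value it later demands; and a wrong guess must be counted against the account before the next challenge is issued, which is why `verify` keeps the counter even when the tag check fails later in the flow.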
Figure 4: Flowchart of Hash Function Implementation (start; get user data; MessageDigest md = MessageDigest.getInstance(algorithm); md.update(data); byte[] hash = md.digest()).

The third implementation phase generates a new OTP, shown in Fig. 5. The purpose of this module is to generate the human-readable OTP on the mobile device that will be used for authentication. After logging into the service provider's website using a different, static username and password, the first factor of authentication, the server asks the user for the current status of the OTP. If the user has generated numerous OTPs without using them, he may have reached a later OTP status. The user submits his current status to the server to allow the server to calculate the current seed. After that the server sends a random challenge value of new indexes, which means the user has to calculate his session OTP. The 160-bit hash generated using SHA-3 is converted to hex format. The input to this module is the current status of the user generated on the mobile device, while the output is a new human-readable OTP.

Figure 5: Flowchart of New OTP Generation at Client

The fourth module of the proposed system produces the ultimate OTP, shown in Fig. 6. The purpose of this module is to generate the ultimate OTP on the mobile device that will be used for final authentication. After the challenge is generated by the server, it is read and split to generate the final hash output using SHA-3. The output of SHA-3 is then fed to MD5, which generates the final OTP. The input to this module is the server-generated challenge, while the output is the final generated OTP.

Figure 6: Flowchart of Final OTP Generation at Client

The final module of the proposed study is OTP authentication at the server, shown in Fig. 7. The purpose of this module is to perform the final authentication of the human-readable OTP when it is fed to the server. The user gets the two different hash functions along with the seed. To ensure that the information is completely shared with the service provider, the seed is produced from the shared and unique parameters of the host and the user. The server randomly challenges the user with new indexes. The user enters those indexes in his OTP generator to get the corresponding OTP, and responds with it. The server compares the received OTP with the calculated one. According to this check, the server either grants authorization or terminates the communication. The input of the module is the user details along with the hardware details of the mobile device, while the output is the final authentication of the OTP at the server.

Figure 7: Flowchart of OTP Authentication at Server (server side: start; read user id and password; if successfully authenticated, send server challenge to user; generate final OTP using challenge at client and server; if OTP(C) = OTP(S), grant access privileges; stop. Client side: login page at client; generate new OTP on Android; send current status and generated OTP to server; send authentication privileges to server).

The browsing performance received special attention. Figure 8 visualizes the average access time on OTP lists of typical sizes. As can be seen, the access time grows linearly (with an outlier for lists of size 400, but with a control sample of only 10 values this can be expected). Also, the average access time is below 1 second for lists of sizes from 100 to 500 OTPs, which is acceptable.

Figure 8: Average access time for OTP password lists of differing sizes

VII.
CONCLUSION

The current study proposes the design of a novel approach for securing and authenticating users of online applications such as banking systems. The study shows the need to design and develop a one-time password scheme on a mobile Android interface that sustains its performance over time. Earlier literature has discussed various OTP schemes, but their results were not efficient over mobile communication networks. This proposal presents a password authentication scheme in which the user's device generates OTPs from an initial seed using the proposed method. The initial seed is generated on both the server side and the user side. This generation uses two hash functions, SHA-3 and MD5, and also requires the IMEI (International Mobile Equipment Identity), the IMSI (International Mobile Subscriber Identity) and a timestamp. It also produces the values x and y: the number of iterations of SHA-3 and the number of iterations of MD5, respectively. MD5 produces a 128-bit result, which is then folded to a 64-bit result. Following RFC 1751, a dictionary of 2048 English words, one to four characters long, is used: the space covered by a 64-bit key can be encoded as six words from this dictionary, with bits left over for parity, and those six words are in a user-readable form.

The proposed work has the following scope for future commercial use:

 The framework design is highly resilient to dictionary attacks, spoofing attacks, internet spamming and any other unauthorized access
due to its multiple layers of security, which are very hard for an attacker to imitate or access.
 The proposed framework is developed and tested on the Android mobile environment, which is increasingly accepted by users worldwide on smartphones and tablet PCs. Hence the technical adoptability of the proposed framework is well assured.
 As the proposed system does not use any complex cryptography, it keeps verification and authentication time low, which was a major trade-off in previous research work. It therefore leaves ample scope for future enhancement by researchers seeking better security in their own problems.

Recapping the above points, the proposed study can be adopted for securing user authentication and user authorization in banking transactions and any premium application that calls for higher security.
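The generation chain summarized in the conclusion (seed from IMEI, IMSI and timestamp; x rounds of SHA-3; y rounds of MD5; the 128-bit result folded to 64 bits; six RFC 1751 word indices) together with the server's challenge/response check of Fig. 7, written out as an added worked example. This is not the paper's code and does not reproduce its Android implementation. Assumptions not stated on the page: the seed is SHA-3 over "IMEI|IMSI|timestamp"; the server's challenge index is appended to the seed as a 4-byte value before hashing; SHA-3 means SHA3-256; the fold XORs the two 64-bit halves of the MD5 digest (the S/KEY-style fold); and, because the 2048-word list is not on the page, the client returns the six 11-bit word indices rather than the words. The IMEI, IMSI and timestamp values are constructed.

```python
"""Added example of the paper's OTP chain; constructed inputs, see lead-in for assumptions."""
import hashlib
import hmac
import secrets
from typing import List, Tuple

SHA3 = "sha3_256"   # the page says "SHA-3"; the 256-bit variant is an assumption
MD5 = "md5"


def iterate(algorithm: str, data: bytes, rounds: int) -> bytes:
    """Java MessageDigest.getInstance/update/digest (Fig. 4), applied `rounds` times."""
    if rounds < 1:
        raise ValueError("at least one round is required")
    for _ in range(rounds):
        data = hashlib.new(algorithm, data).digest()
    return data


def make_seed(imei: str, imsi: str, timestamp: int) -> bytes:
    """Seed from the parameters both host and user share (assumed encoding)."""
    return hashlib.new(SHA3, f"{imei}|{imsi}|{timestamp}".encode()).digest()


def fold64(digest16: bytes) -> bytes:
    """Collapse the 128-bit MD5 digest to 64 bits by XORing its halves (assumed fold)."""
    if len(digest16) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    return bytes(a ^ b for a, b in zip(digest16[:8], digest16[8:]))


def rfc1751_parity(key: int) -> int:
    """RFC 1751 parity: sum of the 32 two-bit groups of the 64-bit key, modulo 4."""
    return sum((key >> s) & 3 for s in range(0, 64, 2)) & 3


def rfc1751_indices(key8: bytes) -> List[int]:
    """Six 11-bit word-list indices: 64 key bits followed by 2 parity bits (66 bits)."""
    key = int.from_bytes(key8, "big")
    bits = (key << 2) | rfc1751_parity(key)
    return [(bits >> (55 - 11 * i)) & 0x7FF for i in range(6)]


def rfc1751_decode(indices: List[int]) -> Tuple[bytes, bool]:
    """Rebuild the 64-bit key from six indices; the bool is the parity check result."""
    if len(indices) != 6 or any(not 0 <= i < 2048 for i in indices):
        raise ValueError("need six indices in 0..2047")
    bits = 0
    for i in indices:
        bits = (bits << 11) | i
    key, parity = bits >> 2, bits & 3
    return key.to_bytes(8, "big"), parity == rfc1751_parity(key)


def generate_otp(seed: bytes, challenge: int, x: int, y: int) -> bytes:
    """Client side (Fig. 6): x rounds of SHA-3 over seed||challenge, y rounds of MD5, fold."""
    sha3_out = iterate(SHA3, seed + challenge.to_bytes(4, "big"), x)
    md5_out = iterate(MD5, sha3_out, y)
    return fold64(md5_out)


class Server:
    """Server side (Fig. 7): issue a fresh index, recompute the OTP, compare."""

    def __init__(self, seed: bytes, x: int, y: int):
        self.seed, self.x, self.y = seed, x, y
        self.used = set()       # indexes are never reused, so a captured OTP cannot be replayed
        self.pending = None

    def challenge(self) -> int:
        while True:
            idx = secrets.randbelow(1 << 32)
            if idx not in self.used:
                self.used.add(idx)
                self.pending = idx
                return idx

    def verify(self, words: List[int]) -> bool:
        if self.pending is None:
            return False
        idx, self.pending = self.pending, None    # each challenge is answered at most once
        received, parity_ok = rfc1751_decode(words)
        expected = generate_otp(self.seed, idx, self.x, self.y)
        return parity_ok and hmac.compare_digest(received, expected)


def demo() -> bool:
    """One full exchange with constructed identifiers and a fixed shared timestamp."""
    seed = make_seed("490154203237518", "310150123456789", 1380000000)
    server = Server(seed, x=3, y=2)
    idx = server.challenge()                                    # server -> client
    words = rfc1751_indices(generate_otp(seed, idx, 3, 2))      # client shows six words
    return server.verify(words)                                 # client -> server
```

Two practical notes. The timestamp must be the same on both sides, so in practice it is agreed at enrolment rather than read from the device clock at OTP time. MD5 appears here only because the paper's chain ends with it; its weakness is collision resistance, and the scheme relies on preimage resistance, but a new design would use a single modern hash or HMAC and drop MD5 entirely.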