SlideShare a Scribd company logo

Keylogging resistant visual authentication Protocols

Download as PPTX, PDF
Vishnu Toparies
Vishnu Toparies

ppt

Education
1 of 27
Keylogging-resistant Visual Authentication Protocols Vishnu U Roll :58 S7CSE
Contents  Introduction  System and threat model  Protocols  Handling issues related to this protocol  Security analysis  Conclusion
Introduction • A keylogger is a software designed to capture all of a user’s keyboard strokes, and then make use of them to impersonate a user in financial transactions. • For example whenever a user types in her password in a bank’s sign in box, the keylogger intercepts the password. The threat of such keyloggers is pervasive and can be present both in personal computers and public kiosks. • Human user’s involvement in the security protocol is sometimes necessary to prevent this type of attacks
Contd.. • visualization can enhance not only security but also usability by proposing two visual authentication protocols. One for password-based authentication and other for one-time- password based authentication.
System and Threat Model • In this system model it consists of four different entities which are a user, a smartphone, a user’s terminal and a server. The user is an ordinary human, user’s terminal is a desktop computer or a laptop. • The third system entity is a smartphone which is equipped with a camera and stores a public key certificate of the server for digital signature verification
Password based authentication protocol 1)The user connects to the server and sends her ID. 2) The server checks the ID to retrieve the user’s public key (PKID) from the database. The server then picks a fresh random string OTP and encrypts it with the public key to obtain EOTP = EncrPKID (OTP). 3) In the terminal, a QR code QREOTP is displayed prompting the user to type in the string.
Contd.. 4) The user decodes the QR code with EOTP =QRDec(QREOTP ). Because the random string is encrypted with user’s public key (PKID), the user can read the OTP string only through the smartphone by OTP = Decrk(EOTP ) and type in the OTP in the terminal with a physical keyboard. 5) The server checks the result and if it matches what the server has sent earlier, the user is authenticated Otherwise, the user is denied. In this protocol, OTP is any combination of alphabets or numbers whose length is 4 or more depending on the security level required.
An Authentication Protocol with Password and Randomized Onscreen Keyboard 1) The user connects to the server and sends user’s ID. 2) The server checks the received ID to retrieve the user’s public key (PKID) from the database. The server prepares , a random permutation of a keyboard arrangement, and encrypts it with the public key to obtain EKBD=EncrPKID (). 3)Then, it encodes the cipher text with QR encoder to obtain QREKBD =QREnc(EkID ()). The server sends the result with a blank keyboard.
3) In the user’s terminal, a QR code (QREKBD) is displayed together with a blank keyboard. Now, the user executes her smartphone application which first decodes the QR code by applying QRDec(QREKBD) to get the cipher text (EKBD). 4) The cipher text is then decrypted by the smartphone application with the private key of the user to display the result (=DecrSKID(EKBD)) on the smartphone’s screen. Contd..
4) When the user sees the blank keyboard with the QR code through an application on the smartphone that has a private key, alphanumeric appear on the blank keyboard and the user can click the proper button for the password. 5)Then the user types in her password on the terminal’s screen while seeing the keyboard layout through the smartphone. The terminal Identities of the buttons clicked by the user are sent to the server by the terminal. Contd..
High level description • 01: user::user.send(server, id) • 02: server::__upon_id_arrival: • 03: if(server.verify(id) == true): • 04: pkid = server.db.find(id) • 05: pi = server.generate_random_kb() • 06: ekbd = server.encrypt(pkid, pi) • 07: qrekbd = server.qrencode(ekbd) • 08: server.send(user, qrekbd) • 09: terminal::__upon_qrekbd_arrival: • 10: terminal.view(qrekbd)
• 11: terminal.view_blank_kb(pi) • 12: smartphone::__upon_qrekbd_view: • 13: qrekbd = smartphone.capture(qrekbd) • 14: ekbd = smartphone.qrdecode(qrekbd) • 15: pi = smartphone.decrypt(skid, ekbd) • 16: smartphone.view(pi) • 17: user::__upon_pi_view: • 18: pw = user.inputpassword(terminal) • 19: terminal::upon_pw_input: • 20: terminal.send(server, pw) Contd..
• 21: server::__upon_pw_arrival: • 22: if(server.verify(id, pw) == true): • 23: server.authenticate(user) • 24: else: • 25: server.deny(user) Contd..
How to handle several issues related to this protocols Password Hashing Passwords are usually stored in a hashed form with a salt to prevent server attacks. In Protocol 2, we can easily support this password hashing by making the server compare the password hash computed from the stored salt value and the transferred password after decrypting it with the stored password hash value.
Message signing To prevent the terminal from misrepresenting the contents generated by the server, one can establish the authenticity of the server and the contents generated by it by adding the following verification process. When the server sends the random permutation to the user, it signs the permutation using the server’s private key and the resulting signature is encoded in a QR code. Before decrypting the contents, the user establishes the authenticity of the contents verifying the signature against the server’s public key
Theft of Smartphone In Protocol 1, theft of smartphone means that the attacker has total control over user’s account if the attacker knows the user’s ID. Protocol1 can be regarded as an authentication protocol requiring only one security token (a smaprtphone) and focusing on user convenience. in Protocol 2, it is not easy to sign in or to make valid transaction requests successfully because it requires not only the smartphone but also the password.
SECURITY ANALYSIS Protocol 1 Authentication in this protocol is solely based on a random string generated by the server. The random string is encrypted by the public key of the user, and verified against her private key.
Protocol 2 A blank keyboard is posted on the terminal whereas a randomized keyboard with the alphanumeric on it is posted on the smartphone. Because the protocol does not require the user to do any keyboard input on the smartphone side, the protocol is immune against the key logger attack.
The user just checks the keyboard layout on the phone and there is no input from a user. Obviously, the terminal might be compromised, but the keylogger will be able to only capture what keystrokes are used on the blank keyboard. Thus, the keylogger will not be able to know which alphanumeric characters are being clicked.
CONCLUSION In this protocols that not only improve the user experience but also resist challenging attacks, such as the keylogger and malware attack. Using user driven visualization improves security and user friendliness These protocols utilize simple technologies available in most out-of-the-box smartphone devices.
[1] —. Google authenticator. http://code.google.com/p/ google-authenticator/. [2] —. Rsa securid. http://www.emc.com/security/rsa-securid.htm. [3] Cronto. http://www.cronto.com/. [4] —. BS ISO/IEC 18004:2006. information technology. automatic identification and data capture techniques. ISO/IEC, 2006. [5] —. ZXing. http://code.google.com/p/zxing/, 2011. [6] D. Boneh and X. Boyen. Short signatures without random oracles. In Proc. of EUROCRYPT, pages 56–73, 2004. [7] J. Bonneau, C. Herley, P. C. Van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 553–567. IEEE, 2012 REFERENCES
Keylogging resistant visual authentication Protocols
Keylogging resistant visual authentication Protocols

Recommended

2FYSH: two-factor authentication you should have for password replacement
2FYSH: two-factor authentication you should have for password replacement2FYSH: two-factor authentication you should have for password replacement
2FYSH: two-factor authentication you should have for password replacement
TELKOMNIKA JOURNAL
 
Moving ATM Applications to Smartphones with a Secured PinEntry Methods
Moving ATM Applications to Smartphones with a Secured PinEntry MethodsMoving ATM Applications to Smartphones with a Secured PinEntry Methods
Moving ATM Applications to Smartphones with a Secured PinEntry Methods
IOSR Journals
 
iGUARD: An Intelligent Way To Secure - Presentation
iGUARD: An Intelligent Way To Secure - PresentationiGUARD: An Intelligent Way To Secure - Presentation
iGUARD: An Intelligent Way To Secure - Presentation
Nandu B Rajan
 
Camera based attack detection and prevention tech niques on android mobile ph...
Camera based attack detection and prevention tech niques on android mobile ph...Camera based attack detection and prevention tech niques on android mobile ph...
Camera based attack detection and prevention tech niques on android mobile ph...
eSAT Journals
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time Password
Ata Ebrahimi
 
IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...
IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...
IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...
IRJET Journal
 
Centers for Disease Control and Prevention
Centers for Disease Control and PreventionCenters for Disease Control and Prevention
Centers for Disease Control and Prevention
Patrick Montgomery
 
11.bluetooth security
11.bluetooth security11.bluetooth security
11.bluetooth security
Pramod Rathore
 

Recommended

2FYSH: two-factor authentication you should have for password replacement
2FYSH: two-factor authentication you should have for password replacement2FYSH: two-factor authentication you should have for password replacement
2FYSH: two-factor authentication you should have for password replacement
TELKOMNIKA JOURNAL
 
Moving ATM Applications to Smartphones with a Secured PinEntry Methods
Moving ATM Applications to Smartphones with a Secured PinEntry MethodsMoving ATM Applications to Smartphones with a Secured PinEntry Methods
Moving ATM Applications to Smartphones with a Secured PinEntry Methods
IOSR Journals
 
iGUARD: An Intelligent Way To Secure - Presentation
iGUARD: An Intelligent Way To Secure - PresentationiGUARD: An Intelligent Way To Secure - Presentation
iGUARD: An Intelligent Way To Secure - Presentation
Nandu B Rajan
 
Camera based attack detection and prevention tech niques on android mobile ph...
Camera based attack detection and prevention tech niques on android mobile ph...Camera based attack detection and prevention tech niques on android mobile ph...
Camera based attack detection and prevention tech niques on android mobile ph...
eSAT Journals
 
One-Time Password
One-Time PasswordOne-Time Password
One-Time Password
Ata Ebrahimi
 
IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...
IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...
IRJET- Implementation of Secured ATM by Wireless Password Transfer and Keypad...
IRJET Journal
 
Centers for Disease Control and Prevention
Centers for Disease Control and PreventionCenters for Disease Control and Prevention
Centers for Disease Control and Prevention
Patrick Montgomery
 
11.bluetooth security
11.bluetooth security11.bluetooth security
11.bluetooth security
Pramod Rathore
 
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET Journal
 
IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...
IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...
IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...
IRJET Journal
 
Bg24375379
Bg24375379Bg24375379
Bg24375379
IJERA Editor
 
Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...
Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...
Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...
Information Security Awareness Group
 
000
000000
000
Lakshminarayana Durgam
 
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
IJCSEIT Journal
 
Access control basics-2
Access control basics-2Access control basics-2
Access control basics-2
grantlerc
 
F0391041048
F0391041048F0391041048
F0391041048
inventionjournals
 
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...
CloudIDSummit
 
Access control basics-3
Access control basics-3Access control basics-3
Access control basics-3
grantlerc
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
Anumadil1
 
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
CSCJournals
 
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULESINNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
Editor IJMTER
 
Report of Advance car security system major project
Report of Advance car security system major projectReport of Advance car security system major project
Report of Advance car security system major project
Ami Goswami
 
FINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
FINGERPRINT BASED LOCKER WITH IMAGE CAPTUREFINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
FINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
Michael George
 
Design of Banking Security System Using Mems And Rfid Technology
Design of Banking Security System Using Mems And Rfid TechnologyDesign of Banking Security System Using Mems And Rfid Technology
Design of Banking Security System Using Mems And Rfid Technology
theijes
 
Desgn&imp authentctn.ppt by Jaseela
Desgn&imp authentctn.ppt by JaseelaDesgn&imp authentctn.ppt by Jaseela
Desgn&imp authentctn.ppt by Jaseela
Student
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
Quobis
 
Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTC
Quobis
 
IoT and Fingerprint Based Door Looking System
IoT and Fingerprint Based Door Looking SystemIoT and Fingerprint Based Door Looking System
IoT and Fingerprint Based Door Looking System
rahulmonikasharma
 
IRJET - Three Layered Security for Banking
IRJET - Three Layered Security for BankingIRJET - Three Layered Security for Banking
IRJET - Three Layered Security for Banking
IRJET Journal
 
87559489 auth
87559489 auth87559489 auth
87559489 auth
homeworkping4
 

More Related Content

What's hot

A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
IJCSEIT Journal
 
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
CSCJournals
 
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULESINNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
Editor IJMTER
 
FINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
FINGERPRINT BASED LOCKER WITH IMAGE CAPTUREFINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
FINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
Michael George
 
IoT and Fingerprint Based Door Looking System
IoT and Fingerprint Based Door Looking SystemIoT and Fingerprint Based Door Looking System
IoT and Fingerprint Based Door Looking System
rahulmonikasharma
 

What's hot (20)

IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
IRJET- SteganoPIN:Two Faced Human-Machine Interface for Practical Enforcement...
 
IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...
IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...
IRJET- Arduino Based Entrance Monitoring System using RFID and Real Time ...
 
Bg24375379
Bg24375379Bg24375379
Bg24375379
 
Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...
Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...
Cryptanalaysis of an EPCC1G2 Standard Compliant Ownership Transfer Scheme Jor...
 
000
000000
000
 
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
A MODEL FOR REMOTE ACCESS AND PROTECTION OF SMARTPHONES USING SHORT MESSAGE S...
 
Access control basics-2
Access control basics-2Access control basics-2
Access control basics-2
 
F0391041048
F0391041048F0391041048
F0391041048
 
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...
CIS14: Zen and the Art of Cloud Adoption—a Practitioner’s Viewpoint on Findin...
 
Access control basics-3
Access control basics-3Access control basics-3
Access control basics-3
 
Ethical hacking
Ethical hackingEthical hacking
Ethical hacking
 
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
An Enhancement of Authentication Protocol and Key Agreement (AKA) For 3G Mobi...
 
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULESINNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
INNOVATIVE AUTOMOBILE SECURITY SYSTEM USING VARIOUS SECURITY MODULES
 
Report of Advance car security system major project
Report of Advance car security system major projectReport of Advance car security system major project
Report of Advance car security system major project
 
FINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
FINGERPRINT BASED LOCKER WITH IMAGE CAPTUREFINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
FINGERPRINT BASED LOCKER WITH IMAGE CAPTURE
 
Design of Banking Security System Using Mems And Rfid Technology
Design of Banking Security System Using Mems And Rfid TechnologyDesign of Banking Security System Using Mems And Rfid Technology
Design of Banking Security System Using Mems And Rfid Technology
 
Desgn&imp authentctn.ppt by Jaseela
Desgn&imp authentctn.ppt by JaseelaDesgn&imp authentctn.ppt by Jaseela
Desgn&imp authentctn.ppt by Jaseela
 
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
VOIP2DAY 2015: "WebRTC security concerns, a real problem?"
 
Security and identity management on WebRTC
Security and identity management on WebRTCSecurity and identity management on WebRTC
Security and identity management on WebRTC
 
IoT and Fingerprint Based Door Looking System
IoT and Fingerprint Based Door Looking SystemIoT and Fingerprint Based Door Looking System
IoT and Fingerprint Based Door Looking System
 

Similar to Keylogging resistant visual authentication Protocols

A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
eSAT Journals
 
E voting authentication with qr-codes
E voting authentication with qr-codesE voting authentication with qr-codes
E voting authentication with qr-codes
Md. Hasibur Rashid
 
A Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile SystemA Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile System
Editor IJCATR
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
Conference Papers
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
eSAT Journals
 

Similar to Keylogging resistant visual authentication Protocols (20)

IRJET - Three Layered Security for Banking
IRJET - Three Layered Security for BankingIRJET - Three Layered Security for Banking
IRJET - Three Layered Security for Banking
 
87559489 auth
87559489 auth87559489 auth
87559489 auth
 
Two factor authentication.pptx
Two factor authentication.pptxTwo factor authentication.pptx
Two factor authentication.pptx
 
How to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewedHow to do right cryptography in android part 3 / Gated Authentication reviewed
How to do right cryptography in android part 3 / Gated Authentication reviewed
 
A secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authenticationA secure communication in smart phones using two factor authentication
A secure communication in smart phones using two factor authentication
 
A secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authenticationsA secure communication in smart phones using two factor authentications
A secure communication in smart phones using two factor authentications
 
E voting authentication with qr-codes
E voting authentication with qr-codesE voting authentication with qr-codes
E voting authentication with qr-codes
 
A Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile SystemA Review Study on Secure Authentication in Mobile System
A Review Study on Secure Authentication in Mobile System
 
Two Factor Authentication Using Smartphone Generated One Time Password
Two Factor Authentication Using Smartphone Generated One Time PasswordTwo Factor Authentication Using Smartphone Generated One Time Password
Two Factor Authentication Using Smartphone Generated One Time Password
 
Fingerprint based transaction system
Fingerprint based transaction systemFingerprint based transaction system
Fingerprint based transaction system
 
Security for automation in Internet of Things by using one time password
Security for automation in Internet of Things by using one time passwordSecurity for automation in Internet of Things by using one time password
Security for automation in Internet of Things by using one time password
 
120 i143
120 i143120 i143
120 i143
 
Narrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forwardNarrative of digital signature technology and moving forward
Narrative of digital signature technology and moving forward
 
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...Secure3 authentication for sensitive data on cloud using textual, chessboard ...
Secure3 authentication for sensitive data on cloud using textual, chessboard ...
 
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATIONAN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
 
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATIONAN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
AN ENHANCED SECURITY FOR GOVERNMENT BASE ON MULTIFACTOR BIOMETRIC AUTHENTICATION
 
IRJET- Two Way Authentication for Banking Systems
IRJET- Two Way Authentication for Banking SystemsIRJET- Two Way Authentication for Banking Systems
IRJET- Two Way Authentication for Banking Systems
 
IRJET- Multi sharing Data using OTP
IRJET- Multi sharing Data using OTPIRJET- Multi sharing Data using OTP
IRJET- Multi sharing Data using OTP
 
IRJET- Security Empowerment using QR Code and Session Tracking for Cued R...
IRJET- Security Empowerment using QR Code and Session Tracking for Cued R...IRJET- Security Empowerment using QR Code and Session Tracking for Cued R...
IRJET- Security Empowerment using QR Code and Session Tracking for Cued R...
 
Advanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSMAdvanced Security System for Bank Lockers using Biometric and GSM
Advanced Security System for Bank Lockers using Biometric and GSM
 

Recently uploaded

Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
KarakKing
 

Recently uploaded (20)

Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Graduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - EnglishGraduate Outcomes Presentation Slides - English
Graduate Outcomes Presentation Slides - English
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.This PowerPoint helps students to consider the concept of infinity.
This PowerPoint helps students to consider the concept of infinity.
 
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Hongkong ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
 
Application orientated numerical on hev.ppt
Application orientated numerical on hev.pptApplication orientated numerical on hev.ppt
Application orientated numerical on hev.ppt
 
General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...General Principles of Intellectual Property: Concepts of Intellectual Proper...
General Principles of Intellectual Property: Concepts of Intellectual Proper...
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Holdier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdfHoldier Curriculum Vitae (April 2024).pdf
Holdier Curriculum Vitae (April 2024).pdf
 
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
Beyond_Borders_Understanding_Anime_and_Manga_Fandom_A_Comprehensive_Audience_...
 
SOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning PresentationSOC 101 Demonstration of Learning Presentation
SOC 101 Demonstration of Learning Presentation
 
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptxHMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
HMCS Max Bernays Pre-Deployment Brief (May 2024).pptx
 
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdfUGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
UGC NET Paper 1 Mathematical Reasoning & Aptitude.pdf
 
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
2024-NATIONAL-LEARNING-CAMP-AND-OTHER.pptx
 
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
NO1 Top Black Magic Specialist In Lahore Black magic In Pakistan Kala Ilam Ex...
 
Salient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functionsSalient Features of India constitution especially power and functions
Salient Features of India constitution especially power and functions
 
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdfUnit 3 Emotional Intelligence and Spiritual Intelligence.pdf
Unit 3 Emotional Intelligence and Spiritual Intelligence.pdf
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 

Keylogging resistant visual authentication Protocols

  • 2. Contents  Introduction  System and threat model  Protocols  Handling issues related to this protocol  Security analysis  Conclusion
  • 3. Introduction • A keylogger is a software designed to capture all of a user’s keyboard strokes, and then make use of them to impersonate a user in financial transactions. • For example whenever a user types in her password in a bank’s sign in box, the keylogger intercepts the password. The threat of such keyloggers is pervasive and can be present both in personal computers and public kiosks. • Human user’s involvement in the security protocol is sometimes necessary to prevent this type of attacks
  • 4. Contd.. • visualization can enhance not only security but also usability by proposing two visual authentication protocols. One for password-based authentication and other for one-time- password based authentication.
  • 5. System and Threat Model • In this system model it consists of four different entities which are a user, a smartphone, a user’s terminal and a server. The user is an ordinary human, user’s terminal is a desktop computer or a laptop. • The third system entity is a smartphone which is equipped with a camera and stores a public key certificate of the server for digital signature verification
  • 6. Password based authentication protocol 1)The user connects to the server and sends her ID. 2) The server checks the ID to retrieve the user’s public key (PKID) from the database. The server then picks a fresh random string OTP and encrypts it with the public key to obtain EOTP = EncrPKID (OTP). 3) In the terminal, a QR code QREOTP is displayed prompting the user to type in the string.
  • 7. Contd.. 4) The user decodes the QR code with EOTP =QRDec(QREOTP ). Because the random string is encrypted with user’s public key (PKID), the user can read the OTP string only through the smartphone by OTP = Decrk(EOTP ) and type in the OTP in the terminal with a physical keyboard. 5) The server checks the result and if it matches what the server has sent earlier, the user is authenticated Otherwise, the user is denied. In this protocol, OTP is any combination of alphabets or numbers whose length is 4 or more depending on the security level required.
  • 8.
  • 9. An Authentication Protocol with Password and Randomized Onscreen Keyboard 1) The user connects to the server and sends user’s ID. 2) The server checks the received ID to retrieve the user’s public key (PKID) from the database. The server prepares , a random permutation of a keyboard arrangement, and encrypts it with the public key to obtain EKBD=EncrPKID (). 3)Then, it encodes the cipher text with QR encoder to obtain QREKBD =QREnc(EkID ()). The server sends the result with a blank keyboard.
  • 10. 3) In the user’s terminal, a QR code (QREKBD) is displayed together with a blank keyboard. Now, the user executes her smartphone application which first decodes the QR code by applying QRDec(QREKBD) to get the cipher text (EKBD). 4) The cipher text is then decrypted by the smartphone application with the private key of the user to display the result (=DecrSKID(EKBD)) on the smartphone’s screen. Contd..
  • 11. 4) When the user sees the blank keyboard with the QR code through an application on the smartphone that has a private key, alphanumeric appear on the blank keyboard and the user can click the proper button for the password. 5)Then the user types in her password on the terminal’s screen while seeing the keyboard layout through the smartphone. The terminal Identities of the buttons clicked by the user are sent to the server by the terminal. Contd..
  • 12.
  • 13.
  • 14.
  • 15. High level description • 01: user::user.send(server, id) • 02: server::__upon_id_arrival: • 03: if(server.verify(id) == true): • 04: pkid = server.db.find(id) • 05: pi = server.generate_random_kb() • 06: ekbd = server.encrypt(pkid, pi) • 07: qrekbd = server.qrencode(ekbd) • 08: server.send(user, qrekbd) • 09: terminal::__upon_qrekbd_arrival: • 10: terminal.view(qrekbd)
  • 16. • 11: terminal.view_blank_kb(pi) • 12: smartphone::__upon_qrekbd_view: • 13: qrekbd = smartphone.capture(qrekbd) • 14: ekbd = smartphone.qrdecode(qrekbd) • 15: pi = smartphone.decrypt(skid, ekbd) • 16: smartphone.view(pi) • 17: user::__upon_pi_view: • 18: pw = user.inputpassword(terminal) • 19: terminal::upon_pw_input: • 20: terminal.send(server, pw) Contd..
  • 17. • 21: server::__upon_pw_arrival: • 22: if(server.verify(id, pw) == true): • 23: server.authenticate(user) • 24: else: • 25: server.deny(user) Contd..
  • 18. How to handle several issues related to this protocols Password Hashing Passwords are usually stored in a hashed form with a salt to prevent server attacks. In Protocol 2, we can easily support this password hashing by making the server compare the password hash computed from the stored salt value and the transferred password after decrypting it with the stored password hash value.
  • 19. Message signing To prevent the terminal from misrepresenting the contents generated by the server, one can establish the authenticity of the server and the contents generated by it by adding the following verification process. When the server sends the random permutation to the user, it signs the permutation using the server’s private key and the resulting signature is encoded in a QR code. Before decrypting the contents, the user establishes the authenticity of the contents verifying the signature against the server’s public key
  • 20. Theft of Smartphone In Protocol 1, theft of smartphone means that the attacker has total control over user’s account if the attacker knows the user’s ID. Protocol1 can be regarded as an authentication protocol requiring only one security token (a smaprtphone) and focusing on user convenience. in Protocol 2, it is not easy to sign in or to make valid transaction requests successfully because it requires not only the smartphone but also the password.
  • 21. SECURITY ANALYSIS Protocol 1 Authentication in this protocol is solely based on a random string generated by the server. The random string is encrypted by the public key of the user, and verified against her private key.
  • 22. Protocol 2 A blank keyboard is posted on the terminal whereas a randomized keyboard with the alphanumeric on it is posted on the smartphone. Because the protocol does not require the user to do any keyboard input on the smartphone side, the protocol is immune against the key logger attack.
  • 23. The user just checks the keyboard layout on the phone and there is no input from a user. Obviously, the terminal might be compromised, but the keylogger will be able to only capture what keystrokes are used on the blank keyboard. Thus, the keylogger will not be able to know which alphanumeric characters are being clicked.
  • 24. CONCLUSION In this protocols that not only improve the user experience but also resist challenging attacks, such as the keylogger and malware attack. Using user driven visualization improves security and user friendliness These protocols utilize simple technologies available in most out-of-the-box smartphone devices.
  • 25. [1] —. Google authenticator. http://code.google.com/p/ google-authenticator/. [2] —. Rsa securid. http://www.emc.com/security/rsa-securid.htm. [3] Cronto. http://www.cronto.com/. [4] —. BS ISO/IEC 18004:2006. information technology. automatic identification and data capture techniques. ISO/IEC, 2006. [5] —. ZXing. http://code.google.com/p/zxing/, 2011. [6] D. Boneh and X. Boyen. Short signatures without random oracles. In Proc. of EUROCRYPT, pages 56–73, 2004. [7] J. Bonneau, C. Herley, P. C. Van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In Security and Privacy (SP), 2012 IEEE Symposium on, pages 553–567. IEEE, 2012 REFERENCES