This document presents a technique to enhance password-username authentication by addressing SQL injection and online password guessing attacks. The technique combines cryptographic hashing of passwords, recognition-based graphical passwords, and parameterized queries. Users register with a username, password, and graphical password. The password is hashed with a salt during registration. Login allows two attempts with the username and password before requiring the graphical password. IPs are blocked after one failed graphical attempt to prevent brute force attacks while still allowing legitimate users access. Security testing showed the technique prevented SQL injection and online password guessing attacks.
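The registration and login flow summarized above, as an added example that is not the paper's own code: per-user salted hashing at registration, a parameterized lookup for every login, two username/password attempts before the recognition-based graphical password is demanded, and a per-IP block after one failed graphical attempt. The class and function names, the sqlite schema, the PBKDF2 parameters and the modelling of the graphical password as an ordered list of chosen image ids are all assumptions made for this demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 100_000   # assumption: the summary names no KDF or iteration count
MAX_PASSWORD_ATTEMPTS = 2     # from the summary: two username/password attempts
MAX_GRAPHICAL_ATTEMPTS = 1    # from the summary: block the IP after one failed graphical attempt


class AuthStore:
    """In-memory sqlite-backed store modelling the described registration/login flow (assumed design)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, "
            "pw_hash BLOB, graphical_hash BLOB)")
        self.password_failures = {}   # (ip, username) -> failed password attempts
        self.graphical_failures = {}  # (ip, username) -> failed graphical attempts
        self.blocked_ips = set()

    @staticmethod
    def _hash(secret, salt):
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)

    def register(self, username, password, image_sequence):
        # One random salt per user; the password and the graphical password are
        # both stored only as salted PBKDF2 hashes. The graphical password is
        # modelled as the ordered ids of the images the user picked (assumption).
        salt = os.urandom(16)
        graphical = ",".join(image_sequence)
        self.db.execute(
            "INSERT INTO users VALUES (?, ?, ?, ?)",
            (username, salt, self._hash(password, salt), self._hash(graphical, salt)))

    def _lookup(self, username):
        # Parameterized query: the username is bound as data and never spliced
        # into the SQL text, so an injection payload is just an unknown username.
        return self.db.execute(
            "SELECT salt, pw_hash, graphical_hash FROM users WHERE username = ?",
            (username,)).fetchone()

    def login(self, ip, username, password, image_sequence=None):
        """Returns 'ok', 'bad_password', 'need_graphical' or 'blocked'."""
        if ip in self.blocked_ips:
            return "blocked"
        key = (ip, username)
        row = self._lookup(username)
        if row is None:
            # Unknown user: hash against a throwaway salt so the response
            # looks like an ordinary wrong password.
            salt, pw_hash, graphical_hash = os.urandom(16), None, None
        else:
            salt, pw_hash, graphical_hash = row
        password_ok = pw_hash is not None and hmac.compare_digest(
            self._hash(password, salt), pw_hash)

        if self.password_failures.get(key, 0) >= MAX_PASSWORD_ATTEMPTS:
            # Second stage: password attempts are exhausted, so the graphical
            # password is now mandatory alongside the password.
            if image_sequence is None:
                return "need_graphical"
            graphical_ok = graphical_hash is not None and hmac.compare_digest(
                self._hash(",".join(image_sequence), salt), graphical_hash)
            if password_ok and graphical_ok:
                self.password_failures.pop(key, None)
                self.graphical_failures.pop(key, None)
                return "ok"
            self.graphical_failures[key] = self.graphical_failures.get(key, 0) + 1
            if self.graphical_failures[key] >= MAX_GRAPHICAL_ATTEMPTS:
                self.blocked_ips.add(ip)
                return "blocked"
            return "need_graphical"

        if password_ok:
            self.password_failures.pop(key, None)
            return "ok"
        self.password_failures[key] = self.password_failures.get(key, 0) + 1
        if self.password_failures[key] >= MAX_PASSWORD_ATTEMPTS:
            return "need_graphical"
        return "bad_password"


def demo():
    """Walks the flow on constructed input and returns the sequence of outcomes."""
    store = AuthStore()
    store.register("alice", "correct horse battery", ["img3", "img7", "img1"])
    pw = "correct horse battery"
    return [
        store.login("198.51.100.7", "' OR '1'='1", "anything"),       # injection payload: just a bad login
        store.login("198.51.100.7", "alice", "wrong1"),                # attempt 1
        store.login("198.51.100.7", "alice", "wrong2"),                # attempt 2: graphical now required
        store.login("198.51.100.7", "alice", pw),                      # password alone no longer enough
        store.login("198.51.100.7", "alice", pw, ["img1", "img2", "img3"]),  # wrong images: IP blocked
        store.login("198.51.100.7", "alice", pw, ["img3", "img7", "img1"]),  # still blocked, even if right
        store.login("203.0.113.9", "alice", pw),                       # legitimate user from another IP
    ]


if __name__ == "__main__":
    print(demo())
```

The block is a model of the described policy, not a production login service: the attempt counters live in process memory, the unknown-user path still performs a hash so that a missing account is not cheaper to probe than a wrong password, and both secret comparisons use a constant-time compare.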
Database Security Two Way Authentication Using Graphical Password - IJERA Editor
Data represent a key asset for today's organizations, and the problem of how to protect this data from attackers, theft and misuse is at the forefront of any organization's mind. Even though several data security techniques are available today to protect database and computing infrastructure, many of them, such as network security and firewall tools, are unable to prevent attacks from insiders. An insider is a person working in the organization who may try to access the sensitive data. This paper proposes a two-way authentication method which fuses knowledge-based secret and personal trait information.
AN EFFICIENT IDENTITY BASED AUTHENTICATION PROTOCOL BY USING PASSWORD - IJNSA Journal
In a distributed system, authentication protocols are the basis of security, so it is essential that these protocols function properly. Passwords are one of the most common authentication methods used nowadays. The low entropy of passwords makes systems vulnerable to password guessing attacks. This paper presents a simple scheme that strengthens password-based authentication protocols and helps prevent dictionary attacks, replay attacks, man-in-the-middle attacks, etc. The proposed scheme presents a new password authentication protocol that uses the user and server system identification/serial number. Here there is no possibility of storing the user passwords, so an attacker who gets the password cannot use it directly to gain immediate access and compromise security.
An Overview on Authentication Approaches and Their Usability in Conjunction w... - IJERA Editor
The usage of sensitive online services and applications such as online banking, e-commerce, etc. is increasing day by day. These technologies have improved tremendously, making our daily life easier. However, these developments have been accompanied by e-piracy, where attackers try to get access to services illegally. As sensitive information flows through the Internet, it needs support for security properties such as authentication, authorization and data confidentiality. Perhaps the static password (user ID & password) is the most common and widely accepted authentication method. Online applications need strong passwords, such as a combination of alphanumeric and special characters. In general, having one password for a single service may be easy to remember, but controlling many passwords for different services poses a tedious task on users of online applications. Usually users try to use the same password for different services or make slight changes to the password, which can be easy for an attacker to guess, adding an increased security threat. In order to overcome this, stronger authentication solutions need to be suggested and adapted for service-based networks.
Information security plays an important role in governments. Its realm has increased nowadays, especially with recent virus attacks in different governmental organizations. Authentication is an aspect of information security; the current scheme used nowadays in systems depends on login by user name and password in addition to a one-time password or traditional secret questions, which in turn are usually easy to predict. This paper proposes an enhanced knowledge-based authentication solution which ensures and provides more security and usability for governmental organizations.
Prevention of SQL injection in E-Commerce - ijceronline
Structured Query Language (SQL) injection, in the present scenario, emerges as one of the most challenging facts affecting online business, as it can expose all of the sensitive information related to business transactions which is stored in the online database, including the most highly secured sensitive information such as credit card passwords, usernames, login IDs, credentials, phone numbers, email IDs, etc. SQL injection remains a vulnerability in which an intruder gains the ability to manipulate the SQL queries that are passed to a back-end database. The query passed by the intruder can give access to data that is an assisting element of the database and the underlying operating system. Every SQL query that accepts input from the attacker's side can damage our real web application. An intruder who attempts to insert a defective SQL query into an entry field to alter the query, so that they can dump or alter the database, is using what is known as the "code injection technique"; this type of attack is also called an attack vector for websites and applies to any type of SQL database. Through this research paper, our endeavour is to understand the methodology of SQL injection and also to propose a solution to prevent SQL injection in one of the most vulnerable fields, e-commerce.
Android Based Total Security for System Authentication - IJERA Editor
In this paper [5], a highly severe menace to any computing device is the impersonation of an authenticated user. The most frequent computer authentication scheme is to use alphanumerical usernames and passwords. But textual passwords are prone to dictionary attacks, eavesdropping, shoulder surfing and social engineering. As such, graphical passwords have been introduced as an alternative to the traditional authentication process. Though graphical password schemes provide a way of making more user-friendly passwords while increasing the level of security, they are vulnerable to shoulder surfing. To address this problem, text can be used in combination with colors and images to generate session passwords, thereby making a stronger means of authentication. In general, session passwords are those that can be used only once; for every new session, a new password is generated. This paper [7] describes a method of implementing two-factor authentication using mobile phones. The proposed method guarantees that authenticating to services, such as online banking or ATM machines, is done in a very secure manner. The proposed system involves using a mobile phone as a software token for one-time password generation. The generated one-time password is valid for only a short, user-defined period of time and is generated by factors that are unique to both the user and the mobile device itself. Additionally, an SMS-based mechanism is implemented both as a backup mechanism for retrieving the password and as a possible means of synchronization. The proposed method has been implemented and tested. Initial results show the success of the proposed method.
A BASTION MOBILEID-BASED AUTHENTICATION TECHNIQUE (BMBAT) - IJNSA Journal
Despite their proven security breaches, text passwords have been dominating all other methods of human authentication over the web for tens of years; however, the frequent successful attacks that exploit the vulnerable password model raise the need to enhance web authentication security. This paper proposes BMBAT, a new authentication technique to replace passwords, which leverages pervasive user mobile devices, QR codes and the strength of symmetric and asymmetric cryptography. In BMBAT, the user's mobile device acts as a user identity prover and as a verifier for the server; it employs a challenge-response model with a dual mode of encryption using AES and RSA keys to mutually authenticate the client to the server and vice versa. BMBAT combats a set of attack vectors including phishing attacks, man-in-the-middle attacks, eavesdropping and session hijacking. A prototype of BMBAT has been developed and evaluated; the evaluation results show that BMBAT is a feasible and competitive alternative to passwords.
International Journal of Engineering Research and Applications (IJERA) is an open access online peer reviewed international journal that publishes research and review articles in the fields of Computer Science, Neural Networks, Electrical Engineering, Software Engineering, Information Technology, Mechanical Engineering, Chemical Engineering, Plastic Engineering, Food Technology, Textile Engineering, Nano Technology & science, Power Electronics, Electronics & Communication Engineering, Computational mathematics, Image processing, Civil Engineering, Structural Engineering, Environmental Engineering, VLSI Testing & Low Power VLSI Design etc.
Confident Technologies provide out-of-band, multifactor authentication using a highly secure and easy-to-use, image-based approach. Learn more at www.confidenttechnologies.com
This slide deck contains information about SQL injection: the types of SQL injection, some case studies about SQL injection, and some techniques with which we can protect our systems.
INTRUSION DETECTION IN MULTITIER WEB APPLICATIONS USING DOUBLEGUARD - IJCI JOURNAL
Today, the use of distinct internet services and their applications by people is increasing in a very large amount. Due to this usage, data complexity increases. So, web services turn their focus to a multi-tier design where the web server acts as the front-end and the database server acts as the back-end. Attackers try to steal personal data by targeting the database server, hence it is necessary to provide more security to both the web server and the database server. In this paper, the DoubleGuard system proposes an efficient intrusion detection and prevention system which detects and prevents various attacks in multi-tier web applications. This IDS keeps track of all user sessions across both the web server and the database server. For this, it allocates a dedicated web container to each user's session. Each user is associated with a unique session ID, which enhances security. The system builds a well-correlated model for the website and detects and prevents various types of attacks. The system is implemented using the Apache web server with MySQL.
An Enhanced Security System for Web Authentication - IJMER
Web authentication has low security these days. Today, for authentication purposes, textual passwords are commonly used; however, users do not follow their requirements. Users tend to choose meaningful words from dictionaries, which makes textual passwords easy to break and vulnerable to dictionary or brute force attacks. Also, textual passwords can be identified by 3rd party software. Many available graphical passwords have a password space that is less than or equal to the textual password space. Smart cards or tokens can be stolen. Many biometric authentications have been proposed; however, users tend to resist using biometrics because of their intrusiveness and the effect on their privacy. Moreover, biometrics cannot be revoked. In this paper, we present and evaluate our contribution, i.e., the OTP and 3-D password. A one-time password (OTP) is a password that is valid for only one login session or transaction. OTPs avoid a number of shortcomings that are associated with traditional (static) passwords. The most important shortcoming that is addressed by OTPs is that, in contrast to static passwords, they are not vulnerable to replay attacks. This means that a potential intruder who manages to record an OTP that was already used to log into a service or to conduct a transaction will not be able to abuse it, since it will no longer be valid. The 3-D password is a multifactor authentication scheme. To be authenticated, we present a 3-D virtual environment where the user navigates and interacts with various objects. The sequence of actions and interactions toward the objects inside the 3-D environment constructs the user's 3-D password.
A Multidimensional View of Critical Web Application Security Risks: A Novel '... - Cognizant
An actionable guide for website application developers to successfully ward off threats to vulnerabilities in a range of functionalities: user authentication, payment records, cross-site scripting, search, registration, file loading and privilege escalation.
Survey on detecting and preventing web application broken access control attacks - IJECEIAES
Web applications are an essential component of the current wide range of digital service propositions, including financial and governmental services as well as social networking and communications. Broken access control vulnerabilities pose a huge risk to that ecosystem because they allow the attacker to circumvent the allocated permissions and rights and perform actions that he is not authorized to perform. This paper gives a broad survey of current research progress on approaches used to detect the exploitation of access control vulnerabilities and attacks in web application components. It categorizes these approaches based on their key techniques and compares the different detection methods, in addition to evaluating their strengths and weaknesses. We also spotted and elaborated on some exciting research gaps found in the current literature. Finally, the paper summarizes the general detection approaches and suggests potential research directions for the future.
AN INNOVATIVE PATTERN BASED PASSWORD METHOD USING TIME VARIABLE WITH ARITHMET... - ijistjournal
In today's world, securing assets is necessary, and that can be done with a password. But imagine the password is stolen or hacked; then what about the security of the assets? In this paper, we have discussed the major attacks as well as password authentication/security methods and techniques. We have proposed a password security method where arithmetic operations are performed on a user-selected pattern from time variables to generate a secure password. The task of validating the password, or authenticating the user, can be done on both the client and the server side. We have analysed how the proposed scheme defends against brute force, dictionary, phishing, shoulder surfing, key logger, video recording and replay attacks. To the best of our knowledge, our pattern-based time variable password method with arithmetic operations is the one which is able to defend against all the major attacks together.
A Review paper on Securing PHP based websites From Web Application Vulnerabil... - Editor IJMTER
In today's era, web applications are one of the most ubiquitous platforms for information sharing and services over the Internet, and they play a significant role in individual life as well as in any country's growth. Web applications have gone through very rapid growth as they are increasingly used for financial organizations, government, hospitality and many critical services. Web applications have become a popular and precious target for security attacks. At the present time, billions of transactions are done online through net banking, online shopping, online billing and many more. Even though these applications are used by lots of people, modern web applications often implement the complex structure required for a user to carry out actions in a given order; in many cases the security level is too low, which makes them vulnerable to being compromised. Even though a large number of techniques have been developed to build up web applications and mitigate the attacks toward web applications, there is little effort devoted to drawing relations among these techniques and building a big picture of web application security (WAS) research. In this paper, we present a survey on various types of web application vulnerabilities (WAV).
ABSTRACT
Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as "the weakest link" in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords that are either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users' credentials. To overcome this problem, we proposed a novel authentication system, PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental results, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.
Keywords: Graphical Passwords, Authentication, Shoulder Surfing Attack.
SECURITY ANALYSIS ON PASSWORD AUTHENTICATION SYSTEM OF WEB PORTAL - cscpconf
Portal sites provide not only search engines and e-mail services but also various services including blogs, news, shopping, and others. The fact that the average number of daily logins for the Korean portal site Naver is reaching 300 million suggests that many people are using portal sites. One of the most famous social network services, Facebook, reached 1.2 billion 30 million subscribers as of February 2014. With the increase in the number of users, followed by the diversity in types of services provided by portal sites and SNS, attacks are also increasing. Therefore, the objective of this study lies in analysing the whole procedure of the password authentication systems of portal sites and SNS and analysing the security threats that may occur accordingly. Also, the security requirements corresponding to the analysed security threats were extracted, and an analysis of the implementation of those security requirements by portal sites and SNS was conducted.
A Novel Passwordless Authentication Scheme for Smart Phones Using Elliptic Cu... - ADEIJ Journal
Today, a large number of people access the internet through their smart phones to log in to their bank accounts, social networking accounts and various other blogs. In such a scenario, user authentication has emerged as a major security issue in the mobile internet. To date, password-based authentication schemes have been extensively used to provide authentication and security. Password-based authentication has always been cumbersome for users because human memory is transient and remembering a large number of long and complicated passwords is impossible. Also, it is vulnerable to various kinds of attacks like brute force, rainbow table, dictionary, sniffing, shoulder surfing and so on. As the main contribution of this paper, a new passwordless authentication scheme for smart phones is presented which not only resolves all the weaknesses of password-based schemes but also provides robust security. The proposed scheme relieves users from memorizing and storing long and complicated passwords. The proposed scheme uses ECDSA, which is based on Elliptic Curve Cryptography (ECC). ECC has remarkable strength and efficiency advantages in terms of bandwidth, key sizes and computational overhead over other public key cryptosystems. It is therefore suitable for resource-constrained devices like smart phones. Furthermore, the proposed scheme incorporates CAPTCHA, which plays a very important role in protecting web resources from spamming and other malicious activities. To the best of our knowledge, until now no passwordless user authentication protocol based on ECC has been proposed for smart phones. Finally, the security and functionality analysis shows that, compared with existing password-based authentication schemes, the proposed scheme is more secure and efficient.
Intrusion detection architecture for different network attackseSAT Journals
Abstract Now these days most of the work is carried out by internet. So web application becomes important part of today’s life, such as online banking, social networking, online shopping, enabling communication and management of personal information. So web services now have shifted to multi-tier design to accommodate this increase in web application and data complexity. Due to this high use of web application networks attacks increased with malicious purpose. DoubleGuard is an Intrusion Detection System helps to detect and prevent the networks attacks. DoubleGuard is able to find out attacks after checking web and database requests. Along with this, in this paper adding one more level that is admin, it is responsible for the training to the system, log generation, blacklist and employee entry. This IDS system provides security to prevent both the web server and database server. Key Words: DoubleGuard; Web Application; Multitier; IDS; Attacks.
The International Journal of Engineering and Science (The IJES)theijes
The International Journal of Engineering & Science is aimed at providing a platform for researchers, engineers, scientists, or educators to publish their original research results, to exchange new ideas, to disseminate information in innovative designs, engineering experiences and technological skills. It is also the Journal's objective to promote engineering and technology education. All papers submitted to the Journal will be blind peer-reviewed. Only original articles will be published.
A CRYPTOGRAPHIC MUTUAL AUTHENTICATION SCHEME FOR WEB APPLICATIONSIJNSA Journal
The majority of current web authentication is built on username/password. Unfortunately, password replacement offers more security, but it is difficult to use and expensive to deploy. In this paper, we propose a new mutual authentication scheme called StrongAuth which preserves most password authentication advantages and simultaneously improves security using cryptographic primitives. Our scheme not only offers webmasters a clear framework which to build secure user authentication, but it also provides almost the same conventional user experience. Security analysis shows that the proposed scheme fulfills the required user authentication security benefits, and can resist various possible attacks.
Count based hybrid graphical password to prevent brute force attack and shoul...eSAT Publishing House
IJRET : International Journal of Research in Engineering and Technology is an international peer reviewed, online journal published by eSAT Publishing House for the enhancement of research in various disciplines of Engineering and Technology. The aim and scope of the journal is to provide an academic medium and an important reference for the advancement and dissemination of research results that support high-level learning, teaching and research in the fields of Engineering and Technology. We bring together Scientists, Academician, Field Engineers, Scholars and Students of related fields of Engineering and Technology.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...DanBrown980551
Do you want to learn how to model and simulate an electrical network from scratch in under an hour?
Then welcome to this PowSyBl workshop, hosted by Rte, the French Transmission System Operator (TSO)!
During the webinar, you will discover the PowSyBl ecosystem as well as handle and study an electrical network through an interactive Python notebook.
PowSyBl is an open source project hosted by LF Energy, which offers a comprehensive set of features for electrical grid modelling and simulation. Among other advanced features, PowSyBl provides:
- A fully editable and extendable library for grid component modelling;
- Visualization tools to display your network;
- Grid simulation tools, such as power flows, security analyses (with or without remedial actions) and sensitivity analyses;
The framework is mostly written in Java, with a Python binding so that Python developers can access PowSyBl functionalities as well.
What you will learn during the webinar:
- For beginners: discover PowSyBl's functionalities through a quick general presentation and the notebook, without needing any expert coding skills;
- For advanced developers: master the skills to efficiently apply PowSyBl functionalities to your real-world scenarios.
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Transcript: Selling digital books in 2024: Insights from industry leaders - T...BookNet Canada
The publishing industry has been selling digital audiobooks and ebooks for over a decade and has found its groove. What’s changed? What has stayed the same? Where do we go from here? Join a group of leading sales peers from across the industry for a conversation about the lessons learned since the popularization of digital books, best practices, digital book supply chain management, and more.
Link to video recording: https://bnctechforum.ca/sessions/selling-digital-books-in-2024-insights-from-industry-leaders/
Presented by BookNet Canada on May 28, 2024, with support from the Department of Canadian Heritage.
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Essentials of Automations: Optimizing FME Workflows with ParametersSafe Software
Are you looking to streamline your workflows and boost your projects’ efficiency? Do you find yourself searching for ways to add flexibility and control over your FME workflows? If so, you’re in the right place.
Join us for an insightful dive into the world of FME parameters, a critical element in optimizing workflow efficiency. This webinar marks the beginning of our three-part “Essentials of Automation” series. This first webinar is designed to equip you with the knowledge and skills to utilize parameters effectively: enhancing the flexibility, maintainability, and user control of your FME projects.
Here’s what you’ll gain:
- Essentials of FME Parameters: Understand the pivotal role of parameters, including Reader/Writer, Transformer, User, and FME Flow categories. Discover how they are the key to unlocking automation and optimization within your workflows.
- Practical Applications in FME Form: Delve into key user parameter types including choice, connections, and file URLs. Allow users to control how a workflow runs, making your workflows more reusable. Learn to import values and deliver the best user experience for your workflows while enhancing accuracy.
- Optimization Strategies in FME Flow: Explore the creation and strategic deployment of parameters in FME Flow, including the use of deployment and geometry parameters, to maximize workflow efficiency.
- Pro Tips for Success: Gain insights on parameterizing connections and leveraging new features like Conditional Visibility for clarity and simplicity.
We’ll wrap up with a glimpse into future webinars, followed by a Q&A session to address your specific questions surrounding this topic.
Don’t miss this opportunity to elevate your FME expertise and drive your projects to new heights of efficiency.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Neuro-symbolic is not enough, we need neuro-*semantic*Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
I1804015458
IOSR Journal of Computer Engineering (IOSR-JCE)
e-ISSN: 2278-0661, p-ISSN: 2278-8727, Volume 18, Issue 4, Ver. I (Jul.-Aug. 2016), PP 54-58
www.iosrjournals.org
DOI: 10.9790/0661-1804015458 www.iosrjournals.org 54 | Page
An Enhanced Password-Username Authentication System Using Cryptographic Hashing and Recognition Based Graphical Password
Tivkaa, M.L.¹; Choji, D. N.²; Agaji, I.³; Atsa'am, D.⁴
¹ ² ³ ⁴ (Department of Mathematics/Statistics/Computer Science, University of Agriculture, Makurdi, Nigeria)
Abstract: Password-username authentication is a critical component of today's web application technology that is commonly used to control access to restricted resources. However, poor design, coding flaws and weak user login credentials expose this functionality to Sequel Query Language Injection (SQLI) and online password guessing attacks. Current techniques advanced by researchers to address authentication attacks focus on only one of them, thus failing to envisage a scenario in which the login form is used to launch both SQLI and online password guessing attacks. To address this challenge, this paper presents an authentication solution that addresses SQLI and online password guessing attacks on the login form as implemented in generic web applications. The solution combines plain text credentials that are cryptographically hashed at runtime with recognition based graphical login credentials. The goal is to always guarantee access to a user account even when that account is under attack, while at the same time ensuring a convenient and secure login experience for legitimate users. This is achieved by blocking the Internet Protocol (IP) addresses from which there are unsuccessful login attempts. Security testing shows that the solution is not vulnerable to SQLI and online password guessing attacks.
Keywords: Authentication, Password Guessing, Graphical Password, SQL Injection, Web Application Security
I. Introduction
Web applications have become popular internet services and are critical to the survival of many enterprises that rely on them. To restrict access to privileged information stored on the web, various authentication schemes such as biometrics, unregistered user requirements, public key cryptography, keystroke dynamics, click pattern, graphical passwords, one-time password, digital signatures, authentication panel, zero-knowledge proof as well as password/username are implemented in various web applications [1][2]. However, the most commonly used method of authentication is the password/username combination, which is implemented using a traditional HTML login form with input fields that allow users to enter their username and text based password [1][3].
Though prominent, the password/username authentication pattern carries vulnerabilities in its web application implementations, chiefly the threat of password guessing and Sequel Query Language Injection (SQLI) attacks [4][5]. Various studies have shown that the cause of SQLI is largely poorly sanitized input from users [6][7]. Password guessing attacks, on the other hand, are usually successful against weak passwords, poor password enforcement policies, and poor design of the authentication functionality as well as its implementation [8].
To address the problem of SQL Injection Attacks (SQLIAs), researchers have advanced several techniques ranging from defensive coding best practices to automated frameworks for detection and prevention of these forms of attacks [9]. In the same way, techniques such as account lockout, Completely Automated Public Turing Test to Tell Computers and Humans Apart (Captcha) and the use of graphical passwords have been proposed by researchers to solve the problem of online password guessing attacks on login forms [8][10][11]. Though these techniques are contextually efficient, they fall short of addressing SQLI and password guessing attacks in one solution; researchers have thus failed to preconceive the possibility of an attacker using the login form to launch both SQLI and online password guessing attacks.
II. Related Works
2.1 Password Guessing Attacks
A password guessing attack is an attempt by a malicious user to gain unauthorized access to an application resource by repeatedly trying entries from large word lists as login credentials [4]. These attacks manifest in various forms such as manual, brute-force and dictionary attacks. The cause of password guessing attacks is the use of weak passwords as well as poor password implementation policies. To defend against this threat, [12] proposed a system known as the Password Guessing Resistant Protocol. This approach sought to minimize the use of Completely Automated Public Turing Test to tell Computers and Humans Apart (Captcha).
It enforces Captcha after a limited number of failed login attempts from a computer that is known to the system or user, which according to the technique is identified by its IP address as well as cookies sent by the browser, which are stored as a white-list on the server. Though this approach will slow down the rate of attack, it has the drawback of associating a legitimate user with so many IP addresses that in the long run they will be difficult to manage. Similarly, if the user uses different browsers or more than one operating system on the same machine, then it will be difficult to effectively identify the user in all cases. The identity of the user can also be manipulated if browser cookies are altered by way of cookie theft.
In a similar way, [13] proposed a hybrid graphical password system that requires a user who has registered with a username, password and a graphic image to provide the username and password and redraw the graphic image to match the stored graphic during authentication. While this system will be easy to use for technology-savvy users, it will be a challenge for non-technology-friendly individuals. Another drawback of the system is the challenge of drawing the graphic to exactly the same coordinates as the stored one. A further issue with this approach is that it is better suited to smart screens, making it difficult for users who do not have such devices to authenticate.
Another obvious method quite often deployed by developers to mitigate online password guessing attacks is the account lockout security pattern [10]. Account lockout simply means denying access to a specific account after a set number of incorrect password attempts. Account lockout can last a specific duration, such as one hour, or the affected account could remain blocked until manually unblocked by the account administrator. Wrongful implementation of this strategy could lead to other forms of attack such as denial of service (DoS). Also, if this functionality is not implemented properly, it can be a fertile place for reconnaissance.
2.2 SQL Injection Attacks
SQL Injection is an attack vector that allows a malicious user to inject harmful SQL query statements that are executed by the application logic [6][11][14]. SQL Injection attacks arise when the application is designed to process user data without proper validation. SQLIAs represent one of the main security issues in database driven web applications [15]. According to the Open Web Application Security Project [16], SQL Injection attacks remain one of the most dangerous attack vectors today and are at the top of its annual report. SQL injection is mainly launched through web forms such as login functionality and by altering query string parameters. There are various forms of SQLIAs such as tautology, piggy-backed, union query and blind injection attacks [17][11][6]. Though their attack methodologies vary, the intent is the same: data theft, damage to corporate image, denial of service etc.
To address the challenge of SQLIAs, [18] proposed a technique that checks user credentials against encrypted values through placeholders in stored procedures. This technique is efficient against code injection; however, it assumes that the developer approaches development in a particular way, especially in the coding of the stored procedures. If these are written insecurely, the approach will be ineffective. Again, it leaves the attacker free to launch another attack vector such as password guessing attacks.
Another method that is often applied in solving SQLIAs is the application of defensive coding techniques such as pattern matching, input validation etc. [19] argue that the best approach in tackling these vulnerabilities is the use of suitable and applicable defensive and secure coding practices such as proper input sanitization, use of parameterized queries, guarding against input sources, input type checking and hiding default application errors. This shows that secure code is rooted in the behaviour, orientation and awareness of developers about security issues as they relate to the web applications they develop. This is indeed a convincing reason for proper usage of defensive coding techniques.
Most of these defensive coding practices come at the expense of performance and ease of use, largely because security is treated as an add-on rather than being considered part of the goal of the system right from the design stages [20].
III. Proposed Technique
To mitigate online password guessing and SQLI attacks on our authentication functionality, we present a technique that combines the use of a cryptographic hashing algorithm, a recognition based graphical password and parameterized queries. A randomly generated salt, which is stored in the user's database table, is combined with the user's chosen plain text password to produce and save the final hashed password during the plain text registration phase. A user is also expected to set up his graphical login details as a second stage in the registration process by selecting an image category and choosing a specific image under that category to complete the registration phase. During authentication a user is allowed two login attempts using his plain text credentials; the password hash is computed at runtime using the salt generated at the registration phase. After two failed attempts, a user is allowed to log in using his graphical password. The user, who is identified by IP address, is subsequently blocked after one failed graphical login attempt. The entire algorithm is summarized in Fig. 1 below:
Fig 1: Flowchart of the proposed technique
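The two-stage login described in Section III, written out as an added example (this is not the paper's own .NET/ADO.NET code): registration stores a random per-user salt and a salted hash, both stages query the user table only through parameterized statements, two failed plain text attempts open the graphical stage, and one failed graphical attempt locks the account against the requesting IP while other IPs stay unaffected. An in-memory SQLite database stands in for MS SQL; the paper names no hash algorithm, so PBKDF2-HMAC-SHA256 is an assumption, as are the table and function names and the demo credentials.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo: an in-memory SQLite database stands in for the paper's MS SQL
# server. The paper names no hash algorithm; PBKDF2-HMAC-SHA256 is assumed here.
PBKDF2_ITERATIONS = 100_000
PASSWORD_ATTEMPTS = 2    # plain text attempts allowed before the graphical stage
GRAPHICAL_ATTEMPTS = 1   # graphical attempts allowed before the source IP is locked out


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            username TEXT PRIMARY KEY,
            salt BLOB NOT NULL,            -- random per-user salt, stored with the hash
            pw_hash BLOB NOT NULL,
            image_category TEXT NOT NULL,  -- recognition based graphical credential
            image_id INTEGER NOT NULL
        );
        -- an account is locked against the IP that failed the graphical stage
        CREATE TABLE ip_locks (username TEXT NOT NULL, ip TEXT NOT NULL,
                               PRIMARY KEY (username, ip));
    """)
    return db


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(db, username, password, image_category, image_id):
    salt = os.urandom(16)
    # Parameterized INSERT: user-supplied values never become part of the SQL text.
    db.execute(
        "INSERT INTO users (username, salt, pw_hash, image_category, image_id) "
        "VALUES (?, ?, ?, ?, ?)",
        (username, salt, hash_password(password, salt), image_category, image_id),
    )


class LoginSession:
    """Progress of one client (identified by source IP) through the two-stage login."""

    def __init__(self, db, ip):
        self.db = db
        self.ip = ip
        self.password_failures = 0

    def _locked(self, username):
        row = self.db.execute(
            "SELECT 1 FROM ip_locks WHERE username = ? AND ip = ?", (username, self.ip)
        ).fetchone()
        return row is not None

    def login_password(self, username, password):
        """Stage 1. Returns 'ok', 'retry', 'graphical_required' or 'locked'."""
        if self._locked(username):
            return "locked"
        if self.password_failures >= PASSWORD_ATTEMPTS:
            return "graphical_required"
        row = self.db.execute(
            "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        # Recompute the hash at runtime with the stored salt; compare in constant time.
        if row is not None and hmac.compare_digest(hash_password(password, row[0]), row[1]):
            return "ok"
        self.password_failures += 1
        return "retry" if self.password_failures < PASSWORD_ATTEMPTS else "graphical_required"

    def login_graphical(self, username, image_category, image_id):
        """Stage 2. Returns 'ok', 'password_required' or 'locked'."""
        if self._locked(username):
            return "locked"
        if self.password_failures < PASSWORD_ATTEMPTS:
            return "password_required"  # the graphical stage opens only after two failures
        row = self.db.execute(
            "SELECT 1 FROM users WHERE username = ? AND image_category = ? AND image_id = ?",
            (username, image_category, image_id),
        ).fetchone()
        if row is not None:
            return "ok"
        # One failed graphical attempt locks this account against this IP only.
        self.db.execute(
            "INSERT OR IGNORE INTO ip_locks (username, ip) VALUES (?, ?)", (username, self.ip)
        )
        return "locked"
```

A tautology string submitted as the username simply fails to match any row, because the driver binds it as data; and after a lock, a session from a different IP still authenticates with the correct password, which is the property the paper relies on to avoid denial of service through the login form.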
IV. Materials/Methods
The proposed solution used the Microsoft Secure Development Life-Cycle as the software development model. The program structure was designed using the .NET Code-Behind programming structure, while ADO.NET 2.0 was used as the underlying data access logic and MS SQL served as the database server. Microsoft's threat modeling methodology was used to model the security of the authentication functionality. To achieve this effectively, the Microsoft Threat Modeling Tool (TMT) was used to draw the application Data Flow Diagrams (DFDs), which represent the different components of the application. The TMT then classified threats using the built-in Microsoft STRIDE model and rated them using the built-in DREAD model. The proposed authentication solution was tested using TamperIE to evaluate its effectiveness.
V. Results
In this section, we present the result obtained by implementing the proposed technique, which is deployed locally as a web application over a secured communication channel using Secure Socket Layer (SSL).
Figure 2: SQLI attack scenario
Fig. 2 shows an SQLI attack on the login form. Upon submission of the login form, TamperIE automatically intercepts the data as shown in Fig. 2 without sending it to the server. To manipulate the name/value pairs in the TamperIE read/write mode, the tautology attack string ' OR '1'='1 is selected and run
against the login form by clicking the "send altered data" button at the top right corner. Several other SQLI constructs in TamperIE were also selected and run against the login form. The result was unsuccessful automated SQLI attacks, as seen in Fig. 3.
Figure 3: Failed SQLI attack
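To show why the tautology test of Fig. 2 fails against a parameterized login, the added example below (not from the paper) replays the payload against a deliberately vulnerable string-concatenated lookup beside the parameterized one, placing it in the username field, the password field and both. The table, the constructed account and the function names are assumptions; the plain text password column exists only so the vulnerable 'before' has something to compare against.

```python
import sqlite3

# The tautology payload shown in Fig. 2, with the PDF's curly quotes repaired.
TAUTOLOGY = "' OR '1'='1"


def make_db():
    # Constructed demo table with a plain text password, as the vulnerable lookup expects.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('alice', 'constructed-secret')")
    return db


def vulnerable_lookup(db, username, password):
    """Deliberately vulnerable 'before': form values are spliced into the SQL text."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def parameterized_lookup(db, username, password):
    """Hardened 'after': the driver binds the values, so they can only ever be data."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def run_tautology_tests():
    """Replay the Fig. 2 test with the payload in each form field.

    Returns {case: (vulnerable_bypassed, parameterized_bypassed)}.
    """
    db = make_db()
    cases = {
        "username_only": (TAUTOLOGY, "x"),
        "password_only": ("alice", TAUTOLOGY),
        "both_fields": (TAUTOLOGY, TAUTOLOGY),
    }
    return {
        name: (vulnerable_lookup(db, u, p), parameterized_lookup(db, u, p))
        for name, (u, p) in cases.items()
    }
```

The parameterized lookup rejects every variant. The concatenated lookup is bypassed when the payload reaches the last predicate, but not when it sits only in the username field, because AND binds tighter than OR and the password predicate still has to hold. A security test that tries the payload in a single field can therefore report a false negative against a vulnerable form, so a test plan like the one in Fig. 2 should exercise every submitted field.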
Figure 4: Graphical login page attack
Fig. 4 shows TamperIE used to manipulate the graphical login page by changing image Identity (ID) numbers in an automated attack. This attack scenario is unsuccessful because only one login attempt is allowed using the graphical login details. This prevents a malicious user from launching effective dictionary or brute force attacks on the login functionality from the logged IP address, and forces the user to request a password reset while the account is locked against the suspected IP address.
This security feature is important because it does not prevent a legitimate user from accessing his account even when the account is locked against an IP address. This signifies the failure of Denial of Service (DoS) through the login functionality. However, it makes life difficult for an attacker wishing to launch password guessing attacks unless the attacker changes IP address, which is a cumbersome endeavour in the circumstances.
VI. Conclusion
The paper presents an authentication solution that combines traditional password-username credentials with graphical image login credentials. The solution gives the user flexibility and convenience of use while at the same time maintaining the security considerations in the design of the solution. The test result showed that the use of threat modeling in the design of an application had a tremendous impact on application security, because security considerations were part of the development process.
The result showed that the application was not vulnerable to SQLI and online password guessing attacks. Remarkably, it was able to block malicious users based on their IP addresses while still allowing access to legitimate users. This technique can be used in web applications that use the password-username authentication scheme. In the future a solution will be proposed to enable the application to learn automatically from previous attacks.
References
[1]. Kiiski, Lauri. "Security Patterns in Web Applications." Publications in Telecommunications Software and Multimedia Laboratory (2007). Available at: http://www.tml.tkk.fi/Publications/C/25/papers/Kiiski_final.pdf (Last accessed: November 2011).
[2]. Jesudoss, A., and N. Subramaniam. "A Survey on Authentication Attacks and Countermeasures in a Distributed Environment." Indian Journal of Computer Science and Engineering 5(2) (2014).
[3]. Kienzle, Darrell M., and Matthew C. Elder. "Final technical report: Security patterns for web application development." DARPA, Washington DC (2002).
[4]. Dave, Sachin R., and Vaishali B. Bhagat. "Defeating online password guessing attack using 3 tier security." International Journal of Application or Innovation in Engineering & Management 2(12) (2013).
[5]. Kindy, Diallo Abdoulaye, and Al-Sakib Khan Pathan. "A detailed survey on various aspects of SQL injection in web applications: Vulnerabilities, innovative attacks, and remedies." arXiv preprint arXiv:1203.3324 (2012).
[6]. Gandhi, Mihir, and Jwalant Baria. "SQL Injection Attacks in Web Application." International Journal of Soft Computing and Engineering 2(6) (2013).
[7]. Balasundaram, Indrani, and E. Ramaraj. "An authentication mechanism to prevent SQL injection attacks." International Journal of Computer Applications 19(1) (2011): 30-33.
[8]. Pinkas, Benny, and Tomas Sander. "Securing passwords against dictionary attacks." Proceedings of the 9th ACM Conference on Computer and Communications Security, 18 Nov. 2002: 161-170.
[9]. Halfond, William G. J., and Alessandro Orso. "Detection and prevention of SQL injection attacks." Malware Detection (2007): 85-109.
[10]. Scambray, Joel, Mike Shema, and Caleb Sima. Hacking Exposed: Web Applications. San Francisco: McGraw-Hill, 2006.
[11]. Kumar, K. V., and D. J. Das. "Advanced Detecting and Defensive Coding Techniques to Prevent SQLIAs in Web Applications: A Survey." International Journal of Science and Modern Engineering (6) (2013).
[12]. Garg, Nitin, Raghav Kukreja, and Pitambar Sharma. "Revisiting Defences against Large Scale Online Password Guessing Attacks." International Journal of Scientific and Research Publications 3(4) (2013).
[13]. Khan, Wazir Zada, Mohammed Y. Aalsalem, and Yang Xiang. "A graphical password based system for small mobile devices." arXiv preprint arXiv:1110.3844 (2011).
[14]. Shehu, Bojken, Aleksander Xhuvani, and Shqiponja Ahmetaj. "Methods of Identifying and Preventing SQL Attacks." International Journal of Computer Science 9(6) (2012).
[15]. Ali, Shaukat, Azhar Rauf, and Huma Javed. "SQLIPA: An authentication mechanism against SQL injection." European Journal of Scientific Research 38(4) (2009): 604-611.
[16]. Wichers, Dave. "OWASP Top-10 2013." OWASP Foundation, February 2013.
[17]. Anley, Chris. "Advanced SQL injection in SQL Server applications." 31 Jan. 2002.
[18]. Rani, D. R., B. S. Kumar, T. R. Rao, V. T. Jagadish, and M. Pradeep. "Web Security by Preventing SQL Injection Using Encryption in Stored Procedure." International Journal of Computer Science and Information Technologies 3(2) (2012): 3689-3692.
[19]. Borade, Monali R., and Neeta A. Deshpande. "Extensive Review of SQLIAs Detection and Prevention Techniques." International Journal of Emerging Technology and Advanced Engineering 3(10) (2013).
[20]. Yee, Ka-Ping. "Aligning security and usability." IEEE Security & Privacy 2(5) (2004): 48-55.