IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.11, November 2010 135
An Image Based Authentication System- Using Needham Schroeder Protocol
Raman Kumar1, Asmita Puri 2,Vivek Gautam 3 and Saumya Singla4
1,2,3,4 Department of Computer Science and Engineering, 1,2,3,4 D A V Institute of Engineering and Technology, Jalandhar, Punjab, India.
Summary key that only we should know. The username is used to With the upcoming technologies available for hacking text based identify us and the password validates us. But with time passwords, there is a need to provide users with a secure the various weaknesses associated with a password have environment that protect their resources against unauthorized come to surface. It is always possible for people other than access by enforcing control mechanisms. To counteract the the authenticated user to posses its knowledge at the same increasing threat, Image Based Authentication (IBA) has been time. Password thefts can and do happen on a regular basis, introduced. Apart from being more secure than usual text based passwords, IBA has proved to be an asset as it is user friendly. so there is a need to protect them. Rather than using some IBA generally encapsulates the Needham Schroeder Protocol random set of alphabets and special characters as the (NSP) and provides client a completely unique and secured passwords we need something new and something authentication tool to work on. This paper however proposes a unconventional to ensure safety. At the same time we need hypothesis regarding the use of Needham Schroeder Protocol and to make sure that it is easy to be remembered by you as is a comprehensive study on the subject of using images as the well as difficult enough to be hacked by someone else. password set. This forms the basis for a secure communication This is where the Image Based Authentication system between the communicating entities. The assortment of image set comes into picture. It is based on a well understood truism as client’s password set aims at thwarting reply attacks. The that the human brain is more adept at recalling a paper also evaluates the performance of this method in terms of its efficiency and time taken. Password authentication protocols previously seen image than a previously seen text. In a are important mean of user authentication on network. Several recent study conducted at the University of California at password authentication protocols have been introduced each Berkeley, image-based authentication (IBA) systems have claiming to withstand to the several attacks, including replay, been found more user friendly than the usual text based password file compromise, denial of service, etc. Then, we systems. Besides being user friendly we need to strengthen present an improvement to the Needham-Schroeder Protocol, in the security during authentication also. order to remove two possible attacks. Therefore, the proposed scheme is secure and efficient against notorious conspiracy attacks. 2. Needham Schroeder Protocol Key words: Image Based Authentication (IBA), Needham Schroeder Protocol The term Needham Schroeder protocol can refer to one of (NSP), Protocol, Attacks, Shoulder Attack, Tempest Attack, Brute two communication protocols intended for use over an Force Attack, Replay Attack and Other Attacks. insecure network, both proposed by Roger Needham and Michael Schroeder [1]. Needham Schroeder Protocol is 1. Introduction one of the earliest computer network authentication protocol designed for use on insecure networks (e.g. Authentication plays an important role in protecting internet). It allows individuals communicating over a resources against unauthorized use. Since the advent of the network to prove their identity to each other while also computers, man has been looking for various possible preventing eavesdropping. These are: means to make communication among entities secure via 1. The Needham Schroeder Symmetric Key Protocol is various authentication processes which range from simple based on a symmetric encryption algorithm. It forms the password based authentication system to costly and basis for the Kerberos protocol. This protocol aims to computation intensive biometric authentication systems. establish a session key between two parties on a network, Passwords have proved to be very handy. They are not just typically to protect further communication. some key but also serve several purposes. They authenticate us to a machine to prove our identity a secret
Manuscript received November 5, 2010 Manuscript revised November 20, 2010
136 IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.11, November 2010
2. The Needham Schroeder Public-Key Protocol, based on public-key cryptography. This is intended to provide mutual authentication between two parties communicating on a network, but in its proposed form it is insecure. A. The symmetric protocol Here, Alice (A) initiates the communication to Bob (B). Also, • S is a server trusted by both parties. Figure – 1 The symmetric key protocol • KAS is a symmetric key known only to A and S.
• KBS is a symmetric key known only to B and S.
• NA and NB are nonce. A. The public-key protocol The protocol can be specified as follows in security This assumes the use of a public-key encryption algorithm. protocol notation: Here, Alice (A) and Bob (B) use a trusted server (S) to distribute public keys on request. These keys are: A Æ S: A, B, NA • KPA and KSA, respectively public and private halves of Alice sends a message to the server identifying herself an encryption key-pair belonging to A and Bob, telling the server she wants to communicate with Bob. • KPB and KSB, similar belonging to B
S Æ A:{ NA, KAB,B,{KAB,A}KBS}KAS • KPS and KSS, similar belonging to S. (Note this has the property that KSS is used to encrypt and KPS to The server generates KAB and sends back to Alice a decrypt). copy encrypted under KBS for Alice to forward to Bob and also a copy for Alice. Since Alice may be requesting keys The protocol runs as follows: for several different people, the nonce assures Alice that A Æ S: A, B the message is fresh and that the server is replying to that particular message and the inclusion of Bob's name tells A requests B's public keys from S Alice who she is to share this key with. S Æ A: {KPB, B}KSS
A Æ B:{KAB, A}KBS S responds. B's identity is placed alongside KPB for Alice forwards the key to Bob who can decrypt it with confirmation. the key he shares with the server, thus authenticating the A Æ B: {N , A} data. A KPB A invents NA and sends it to B. B Æ A: {NB}KAB B Æ S: B, A Bob sends Alice a nonce encrypted under KAB to show that he has the key. B requests A's public keys.
A Æ B: {NB-1}KAB S Æ B: {KPA, A}KSS Alice performs a simple operation on the nonce, re- Server responds. encrypts it and sends it back verifying that she is still alive B Æ A: {N , N } and that she holds the key. A B KPA B invents NB, and sends it to A along with NA to prove The protocol is vulnerable to a replay attack. If an ability to decrypt with K . attacker records one run of this protocol, then SB subsequently learns the value KAB used, she can then A Æ B: {NB}KPB replay the message {KAB,A}KBS to Bob, who will accept it, A confirms N to B, to prove ability to decrypt with being unable to tell that the key is not fresh. This flaw is B KSA fixed in the Kerberos protocol by the inclusion of a At the end of the protocol, A and B know each other's timestamp. identities, and know both NA and NB. These nonces are not known to eavesdroppers.
IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.11, November 2008 137
3.3 Brute Force Attack
To crack a password, an attacker has to sit and try all the combinations possible. This is not possible in the IBA systems. Reason being the calculations involved are too large to be sorted out. And the time restriction makes ensures the safety.
3.4 Replay Attack
If an attacker uses an older compromised value for KAB, he can then replay the message {KAB,B}KBS to B, who will Figure – 2 The public key protocol accept it, being unable to tell that the key is not fresh. The replay attack is combat by using a little modification based on the Needham Schroeder Protocol. This is done by the ’ 3. Attacks on the protocol introduction of a new nonce NB in the starting itself. Before contacting the server A sets up connection with B ’ sending its ID,A. B then replies with the nonce NB This section discusses the security performance of the Needham Schroeder Protocol system. This also includes encrypted under KAB. This nonce ensures that the session the various preventive measures that have been used to is fresh. Note that NB' is a different nonce from NB.The protect the system against these attacks and to show how inclusion of this new nonce prevents the replaying of a compromised version of {KAB,B}KBS since such a message image based methods are way better than the conventional ’ text based passwords. would need to be of the form {KAB,A,N B}KBS which the attacker can't forge since she does not have KBS. 3.1 Shoulder Attack 3.5 Other Attacks As we know the image set used for password authentication consists of images that are unique and Unfortunately, this protocol is vulnerable to a man-in-the- abstract, not easily describable and differ widely in their middle attack [5]. If an impostor I can persuade A to color schemes and structures. This helps counter the initiate a session with him, he can relay the messages to B shoulder attack. Also this system facilitates that the image and convince B that he is communicating with A. selected is not highlighted, and so the attacker has Ignoring the traffic to and from S, which is unchanged, absolutely no clue as to what image 800x600 pixels, so the the attack runs as follows: entire image grid does not fit in the screen and all the A Æ I: {NA, A}KPI images cannot be seen all at once. A sends NA to I, who decrypts the message with KSI I Æ B: {NA, A}KPB I relay the message to B, pretending that A is 3.2 Tempest Attack communicating B Æ I: {NA, NB}KPA This IBA system ensures that the image that the user B sends N selects is not displayed on the screen but stored in the B background. This is done to make sure that the attacker I Æ A: {NA, NB}KPA gets absolutely no idea about the color coding. Because I relay it to A electromagnetic emanations from a moNSPor can be read by sensitive receiver kept at a certain distance from it. This A Æ I: {NB}KPI aids the attacker to extract the color information from the A decrypts NB and confirms it to I, who learns it images. Even if the attacker manages to extract I Æ B: {N } information of the displayed image grid, he would still B KPB have to figure out the password from the grid which in Here, we re-encrypts NB, and convinces B that he's itself is a tedious task. Also for further security, another decrypted it feature has been introduced wherein the image so selected At the end of the attack, B falsely believes that A is by the user to be viewed appears black and white as well communicating with him, and that NA and NB are known as blurred so as to send out no signal that can be detected only to A and B. by the eavesdropper.
138 IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.11, November 2010
The attack was first described in a 1995 paper by Gavin BÆ A: {NA, NB} KPA Lowe. The paper also describes a fixed version of the B invents N , and sends it to A along with N to prove scheme, referred to as the Needham-Schroeder-Lowe B A ability to decrypt with K . protocol. The fix involves the modification of message six, SB that is we replace: AÆ B: {NB} KPB B Æ A: {N , N } A B KPA A confirms N to B, to prove ability to decrypt with K With the fixed version: B SA At the end of the protocol, A and B know each other's B Æ A: {NA, NB, B}KPA identities, and know both NA and NB. These nonces are not known to eavesdroppers. 4. The Proposed Scheme
Alice (A) and Bob (B) use a trusted server (S) to distribute 5. CONCLUSION public keys on request. These keys are: In this paper, we have shown the various attacks on • K and K , respectively public and private PA SA Needham-Schroeder protocol, possible attacks on protocol, halves of an encryption key-pair belonging to A and the proposed scheme can be able to remove two
• KPB and KSB, similar belonging to B possible attacks on Needham-Schroeder protocol. This scheme is vulnerable to a server spoofing attack and • KPS and KSS, similar belonging to S. (Note this stolen-verifier attacks. In essence, IBA generally has the property that KSS is used to encrypt and encapsulates the Needham Schroeder Protocol (NSP) and KPS to decrypt). provides client a completely unique and secured authentication tool to work on. Comparison of major • KA and KB are encryption keys belonging to respectively Alice (A) and Bob (B). password techniques has been shown in Appendix - I This paper however proposes a hypothesis regarding the use of Needham Schroeder Protocol (NSP) and is a comprehensive study on the subject of using images as the password set. This forms the basis for a secure communication between the communicating entities
Acknowledgments
I (Raman Kumar) deeply indebted to my beloved master, supervisors, my parents and my research laboratory whose help, stimulating suggestions and encouragement helped me in all the time of research for and writing of this paper Figure – 3 The Proposed Scheme for journal. The authors also wish to thank many The protocol runs as follows: anonymous referees for their suggestions to improve this paper. A Æ S: {A, B, KA}KAS References A requests B's public keys from S [1] Andrew S. Tanenbaum and Maarten Van Steen, Distributed S Æ A: {K , B} Systems, Pearson Education. PB Ka [2] C. M. Chen, and W. C. Ku, “Stolen-verifier Attack on two S responds. B's identity is placed alongside KPB for New Strong-password Authentication Protocol,” IEICE confirmation. Transactions on Communications, Vol. E85-B, No. 11, pp. 2519—2521, November 2002. A Æ B: {NA, A}KPB [3] Cristian Darie, Bogdan Brinzarea, Filip Chereches-Tosa, and Mihai Bucica, AJAX and PHP: Building Responsive A invents NA and sends it to B. Web Applications, Paperback, March 1, 2006. B Æ S: {B, A, K } [4] F. Belli, “A Holistic view for Modeling and Testing User B KBS Interactions using Finite-State Techniques,” Proceedings of B requests A's public keys. the 1st South-East European Workshop on Formal Methods, SEEFM'03,Thessaloniki, Greece, November 2003. S Æ B: {KPA, A} KB [5] F. Belli, “Finite-State Testing and Analysis of Graphical Server responds. User Interfaces”, Proc. 12th ISSRE, pp. 34-43, 2001.
IJCSNS International Journal of Computer Science and Network Security, VOL.8 No.11, November 2008 139
[6] F. Belli, K.-E. Grosspietsch, “Specification of Fault- [14] William Stallings, “Cryptography and network security Tolerant System Issues by Predicate/Transition Nets and design and principles”. Regular Expressions – Approach and Case Study”, IEEE [15] Y, Xiao, Security in Distributed and Networking Systems Trans. On Softw. Eng. 17/6, pp. 513-526, 1991. (Computer and Network Security, Hardcover - September [7] Gavin Lowe, “An attack on the Needham-Schroeder public 30, 2007. key authentication protocol”, Information Processing Letters, 56(3):131—136, November 1995. Mr. Raman Kumar working as a [8] John Rushby, “The Needham-Schroeder Protocol in SAL,” Lecturer with the Department of CSL Technical Note, October 2003 (Updated June 2005). Computer Science and Engineering, [9] Richard E. Newman, Piyush Harsh, and Prashant Jayaraman, D A V Institute of Engineering and “Security Analysis of and Proposal for Image Based Technology, Jalandhar. Before joining Authentication,” IEEE Carnahan, 2005. D A V Institute of Engineering and [10] Roger Needham and Michael Schroeder, “Using encryption Technology, Jalandhar, for authentication in large networks of computers. He did his Bachelor of Technology Communications of the ACM”, Journal, 21(12), December with honours in Computer Science and 1978. Engineering from Guru Nanak Dev [11] Sandirigama, A. Shimizu, and M. T. Noda, “Simple and University; Amritsar (A 5 Star NAAC University). He did his secure password authentication protocol (SAS),” IEICE Master of Technology with honours Computer Science and Transactions on Communications, vol.E83-B, pp.1363-1365, Engineering from Guru Nanak Dev University; Amritsar (A 5 June 2000. Star NAAC University). His major area of research is [12] Security Guidelines: Prevention and Response and Hacker Cryptography, Security Engineering and Information security. Attacks, Digital Edition, June 1, 2001. He has various publications in National as well as International [13] Vijay K. Bhargava, H. Vincent Poor, Vahid Tarokh, and Conferences and Journals on his research areas. Seokho Yoon, Communications, Information and Network Security, Hardcover, December 31, 2002. Appendix – I
Techniques Usability Security issues Authentication process Memorability Password space Possible attack methods Text-based Type in password, can be Depends on the password. 94^K(there are 94 printable characters Dictionary attack, password very fast Long and random passwords excluding SPACE,N is the length of the brute force search, are hard to remember. password).The actual password space is guess, spyware, usually much smaller. shoulder, surfing , etc.
Perring and Song Pick several pictures out of Limited user study showed N!/K!(N-K)!(N is the total number of Brute force search, many choices. Takes longer that more people pictures; K is the number of pictures in guess, shoulder to create than to text remembered pictures than the graphical password) surfing password text-based passwords.
Sobrado and Birget Click within area bounded Can be hard to remember N!/K!(N-K)!(N is the total number of Brute force search, by pre-registered picture when large numbers of pictures objects; K is the number of pre- guess objects, can be very fast objects are involved registered objects)
Man, et al., Hong, Type in code of pre- Users have to memorize both Same as the text based password Brute force search, et al. registered picture objects; picture objects and their spyware can be very fast codes. More difficult than text based password
Passface Recognize and pick the pre- Faces are easier to N^K(K is the number of rounds of Dictionary attack, registered pictures; takes remember, but the choices authentication, N is the total number of Brute force search, longer than the text based are still predictable pictures at each round) guess, shoulder password surfing
Jansen et al User register as a sequence Pictures are organized N^K(N is the total number of pictures, K Brute force search, of images; slower than text according to different themes is the number of rounds of guess, shoulder based password to help users remember authentication. N is the small due to the surfing size limit of mobile devices)
140 IJCSNS International Journal of Computer Science and Network Security, VOL.10 No.11, November 2010
Takada and Koike Recognize and click on the Users can use their favorite (N+1)^K(K is the number of rounds of Brute force search, pre-registered images; images; easy to remember authentication, N is the total number of guess, shoulder slower than text based than system assigned pictures at each round) surfing password pictures
Jermyn, et al. Users draw something on a Depends on what users draw. Password space is larger than text based Dictionary attack, Thorpe and van 2D grid User studies showed the password. But the size of DAS password shoulder surfing Oorscho drawing sequence is hard to space decreases significantly with the remember fewer strokes for a fixed password length Syukri, et al. Draw signatures using Very easy to remember but Infinite password space Guess, Dictionary mouse. Need a reliable hard to recognize attack, shoulder signature recognition surfing program Guess, Dictionary attack, shoulder surfing Goldberg et al. Draw something with a Depends on what users draw Infinite password space stylus onto a touch sensitive screen
Blonder, Passlogix, Click on several pre- Can be hard to remember N^K(N is the number of pixels or Brute force search, Wiedenbeck, et al. registered locations of a smallest units of a picture, K is the guess, shoulder picture in the right sequence number of locations to be clicked on surfing