DESIGN AND IMPLEMENTATION OF AUTHENTICATION SCHEME BY ENCRYPTED NEGATIVE PASSWORD

A Project Presented to the Faculty of California State Polytechnic University, Pomona

In Partial Fulfillment of the Requirements for the Degree Master of Science in Computer Science

By Laxmi Chidri
2019

SIGNATURE PAGE

PROJECT: DESIGN AND IMPLEMENTATION OF AUTHENTICATION SCHEME BY ENCRYPTED NEGATIVE PASSWORD
AUTHOR: Laxmi Chidri
DATE SUBMITTED: Fall 2019
Department of Computer Science

Dr. Gilbert Young, Project Committee Chair, Computer Science
Dr. Yu Sun, Computer Science

ABSTRACT

Secure password storage is vital in systems based on password authentication, which is still the most widely used authentication technique despite its security flaws. In this project, we propose a password authentication framework that is designed for secure password storage and can be easily integrated into existing authentication systems. In our framework, the plain password received from a client is first hashed through a cryptographic hash function (e.g., SHA-256). Then, the hashed password is converted into a negative password. Finally, the negative password is encrypted into an Encrypted Negative Password (abbreviated as ENP) using a symmetric-key algorithm (e.g., AES), and multi-iteration encryption can be employed to further improve security. The cryptographic hash function and symmetric encryption make it difficult to crack passwords from ENPs. Moreover, many ENPs correspond to a given plain password, which makes precomputation attacks (e.g., lookup table attack and rainbow table attack) infeasible. The algorithm complexity analyses and comparisons show that the ENP can resist lookup table attack and provide stronger password protection under dictionary attack.
Notably, the ENP does not introduce extra elements (e.g., salt), yet it can still resist precomputation attacks. Most importantly, the ENP is the first password protection scheme that combines the cryptographic hash function, the negative password and the symmetric-key algorithm, without the need for additional information except the plain password.

TABLE OF CONTENTS

SIGNATURE PAGE
ABSTRACT
LIST OF TABLES
LIST OF FIGURES
CHAPTER 1
CHAPTER 2
CHAPTER 3
CHAPTER 4
CHAPTER 5
CHAPTER 6
CHAPTER 7
CHAPTER 8
CHAPTER 9
CHAPTER 10
REFERENCES

LIST OF TABLES

Table 1. Software Requirements
Table 2. Hardware Requirements
Table 3. Mode of Operations
Table 4. User Operations
Table 5. 8 bit lookup table

LIST OF FIGURES

Figure 1: Block Diagram of ENP
Figure 2: Block Diagram for Registration phase
Figure 3: Flow diagram for Authentication phase
Figure 4: Block diagram for Verification phase
Figure 5: Flow diagram for Verification phase
Figure 6: Flow diagram for ENP-As-A-Service
Figure 7: Flow Diagram of ENP
Figure 8: Usage Statistics
Figure 9: Use case diagram for ENP
Figure 10: Sequence Diagram 1
Figure 11: Sequence Diagram 2
Figure 12: Sequence Diagram 3
Figure 13: Sequence Diagram 4
Figure 14: Class diagram 1
Figure 15: Class diagram 2
Figure 16: Class diagram 3
Figure 17: Class diagram 4
Figure 18: Program Mapping
Figure 19: Block diagram of AES Algorithm
Figure 20: AddRound Key generation
Figure 21: SubByte generation
Figure 22: ShiftRows generation
Figure 23: MixColumn generation
Figure 24: HomePage Screenshot
Figure 25: Registration Phase Screenshot
Figure 26: Verification Phase Screenshot
Figure 27: ENP-As-A-Service Screenshot
Figure 28: Usage Statistics of ENP service

CHAPTER 1

INTRODUCTION

1.1 Problem Identification

Owing to the development of the Internet, a vast number of online services have emerged, in which password authentication is the most widely used authentication technique, for it is available at a low cost and easy to deploy. Hence, password security always attracts great interest from academia and industry. Despite great research achievements on password security, passwords are still cracked because of users' careless behavior. For instance, many users select weak passwords; they tend to reuse the same passwords in different systems; and they usually set their passwords using familiar vocabulary because it is convenient to remember.

In addition, system problems may cause password compromises. It is very difficult to obtain passwords from high security systems. On the one hand, stealing authentication data tables (containing usernames and passwords) in high security systems is difficult. On the other hand, when carrying out an online guessing attack, there is usually a limit to the number of login attempts. However, passwords may be leaked from weak systems. Vulnerabilities are constantly being discovered, and not all systems can be patched in time to resist attacks, which gives adversaries an opportunity to illegally access weak systems. In fact, some old systems are more vulnerable due to their lack of maintenance. Finally, since passwords are often reused, adversaries may log into high security systems through cracked passwords
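
The first two steps summarized in the abstract (SHA-256, then conversion to a negative password), as an added Python example that is not the project's own code. It assumes a prefix-style negative database construction, which this page does not specify, and omits the AES step; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

def hash_bits(password):
    """SHA-256 of the plain password as a 256-character bit string."""
    digest = hashlib.sha256(password.encode("utf-8")).digest()
    return "".join(f"{byte:08b}" for byte in digest)

def to_negative_password(bits, rng=None):
    """Assumed prefix construction: entry i pins i already-used positions to
    the hash bits, flips one new position, and leaves the rest as '*'."""
    rng = rng or secrets.SystemRandom()
    order = list(range(len(bits)))
    rng.shuffle(order)                      # a fresh permutation per registration
    entries = []
    for i, pos in enumerate(order):
        entry = ["*"] * len(bits)
        for earlier in order[:i]:
            entry[earlier] = bits[earlier]
        entry[pos] = "1" if bits[pos] == "0" else "0"
        entries.append("".join(entry))
    rng.shuffle(entries)                    # stored order carries no information
    return entries

def solve(entries):
    """Return the one bit string no entry matches, or None if malformed."""
    m = len(entries)
    if m == 0 or any(len(e) != m or set(e) - set("01*") for e in entries):
        return None
    known = {}
    for i, entry in enumerate(sorted(entries, key=lambda e: -e.count("*"))):
        fixed = {p: c for p, c in enumerate(entry) if c != "*"}
        new = [p for p in fixed if p not in known]
        if len(fixed) != i + 1 or len(new) != 1:
            return None
        if any(fixed[p] != known[p] for p in known):
            return None
        known[new[0]] = "1" if fixed[new[0]] == "0" else "0"
    return "".join(known[p] for p in range(m))

def verify(password, entries):
    """Accept only if the hidden string equals the hash of this password."""
    hidden = solve(entries)
    return hidden is not None and hmac.compare_digest(hidden, hash_bits(password))
```

Each call to `to_negative_password` draws a new permutation, so one password maps to many different stored values. Because `solve` recovers the hash from an unencrypted negative password, the stored value is only protected once the symmetric-encryption step from the abstract is applied.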