A Novel 3-Layer User Authentication System for Remote Accessibility
2 authors, including:
Kamruddin Nur
American International University-Bangladesh
All content following this page was uploaded by Kamruddin Nur on 13 April 2024.
Abstract—User authentication through password matching is an age-old issue. It has been popularly used in the computing world for its simplicity, flexibility and remote accessibility. Although people later developed and deployed other authentication systems such as Biometrics Authentication and Token-Based Authentication, and despite their higher degree of security, these all suffer from an orthodox problem: remote accessibility to an Internet-based system. Again, for remote access, the general trend of using textual passwords is not guaranteed to be highly secure and, most often, they are breached by intruders using common password-breaking algorithms. Hence, a more reliable, robust, secure and overall simple authentication system for remote accessibility is still needed in the digital world. In this paper, we propose a 3-layer user authentication system for remote access of Internet-based systems that is guaranteed to be more secure, robust and reliable than its existing counterparts. Besides, the proposed system ensures flexibility, reduced complexity and simplicity as well.

Index Terms—User Authentication System, Secured Remote Accessibility, Layered Authentication Architecture, Graphical-Textual Based Authentication, Robust LogIn Mechanism.

I. Introduction

Present user authentication systems can be categorized into three types [1], [2]. First, a textual password based authentication system, where the principle is what you know. A user needs to assign a password before authenticating to the system. Once assigned, the system just checks whether the given user-id and password match the ones stored in the database. Although this scheme has been in widespread use, the universal trade-off of making a textual password easy to remember but difficult to guess ever leads this system to a riddling stage. Second, a token-based authentication system, where the system's principle is to verify what you have. In this system, the user has to carry a token or smart card in order to access the system. The system first takes the card, then takes a password from the user, and finally gives access if both pieces of information provided by the user comply with its database. This authentication system is popular in the banking sector, with tokens such as ATM, debit and credit cards [1]. The third authentication system requires neither a password nor a token; rather, it directly verifies who you are through a biometric detection system. This detection can be the user's retina detection, iris detection, fingerprint detection, face recognition, voice recognition, movement detection, palm-print detection, hand-geometry detection and other popular biometric detections [3].

Clearly, the third authentication system is much more secure and robust than the first and second ones, since it is itself capable of ensuring the authenticity of the user without any confusion. All this system suffers from is the requirement that the user be physically present before the system. Moreover, many people do not always like to let their biological data be used for authentication purposes. In some legal regards, like government security concerns, users may be forced to do so. Consequently, biometric-based authentication is suitable for deployment in a legal-physical environment, not for a virtual environment where remote accessibility is a must. Likewise, we cannot easily make use of the token-based authentication system for accessing an e-mail or social network server. Thus, whenever the question of secure remote access arises, we still have to depend on textual password based user authentication systems. Nevertheless, studies conducted by Klein [4] observed that users of textual-based authentication systems have a common trend of using simple phrases and meaningful dictionary words, 25% of which can be breached by using a small subset of the full password space. Again, they are very vulnerable to hacking and brute-force attacks [5]. Therefore, the textual password based authentication system requires special attention and further improvement, since we cannot go without it for secure access to remote systems.

An alternative to the simple textual password based authentication system is using graphical passwords [6]. It demonstrates the fact that human beings are supposed to remember a picture better than a text. Although graphical passwords prove more secure than textual passwords against brute-force attacks, dictionary attacks, spyware and shoulder surfing to some extent, the approach is still at an immature stage and requires more research before it can be completely deployed in the market [7].

In this paper, we present a 3-layer secured user authentication scheme for accessing remote systems.

Method               | Knowledge Based | Token Based | Biometric Based | Graphics Based | Graphical-Textual Based
Security Level       | Low             | Low         | High            | Moderate       | High
Remote Accessibility | Yes             | No          | No              | Yes            | No

A. Signing Up Phase

Let us consider a user trying to access a system for the first time. Hence, s/he needs to set up an account first. After taking the personal details of the user, the system asks the user to choose his/her authentication keys in three consecutive steps. In the first step, the user has to select an image from the ones available in the system, or may choose one of his/her own after uploading it to the system. This step poses the first layer of security in the proposed system. Let the user choose the image i from the set of n images. This set of n images is further subdivided into several subsets n1, n2, n3, ..., nn, each representing a category of images such as nature, animals, sports etc. When accessing the system later, the user must know which category his/her previously chosen picture falls into (selection of subset ni) and which image s/he chose (selection of image i). If the user fails to recognize the exact subset and the exact image, the system does not let the user access the system. In the background of the system, a simple index of the subsets and the images has to be maintained, which helps the system recognize the user.

In the second stage, the selected image i is divided into k blocks of dimension m × n; each block is chosen such that it represents a particular region or subregion of the image. The dimension of each block is fixed by the system, which chooses it based on the region information of the image. In this step, the user has to select one such block. Let the user select block ki (a region of his/her choice) whose dimension is m × n. The block ki contains m × n pixels, and the system takes the average pixel value of the block, rounded to the nearest integer.

Finally, the user is required to provide a textual numeric password of his/her own choice. This password should not exceed the limit of 24 bits. That is, the chosen password should be one of the 1,67,77,216 available combinations. Now, the user-given password is simply XORed with the 24-bit average pixel value of the m × n pixels of block ki obtained from the previous step. The reason for choosing the XOR function is that it is only XOR that generates a unique bit stream when performed with a key. However, other cryptographic approaches are also allowed if the system wants a higher level of security. Figure 1 shows a schematic diagram of the proposed system.

B. System Accessing Phase

During the accessing phase, the system first lets the user find the subset ni s/he fixed before. If this is successful, the system then lets him/her find the image i. If the user can successfully recognize the image i, the system asks him/her to find the region ki. Since each region is predefined by the system, the user need not keep the dimension in mind; rather, s/he should just click properly on the particular region. After successful recognition of the region, the user is asked to provide his/her secret key (password). Now, the secret key is XORed with the average pixel value APi and the result is matched with the one stored in the database. When the database information agrees, the authentication process is completed and the user is allowed to access the system. If any selection or recognition at any step fails, the system immediately blocks the user.

C. Pseudocode Representation

The complete process can be viewed as pseudocode, as given in Algorithm 1.

IV. Performance Studies

This section considers how much robustness the proposed system can achieve. At the first step, when the subset is to be selected, if there are n subsets of images, the intruder has a 1/n probability of breaching this section successfully. Later, when the image i is to be selected, if subset ni contains p images, the intruder again has to deal with the probability 1/p. Now, if the selected image contains x regions, the intruder has to face a breaching probability of 1/x once again. Additionally, the intruder has to find the 24-bit user password, which has a probability of 1/16777216 [23]. According to probability theory, the intruder has the probability 1/n × 1/p × 1/x × 1/16777216 of breaching the authentication [23], whereas, for the present textual-based password system, the probability of breaching the authentication is only 1/Sp, where Sp is the total number of digits the user uses. It is true that the greater the length of Sp, the more secure the password; however, this again conflicts with the trade-off: longer passwords are stronger against attacks but difficult to remember [24].

The proposed system has been tested against a 24-bit textual password system. The MATLAB implementation shows that a chosen password in a textual password based system is breached most often, while in the proposed system it is not. Table II shows a comparative performance study conducted during our experiment phase in order to find out how much time it may take to breach a password in the proposed system and in an existing textual-based password system.

Table III lists a portion of our detailed performance studies conducted for different passwords commonly used today. It shows that most easy-to-remember
passwords of the existing textual password based authentication systems are very vulnerable, while the same passwords used in the third layer of the proposed system helped block the intruder attack.

V. Conclusion

This paper presents a three-layer user authentication system for remote accessibility. This study explored the existing user authentication systems and observed which systems do not fit remote access even though they have a higher degree of robustness. Further, our study takes into account the problems of the existing systems and discusses their relevant studies properly. Then this study proposed a new authentication system that combines the robustness of graphical passwords with the remote accessibility of textual password schemes in a three-layer architecture. The performance analysis section of this paper proved the robustness of the proposed system as compared to its existing counterparts. In addition, the implementation of the proposed scheme is as simple as that of an existing textual password based authentication system, and thus suitable for any remote authorization.

References

[1] Fawaz A. Alsulaiman and Abdulmotaleb El Saddik, “Three-Dimensional Password for More Secure Authentication,” IEEE Transaction on Instrumentation and Measurement, Vol. 57, No. 9, pp. 1929-1938, September 2008.
[2] Ayannuga Olanrewaju O., Folorunso Olusegun, Akinwale Adio T. and Asiribo E. O., “A Secure Usability Design System for User Authentication,” International Journal of Computer Science and Network Security, vol. 11 No. 4, pp. 151-158, April 2011.
[3] Ms. Vidya Mhaske-Dhamdhere and Prof. G. A. Patil, “Three Dimensional Object Used for Data Security,” International Conference on Computational Intelligence and Communication Networks, DOI:10.1109/CICN.2010.83, pp. 403-408, 2010.
[4] D. V. Klein, Foiling the cracker: A survey of, and improvement to passwords security, in Proc. USENIX Security Workshop, pp. 514, 1990.
[5] Prof. Gauri Rao, “SECUREZZA,” CIT Journal of Research, vol. 1, May 2010.
[6] R. Dhamija and A. Perrig, “Deja Vu: A User Study Using Images for Authentication,” in Proceedings of 9th USENIX Security Symposium, 2000.
[7] Xiaoyuan Suo, Ying Zhu and G. Scott. Owen, “Graphical Passwords: A Survey,”
[8] Xiyu Liu, Lizi Yin and Zhaocheng Liu, “A Stroke-Based Textual Password Authentication Scheme,” First International Workshop on Education Technology and Computer Science, vol. 3, DOI:10.1109/ETCS.2009.544, pp. 90-95, 2009.
[9] Gayathiri Charathsandran, “Text Password Survey: Transition from First Generation to Second Generation,”
[10] Horng-Twu L. and Chin-Laung L, “An efficient password authentication scheme based on a unit circle,” Computer and Security, Elsevier, Vol. 14, No. 3, pp. 220-220, 1995.
[11] K. Gilhooly, “Biometrics: Getting Back to Business,” in Computerworld, May 2005.
[12] A. Adams and M. A. Sasse, “Users are not the enemy: why users compromise computer security mechanisms and how to take remedial measures,” Communications of the ACM, vol. 42, pp. 41-46, 1999.
[13] NBC news, “ATM Fraud: Banking on Your Money, Dateline Hidden Cameras Show Criminals Owning ATMs,” Dec. 11, 2003.
[14] T. Kitten, “Keeping an Eye on the ATM,” July 2005. [Online Available: ATMMarketPlace.com]
[15] BBC news, “Cash Machine Fraud up, Say Banks,” November 2006.
[16] Ross, A. and Prabhakar, S., “An introduction to biometric recognition,” vol. 14, issue. 1, DOI:10.1109/TCSVT.2003.818349, pp. 4-20, January 2004.
[17] Siddhesh Angle, Reema Bhagtani and Hemali Chheda, “BIOMETRICS : A FURTHER ECHELON OF SECURITY,”
[18] Massimo Tistarelli and Mark S Nixon, “Advances in Biometrics,” SpringerLink, ISBN: 9783642017933 3642017932 9783642017926 3642017924, 2009.
[19] G. E. Blonder, Graphical password, U.S. Patent 5 559 961, Sep. 24, 1996.
[20] Huanyu Zhao and Xiaolin Li, “S3PAS: A Scalable Shoulder-Surfing Resistant Textual-Graphical Password Authentication Scheme,”
[21] C Singh and L Singh, “Investigating the Combination of Text and Graphical Passwords for a more secure and usable experience,” International Journal of Network Security & Its Applications, Vol. 3, No. 2, pp. 78-95, March 2011.

Password type | 24 bits Textual Password System, Average Breaking Time | 24 bits Proposed Password System, Average Breaking Time
Numeric       | 6.5 Minutes                                            | Not until 2 Hours
Alphabetic    | 7 Minutes                                              | Not until 2 Hours
Alphanumeric  | 25 Minutes                                             | Not until 3 Hours

TABLE III
One Minute Experiment Results upon the Commonly used Passwords
Password | 1 Minute Experiment for Textual Password Based System | 1 Minute Experiment for Proposed System
123456   | Breached at 56th second                               | Could not breach the FIRST level
000111   | Breached at 5th second                                | Could not breach the FIRST level
abcd01   | Could not breach within 1 min                         | Could not breach the FIRST level
abcdef   | Breached at 59th second                               | Could not breach the SECOND level
111111   | Breached at 21st second                               | Could not breach the FIRST level
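
The signing-up and accessing phases of Sections A and B, together with the breach probability of Section IV, as an added Python example (it is not the paper's Algorithm 1 or its MATLAB implementation). The image store `IMAGES`, the function names, and the packing of each pixel as one 0xRRGGBB integer are assumptions made for the example.

```python
from fractions import Fraction

MASK24 = 0xFFFFFF  # password and average pixel value are both limited to 24 bits

# Constructed sample data: subset -> image -> region -> m x n block of pixels.
# Assumption: each pixel is a single 0xRRGGBB integer.
IMAGES = {"nature": {"lake": {
    "sky":   [[0x3060C0, 0x3264C4], [0x2E5CBC, 0x3060C1]],
    "shore": [[0x806040, 0x826244], [0x7E5E3C, 0x806040]]}}}

def average_pixel(block):
    """Average pixel value of a block, rounded to the nearest integer."""
    pixels = [p for row in block for p in row]
    return ((2 * sum(pixels) + len(pixels)) // (2 * len(pixels))) & MASK24

def stored_ap(record):
    """AP of the region chosen at sign-up, recomputed from the system's image."""
    return average_pixel(IMAGES[record["subset"]][record["image"]][record["region"]])

def sign_up(subset, image, region, password):
    """Signing-up phase: keep the three choices and password XOR AP."""
    if not 0 <= password <= MASK24:
        raise ValueError("password must fit in 24 bits")
    record = {"subset": subset, "image": image, "region": region, "blocked": False}
    record["stored"] = password ^ stored_ap(record)
    return record

def access(record, subset, image, region, password):
    """Accessing phase: check each layer in order; any failure blocks the user."""
    if record["blocked"]:
        return "blocked"
    layers = [("subset", subset == record["subset"]),
              ("image", image == record["image"]),
              ("region", region == record["region"]),
              ("password", (password ^ stored_ap(record)) == record["stored"])]
    for name, ok in layers:
        if not ok:
            record["blocked"] = True
            return "failed at " + name
    return "granted"

def recover_password(record):
    """XOR is its own inverse: stored value XOR AP gives back the password."""
    return record["stored"] ^ stored_ap(record)

def breach_probability(n, p, x):
    """Section IV: 1/n * 1/p * 1/x * 1/16777216 for a single blind guess."""
    return Fraction(1, n * p * x * (MASK24 + 1))
```

`recover_password` shows that the stored value is reversible by anyone who holds the database record and the image, so the record needs the same protection as a plaintext password.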