
[IEEE 2013 8th International Conference on Computer Science & Education (ICCSE) - Colombo, Sri Lanka (2013.04.26-2013.04.28)]

The 8th International Conference on Computer Science & Education (ICCSE 2013), April 26-28, 2013, Colombo, Sri Lanka. SuA3.6

A Steganography-based Framework to Prevent Active Attacks during User Authentication

Sudantha Gunawardena (1), attune Consulting / Asia Pacific Institute of Information Technology, Colombo, Sri Lanka, sudantha.gunawardena@attuneconsulting.com

Dhananjay Kulkarni, Asia Pacific Institute of Information Technology, Colombo, Sri Lanka, dhananjay@apiit.lk

Balachandran Gnanasekaraiyer, Asia Pacific Institute of Information Technology, Colombo, Sri Lanka, bala@apiit.lk

Abstract - User authentication is a vital component of most systems that must assure the security of services and data. The majority of applications so far depend on alphanumeric text-based password schemes for authentication; however, user information management is not as secure in some systems. Weak authentication may also enable hackers to steal user information or bypass authentication.

The increase in social engineering schemes and the use of multiple accounts per user have also brought new problems to password authentication schemes.

Social profiles of users available in the public domain have exposed personal data and made privacy a major issue. Users tend to use personal data to create passwords, which implies that password-based authentication has become more vulnerable.

This paper proposes a new authentication framework, called imgAuth, which is an image steganography-based authentication scheme with user profile management. The imgAuth image can act as a universal authentication framework that balances security, integrity and availability. We show that our approach is practical and resistant to the popular attacks that we set out to overcome in this project. An experimental prototype shows that we do much better than some existing schemes.

Index Terms: Authentication, Steganography, Steganalysis

I. INTRODUCTION

Authentication is the act of confirming the truth of an attribute of a datum or entity. Because of weaknesses in alphanumeric password-based authentication schemes, attacks such as phishing and dictionary attacks are aimed directly at stealing user information. Indirectly, there has been a rise in attacks on the cryptographic schemes primarily used to secure alphanumeric password schemes, such as brute-force attacks, rainbow cracking attacks [1], boomerang attacks [2] and interpolation attacks [3]. The increase in social engineering schemes has given alphanumeric passwords a new face, making them even less secure.

(1) Part of this work was done while the author was a student at Asia Pacific Institute of Information Technology and was completed under the encouragement and financial grant provided by attune Consulting.

Attacks such as shoulder surfing [4], guessing passwords from users' exposed social profiles, and immature password recovery methods have made online accounts more vulnerable. We address these matters and propose a flexible authentication framework using image steganography [5] that can be used as a universal authentication identity for all online accounts, eliminating the redundancy of multiple online user profiles.

In the proposed scheme users can select any image they prefer and choose a secret point in the image, which they will have to remember. By filling in a form they provide personal information, which is embedded into the image using steganography; the framework then generates the image, which users can place in the authentication canvas. Afterwards, by selecting the secret point, users are authenticated, the embedded profile is fetched, and service web sites can use the necessary information.

With this framework approach, user personal information in all services remains consistent, neither redundant nor outdated. Furthermore, since users' personal details are kept within their authentication image, they are not exposed on public web sites or in search engine queries, which protects users' privacy.

II. MOTIVATION

An authentication process should be easy to use, and in the new social media age the alphanumeric password-based authentication approach should be enhanced to a new level with lower risks. The present authentication approach also needs to withstand the range of attacks on alphanumeric passwords.

Research by Symantec Corporation [6] shows that, with the flourishing of various internet services, the share of users with more than 5 online accounts has increased to 80%, and these users have to manage authentication for each account separately. The survey further shows that large numbers of users use their personal information in passwords [6], which attackers can easily obtain through social engineering. Another set of users use simple string combinations such as 1234... or password, which attackers can easily guess.

978-1-4673-4463-0/13/$31.00 ©2013 IEEE


Another key concern with alphanumeric passwords is usability: users are not able to memorize several strong, complex passwords [7].

The main challenge in implementing a good authentication scheme is to maintain the balance between security, integrity and availability. Providing rich usability features in an authentication scheme is also a necessity in modern distributed contexts.

III. APPROACH AND CONTRIBUTIONS

In this paper, we first identify the problems and weaknesses of authentication using alphanumeric passwords. To overcome the weaknesses of password-based authentication, we developed a secure approach to authenticating with an image that has embedded user profile data.

The following figures show a top-level flow of the registration and authentication processes of the framework.

[Fig. 1 (flowchart): User provides an image, profile data and a secret location -> Validate image capacity and data (fails / success) -> Encrypt the user profile using the secret location as the key -> Using steganography, hide the cipher inside the image -> Generate image hash values and place them with the secret coordinates into the data store.]

Fig. 1. Registration Process

The main contributions of this paper are the following:

- An authentication framework that is an alternative to password authentication, with high usability and security against current attacks on alphanumeric passwords.

- A technique to remove the redundancy of personal information and secure user privacy across multiple online accounts, and a way to keep users' personal information always at the user's end and under the user's control.

- An authentication scheme that achieves the above objectives while preserving the equilibrium between security, integrity and availability of the framework.

[Fig. 2 (flowchart): User provides an image and a secret location -> Generate the image hash and validate whether it is registered (no: fail) -> If validated, steganalyse the image and generate the embedded cipher text -> Check if the clicked secret location is in range of the registered location (no: fail) -> If it matches, decrypt the cipher with the secret key -> Send back the authentication success and user profile to the requester.]

Fig. 2. Authentication Process

[Fig. 3 (sequence diagram): Cover Image (I), Secret Location (S), User Profile (P) -> Registration Server: generate profile cipher (C) with key (S); generate the steganography image (Ix) -> Authentication Image (Ix) returned to the user; Secret Location (S) and image hash(Ix) sent to the data store.]

Fig. 3. Registration Sequence

IV. AUTHENTICATION FRAMEWORK

A. Technical Overview

As shown in Figure 3, the registration process mainly involves the registration server and the data store. In the proposed authentication scheme, unregistered users provide their preferred cover image (I) and select their preferred secret location (S). Subsequently the user fills in the user profile (P).

[Fig. 4 (sequence diagram)]

Fig. 4. Authentication Sequence

In the registration server, using the user profile (P) and the secret location (S) as the symmetric key, the cipher text of the user profile (C) is generated.

This cipher text (C) is embedded into the cover image (I) using steganography, and the authentication image (Ix) is generated. The registration server saves the file hash of Ix and the secret location (S) in the server data store.

As shown in Figure 4, authentication proceeds as follows. Users place the created authentication image (Ix) in the web application and select the secret location (S). Users are not required to remember and repeat the secret location (S) exactly: a selection within a range close to the secret location (S) is accepted as a correct value S'.

[Fig. 5 (diagram): the selected point with a 10 px range marked on either side]

Fig. 5. Range of Selection

As Figure 5 shows, when the user selects a point x (1 px in size) during authentication, the range of pixels within 10 px of x is accepted as the correct secret location.

The authentication server checks whether the hash value of the provided image (Ix) is registered. If the image hash is available on the server, the embedded cipher text (C) is revealed using steganalysis.

TABLE I. INDEX TERMS

Term                 | Description
User Profile         | Personal details in XML format
Cover Image          | User-chosen image to hide data
Authentication Image | Image generated by the system
Secret Location      | User-clicked location of the image


If the provided secret location S' is within range of the stored secret location (S), the cipher text (C) is decrypted using the stored (S) and the user profile (P) is recovered.

V. DESIGN AND IMPLEMENTATION

A. Generating an Image for Authentication

1) Image Pre-Processing: The framework is provided with images of various sizes. However, the main concern in acquiring an image is to store the user's profile within the image using steganography.

Image pre-processing confirms that the image the user provided is sufficient to store the user profile. The payload of the image using an LSB algorithm can be calculated as

$C = h \times w \times c \times e$

where C = payload, h = cover image height, w = cover image width, c = number of payload colours, e = number of encoding bits.

This procedure is vital because the user-provided image may not have sufficient capacity to store the user's profile using steganography techniques.

2) Using Steganography to Hide User Profile: LSB steganography methods [8], which are categorized under image domain steganography schemes, are widely used in various services because of the fast execution of the algorithms and their low complexity while keeping the payload invisible.

In view of these specifics, the secure image of this authentication scheme, which embeds the user profile and is used for authentication, is created using an LSB-based steganography algorithm. Because of its fast execution, an LSB-based algorithm is the better choice for keeping the equilibrium between security, integrity and availability.

In the least significant bit (LSB) algorithm, secret information is hidden by manipulating the last bit of the R, G, B colour values of each pixel in bitmap images. Even when the first LSB is replaced with hidden data, the representation of the image is most likely to look the same as the original image.

3) Use of ASCII decoding to generate binary content: The text decoding module obtains the ASCII-encoded user profile and converts it to the corresponding binary sequence.

The process of the text decoding module is as follows. Initially the module receives the ASCII-encoded string and translates it to an ASCII byte sequence. This translated ASCII byte sequence is transmuted into a memory stream. The memory stream is written to a binary stream and finally converted to a binary byte sequence. Each ASCII character is represented by 7 bytes in binary.

4) Use of Encryption to secure user profile: Payload data is protected using a symmetric cryptography technique before being embedded, because of the faster encryption and decryption process.

The TripleDES [9] block cipher is used as the symmetric cryptography technique. TripleDES has a 156-bit key, which is relatively resistant to brute force and rainbow attacks. AES [10] currently dominates the symmetric key cryptography world, whereas TripleDES is not widely used.

TripleDES is used with the three encryption keys set as

$K_1 = K_2 = K_3$

where K is the secret coordinates that the user selected on the graphical representation of the image.

5) XML Generation to generate the profile structure: The user's personal information, which is kept with the image, is converted to a structured XML object.

B. Authentication Process

1) Use of Steganalysis to retrieve profile from image: The steganalysis process [11] takes the 24-bit bitmap stego-image as the input to the module. The steganalysis module then walks through the pixel colour values of the image, and the least significant bit (LSB) of every pixel is assembled into a base64-encoded string.

During steganography, an escape character @ is embedded as the last character of the hidden ASCII message. The escape character is embedded in order to identify the length of the message when generating the ASCII-encoded string. The character @ is preferred because it is never used in a base64-encoded string, so it does not clash with the base64 content.

After steganalysis, the secreted base64 string from the image is converted to an ASCII-encoded string, which can be presented.

2) Use of decryption to retrieve plain profile and Encoding: The decryption function takes the base64-encoded encrypted string and the symmetric encryption key. The function decrypts the string using the symmetric key and returns the ASCII-encoded plain text. Settings such as cipher mode and padding mode are set the same as in the encryption function.

C. Authentication Server

The authentication server is responsible for receiving the user's authentication image and secret click location, processing them for validity, and sending the authentication status back to the user.

The authentication service retrieves the binary stream and segments it into meaningful data. The accepted format of the binary stream is shown in the following figure.

[Figure: binary stream format: Secret Coordinates (7 bits) | 24-bit Stego-Image]

After segmentation of the binary stream, the image hashing module generates the MD5 value of the image and matches it against the server's image register database to determine whether the authentication stego-image is already registered with the server. If the image hash value is registered, it is taken into further processing; if not, authentication fails because the hash values do not match, which means the image is not registered with the server.

After the MD5 hash matching process, the image is sent to the steganalysis process and the embedded base64-encoded string is retrieved. This base64-encoded string contains the user profile cipher. Subsequent to steganalysis, the user-provided secret location is verified.

This verification checks whether the location clicked during authentication is within range of the coordinates the user provided initially at registration. If the coordinates are in range, the server retrieves the symmetric key from the data store, which is the initial coordinates the user provided when registering, and the retrieved cipher is passed on for decryption.

If decryption succeeds, the user's authentication is a success and the embedded user profile is sent back to the client.
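The registration and authentication flow of Sections IV and V, as an added example (not the paper's code): the h x w x c x e capacity check, 7-bit LSB embedding with the '@' terminator, hash registration, the 10 px click tolerance, and decryption with the stored secret. The paper's TripleDES keyed by the coordinates is replaced by a clearly labelled HMAC-SHA256 keystream stand-in, since the standard library has no 3DES; the 16x16 pixel data and the XML profile are constructed for the demo.

```python
import base64
import hashlib
import hmac

BITS_PER_CHAR = 7   # one 7-bit ASCII code per embedded character (base64 text and '@')
TOLERANCE_PX = 10   # Fig. 5: a click within 10 px of the registered point is accepted
END_MARK = "@"      # terminator: never appears in base64 output, so it marks the end

def capacity_bits(height, width, colours=3, enc_bits=1):
    """Section V.A.1: payload = h x w x c x e bits (c colours, e bits per colour)."""
    return height * width * colours * enc_bits

def derive_key(secret):
    # The paper keys TripleDES with the click coordinates (K1 = K2 = K3). Stand-in
    # (assumption): hash them to 32 bytes. The keyspace is still only the pixel grid.
    return hashlib.sha256(f"{secret[0]},{secret[1]}".encode()).digest()

def stream_xor(key, data):
    # Stand-in symmetric cipher: HMAC-SHA256 counter keystream XORed onto data,
    # because the standard library has no 3DES. The same call encrypts and decrypts.
    out = bytearray()
    for n, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, n.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)

def embed_lsb(pixels, text):
    """Write text + '@' into the LSB of consecutive R, G, B values (list of tuples)."""
    bits = [(ord(ch) >> i) & 1 for ch in text + END_MARK
            for i in range(BITS_PER_CHAR - 1, -1, -1)]
    flat = [v for px in pixels for v in px]
    if len(bits) > len(flat):
        raise ValueError("cover image too small for the payload")
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & ~1) | bit
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]

def extract_lsb(pixels):
    """Steganalysis step: read LSBs 7 at a time until the '@' terminator."""
    lsbs = [v & 1 for px in pixels for v in px]
    chars = []
    for i in range(0, len(lsbs) - BITS_PER_CHAR + 1, BITS_PER_CHAR):
        code = 0
        for bit in lsbs[i:i + BITS_PER_CHAR]:
            code = (code << 1) | bit
        if chr(code) == END_MARK:
            return "".join(chars)
        chars.append(chr(code))
    raise ValueError("no terminator: not a valid authentication image")

def image_hash(pixels):
    # The paper registers an MD5 of the stego-image; here it is only a lookup key.
    return hashlib.md5(bytes(v for px in pixels for v in px)).hexdigest()

def register(store, cover, height, width, profile_xml, secret):
    """Registration server: C = Enc_S(P), hide base64(C) in I, store hash(Ix) -> S."""
    cipher_b64 = base64.b64encode(stream_xor(derive_key(secret), profile_xml.encode())).decode()
    need = (len(cipher_b64) + 1) * BITS_PER_CHAR
    if need > capacity_bits(height, width):
        raise ValueError(f"need {need} bits, cover holds {capacity_bits(height, width)}")
    stego = embed_lsb(cover, cipher_b64)
    store[image_hash(stego)] = secret
    return stego

def within_range(clicked, registered, tol=TOLERANCE_PX):
    return abs(clicked[0] - registered[0]) <= tol and abs(clicked[1] - registered[1]) <= tol

def authenticate(store, stego, clicked):
    """Authentication server: hash lookup, steganalysis, click check, decrypt with stored S."""
    registered = store.get(image_hash(stego))
    if registered is None:
        return None                  # unregistered or edited image ("faking") stops here
    cipher_b64 = extract_lsb(stego)
    if not within_range(clicked, registered):
        return None                  # click outside the 10 px window
    return stream_xor(derive_key(registered), base64.b64decode(cipher_b64)).decode()

def demo():
    """Constructed 16x16 '24-bit bitmap' (a gradient) and a constructed XML profile."""
    h, w = 16, 16
    cover = [(x * 16, y * 16, 128) for y in range(h) for x in range(w)]
    profile = "<profile><name>Alice</name><mail>a@example.test</mail></profile>"
    store = {}
    stego = register(store, cover, h, w, profile, secret=(5, 9))
    edited = list(stego)
    edited[0] = (255, 255, 255)      # one edited pixel changes hash(Ix)
    return {
        "exact": authenticate(store, stego, (5, 9)),
        "edge": authenticate(store, stego, (15, 19)),      # exactly 10 px off on both axes
        "outside": authenticate(store, stego, (16, 9)),    # 11 px off: rejected
        "edited": authenticate(store, edited, (5, 9)),
        "max_channel_delta": max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q)),
    }
```

`max_channel_delta` comes out as 1, which is the "representation stays the same" property of Section V.A.2 made measurable.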

RELATED WORK

In addressing the security issues of authentication, researchers have worked along two branches: upgrading the alphanumeric password scheme by using policies and complex passwords, or alternative authentication schemes, predominantly graphical passwords.

The iPass framework [12] is one of the schemes that enforce user password policies to ensure stronger and more usable passwords, which helps users memorize their password easily and resists brute force and rainbow attacks; but the passwords are still vulnerable to phishing attacks and social engineering attacks.

Graphical password schemes [13] such as grid-based drawing schemes have widely replaced alphanumeric passwords in mobile device authentication, but there is no evidence of any graphical password scheme being used to authenticate web applications.

Another scheme that inspired the proposed authentication scheme is the use of digital objects as passwords [14]. The key idea is to use hash values of digital objects to generate stronger strings and use them as passwords, which are specifically named object-based passwords.

As per the above, applying policies to alphanumeric passwords addresses only a few attacks, such as dictionary attacks, whereas the proposed imageAuth scheme addresses an extensive range of attacks. Graphical passwords also do not solve the problem of single authentication for multiple online accounts, and some graphical password schemes require users to memorize multiple graphical chunks, which creates usability issues.


TABLE II. SUMMARY OF ADDRESSED ATTACKS

Attack             | Elimination
Phishing Attacks   | Partially Eliminated
Dictionary Attacks | Fully Eliminated
Brute Force        | Eliminated by limiting the attempts
Faking             | Not possible (will corrupt the content)
Shoulder Surfing   | Partially Eliminated
Content Injection  | Fully Eliminated

None of the above schemes solves the problem of redundant user profile information across web sites, for which imageAuth proposes a way of handling it.

SECURITY ANALYSIS

In this section the security of the proposed imgAuth authentication scheme is analysed in comparison to password-based schemes. Considering attacks on the steganographic image, the possibility of breaking the content depends on the algorithm used to hide the data. A wide range of tools is designed to detect content hidden by LSB steganography-based algorithms, but retrieval of the hidden content still depends on cryptanalysis and reverse engineering of the steganography algorithm.

Phishing Attacks: Phishing is a specific attack designed to steal user authentication details. This attack can also be applied to the proposed scheme, and the attacker will be able to obtain the authentication image; but without knowing the secret coordinates, retrieving the information will not be possible.

Dictionary Attacks: As authentication is not based on alphanumeric strings, dictionary attacks are fully evaded.

Brute Force and Cryptanalysis: Brute force attacks on this scheme can be described as partially evaded. If an attacker were able to retrieve the cipher after a successful steganalysis attack, the attacker would still require the secret coordinates. Even if the attacker were able to capture the user's click locations on the image during the authentication process, the attacker would still have to spend additional effort on cryptanalysis of the secret coordinates, as

$c = \text{Secret Location} \pm \text{(upper bound or lower bound)}$

Faking: Creating fake images with the same visual representation, or editing the image, will corrupt the binary sequence, so attacks using fake images are voided.

Social Engineering: Social engineering schemes such as shoulder surfing are still not entirely eliminated, as attackers can observe the secret coordinates. This can be avoided by using images with rich graphical content and avoiding common locations in the image.

Correspondingly, guessing authentication details by exploring public social profiles is totally eliminated. Man-in-the-middle attacks and content injection attacks are eliminated in the proposed scheme.

Table II shows a summary of the attacks addressed by the proposed authentication scheme.


FUTURE WORK

1) Provide migration features from alphanumeric passwords: The outdated alphanumeric password currently dominates the authentication paradigm. Users' resistance to changing from alphanumeric passwords has held back the wide implementation of other authentication schemes. To overcome this user resistance, the proposed authentication scheme can be tailored to facilitate a migration from alphanumeric passwords: users will be able to store their username and password details in the authentication image and use the prepared image as an intermediate interface to alphanumeric password-based systems.

2) Ability to use any image type as the authentication image: Presently the authentication system only supports 24-bit bitmap images. The choice of image format is limited because the algorithm currently used to secure the data with steganography is an image domain based algorithm that alters the least significant bit (LSB). File formats such as PNG and JPEG are vector-based images, which image domain based steganography algorithms do not support.

Implementing steganography algorithms that support both image domain and transform domain images will advance the system to a large base of image formats.

CONCLUSIONS

Presently, password-based schemes have several major drawbacks, but they are still widely used because no proper alternative frameworks have been suggested. The proposed scheme addresses the attack base of password schemes and, mainly, the issue of user profile redundancy in online services, which current alternative authentication frameworks do not address and which the proposed imageAuth scheme does.

At present steganography is used only for secret communications, which weighs more towards unethical communications. This project focuses on an alternative use of steganography in user authentication research. We think that steganography techniques can be used to address more real-world problems in other research areas as well.

ACKNOWLEDGMENTS

We would like to specially thank attune Consulting for the encouragement provided for conducting the research and the financial grant provided for this publication.

The authors would like to thank the researchers who provided us with valuable feedback and improvements on the project: Professor Ron Rivest from Massachusetts Institute of Technology (MIT), Professor Rob Shaw from Staffordshire University, Professor Ross Anderson from University of Cambridge and Mr. Cormac Herley from Microsoft Research.

We would also like to thank Kevin Haley from Symantec Corporation for sharing their research details on password behaviours, which helped to improve this project.


REFERENCES

[1] O. Billet and H. Gilbert, "Cryptanalysis of Rainbow," in Security and Cryptography for Networks, pp. 336-347.
[2] S. Murphy, "The return of the boomerang," 2009.
[3] T. Jakobsen and L. R. Knudsen, "The interpolation attack on block ciphers," in Fast Software Encryption. Springer-Verlag, 1997, pp. 28-40.
[4] M. Kumar, T. Garfinkel, D. Boneh, and T. Winograd, "Reducing shoulder-surfing by using gaze-based password entry."
[5] J. Madison, S. D. Dickman, and S. D. Dickman, "An overview of steganography," 2007.
[6] K. Haley, "Survey: Symantec Corporation password survey," 2011.
[7] A. A. Martina, A. Adams, M. A. Sasse, and P. Lunt, "Making passwords secure and usable," 1997.
[8] A. Gupta and R. Garg, "Detecting LSB steganography in images."
[9] R. C. W. Phan, "Related-key attacks on Triple-DES and DESX variants," in Topics in Cryptology - The Cryptographers' Track at RSA Conference (CT-RSA 04), 2004, T. Okamoto, Ed., LNCS 2964. Springer, pp. 15-24.
[10] Federal Information Processing Standards, "Announcing the Advanced Encryption Standard (AES)."
[11] N. F. Johnson and S. Jajodia, "Steganalysis: The investigation of hidden information," in IEEE Information Technology Conference, 1998, pp. 113-116.
[12] D. Kulkarni and F. C. Sells, "Demo: iPass framework to create secure and usable passwords," in The 16th ACM Conference on Computer and Communications Security (CCS), 2009.
[13] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. Rubin, "The design and analysis of graphical passwords," in 8th USENIX Security Symposium, 1999, pp. 1-14.
[14] M. Mannan and P. C. van Oorschot, "Digital objects as passwords."
