The 8th International Conference on Computer Science & Education (ICCSE 2013) April 26-28, 2013. Colombo, Sri Lanka SuA3.6
A Steganography-based Framework to Prevent Active Attacks during User Authentication
Sudantha Gunawardena1
attune Consulting / Asia Pacific Institute of Information Technology
Colombo, Sri Lanka
sudantha.gunawardena@attuneconsulting.com
Dhananjay Kulkarni
Asia Pacific Institute of Information Technology
Colombo, Sri Lanka
dhananjay@apiit.lk
Balachandran Gnanasekaraiyer
Asia Pacific Institute of Information Technology
Colombo, Sri Lanka
bala@apiit.lk
Abstract: User authentication is a vital component of most systems that must assure the security of services and data. The majority of applications so far depend on alphanumeric, text-based password schemes for authentication; however, user information management is not as secure in some systems. Weak authentication may also enable hackers to steal user information or bypass authentication.
The increase in social engineering schemes and the use of multiple accounts per user have also brought new problems to password authentication schemes.
Social profiles of users available in the public domain have exposed personal data and made privacy a major issue. Users tend to use personal data to create passwords, which implies that password-based authentication has become more vulnerable.
This paper proposes a new authentication framework, called imgAuth, which is an image-steganography-based authentication scheme combined with user profile management. An imgAuth image can act as a universal authentication credential that balances security, integrity and availability. We show that our approach is practical and resistant to the popular attacks we planned to overcome in this project. An experimental prototype shows that we do much better than some existing schemes.
Index Terms: Authentication, Steganography, Steganalysis
I. INTRODUCTION
Authentication is the act of confirming the truth of an attribute of a datum or entity.
Because of their weaknesses, alphanumeric authentication schemes are directly targeted by attacks that steal user information, such as phishing attacks and dictionary attacks. Indirectly, attacks on the cryptographic schemes primarily used to secure alphanumeric password schemes have also risen, such as brute-force attacks, rainbow cracking attacks [1], the boomerang attack [2] and interpolation attacks [3].
The increase in social engineering schemes has brought a new face to alphanumeric passwords, which makes them even more insecure.
1 Part of this work was done while the author was a student at Asia Pacific Institute of Information Technology and was completed with the encouragement and financial grant provided by attune Consulting.
Attacks such as shoulder surfing [4], guessing passwords from users' exposed social profiles, and the immaturity of password recovery methods have made online accounts more vulnerable. We addressed these matters and propose a flexible authentication framework using image steganography [5], which can be used as a universal authentication identity for all online accounts and eliminates the redundancy of multiple online user profiles.
In the proposed scheme, users select any image they prefer and choose a secret point in the image, which they will have to remember. A form captures their personal information, which is embedded in the image using steganography, and the framework generates an image that users can place in the authentication canvas. Afterwards, by selecting the secret point, users are authenticated, the embedded profile is fetched, and service web sites can use the necessary information.
With this framework, users' personal information remains consistent across all services, neither redundant nor outdated. Furthermore, as users' personal details are held within their own authentication image, they are not exposed on public web sites or in search engine queries, which protects users' privacy.
II. MOTIVATION
An authentication process should be easy to use, and in the new social media age the alphanumeric-password-based approach should be enhanced to a new level with lower risks, since the present authentication approach is exposed to a range of attacks on alphanumeric passwords.
Research by Symantec Corporation [6] shows that, with the flourishing of various internet services, the share of users holding more than 5 online accounts has increased to 80%, and each of these users has to manage authentication for every account separately.
The survey further proves that a large number of users use their personal information in passwords [6], which attackers can easily obtain through social engineering. Another set of users use simple string combinations such as 1234... or password, which attackers can easily guess as common sequences.
978-1-4673-4463-0/13/$31.00 ©2013 IEEE 383
Another key concern with alphanumeric passwords is usability: users are not able to memorize several strong, complex passwords [7].
The main challenge in implementing a good authentication scheme is to maintain the balance between security, integrity and availability. Providing rich usability in an authentication scheme is also a necessity in modern distributed contexts.
III. APPROACH AND CONTRIBUTIONS
In this paper, we first identify the problems and weaknesses of authentication using alphanumeric passwords. To overcome the weaknesses of password-based authentication, we developed a secure approach to authentication using an image with embedded user profile data.
The following figures demonstrate the top-level flow of the registration and authentication processes of the framework.
Fig. 1. Registration Process (flowchart: the user provides an image, profile data and a secret location; the image is validated for capacity and data; on success the user profile is encrypted using the secret location as the key, the cipher is hidden inside the image using steganography, and the image hash values are placed together with the secret coordinates in the data store; on failure the process stops)
The main contributions of this paper are the following:
- An authentication framework which is an alternative to password authentication, with high usability and security against current attacks on alphanumeric passwords.
- A technique to break the redundancy of personal information and secure user privacy across multiple online accounts, keeping users' personal information always at the user's end and under the user's control.
- An authentication scheme which achieves the above objectives while conserving the equilibrium between security, integrity and availability of the framework.
Fig. 2. Authentication Process (flowchart: the user provides an image and a secret location; the image hash is generated and validated against the register; if it validates, the image is steganalysed to recover the embedded cipher text; the clicked secret location is checked for being in range of the registered location; if it matches, the cipher is decrypted with the secret key and the authentication success and user profile are sent back to the requester; a failed check ends the process)
Fig. 3. Registration Sequence (sequence diagram between the user, the registration server and the data store: the user supplies the cover image (I), secret location (S) and user profile (P); the server generates the profile cipher (C) with (S) as the key, generates the steganography image (Ix) and returns it as the authentication image; the secret location (S) and the image hash, hash(Ix), are sent to the data store)
IV. AUTHENTICATION FRAMEWORK
A. Technical Overview
As shown in Figure 3, the registration process mainly involves the registration server and the data store. In the anticipated authentication scheme, unregistered users provide their preferred cover image (I) and select their preferred secret location (S). Subsequently the user fills in the user profile (P).
In the registration server, the cipher text of the user profile (C) is generated from the user profile (P) using the secret location (S) as the symmetric key.
This cipher text (C) is embedded in the cover image (I) using steganography, and the authentication image (Ix) is generated. The registration server saves the file hash of Ix and the secret location (S) in the server data store.
Fig. 4. Authentication Sequence
As shown in Figure 4, the authentication proceeds as follows. Users place the created authentication image (Ix) in the web application and select the secret location (S). Users are not required to remember and repeat the secret location (S) exactly: a selection within a range close to the secret location (S) is accepted as a correct value S'.
Fig. 5. Range of Selection (labels: 10px, 10px)
As Figure 5 describes, when the user selects a point x (of size 1 px) in the authentication process, a range of pixels x + 10 is accepted as the correct secret location.
The authentication server checks whether the hash value of the provided (Ix) is registered. If the image hash is available in the server, the embedded cipher text (C) is revealed using steganalysis.
TABLE I. INDEX TERMS
User Profile: Personal details in XML format
Cover Image: User chosen image to hide data
Authentication Image: Image generated by the system
Secret location: User clicked location of the image
If the provided secret location S' is within range of the stored secret location (S), the cipher text (C) is decrypted using the stored (S) and the user profile (P) is generated.
V. DESIGN AND IMPLEMENTATION
A. Generating an Image for Authentication
1) Image Pre-Processing: The framework is provided with images of various sizes. However, the main concern in acquiring an image is to store the user's profile within the image using steganography.
The image pre-processing step confirms that the image the user provided is sufficient to store the user profile. The payload of the image using an LSB algorithm can be calculated as
$$c = \frac{h \times w \times c}{8} \cdot e$$
where c = payload, h = cover image height, w = cover image width, c = number of payload colors, e = number of encoding bits.
This procedure is vital because the capacity of a user-provided image may not be sufficient to store the user's profile using steganography techniques.
2) Using Steganography to Hide User Profile: LSB steganography methods [8], which are categorized under image-domain steganography schemes, are widely used in various services because of the faster execution and lower complexity of the algorithms while keeping the payload invisible.
In view of these specifics, the secure image of this authentication scheme, which embeds the user profile and is used for authentication, is created using an LSB-based steganography algorithm. Because of its faster execution, an LSB-based algorithm is the better choice for keeping the equilibrium between security, integrity and availability.
In the least significant bit (LSB) algorithm, secret information is hidden by manipulating the last bit of the R, G and B color values of each pixel in bitmap images.
Even after the first LSB is replaced with hidden data, the representation of the image is most likely the same as the original image.
3) Use of ASCII decoding to generate binary content: The text decoding module obtains the ASCII-encoded user profile and converts it to the corresponding binary sequence.
The process of the text decoding module is as follows. Initially the module receives the ASCII-encoded string and translates it to an ASCII byte sequence. This translated ASCII byte sequence is transmuted to a memory stream. The memory stream is written to a binary stream and finally converted to a binary byte sequence. Each ASCII character is represented by 7 bytes in binary.
4) Use of Encryption to secure user profile: Payload data is protected using a symmetric cryptography technique before being embedded, because of the faster encryption and decryption process.
The TripleDES [9] block cipher is used as the symmetric cryptography technique. TripleDES has a 156-bit key, which is relatively resistant to brute force and rainbow attacks. AES [10] currently dominates the symmetric-key cryptography world, but TripleDES is not widely used.
TripleDES is applied with the three encryption keys set as
$$K_3 = K_1 = K_2$$
where K is the secret coordinates which the user selected from the graphical representation of the image.
5) XML Generation for the profile structure: The user's personal information, which is kept within the image, is converted to a structured XML object.
B. Authentication Process
1) Use of Steganalysis to retrieve profile from image: The steganalysis process [11] takes the 24-bit bitmap stego image as the input to the module. The steganalysis module then walks through the pixel colour values of the image, and the least significant bit (LSB) of every pixel is assembled into a base64-encoded string.
In the steganography process, an escape character @ is embedded as the last character of the hidden ASCII message. The escape character is embedded to identify the length of the message when generating the ASCII-encoded string. The character @ is preferred because it is never used in a base64-encoded string, so it does not clash with the base64 content.
After the steganalysis process, the secret base64 string extracted from the image is converted to an ASCII-encoded string, which can be presented.
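As an added example (not the paper's code), the capacity check of Section V.A.1, the LSB embedding of V.A.2 and the @-terminated steganalysis of V.B.1 over a constructed in-memory 24-bit pixel list; 7 bits per ASCII character is an assumption taken from the paper's ASCII description, and the cipher text is a constructed stand-in for the TripleDES output:

```python
import base64

BITS_PER_CHAR = 7   # assumption: 7 bits per ASCII character, following the paper's ASCII decoder
TERMINATOR = "@"    # the paper's end-of-message marker; '@' is outside the base64 alphabet


def lsb_capacity_bits(height, width, colors=3, encoding_bits=1):
    """Capacity from the paper's pre-processing check, in bits (h x w x c x e);
    the paper divides by 8 to report bytes."""
    return height * width * colors * encoding_bits


def _to_bits(text):
    """7-bit ASCII string -> flat list of bits, most significant bit first."""
    bits = []
    for ch in text:
        code = ord(ch)
        if code > 0x7F:
            raise ValueError("payload must be 7-bit ASCII")
        bits.extend((code >> i) & 1 for i in range(BITS_PER_CHAR - 1, -1, -1))
    return bits


def embed(pixels, height, width, cipher_bytes):
    """Hide base64(cipher) + '@' in the least significant bit of each R, G, B
    value of a 24-bit image. `pixels` is a row-major list of (r, g, b) tuples;
    a new list is returned and the cover is left untouched."""
    payload = base64.b64encode(cipher_bytes).decode("ascii") + TERMINATOR
    bits = _to_bits(payload)
    if len(bits) > lsb_capacity_bits(height, width):
        raise ValueError("cover image too small for the user profile")
    flat = [value for px in pixels for value in px]
    for i, bit in enumerate(bits):
        flat[i] = (flat[i] & 0xFE) | bit   # overwrite only the LSB: a change of at most 1
    # Channels after the payload keep their original LSB, as in the paper's scheme.
    return [tuple(flat[i:i + 3]) for i in range(0, len(flat), 3)]


def extract(pixels):
    """Steganalysis step of the paper: walk the LSBs, rebuild 7-bit characters
    and stop at '@'; return the recovered cipher bytes (base64-decoded)."""
    lsbs = [value & 1 for px in pixels for value in px]
    chars = []
    for i in range(0, len(lsbs) - BITS_PER_CHAR + 1, BITS_PER_CHAR):
        code = 0
        for bit in lsbs[i:i + BITS_PER_CHAR]:
            code = (code << 1) | bit
        ch = chr(code)
        if ch == TERMINATOR:
            return base64.b64decode("".join(chars))
        chars.append(ch)
    raise ValueError("no terminator found: image carries no embedded profile")


def demo():
    """Constructed 16x16 gradient cover (all LSBs zero) and a constructed stand-in
    for the TripleDES cipher text; returns (recovered bytes, max per-channel change)."""
    height, width = 16, 16
    cover = [(x * 16, y * 16, 128) for y in range(height) for x in range(width)]
    cipher = b"constructed ciphertext"
    stego = embed(cover, height, width, cipher)
    recovered = extract(stego)
    max_delta = max(abs(a - b) for p, q in zip(cover, stego) for a, b in zip(p, q))
    return recovered, max_delta
```

A 22-byte cipher becomes 33 payload characters (231 bits), so it fits the 768-bit capacity of the 16x16 cover while a 2x2 cover (12 bits) is rejected by the capacity check.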
2) Use of decryption to retrieve plain profile and Encoding: The decryption function takes the base64-encoded encrypted string and the symmetric encryption key. The function decrypts the string using the symmetric key and returns the ASCII-encoded plain text. Settings such as cipher mode and padding mode are set the same as in the encryption function.
C. Authentication Server
The authentication server is accountable for retrieving the user's authentication image and the secret click location, processing them for validity and sending the authentication status back to the user.
The authentication service retrieves the binary stream and segments it into meaningful data. The acceptable format of the binary stream is defined in the following figure.
(Figure: binary stream format with the fields Secret Coordinates, 7 (bits), and 24-bit Stego-Image)
After the segmentation of the binary stream, the image hashing module generates the MD5 value of the image and matches it against the server's image register database to check whether the authentication stego-image is already registered with the server. If the image hash value is registered with the server, it is taken into further processing; if not, authentication fails because the image hash values do not match, which means the image is not registered with the server.
After the MD5 hash value matching process, the image is sent to the steganalysis process and the embedded base64-encoded string is retrieved. This base64-encoded string contains the user profile cipher. Subsequent to steganalysis, the user-provided secret location is verified.
This verification process validates that the location clicked by the user during authentication is in range of the coordinates the user provided initially at registration. If the coordinates are in range, the server retrieves the symmetric key from the data store, which is the initial coordinates the user provided when registering, and the retrieved cipher is passed to decryption.
If decryption succeeds, the user's authentication is a success and the embedded user profile is sent back to the client.
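As an added example (not the paper's code), the server-side checks of this section: the MD5 register lookup of the authentication image, the 10 px range check of Fig. 5, and the attempt limit that Table II credits with stopping brute force. The in-memory store, the limit of 3 attempts and the image bytes are constructed assumptions, and the TripleDES decryption that follows a successful check is not shown:

```python
import hashlib

RANGE_PX = 10        # Fig. 5: a click within 10 px of the registered point is accepted as S'
MAX_ATTEMPTS = 3     # assumption: the paper limits attempts but does not state the limit


class AuthServer:
    """Server-side checks of the paper's authentication sequence. The data store is
    an in-memory dict keyed by the MD5 hex digest of the authentication image Ix
    (MD5 is the paper's choice); each record holds the secret location S and a
    failure counter used for attempt limiting."""

    def __init__(self):
        self.store = {}   # image_hash -> {"secret": (x, y), "failures": int}

    @staticmethod
    def image_hash(image_bytes):
        return hashlib.md5(image_bytes).hexdigest()

    def register(self, stego_image_bytes, secret_location):
        """Registration server side: store hash(Ix) together with S."""
        self.store[self.image_hash(stego_image_bytes)] = {
            "secret": tuple(secret_location),
            "failures": 0,
        }

    @staticmethod
    def in_range(clicked, registered, tolerance=RANGE_PX):
        """Accept the clicked point S' when both coordinates lie within +/- tolerance of S."""
        return all(abs(a - b) <= tolerance for a, b in zip(clicked, registered))

    def authenticate(self, image_bytes, clicked):
        """Return (status, key): key is the stored secret location S, which the paper
        uses as the TripleDES key, only when every check passes; otherwise None."""
        record = self.store.get(self.image_hash(image_bytes))
        if record is None:
            return "unregistered-image", None        # any edit to Ix changes its hash
        if record["failures"] >= MAX_ATTEMPTS:
            return "locked", None                    # brute-force limit from Table II
        if not self.in_range(clicked, record["secret"]):
            record["failures"] += 1
            return "location-mismatch", None
        record["failures"] = 0
        return "ok", record["secret"]


def demo():
    """Constructed image bytes stand in for the 24-bit bitmap Ix; S is (120, 80)."""
    server = AuthServer()
    image = b"constructed stego image bytes"
    server.register(image, (120, 80))
    return [
        server.authenticate(image, (125, 77)),               # within 10 px: accepted
        server.authenticate(image, (140, 80)),               # 20 px off: rejected
        server.authenticate(b"edited image", (120, 80)),     # hash no longer registered
    ]
```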
RELATED WORK
Addressing the security issues in authentication, researchers have worked on two branches: upgrading the alphanumeric password scheme by using policies and complex passwords, or alternative authentication schemes, predominantly graphical passwords.
The iPass framework [12] is one of the schemes in which users are required to follow password policies; these ensure stronger and more usable passwords, help users memorize their passwords easily and resist brute force and rainbow attacks, but such passwords are still vulnerable to phishing attacks and social engineering attacks.
Graphical password schemes [13], such as grid-based drawing schemes, have widely replaced alphanumeric passwords in mobile device authentication, but there is no evidence of any graphical password scheme being used to authenticate web applications.
Another scheme which inspired the proposed authentication scheme is the use of digital objects as passwords [14]. The key theory is to use hash values of digital objects to generate stronger strings and use them as passwords, which are particularly named object-based passwords.
As the above shows, applying policies to alphanumeric passwords addresses only a few attacks, such as dictionary attacks, whereas the proposed imageAuth scheme addresses an extensive range of attacks. Graphical passwords also do not solve the problem of single authentication for multiple online accounts, and some graphical password schemes require users to memorize multiple graphical chunks, which creates usability issues.
TABLE II. SUMMARY OF ADDRESSED ATTACKS
Phishing Attacks: Partially Eliminated
Dictionary Attacks: Fully Eliminated
Brute Force: Eliminated by limiting the attempts
Faking: Not possible; will corrupt the content
Shoulder Surfing: Partially Eliminated
Content Injection: Fully Eliminated
None of the above schemes solves the problem of redundant user profile information across web sites; imageAuth proposes a way of handling it.
SECURITY ANALYSIS
In this section the security of the proposed imgAuth authentication scheme is analysed in comparison with password-based schemes. Considering attacks on the steganography image, the possibility of breaking the content depends on the algorithm used to hide the data. A wide range of tools are designed to detect content hidden by LSB-steganography-based algorithms, but the retrieval of the hidden content still depends on cryptanalysis and reverse engineering of the steganography algorithm.
Phishing Attacks: Phishing is a specific attack designed to steal user authentication details. This attack can also be applied to the proposed scheme, and the attacker will be able to obtain the authentication image, but without knowing the secret coordinates, retrieving the information is not possible.
Dictionary Attacks: As authentication is not based on alphanumeric strings, dictionary attacks are fully evaded.
Brute Force and Cryptanalysis: Brute force attacks on this scheme can be defined as partially evaded. If an attacker is able to retrieve the cipher after a successful steganalysis attack, the attacker still requires the secret coordinates. Even if the attacker is able to capture the user's clicking locations on the image during the authentication process, the attacker still has to spend additional effort on cryptanalysis of the secret coordinates, as
$$c = \text{Secret Location} \pm (\text{upper bound or lower bound})$$
Faking: Creating fake images with the same visual representation, or editing the image, corrupts the binary sequence, so attacks using fake images are voided.
Social Engineering: Social engineering schemes such as shoulder surfing are still not entirely eliminated, as attackers can observe the secret coordinates. This can be avoided by using images with rich graphical content and avoiding common locations in the image.
Correspondingly, guessing authentication details by exploring public social profiles is totally eliminated. Man-in-the-middle attacks and content injection attacks are eliminated from the proposed scheme.
Table II shows a summary of the addressed attacks in the proposed authentication scheme.
FUTURE WORK
1) Provide migration features from alphanumeric passwords: The outdated alphanumeric password at present dominates the authentication paradigm. Users' resistance to change from alphanumeric passwords has held back the wide implementation of other authentication schemes. To overcome the problem of user resistance to change, the proposed authentication scheme can be tailored to facilitate a migration from alphanumeric passwords. Users will be able to store their username and password details in the authentication image and use the prepared image as an intermediate interface to alphanumeric-password-based systems.
2) Ability to use any image type as the authentication image: Presently the authentication system only supports 24-bit bitmap images. The cause of the limited choice of image format is that the algorithm currently used to secure the data using steganography is an image-domain-based algorithm which alters the least significant bit (LSB). File formats such as PNG and JPEG are vector-based images, which image-domain-based steganography algorithms do not support.
Implementation of steganography algorithms which support both image-domain and transform-domain images will advance the system to use a large base of image formats.
CONCLUSIONS
Presently, password-based schemes have several major drawbacks, but they are still widely used because no proper alternative frameworks have been suggested. The proposed scheme solves the issue of password schemes' exposure to their attack base, and, mainly, current alternative authentication frameworks do not address the issue of user profile redundancy in online services, which the proposed imageAuth scheme addresses.
At present steganography is used only for secret communications, which leans heavily toward unethical communications. This project focuses on an alternative use of steganography in user authentication research. We think that steganography techniques can be used to address more real-world problems in other research areas as well.
ACKNOWLEDGMENTS
We would like to specially thank attune Consulting for the encouragement provided for conducting the research and the financial grant provided for this publication.
The authors would like to thank the researchers who provided us with valuable feedback and improvements on the project: Professor Ron Rivest from Massachusetts Institute of Technology (MIT), Professor Rob Shaw from Staffordshire University, Professor Ross Anderson from University of Cambridge and Mr. Cormac Herley from Microsoft Research.
We would also like to thank Kevin Haley from Symantec Corporation for sharing their research details on password behaviors, which helped to improve this project.
REFERENCES
[1] O. Billet and H. Gilbert, "Cryptanalysis of rainbow," in Security and Cryptography for Networks, pp. 336-347.
[2] S. Murphy, "The return of the boomerang," 2009.
[3] T. Jakobsen and L. R. Knudsen, "The interpolation attack on block ciphers," in Fast Software Encryption. Springer-Verlag, 1997, pp. 28-40.
[4] M. Kumar, T. Garfinkel, D. Boneh, and T. Winograd, "Reducing shoulder-surfing by using gaze-based password entry."
[5] J. Madison, S. D. Dickman, and S. D. Dickman, "An overview of steganography," 2007.
[6] K. Haley, "Survey: Symantec corporation password survey," 2011.
[7] A. A. Martina, A. Adams, M. A. Sasse, and P. Lunt, "Making passwords secure and usable," 1997.
[8] A. Gupta and R. Garg, "Detecting LSB steganography in images."
[9] R. C.-W. Phan, "Related-key attacks on triple-DES and DESX variants," in Topics in Cryptology - The Cryptographers' Track at RSA Conference (CT-RSA 04), T. Okamoto, Ed., LNCS 2964. Springer, 2004, pp. 15-24.
[10] Federal Information Processing Standards, "Announcing the advanced encryption standard (AES)."
[11] N. F. Johnson and S. Jajodia, "Steganalysis: The investigation of hidden information," in IEEE Information Technology Conference, 1998, pp. 113-116.
[12] D. Kulkarni and F. C. Sells, "Demo: iPass framework to create secure and usable passwords," in The 16th ACM Conference on Computer and Communications Security (CCS), 2009.
[13] I. Jermyn, A. Mayer, F. Monrose, M. K. Reiter, and A. Rubin, "The design and analysis of graphical passwords," in 8th USENIX Security Symposium, 1999, pp. 1-14.
[14] M. Mannan and P. C. van Oorschot, "Digital objects as passwords."