ABSTRACT
Authentication is unavoidable in any environment where sensitive information is handled. When accessing resources via the Internet, the most common means of identification required for authentication is the user's identity together with a secret passphrase known as a password. Studies have shown that graphical passwords, which use images/pictures/objects, were born out of the trivial passwords generated by users because of their inability to remember complex text-based passwords. A graphical password is stronger and increases memorability. However, graphical-based passwords face several challenges, including a high storage requirement for all the images/pictures/objects, no assistance for users in browsing through an array of images/pictures/objects, and vulnerability to shoulder surfing attacks.
This work develops a graphical authentication scheme for web-based applications that tackles the aforementioned issues by using a cued-recall technique which utilizes a grid populated with pairs of values and a set of coloured rows and columns. A shoulder-surfing-resistant interface was designed to assist users in generating a robust password. To improve the security of the system, a One-Time Password (OTP) was used. The technologies and tools used were the Apache web server, the MySQL database management system and PHP Hypertext Pre-processor (PHP), all running on the WAMP platform, together with Hypertext Markup Language (HTML), Cascading Style Sheets (CSS) and JavaScript.
The graphical authentication scheme was evaluated using the Magic Triangle evaluation model. The results showed that the password space and entropy were 2.61×10^4 and 14.39 respectively. The scheme showed a level of resistance of about 85% towards shoulder surfing attacks.
The study concluded that the graphical authentication scheme has a high level of resistance against shoulder surfing attacks but a low password space and entropy, making it vulnerable to brute force attacks. It is therefore recommended for use in environments where shoulder surfing is inevitable, and an additional security mechanism should be added to reduce its vulnerability to brute force attacks. It can also be used as a Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA).
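The abstract reports the scheme's password space and entropy and concludes from them that brute force is the residual risk. The following Python script, added here as an illustration and not taken from the thesis, shows how those two quantities relate for any grid-based scheme and how a defender can turn them into a guess budget for rate limiting. The grid size, password length and attack rate used in the demonstration are assumed values chosen for the example, not the thesis's own parameters.

```python
import math


def password_space(cells: int, length: int, allow_repeat: bool = True) -> int:
    """Number of distinct passwords when a password is an ordered sequence of
    `length` selections from `cells` grid positions (or, for a text password,
    `cells` = alphabet size and `length` = number of characters)."""
    if cells <= 0 or length <= 0:
        raise ValueError("cells and length must be positive")
    if allow_repeat:
        return cells ** length
    if length > cells:
        raise ValueError("cannot select more distinct cells than the grid has")
    return math.perm(cells, length)  # ordered selection without repetition


def entropy_bits(space: int) -> float:
    """Entropy of a password drawn uniformly from `space` possibilities."""
    if space <= 0:
        raise ValueError("space must be positive")
    return math.log2(space)


def expected_guesses(space: int) -> float:
    """Average number of guesses an attacker needs against a uniformly chosen
    password when trying candidates in any fixed order."""
    return (space + 1) / 2


def brute_force_hours(space: int, guesses_per_second: float) -> float:
    """Expected wall-clock hours to recover one password at the given online
    guessing rate; the rate is whatever the server's throttling permits."""
    if guesses_per_second <= 0:
        raise ValueError("rate must be positive")
    return expected_guesses(space) / guesses_per_second / 3600


def attempts_to_allow(space: int, target_success_probability: float) -> int:
    """Largest number of failed attempts a server can permit per account before
    an attacker's chance of a hit reaches `target_success_probability`."""
    if not 0 < target_success_probability < 1:
        raise ValueError("probability must be strictly between 0 and 1")
    return int(target_success_probability * space)


if __name__ == "__main__":
    # Assumed scheme for the demonstration: a 6x6 grid, password of 3 cells.
    grid_cells, pw_len = 36, 3
    space = password_space(grid_cells, pw_len)
    print(f"grid space   = {space}  ({entropy_bits(space):.2f} bits)")
    # Assumed attacker budget: 10 online guesses per second if unthrottled.
    print(f"expected time at 10/s = {brute_force_hours(space, 10):.2f} h")
    # Defensive budget: cap failures so the attacker's hit chance stays < 0.1%.
    print(f"failed attempts to allow per account = {attempts_to_allow(space, 0.001)}")
    # Contrast with an 8-character lowercase text password.
    text_space = password_space(26, 8)
    print(f"text space   = {text_space}  ({entropy_bits(text_space):.2f} bits)")
```

The entropy figure alone does not decide whether brute force is practical; the guessing rate the server permits does. `attempts_to_allow` makes that explicit: for a space in the tens of thousands, only a few dozen failures per account can be tolerated before lockout or the OTP step must intervene, which is the "additional security mechanism" the abstract recommends.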
CHAPTER ONE
INTRODUCTION
1.1 Background to the Study
Networking in computer science is simply the connection of multiple electronic devices, known as nodes, for the purpose of exchanging information; the concept grew out of the need for people to connect and share information (which may be in the form of voice, video or data). The largest network in the world is the Internet, described as a collection of a vast mixture of networks differing in topology, architecture and communication technology which nevertheless utilize a common set of protocols to offer certain services. In short, it is termed the network of networks (Ciubotaru & Muntean, 2013; Forcht & Fore, 1995). The Internet has aided many major advancements and developments in our society today. The number of Internet users has grown at an alarming rate, from 400 million in 2000 to more than 3 billion in 2015 (International Telecommunication Union, 2015).
Many organizations utilize the World Wide Web (WWW), one of the major and most widely used services of the Internet, to share information. The World Wide Web is an information space in which relevant items, known as resources (e.g. image, audio, video or any other file), are identified by global identifiers called Uniform Resource Identifiers (URIs) (Berners-Lee et al., 2004); in 2001 Google, a multinational technology company, announced that it provided customers direct access to 3 billion web documents on the Internet (Googlepress, 2001).
This technical wizardry of communication around the world has begotten the proliferation of computers and other ubiquitous devices since the 1960s and, with it, a demand for organizations to protect their digital information from unauthorized users while providing services to authorized users. The concern to protect information arises because the Internet is a fully decentralized network that depends on voluntary cooperation between thousands of network administrators throughout the world to provide individuals with access to this network of tremendously varied resources. Thus, the Internet is a public network owned by no one, and sensitive information should be made exclusive to only the rightful recipient (Forcht & Fore, 1995; Menezes, Van Oorschot & Vanstone, 1997).
Furthermore, by the very nature of the Internet, access is very easy, attracting individuals of different kinds and with different aims. While some individuals aim to share information, others tend to conduct malicious activities. As a result, information security is of great importance to any service provider. Information security can be described as actions that implement services which assure adequate protection for information systems used by or hosted within an organization. In this description, services are technical or managerial methods used with respect to the information being protected; information systems are computer systems or communication systems that handle the information being protected; and protection implies the conjunction of integrity, confidentiality, authenticity and availability (Shimeall & Spring, 2014).
Confidentiality, availability, data integrity and authentication are a few of the major security properties provided by information security in ensuring the reliability of information. The importance of each of these varies depending on the type of organization (e.g. confidentiality will be of most importance to the military). Authentication is related to identification and is the most fundamental procedure for ensuring security and granting users access to sensitive web resources over the Internet. The most utilized and popular authentication method is text-based password authentication, which requires a valid user ID (identity) and password in order to prevent unauthorized access (Liao & Lee, 2010; Menezes et al., 1997). This mechanism is easy and inexpensive to implement; however, such static passwords come with major security drawbacks. For example, users tend to choose easy-to-guess passwords, reuse the same password across multiple accounts, and write passwords down or store them on their machines, making them susceptible to numerous attacks including dictionary attacks, brute force attacks, phishing attacks, shoulder surfing, etc. (Prakash, Infant & Shobana, 2010).
This trivial-password habit among users has become a bedrock for computer hackers/crackers; therefore, the focus of this work is to create a platform that enables users to generate a stronger password that is easy to remember and use but difficult for unauthorized personnel to obtain.
1.2 Statement of the Problem
Over the years, other authentication methods have been developed which involve the use of a secondary object (token-based authentication) or a biometric system (biometric-based authentication) (Abdulkader, Ayman & Mostafa, 2015). Though more secure, these methods require more infrastructure/equipment.
Since the mid-1990s, several graphical-based password schemes have been developed with the aim of strengthening security and enhancing password memorability (Alsaiari, Papadaki, Dowland & Furnell, 2016). A graphical password is based on the use of images/pictures rather than text. The idea of graphical passwords has stirred several experiments, theories and assumptions showing that items presented as pictures are easier to remember than items presented as words. Thus, the picture superiority effect appears to significantly increase memorability (Paivio, 1991; Standing, Conezio & Haber, 1970). Graphical-based passwords provide some benefits such as enlarging the password space (in some graphical authentication schemes), reducing the choice of trivial passwords, and making it difficult to share and write down passwords (Golofit, 2007). However, this method is still vulnerable to various types of attacks, especially shoulder surfing (Biddle, Chiasson & Oorschot, 2011). In addition, in some graphical schemes users have to browse through the entire set of images/pictures/objects, and since pictures are larger than text, the server is expected to allocate a considerable amount of space to store them (Wiedenbeck, Waters, Birget, Brodskiy & Memon, 2005).
Therefore, this research proposes a graphical authentication scheme that increases memorability, is resistant to shoulder surfing, aids searching, and requires no upload of pictures/images during registration and authentication.
1.3 Objective of the Study
The main objective of this study is to develop a secure graphical authentication scheme for web-based applications. The specific objectives are to:
1. present a comparative analysis of existing graphical authentication techniques;
2. design a shoulder-surfing-resistant graphical technique for generating a user's graphical password;
3. perform a One-Time Password challenge-response for every authentication; and
4. evaluate the password space, entropy and resistance to shoulder surfing attacks.
1.4 Methodology
To achieve the set objectives, existing graphical authentication schemes were analysed for improvements. HTML (HyperText Markup Language), CSS (Cascading Style Sheets) and JavaScript (front and back end) were utilized for the design of the authentication scheme, the interaction between client and server, and the generation of the graphical password.
Storage of users' credentials, handling of the One-Time Password and performing authentication were done by the application suite WAMP (Windows, Apache, MySQL, PHP). The scheme was evaluated using the Magic Triangle evaluation model.
1.5 Significance of the Study
This research provides a graphical environment that assists users in implementing a robust password and increases memorability, optimizes the storage utilization of the server, makes it impractical to share the password (and therefore resists phishing attacks), and contributes to the existing solutions which researchers have developed for mitigating attacks such as dictionary, brute force and, most especially, shoulder surfing attacks.
1.6 Scope of the Study
The study focused on the development of an authentication scheme for the identification and authorization of users accessing web systems/applications, particularly on the interface that interacts with the user in generating unique passwords. In addition, given the size of the image (in terms of height and width) utilized for this research, a device with a screen size of at least about 650 by 450 pixels is required in order to display the work in full. The research covers the aspects of user registration and authentication.
Item Type: Project Material | Size: 75 pages | Chapters: 1-5