Key logging-resistant Visual Authentication
The design of secure authentication protocols isquite challenging, considering that various kinds of root kitsreside in PCs (Personal Computers) to observe user’s behavior and to make PCs untrusted devices. Involving human inauthentication protocols, while promising, is not easy becauseof their limited capability of computation and memorization.Therefore, relying on users to enhance security necessarilydegrades the usability. On the other hand, relaxing assumptionsand rigorous security design to improve the user experiencecan lead to security breaches that can harm the users’ trust.In this paper, we demonstrate how careful visualization designcan enhance not only the security but also the usability ofauthentication. To that end, we propose two visual authenticationprotocols: one is a one-time-password protocol, and the otheris a password-based authentication protocol. Through rigorousanalysis, we verify that our protocols are immune to many of thechallenging authentication attacks applicable in the literature.Furthermore, using an extensive case study on a prototype ofour protocols, we highlight the potential of our approach forreal-world deployment: we were able to achieve a high level ofusability while satisfying stringent security requirements.
PROJECT OUTPUT VIDEO:
Whenever a user types in her password in a bank’s signin box, the keylogger intercepts the password. The threat of such keyloggers is pervasive and can be present both in personal computers and public kiosks; there are always cases where it is necessary to perform financial transactions using a public computer although the biggest concern is that a user’s password is likely to be stolen in these computers. Even worse, keyloggers, often rootkitted, are hard to detect since they will not show up in the task manager process list.
DISADVANTAGES OF EXISTING SYSTEM:
- It is non Security for Stored data
- Security level is low
Our approach to solving the problem is to introduce an intermediate device that bridges a human user and a terminal. Then, instead of the user directly invoking the regular authentication protocol, she invokes a more sophisticated but user-friendly protocol via the intermediate helping device. Every interaction between the user and an intermediate helping device is visualized using a Quick Response (QR) code. The goal is to keep user-experience the same as in legacy authentication methods as much as possible, while preventing keylogging attacks.
ADVANTAGES OF PROPOSED SYSTEM:
- It Support reasonable Image security and usability and appears to fit well with some practical applications for improving online security.
- System Model
- Linear and Matrix Barcodes
- Message signing
- Prevention of Session Hijacking with Visual Signature Validation
- System Model:
Our system model consists of four different entities (or participants), which are a user, a Smartphone, a user’s terminal, and a server. The user is an ordinary human, limited by human’s shortcomings, including limited capabilities of performing complex computations or remembering sophisticated cryptographic credentials, such as cryptographically strong keys. With a user’s terminal such as a desktop computer or a laptop, the user can log in a server of a financial institution (bank) for financial transactions. Also, the user has a Smartphone, the third system entity, which is equipped with a camera and stores a public key certificate of the server for digital signature verification. Finally, the server is the last system entity, which belongs to the financial institution and performs back-end operations by interacting with the user (terminal or Smartphone) on behalf of the bank.
- Linear and Matrix Barcodes :
A barcode is an optical machine-readable representation of data, and it is widely used in our daily life since it is attached to all types of products for identification. In a nutshell, barcodes are mainly two types: linear barcodes and matrix (or two dimensional, also known as 2D) barcodes. While linear barcodes—have a limited capacity, which depends on the coding technique used that can range from 10 to 22 characters, 2D barcodes—have higher capacity, which can be more than 7000 characters. For example, the QR code— a widely used 2D barcode—can hold 7,089 numeric, 4,296 alphanumeric, or 2,953 binary characters, making it a very good high-capacity candidate for storing plain and encrypted contents alike.
- Message signing :
For the generality of the purpose of this protocol and the following protocols, and to prevent the terminal from misrepresenting the contents generated by the server, one can establish the authenticity of the server and the contents generated by it by adding the following verification process. When the server sends the random permutation to the user, it signs the permutation using the server’s private key and the resulting signature is encoded in a QR code. Before decrypting the contents, the user establishes the authenticity of the contents verifying the signature against the server’s public key. Both steps are performed using the Sign and Verf algorithms. Verification is performed by the smart phone to avoid any man-in-the-middle attack by the terminal.
- Prevention of Session Hijacking with Visual Signature Validation:
1) A user requests via terminal to the server money transfer denoted as T that describes sender name/account, recipient name/account, a timestamp, and amount of money to transfer.
2) The server checks the ID to retrieve the user’s public key (PKID) from the database. Then, it picks a fresh OTP to prepare,PrK is a signing key of the server. Then, it sends QR to the user to authorize the transaction.
3) On the terminal, a QR code QR is displayed prompting the user to type in the OTP string.
4) The user decodes the QR code to get with her smartphone application. Here the application verifies the time stamp and the signatureto show the result (Valid/Invalid) on the screen with the decrypted OTP and T. If the application fails to validate the signature, it doesshow neither the decrypted OTP nor T, but displays an error message to alert the user. When the user is confirmed with the signature verification result and with T, she inputs the OTP to the terminal, which is sent back to the server.
5) The server checks the result and if it matches with the OTP that the server has sent earlier, the user is authenticated. Otherwise, the user is denied.
- System : Pentium IV 2.4 GHz.
- Hard Disk : 40 GB.
- Floppy Drive : 44 Mb.
- Monitor : 15 VGA Colour.
- Mouse : Logitech
- Ram : 512 Mb.
- Operating system : Windows XP/7.
- Coding Language : net, C#.net
- Tool : Visual Studio 2010
- Database : SQL SERVER 2008