Computer hacking, website hacking and other security-compromising threats are major factors troubling anti-cybercrime agencies these days, and they are likely to rise even further in the near future. Security has become a major concern with the increasing use of the internet for monetary transactions and sensitive communications. The availability of vast data stores online further increases the demand for online security.
Having a username and password cannot guarantee the safety of data in today’s world. Something more than just a username and password is needed. At the same time it should not be too difficult to remember, and it should have a low chance of being misused or stolen.
So the main objective of developing this system must be that a person accessing his system from anywhere in the world is guaranteed that no one can crack his password by any available means and that his system is resistant to hacking. The work starts with an analysis of the current risks, threats and vulnerabilities in the web environment, including all the potential attacks that can be carried out to compromise a user’s password. The last step is to close these vulnerabilities with smart solutions.
We will first study some potential threats to the current system. These include password theft, dictionary attacks, brute force attacks, man-in-the-middle attacks, keystroke logging and more. A password is nothing more than a string of characters. When a user enters a password, an attacker may try to capture it on the user’s computer or while it travels over the wire. Dictionary attacks and brute force attacks use different techniques to try exhaustive combinations of letters, digits and special characters to crack passwords. A man-in-the-middle attack is staged by acting as an intermediary between two parties. Consider a client-server communication where an attacker talks to the server on behalf of the client: the client thinks it is communicating directly with the server, whereas it is actually sending its data to the attacker, who monitors it and forwards it to the server. Keystroke logging software may directly record the user’s username and password as he or she types them on the keyboard.
To overcome the problems discussed above, a system that uses multi-factor authentication is needed.
- The technique used to overcome keystroke loggers, screen capturing software, spyware and spy cameras is that the user selects one image from the 25 images in the image grid.
- The selected image carries a hidden string that becomes part of the password without the user knowing about it.
- The location of the image is noted with respect to the frame, i.e. (x,y).
- Similarly, the user selects two more images on two further image grids, each of which again adds a hidden string to the password without the user knowing about it.
- Together, these three images form a combination of strings which is used to decrypt the user password.
- The location of each image is noted with respect to its frame, i.e. Image1 = (x,y), Image2 = (x1,y1), Image3 = (x2,y2).
- To log into the system the user must remember the three images he assigned when creating his account.
- The user has to overlap these three images as shown in the figure below. The user moves the image grids with key combinations: the first grid is moved with the Arrow keys, the second with Alt+Arrow keys and the third with Ctrl+Arrow keys.
- After overlapping the images the user presses the Enter key, which extracts the hidden strings from the overlapped images and starts the decryption process using the DES algorithm.
- The password is automatically filled into the password box, which is locked and cannot be edited by the user.
- Even when someone tries to watch your password being entered, it is quite difficult for the eavesdropper to make out your set of images, since a number of images are being overlapped at the same time.
- Also, if a keystroke logger is installed on your system, all it can record is the combination of keys pressed, which will contain Arrow, Alt and Ctrl keys. But because the images appear at random locations every time the image grid is loaded, the same combination will not work a second time.
- The user can also overlap the images in empty space, leaving the screen area blank. Now, even if there is screen capturing software or a spy camera, the images used as the password cannot be identified.
- The position of each grid is then calculated with respect to an index point on the screen, which is what makes it possible for the user to overlap his images in empty space.
- The decryption process will not start until the correct images are overlapped, so even a strong brute force attack will not be able to crack the password.
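The grid geometry described above, written out as an added Go example (not code from the page or the system it describes): three 5x5 grids placed relative to the index point, the Arrow-key moves needed to bring the enrolled images over one another, and the Enter-key check that releases the hidden strings only when the right images coincide. Grid size, field names, positions and the sample hidden strings are assumptions of this example; the server is assumed to choose each grid's Pos at random per login.

```go
package main

// Grid is one 5x5 image grid. Pos is where its top-left image sits on screen,
// measured from a fixed index point (chosen at random for every login);
// Hidden is the string behind each image. All of these names are assumptions.
type Grid struct {
	Pos    [2]int
	Hidden [5][5]string
}

// Enrolled is the account record: the image cell (x,y) chosen on each grid.
type Enrolled [3][2]int

// onScreen maps a cell of grid g to its position on screen.
func onScreen(g Grid, cell [2]int) [2]int {
	return [2]int{g.Pos[0] + cell[0], g.Pos[1] + cell[1]}
}

// shift moves one grid by d, which is what the Arrow, Alt+Arrow and
// Ctrl+Arrow combinations do for grids 1, 2 and 3.
func shift(g *Grid, d [2]int) { g.Pos[0] += d[0]; g.Pos[1] += d[1] }

// movesNeeded is the (dx,dy) the user must apply to grids 2 and 3 to bring
// the enrolled images over the enrolled image of grid 1. This is all a
// keystroke logger could record, and it changes with every random layout.
func movesNeeded(grids [3]Grid, e Enrolled) [2][2]int {
	target := onScreen(grids[0], e[0])
	var m [2][2]int
	for i := 1; i < 3; i++ {
		cur := onScreen(grids[i], e[i])
		m[i-1] = [2]int{target[0] - cur[0], target[1] - cur[1]}
	}
	return m
}

// extractKeyMaterial runs when Enter is pressed: it checks that the three
// enrolled images now overlap at one screen point and only then returns
// their concatenated hidden strings, the material the DES step is keyed from.
func extractKeyMaterial(grids [3]Grid, e Enrolled) (string, bool) {
	ref := onScreen(grids[0], e[0])
	key := ""
	for i, g := range grids {
		if onScreen(g, e[i]) != ref {
			return "", false
		}
		key += g.Hidden[e[i][0]][e[i][1]]
	}
	return key, true
}
```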
The solution to the problem of an attacker already being inside the database is to modify the design.
- The technique used to overcome the problem of an insider is designed in such a manner that even a person working for the organization who has access to the database cannot figure out which images the user selected or what the encryption key is.
- The EPwd field in the database contains all the information about the password, i.e. the image keys and the co-ordinates of the images, so a user accessing the database cannot figure out the actual password.
- The encrypted password stored in the database is of no use to the hacker, since the way the password is decrypted depends solely on the image overlapping process and the DES algorithm, which computes the actual password.
To overcome the weak encryption problem and weak password selection by the user, the following technique is implemented.
- The user password is created using the DES algorithm, where the password suggested by the user is just a key to the encryption. So no matter what password the user chooses, the final password will be long enough and alphanumeric.
- The weak encryption problem is taken care of by the DES algorithm implementation.
- DES is a block cipher, meaning it operates on plaintext blocks of a fixed size (64 bits) and returns ciphertext blocks of the same size. DES thus defines a permutation of the 2^64 possible arrangements of 64 bits, each of which may be either 0 or 1. Each 64-bit block is divided into two 32-bit halves, a left half L and a right half R. (This division is only used in certain operations.)
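The DES step of the scheme, as an added Go example built on the standard library’s crypto/des and not taken from the page’s system: the hidden strings from the overlapped images are hashed down to the 8-byte key DES needs (an assumed derivation, since the page does not say how the strings become a key), the stored EPwd is the DES ciphertext of the user’s password, and login decrypts it and checks the padding. DES’s 56-bit effective key is no longer considered secure; it appears here because the scheme specifies it.

```go
package main

import (
	"crypto/des"
	"crypto/sha256"
	"encoding/hex"
)

// desECB hashes the hidden strings from the overlapped images down to the
// 8-byte DES key (assumed derivation) and runs DES one 64-bit block at a time;
// plain block-by-block (ECB) use is kept only to mirror the text's description.
func desECB(material string, in []byte, decrypt bool) []byte {
	sum := sha256.Sum256([]byte(material))
	c, _ := des.NewCipher(sum[:des.BlockSize]) // key is always 8 bytes here
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += des.BlockSize {
		if decrypt {
			c.Decrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		} else {
			c.Encrypt(out[i:i+des.BlockSize], in[i:i+des.BlockSize])
		}
	}
	return out
}

// enroll builds the EPwd value stored in the database: the user's password,
// PKCS#7-padded to whole blocks and encrypted under the image key, as hex.
func enroll(material, password string) string {
	pt := []byte(password)
	n := des.BlockSize - len(pt)%des.BlockSize
	for i := 0; i < n; i++ {
		pt = append(pt, byte(n))
	}
	return hex.EncodeToString(desECB(material, pt, false))
}

// login is the Enter step: decrypt EPwd under the key rebuilt from the
// overlapped images. Wrong images yield random bytes, so the padding check
// fails and no password is released; a malformed EPwd is rejected as well.
func login(material, epwd string) (string, bool) {
	ct, err := hex.DecodeString(epwd)
	if err != nil || len(ct) == 0 || len(ct)%des.BlockSize != 0 {
		return "", false
	}
	pt := desECB(material, ct, true)
	n := int(pt[len(pt)-1])
	if n == 0 || n > des.BlockSize || n > len(pt) {
		return "", false
	}
	return string(pt[:len(pt)-n]), true
}
```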
Thus, by eliminating all these security threats, we get a secure login system that protects the user’s data from falling into the wrong hands.