Namitha Balan
Department of Computer Science
Adi Shankara Institute Of Engineering And Technology, Kalady

Sunder V
Asst. Professor (Dept of Computer Science)
Adi Shankara Institute Of Engineering And Technology, Kalady

Abstract – The extraordinary growth of online banking and e-commerce systems has led to a huge increase in the number of usernames and passwords managed by individual users. Memorizing usernames and passwords for many accounts becomes a cumbersome and inefficient task. As users are required to remember more, longer, and changing passwords, it is evident that a more convenient and secure solution to user authentication is necessary. Conventional static username and password protocols suffer from various security issues: leaking or compromising one account can allow an attacker to infiltrate other systems and endanger users' security and privacy. This paper proposes an efficient and practical user authentication scheme using personal devices that utilizes different cryptographic primitives such as encryption, digital signatures, and hashing. It is not only secure against password-related attacks, but can also resist replay attacks, shoulder-surfing attacks, phishing attacks, and data breach incidents.

Keywords: Security, authentication.
I. INTRODUCTION

Traditional authentication schemes such as the username/password combination pose a serious threat to online banking services, financial systems, and their users. Most current authentication systems assign, or allow a user to choose, a static and unique user id that acts as a label. This static label is typically attached to the user for a long time. Unfortunately, users tend to use the same user id on many different websites and systems. This common practice can lead to security risks such as insider attacks: malicious administrators or insiders who have access to username and password tables can leverage that information to access other services and websites.
In this paper, we demonstrate how smart personal devices can enhance not only security but also user experience, by proposing one-time username authentication coupled with a secure verification code for each login session. The user does not have to memorize many usernames or recall complex passwords.

II. PROPOSED METHODOLOGY

Components of the system model:

· Client: the registered devices and the user's terminal.
· Server.

Registered devices: a smart personal device that performs the cryptographic operations.
User's terminal: an electronic device used to log in to the server and perform transactions.
Server: an entity that performs cryptographic processing and verification.

Fig. 1: Ticket information

The ticket information is described as follows.
1) One-time username (OTU): generated randomly by the registered device.
2) Session key: the registered device (e.g. a smartphone) randomly generates a session key for each login session.
3) Ticket validity period (TVP): limits the lifespan of a ticket.
4) Timestamp: the time instant at which the registered device issues a ticket.
5) Access control list (ACL): the list of permissions attached to a ticket.

Fig. 2: The system model of the proposed design

The working of the proposed methodology is as follows:

1. The user first sends a ticket request to the registered device. The registered device generates a ticket M with the following information: a randomly generated one-time username OTU, a randomly generated session key k, a timestamp T, the required permission ACL, and the specified ticket validity period TVP.
2. The registered device signs the login ticket using its private key d1 to get the signature σ, and then encrypts the login ticket using the server's public key e2.
3. The registered device sends the encrypted ticket to the server over the GSM network or the Internet. This message acts as a secure notification to the server that the client intends to log in within a few minutes. Once the encrypted ticket is received, the server decrypts it using its private key d2 to obtain the ticket information and the signature σ.
4. The server stores all the ticket information and logs it in its user login list ULL; the server also verifies the signature σ using the registered device's public key e1.
5. The user logs in to the server using OTU within the ticket validity period TVP.
6. The server randomly generates a verification code VC and encrypts it using the session key k. The server sends the encrypted verification code Enc_k(VC) to the registered device, which decrypts the message using the session key k.
7. The user enters the verification code at the server; the server verifies the entered verification code and authorizes the user based on the ticket permission ACL.
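The seven-step exchange above, as an added example that is not part of the original paper: a Python simulation of the registered device and the server. An HMAC-SHA256 tag under a constructed shared key stands in for the device's signature σ under d1/e1, and a toy HMAC-keystream XOR cipher stands in for both the public-key encryption under e2/d2 and the session-key encryption Enc_k(VC); the server checks σ, rejects a replayed OTU, enforces TVP, and releases the ACL only after the correct VC is entered.

```python
import hashlib, hmac, json, os

# Constructed keys (assumptions of this example): K_SIGN replaces the device key pair d1/e1, K_WRAP the server pair d2/e2.
K_SIGN = os.urandom(32)
K_WRAP = os.urandom(32)

def keystream_xor(key, nonce, data):
    """Toy stream cipher (XOR with an HMAC-SHA256 keystream); stand-in for Enc()/Dec()."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def device_issue_ticket(acl, tvp_seconds, now):
    """Steps 1-3: build M = (OTU, k, T, ACL, TVP), sign it, wrap it for the server."""
    ticket = {"OTU": os.urandom(8).hex(), "k": os.urandom(16).hex(), "T": now, "ACL": acl, "TVP": tvp_seconds}
    m = json.dumps(ticket, sort_keys=True)
    sigma = hmac.new(K_SIGN, m.encode(), hashlib.sha256).hexdigest()
    env = json.dumps({"m": m, "sigma": sigma}).encode()
    nonce = os.urandom(16)
    return nonce + keystream_xor(K_WRAP, nonce, env), ticket

class Server:
    def __init__(self):
        self.ull = {}  # user login list ULL, keyed by one-time username
    def receive_ticket(self, blob):
        """Steps 3-4: unwrap, verify sigma, reject a replayed OTU, log the ticket in ULL."""
        env = json.loads(keystream_xor(K_WRAP, blob[:16], blob[16:]))
        expected = hmac.new(K_SIGN, env["m"].encode(), hashlib.sha256).hexdigest()
        t = json.loads(env["m"])
        if not hmac.compare_digest(env["sigma"], expected) or t["OTU"] in self.ull:
            return False
        self.ull[t["OTU"]] = dict(t, vc=None, used=False)
        return True
    def login(self, otu, now):
        """Steps 5-6: OTU must be logged, unused and within TVP; return Enc_k(VC)."""
        t = self.ull.get(otu)
        if t is None or t["used"] or now > t["T"] + t["TVP"]:
            return None
        t["vc"] = "%06d" % (int.from_bytes(os.urandom(4), "big") % 10**6)
        nonce = os.urandom(16)
        return nonce + keystream_xor(bytes.fromhex(t["k"]), nonce, t["vc"].encode())
    def verify_code(self, otu, entered):
        """Step 7: compare VC, mark the ticket used, return the ACL as the authorization."""
        t = self.ull.get(otu)
        if t is None or t["vc"] is None or t["used"] or not hmac.compare_digest(t["vc"], entered):
            return None
        t["used"] = True
        return t["ACL"]
```

The device-side step 6 is the same keystream_xor call with the session key k taken from the ticket it issued.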
III. CONCLUSION

This paper demonstrates how smart personal devices can enhance not only security but also user experience, by proposing one-time username authentication coupled with a secure verification code for each login session. The scheme does not require an authentication server to maintain static username and password tables for identifying and verifying the legitimacy of users logging in. It also paves the way for user-centric access control and helps to minimize the risks of many attacks.