Having been a core feature of IT systems for several decades, passwords continue to represent both one of the most familiar and most maligned aspects of security technology. While their potential weaknesses have been well recognized mainly over the past decade, no permanent solution has come up yet as in terms of all-round usage and applicability. Shoulder surfing, simple guessing, external eavesdropping, side channel attacks etc are the common methods which lead to password leakages. The situation gets worse when a user puts a very obvious password which can be easily guessed by anyone knowing the person even vaguely. Most systems propose to improve both identification and verification of user but this method of mind-metrics can augment the current password based systems by strengthening the identification process. Mind-metrics utilizes personal secret data instead of a login id to identify a user uniquely. The proposed system also creates a scenario where two servers cooperate to authenticate a client and if one server is compromised, the attacker still cannot pretend to be the client with the information from the compromised server. The proposed system presents a symmetric solution for two-server key encryption, where the client can establish different cryptographic keys with the two servers, respectively.
Keywords: Mindmetrics, PAKE protocol, Diffie-Hellman algorithm, ElGamal encryption algorithm, key generation, identification phase, and verification phase.
Traditionally the identification is performed with a username or login ID and the verification is done with a password. Computer systems employ an authentication mechanism to allow access only to legitimate users. The authentication procedure is composed of two parts, identification & verification. The identification is for answering the question, “who am I?”, and the verification is for answering, “Am I who I claim I am?”
While passwords are supposed to be random characters, login IDs are not random. They are used for communication or accounting purposes, and must carry a meaningful pattern. It may be part of users’ first and/or last names, part of social security number, combination of names and numbers, account number, or email addresses. Thus login IDs are publicly known or can be guessed easily. In other words, obtaining the login ID is generally not a barrier for the attackers, and the success of an attack depends on the difficulty of the password. While a great emphasis was given to the verification, i.e., password system, somewhat less attention was given to the identification, i.e., login ID. By fortifying the identification part, the overall authentication system can be strengthened.
The goal is to improve the security of the authentication system as well as verification system by supplementing it with a secure identification process. To make false login attempts difficult, our method does not use a publicly known login ID for identification. Instead it uses private information known only to the computer system and the user. This process makes the stolen password files unusable for the attackers. For password security we are using PAKE protocol to acquire secure channel and spilt the password and store it on different servers.
- Goals and Objectives
i. To provide security by means of Mindmetrics and overcome drawbacks of biometrics. This will prevent the ways of exploitation by hackers and result in a strong security system.
ii. This is a product based project to build a better and secure system without hardware dependencies.
II. Proposed System
1. Concept of Mind metrics
-Mindmetrics uses some secret data instead of human characteristics as a token to identify the user.
-It utilizes personal secret data instead of a login ID to identify a user uniquely, hence mindmetrics.
There are two parts in the Mindmetrics- based authentication process:-
i. Mindmetrics token is requested in the login page. A user specifies the token with which a computing system can identify a user account. Then the identification server looks up the registered access tokens to find a matching token and login ID.
ii. The server presents multiple login IDs to the user, with one of the login IDs being the correct login ID for the user account and some more real or fake IDs. To prevent the attackers from recognizing the login IDs, the login IDs are partially obscured. Among these partial login IDs, a legitimate user can still recognize the correct login ID and choose it.
- Above two steps are carried out in the identification phase. Once the server is identified then the conventional password verification method is used for granting the access.
- Mindmetrics-based system allows only the legitimate users to pass the identification stage. Here the password verification server is kept hidden, and users cannot access it unless they pass the identification server.
2. Algorithms used
a. Diffie-Hellman Algorithm
Diffie-Hellman Key Exchange establishes a shared secret between two parties that can be used for secret communication for exchanging data over a public network. The following conceptual diagram illustrates the general idea of the key exchange by using colors instead of very large numbers.
The process begins by having the two parties, Alice and Bob, agree on an arbitrary starting color that does not need to be kept secret (but should be different every time); in this example the color is yellow. Each of them selects a secret color-red and aqua respectively-that they keep to themselves.