(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 7, 2011
Development of enhanced token using picture password and public key infrastructure mechanism for digital signature
1
Oghenerukevwe E. Oyinloye /Achievers UniversityOwo
1
Department of Computer and Information Systems,Achievers University, OwoAchievers University, Owo, AUOOndo, Nigeria.rukkivie@yahoo.com
4
Akinbohun Folake/ Rufus Giwa Polytechnic,Owo
4
Department of Computer Science, Rufus GiwaPolytechnic, OwoRufus Giwa Polythenic, OwoOndo, Nigeria.folakeakinbohun@yahoo.com
3
Ayodeji .I. Fasiku,
2
Boniface K.Alese (PhD)
2,3
Department of Computer Science, Federal Universityof Technology, AkureFederal University of Technology, Akure, FUTAAkure, Nigeria.
3
Iretiayous76@yahoo.com,
2
kaalfad@yahoo.com
Abstract
the recent advances in actualizing a highly networkedenvironment where data is been exchanged from one person toanother electronically has given great concern for data integrity,confidentiality and security. It is stated that the exchange of information range from telephone conversation, computer files,signals e.t.c. The vulnerability of networks makes data exchangeprone to a high level of security threats. Security mechanisms arebeen employed in the transport layer but there is a need to extendsecurity mechanisms to the information/data been exchanged. Severalsecurity measures have been deployed so far Which include PINS,textual passwords (which are vulnerable to brute force, dictionaryattack, complex meaningless password), graphical passwords andPKIs to reduce the risk of loss which can be valued at great amounts,but all of these have not provided the user the convenience andinterest required to achieve full human capabilities in securing data.This paper proffers an improved solution for data security, integrityand confidentiality via the development of enhanced token for datasignature using the underlining technologies of picture passwordalgorithm and public key infrastructure.
Keyw ords-
Digital Signature, Enhanced Token Private Key, Enhanced Token Public Key, Secure Hash Algorithm, Public Key Infrastructure, Picture Password algorithm, RSA
I.
I
NTRODUCTION
The recent advances in actualizing a highly networkedenvironment where data is been exchanged from one person toanother electronically has given great concern for dataintegrity, confidentiality and security. Steven [1999] statedthat the exchange of information range from telephoneconversation, computer files, signals e.t.c.As LAN Technology continues to spread across organization,the security of documents as well as its integrity andconfidentiality is essential due to the high rate at whichnetworks are prone to several security attacks called threats.These threats range from objects, persons e.t.c.The vulnerability of documents exchange across networksmakes security threats easy. Mark [1997] stated that securitythreats are threats that break through security mechanism of anorganizations network due to the vulnerability of the network.As security mechanisms are been employed in the transportlayer, it is important to extend these security mechanisms tothe information been exchanged.It has been observed that despite the security measuresemployed so far ranging from PINS, textual passwords hasresulted in ease to generate PINs as they are mostly four-digitentry with pas 0-9digits which are vulnerable to brute forceattacks, textual passwords are vulnerable to dictionary attacks,and the use of meaningless strong passwords therebydefeating the purpose of strong passwords and the use of passwords in general, graphical passwords have beenemployed but do not ascertain the integrity, confidentiality of the data, Public Key Infrastructure (PKI) (symmetric andasymmetric) Public Key Infrastructure was developed tomanage security, confidentiality and integrity of data but it use
164http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 7, 2011
creates high cost overhead and leaves the user out of the datasecurity, confidentiality and integrity process.In the present day, information handling is moving from the eraof hardcopies to the use of electronic devices (computersystem) for the processing of data, storage and are mostlyexchanged or accessed by users in a network. Most informationare termed critical and are of great relevance that a change inthe original content of the information can result in greatdisaster or loss.Mark [1997] has described security threat as not only theft orburglary but anything that poses danger to the network. It holdsthat every organization has information as a high-level priorityasset and mostly kept electronically with the advances intechnology.Most of the systems that are autonomously interconnectedcontain information that has been referred to as assets. Mostassets have been secured by using PINS, textual passwords,Feldmier et.al 1989; Morris et.al 1979; wu 1990 observed thatpins and textual passwords are vulnerable to dictionary attacks.Graphical passwords have been also used to overcome theproblems of textual passwords and Pins but these passwordscannot ascertain the identity of the sender of a particulardocument as well as prove that the information received havenot be altered.The use of Public Key Infrastructure was developed to improveon data security, integrity and confidentiality overcoming thelimitations of textual passwords and Pins. This techniquepresents to the user no choice of responsibility to securing hisdocuments by using alphanumeric data encryption which maynot be the actual choice of the user, although the technique hasproven to be reliable over the years as the keys are most timeunforgeable, but the best choice of security is one in which theuser is largely part of. The Public Key Infrastructures availableare expensive to install and mostly platform dependent.A possible solution to these problems is the use of EnhancedToken designed to cover the limitations discussed above. Thistoken is a software application which provides a means toauthenticate users and sign documents for the purpose of integrity, confidentiality and security. This application makesthe user the prime maker as an extra measure of security.Proffering better means of securing documents as the usersinterest is the first step to securing data.FIELD
OF
STUDYThe design and implementation of enhanced token to sign datatransferred across a network conveniently and improvedsecurity technique is the major goal of this research.Enhanced token is a two-tier architecture which proffers aconvenient technique to sign data across a Network. Itachieves this by using graphical password mechanism forgathering data, creating authentication, creating graphicalPublic/ Private Keys for users, a registry to store usercredentials as well as publish public picture keys with identityand Public Key Infrastructure for signature & verificationoperation of the data before transfer.RELATED
WORKSPass-face was developed in 2000, it uses objects for password,user determines their pass-face either male or female picturesduring enrolment. Users use four faces for password selectedfrom, the database. During enrolment a trial version is shownto the user to learn the steps to authenticating using pass-face.Enrolment will be completed by correctly identifying theirfour pass faces twice in a row with no prompting. During thelogin a grid that contains 9 pictures (pass-face) is shown to theuser, each grid, the order of faces is randomized at each gridprotecting the pass-face combination against detection throughshoulder surfing and packet-sniffing. The algorithm is prone toguessing attack as users selected attractive faces of their ownrace gender. The method is resistant to shoulder surfing withpass-face using keyboard, spyware, social engineering, lessvulnerable to password description,, vulnerable to brute force ,dictionary, guessing attacks [Sacha; 2000].Deja vu was proposed in 2000, it allows users select specificnumber of pictures among large image portfolio reducing thechance for description attack. The pictures are createdaccording to random art (one of the hash visualizationalgorithm). One initial seed (a binary string) is given and thenone random mathematical formula is generated which definesthe colour value for each pixel in the image. The imagedepends only on pixels so only the seeds need to be stored inthe trust server. During authentication phase, the portfolio of auser mixes with decoys. It is resistant to dictionary attacks,spyware, social engineering attacks, vulnerable to brute force,guessing attack and shoulder surfing [Rachna; 2000].Triangle was proposed by a group which created severalnumbers of schemes which can overcome shoulder surfingattacks in 2002, the system randomly puts a set of N-objectswhich could be a hundred or a thousand on the screen. Thereis a subset of K-objects are the user passwords. During loginthe system will randomly select a placement if the N-objectsthen the user must find three of his password objects and click inside the invisible triangle created by those three objects orclick inside the convex hull of the pass objects that aredisplayed. For each login this challenge is repeated a fewtimes using a different makes the screen [Sobrado et al; 2002].Moveable frame proposed in 2002 the user must locate threeout of K-objects which are the user passwords. Only threepass-objects are displayed at any given time and only one of them is placed in a moveable frame. During login phase theuser moves the frame and the objects contained in it bydragging the mouse around until the password object placedon the frame is minimized by repeating the procedure fewtimes. The algorithm is confusing, time consuming andunpleasant. It is subject to brute force attack, spyware,shoulder-surfing, resistant to dictionary attack [Furkan et al;2006].Picture password proposed in 2003 designed for handhelddevice; PDA. It has 2 distinct parts; initial password enrolmentand subsequent password verification. During enrolment a
165http://sites.google.com/site/ijcsis/ISSN 1947-5500
(IJCSIS) International Journal of Computer Science and Information Security,Vol. 9, No. 7, 2011
selects a theme identifying the thumbnail photos to be appliedand then registers a sequence of thumbnail images that areused to derive the associated password. On booting of thePDA the user enters the currently enrolled image sequence forverification to gain access, selecting a new sequence and/ or.The user is presented with 30 thumbnails the screen and eachthumbnail is a shift to another presenting 930 thumbnails to beselected from for password creation. The addition of the shiftkeys cause the algorithm to be complex and difficult and isvulnerable to shoulder surfing [Wayne et al; 2003].Man et al. Proposed in 2003, to avoid shoulder surfing. In thisalgorithm al the pictures are signed a unique code, duringauthentication the user is presented with several scenes whichcontain several pass images/objects and many decoys. Sinceevery object has a unique code, for each password image, theuser will enter will enter the string of code. It requires users tomemorize the code for each password object variant causinginconveniences to users. It is vulnerable to brute force attack and spyware attack, resistant to dictionary attack, guessingattack, shoulder surfing attacks, social engineering attack [Farnaz et al; 2009].Story proposed in 2004, the scheme categories the availablepicture into nine (9) categories which include animals, cars,women, food, children, men, objects nature and sport [Darrenet al; 2003].Pass-Go was proposed in, 2006 Inspired by an old Chinesegame, Go, we have designed a new graphical passwordscheme, Pass-Go, in which a user selects intersections on agrid as a way to input a password. While offering an extremelylarge password space (256 bits for the most basic scheme). Itsupports most application environments and input devices,rather than being limited to small mobile devices (PDAs), andcan be used to derive cryptographic keys. We study thememorable password space and show the potential power of this scheme by exploring further improvements and variationmechanisms scheme) [HAI; 2006].Public Key/ Asymmetric Cryptography: Public-keycryptography is acryptographicapproach which involves theuse of asymmetric key algorithms instead of or in addition tosymmetric key algorithms, it was first proposed in 1976 byWhitfield Diffie and Martin Hellman in order to solve the keymanagement problem. Unlike symmetric key algorithms, itdoes not require asecureinitialexchangeof one or more
secret keysto both sender and receiver. The asymmetric keyalgorithms are used to create a mathematically related keypair: a secret private key and a published public key. Use of these keys allows protection of the authenticity of a messageby creating adigital signatureof a message using the privatekey, which can be verified using the public key. It also allowsprotection of theconfidentialityandintegrityof a message, by
public keyencryption,encrypting the message using thepublic key, which can only be decrypted using the private key[. Donal et al; 1997]
.
Biometric technologies are automated methods of verifyingor recognizing the identity of a living person based on aphysiological or behavioral characteristic. Fingerprints takenas a legal requirement for a driver license, but not storedanywhere on the license; automatic facial recognition systemssearching for known card cheats in a casino; season tickets toan amusement park linked to the shape of the purchasersfinger; home incarceration programs supervised by automaticvoice recognition systems and confidential delivery of healthcare through iris recognition: these systems seem completelydifferent in terms of purpose, procedures, and technologies,but each uses biometric authentication in some way.Biometric features have the characteristics of non-repudiationbut each of these features if damaged there is simply no way toretrieve them. (James et al, 2004)DIGITAL
SIGNATUREA digital signature or digital signature scheme is amathematical scheme for demonstrating the authenticity of adigital message or document. A valid digital signature gives arecipient reason to believe that the message was created by aknown sender, and that it was not altered in transit. Digitalsignatures are commonly used for software distribution,financial transactions, and in other cases where it is importantto detect forgery or tampering.Digital signatures are often used to implement electronicsignatures, a broader term that refers to any electronic datathat carries the intent of a signature, but not all electronicsignatures use digital signatures. However, laws concerningelectronic signatures do not always make clear whether theyare digital cryptographic signatures in the sense used here,leaving the legal definition, and so their importance, somewhatconfused. Digital signatures employ a type of asymmetriccryptography. For messages sent through a non-securechannel, a properly implemented digital signature gives thereceiver reason to believe the message was sent by the claimedsender. Digital signatures are equivalent to traditionalhandwritten signatures in many respects; properlyimplemented digital signatures are more difficult to forge thanthe handwritten type. Digital signature schemes in the senseused here are cryptographically based, and must beimplemented properly to be effective. Digital signatures canalso provide non-repudiation, meaning that the signer cannotsuccessfully claim they did not sign a message, while alsoclaiming their private key remains secret; further, some non-repudiation schemes offer a time stamp for the digitalsignature, so that even if the private key is exposed, thesignature is valid nonetheless. Digitally signed messages maybe anything represent able as a bit-string: examples includeelectronic mail, contracts, or a message sent via some othercryptographic protocol. All public key / private keycryptosystems depend entirely on keeping the private keysecret. A private key can be stored on a user's computer, andprotected by a local password, but this has two disadvantages:the user can only sign documents on that particular computerthe security of the private key depends entirely on the securityof the computer
166http://sites.google.com/site/ijcsis/ISSN 1947-5500
Search History:
Result 00 of 00
00 results for result for
p.
Development of enhanced token using picture password and public key infrastructure mechanism for digital signature
The recent advances in actualizing a highly networked environment where data is been exchanged from one person to another electronically has given great concern for data integrity, confidentiality and security. It is stated that the exchange…
(More)
241
Reads
0
Readcasts
0
Embed Views
More From This User
Notes
Load more
