HTTPS://SITES.GOOGLE.COM/SITE/JOURNALOFCOMPUTING/
WWW.JOURNALOFCOMPUTING.ORG 17
Abstract—Computer crime can easily be defined as the criminal activity that involves an information technology infrastructure, including illegal access (unauthorized access), illegal interception, data interference (unauthorized damaging, deletion, deterioration, alteration or suppression of computer data), unethical access of information and web services, disturbance of social peace, systems interference (interfering with the functioning of a computer system by inputting, transmitting, damaging, deleting, deteriorating, altering or suppressing computer data), misuse of devices, forgery (ID theft), and electronic fraud. This paper introduces a new methodology against the intruder as well as phishing attackers. The proposed methodology is based on the 3-way handshake concept between the end user and the online portal server. The methodology provides a secure environment for online transactions using 3 layers: the 1st layer following username and password authentication, the 2nd and 3rd layers following cross validation via e-mail and SMS respectively.
————————————————
Gaurav Kumar Tak is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management Gwalior (M.P.), INDIA.
Alok Ranjan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Rajeev Kumar is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Ashok Rangnathan is with the Department of Information and Communication Technology, ABV-Indian Institute of Information Technology and Management, Gwalior (M.P.), INDIA.
Pankaj Srivastava is with the Department of Applied Sciences, ABV-Indian Institute of Information Technology and Management Gwalior (M.P.), INDIA.

1 INTRODUCTION
In the field of computer security or network security, hacking is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords, security keys and credit card (or debit card, master card) details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites, auction sites, online payment gateways or IT administrators are commonly used to lure the unsuspecting public.
A secure system depends upon the following factors: Confidentiality, Authenticity, Integrity and Non-Repudiation, constituting the acronym “CAIN” [10].
IP spoofing (usurping the IP address of a certain PC), TCP (transmission control protocol) hijacking (interception of a TCP session), ARP spoofing (re-linking the network traffic from one or more PCs to the PC of the malefactor) and DNS (Domain Name System) spoofing (basically DNS IP spoofing and DNS cache poisoning) are the common attacks over any type of network [1], [2].

2 RELATED WORK
Many scientists and researchers have proposed several schemes to secure the password and to prevent external attacks, but it has so far proved impossible to build a completely (100%) secure system. In [11], Yang et al. presented a couple of password validation schemes based on smart cards. One validation approach uses a timestamp and the other is nonce-based. In these schemes, a user can choose a password according to its own choice and can, at any time, modify it independently. The remote web server does not need to maintain the users’ password directory for their validation or a verification table to authenticate users, and the login validation can be carried out without the involvement of a third party.
An OTP card scheme has also been proposed to provide the security of authentication. It generates single-time passwords and single-time password sheets; a laptop armed with the protocols of secure validation also shows good transparency [12]. But this scheme has its own limitations.
Chan and Cheng (2001) introduced some vulnerabilities to forgery attacks of the YS scheme. They focused on the attackers’ approach that an attacker can
Journal of Computing, Volume 2, Issue 7, July 2010, ISSN 2151-9617
easily be successful in forging a login request from an intercepted previous login request to pass the validation of the web server [13].
In [14], Chen et al. presented a new attack on the system which is based on Fan’s scheme. They also showed that the system is still not secure against some forgery attacks even if all the ID formats are blocked.
Sun et al. proved that the YS scheme is secure against Chan and Cheng’s forgery attack [15]. They also described a new and effective forgery attack on the YS scheme [16].
The methodologies presented in [17], [18], [19] use passwords that are extremely easy to remember, but they are not so secure because eavesdropping attacks can easily break the passwords. Some cryptography research tried to solve this issue, but the methodologies proposed are either not safe or not efficient in the proper manner [20], [21]. In paper [22], Richter et al. proposed a safety mechanism against shoulder surfing, but the given mechanism is also not always able to protect users against eavesdropping adversaries.

3 PROBLEM DESCRIPTION
Generally, in password validation schemes, every authorized user has its own personal identity representing its existence in the system and a password corresponding to the user identity. Identity and password are both stored in the password table maintained at the server. This table is confidential and should be protected from external attacks. During the authentication of a user in the system, the details input by the user (identity/username/userid and password) are validated with the help of the password table. The traditional password scheme works. However, it can be awfully dangerous if the password is somehow revealed.
Now we consider the problem of secure access or login to e-banking systems or e-commerce and payment gateway services (credit card, debit card, master card details) as well.
In this paper, we are proposing a new technique for providing a secure system as well as stopping phishing attacks by introducing the concept of the 3-Way Handshake Approach using SMS and email. It provides a secure environment using 3 layers: the 1st layer is username and password, the 2nd layer is email and the 3rd layer is SMS. This 3-Way Handshake Approach methodology provides a secure environment for transactions taking place through online portals and detects phishing websites by using the encrypted key method.

2 PROPOSED METHODOLOGY AND IMPLEMENTATION
The proposed methodology is called the 3-Way Handshake Approach because it provides a secure environment using 3 layers: the 1st layer is based on username and password authentication, and the 2nd and 3rd layers are based on email and SMS cross validation respectively. In the proposed scheme, at the time of registration, the user registers its email id and contact number along with the other details.
The proposed methodology also provides a secure environment against phishing attackers.
The proposed scheme works in the following 2 phases:
1. Registration Phase: At the time of online account registration, the user is asked to enter its primary contact number and primary email id that are to be used by the secure 3-Way Handshake Approach methodology for securing the transactions. In case of a change of primary email id or primary contact number, the user has to update the changes with the website. The user also needs to answer a private question at the time of registration which will be used in the alternate approaches of the 3-Way Handshake Approach methodology.
2. Login Phase: At the time of login, the user needs to enter his username and password and needs to select an option from the following three options:
1. Send encrypted keys on email and SMS
2. Send the key on email and private question
3. Send the key on SMS and private question

1. Send encrypted keys on email and SMS: The user enters his correct username and password and he receives an encrypted key on his email as well as by SMS. The encryption procedure is as follows: The encrypted key sent via email has alternate characters revealed and the characters which are not revealed are marked by ‘#’. The SMS sent to the user has those characters visible which were not revealed by the encrypted key in the email and has those characters marked by ‘#’ which were revealed by the email. For instance, the encrypted key sent via email is G#E#T#U# and the key received via SMS is *R*A*G*Y. G#E#T#U# and *R*A*G*Y together need to be decrypted to form ‘GREATGUY’. The user needs to enter this decrypted key to log in as an authenticated user.
2. Send the key on email and private question: At the time of login, if the mobile phone of the person is temporarily not operational, the proposed methodology has an alternate approach which is relatively less secure. In this alternate
approach, the user enters his correct username and password and he receives a key on his email. The user has to enter this key and has to give the same answer to the private question asked during the registration phase to log in as an authenticated user. This method is less secure as the key is sent without encryption.
Fig. 3. User performs account registration for the online portal
Fig. 5. Intruder logs in into the secure website
Fig. 6. In case of phishing website

4 CONCLUSION AND LIMITATION
Currently phishing attacks are so common because they can attack globally and capture and store the users’ confidential information. This information is used by the attackers (who are indirectly involved in the phishing process). In this paper, the 3-way Handshake approach provides a more secure platform to the end users for their online transactions. In this methodology, attackers can’t attack the email and SMS simultaneously. Information stealing will be minimized and more secure communication (transmission) will occur using the proposed methodology. If any intruder wants to peek into the transmission of the confidential data, he will not be able to recognize the patterns of the encrypted data. So the data will be more secure. The proposed methodology is useful to prevent the attacks of intruders as well as phishing websites on financial web portals, payment gateway portals, banking portals and e-shopping markets (e.g. eBay, PayPal, etc.). We can also work on the survey analysis from the data generated using the concept of the proposed methodology.
The above methodology needs more hardware for the implementation. Thus, it increases the workload of the mail server as well as the SMS server. Owing to the higher hardware specification, the cost of implementation of the proposed methodology is relatively higher.

ACKNOWLEDGEMENT
The authors would like to thank ABV-Indian Institute of Information Technology and Management, Gwalior for the kind support provided for this work.

REFERENCES
[1] Ollmann G., The Phishing Guide: Understanding & Preventing Phishing Attacks, NGS Software Insight Security Research.
[2] Yu, W.D.; Nargundkar, S.; Tiruthani, N., "A phishing vulnerability analysis of web based systems," Computers and Communications, 2008. ISCC 2008. IEEE Symposium on, pp. 326-331, 6-9 July 2008.
[3] Maher Ragheb Aburrous, Alamgir Hossain, Keshav Dahal, Fadi Thabatah, "Modelling Intelligent Phishing Detection System for E-banking Using Fuzzy Data Mining," 2009 International Conference on CyberWorlds, pp. 265-272, 2009.
[4] Abu-Nimeh, S.; Nair, S., "Bypassing Security Toolbars and Phishing Filters via DNS Poisoning," Global Telecommunications Conference, 2008. IEEE GLOBECOM 2008, pp. 1-6, Nov. 30 2008-Dec. 4 2008.
[5] Alnajim, A. and Munro, M. 2009. An Anti-Phishing Approach that Uses Training Intervention for Phishing Websites Detection. In Proceedings of the 2009 Sixth International Conference on Information Technology: New Generations (April 27-29, 2009). ITNG. IEEE Computer Society, Washington, DC, 405-410. DOI: http://dx.doi.org/10.1109/ITNG.2009.109
[6] Juan Chen and Chuanxiong Guo, Online Detection and Prevention of Phishing Attacks, in Proc. Chinacom 06.
[7] Beginning PHP5, Apache, and MySQL Web Development by Elizabeth Naramore, Jason Gerner, Yann Le Scouarnec, Jeremy Stolz, Michael K. Glass; ISBN: 9780764579660.
[8] PHP, AJAX, MySql and JavaScript Tutorials, http://www.w3schools.com/
[9] Luis von Ahn, Manuel Blum, Nicholas Hopper, and John Langford. CAPTCHA: Using Hard AI Problems for Security. In Eurocrypt.
[10] Gedam, Dhiraj Nilkanthrao, RSA Based Confidentiality and Integrity Enhancements in SCOSTA-CL, A thesis report, Department of Computer Science and Engineering, Indian Institute of Technology, Kanpur, India, July 2009.
[11] Yang, W.H., and S.P. Shieh (1999). Password authentication schemes with smart cards. Computers & Security, 18(8), 727–733.
[12] M. Naor and B. Pinkas. Visual authentication and identification. In Proc. Advances in Cryptology, pages 322–336, 1999.
[13] Chan, C.K., and L.M. Cheng. Cryptanalysis of time stamp-based password authentication scheme. Computers & Security, 21(1), 74–76, 2001.
[14] Chen, K.F. and S. Zhong. Attacks on the (enhanced) Yang–Shieh authentication. Computers & Security, 22(8), 725–727, 2003.
[15] Chan, C.K., and L.M. Cheng. Cryptanalysis of timestamp-based password authentication scheme. Computers & Security, 21(1), 74–76, 2001.
[16] Sun, H.M., and H.T. Yeh. Further cryptanalysis of a password authentication scheme with smart cards. IEICE Transactions on Communications, E86-B(4), 1412–1415, 2003.
[17] Real User Corporation. The Science Behind Passfaces. http://www.realuser.com/published/ScienceBehindPassfaces.pdf, June 2004.
[18] R. Dhamija and A. Perrig. Deja vu: A user study using images for authentication. In Proc. 9th USENIX Security Symposium, 2000.
[19] Y. Zhu, X. Suo and G. Scott Owen. Graphical passwords: A survey. In Proc. 21st Annual Computer Security Applications Conference, 2005.
[20] S. Li and H.-Y. Shum. SecHCI: Secure human-computer identification (interface) systems against peeping attacks, 2003.
[21] T. Matsumoto. Human-computer cryptography: an attempt. In Proc. Conf. on Computer and Communications Security, pages 68–75, 1996.
[22] T. Matsumoto. Human-computer cryptography: an attempt. In Proc. Conf. on Computer and Communications Security, pages 68–75, 1996.

About the Authors
Ashok Ranganathan is a student of Atal Bihari Vajpayee Indian Institute of Information Technology and Management, Gwalior, pursuing the 2nd year of B.Tech in Information Technology. His areas of research are Internet security, trust and privacy, database management, cloud computing and applications.